<?xml version="1.0" encoding="utf-8"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:webfeeds="http://webfeeds.org/rss/1.0"><channel><title>1Password Blog</title><link>https://blog.1password.com/</link><description>1Password news and announcements feed</description><generator>Hugo -- gohugo.io</generator><language>en-us</language><lastBuildDate>Fri, 22 Nov 2024 00:00:00 +0000</lastBuildDate><webfeeds:cover image="https://blog.1password.com/posts/2019/freedom-press/header.png"/><webfeeds:icon>https://blog.1password.com/img/icons/logo-small.svg</webfeeds:icon><webfeeds:logo>https://blog.1password.com/img/icons/logo-wide.svg</webfeeds:logo><webfeeds:accentColor>1a8cff</webfeeds:accentColor><webfeeds:related layout="card" target="browser"/><atom:link href="https://blog.1password.com/index.xml" rel="self" type="application/rss+xml"/><item><title>4 tips to encourage your team to use 1Password Enterprise Password Manager</title><link>https://blog.1password.com/tips-encourage-1password-use-post-launch/</link><pubDate>Fri, 22 Nov 2024 00:00:00 +0000</pubDate><author>info@1password.com (Courtney Buffie)</author><guid>https://blog.1password.com/tips-encourage-1password-use-post-launch/</guid><description> <img src='https://blog.1password.com/posts/2024/tips-encourage-1password-use-post-launch/header.png' class='webfeedsFeaturedVisual' alt='4 tips to encourage your team to use 1Password Enterprise Password Manager' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">So you’ve rolled out 1Password Enterprise Password Manager, successfully onboarded your team – now what? Don’t let the momentum you’ve built go to waste! 
By building long-term security habits early on, you’ll reap the benefits far into the future.</p> <p>Here are a few tips to help you encourage your team to use 1Password.</p> <h2 id="tip-1-use-built-in-reporting-to-track-who-isnt-using-1password">Tip 1: Use built-in reporting to track who isn’t using 1Password</h2> <p>Even the most successful onboarding might result in a few people taking longer to begin using the tool in their day-to-day activities. For a security tool to be effective, you need everyone on your team to actually engage with it and use it properly.</p> <p>Use the <a href="https://support.1password.com/reports/#create-a-team-report">Team Report</a> to identify team members who aren’t actively using 1Password. The report includes information like an employee&rsquo;s last sign-in date, the number of items saved in individual and shared vaults, and whether a team member has redeemed their free family account. With that information, you can decide who to target with a re-engagement campaign.</p> <img src="https://blog.1password.com/posts/2024/tips-encourage-1password-use-post-launch/domain-breach-report.png" alt="A screenshot of the Domain Breach Report, with a highlighted section that reads: Reach out to deleted people and let them know about a breach affecting their account." title="A screenshot of the Domain Breach Report, with a highlighted section that reads: Reach out to deleted people and let them know about a breach affecting their account." class="c-featured-image"/> <h2 id="tip-2-engage-with-non-active-team-members">Tip 2: Engage with non-active team members</h2> <p>Once you know who isn’t using 1Password, you can create a strategy to follow up with them. 
Make a plan that’s repeatable and build it into your everyday workflow.</p> <p>Recommendations for building a communication strategy that works:</p> <ul> <li><strong>Frequency:</strong> Decide how often to reach out to team members who aren’t using 1Password – a minimum of once every three months is a good place to start. If you’re in a security-conscious industry, monthly might be more appropriate.</li> <li><strong>Channel:</strong> How you communicate this message to your team could determine how well it&rsquo;s received, and how effective it is at changing behavior. Email is very trackable, but other communication channels, like Slack or Teams, may be more effective.</li> <li><strong>Messaging:</strong> You’ll likely be using messaging similar to your initial communication plan, so refer back to that for inspiration. Focus on the benefits – like better productivity and faster sign-ins – to show employees how 1Password is more than just a security tool.</li> <li><strong>Feedback:</strong> One great way to get people to use a tool is to listen to any concerns they have with it, and fix them. Some people might not like the vault setup, or might feel they haven’t had enough training to use the tool effectively. Listening to feedback from your team can help them feel like they’re an active participant in security. It’s also the best way to make sure 1Password is set up and usable for your team.</li> </ul> <h2 id="tip-3-provide-ongoing-training-on-1password">Tip 3: Provide ongoing training on 1Password</h2> <p>Ongoing 1Password training helps keep security top of mind for your team. Most industries have ongoing learning programs and mandatory security training in place – incorporate 1Password into these existing programs for best results. 
Some options might include:</p> <ul> <li>Annual security training.</li> <li>Onboarding for new hires.</li> <li>Cybersecurity Awareness Month activities.</li> <li>Optional lunch &amp; learn sessions.</li> <li>Self-serve intranet pages.</li> </ul> <aside class="c-technical-aside-box c-technical-aside-box--background" aria-labelledby="bonus-tip"> <h2 class="c-technical-aside-box__title" id="bonus-tip"> Bonus tip </h2> <div class="c-technical-aside-box__description"> <p>Lean into your 1Password champions – employees in your company who are 1Password advocates and power users. They can help provide training and share their personal experiences. Sometimes hearing about the benefits from someone outside of the security team can help push employees to really look at the value of 1Password in their daily tasks.</p> </div> </aside> <h2 id="tip-4-run-a-social-sharing-campaign">Tip 4: Run a social sharing campaign</h2> <p>Training doesn’t have to come as a formal session; you can build opportunities for learning into your team&rsquo;s day-to-day work. One fun way to do that is to run a social sharing campaign where you share a “1Password feature of the month”.</p> <p>Monthly shares will keep 1Password top of mind for your team, and they might learn something new that really improves their workflow. It also helps build awareness of security best practices and encourages better security habits.</p> <p>These monthly spotlights can be shared on the company intranet, or other platforms like Slack, Teams, or Workplace. 
The key is to keep highlighting features that improve your team&rsquo;s workflows and encourage them to use 1Password more often so that your company can reap the benefit of a fully integrated security program.</p> <h2 id="help-everyone-adopt-1password-enterprise-password-manager">Help everyone adopt 1Password Enterprise Password Manager</h2> <p>Keeping your team’s attention and building on the momentum from onboarding can help your team adopt strong security habits every day. Check out the <a href="https://1password.com/1password-launch-kit">1Password Launch Kit</a> and our ongoing training sessions to build a culture of security in your business.</p></description></item><item><title>1Password partners with Ingram Micro to distribute Extended Access Management</title><link>https://blog.1password.com/1password-ingram-micro-partnership-resellers/</link><pubDate>Thu, 21 Nov 2024 00:00:00 +0000</pubDate><author>info@1password.com (Monica Jain)</author><guid>https://blog.1password.com/1password-ingram-micro-partnership-resellers/</guid><description> <img src='https://blog.1password.com/posts/2024/1password-ingram-micro-distribution-agreement/header.png' class='webfeedsFeaturedVisual' alt='1Password partners with Ingram Micro to distribute Extended Access Management' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">If you run a business, your data should be just that: your business and nobody else’s.</p> <p>But keeping logins and other sensitive information away from cybercriminals can be a challenge in today’s world. 
Threats are always evolving and <a href="https://blog.1password.com/securing-your-hybrid-workforce/">hybrid work is redefining the traditional perimeter that businesses need to defend</a>.</p> <p><strong>Today, we’re announcing a distribution agreement with <a href="https://www.ingrammicro.com/en-us">Ingram Micro</a>, the world’s leading technology distributor.</strong> Together we can help more businesses adapt to this changing world and secure every sign-in for every app on every device.</p> <h2 id="who-is-ingram-micro">Who is Ingram Micro?</h2> <p>Ingram Micro is a leading distributor that brings products and services from technology companies like 1Password to IT service providers and other business-to-business experts. The company is committed to providing resellers with cutting-edge solutions that cover every aspect of cybersecurity, from assessment and strategy to monitoring and remediation.</p> <p>Our distribution agreement will allow us to reach more businesses and help them strengthen their security with our password management and Extended Access Management solutions.</p> <h2 id="what-this-means-for-ingram-micro-customers">What this means for Ingram Micro customers</h2> <p>If you work for an IT service provider, you can now find 1Password products on Ingram Micro’s platform and offer them to your business customers.</p> <p>Adding 1Password Extended Access Management to your portfolio will help you stand apart from your competitors, increase revenue, and better solve your clients’ needs.</p> <h2 id="the-future">The future</h2> <p>At 1Password, we’re on a mission to provide human-centric solutions that secure every sign-in and address the growing <a href="https://blog.1password.com/explaining-the-access-trust-gap/">access-trust gap</a>.</p> <p>Our distribution agreement with Ingram Micro is a crucial step toward this goal. 
The strategic alliance will extend our reach and lead to more businesses strengthening their security with truly fit-for-purpose tools.</p> <blockquote> <p>“With Ingram Micro’s proven security expertise and expansive market reach, this agreement expedites our expansion in North America and empowers our mutual channel partners to secure their customers’ access points with greater confidence.” - Lori Cornmesser, VP of Channel Sales and Alliances at 1Password</p> </blockquote> <p>Look for more partnership announcements on our <a href="https://blog.1password.com/">blog</a>, as well as <a href="https://1password.com/resources/">resources</a> that can help you better protect your business and the organizations you work with.</p></description></item><item><title>Addressing security and privacy compliance mandates with Extended Access Management</title><link>https://blog.1password.com/addressing-security-privacy-compliance-mandates/</link><pubDate>Thu, 21 Nov 2024 00:00:00 +0000</pubDate><author>info@1password.com (Marc von Mandel)</author><guid>https://blog.1password.com/addressing-security-privacy-compliance-mandates/</guid><description> <img src='https://blog.1password.com/posts/2024/addressing-security-privacy-compliance-mandates/header.png' class='webfeedsFeaturedVisual' alt='Addressing security and privacy compliance mandates with Extended Access Management' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">In today&rsquo;s digital landscape, businesses face increasing pressure to protect personal data and ensure compliance with security and privacy mandates.</p> <p>With regulations such as the General Data Protection Regulation (GDPR) and Health Insurance Portability and Accountability Act (HIPAA) as well as audit frameworks with privacy implications like ISO 27001 and SOC 2, organizations must implement strict controls over data privacy, access management, and auditability. 
Compliance with these mandates can be complex, especially when managing user access to sensitive data across modern IT environments.</p> <h2 id="why-address-these-challenges">Why address these challenges?</h2> <p>Failure to meet regulatory or audit requirements can have serious consequences, including fines, loss of customer trust, and reputational damage. Non-compliance also increases the likelihood of security incidents, including unintended data leaks. For example, mishandling access to personal data can lead to violations of GDPR’s mandates, which emphasize the necessity of restricting data access strictly to authorized users with a lawful business need only. The financial and operational impact of security incidents, especially in regulated industries, can be damaging, with costs averaging millions per incident due to business disruption, legal expenses, and potential customer churn.</p> <h2 id="the-role-of-extended-access-management-in-compliance">The role of Extended Access Management in compliance</h2> <p>To tackle compliance challenges, businesses need a modernized approach to access management that goes beyond traditional methods. Traditional access management tools often struggle with the complexities of today’s decentralized IT environments, which include remote workforces and cloud services. Modern approaches to access management involve implementing more granular controls, automating compliance processes, and ensuring continuous monitoring of user access to sensitive data. Using this strategy can significantly reduce the risk of non-compliance and security incidents, paving the way for a more secure and resilient organization.</p> <p><a href="https://1password.com/product/xam">Extended Access Management</a> (XAM), a new category of security software, provides enhanced control and monitoring of how users access corporate resources, including sensitive data and systems. 
XAM expands the scope of access management by delivering granular control on devices and credentials, visibility, and reporting and auditing capabilities that address the specific requirements of privacy regulations like GDPR.</p> <h2 id="aligning-with-gdpr-compliance-using-1password-extended-access-management">Aligning with GDPR compliance using 1Password Extended Access Management</h2> <p>The GDPR mandates that organizations protect the privacy and personal data of individuals within the European Union. A key principle of GDPR is ensuring that access to personal data is restricted to authorized personnel and for legitimate purposes only.</p> <p>Under GDPR Article 32, organizations must implement strong security measures such as encryption, data anonymization, and access control policies to protect personal data.</p> <p>1Password®️ Extended Access Management enforces these measures through end-to-end encryption on vaults, multi-factor authentication (MFA) at sign-in, custom groups and vault permissions, device health checks, and detailed logs on access activity to align with privacy compliance mandates.</p> <h2 id="protecting-data-with-granular-access-control-mfa-and-auditing">Protecting data with granular access control, MFA, and auditing</h2> <p>1Password Extended Access Management is designed to help organizations manage access to credentials securely, enforce security policies, and maintain audit trails in compliance with privacy mandates. Let’s explore some of the core features that help businesses better align with privacy and security regulations.</p> <h3 id="granular-access-control-and-permissions">Granular access control and permissions</h3> <p>A cornerstone of privacy compliance is ensuring that only authorized individuals access sensitive data. 1Password Extended Access Management offers access controls that allow administrators to define permissions for the vaults where credentials and data are stored. 
These controls help organizations restrict access to sensitive databases, personal information, or corporate systems.</p> <p>For example, permissions and conditional access policies are applied so that users are granted the least privilege necessary to perform their tasks, minimizing the risk of data misuse and supporting GDPR’s principle of data minimization.</p> <h3 id="multi-factor-authentication-mfa-for-stronger-security">Multi-factor authentication (MFA) for stronger security</h3> <p>GDPR does not name MFA explicitly, but its Article 32 requirement for “appropriate” technical measures is widely read as calling for strong authentication, and audit frameworks like ISO 27001 and SOC 2 commonly expect MFA on access to sensitive data. 1Password Extended Access Management acts as a possession-based factor across sign-ins when using device trust capabilities and can identify MFA opportunities for sign-ins not covered by your SSO provider, adding an extra layer of security to ensure that users must verify their identity through multiple methods.</p> <p>MFA helps mitigate the risk of compromised credentials and unauthorized access, both critical elements of privacy regulations. With 1Password Extended Access Management, organizations can align with stringent authentication requirements while safeguarding personal data from breaches.</p> <h3 id="comprehensive-access-auditing-and-reporting">Comprehensive access auditing and reporting</h3> <p>Maintaining detailed access logs is critical for compliance with privacy regulations like GDPR and security audit frameworks like ISO 27001 and SOC 2. 1Password Extended Access Management provides comprehensive audit trails through activity logging on accessed credentials and actions that occur using 1Password Device Trust, allowing administrators to monitor who accessed what data and when. 
These reports can be generated for privacy audits, demonstrating that access to personal data is properly controlled and monitored.</p> <p>Audit trails can be sent to an organization’s security information and event management (SIEM) provider, allowing organizations to proactively detect and address security issues or anomalies before they escalate into incidents.</p> <h3 id="contextual-access-management">Contextual access management</h3> <p>Going beyond traditional MFA, contextual access management adds another layer of security by evaluating the context in which access is requested. 1Password Extended Access Management can assess:</p> <ul> <li><strong>Device health</strong>: Enforcing device compliance based on health checks and ensuring that configurations are up-to-date.</li> <li><strong>Location</strong>: When connected to your chosen identity provider (IdP), determining whether the access request to credentials and applications originates from a trusted or suspicious location.</li> <li><strong>Time of access</strong>: When connected to your chosen identity provider (IdP), checking if the request occurs during typical work hours or during unusual times.</li> </ul> <p>This adaptive approach enables organizations to dynamically adjust access requirements based on risk, helping protect sensitive personal data while enhancing security compliance.</p> <h2 id="protecting-sensitive-data-through-encryption-and-secure-secrets-management">Protecting sensitive data through encryption and secure secrets management</h2> <p>GDPR requires organizations to implement technical measures to ensure the security of personal data, including encryption and data minimization.</p> <p>1Password Extended Access Management provides:</p> <ul> <li><strong>End-to-end encryption in vaults</strong>: Personal data in vaults is encrypted at rest and in transit, reducing the risk of unauthorized data exposure.</li> <li><strong>Device checks</strong>: Enforces that all devices accessing sensitive 
data align with your security posture requirements, including having the device hard drive encrypted.</li> <li><strong>Secure secrets management</strong>: Stores sensitive data such as passwords, API keys, and encryption keys in secure, encrypted vaults, limiting access to only authorized individuals. This helps organizations align with compliance requirements for data protection.</li> </ul> <h2 id="third-party-access-and-cross-border-data-transfers">Third-party access and cross-border data transfers</h2> <p>Privacy regulations like GDPR require organizations to ensure that third-party vendors adhere to the same privacy standards, especially when accessing personal data. Additionally, GDPR regulates cross-border data transfers to countries outside of the European Economic Area (EEA), requiring specific safeguards such as encryption or contractual clauses to protect data.</p> <p>1Password Extended Access Management supports these compliance mandates by:</p> <ul> <li>Controlling access to vaults and vault items when sharing with third parties, limiting access to only the data they need and only for a specified timeframe, and logging and monitoring access attempts to verify adherence to agreed-upon security practices.</li> <li>Restricting access to credential vaults by IP address, country, or continent, so that access to data stays under the customer&rsquo;s control and within the EEA. IP-based location is a coarse signal that a VPN can defeat, so treat it as one control alongside device trust rather than a guarantee on its own.</li> </ul> <h2 id="breach-monitoring-and-response">Breach monitoring and response</h2> <p>GDPR’s Article 33 requires organizations to notify the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of a personal data breach. 1Password Extended Access Management will notify admins if the credentials stored in vaults are reported in external breaches. In addition, activity logging on vaults and devices is provided, enabling organizations to quickly identify and respond to potential security incidents. 
With detailed audit logs, organizations can assess the scope of a credential breach, determine what data was affected, and report the incident in compliance with GDPR’s breach notification requirements.</p> <h2 id="future-proof-your-privacy-compliance-with-1password-extended-access-management">Future-proof your privacy compliance with 1Password Extended Access Management</h2> <p>As privacy regulations like GDPR and security audit frameworks like SOC 2 and ISO 27001 become more stringent or applicable to your organization, ensuring compliance is no longer optional — it’s critical for protecting your organization’s reputation and avoiding costly penalties. 1Password Extended Access Management simplifies security and privacy compliance by continually adding new advanced access controls for vaults and device checks, audit capabilities, and encryption measures that help organizations protect personal data and align with these standards.</p> <p>By leveraging 1Password Extended Access Management, businesses can confidently align with evolving security and privacy requirements while building a security posture that protects both their data and their reputation.</p> <p>Explore how 1Password Extended Access Management can transform your security and privacy compliance strategy. 
<a href="https://1password.com/contact-sales/xam?utm_ref=blog">Request a demo</a> or join our <a href="https://1password.com/webinars/simplify-regulatory-compliance-with-1Password?utm_ref=blog">upcoming webinar on compliance</a>!</p></description></item><item><title>1Password’s record-breaking growth in passkey adoption</title><link>https://blog.1password.com/passkeys-story-metrics/</link><pubDate>Wed, 20 Nov 2024 00:00:00 +0000</pubDate><author>info@1password.com (Travis Hogan)</author><guid>https://blog.1password.com/passkeys-story-metrics/</guid><description> <img src='https://blog.1password.com/posts/2024/passkeys-story-metrics/header.png' class='webfeedsFeaturedVisual' alt='1Password’s record-breaking growth in passkey adoption' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Passwords are frustrating. Whether it’s forgetting, resetting, or getting locked out, we’ve all been there.</p> <p>And without a password manager to help, passwords can also make you vulnerable to data breaches, putting your sensitive information at a huge risk.</p> <p>That’s why we’re all-in on passkeys, a way for you to <a href="https://blog.1password.com/what-are-passkeys/">create and sign</a> in to online accounts without a password.</p> <p>We’ve been busy since we first mentioned passkeys in <a href="https://blog.1password.com/1password-is-joining-the-fido-alliance/">mid-2022</a>, like working on offering the ability to <a href="https://blog.1password.com/fido-alliance-import-export-passkeys-draft-specs/">import and export passkeys</a>, partnering with Microsoft on an integration that will soon allow customers to <a href="https://www.theverge.com/2024/10/10/24266780/microsoft-windows-11-passkey-redesign-windows-hello">save and store passkeys with 1Password on Windows 11</a>, and helping businesses support passkeys on their apps and websites with <a 
href="https://passage.1password.com/?utm_source=passkey+directory&amp;utm_medium=banner&amp;utm_campaign=passkey-directory">Passage by 1Password</a>.</p> <p>And there’s more!</p> <p>Let’s take a look at what we’ve accomplished on the road to a truly passwordless future:</p> <h2 id="passkeys-by-the-numbers">Passkeys by the numbers</h2> <p>Since launching passkeys, 1Password has become a leading third-party passkey provider, and millions of customers are creating, saving, and signing in with passkeys. In fact, we&rsquo;ve seen over 4.2 million passkeys saved in 1Password, and that number continues to grow every day.</p> <p>1Password sees the highest spikes in adoption when another large platform announces passkey support, and many well-known websites, apps, and services are adding the option of passwordless authentication every day. For instance, when X (formerly Twitter) announced global passkey support on iOS, 89,953 new passkeys were created and saved in 1Password within the same week.</p> <p>But it doesn’t stop there. Since 1Password first launched passkeys in September 2023, we’ve seen:</p> <ul> <li><strong>4.2M</strong> passkeys saved in 1Password.</li> <li><strong>15.4M</strong> passkeys autofilled by 1Password.</li> <li>An average of over <strong>2.1M</strong> passkey authentications per month.</li> <li>On average, <strong>1 in 3.4 customers</strong> using the extension has at least one passkey stored in 1Password!</li> <li>Of 1Password passkey customers, <strong>73%</strong> are consumer accounts and <strong>27%</strong> are business accounts.</li> <li><strong>206</strong> companies have added a passkey log-in option, doubling since last year. 
Check out our <a href="https://passkeys.directory/">directory</a> for the full list of websites that support passkeys.</li> </ul> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div class="c-technical-aside-box__description"> <p>💡 Tip: To learn where you can start using passkeys, browse our online <a href="https://passkeys.directory/">Passkeys directory</a>, or open Watchtower in 1Password to see if any of your saved logins have passkey authentication available.</p> </div> </aside> <p>These adoption metrics aren’t just a milestone for 1Password as a leader in passwordless advocacy. They’re a testament to the trust our customers place in 1Password to provide secure and reliable passkey support.</p> <p><a href="https://blog.1password.com/1password-is-joining-the-fido-alliance/">As members of the FIDO Alliance</a>, we’re committed to helping even more individuals and businesses move away from passwords and embrace a safer and simpler future without them.</p> <h2 id="why-passkeys">Why passkeys?</h2> <p>Everyone is used to needing passwords for almost everything online, but the security landscape is changing. Passkeys come with more benefits than traditional passwords, and they’re another step toward uncomplicating the process of digital security.</p> <p><strong>Easily sign into apps, sites, and services</strong>: Passkeys aren’t just secure – they’re really convenient to use, too. You don’t have to manually create a traditional password, so there’s no separate two-factor step, nothing to memorize, and nothing to type! When you want to sign in, you just verify your identity using biometrics (like Face ID or your fingerprint) or by entering your device’s password or PIN.</p> <p><strong>Get the best line of defense for you or your organization</strong>: Unlike traditional passwords, passkeys are resistant to phishing: each passkey is bound to the site it was created for, the browser only offers it to that site, and the private key is never sent to the site, so a look-alike domain has nothing to capture and nothing it can use. 
That makes them resistant to social engineering scams, too.</p> <p><strong>Enjoy passkey peace of mind</strong>: Rest easy knowing that your passkeys are even more protected thanks to 1Password’s unique, industry-leading security model and recovery options. Plus, our experts are always on hand to help you when you need it.</p> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div class="c-technical-aside-box__description"> <p>1Password is available on <a href="https://apps.microsoft.com/detail/xp99c9g0krdz27?hl=en-us&amp;gl=CA">Windows</a>, <a href="https://1password.com/downloads/mac/">Mac</a>, <a href="https://1password.com/downloads/linux/">Linux</a>, <a href="https://apps.apple.com/app/id1511601750?mt=8">iOS</a>, <a href="https://play.google.com/store/apps/details?id=com.onepassword.android">Android</a>, and 1Password browser extensions (<a href="https://1password.com/downloads/browser-extension/">Microsoft Edge, Chrome, Firefox, Safari, and Brave</a>).</p> </div> </aside> <h2 id="a-better-future-for-authentication">A better future for authentication</h2> <p>Passkeys are the future of online security – and the future is here. Signing in is faster, easier, and safer than ever before thanks to passkeys, and whether you want to secure <a href="https://1password.com/personal">personal</a>, <a href="https://1password.com/business">business</a>, or <a href="https://1password.com/enterprise">enterprise</a> sign-ins, 1Password has you covered.</p> <p>If you’re a 1Password customer, you have everything you need to <a href="https://support.1password.com/save-use-passkeys/">start using passkeys now</a>. 
If you’re not already using 1Password, <a href="https://1password.com/business-pricing">sign up for a free 14-day trial</a> and experience passwordless authentication today.</p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Ready to protect yourself?</h3> <p class="c-call-to-action-box__text"> Keep all of your accounts secure with 1Password, the world’s most-trusted password manager. Get started today with a free 14-day trial. </p> <a href="https://1password.com/pricing/" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Try free for 14 days </a> </div> </section></description></item><item><title>More than compliance: Elevate your security posture with 1Password</title><link>https://blog.1password.com/more-than-compliance-elevate-your-security-posture/</link><pubDate>Thu, 14 Nov 2024 00:00:00 +0000</pubDate><author>info@1password.com (Marc von Mandel and Dave Lewis)</author><guid>https://blog.1password.com/more-than-compliance-elevate-your-security-posture/</guid><description> <img src='https://blog.1password.com/posts/2024/more-than-compliance-elevate-your-security-posture/header.png' class='webfeedsFeaturedVisual' alt='More than compliance: Elevate your security posture with 1Password' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">You run a business that handles sensitive customer data. To ensure you’re following industry standards, you diligently work to achieve compliance with relevant laws and regulations, such as HIPAA, SOC 2, or GDPR. You invest in the necessary tools, train your staff, and implement the required security policies. After an exhaustive process, you proudly receive your compliance certification.</p> <p>However, one evening, you discover that your system has been breached. 
Hackers have infiltrated your network and stolen customer data by obtaining access to systems using stolen credentials. How could this happen when you were compliant with all the regulations?</p> <p>Here’s where the difference between compliance and security becomes starkly apparent.</p> <p>Compliance means adhering to a set of rules and standards set by regulatory bodies. It ensures you meet the minimum requirements to protect data and maintain privacy. While compliance is essential, it often focuses on documentation, procedural requirements, and periodic audits.</p> <p>Security, on the other hand, is an ongoing, dynamic process. It involves actively protecting your identities, devices, systems, data, and networks from threats, which are constantly evolving. It requires a proactive approach to identify and mitigate risks, continuously monitor devices and applications for vulnerabilities, and respond swiftly to incidents.</p> <p>At 1Password, we recognize the importance of compliance as a core pillar of security. We understand that <a href="https://app.conveyor.com/profile/1password">achieving compliance</a> is necessary, but we also know that true security goes beyond merely meeting regulatory requirements. It involves a deeper, more comprehensive approach, especially in today’s complex business landscape.</p> <p>To truly secure your business, we focus on meeting you where you are with security tools that enhance both your productivity and security. This includes a strong emphasis on identity and device security, integrated in seamless and user-friendly ways.</p> <h2 id="go-beyond-compliance-with-strong-identity-security">Go beyond compliance with strong identity security</h2> <p>Ensuring that only authorized individuals have access to your data and systems is paramount. 
Identity security involves:</p> <ol> <li><strong>Multi-factor authentication (MFA)</strong>: Mandating MFA adds an extra layer of security, requiring users to provide multiple forms of verification before gaining access.</li> <li><strong>Contextual access management</strong>: Continuously verifying users&rsquo; identities, and the managed or unmanaged devices they sign in from, against defined policies such as location, device health, and configuration.</li> <li><strong>Least privilege access</strong>: Limiting each user&rsquo;s access rights to the bare minimum they need to perform their job functions reduces risk.</li> </ol> <h2 id="complement-strong-identity-security-with-device-security">Complement strong identity security with device security</h2> <p>With the increasing use of mobile and remote work environments, securing the devices that access your assets is crucial. Device security involves:</p> <ol> <li><strong>Device Trust</strong>: Identifying all devices (managed and unmanaged) accessing your resources and ensuring they are properly secured, including up-to-date software and security patches.</li> <li><strong>Self-remediation</strong>: Giving end users clear instructions for fixing their own devices, so they can return to compliance without involving IT.</li> <li><strong>Device protection</strong>: Implementing advanced endpoint protection that collects telemetry from endpoints and alerts when a threat is suspected on a device.</li> </ol> <h2 id="additional-comprehensive-security-measures">Additional comprehensive security measures</h2> <p>In addition to identity and device security, a holistic approach includes:</p> <ol> <li><strong>Continuous monitoring</strong>: Regularly monitoring your systems for unusual activities or potential threats.</li> <li><strong>Threat intelligence</strong>: Staying informed about the latest threats and attack vectors that could target your industry.</li> <li><strong>Incident response</strong>:
Having a robust incident response plan to quickly address and mitigate any security incidents.</li> <li><strong>Employee training</strong>: Ensuring your team is continuously educated on the latest security best practices and has the tools it needs to practice good security hygiene.</li> </ol> <p>Meeting regulatory compliance standards like GDPR, ISO 27001, SOC 2, or HIPAA can be overwhelming. <a href="https://1password.com/webinars/simplify-regulatory-compliance-with-1Password?utm_ref=blog">Join our upcoming webinar on December 5th at 9am PT / 12pm ET</a> to learn how 1Password simplifies compliance with seamless, secure access controls and auditing.</p> <p>At 1Password, we believe in not just achieving compliance but in empowering you with security tools that make you more productive and secure. By prioritizing identity and device security, you create a robust defense against evolving threats.</p></description></item><item><title>1Password has joined the Microsoft Intelligent Security Association</title><link>https://blog.1password.com/1password-joins-microsoft-intelligent-security-association/</link><pubDate>Tue, 12 Nov 2024 00:00:00 +0000</pubDate><author>info@1password.com (Matt O'Leary)</author><guid>https://blog.1password.com/1password-joins-microsoft-intelligent-security-association/</guid><description> <img src='https://blog.1password.com/posts/2024/1password-joins-microsoft-intelligent-security-association/header.png' class='webfeedsFeaturedVisual' alt='1Password has joined the Microsoft Intelligent Security Association' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Here at 1Password, we’re on a mission to help businesses of all sizes secure every sign-in for every app.
To achieve that goal, it’s important that our solutions integrate with and elevate organizations’ existing infrastructure.</p> <p>Microsoft is one of the world’s largest enterprise software providers, and today we’re announcing that <strong>1Password has joined the Microsoft Intelligent Security Association</strong> (MISA).</p> <aside class="c-technical-aside-box c-technical-aside-box--background" aria-labelledby="what-is-misa"> <h2 class="c-technical-aside-box__title" id="what-is-misa"> What is MISA? </h2> <div class="c-technical-aside-box__description"> <p><a href="https://www.microsoft.com/en-us/security/business/intelligent-security-association">MISA</a> is an ecosystem of independent software vendors (ISVs) and managed security service providers (MSSPs) that have integrated their solutions with Microsoft Security technology to better defend customers against a world of increasing cyber threats.</p> <p>Our acceptance into MISA reflects how deeply <a href="https://1password.com/product/xam">1Password® Extended Access Management</a> and 1Password <a href="https://1password.com/product/enterprise-password-manager">Enterprise Password Manager</a> integrate with Microsoft solutions, and our commitment to supporting businesses that have invested in Microsoft’s ecosystem.</p> </div> </aside> <h2 id="two-seamless-integrations">Two seamless integrations</h2> <p>So far, 1Password has released two integrations, with Microsoft Sentinel and Microsoft Entra ID, that make it simpler for organizations to protect their employees and sensitive information.</p> <h3 id="microsoft-sentinel">Microsoft Sentinel</h3> <p>Microsoft Sentinel is a scalable, cloud-native security information and event management (SIEM) platform that lets businesses centralize threat detection, investigation, response, and proactive hunting.</p> <p>1Password’s integration lets businesses ingest event data from the 1Password Events API into Microsoft Sentinel.
Bringing information from 1Password Enterprise Password Manager into Microsoft Sentinel gives you a consolidated view into security events across your organization.</p> <p><a href="https://blog.1password.com/1password-microsoft-sentinel-siem/"><em>Learn more about 1Password’s integration with Microsoft Sentinel</em></a><em>.</em></p> <h3 id="microsoft-entra-id">Microsoft Entra ID</h3> <p>Microsoft Entra ID (formerly Azure Active Directory) is a cloud-based identity and access management solution. It can be <a href="https://www.microsoft.com/en-gb/security/business/identity-access/microsoft-entra-single-sign-on">configured with single sign-on</a> (SSO) so employees can securely access company resources using a single set of login credentials.</p> <p>By integrating Microsoft Entra ID with Device Trust – a key capability of Extended Access Management – businesses can make sure that only known, healthy, and compliant devices can access sensitive data. That includes both work-issued hardware and personal “BYOD” devices. Using Device Trust in tandem with Entra ID is a critical step for any organization that wants to adopt a zero trust strategy, which hinges on a “trust nothing and continuously verify” approach to access management.</p> <p><a href="https://support.1password.com/device-trust-entra/"><em>Learn more about 1Password’s integration with Microsoft Entra ID</em></a>.</p> <h2 id="microsoft--1password-better-together">Microsoft &amp; 1Password: Better together</h2> <p>These integrations are only the beginning. 
As a member of MISA, we’re excited about the opportunity to partner with Microsoft and make our identity security and access management solutions even more simple, seamless, and powerful for businesses that already have or are considering Microsoft services in their IT stack.</p> <p>If you’re not already a 1Password customer, <a href="https://1password.com/pricing">start a 14-day free trial</a> to experience the benefits of 1Password Enterprise Password Manager and Extended Access Management, including our integrations with Microsoft Sentinel and Microsoft Entra ID.</p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Request a demo of Extended Access Management</h3> <p class="c-call-to-action-box__text"> Schedule a demo of 1Password Extended Access Management to learn how to secure every sign-in, to every app, from every device. </p> <a href="#ZgotmplZ" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Schedule a demo </a> </div> </section></description></item><item><title>Managed vs personal Apple accounts in the workplace: An IT guide</title><link>https://blog.1password.com/managed-vs-personal-apple-accounts/</link><pubDate>Fri, 08 Nov 2024 00:00:00 +0000</pubDate><author>info@1password.com (Fritz Ifert-Miller)</author><guid>https://blog.1password.com/managed-vs-personal-apple-accounts/</guid><description> <img src='https://blog.1password.com/posts/2024/managed-vs-personal-apple-accounts/header.png' class='webfeedsFeaturedVisual' alt='Managed vs personal Apple accounts in the workplace: An IT guide' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Managed Apple Accounts may offer some benefits to workplace security, but teams will have to consider whether it&rsquo;s worth the sacrifice to the end-user 
experience.</p> <p>Apple devices rely on an <a href="https://support.apple.com/en-us/105023#:~:text=Your%20Apple%20Account%20is%20what,or%20phone%20number%20and%20password.">Apple Account</a> (formerly Apple ID) in order for various services and integrations to function (e.g., Find My), as well as to link software licenses purchased via the App Store. There are two distinct types of Apple Accounts which a device may be configured/associated with:</p> <ul> <li> <p>Personal Apple Account (default).</p> </li> <li> <p>Managed Apple Account (configured through Apple Business Manager or Apple Business Essentials).</p> </li> </ul> <p>Increasingly, employees are taking their organization-owned devices (such as MacBooks) off-site to use in a work from home (WFH) context. This shift has resulted in a greater overlap of personal and work-related activity taking place on organization-owned devices. For this reason, many organizations are reevaluating whether to permit employees to use their personal Apple Accounts. Here, we&rsquo;ll go over the various options for end-user Apple Accounts and the tradeoffs associated with each.</p> <h2 id="dealing-with-apple-account-in-a-corporate-environment">Dealing with Apple Account in a corporate environment</h2> <p>For <a href="https://blog.1password.com/what-is-device-trust/">1Password Device Trust</a>, we&rsquo;re often asked to build Checks relating to the configured Apple Account on devices. The most common form this question takes is:</p> <blockquote> <p><em>&ldquo;I want to find individuals using a personal email address for their Apple Account.&quot;</em></p> </blockquote> <p>Typically, admins want to forbid the use of personal Apple Accounts in order to exercise greater control over their Apple devices. However, this task comes with a number of downstream effects which you should be aware of before deciding how to proceed.</p> <p>Before we dive into the request, let&rsquo;s unpack Apple Accounts for a moment. 
As mentioned above, Apple Accounts are a tightly integrated component of the macOS and iOS experience, and understanding how they are used can help inform the scope of your security objectives.</p> <h2 id="what-capabilities-do-apple-accounts-enable">What capabilities do Apple Accounts enable?</h2> <p>The syncing services provided via personal Apple Accounts are considerable due to the intended quality of life benefits they offer a normal home user:</p> <ul> <li> <p><strong>iCloud Drive (Documents, Desktop, Photos):</strong> These synced User home directory folders allow a user to access documents they&rsquo;ve saved via iCloud.</p> </li> <li> <p><strong>Find My:</strong> Allows a user to remotely locate a device in the event it becomes lost or stolen.</p> </li> <li> <p><strong>Calendar, Contacts, and Mail:</strong> These basic apps/services can be configured with both personal and work information.</p> </li> <li> <p><strong>Media and Purchases:</strong> Apps purchased through the App Store are associated with the Apple Account which purchased them, and can be transferred from device to device.</p> </li> </ul> <h2 id="why-are-personal-apple-accounts-sometimes-a-concern-for-it-and-security-administrators">Why are personal Apple Accounts sometimes a concern for IT and security administrators?</h2> <p>There are a variety of reasons an IT or Security administrator may wish to limit or prohibit the use of personal Apple Accounts on company-provided devices. The following are some (but not all) possible reasons:</p> <h3 id="shadow-it">Shadow IT</h3> <p><a href="https://blog.1password.com/what-is-shadow-it/">Shadow IT</a> describes personal or unmanaged applications or devices which are not within the purview of the IT or Security team at an organization.</p> <p>A good example of Shadow IT would be an employee connecting their personal Dropbox account to their company laptop. 
An employer may worry that this personal Dropbox account could sync proprietary or sensitive organization data, with no ability for the company to know what was synced or to revoke access in the event the employee leaves the company.</p> <h3 id="activation-lock">Activation lock</h3> <p>Devices with a Secure Enclave (Intel Macs with the Apple T2 chip, all Apple Silicon Macs, and iPhones and iPads) support a feature called <a href="https://support.apple.com/en-us/HT208987">Activation Lock</a>. On devices that are not enrolled in MDM, this feature works with Find My to prevent a device from being reactivated or reimaged without the express authorization of the Apple Account registered on the device. This can pose an issue if a company-owned device (with Find My enabled) is returned to an IT department, as the device will not be serviceable until that Apple Account has been signed out or Find My has been disabled.</p> <p>For this reason, Apple <a href="https://support.apple.com/en-us/116942">expressly recommends</a> that personal users turn off Activation Lock when sending a device in for service or transferring ownership to another individual.</p> <h3 id="software-provisioning">Software provisioning</h3> <p>When an end-user purchases software licenses through the Apple App Store using their personal Apple Account, the license is non-transferable and linked to their Apple Account. This means that if the software is intended to be used for work purposes, that license cannot be re-provisioned to another end-user if the existing end-user discontinues their employment.</p> <h2 id="managed-apple-accounts-an-alternative-with-restrictions">Managed Apple Accounts: An alternative with restrictions</h2> <p>For a number of years, Apple has provided a more restricted version of Apple Account used in education environments through <a href="https://support.apple.com/en-my/guide/apple-school-manager/welcome/web">Apple School Manager</a>.
In 2018, Managed Apple IDs (now Managed Apple Accounts) became available to businesses as well. Managed Apple Accounts are provisioned, configured, and managed through <a href="https://support.apple.com/guide/apple-business-manager/welcome/web">Apple Business Manager</a>, or through <a href="https://www.apple.com/business/essentials/">Apple Business Essentials</a> (which is, broadly speaking, Apple Business Manager packaged with Apple&rsquo;s own MDM solution).</p> <h3 id="managed-apple-account-restrictions">Managed Apple Account restrictions</h3> <p>While Managed Apple Accounts are the only real alternative to personal accounts, they come with <a href="https://support.apple.com/guide/deployment/service-access-with-managed-apple-accounts-depdc4ba8d82/web">some real changes to user experience</a>.</p> <p><strong>iCloud restrictions</strong></p> <ul> <li> <p>Find My is disabled.</p> </li> <li> <p>Health is disabled.</p> </li> <li> <p>iCloud Family Sharing is disabled.</p> </li> <li> <p>iCloud Mail is disabled.</p> </li> <li> <p>All iCloud+ services (e.g., Private Relay) are unavailable.</p> </li> <li> <p>Apple Pay is unavailable.</p> </li> </ul> <p><strong>Media &amp; content restrictions</strong></p> <p>Media-related Apple services, subscriptions, and stores (e.g., Apple One, Apple Arcade, Apple TV+) are completely inaccessible with a Managed Apple Account.</p> <p>In addition, users can browse but not purchase or download items in the App Store, iTunes Store, and Apple Books.</p> <p>Instead, administrators <a href="https://support.apple.com/guide/deployment/distribute-managed-apps-dep575bfed86/1/web/1.0">must manually distribute apps through a Mobile Device Management (MDM) solution</a>.</p> <p><strong>Individual and role-based restrictions</strong></p> <p>Managed Apple Accounts can also be assigned different role-based administration and denied access to certain other Apple services, like Apple Wallet, FaceTime, or Apple Developer content,
depending on the company&rsquo;s policies or the employee&rsquo;s role.</p> <p><strong>BYOD device restrictions</strong></p> <p>The role that Managed Apple Accounts can or can&rsquo;t play in BYOD scenarios is worth mentioning as well.</p> <p>Employees using a personal macOS or iOS device can log into that device with multiple accounts, switching between their Managed and Personal Apple Account. However, this may disrupt workflows, and users requiring Windows or Linux devices will certainly have issues.</p> <p>Also, for companies using an IdP and an MDM solution, Apple now requires User Enrollment for BYOD devices, which keeps the user&rsquo;s Personal Apple Account and data separate from what the MDM manages. User Enrollment is only possible with a Managed Apple Account, so even if your company allows Personal Apple Accounts, you&rsquo;ll need to provision Managed Apple Accounts for any users looking to enroll a personal device in your MDM.</p> <h3 id="managed-apple-account-benefits">Managed Apple Account benefits</h3> <ul> <li> <p>Apple Account access can be provisioned, configured, managed, and revoked for onboarding/off-boarding purposes.</p> </li> <li> <p>Apple Account passwords can be reset by an administrator if a user forgets their password.</p> </li> <li> <p>App Store app licenses can be centrally managed, purchased, and distributed/re-provisioned as needed.</p> </li> <li> <p>If iCloud FileVault recovery is configured, an administrator can recover FileVault without an escrowed key via Apple Account password reset.</p> </li> <li> <p>Managed Apple Accounts can be restricted to only allow use on supervised or managed devices.</p> </li> </ul> <p>As you can see, there are a significant number of considerations to take into account (no pun intended) before deciding which path is best for your organization, and the level of control/restriction you wish to deploy.</p> <h2 id="what-are-my-choices-as-an-employer">What
are my choices as an employer?</h2> <p><strong>Option 1:</strong> Allow end-users to use their personal Apple Account with their work laptop.</p> <p>We believe this is the best choice for organizations that do not have an explicit compliance requirement prohibiting Apple Account/iCloud usage. The risk of unauthorized data syncing is no greater than an employee uploading or emailing sensitive files via other services. If your organization uses an MDM solution, you can manage items such as Activation Lock and FileVault 2 Recovery without the need for a Managed Apple Account.</p> <p><strong>Option 2:</strong> Assign and configure Managed Apple Accounts for employees and require their usage on managed devices.</p> <p>This will permit greater control by security and IT teams, at the cost of reduced or restricted end-user functionality.</p> <p><strong>Option 3:</strong> Use a personal Apple Account with a corporate email.</p> <p>See below for why this is not recommended.</p> <h3 id="why-not-to-use-personal-apple-accounts-with-company-emails">Why not to use personal Apple Accounts with company emails</h3> <p>Having an employee use their work email to sign up for a personal Apple Account might seem like an ideal workaround, but in reality, you get none of the benefits of a Managed Apple Account while negatively impacting the user experience of your employee (e.g., preventing them from installing apps from the App Store).</p> <p>You will not be able to:</p> <ul> <li> <p>Centrally configure or manage company Apple Accounts.</p> </li> <li> <p>Provision software.</p> </li> <li> <p>Restrict which devices can log into the account.</p> </li> <li> <p>Reset passwords.</p> </li> <li> <p>Revoke access to any services or synced data when the employee leaves.</p> </li> </ul> <p>Furthermore, the employee will still be able to sync files and services to iCloud, purchase software licenses, Activation Lock their device, etc.</p> <p><strong>A caveat to these limitations</strong></p> <p>Some 
teams work around the limitations of Personal Apple Accounts configured via work email address by assuming they can access the employee&rsquo;s email upon termination.</p> <p>By accessing an employee&rsquo;s work email (which they signed up for the Apple Account with), an administrator may be able to reset the password and delete any synced information, prevent the end-user from accessing that Apple Account, and ensure that any linked services requiring Apple Account authorization (e.g., Activation Lock) can be disabled by the administrator.</p> <h2 id="final-thoughts-choosing-the-right-strategy">Final thoughts: choosing the right strategy</h2> <p>There is no perfect option here, and every route requires some tradeoffs between security, privacy, and user experience.</p> <p>It is ultimately up to the IT or Security team to decide which path is best for their organization. Whatever you choose, 1Password Device Trust can then assist in identifying the Apple Accounts connected to a device, and notify users and admins if any do not match your policy.</p> <p><em>Want to learn more about how 1Password Device Trust can help you tailor your access management policies? 
<a href="https://1password.com/contact-sales/xam?utm_ref=xam">Reach out for a demo!</a></em></p></description></item><item><title>We need better systems for vulnerability management</title><link>https://blog.1password.com/better-systems-for-vulnerability-management/</link><pubDate>Wed, 06 Nov 2024 00:00:00 +0000</pubDate><author>info@1password.com (Jason Meller)</author><guid>https://blog.1password.com/better-systems-for-vulnerability-management/</guid><description> <img src='https://blog.1password.com/posts/2024/better-systems-for-vulnerability-management/header.png' class='webfeedsFeaturedVisual' alt='We need better systems for vulnerability management' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">The systems in place to manage software vulnerabilities are often overwhelming and ineffective. But that can change if teams enlist their end users to remediate vulnerabilities.</p> <p>Organizations that implement an effective vulnerability management program benefit in two ways. First, they are compromised less often. Second, if a single device does become compromised, the degree of lateral movement an attacker can enjoy is significantly constrained.</p> <p>But even though endpoint vulnerability management has always been vital to cybersecurity, it&rsquo;s a tough nut to crack. That&rsquo;s especially true when you take a <a href="https://blog.1password.com/vulnerability-management-goes-much-deeper-than-patching/">broad view</a> on your fleet&rsquo;s vulnerabilities, which could include everything from <a href="https://watchtower.1password.com/">shoddy passwords</a> to EOL software. But even if we narrow the scope to patch management for software vulnerabilities, we&rsquo;re talking about a major challenge.</p> <p>I recently came across a <a href="https://www.ibm.com/downloads/cas/YLQPAJZV">sobering 2020 study</a> by the Ponemon Institute about on-premise and cloud vulnerabilities. 
The following statement leapt off the page:</p> <blockquote> <p><em>&ldquo;Fifty-three percent of respondents say their organizations had a data breach in the past two years. […] of these data breaches, 42 percent of respondents say they occurred because a patch was available for a known vulnerability but not applied.&rdquo;</em></p> </blockquote> <p>Meanwhile, Verizon&rsquo;s 2024 Data Breach Investigations Report (DBIR) shows that the problem is only getting worse. As they put it, in 2024 &ldquo;attacks involving the exploitation of vulnerabilities as the critical path to initiate a breach&hellip;almost tripled (180% increase) from last year.&rdquo;</p> <p>A failure in detection is unfortunate but easy to understand and forgive. As IT administrators and security practitioners, we know it is not possible to enumerate all potential flaws in installed software.</p> <p>That isn&rsquo;t the case here. Here, the problems are known in advance and on a list of things to be fixed! What we have isn&rsquo;t a failure in detection but a failure in our remediation processes. In many organizations, these processes are either totally broken or simply do not scale.</p> <p>To fix these processes, we need to understand the root causes that left them so flawed. Luckily, we don&rsquo;t have to look far, as many of these problems are rooted in the fundamental design of the vulnerability program itself.</p> <h2 id="the-naive-top-down-approach">The naive top-down approach</h2> <p>When organizations plan their first vulnerability detection and management programs, they tend to approach it by following these steps:</p> <ol> <li> <p>Create a central inventory of the software across your fleet.
(<a href="https://1password.com/product/xam">1Password® Extended Access Management</a> does this asset management for you)</p> </li> <li> <p>Parse vulnerability data feeds like the <a href="https://nvd.nist.gov/">National Vulnerability Database</a>, usually with some form of vulnerability scanning software.</p> </li> <li> <p>Compare the data between the feed and the inventory to find your list of software vulnerabilities.</p> </li> <li> <p>Filter and prioritize vulnerabilities based on the CVSS score or other criteria.</p> </li> <li> <p>Create an alerting/notification capability to drive vulnerability remediation.</p> </li> </ol> <p>I call this a top-down approach because it starts from a list of all known software vulnerabilities and then works downward, applying them to devices in an organization&rsquo;s fleet.</p> <p>On the surface, this appears to be an approach that <em>should</em> reduce the risk of serious compromise. But does it help in practice?</p> <p>The answer is no.</p> <h2 id="classic-vulnerability-management-does-not-yield-actionable-remediation">Classic vulnerability management does not yield actionable remediation</h2> <p>The top-down strategy is designed to send the maximum amount of information to a small team of expert human operators. 
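</p> <p>The five steps above, as an added example written for this edit (it is not code from the post or from 1Password&rsquo;s products): it joins a constructed software inventory to a constructed advisory feed, keeps only the installs whose version is below the fix, and ranks the result by CVSS, which is the list that lands on the operator&rsquo;s desk. The product names, versions, scores, placeholder advisory IDs (not real CVEs) and the <code>self_updates</code> flag are all assumptions made for the example.</p>

```python
"""Naive top-down vulnerability matching over constructed data (added example)."""
from __future__ import annotations

from dataclasses import dataclass


def parse_version(text: str) -> tuple[int, ...]:
    """Parse "3.3.10" into (3, 3, 10) so comparisons are numeric, never lexical."""
    return tuple(int(part) for part in text.split("."))


@dataclass(frozen=True)
class Advisory:
    """One feed record, shaped loosely like an NVD entry. Values are placeholders."""
    advisory_id: str
    product: str
    fixed_in: str        # first version that is not affected
    cvss: float
    self_updates: bool   # assumed: the vendor's own updater installs the fix unattended


# Constructed feed (step 2): placeholder IDs, not real CVEs.
FEED = [
    Advisory("EXAMPLE-0001", "chrome", "120.0", 9.8, self_updates=True),
    Advisory("EXAMPLE-0002", "iterm2", "3.3.6", 8.8, self_updates=False),
    Advisory("EXAMPLE-0003", "legacy-vpn", "9.9", 7.5, self_updates=False),
    Advisory("EXAMPLE-0004", "slack", "4.30", 5.3, self_updates=True),
]

# Constructed inventory (step 1): device -> {product: installed version}.
INVENTORY = {
    "mbp-alice": {"chrome": "119.0", "iterm2": "3.3.4"},
    "mbp-bob": {"chrome": "121.0", "iterm2": "3.3.10", "legacy-vpn": "9.2"},
}


@dataclass(frozen=True)
class Finding:
    device: str
    advisory_id: str
    product: str
    installed: str
    fixed_in: str
    cvss: float
    self_updates: bool


def match_vulnerabilities(inventory: dict, feed: list[Advisory]) -> list[Finding]:
    """Steps 3 and 4: join inventory to feed, keep affected versions, rank by CVSS descending."""
    findings: list[Finding] = []
    for device, apps in inventory.items():
        for adv in feed:
            installed = apps.get(adv.product)
            if installed is None:
                continue  # product not present on this device: nothing to report
            if parse_version(installed) < parse_version(adv.fixed_in):
                findings.append(Finding(device, adv.advisory_id, adv.product, installed,
                                        adv.fixed_in, adv.cvss, adv.self_updates))
    findings.sort(key=lambda f: f.cvss, reverse=True)
    return findings


def actionable(findings: list[Finding]) -> list[Finding]:
    """Drop findings the vendor's updater will close on its own; what remains needs a human."""
    return [f for f in findings if not f.self_updates]


if __name__ == "__main__":
    ranked = match_vulnerabilities(INVENTORY, FEED)
    for f in ranked:
        print(f"{f.cvss:>4} {f.device:10} {f.product:11} {f.installed} < {f.fixed_in}  {f.advisory_id}")
    print(f"{len(ranked)} findings, {len(actionable(ranked))} need someone to act")
```

<p>On this data the CVSS ranking puts the Chrome finding first, yet it is the one that will close itself on the next auto-update; the two lower-scored findings are the ones that actually need a person. Ranking by score alone is what fills the operator&rsquo;s queue with the non-actionable entries described below.</p> <p>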
Then, they&rsquo;re expected to triage it and drive remediation.</p> <p>Unfortunately, this approach only works well if the following is true:</p> <ol> <li> <p>An operator can quickly review all possible use cases of any device.</p> </li> <li> <p>All aspects of any device – from the operating system, to the software, to the configuration – can be managed remotely and in a scalable way.</p> </li> <li> <p>There is always a safe way to remediate the vulnerability (or mitigate the risk).</p> </li> </ol> <p>For most real-life situations, that&rsquo;s a fairy tale.</p> <p>In the real world, it&rsquo;s pretty standard for vulnerability management software to enumerate long, flashing red lists of software vulnerabilities that:</p> <ul> <li> <p>Have no vendor-supported remediation path.</p> </li> <li> <p>Relate to software that is not important or even used.</p> </li> <li> <p>Overstate their applicability and their severity.</p> </li> <li> <p>Will be fixed automatically without any intervention.</p> </li> <li> <p>Are just straight-up false positives.</p> </li> </ul> <p>While these problems affect both servers and endpoints, end-user-driven endpoints are the worst fit for this approach. IT and security teams are inundated with long lists of software vulnerabilities, most of which will be low quality and non-actionable. Soon, alert fatigue sets in, and the entire program is put at risk.</p> <p>To compensate, IT teams often do precisely the wrong thing. Rather than change their vulnerability management process, they force the endpoints to change to best suit it. For end-user-driven devices, this means maximizing the amount of remote management IT does on the device, and minimizing the management tasks typically done by an end-user.</p> <p>But end-user devices <em>are</em> multi-purpose, and those purposes cannot be fully known in advance. It&rsquo;s nearly impossible for a skilled operator to triage vulnerabilities correctly.
This creates a negative feedback loop where the operator will seek <em>more</em> data and <em>more</em> control over these endpoints.</p> <p>Counterintuitively, this just makes the problem worse. The data needed by the IT team to make good decisions on behalf of the user starts to feel like dystopian-level surveillance. End-users begin to notice the performance and productivity impacts of endpoint management software. It&rsquo;s not too long before an employee either works around it or starts using personal devices instead. When this ultimately happens, instead of reducing risk, you&rsquo;ve eliminated your ability to enumerate it.</p> <h2 id="an-end-user-focused-approach-to-vulnerability-management">An end-user focused approach to vulnerability management</h2> <p>In security, we often let perfect be the enemy of good. This makes us blind to novel solutions that can significantly reduce (but not eliminate) the likelihood of a device becoming compromised.</p> <p>One of those novel solutions is to enlist the help of the end-users directly and have them remediate serious vulnerabilities for us. As we wrote in <a href="https://honest.security/">Honest Security</a>:</p> <blockquote> <p><em>End-users can make rational and informed decisions about security risks when educated and honestly motivated.</em></p> </blockquote> <p>To apply the values of Honest Security to vulnerability remediation, we need to devise a system optimized for end-users. 
This means:</p> <ul> <li> <p>Encouraging preventative behaviors (like keeping the OS and apps up-to-date) rather than reacting to individual vulnerabilities.</p> </li> <li> <p>Ensuring issues reported to end-users are always accurate, instead of an exhaustive but potentially flawed list of vulnerable software.</p> </li> <li> <p>Sacrificing reporting speed in favor of waiting for vendor-supported patches to be available.</p> </li> <li> <p>Focusing only on the high impact vulnerabilities.</p> </li> </ul> <p>This approach does not give you &ldquo;perfect&rdquo; vulnerability management. That&rsquo;s ok because we aren&rsquo;t looking for perfection. Instead, we get an imperfect, yet more effective tool to manage the nuances of patching vulnerabilities, particularly in apps where traditional automation cannot work. That is a significant upgrade from classic top-down vulnerability management.</p> <h2 id="apply-these-principles-to-device-posture-checks">Apply these principles to device posture Checks</h2> <p>In the 1Password Extended Access Management device trust product, our Checks feature allows IT administrators to verify that their devices are meeting specific requirements in their security posture. For instance, <a href="https://blog.1password.com/what-is-device-trust/">our device trust solution ships with a check to ensure Google Chrome is always up-to-date</a>.</p> <p>It also deploys checks to look for known violations of IT policy or high-impact security risks. This can include:</p> <ul> <li> <p>Evil applications (e.g. <a href="https://blog.1password.com/ai-browser-extension-nightmare/">malicious browser extensions</a>)</p> </li> <li> <p>Misappropriated sensitive data or credentials (e.g. incorrectly stored 2FA backup codes)</p> </li> <li> <p>Specific high-impact software vulnerabilities</p> </li> </ul> <p>When a highly publicized new vulnerability hits the news, customers will frequently ask us if we will build a check that detects it. 
With our end-user focus, we approach these decisions by answering the following questions:</p> <ol> <li> <p>Does this vulnerability easily allow for remote code execution with minimal or no user interaction?</p> </li> <li> <p>Is it unlikely the vulnerable software will update itself within a reasonable time frame without end-user or IT intervention?</p> </li> <li> <p>Is there a straightforward vendor-provided patch available?</p> </li> <li> <p>Is the likelihood low that this software will have a similar issue in the next 90 days?</p> </li> </ol> <p>If the answers to all of the above are a resounding yes, then it meets the criteria for end-user remediation, and therefore, it makes sense for us to ship a new check.</p> <p>To demonstrate why these questions matter, let&rsquo;s work through an example where we created such a check. Specifically, let&rsquo;s talk about <a href="https://blog.mozilla.org/security/2019/10/09/iterm2-critical-issue-moss-audit/">CVE-2019-9535</a>, a 2019 vulnerability in popular terminal software iTerm2. To summarize, this vulnerability allows an attacker to craft specific output that, when viewed in the terminal, could cause the software to execute arbitrary commands. Now that we understand the nature of the vulnerability, let&rsquo;s walk through the checklist above.</p> <hr> <h3 id="does-this-vulnerability-easily-allow-for-remote-code-execution-with-minimal-or-no-user-interaction">Does this vulnerability easily allow for remote code execution with minimal or no user interaction?</h3> <p>Yes. According to the report, during the ordinary course of using the app, a user can be easily tricked into running the exploit. 
It can then be leveraged to compromise the integrity of their device completely.</p> <p>If this vulnerability <em>didn&rsquo;t</em> result in an RCE, and simply crashed a device, it wouldn&rsquo;t be worth fatiguing the user with notifications.</p> <h3 id="is-the-likelihood-low-that-the-vulnerable-software-will-update-itself-within-a-reasonable-time-frame-without-end-user-or-it-intervention">Is the likelihood low that the vulnerable software will update itself within a reasonable time frame without end-user or IT intervention?</h3> <p>Yes. iTerm2 is not an auto-updating app (more on this later). While it does prompt users when an update is available, these updates can be easily skipped by users. This means we cannot even be reasonably sure that all the vulnerable versions running in our environment will get patched.</p> <p>If this app auto-updated, and the likelihood of the vulnerability being exploited within 30 days was low, it wouldn&rsquo;t be worth fatiguing the user with a notification.</p> <h3 id="is-there-a-clear-vendor-provided-mitigation-available">Is there a clear vendor-provided mitigation available?</h3> <p>Yes. Simply following the update prompts will immediately patch the vulnerability. An end-user will have no trouble mitigating the risk, and we should have no problem writing step-by-step instructions that anyone familiar with the app can follow.</p> <p>Why does this matter? It&rsquo;s common for severe vulnerabilities to be reported days or even weeks before a vendor can develop a mitigation or a patch. Sometimes the vendor-supported solutions <em>never</em> arrive. We must wait for the most user-friendly solution to become available so that we can drive the maximum impact through end user notifications. 
Fatiguing end users with issues they can&rsquo;t fix will simply train them to ignore the ones they <em>can</em>.</p> <h3 id="is-the-likelihood-low-that-this-software-will-have-a-similar-issue-in-the-next-90-days">Is the likelihood low that this software will have a similar issue in the next 90 days?</h3> <p>Yes. We can&rsquo;t predict the future, but iTerm2 historically hasn&rsquo;t had many vulnerabilities, and it is unlikely to have another with a similar severity in the next three months.</p> <p>This is important; we don&rsquo;t want to fatigue end-users with a deluge of issues for the same application (especially when they just fixed it). If we think another vulnerability will be reported soon, we may either wait a few weeks to see how the situation develops or, if the app is essential, add it to a list of apps we always ask users to keep up-to-date.</p> <hr> <p>As you can see from the above example, we <em>only</em> want to contact end users about serious problems, and <em>only</em> when we can provide a clear path to remediation.</p> <p>As for what that path is, we&rsquo;ll use 1Password Device Trust&rsquo;s method as an example. Once we&rsquo;ve determined that we want end users to apply a specific patch, we&rsquo;ll create a Check that uses osquery to see which devices have an unpatched version of the software.</p> <p>For any device that does, 1Password Device Trust will send a menu bar alert with clear instructions on how to apply the patch. It will also provide consequences. If a user fails to remediate vulnerabilities within a certain amount of time, then they won&rsquo;t be able to authenticate into company systems. That way, your team has peace of mind that device vulnerabilities can&rsquo;t be used to breach systems. While the above rubric can be applied to most apps, auto-updating apps, like web browsers, change the calculus significantly. 
Let&rsquo;s discuss.</p> <h2 id="what-about-evergreen-apps">What about evergreen apps?</h2> <p>Many of our most important apps manage their own update process outside of the operating system&rsquo;s central software update. Apps that do this are often known as evergreen apps, and they can significantly complicate the vulnerability management remediation story.</p> <p>Plenty of apps automatically keep themselves up-to-date without the user needing to participate at all (not even by clicking an &ldquo;install update&rdquo; button). In theory, every time you launch the app, you are using the latest version. Modern web browsers are the canonical example, with Google popularizing the practice shortly after its Chrome Browser was released in 2008.</p> <p>Auto-updating apps have significant advantages over apps with different release and update strategies. Before the majority of the web browser industry became evergreen, developers would often be stuck supporting web browsers that were years old. Today, if a vendor ships a new release, web developers can expect that release to become the dominant version in less than a month.</p> <p>As I write this blog post, I am currently running the following auto-updating apps: Google Chrome, Slack, Discord, and VSCode. To be honest, I&rsquo;m not even sure if that is all of them. 
The benefit of the auto-update process is how seamless it is; as a user, I simply don&rsquo;t think about it.</p> <h3 id="how-to-reason-about-the-vulnerability-of-auto-updating-apps">How to reason about the vulnerability of auto-updating apps</h3> <p>Remember the old philosophical question: &ldquo;If a tree falls in the woods, but no one is around, does it make a sound?&rdquo; Well, with auto-updating apps, we have a similar one to consider – if an app is vulnerable on disk but when launched is immediately updated to the non-vulnerable version, was it even vulnerable to begin with?</p> <p>The answer – as I&rsquo;ve learned from experience – is &ldquo;it depends.&rdquo; Let&rsquo;s explore what important information we need to know the answer definitively.</p> <p>We need to understand the probability of an exploit successfully running against a vulnerable auto-updating app <em>before</em> it has a chance to upgrade itself.</p> <p>To do that, we need more data about the app itself, the device that&rsquo;s running it, and even the person who uses that device. We can split this into two simple criteria.</p> <h3 id="criteria-1-is-it-easy-to-activate-the-exploit">Criteria #1: Is it easy to activate the exploit?</h3> <p>For example, let&rsquo;s take an attacker attempting to leverage an RCE-style vulnerability. This attacker will likely take a two-step approach: build a reliable exploit and then find a reliable way to get their victims to trigger it. Knowing how likely a victim is to trigger the exploit is vital information, and is different for each device and end-user you are considering.</p> <p>To enumerate this risk, we often think about the following (ordered by severity):</p> <ul> <li> <p>Can the attacker trigger the exploit via a communication channel that pushes untrusted content to end-users? (e.g. 
email, SMS, iMessage, etc.)</p> </li> <li> <p>Can the attacker craft a malicious URL that causes the app to launch and immediately load the exploit?</p> </li> <li> <p>Can the attacker craft a malicious file that causes the app to immediately load the exploit when opened?</p> </li> <li> <p>Is the exploit so ubiquitously distributed that a user is likely to encounter the malicious payload through the normal course of their duties?</p> </li> </ul> <p>If we can answer in the affirmative to at least two of the three criteria above, then yes, this exploit is a threat.</p> <h3 id="criteria-2-after-launch-how-quickly-does-the-app-update">Criteria #2: After launch, how quickly does the app update?</h3> <p>When an update is released, evergreen apps are supposed to apply the update quickly. Unfortunately, this isn&rsquo;t always the case. Not all apps poll for updates as frequently as you&rsquo;d expect, and if the update process isn&rsquo;t working correctly, an important update may never be applied. An obvious sign is when you see a very old version of an auto-updating app running.</p> <p>The real devils can be found in the weird nuances around <em>how</em> an app auto-updates. More specifically: after the update, can multiple versions of the app exist simultaneously?</p> <p>There are two main auto-update strategies, each with slightly different risks:</p> <p><strong>Seamless full update</strong></p> <p>This is the best strategy. The update is downloaded and applied in the background, and the app restarts without any user interaction.</p> <p><strong>User action required</strong></p> <p>This is the worst strategy. 
Even after the update is downloaded and applied to the app in the background, the old code still runs until the user takes action (like entirely restarting the app).</p> <h3 id="three-approaches-to-autoupdate-vulnerability-management">Three approaches to auto-update vulnerability management</h3> <p>You want to pick one of the following vulnerability management strategies for each app based on the criteria above.</p> <p><strong>Strategy #1: Ensure app is always up-to-date</strong></p> <p>In this strategy, we inform the user every time the app is out of date, within a grace period. A good example is <a href="https://blog.1password.com/extended-access-management-patch-management/">the Chrome Check</a> in 1Password Device Trust.</p> <p>This strategy is a good fit for common, regularly used apps that receive a continuous stream of security updates. 1Password Device Trust chooses this for web browsers and other apps with regular exposure to untrusted user-generated content (webpages).</p> <p>In this strategy, the key to minimizing fatigue is to only generate an issue if we detect the app is in-use and out of date, <em>unless</em> there is a pathway to activate the exploit through opening an arbitrary file or via a link.</p> <p><strong>Strategy #2: Ensure app has the latest security-related update applied</strong></p> <p>This strategy is similar to #1, but instead of requiring all updates to be applied, we need to understand the release announcement and its security impact <em>before</em> asking a user to perform the upgrade.</p> <p><strong>Strategy #3: Ensure app auto-update system is working</strong></p> <p>This strategy detects if a regularly launched app is significantly out of date. This is a good indicator that the app&rsquo;s automatic update is damaged or has been disabled intentionally by an advanced user.</p> <p>This is a good strategy for apps with exposure similar to a web browser&rsquo;s but fewer vulnerabilities. Slack is an excellent example of this. 
It&rsquo;s an app that really should always be up-to-date. If it isn&rsquo;t, it&rsquo;s a great indicator that something has gone wrong.</p> <hr> <h2 id="pulling-it-all-together">Pulling it all together</h2> <p>As we&rsquo;ve learned above, we need to let go of any preconceived notions of what makes an effective vulnerability management program. That will open our minds to novel ideas that allow us to make real headway on securing user devices.</p> <p>The key is to distill down the use cases that end users can solve on their own, and use tools that allow you to effectively communicate with them at scale, enabling them to keep their devices secure. This has the added benefit of freeing up time and toil for admins who were previously inundated with an ever-growing list of CVEs – many of which are totally unimportant – to manage for their entire fleet.</p> <p>If the issues we ask our users to fix don&rsquo;t feel important, are wrong, or aren&rsquo;t actionable, we will lose their trust. When that happens, we&rsquo;ve lost one of the most effective resources we have to solve our most challenging and nuanced security issues.</p> <p>If you are interested in learning more about end-user-driven remediation and the philosophy behind it, I encourage you to read <a href="https://honest.security/">Honest Security</a>. 
If you want to get started with a turn-key product built on top of these principles, you should check out <a href="https://1password.com/product/xam">1Password Extended Access Management</a>.</p></description></item><item><title>IBM's Troy Bettencourt shares key insights from the 2024 Cost of a Data Breach Report</title><link>https://blog.1password.com/troy-bettencourt-cost-data-breach-interview/</link><pubDate>Tue, 05 Nov 2024 00:00:00 +0000</pubDate><author>info@1password.com (Jenn Marshall)</author><guid>https://blog.1password.com/troy-bettencourt-cost-data-breach-interview/</guid><description> <img src='https://blog.1password.com/posts/2024/troy-bettencourt-cost-data-breach-interview/header.png' class='webfeedsFeaturedVisual' alt="IBM's Troy Bettencourt shares key insights from the 2024 Cost of a Data Breach Report" style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">It should be no surprise that the costs associated with a corporate data breach can be high. (The average total cost <a href="https://newsroom.ibm.com/2024-07-30-ibm-report-escalating-data-breach-disruption-pushes-costs-to-new-highs">is now nearly $5 million</a>, according to IBM.) 
What may be more alarming is the average length of time it takes for businesses to recover from a breach – and what that means for their security teams, business operations, and bottom line.</p> <p>To unpack these numbers and the rest of IBM’s latest Cost of a Data Breach Report, Michael “Roo” Fey, Head of User Lifecycle and Growth at 1Password, sat down with Troy Bettencourt, a global partner at IBM and head of IBM X-Force, on the <a href="https://randombutmemorable.simplecast.com/">Random But Memorable</a> podcast.</p> <p>Beyond costs, the conversation ranged from AI-powered prevention tools to how executive leadership can make or break a response, even if all the right technology is in place.</p> <p>To learn more about these topics, as well as Bettencourt’s advice for developing an effective incident response plan, read the interview highlights below or <a href="https://randombutmemorable.simplecast.com/episodes/relic-robot-printer-report">listen to the full podcast episode</a>.</p> <div style="text-align: center !important;"> <iframe src="https://www.youtube-nocookie.com/embed/kHAb5EQzB5k?si=BX86GpaHGcdFEXhi" frameborder="0" allow="autoplay; encrypted-media" width="500px !important;" height="281px !important;" style="width: 500px !important; height: 281px !important; display: inline-block !important" allowfullscreen></iframe> </div> <p><em>Editor’s note: This interview has been lightly edited for clarity and brevity. The views and opinions expressed by the interviewee don’t represent the opinions of 1Password.</em></p> <p><strong>Michael Fey: Can you give a little background on yourself and the work you&rsquo;ve done in cybersecurity?</strong></p> <p><strong>Troy Bettencourt:</strong> My career started about 20 years ago in cybersecurity in United States federal law enforcement. I worked for an agency focused on cybercrime against U.S. resources, mostly military defense. When I was there, I led some of the largest investigations we&rsquo;ve had. 
In the interest of not doxing myself, I won&rsquo;t drop any particular case names because we were targeted by Anonymous and other groups. So, we&rsquo;ll try to stay off that radar!</p> <p>After about nine years of federal cybercrime service across two different agencies, I worked for a security consultancy and then moved into the private sector with IBM two years ago. My background is primarily on the incident response side but my background is definitely on the blue side. I have really smart people on the red side. I took this role in March as the <a href="https://www.ibm.com/x-force/team">head of X-Force</a> and, as I mentioned, we&rsquo;re a security consultancy that pretty much brings the full spectrum of blue and red solutions.</p> <p><strong>MF: Let&rsquo;s get into the Cost of a Data Breach Report. Can you start off giving us some background on how the research is conducted and the main purpose of the report?</strong></p> <p><strong>TB:</strong> We&rsquo;ve been doing the <a href="https://www.ibm.com/reports/data-breach">Cost of a Data Breach (CODB) Report</a> for 19 years. The 19th-year trend analysis is pretty cool. It&rsquo;s conducted by a third party, the Ponemon Institute, with whom we partner, and they survey companies that are not just IBM clients.</p> <p>This is really key because a lot of the &lsquo;this is the state of cybersecurity&rsquo; reports out there are all going to have their own aperture. For example, if you&rsquo;re a managed security service provider (MSSP) or a product company in a specific vertical, you may do a survey or a study of your own clients. Or you may only survey large enterprise or small business. Or maybe you skew towards a sector like financial services or industrial. It narrows the aperture.</p> <p>We feel the CODB report adds a certain layer that isn&rsquo;t there in most reports, but I&rsquo;m not saying it&rsquo;s better than any of the others. 
A smart security practitioner should be taking all of these reports, understanding where their data comes from, the methodology behind them, and then really tailoring all of that to be something that&rsquo;s meaningful for them.</p> <p><strong>MF: What are some of the most important findings?</strong></p> <p><strong>TB:</strong> Three big ones. First, the impact of breaches isn&rsquo;t increasing, it&rsquo;s just continuing. And by impact, costs are part of it. This year was about a 10% year-over-year increase in cost.</p> <p>Second, we&rsquo;ve really started focusing on what&rsquo;s the business disruption, not just the cost itself, but the things that might be a little harder to quantify. Seventy percent of the businesses that were surveyed this year reported significant disruption from their breach, and recovery on average took longer than 100 days.</p> <blockquote> <p><em>&ldquo;Recovery on average took longer than 100 days.&rdquo;</em></p> </blockquote> <p>Companies are already trying to run lean operations with staffing and resourcing that matches what their demand is <em>now</em>, under normal circumstances. When you throw something like a breach on for 100 days, it can overwhelm security teams and infrastructure teams. It&rsquo;s pretty challenging.</p> <p>Third is the impact of AI-powered prevention. Right now that&rsquo;s mostly in the form of security solutions that use AI, like EDR solutions (endpoint detection and response), XDR solutions (extended detection and response), SIEM (security information and event management), SOAR (security orchestration, automation, and response), that area. That saves on average about $2.2 million on breach costs.</p> <blockquote> <p><em>&ldquo;The human mind cannot digest the number of alerts coming out of any of these security solutions in a meaningful way.&rdquo;</em></p> </blockquote> <p>Fundamentally, that comes down to what we refer to as the mean time to identify or detect that you&rsquo;ve been breached. 
And then the mean time to respond or contain – so how quickly can you get your hands around it and minimize future damage. If you can reduce those times, you reduce costs. With the scale of telemetry nowadays, you need AI to do that. The human mind cannot digest the number of alerts coming out of any of these security solutions in a meaningful way.</p> <p><strong>MF: Over a quarter of the year spent trying to recover from a breach is wild. That&rsquo;s a huge disruption.</strong></p> <p><strong>TB:</strong> It&rsquo;s insane, isn&rsquo;t it? Take everything else out of it. If you&rsquo;re a business, that&rsquo;s 100 days with a lack of laser focus on your objectives and your business operations. And then, the data theft.</p> <p>Everyone is talking about ransomware. It’s still a risk, I’m not minimizing it. But our report and most others have seen a decline in the use of ransomware. Several years back you started to see ransomware and data theft, and we moved into other threat actor activities. But data theft still continues to be a key objective. It&rsquo;s getting harder and harder to get ransomware to work impactfully with security tools getting better, but data theft is still pretty easy.</p> <blockquote> <p><em>&ldquo;Our report and most others have seen a decline in the use of ransomware.&rdquo;</em></p> </blockquote> <p>A lot of large enterprises struggle to know where their data is across their disparate enterprise. Particularly hybrid companies if they&rsquo;re cloud and on-prem and have multiple cloud providers. And the other is understanding the sensitivity and classification of that data across an enterprise, especially if you&rsquo;re now 30, 40 years into an IT operation. There&rsquo;s a lot of legacy debt there. There&rsquo;s a lot of stuff stuffed in little dusty corners, and that&rsquo;s really where we&rsquo;re seeing a lot of impact.</p> <p><strong>MF: Does the report get into causes of data breach? 
Are there any new trends?</strong></p> <p><strong>TB:</strong> I don&rsquo;t think we&rsquo;ve seen significant changes. We&rsquo;ve seen continuation of trends. One, as I mentioned earlier, reducing the mean time to detect and respond is massive. That can save you up to $2 million a year just in breach costs.</p> <p>The other is we keep seeing stolen credentials, whether that&rsquo;s through <a href="https://www.scworld.com/news/raccoon-infostealer-mastermind-pleads-guilty-in-us-court">an info stealer like Raccoon</a>, through compromised breaches like the large ones that we&rsquo;ve had over the years, or maybe even through targeting an employee at home who uses a remote device to log in and would have credentials stored in a browser, let&rsquo;s say.</p> <blockquote> <p><em>&ldquo;We keep seeing stolen credentials.&rdquo;</em></p> </blockquote> <p>That makes it really difficult because once the threat actor can leverage legitimate credentials, especially if they&rsquo;re a domain administrator or a privileged account, it can be difficult for a security team to discern what is legitimate activity versus illegitimate activity.</p> <p>This then slows response, which then increases cost, etc. It&rsquo;s like if you have to break into a house, the easiest way is to steal the keys. Why go through figuring out how you&rsquo;re going to get through a window or a lock if you can just steal the keys out of somebody&rsquo;s pocket and walk in? Same thing for threat actors. It&rsquo;s the easiest way in, and they&rsquo;re all about minimal work for maximum financial achievement.</p> <p><strong>MF: Are there any notable differences in the cost and the frequency of data breaches across different industries? What sectors do you think are most at risk?</strong></p> <p><strong>TB:</strong> I think we see one clear outlier. The most targeted industry with the highest cost is healthcare. It&rsquo;s 60% higher than the next closest market. If you think about it, that makes sense. 
Threat actors are trying to target industries where disruption will have a significant impact. The goal is to get a ransom, so you&rsquo;ve got to make the victim feel pain. Health care is a really easy one. You&rsquo;re literally impacting people&rsquo;s lives. We&rsquo;ve all heard the stories of hospitals that had to shut down and reroute emergency services to other hospitals, which could have an impact on somebody living or dying.</p> <p>The next markets in order are financial, industrial, and technology. Financial disruptions impact a lot of people, and there just so happens to be money. Industrial: think critical infrastructure-type industrial, as well as large-scale manufacturing that could disrupt supply chains and national economies and their technology. If you&rsquo;re a technology provider that services a large number of consumers or businesses, and you can be disrupted, it&rsquo;s very impactful.</p> <p><strong>MF: It’s gutting to hear that health care continues to be targeted. It seems like one of those things that would be off limits, and that everyone would just silently agree not to go after. It&rsquo;s really disheartening to hear that&rsquo;s not the case.</strong></p> <p><strong>TB:</strong> It really is. And there was <a href="https://www.wired.com/story/vastaamo-psychotherapy-patients-hack-data-breach/">one a couple of years ago</a>, it was out of one of the Scandinavian countries, if I recall. To make it even worse, it was a mental health provider. All the records were compromised and the threat actors started reaching out to the patients individually and threatening to disclose their mental health treatment records to family members, employers, etc. And I just thought: &ldquo;How dirty is that? Is there no low bar that they won&rsquo;t cross?&rdquo; And clearly it appears there&rsquo;s not.</p> <p><strong>MF: Let&rsquo;s talk about cost. 
What was the average cost of a data breach in 2024?</strong></p> <p><strong>TB:</strong> The average cost is $4.88 million globally. The report&rsquo;s pretty extensive. We break it down by country so you can look to see if there&rsquo;s anything regional or impactful in the particular countries in which you operate. We also break it down by industry. We also categorize the four main components that are contributing to cost this year.</p> <blockquote> <p><em>&ldquo;The average cost is $4.88 million globally.&rdquo;</em></p> </blockquote> <p>One is lost business cost. What are those costs that you&rsquo;re impacted by because your business can&rsquo;t continue to operate? That could be disruption, revenue losses, system downtime, customer churn, reputational damage. This has remained relatively flat – a couple of percent increase this year.</p> <p>Detection and escalation, which is the traditional thing we think of when we talk about response, forensics, investigative activity, audit, crisis management, communication. These costs have risen about 33% since 2019. So definitely seeing some costs there. That&rsquo;s really notable because cyber insurance generally has driven down response costs because they&rsquo;ve tightened the rates at which they&rsquo;ll pay outside providers. So, to have that significant of an increase while also seeing significant down pressures on costs really shows that the costs are still on an upward trajectory.</p> <p>Next, post-breach response, that is things like staffing the help desk, credit monitoring for victims, identity protection, new accounts, credit cards, all of that. Those costs have increased about 26% since 2019.</p> <p>The biggest jump in costs is notifications. That&rsquo;s emails and letters going outbound to consumer victims of the companies that were breached, regulatory compliance, things like that. They&rsquo;ve jumped 104% since 2019. 
But I should note that they are only 7% of the total costs, so a 100-plus percent increase in this small number isn&rsquo;t huge.</p> <blockquote> <p><em>&ldquo;The biggest jump in costs is notifications. That&rsquo;s emails and letters to victims.&rdquo;</em></p> </blockquote> <p>But I think it&rsquo;s a clear indicator that we&rsquo;re seeing a lot more regulatory controls around data breaches. You go back to 2019, you didn&rsquo;t have a lot. Between then and now, we have General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), the Brazilian data privacy regime, New York has one. You just start adding them all up and you can see why those costs have increased.</p> <p><strong>MF: What are the modern challenges facing organizations when it comes to protecting and navigating data breaches? You talked about AI but are there any other technology advancements that are making it easier or more difficult for businesses?</strong></p> <p><strong>TB:</strong> This could be an entire research dissertation – there&rsquo;s a lot here.</p> <p>On one hand, security practitioners like myself and the folks that work with me have never had more powerful tools at our disposal. If I think back 20 years ago and compare what we had versus what we have now – what operating systems did as far as recording information and the data and the logging and the fidelity – it&rsquo;s insane what we have access to. But that creates a problem where you have too much data. How do you do anything with it? That&rsquo;s really where the technology adds value. That&rsquo;s where AI and machine learning and building automated processes really make us more powerful.</p> <blockquote> <p><em>&ldquo;We have never had more powerful tools at our disposal.&rdquo;</em></p> </blockquote> <p>On the other hand, from the defense perspective, environments have become a lot more in flux. 
Twenty years ago, maybe you had an Active Directory controller, maybe you used LDAP (lightweight directory access protocol) for authentication of local accounts. Everything was really an enclave. Other than your firewall, there was no exposure to the internet. You had a really defined limited perimeter that you could secure.</p> <p>As we move to cloud, other platforms, to SaaS, now all of a sudden <a href="https://blog.1password.com/securing-your-hybrid-workforce/">everywhere on the internet is part of your threat exposure and you have to defend it</a>. And if it&rsquo;s a shared responsibility with maybe a SaaS provider or a cloud platform provider, now there are obligations on the company to manage it as well as their partners. All of that adds tons of complexity and makes it harder to defend.</p> <p>Overall, the trends have been relatively similar. Unfortunately, most are upward, but there&rsquo;s not anything that&rsquo;s been hugely groundbreaking. I think the real big thing people will talk about is the three-legged stool: people, process, and technology. Often we focus so much on the technology because it’s such a huge multiplier force, but under-investments in the people or immature processes really can hinder the ability to leverage the potential of that technology. I don&rsquo;t want us to lose focus on those areas as well.</p> <p><strong>MF: Let&rsquo;s talk about the process part of the stool. What are some of the best practices for developing an effective incident response plan?</strong></p> <p><strong>TB:</strong> I would say don&rsquo;t start with the incident response plan. That might sound weird coming from someone with my background. But first, do a business impact analysis. What are the most important things in your business? 
What would it take to have a minimum viable business if you had an incident?</p> <blockquote> <p><em>&ldquo;Don&rsquo;t start with the incident response plan.&quot;</em></p> </blockquote> <p>People might think: &ldquo;Well, I&rsquo;m a manufacturing company.&rdquo; Clearly the manufacturing floor is most important. Maybe it is, maybe it isn&rsquo;t. Maybe you&rsquo;re not just-in-time manufacturing. You have enough in a warehouse to manage through those blips, and you want to focus more on the logistics side, the distribution, that might be important.</p> <p>You definitely want to focus on Active Directory. It may not be sexy or exciting but without Active Directory most modern enterprises can&rsquo;t function at all. It all shuts down. How do you communicate with your regulators, your incident response team, your outside counsel, your clients, because email is based upon that?</p> <p>After you figure out your key impacts and what the minimum viable business is, ask the question: Where does your data sit? Where do your assets sit and what are they? It&rsquo;s hard to defend if you don&rsquo;t know what you have to defend. That&rsquo;s really important.</p> <p>Once you have all of that, let&rsquo;s talk incident response plan. Whether that&rsquo;s through NIST or others that businesses may want to align to. They should use those previous parts as inputs. The other thing is to be careful about just downloading an off-the-shelf plan or having AI generate one for you because they should be tailored to your business. Again, the business impact analysis, minimal viable business.</p> <blockquote> <p><em>&ldquo;Be careful about just downloading an off-the-shelf plan or having AI generate one.&quot;</em></p> </blockquote> <p>Once you have it, practice, practice, practice. In our industry, we say you have two times to do a crisis simulation exercise. One you choose, one the threat actor chooses. 
It&rsquo;s much better if you get to choose the timing.</p> <p>Lastly, an executive focus. The impact of a phenomenal technical response can be squandered with poor executives. And what I mean by that is not to cast aspersions on executives, but there&rsquo;s a lot of decisions that need to be made in these critical moments.</p> <p>It doesn&rsquo;t matter how good the technical response is, if the decision making hasn&rsquo;t been exercised, and people don&rsquo;t know their roles, and they haven&rsquo;t been trained, they are likely to make wrong decisions. There&rsquo;s plenty out there in the press where you can look at very similar breaches and one&rsquo;s considered a wonderful response and one&rsquo;s considered pretty bad. The underlying technical response was pretty equal; it was the front-end dissenting that was the difference.</p> <p><strong>MF: Can you talk about where folks can go to learn more about you, IBM, and the Cost of a Data Breach Report?</strong></p> <p><strong>TB:</strong> <a href="https://www.linkedin.com/in/troy-bettencourt/">LinkedIn</a> is the way to get me. There&rsquo;s really not much in the way of social media otherwise. You&rsquo;ve got to keep a minimal profile.</p> <p>For the data breach report, check out <a href="https://www.ibm.com/reports/data-breach">ibm.com/reports/data-breach</a>. You can download it and really dig through it. I really encourage everyone to start at the bottom with the methodology. Again, going back to that aperture, I don&rsquo;t want people to read through the report and make assumptions. 
It&rsquo;s better to start with the methodology then go back to the top so you&rsquo;re in the right frame of mind to understand the report.</p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Subscribe to Random but Memorable</h3> <p class="c-call-to-action-box__text"> Listen to the latest news, tips and advice to level up your security game, as well as guest interviews with leaders from the security community. </p> <a href="https://randombutmemorable.simplecast.com/" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Subscribe to our podcast </a> </div> </section></description></item><item><title>Leveling up the 1Password Developer experience</title><link>https://blog.1password.com/new-developer-experience/</link><pubDate>Mon, 04 Nov 2024 00:00:00 +0000</pubDate><author>info@1password.com (Bryan Byrne & Floris van der Grinten)</author><guid>https://blog.1password.com/new-developer-experience/</guid><description> <img src='https://blog.1password.com/posts/2024/new-developer-experience/header.png' class='webfeedsFeaturedVisual' alt='Leveling up the 1Password Developer experience' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">The 1Password desktop apps now include the option to show a dedicated developer section, accessible from the sidebar. The next time you open 1Password for Mac, Windows, or Linux, the built-in SSH Agent, 1Password CLI, and Developer Watchtower will be a click away.</p> <p>The latest release includes a dedicated space to discover, configure, and use <a href="https://developer.1password.com/">1Password Developer</a>, the bundle of tools designed to simplify developer security and workflows. 
Also added: secure logging of recent SSH agent activity, so you can see how your SSH keys are being used.</p> <p>Until now, 1Password Developer features and settings were buried in the menu, or within individual items. Now, it’s much easier to secure developer credentials like SSH keys and API tokens.</p> <img src='https://blog.1password.com/posts/2024/new-developer-experience/developercredentials.png' alt='Types of credentials that 1Password secures, including passwords, passkeys, and developer credentials.' title='Types of credentials that 1Password secures, including passwords, passkeys, and developer credentials.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>We’re <a href="https://1password.com/company">building a safer, simpler digital future for everyone</a>. With this release, developer credentials are treated as first-class citizens, as easy to manage and secure as passwords and passkeys.</p> <p>And we’re not stopping there. The introduction of the SSH agent activity log is the first of many planned improvements to the developer experience.</p> <h2 id="explore-the-new-developer-experience"><strong>Explore the new developer experience</strong></h2> <div style="text-align: center !important;"> <iframe src="https://www.youtube-nocookie.com/embed/RO625v1HXxo" frameborder="0" allow="autoplay; encrypted-media" width="500px !important;" height="281px !important;" style="width: 500px !important; height: 281px !important; display: inline-block !important" allowfullscreen></iframe> </div> <p>This initial version of the 1Password Developer experience includes three sections:</p> <ol> <li> <p><a href="https://developer.1password.com/docs/ssh"><strong>1Password SSH Agent</strong></a>. 
Securely store and use SSH keys directly from 1Password, authenticate SSH key requests with biometrics, configure Git signing, and even view an activity log of recent SSH key activity.</p> </li> <li> <p><a href="https://developer.1password.com/docs/cli"><strong>1Password CLI</strong></a><strong>.</strong> Bring the power of 1Password to the terminal to use 1Password for secrets management and automate administrative tasks.</p> </li> <li> <p><a href="https://blog.1password.com/watchtower-ssh-keys/"><strong>Developer Watchtower</strong></a><strong>.</strong> Review and mitigate potential SSH key security risks.</p> </li> </ol> <img src="https://blog.1password.com/posts/2024/new-developer-experience/developer-section.png" alt="The new developer section in 1Password for Mac, also available in 1Password for Windows and Linux." title="The new developer section in 1Password for Mac, also available in 1Password for Windows and Linux." class="c-featured-image"/> <h2 id="introducing-the-1password-ssh-agent-activity-log"><strong>Introducing the 1Password SSH Agent activity log</strong></h2> <p>The newest feature the 1Password Developer experience delivers is the SSH agent activity log. The locally stored log records SSH agent requests and documents which key and application was used, the command that was run, and whether the request came from a background process (like when an IDE checks for version control updates).</p> <img src="https://blog.1password.com/posts/2024/new-developer-experience/activity-log.png" alt="SSH key activity log within 1Password" title="SSH key activity log within 1Password" class="c-featured-image"/> <h2 id="get-started"><strong>Get started</strong></h2> <p>You can explore the new 1Password Developer experience right now. 
If you don’t see the Developer menu in your sidebar of 1Password for Mac, Windows, or Linux, go to <strong>Settings &gt; Developer</strong> and enable the experience.</p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Secure your workflows with 1Password Developer</h3> <p class="c-call-to-action-box__text"> Streamline how you manage SSH keys, API tokens, and other application secrets from your first line of code all the way into production. </p> <a href="https://developer.1password.com/?utm_ref=blog" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Explore documentation </a> </div> </section></description></item><item><title>Product designer Sierre Wolfkostin explains why passkeys haven't completely replaced passwords…yet</title><link>https://blog.1password.com/sierre-wolfkostin-passkeys-interview/</link><pubDate>Thu, 31 Oct 2024 00:00:00 +0000</pubDate><author>info@1password.com (Jenn Marshall)</author><guid>https://blog.1password.com/sierre-wolfkostin-passkeys-interview/</guid><description> <img src='https://blog.1password.com/posts/2024/sierre-wolfkostin-passkeys-interview/header.png' class='webfeedsFeaturedVisual' alt='Product designer Sierre Wolfkostin explains why passkeys haven't completely replaced passwords…yet' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Passwords are required to do practically everything, from watching TV and accessing your phone to making a doctor’s appointment and paying your electric bill. Without a password manager, it’s virtually impossible to remember all of your passwords, particularly if you&rsquo;re using strong and unique ones for each account.</p> <p>But the security landscape is changing. 
As Sierre Wolfkostin, Principal Product Designer at 1Password, and Matt Davey, Chief Experience Officer at 1Password, discuss on the <a href="https://randombutmemorable.simplecast.com/">Random But Memorable</a> podcast, the world is headed toward a more streamlined, passwordless future.</p> <p>You can already use 1Password to <a href="https://blog.1password.com/how-save-manage-share-passkeys-1password/">save and sign in with passkeys</a>. New 1Password customers also can use passkeys to unlock their 1Password accounts (currently <a href="https://blog.1password.com/unlock-1password-individual-passkey-beta/">in public beta</a>).</p> <p>Why aren’t we using passkeys for everything, all the time? Read the interview highlights below or listen to the <a href="https://randombutmemorable.simplecast.com/episodes/honesty-salable-uppish-penguin">full podcast episode</a> to hear Wolfkostin and Davey talk about the advantages of passkeys, as well as some of the remaining challenges and why we’re not ready to replace all passwords with passkeys – yet.</p> <div style="text-align: center !important;"> <iframe src="https://www.youtube-nocookie.com/embed/HDPiEXkiNQ8?si=wF31wJZHVyX_lxDo" frameborder="0" allow="autoplay; encrypted-media" width="500px !important;" height="281px !important;" style="width: 500px !important; height: 281px !important; display: inline-block !important" allowfullscreen></iframe> </div> <p><em>Editor’s note: This interview has been lightly edited for clarity and brevity.</em></p> <p><strong>Matt Davey: Both from a security and usability standpoint, what are the advantages of passkeys and other forms of passwordless authentication over traditional passwords?</strong></p> <p><strong>Sierre Wolfkostin:</strong> I&rsquo;m glad you zeroed in on usability because during my time working with the <a href="https://blog.1password.com/1password-is-joining-the-fido-alliance/">FIDO Alliance</a>, that&rsquo;s what we found consumers tended to value the most: that usability 
and that convenience factor. What&rsquo;s neat about passwordless authentication is it removes a ton of friction that didn&rsquo;t really need to be there in the first place. Logging in with a biometric, it takes just a couple of seconds. In many cases it&rsquo;s literally as simple as tapping your laptop&rsquo;s fingerprint sensor or staring at your phone to unlock it. You don&rsquo;t have to go through this adventure journey of finding your password and getting it in the login box.</p> <p>There have been reports recently comparing the set-up time, the login time, and also the error rate between passwordless authentication and traditional authentication. Even if you look at the really conservative ones, we&rsquo;re talking about <a href="https://blog.google/technology/safety-security/google-passkeys-update-april-2024/">a 50% increase in speed</a> and maybe a 20% decrease in error rate. It&rsquo;s not just perceived ease, it&rsquo;s actual ease. You are able to log in faster and with fewer hiccups along the way if you are doing so without a password.</p> <p><strong>MD: So we’re getting to that point where people are comfortable enough with biometrics that we can present them in the authentication or signup flow and it still makes things easier over the long run?</strong></p> <p><strong>SW:</strong> Yes. To be fair, it took time for people to be comfortable with biometrics. I’ve conducted different user interviews and studies over the last six years or so. Six years ago was when Touch ID had started to gain traction as a main way to unlock your phone. I remember at the time, man, there were some people who were very hesitant about Touch ID. Concerns about a company stealing your fingerprint; I think one participant mentioned losing a finger and being unable to unlock their phone because their finger was gone. 
Just all these really big concerns about Touch ID.</p> <blockquote> <p><em>&ldquo;It&rsquo;s just a matter of time for people to get comfortable with it.&quot;</em></p> </blockquote> <p>Gradually those concerns dissipated. Just because it was more familiar, it was more of a public concept, and because a lot of the world&rsquo;s operating systems took a strong stance on privacy and said, &ldquo;Hey, your biometrics – of course they&rsquo;re not going to leave your device. Of course they&rsquo;re not going to be shared with [insert company].&rdquo;</p> <p>I think we&rsquo;re seeing something similar with passkeys and passwordless authentication now. It&rsquo;s just a matter of time for people to get comfortable with it.</p> <p><strong>MD: How do passkeys work, why are they considered more secure, and what parts are there to them?</strong></p> <p><strong>SW:</strong> Passkeys are a specific and popular form of passwordless authentication. They represent the latest evolution of this technology. They&rsquo;re supported by the majority of the world&rsquo;s browsers and operating systems.</p> <p>How they work is that every passkey consists of two different interlocking parts. There&rsquo;s the public key that’s shared with the website and then there&rsquo;s the private key that never leaves your accounts and devices.</p> <div style="text-align: center !important;"> <iframe src="https://www.youtube-nocookie.com/embed/DELDP_wbuE4?si=Q2giJJ0d-SsIjPGC" frameborder="0" allow="autoplay; encrypted-media" width="500px !important;" height="281px !important;" style="width: 500px !important; height: 281px !important; display: inline-block !important" allowfullscreen></iframe> </div> <p>It&rsquo;s probably easiest to understand with a real-world scenario. Imagine you&rsquo;re logging into a website that supports passkeys and you haven&rsquo;t logged into this website before. 
You want to create an account, so you choose the option to create an account and to secure it with a passkey as opposed to a normal password. You&rsquo;d be prompted to confirm where your private key (that&rsquo;s about to be created) is going to be stored. It could be stored on your device&rsquo;s keychain like iCloud Keychain. It could be stored on a password manager, like 1Password. It could be stored on a hardware security key. Then, after you pick where it&rsquo;s stored, you&rsquo;ll see the confirmation that your account has been created.</p> <p>Behind the scenes, there&rsquo;s a lot happening. The private key obviously has been saved to the place of your choosing. A public key is sent to the server of the website or the app or wherever you&rsquo;re creating your account. Again, you can think of these two keys as interlocking pieces of the same puzzle. They are mathematically connected and together, they make one passkey. You need both pieces for a passkey to work. At this point, you create a passkey.</p> <p>Let&rsquo;s say you want to sign in using that passkey. The next time you visit this website or app, you won&rsquo;t have to enter in a traditional password. You instead use your passkey and you&rsquo;d be asked to authenticate using that passkey.</p> <blockquote> <p><em>&ldquo;The experience is super simple. You basically unlock wherever your passkey is stored.&quot;</em></p> </blockquote> <p>The experience is super simple. You basically unlock wherever your passkey is stored. Usually this involves you using biometrics like Touch ID or Face ID, etc., and that&rsquo;s it. You&rsquo;re signed in at that point.</p> <p>Of course, behind the scenes a ton is happening. The website has made a technical challenge and wherever you&rsquo;ve stored your private key needs to accept this challenge. But before that happens, you have to make sure it&rsquo;s you and not someone else that&rsquo;s getting access to your private key to use it. 
That&rsquo;s why you have to unlock the place where the private key is stored, whether it&rsquo;s iCloud Keychain, a password manager, etc.</p> <p>Only once you do that can this challenge be signed and then sent back to the website (this is behind the scenes). The website checks it with its public key, the two interlocking pieces connect and – voila! – you are allowed access.</p> <p>I find it helpful to think of it as two keys making one passkey. You need your key and you need the website&rsquo;s public key.</p> <p><strong>MD: Something I really like about passkeys is how they work with third-party passkey providers. The companies that own the major operating systems are building in support that third party providers can take control of.</strong></p> <p><a href="https://blog.1password.com/fido-alliance-import-export-passkeys-draft-specs/"><strong>Passkeys are also going to be portable</strong></a><strong>, which is really nice.</strong></p> <p><strong>SW:</strong> Yes, we&rsquo;ve seen that and honestly, it&rsquo;s a large part because the whole effort to create passkeys has been so community driven from the beginning. I mentioned the FIDO Alliance before but it&rsquo;s this massive industry association of 200-plus tech companies, including Apple, Google, Microsoft, all the big ones and more.</p> <p>In that association you have the owners of the operating systems and the owners of the browsers and the people that make apps and websites all coming together. They’re all asking: &ldquo;What is the best way to help people securely log in? How do we make that a really good experience?&rdquo; Portability and passkey migration naturally come out of that.</p> <p>The heart and soul of passkeys is a very collaborative, community-driven effort in the security industry. That&rsquo;s in part what makes me really excited about this improvement and also future improvements for passkeys.</p> <p><strong>MD: I don’t think passkeys are as pervasive as we want them to be. 
Is that a website problem, a provider problem, or a people problem?</strong></p> <p><strong>SW:</strong> It&rsquo;s true. Even though there&rsquo;s been great progress made by the security industry, I don&rsquo;t think passkeys are ready to replace passwords, at least just yet, for a few reasons. One is that not all websites and apps and services support them. I know 1Password hosts an index of sorts, <a href="https://passkeys.directory/">passkeys.directory</a>, that can show you some known websites and apps, etc. that support passkeys. If you check the directory, it&rsquo;s lengthy but not comprehensive. There&rsquo;s still a long way to go.</p> <blockquote> <p><em>&ldquo;Not all websites and apps and services support passkeys.&quot;</em></p> </blockquote> <p>Also, not all browsers and operating systems have support for passkeys. The vast majority do, including all the ones you&rsquo;re used to using. But last time I checked, it was only around ninety-plus percent adoption. We&rsquo;re not at 100% adoption and support for passkeys across all browsers and operating systems.</p> <p>There are still some wrinkles to be ironed out in the user experience. Passkeys, they&rsquo;re easy to use if you&rsquo;re on the happy path, if you&rsquo;re on the predetermined, simplest path you can be. But some edge cases are still kind of tricky.</p> <p>For example, there used to be this case where if you had a passkey saved to your iCloud Keychain and then you got a new MacBook and tried to log in using a passkey, but iCloud syncing was not turned on, you didn&rsquo;t have access to the passkey and got an error. That was one wonky experience. It&rsquo;s probably been solved by now, but these sorts of things happen often, especially when so many players – browsers, operating systems, apps, services, etc. 
– are required to work together to make a passkey experience work.</p> <blockquote> <p><em>&ldquo;The biggest barrier is probably the sheer inertia that we&rsquo;re up against.&quot;</em></p> </blockquote> <p>There&rsquo;s a lot of edge cases that still need to be addressed.</p> <p>Honestly, the biggest barrier is probably the sheer inertia that we&rsquo;re up against. Password use is so prevalent. I mean, three generations of people are using passwords. That&rsquo;s a lot for any sort of change to be up against, especially a new technology like passkeys.</p> <p><strong>MD: What challenges do organizations face when transitioning to passwordless authentication? How can we best drive adoption?</strong></p> <p><strong>SW:</strong> There are a couple that organizations usually run into. The first is the account recovery case. If you lose or don&rsquo;t have access to your passkey, it’s super frustrating to not be able to log into your accounts.</p> <p>What I tend to recommend in those situations is to make sure people have a backup when they create their passkey. It could be another passkey stored to a different place. It could be a hardware security key, or some sort of backup. Otherwise, people are going to get stuck. Then you, as the owner of the website, are going to get a lot of requests from people requesting access to their accounts.</p> <p>Another challenge organizations face is general awareness and knowledge of what a passkey is. I did a lot of research with the FIDO Alliance, and part of what we did was talk to maybe 30 American consumers about the concept of a passkey. This was a few years back, but I remember that not a single person at the time had heard of a passkey – not a single one of them!</p> <blockquote> <p><em>&ldquo;We&rsquo;re still nowhere near the vast majority of people and consumers knowing what a passkey is.&quot;</em></p> </blockquote> <p>Times have now changed. 
When I talk to people, usually there&rsquo;s a chance that one of them has heard of a passkey, and maybe even used one. But we&rsquo;re still nowhere near the vast majority of people and consumers knowing what a passkey is. Just the fact that it&rsquo;s still so new hinders its adoption, especially if you&rsquo;re an org that wants everyone to use passkeys.</p> <p><strong>MD: Some companies refer to passkeys as “biometrics” in their authentication flow. Whereas other companies say: &ldquo;Hey, this is a passkey, it&rsquo;s a new concept&rdquo; and deal with it like that. Which approach works better?</strong></p> <p><strong>SW:</strong> By and large, at least in the long run, everyone, every organization, is going to be more successful if there&rsquo;s some sort of consistency in how passkeys are referenced. It&rsquo;s very hard to adopt what you don&rsquo;t understand. It&rsquo;s super important that we build towards a state of consistency and a known understanding of what a passkey is. When people create one, they know what they&rsquo;re getting into.</p> <p>This was actually something that came out of some of the early research in the FIDO Alliance. We did a lot of concept testing, and from some of that testing and following research, we developed a series of guidelines that can help an organization optimize its passkey experience. 
One of those guidelines is: consistently use the name passkey and also the passkey icon because this is a world where the more familiar people are with the concept, the easier it will be to adopt.</p> <p>You don&rsquo;t want to go against the grain and be the one company that doesn&rsquo;t use “passkey” even though you&rsquo;re offering the exact same thing.</p> <blockquote> <p><em>&ldquo;It&rsquo;s super important that we build towards a state of consistency and a known understanding of what a passkey is.&quot;</em></p> </blockquote> <p>Another guideline is to always associate passkeys with the familiar, because the icon itself is still rather abstract. But when paired, for example, with little images of biometrics or an icon of a security key and having those familiar elements orbiting the passkey icon, it gives something tangible for people to latch onto. It helps what used to be an abstract concept feel a lot more comfortable because now it&rsquo;s tied to what people already know. Classic example of <a href="https://lawsofux.com/jakobs-law/">Jakob&rsquo;s Law of UX</a>.</p> <p>You can follow those two principles and others to help people more easily adopt passkeys. But they only work if a significant mass of companies use them. So that&rsquo;s why I said it&rsquo;s a long-term play.</p> <p><strong>MD: How do you envision the future of these authentication standards evolving?</strong></p> <p><strong>SW:</strong> Sometimes it&rsquo;s useful to think about not how they will change, but what’s going to stay the same? What sort of “rocks” or stable ground will these design standards create for us? 
The parts I see staying the same include the basic representation of passkeys: the name, the icon, the things that they&rsquo;re associated with, those general hero images that you now see on most browsers and operating systems when they talk about passkeys.</p> <p>I think in general, all of that has to stay the same, otherwise public awareness is going to start following different forks and different paths, and people are going to become more confused than unified.</p> <p>Also, I think the general trend towards optimizing the passkey experience, in part by having really clear additional guidelines that help you do so, that&rsquo;s going to be one direction people move in.</p> <blockquote> <p><em>&ldquo;I see the industry moving gradually towards passwordless.&quot;</em></p> </blockquote> <p>Beyond the design standards, I see the industry moving gradually towards passwordless and also towards sometimes more of a state of what we call complete passwordless. This means that instead of mixing passwords with ways of logging in passwordlessly, instead, you have no passwords across your entire service as a business and you are just using passwordless for all of your logins.</p> <p>That&rsquo;s currently still in its nascent stages. Very few companies choose to go completely passwordless, but I do see that as the general trend.</p> <p><strong>MD: Where can people find out about these evolving topics from 1Password? What&rsquo;s the best place?</strong></p> <p><strong>SW:</strong> Honestly, from what I&rsquo;ve read so far, <a href="https://blog.1password.com/categories/passwordless/">the 1Password blog</a> is a fantastic resource. There&rsquo;s loads of articles there. You can really get into the details. 
I would recommend starting there and then see where the rabbit holes take you.</p> <section class="c-call-to-action-box c-call-to-action-box--orange"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Subscribe to Random but Memorable</h3> <p class="c-call-to-action-box__text"> Listen to the latest news, tips and advice to level up your security game, as well as guest interviews with leaders from the security community. </p> <a href="https://randombutmemorable.simplecast.com/" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--orange" data-event-category="CTA" data-event-action="call-to-action-button"> Subscribe to our podcast </a> </div> </section></description></item><item><title>The official password manager of the Golden State Warriors</title><link>https://blog.1password.com/1password-golden-state-warriors-celebrate-partnership/</link><pubDate>Thu, 31 Oct 2024 00:00:00 +0000</pubDate><author>info@1password.com (1Password)</author><guid>https://blog.1password.com/1password-golden-state-warriors-celebrate-partnership/</guid><description> <img src='https://blog.1password.com/posts/2024/1password-golden-state-warriors-celebrate-partnership/header.png' class='webfeedsFeaturedVisual' alt='The official password manager of the Golden State Warriors' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Hey Bay Area, it’s almost been two years since we first teamed up with the Golden State Warriors, and what a partnership it’s been!</p> <p>Whether it’s taking teamwork to the next level, enriching our communities, or continuously striving for innovation, we couldn’t be prouder of what we’ve accomplished with the Golden State Warriors. 
It’s made every milestone we’ve reached even more rewarding.</p> <p>As we take a look back at some of the things we’ve accomplished together so far, we’re even more excited for the <a href="https://1password.com/promo/warriors">year to come.</a></p> <h2 id="the-highlight-reel">The highlight reel</h2> <p>One of our <a href="https://1password.com/customer-stories/warriors">customer stories</a> featured Daniel Brusilovsky, VP of Technology with the Warriors, who shared how 1Password helped them step up their security game.</p> <div style="text-align: center !important;"> <iframe src="https://www.youtube-nocookie.com/embed/eAKpKzdc2is" frameborder="0" allow="autoplay; encrypted-media" width="500px !important;" height="281px !important;" style="width: 500px !important; height: 281px !important; display: inline-block !important" allowfullscreen></iframe> </div> <p>We learned how the Golden State Warriors organization has transformed the way they manage and share sensitive data using 1Password. With 18,000 people in the stadium for around 200 events a year, this busy team needed a way to manage everything from apps and API keys to cloud services and credit cards – without getting slowed down by complicated security policies.</p> <p>Before 1Password, sharing this info in a secure and compliant way wasn’t easy. Now, 1Password has streamlined their workflows so teams can share passwords and sensitive data without interruption. 
This has not only made work faster and more efficient, but now the Golden State Warriors organization can focus on what they do best – delivering unforgettable customer experiences.</p> <p>The Warriors quickly saw how 1Password could scale across the whole team, and today it’s part of their day-to-day operations, both securing and streamlining work at every level.</p> <p>As a global brand that has grown immensely, the Warriors needed a tool that could grow with them – and 1Password has done just that, seamlessly fitting in with their infrastructure to support their business goals.</p> <p>And there’s more!</p> <ul> <li>We got to see our name in lights:</li> </ul> <img src="https://blog.1password.com/posts/2024/1password-golden-state-warriors-celebrate-partnership/court1.jpg" alt="Basketball game at Chase Center with 1Password advertising visible on digital banners." title="Basketball game at Chase Center with 1Password advertising visible on digital banners." class="c-featured-image"/> <img src="https://blog.1password.com/posts/2024/1password-golden-state-warriors-celebrate-partnership/court2.jpg" alt="A basketball arena with spectators, a basketball on the court, and an advertisement for 1Password." title="A basketball arena with spectators, a basketball on the court, and an advertisement for 1Password." class="c-featured-image"/> <ul> <li>We hosted an exclusive event at the Chase Center during the annual RSA Conference, featuring a live panel for 1Password customers, partners, and prospects:</li> </ul> <img src="https://blog.1password.com/posts/2024/1password-golden-state-warriors-celebrate-partnership/panel.jpg" alt="Four panelists seated in front of a branded 1Password and Golden State Warriors backdrop." title="Four panelists seated in front of a branded 1Password and Golden State Warriors backdrop." 
class="c-featured-image"/> <img src="https://blog.1password.com/posts/2024/1password-golden-state-warriors-celebrate-partnership/event.jpg" alt="A group of people posing on outdoor stairs under a sign reading 1 Warriors Way." title="A group of people posing on outdoor stairs under a sign reading 1 Warriors Way." class="c-featured-image"/> <ul> <li>We sponsored a game for the Santa Cruz Warriors, the NBA G League affiliate of the Golden State Warriors:</li> </ul> <img src="https://blog.1password.com/posts/2024/1password-golden-state-warriors-celebrate-partnership/SCW.jpg" alt="A basketball game in an indoor arena with 1Password advertising visible on a digital banner." title="A basketball game in an indoor arena with 1Password advertising visible on a digital banner." class="c-featured-image"/> <ul> <li>We even got to hook up one very lucky fan with amazing swag and prizes:</li> </ul> <img src="https://blog.1password.com/posts/2024/1password-golden-state-warriors-celebrate-partnership/sweepstakes.png" alt="Promotional graphic for a 1Password sweepstakes with gift card and basketball images." title="Promotional graphic for a 1Password sweepstakes with gift card and basketball images." class="c-featured-image"/> <ul> <li>And finally, we got to make a lasting impact in our communities with the STEAM Fest and a laptop donation event:</li> </ul> <p><strong>STEAM Fest</strong></p> <p>The STEAM Fest event is designed to begin exposing students to STEAM fields. Students will have the opportunity to learn about ways technology is used in sports, business, gaming, the environment, art, and more. 
Students will be able to interact with various organizations centered around STEAM and sports and will get to enjoy a Santa Cruz Warriors game at Chase Center that day.</p> <p>Through 1Password&rsquo;s presenting partnership, the Warriors were able to provide over 1,000 tickets to students and their families.</p> <p>Additionally, during the event, 1Password provided attendees 1 year free when signing up for the 1Password platform.</p> <p><strong>Laptop donation event</strong></p> <p>On International Women’s Day, the Warriors and 1Password hosted 30 young women from the community organization Self-eSTEM for a laptop donation event. At the event, each student was given a laptop, courtesy of 1Password. A representative of 1Password assisted the students in setting up their device, then educated them on the 1Password product which was gifted to the students as well.</p> <p>After the technical portion of the event, Self-eSTEM moderated a panel on Women in Sports and Technology, with panelists Rachel Yarnold, Director Marketing Campaigns of 1Password, and Joy Carson, Senior Manager IT Integrations.</p> <p>In addition to the 30 laptops donated during the event, 1Password donated an incremental 45 to Self-eSTEM, for a total of 75 laptops!</p> <h2 id="theres-still-more-to-come">There’s still more to come</h2> <p>We’re not done yet! We can’t wait to <a href="https://1password.com/promo/warriors">kick off another year partnered with the Golden State Warriors</a>. We know this partnership will help us give more people and families across the Bay Area the all-star security they deserve.</p> <p>And don’t forget, when you sign up for 1Password Families, you’ll <a href="https://start.1password.com/sign-up/family?l=en&amp;c=GSW25">get 25% off your first year with us</a>. Now that’s a slam dunk. 
🏀</p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Ready to secure your home court?</h3> <p class="c-call-to-action-box__text"> Keep all of your accounts secure with 1Password, the most-used password manager. Get started today with 25% off your first year. </p> <a href="https://start.1password.com/sign-up/family?l=en&amp;c=GSW25" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Get 25% off </a> </div> </section></description></item><item><title>1Password and Rails' Kamal: Kindred spirits</title><link>https://blog.1password.com/1password-rails-kindred-spirits/</link><pubDate>Tue, 29 Oct 2024 00:00:00 +0000</pubDate><author>info@1password.com (Jason Meller)</author><guid>https://blog.1password.com/1password-rails-kindred-spirits/</guid><description> <img src='https://blog.1password.com/posts/2024/1password-rails-kindred-spirits/header.png' class='webfeedsFeaturedVisual' alt='1Password and Rails' Kamal: Kindred spirits' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">David Heinemeier Hansson (DHH), the creator and leader of Ruby on Rails, reaffirmed his vision for the framework at <a href="https://rubyonrails.org/world/">Rails World</a> last September. He described his philosophy as “from Hello World to IPO.”</p> <p>Over the past two years, DHH has been ruthlessly simplifying the framework he invented more than two decades ago. Spin up a new Rails 8 application in production today, and you don&rsquo;t need Node.js, Redis, or even a remote database! And yet, despite all that pruning and shearing, there are no compromises. 
In fact, Rails somehow packs in even more production-grade functionality than ever before.</p> <p>These simplifications are impressive on their own but they were also necessary to achieve something even more remarkable: Hello World to Production in three minutes. To make this possible, DHH and his team created Kamal, a tool that allows you to deploy any Dockerized web application to a remote server via SSH in seconds, without any downtime.</p> <p>If you haven&rsquo;t seen the demo, it&rsquo;s extraordinary. (Start at <a href="https://www.youtube.com/watch?v=-cEn_83zRFw&amp;t=3345">55:45</a>!)</p> <div style="text-align: center !important;"> <iframe src="https://www.youtube-nocookie.com/embed/-cEn_83zRFw?si=iPEH0FKs_ADOuRLH" frameborder="0" allow="autoplay; encrypted-media" width="500px !important;" height="281px !important;" style="width: 500px !important; height: 281px !important; display: inline-block !important" allowfullscreen></iframe> </div> <p>Kamal is more than just software – it&rsquo;s intended to change hearts and minds. It was purposefully designed to free app builders from what DHH calls &ldquo;the learned helplessness&rdquo; that has led to the popularity of Platform as a Service (PaaS) providers. The goal is to empower teams to confidently step into a world where they get the most powerful compute for their dollar, without paying upwards of a 100x markup for a serviceable deployment model and basic OS patching.</p> <p>At 1Password, this mission hits close to home. We exist in an industry that benefits greatly when people and organizations believe it&rsquo;s too complicated and dangerous to secure themselves, leading them to relinquish control and &ldquo;leave it up to professionals.&rdquo; This fear-driven learned helplessness directly opposes our core values.</p> <p><strong>At 1Password, we believe that everyone who uses computers is entitled to use them with dignity</strong>. 
When we do our job well, 1Password&rsquo;s software should make you feel smarter and more capable – not infantilized. To accomplish this, we make sure our tools teach you <em>how</em> to be more secure. Through Checks, Watchtower, and more, we aim to share security best practices in a way that’s accessible but never condescending.</p> <p>It&rsquo;s these values that make me so proud to know that 1Password is playing a meaningful part in Kamal&rsquo;s story. Kamal ships with a <a href="https://kamal-deploy.org/docs/commands/secrets/#1password">1Password adapter</a> that allows you to source credentials, like your <code>RAILS_MASTER_KEY</code>, from a shared vault and set them as environment variables on your remote servers. This integration can be further enhanced by using <a href="https://developer.1password.com/docs/ci-cd/github-actions/">1Password&rsquo;s GitHub Actions</a> to both access your 1Password account remotely and fetch the secrets Kamal needs.</p> <p>Here’s where it gets even more exciting: 1Password can also <a href="https://developer.1password.com/docs/ssh/manage-keys">store the SSH keys</a> you use to connect to remote servers in your production environment. Not only can it hold the credentials, but 1Password also comes bundled with an <a href="https://developer.1password.com/docs/ssh/agent/">SSH agent</a>, so you can use 1Password to directly provide your SSH client with the credentials as you sign in. How cool is that?</p> <p>If you&rsquo;re a Rails developer who’s ready to put this into use right now, I&rsquo;ve created a tutorial that makes best use of 1Password’s capabilities.</p> <h2 id="how-to-use-kamal-2-and-1password">How to use Kamal 2 and 1Password</h2> <p>To demonstrate this whole flow, I&rsquo;ll deploy my second-favorite Rails application at 1Password, the Feline Snooker League. 
This is the Rails app we use at Kolide (<a href="https://blog.1password.com/1password-acquires-kolide/">acquired by 1Password earlier this year</a>) as a take-home exercise when we interview candidates for our Rails developer position.</p> <img src='https://blog.1password.com/posts/2024/1password-rails-kindred-spirits/feline-snooker-league-readme.png' alt='A screenshot of a readme file for a project called Feline Snooker League Score Tracking Application.' title='A screenshot of a readme file for a project called Feline Snooker League Score Tracking Application.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <h3 id="step-1-get-a-server-with-linux-and-set-up-ssh">Step 1: Get a server with Linux and set up SSH</h3> <p>Kamal works by directly connecting to Linux servers via SSH. So you&rsquo;ll need an internet-accessible server running Linux – preferably the latest Ubuntu LTS, which is 24.04 as of this writing.</p> <p>For this tutorial I&rsquo;m using DigitalOcean but the setup experience will be similar for any provider. One thing I love about modern VPS providers is they make it easy to set up SSH key-based authentication. 1Password makes the remaining complication – securely encrypting and storing these SSH keys – trivial.</p> <p>With the 1Password browser extension installed in Safari, I can generate and store the SSH key without leaving the webpage.</p> <img src='https://blog.1password.com/posts/2024/1password-rails-kindred-spirits/add-ssh-key-step-1.png' alt='A screenshot with a prompt from 1Password to create a new SSH key.' title='A screenshot with a prompt from 1Password to create a new SSH key.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>Next, install the <a href="https://developer.1password.com/docs/ssh/get-started/#step-3-turn-on-the-1password-ssh-agent">1Password SSH agent</a>. 
Once configured, access your server from your terminal via <code>ssh root@example.com</code>. If you&rsquo;ve installed the agent and stored the SSH key correctly, 1Password will pop up and ask you to unlock your vault. (In my case, as soon as I touched my TouchID sensor, I was signed into my server!)</p> <img src='https://blog.1password.com/posts/2024/1password-rails-kindred-spirits/ssh-key-agent-prompt.png' alt='A 1Password pop-up asking you to authorize the use of your stored SSH key.' title='A 1Password pop-up asking you to authorize the use of your stored SSH key.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <h3 id="step-2-add-your-rails-secrets-to-the-vault">Step 2: Add your Rails secrets to the vault</h3> <p>Before we discuss how to add secrets to a 1Password vault, you should prepare your Rails application so that your production credentials are separate from the credentials you&rsquo;ll need for local development and testing in CI.</p> <p>Rails has supported multi-environment credentials since Rails 6 but they aren&rsquo;t enabled by default. To enable bespoke credentials for production, run the following command:</p> <pre tabindex="0"><code>$ rails credentials:edit --environment production </code></pre><p>This will generate a production-specific master.key in <code>config/credentials/production.key</code>. You&rsquo;ll want to immediately store this key in 1Password and delete it from your filesystem when done.</p> <p>In my case, I created a new vault called &ldquo;Snookums&rdquo; and created a new empty password item called &ldquo;Production&rdquo;. From there, I created a new password field called <code>RAILS_MASTER_KEY</code> and pasted the key in the password field. 
I also created a <code>KAMAL_REGISTRY_PASSWORD</code> for my Docker Hub access token, as described in the <a href="https://kamal-deploy.org/docs/configuration/docker-registry/">Kamal documentation</a>.</p> <p>When everything is said and done, you should have a 1Password vault item that looks like the one below:</p> <img src='https://blog.1password.com/posts/2024/1password-rails-kindred-spirits/1password-vault.png' alt='A screenshot of 1Password with a saved vault item called Production.' title='A screenshot of 1Password with a saved vault item called Production.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <h3 id="step-3-configure-kamal">Step 3: Configure Kamal</h3> <p>In this section, you’re going to allow Kamal to programmatically access the information in your 1Password vault. The most crucial step here is <a href="https://developer.1password.com/docs/cli/get-started/">installing the 1Password CLI tool</a>. The <code>kamal secrets</code> 1Password adapter simply wraps the <code>op</code> CLI tool to source the credentials.</p> <p>Once you&rsquo;ve installed the 1Password CLI, you&rsquo;ll want to edit the <code>.kamal/secrets</code> file. 
Here is what mine looks like:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-sh" data-lang="sh">SECRETS=$(kamal secrets fetch --adapter 1password --account kolide.1password.com --from Snookums/Production KAMAL_REGISTRY_PASSWORD RAILS_MASTER_KEY)
KAMAL_REGISTRY_PASSWORD=$(kamal secrets extract KAMAL_REGISTRY_PASSWORD ${SECRETS})
RAILS_MASTER_KEY=$(kamal secrets extract RAILS_MASTER_KEY ${SECRETS})
</code></pre></div><p>You&rsquo;ll also need to edit the <code>config/deploy.yml</code> to add the DNS names for your server and application (for SSL certificate provisioning). My file ended up looking like this:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml">service: snookums

image: terracatta/snookums

servers:
  web:
    - feline-snooker-league.com

proxy:
  ssl: true
  host: feline-snooker-league.com

registry:
  username: terracatta
  password:
    - KAMAL_REGISTRY_PASSWORD

env:
  secret:
    - RAILS_MASTER_KEY
  clear:
    SOLID_QUEUE_IN_PUMA: true

aliases:
  console: app exec --interactive --reuse &#34;bin/rails console&#34;
  shell: app exec --interactive --reuse &#34;bash&#34;
  logs: app logs -f
  dbc: app exec --interactive --reuse &#34;bin/rails dbconsole&#34;

volumes:
  - &#34;snookums_storage:/rails/storage&#34;

asset_path: /rails/public/assets

builder:
  arch: amd64
</code></pre></div><p>Remember, we don’t want to hardcode any 
secrets here or source them from any other place locally than the <code>kamal secrets</code> command, which will run automatically when we invoke Kamal.</p> <h3 id="step-4-deploy">Step 4: Deploy!</h3> <p>That should do it! All you need to do now is run <code>kamal setup</code>. You&rsquo;ll be prompted by 1Password to unlock your vault, which will allow you to SSH to your remote servers and source the Docker Hub credentials and the production Rails Master Key.</p> <p>After a couple of minutes, my deploy was finished, and when I browsed to <a href="https://feline-snooker-league.com">https://feline-snooker-league.com</a>, I was greeted with the following masterpiece.</p> <img src='https://blog.1password.com/posts/2024/1password-rails-kindred-spirits/the-league.png' alt='A screenshot of the completed Snookums project.' title='A screenshot of the completed Snookums project.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>Subsequent deployments can happen by simply running <code>kamal deploy</code> right at the root of the Rails app from the terminal. Here&rsquo;s a video of a full 35-second deploy in action.</p> <p> <video class="round shadow" style="display: block; margin: auto; padding: 0;" muted='true' loop="loop" playsinline="" width="100%" alt='' controls> <source src="https://blog.1password.com/posts/2024/1password-rails-kindred-spirits/rails-app-deploy.mp4" type="video/mp4" /> </video> </p> <h3 id="additional-reading">Additional reading</h3> <p>Congratulations, you&rsquo;re now using all that 1Password has to offer with Kamal to deploy Rails apps (or actually any containerized web app) to production while keeping your secrets and server credentials safe and secure. 
And since these things are in 1Password, you can share the vaults with the production engineers in your company with ease.</p> <p>If you&rsquo;re still looking for more to do, I recommend exploring <a href="https://developer.1password.com/docs/ci-cd/github-actions/">1Password&rsquo;s ability to load secrets from within GitHub Actions</a>. With this, combined with a reasonable <a href="https://jetthoughts.com/blog/automate-your-deployments-with-kamal-2-github-actions-devops-development/">GitHub action for running Kamal itself</a>, you can turn your local, developer-driven production deployment flow into a true continuous deployment model. Or, even enable <a href="https://world.hey.com/avinash/kamal-2-my-upgrade-journey-a1af9920">both local and GitHub-driven deployments</a>.</p> <p>As Kamal frees software engineers from the <a href="https://world.hey.com/dhh/merchants-of-complexity-4851301b">merchants of complexity</a> telling them that they&rsquo;re in over their head, 1Password stands shoulder to shoulder with it on the security side of that mission—making it both accessible and empowering. 
Together, we&rsquo;re reshaping the way developers think about both app deployment and security: reclaiming control, reducing complexity, and elevating confidence.</p> <p>The future belongs to teams who refuse to compromise between simplicity and power, and with tools like Kamal and 1Password working in tandem, that future is closer than ever.</p></description></item><item><title>Black History Month: Celebrating Black heritage in the UK and the Netherlands</title><link>https://blog.1password.com/black-history-month-2024-uk-netherlands/</link><pubDate>Tue, 29 Oct 2024 00:00:00 +0000</pubDate><author>info@1password.com (Rozalynd Gaubault & Frank Chevannes)</author><guid>https://blog.1password.com/black-history-month-2024-uk-netherlands/</guid><description> <img src='https://blog.1password.com/posts/2024/black-history-month-2024-uk-netherlands/header.png' class='webfeedsFeaturedVisual' alt='Black History Month: Celebrating Black heritage in the UK and the Netherlands' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">October marks Black History Month in the UK and Black Achievement Month (BAM) in the Netherlands. This year’s UK theme, <em>Reclaiming Narratives</em>, focuses on telling our own stories, in our own voices. In the Netherlands, BAM is celebrating <em>New Generations</em>, spotlighting the rising stars and future leaders of Black excellence.</p> <p>Here at 1Password, we have a growing team of wonderfully talented and diverse individuals in Europe. We’re proud to spotlight Black trailblazers who have shaped Europe and beyond in our inaugural BHM celebrations for the region.</p> <h2 id="a-brief-history">A brief history</h2> <p>Black History Month in the UK began in 1987. Led by activist Akyaaba Addai-Sebo, it was started as a way to recognize the contributions of Black Britons and to educate others on their history and struggles. 
In the Netherlands, Black History Month officially started in 2010 to highlight the achievements of Black people within their nation, many of whom are of Surinamese and African descent. Black people have lived in both countries for centuries, and their stories are deeply intertwined with the cultural fabric of both nations.</p> <p>As Frank Chevannes, Senior Inside Sales Manager at 1Password, eloquently states in his poem:</p> <p><em>&ldquo;Inventors, visionaries, queens and kings,</em><br> <em>in history, there isn’t much that we haven’t been.</em><br> <em>During this month take a journey through time,</em><br> <em>what you’ll discover and learn will truly open your mind.&rdquo;</em></p> <p>Their stories aren’t just chapters in a history book but inspirational blueprints for the future. Here are some of the key figures who have paved the way for others.</p> <h3 id="olaudah-equiano-17451797-nigeriauk">Olaudah Equiano (1745–1797, Nigeria/UK)</h3> <p>Born in what is now Nigeria, <a href="https://www.liverpoolmuseums.org.uk/stories/who-was-olaudah-equiano">Olaudah Equiano</a> was enslaved as a child and later gained his freedom in England. He became a key figure in the abolitionist movement in Britain. His autobiography, <em>The Interesting Narrative of the Life of Olaudah Equiano</em>, offered a harrowing first-hand account of the transatlantic slave trade and was crucial in the fight to end slavery in the UK.</p> <h3 id="mary-seacole-18051881-jamaicauk">Mary Seacole (1805–1881, Jamaica/UK)</h3> <p>Born in Kingston, Jamaica, and based in London during her later years, Mary Seacole was a pioneering nurse who independently traveled to the Crimean War to provide care to British soldiers. Despite facing racial prejudice, she set up the &ldquo;British Hotel&rdquo; near the battlefield to nurse soldiers back to health. 
While she was overlooked during her time, Seacole’s invaluable contributions during the war have led her to be recognized as one of Britain’s greatest unsung heroes in healthcare.</p> <div style="text-align: center !important;"> <iframe src="https://www.youtube-nocookie.com/embed/xT9BTuBtCJs?si=yhsA6W1S563n7QL9" frameborder="0" allow="autoplay; encrypted-media" width="500px !important;" height="281px !important;" style="width: 500px !important; height: 281px !important; display: inline-block !important" allowfullscreen></iframe> </div> <h3 id="anton-de-kom-18981945-surinamenetherlands">Anton de Kom (1898–1945, Suriname/Netherlands)</h3> <p>A Surinamese anti-colonial activist and writer, Anton de Kom moved to the Netherlands in the early 1920s. His influential book, <em>We Slaves of Suriname</em>, exposed the atrocities of Dutch colonial rule and inspired movements for independence. He also played a role in the Dutch resistance during World War II, fighting against the Nazi occupation.</p> <h3 id="claudia-jones-19151964-trinidaduk">Claudia Jones (1915–1964, Trinidad/UK)</h3> <p>A Trinidad-born journalist and activist, <a href="https://www.bristol.ac.uk/history/public-engagement/blackhistory/snapshots/claudiajones/">Claudia Jones</a> lived in London and founded the <em>West Indian Gazette</em>. She is also credited with starting the Notting Hill Carnival, one of the largest cultural celebrations in Europe today. The carnival now generates an estimated <strong>£396 million annually</strong>, showcasing the powerful economic and cultural impact of this Black-led event. 
Through her journalism and activism, she fought tirelessly for racial equality and women’s rights.</p> <div style="text-align: center !important;"> <iframe src="https://www.youtube-nocookie.com/embed/W_nT5A4aMO8?si=KGNauP9t_caL4DwW" frameborder="0" allow="autoplay; encrypted-media" width="500px !important;" height="281px !important;" style="width: 500px !important; height: 281px !important; display: inline-block !important" allowfullscreen></iframe> </div> <hr> <p><em>&ldquo;I choose not to name drop and do this on purpose,</em><br> <em>as the names that you’ve heard have barely scratched the surface.&rdquo;</em></p> <p>The histories and achievements of these individuals are just a glimpse into the rich legacy of Black communities in both the UK and the Netherlands. For too long, many of these stories were untold or underrepresented, which left a gap in the public’s understanding of their contributions. But <strong>there’s power in reclaiming these narratives</strong>, as they reveal the beauty, strength, and resilience of Black heritage.</p> <hr> <h3 id="paul-stephenson-1937present-uk">Paul Stephenson (1937–Present, UK)</h3> <p>Born in Essex, <a href="https://www.theguardian.com/society/2020/oct/01/paul-stephenson-the-hero-who-refused-to-leave-a-pub-and-helped-desegregate-britain">Paul Stephenson</a> is a British civil rights activist who led the <a href="https://www.blackhistorymonth.org.uk/article/section/civil-rights-movement/the-bristol-bus-boycott-of-1963/">Bristol Bus Boycott</a> in 1963, a landmark campaign that paved the way for the UK’s first anti-discrimination laws. His activism was instrumental in confronting racial injustices and ensuring greater legal protections for Black Britons.</p> <h3 id="margaret-busby-1944present-ghanauk">Margaret Busby (1944–Present, Ghana/UK)</h3> <p>Born in Ghana and based in London, Margaret Busby became the UK&rsquo;s first Black female publisher when she co-founded Allison &amp; Busby. 
A writer, editor, and activist, she has spent her life advocating for underrepresented voices in literature. Some of the notable works she helped publish include <em>Sam Greenlee’s</em> <em>The Spook Who Sat by the Door</em>, <em>Ira Aldridge</em>, and <em>The Heart of the Race: Black Women’s Lives in Britain</em>, which contributed to shaping the Black literary landscape in Britain.</p> <div style="text-align: center !important;"> <iframe src="https://www.youtube-nocookie.com/embed/0FW7a-iILus?si=rZhh-juE6H0JZM5O" frameborder="0" allow="autoplay; encrypted-media" width="500px !important;" height="281px !important;" style="width: 500px !important; height: 281px !important; display: inline-block !important" allowfullscreen></iframe> </div> <h3 id="dame-linda-dobbs-1949present-sierra-leoneuk">Dame Linda Dobbs (1949–Present, Sierra Leone/UK)</h3> <p>As the first Black woman appointed as a High Court judge in the UK, <a href="https://www.blackhistorymonth.org.uk/article/section/inspirational-women/trailblazing-justice-the-inspirational-journey-and-enduring-legacy-of-dame-linda-dobbs/">Dame Linda Dobbs</a> has been a trailblazer in the British legal system. Based in London, her work has helped modernize the judiciary and improve diversity within the field. She has influenced how the courts approach equality, and her contributions continue to inspire future generations of legal professionals.</p> <h3 id="baroness-floella-benjamin-1949present-trinidaduk">Baroness Floella Benjamin (1949–Present, Trinidad/UK)</h3> <p><a href="http://www.floellabenjamin.com/">Baroness Floella Benjamin</a>, originally from Trinidad, is a broadcaster, actress, and politician who has spent much of her life in London. 
She was the first Black woman to head the British Academy of Film and Television Arts (BAFTA) and has been a passionate advocate for children’s rights, diversity, and the representation of Black voices in British media.</p> <div style="text-align: center !important;"> <iframe src="https://www.youtube-nocookie.com/embed/MY14lSgbDDk?si=EQ8CQu7dpuYZ0qAY" frameborder="0" allow="autoplay; encrypted-media" width="500px !important;" height="281px !important;" style="width: 500px !important; height: 281px !important; display: inline-block !important" allowfullscreen></iframe> </div> <h3 id="gloria-wekker-1950present-surinamenetherlands">Gloria Wekker (1950–Present, Suriname/Netherlands)</h3> <p>A renowned scholar, Gloria Wekker is based in Amsterdam and is best known for her work on race, gender, and sexuality. Her book <em>White Innocence</em> challenges the Netherlands' self-perception as a liberal and tolerant society, forcing the country to confront its colonial past and ongoing racial inequalities.</p> <h3 id="diane-abbott-1953present-uk">Diane Abbott (1953–Present, UK)</h3> <p>In 1987, <a href="https://www.britannica.com/biography/Diane-Abbott">Diane Abbott</a> made history as the first Black woman elected to the UK Parliament. Representing Hackney, London, she has been a fierce advocate for social justice and equality. Abbott played a pivotal role in improving healthcare outcomes by opposing cuts to the NHS and advocating for mental health services in schools. She also championed legislation to improve police accountability and diversity in law enforcement, aiming to address systemic issues within the British criminal justice system.</p> <hr> <p><em>&ldquo;They never told us, they thought we would never find out,</em><br> <em>there&rsquo;s beauty in our heritage that’s what Black history is about.&quot;</em></p> <p>For years, too many stories of Black pioneers, inventors, and visionaries were hidden, distorted, or ignored. 
But reclaiming these narratives helps us see the beauty and strength within our heritage. These figures, and many others, laid the groundwork for the world we live in today, and through their stories, we find inspiration for the future.</p> <p>Black History Month in the UK and the Netherlands is a reminder of the profound impact that Black individuals have had—and continue to have—on the fabric of these nations. At 1Password, we&rsquo;re proud to honor this legacy and remain committed to supporting and uplifting all employees as we continue on this journey of discovery, empowerment, and progress.</p> <p><em>&ldquo;During this month take a journey through time,</em><br> <em>What you’ll discover and learn will truly open your mind.&quot;</em></p></description></item><item><title>Ending security obstructionism with human-centric security</title><link>https://blog.1password.com/end-security-obstructionism-with-human-centric-security/</link><pubDate>Fri, 25 Oct 2024 00:00:00 +0000</pubDate><author>info@1password.com (Jason Meller)</author><guid>https://blog.1password.com/end-security-obstructionism-with-human-centric-security/</guid><description> <img src='https://blog.1password.com/posts/2024/end-security-obstructionism-with-human-centric-security/header.png' class='webfeedsFeaturedVisual' alt='Ending security obstructionism with human-centric security' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Traditional cybersecurity practices often work to obstruct users rather than help them. In this article, we explore this phenomenon and ways to refocus on user-centered security.</p> <p>At 1Password, we believe that IT folks genuinely want to help their users. 
We speak to IT leaders every week, and we can feel their excitement when we discuss tools that hold the promise of improving the work lives of end users.</p> <p>If this is the norm — and we genuinely believe it is — why do so many employees see IT teams as obstructors? Is it because of the tools? The organizational structure? Or simply a perception issue?</p> <p>Whatever the root cause, this animosity between end users and IT security is a problem. And the first step of solving a problem is identifying it, describing it, and giving it a name. (And end-user frustration, thy name is security.)</p> <p>Not too long ago, Kelly Shortridge coined a new term: <a href="https://swagitda.com/blog/posts/the-security-obstructionism-secobs-market/">security obstructionism</a> (SecObs). Kelly defines SecObs as the policies, tools, and practices that result in outcomes that impede progress under the guise of maintaining security.</p> <p>Even though Kelly uses the term with her tongue firmly planted in her cheek, we think that the underlying sentiment of the piece has significant merit.</p> <p>In this piece, let&rsquo;s take this term at face value, explore how it self-perpetuates within organizations, and find ways for everyone in IT and security to avoid falling into the SecObs trap.</p> <h2 id="what-is-security-obstructionism">What is security obstructionism?</h2> <p>Instead of achieving better security outcomes to support a business, SecObs causes IT teams to use security outputs as a proxy for progress. 
Kelly&rsquo;s piece shows many visceral examples of SecObs at your business, including:</p> <ul> <li> <p>Forced device restarts (as a first measure), <a href="https://blog.1password.com/should-you-change-passwords-every-90-days/">arbitrary password resets</a>, access approval, key rotations, and other policies that leave users unable to work.</p> </li> <li> <p>Vulnerability management processes that create long lists of unimportant triage items, which back up workflows and impact operational efficiencies.</p> </li> <li> <p>Manual security reviews or change approvals that block teams from shipping new code without the go-ahead of the security team.</p> </li> <li> <p>Phishing simulations or other training conducted with a &ldquo;gotcha&rdquo; mentality, creating tensions between employees and the IT team (and potentially leadership.)</p> </li> <li> <p>Interfering with or shutting down digital transformation initiatives (e.g., no-code platforms that empower citizen developers to build and publish apps.)</p> </li> <li> <p><a href="https://blog.1password.com/your-companys-bossware-could-get-you-in-legal-trouble/">The use of bossware</a> as an &ldquo;insider threat&rdquo; detection tool, such as keyloggers and screen recording.</p> </li> <li> <p>Mandatory but perfunctory employee training that fails to address knowledge gaps or improve measurable security outcomes.</p> </li> <li> <p>A culture that expects employees to follow security rules blindly without understanding why things are done.</p> </li> </ul> <p>Essentially, any security measure that requires the excessive hands-on involvement of the security and IT team has the potential to turn into SecObs tactics.</p> <h2 id="whats-wrong-with-security-obstructionism">What&rsquo;s wrong with security obstructionism?</h2> <p>Now you may say: at least the IT team is doing something to keep the company safe &hellip; but is it?</p> <p>SecObs focuses on security <em>output</em> rather than <em>outcomes</em>. 
The misdirected emphasis can cause a company to spend a lot of time and money on busy work (e.g., locking and unlocking access, superficial security training) without achieving meaningful results.</p> <p>The highly manual processes that drive SecObs only create bottlenecks that impact employee productivity. They can also hamper more impactful digital transformation efforts that automate and democratize IT and security tasks.</p> <p>Moreover, many detection and monitoring methods favored by SecObs are less than <a href="https://honest.security/">honest and transparent</a>. Employees don&rsquo;t know what agents are running on their devices and who has access to their data. The lack of trust often creates friction that can ultimately harm the company&rsquo;s cybersecurity program.</p> <p>Instead of proactively cooperating with IT, employees are more likely to go behind the security team&rsquo;s back. For example, they may use personal devices or other forms of <a href="https://blog.1password.com/what-is-shadow-it/">shadow IT</a> to handle company data, making it harder to track and secure sensitive information.</p> <p>To see the flaws of SecObs in action, look no further than the healthcare industry. <a href="https://blog.1password.com/healthcare-security-is-a-nightmare/">We&rsquo;ve written previously</a> about the creative ways medical practitioners have found to get around hospital cybersecurity. This isn&rsquo;t because these end users are lazy or don&rsquo;t care about security; it&rsquo;s because they want to do their jobs, and their work is being continuously interrupted by having to log in more than 200 times a day.</p> <p>Meanwhile, IT and security teams are blocked by their own share of SecObs. 
For instance, <a href="https://blog.1password.com/vulnerability-management-goes-much-deeper-than-patching/">vulnerability and risk management programs</a> that expect them to manually prioritize and patch an ever-growing pile of CVEs – most of which pose no real security risk. All while dealing with the conflicting pressures to secure sensitive data, work within tight budgets, get plans approved by executive leadership, and meet various compliance standards like <a href="https://blog.1password.com/10-minute-guide-to-soc-1-vs-soc-2/">SOC</a> or <a href="https://blog.1password.com/guide-to-iso-27001-compliance/">ISO</a>.</p> <p>SecObs hamstrings innovation, diminishes operational efficiency, erodes employee trust, and even harms security outcomes.</p> <h2 id="how-to-achieve-better-cybersecurity-outcomes">How to achieve better cybersecurity outcomes</h2> <p>SecObs is baked into many existing security solutions, so overcoming it isn&rsquo;t easy. Many applications claim to reinforce IT security but, in effect, create roadblocks to improving network security outcomes. Security requires friction. But there&rsquo;s a limit to how <em>much</em> friction it can add before it starts to hurt more than it helps.</p> <p>Companies must make conscious efforts to avoid falling into the SecObs trap. But how?</p> <img src="https://blog.1password.com/posts/2024/end-security-obstructionism-with-human-centric-security/how-to-battle-security-obstructionism.png" alt="A graphic on how to battle security obstructionism." title="A graphic on how to battle security obstructionism." class="c-featured-image"/> <h3 id="device-restarts">Device restarts</h3> <p>Imagine how frustrating it is if your laptop reboots when you&rsquo;re in the middle of an important task. Forced device restart is not only intrusive, but also impacts productivity, and can even cause data loss. 
It conveys that the company doesn&rsquo;t respect employees' time and privacy.</p> <p>Instead, use tools like 1Password Device Trust. These give you the ability to enforce compliance without relying on forced restarts. Our device trust agent warns users ahead of time when their device is in an insecure state, and tells them how and when to remediate the issue. 1Password Device Trust only blocks devices when they&rsquo;ve passed the deadline for the update. Until then, employees have flexibility and control over their workflows, with the ability to install updates when they decide. This is just one way of improving cybersecurity ecosystems with the user in mind.</p> <h3 id="password-management">Password management</h3> <p>According to the 2024 Verizon Data Breach Investigations Report (DBIR), <a href="https://enterprise.verizon.com/resources/reports/dbir/">stolen credentials have factored into almost one-third of breaches over the last 10 years</a>. And yet, our own study found that <a href="https://blog.1password.com/closing-the-sso-security-gap/">61% of employees use weak passwords</a>.</p> <p>But forced password resets or arbitrary password requirements are not the answer to this problem – they add needless friction for end users, with very few security gains. In fact, they&rsquo;re likely to harm security, but many companies still use them.</p> <p>Of course, passwords themselves are a <a href="https://blog.1password.com/authentication-methods/">notoriously weak authentication factor</a>. But rolling out SSO or passwordless auth can take time, or <a href="https://blog.1password.com/closing-the-sso-security-gap/">may not be suited for every login</a>. Solutions like <a href="https://1password.com/product/enterprise-password-manager">enterprise password managers</a> can help users generate secure passwords and mitigate risk when there is evidence that a password was potentially compromised in a breach. 
And yet, many companies still fail to roll out this table-stakes security, even though it provides the best experience for end users.</p> <p>Of course, when we talk about access management, we also have to talk about multi-factor authentication. We&rsquo;ve written previously on the <a href="https://blog.1password.com/how-mfa-is-falling-short/">ways it can fall short</a>, but using passwordless factors, like <a href="https://blog.1password.com/what-are-passkeys/">passkeys</a>, can help prevent unauthorized access without forcing users to jump through endless hoops of authentication.</p> <h3 id="security-education">Security education</h3> <p>Imposing interruptive mandatory security training may check a compliance box, but does little to bridge the knowledge gap and show employees how your security policy relates to their job functions.</p> <p>Instead, letting employees self-remediate security issues teaches them best security practices in the moment, instead of in the abstract. 1Password Device Trust runs regular posture checks on employee devices. When there&rsquo;s an issue, it provides detailed instructions on how to fix it. This is far more effective than watching one training video a year, as it engages employees in security in real time, and lets them learn by doing.</p> <img src="https://blog.1password.com/posts/2024/end-security-obstructionism-with-human-centric-security/quote-end-security-orchestration.png" alt="A graphic with a quote from Xunzi." title="A graphic with a quote from Xunzi." class="c-featured-image"/> <p>Such automation frees the security team from having individual conversations with every user when they do something that puts the company at risk. 
It also provides end users with the critical information they need to learn about an issue, fix it on their own, and prevent it from happening in the future, improving security in the long term.</p> <h2 id="mindset-changes-to-overcome-secobs">Mindset changes to overcome SecObs</h2> <p>To truly overcome SecObs, IT leaders and teams must change their mindset around security. Their job shouldn&rsquo;t be about &ldquo;protecting the company from employees' stupidity.&rdquo; They must start from a mindset of trusting that employees will do the right thing when given the right information. (This includes understanding that <em>not</em> doing the right thing will result in consequences, such as being blocked from authenticating.) Build policies with the principles of <a href="https://honest.security/">Honest Security</a> in mind.</p> <p>As such, you need the tools to educate employees and teach them how to take appropriate actions at the point of performance. Next, you need to take an &ldquo;outcome over output&rdquo; approach to security. The truth is that in today&rsquo;s fast-paced digital world, it&rsquo;s not feasible to create an airtight environment.</p> <p>We&rsquo;ll restate this for emphasis. <em>There&rsquo;s no such thing as perfect security</em>, no matter how much you lock down your users' devices.</p> <p>If you want realistic ways of reducing the likelihood of cyber incidents, you need a cybersecurity strategy that encourages users to be proactive.</p> <p>When we focus on outcomes rather than output, we need to understand that security works best when it works with people, rather than against them. Tools that prioritize the end user experience are tools that users are more likely to embrace. Don&rsquo;t use solutions that disproportionately hamstring your fellow employees in the pursuit of an impossible goal (you can&rsquo;t mitigate every threat). 
Instead, focus your mission on the highest-impact vulnerabilities and the highest-impact solutions.</p></description></item><item><title>1Password Device Trust partners with Tailscale and Twingate</title><link>https://blog.1password.com/device-trust-tailscale-twingate/</link><pubDate>Thu, 24 Oct 2024 00:00:00 +0000</pubDate><author>info@1password.com (Rachel Sudbeck)</author><guid>https://blog.1password.com/device-trust-tailscale-twingate/</guid><description> <img src='https://blog.1password.com/posts/2024/device-trust-tailscale-twingate/header.png' class='webfeedsFeaturedVisual' alt='1Password Device Trust partners with Tailscale and Twingate' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Over the past few decades, securing remote access has become monumentally more complex. Remote work, with all of its benefits, has also furthered the threats of <a href="https://blog.1password.com/what-is-shadow-it/">shadow IT</a> and unauthorized remote access.</p> <p>Companies now need to secure their systems by guarding five pillars: identities, applications, devices, data, and networks.</p> <p>Even so, there’s a gap between the people, devices, and applications that we trust to access sensitive data, and those that actually do in practice (this is called the <a href="https://blog.1password.com/explaining-the-access-trust-gap/">“Access-trust Gap”</a>). As such, we created 1Password Extended Access Management® to give companies complete visibility and control over the user identities and devices that access their resources.</p> <p>When it comes to securing data at the network level, companies have various options to add to their security stack. Two such options are <a href="https://tailscale.com/">Tailscale</a> and <a href="https://www.twingate.com/">Twingate</a>.</p> <p>Tailscale and Twingate each take different approaches to better fortify remote network access. 
Where Tailscale seeks to improve and modernize VPN security, Twingate seeks to replace it altogether. While different, each of their offerings is a best-in-class approach to Zero Trust Network Access (ZTNA).</p> <p>As such, we couldn’t be more excited to announce that both Tailscale and Twingate have new integrations with 1Password Extended Access Management’s Device Trust solution. Here, we’ll explore how these integrations work and how they enable all of our products to better secure the complex systems of the modern workplace.</p> <h2 id="1password-device-trust-and-tailscale">1Password Device Trust and Tailscale</h2> <p>Tailscale improves on legacy VPN options through <a href="https://tailscale.com/blog/how-tailscale-works">techniques like</a> peer-to-peer connections, secure mesh networks, and WireGuard encryption. Their “<a href="https://tailscale.com/kb/1226/tailnet-lock?q=zero+trust">Tailnet lock</a>” also ensures that new nodes can’t be added to a network unless they’re cryptographically signed by the network admins.</p> <h2 id="how-the-tailscale-integration-works">How the Tailscale integration works</h2> <p>Tailscale’s engineers have designed an integration that allows Tailscale Enterprise accounts and 1Password Device Trust plans to communicate and ensure that the network is secured from untrusted or noncompliant devices.</p> <h3 id="for-the-user">For the user</h3> <p>When an end user tries to access a network resource, they start by trying to connect to their company’s Tailscale network (or “<a href="https://tailscale.com/kb/1136/tailnet">tailnet</a>”).</p> <p>At that point, Tailscale queries 1Password Device Trust, which runs a series of posture checks on that user’s device. 
These checks are designed to ensure that this end user device, whether a managed company computer or a BYOD device, is compliant with company security policy.</p> <p>1Password Device Trust has a library of <a href="https://www.kolide.com/features/checks">over 100 pre-built checks</a>, including:</p> <ul> <li>Device OS is up to date.</li> <li>Browsers and other critical apps are updated.</li> <li>The device has <a href="https://blog.1password.com/do-macs-need-antivirus-for-soc-2/">antivirus enabled</a>.</li> <li>The device itself is trusted and <a href="https://tailscale.com/kb/1407/kolide">matches the device registered to your tailnet</a>.</li> </ul> <p>If a user’s device fails one of these checks, for instance if the OS isn’t updated, then the device isn’t allowed to access the network until the user resolves the issue. (And as always, whenever the device trust agent blocks a user, it also provides detailed remediation instructions, so they can get unblocked and back to work.)</p> <h3 id="for-the-admin">For the admin</h3> <p>On the admin side, <a href="https://tailscale.com/kb/1407/kolide">setting up this integration is simple</a>. Admins begin in their 1Password Device Trust console, where they generate an API Key and assign an administrator to be responsible for how the key is used.</p> <p>Then, they open Tailscale’s Admin Console. 
In the Device Management page, they can select the option to Configure the API Key to connect to 1Password XAM.</p> <p>Once they’ve done so, they can:</p> <ul> <li>Inspect individual machines.</li> <li>Adjust the access rules for Tailscale.</li> <li>Schedule regular device posture synchronizations.</li> <li>Start generating audit logs.</li> </ul> <p>In a nutshell: this integration enables admins to make sure that only trusted users and healthy devices are able to access their Tailnet.</p> <h2 id="1password-device-trust-and-twingate">1Password Device Trust and Twingate</h2> <p>Where Tailscale seeks to improve on legacy VPN offerings, Twingate provides an alternative to them altogether. Their ZTNA solution relies on <a href="https://www.twingate.com/docs/how-twingate-works">four components</a>:</p> <ul> <li>The Controller: This serves as the central admin coordination console for managing access.</li> <li>The Client: The client is the Twingate software component installed on user devices.</li> <li>The Connector: This is a mirror component of the client, which verifies the integrity of inbound client connections before forwarding the connection to managed resources.</li> <li>The Relay: This establishes unique, hash-based IDs for clients, and serves as the connection point between Clients and Connectors.</li> </ul> <p>Twingate also works by generating <a href="https://www.twingate.com/blog/access-control-list">Access Control Lists</a> (ACLs), a list of the resources that individual Clients and Connectors are able to access. <a href="https://www.twingate.com/docs/twingate-vs-vpn">As they put it</a>, this means that “&hellip;Twingate allows access to be granted on a per application basis.”</p> <p>This allows for the implementation of least-privileged network access, and reduces the potential scope of breaches. 
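</p> <p>To make the decision flow concrete, here is an added example (not code from 1Password, Tailscale or Twingate) that models it in Python: the device-trust side runs the posture checks listed in the Tailscale section above, treats a stale OS as a warning until a remediation deadline passes and as a block afterwards (the grace-period behaviour the previous post describes for 1Password Device Trust in place of forced restarts), and the network side grants a passing device only the resources its per-user ACL lists, in the spirit of Twingate’s per-application access. Every name in it (<code>PostureSnapshot</code>, <code>Policy</code>, <code>access_decision</code>, the device IDs, serials, users and resources) is invented for illustration and the sample data is constructed.</p>

```python
"""Device-posture gating with a grace-period deadline plus per-application ACLs.

Added example, not 1Password/Tailscale/Twingate code. All class, field and
function names are invented; the sample devices, users and resources are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class PostureSnapshot:
    """What a device-trust agent reports about one machine (invented fields)."""
    device_id: str
    serial: str
    os_version: str
    browser_version: str
    antivirus_enabled: bool
    os_update_available_since: Optional[datetime] = None  # None if the OS is current


@dataclass
class Policy:
    min_os_version: str
    min_browser_version: str
    os_update_grace: timedelta   # how long a stale OS is warned rather than blocked
    registered_devices: dict     # device_id -> serial recorded at enrollment


@dataclass
class CheckResult:
    name: str
    passed: bool
    severity: str        # "block": deny now; "warn": allow, but tell the user to fix it
    remediation: str = ""


def _ver(v: str) -> tuple:
    """Compare dotted versions numerically, so 14.10 sorts after 14.6."""
    return tuple(int(p) for p in v.split("."))


def run_posture_checks(snap: PostureSnapshot, policy: Policy, now: datetime) -> list:
    results = []
    # Registration: the id must be known AND the serial must match the enrollment
    # record, so a cloned or re-imaged box cannot borrow another device's identity.
    enrolled_serial = policy.registered_devices.get(snap.device_id)
    results.append(CheckResult("device-registered", enrolled_serial == snap.serial, "block",
                               "Enroll this device with the device trust agent before connecting."))
    # OS version: outdated is a warning until the grace deadline passes, then a block.
    if _ver(snap.os_version) >= _ver(policy.min_os_version):
        results.append(CheckResult("os-up-to-date", True, "block"))
    else:
        since = snap.os_update_available_since or now
        deadline = since + policy.os_update_grace
        severity = "warn" if now < deadline else "block"
        results.append(CheckResult("os-up-to-date", False, severity,
                                   f"Install the {policy.min_os_version} update before "
                                   f"{deadline:%Y-%m-%d %H:%M} UTC."))
    results.append(CheckResult("browser-up-to-date",
                               _ver(snap.browser_version) >= _ver(policy.min_browser_version),
                               "block", f"Update the browser to {policy.min_browser_version} or newer."))
    results.append(CheckResult("antivirus-enabled", snap.antivirus_enabled, "block",
                               "Turn antivirus real-time protection back on."))
    return results


def access_decision(user: str, snap: PostureSnapshot, resource: str,
                    policy: Policy, acl: dict, now: datetime) -> dict:
    """Broker-side decision: posture gates the device, the ACL gates the resource."""
    checks = run_posture_checks(snap, policy, now)
    failed = [c for c in checks if not c.passed]
    blocking = [c.remediation for c in failed if c.severity == "block"]
    if blocking:
        return {"allow": False, "state": "blocked", "remediation": blocking}
    # Least privilege: a healthy device and a trusted user still get only listed resources.
    if resource not in acl.get(user, set()):
        return {"allow": False, "state": "not-authorized", "remediation": []}
    warnings = [c.remediation for c in failed if c.severity == "warn"]
    return {"allow": True, "state": "warned" if warnings else "healthy", "remediation": warnings}


# --- constructed sample data (not real devices, users or resources) ---
NOW = datetime(2024, 10, 24, 12, 0, tzinfo=timezone.utc)
POLICY = Policy("14.6", "129.0", timedelta(days=7),
                {"dev-a1": "C02ABC123", "dev-b2": "PF3XYZ789"})
ACL = {"alice": {"git.internal", "wiki.internal"}, "bob": {"wiki.internal"}}

HEALTHY = PostureSnapshot("dev-a1", "C02ABC123", "14.6", "129.0", True)
STALE_OS_3D = PostureSnapshot("dev-b2", "PF3XYZ789", "14.4", "129.0", True,
                              os_update_available_since=NOW - timedelta(days=3))
STALE_OS_10D = PostureSnapshot("dev-b2", "PF3XYZ789", "14.4", "129.0", True,
                               os_update_available_since=NOW - timedelta(days=10))
CLONED = PostureSnapshot("dev-a1", "WRONGSERIAL", "14.6", "129.0", True)

if __name__ == "__main__":
    for label, user, snap, res in [("healthy", "alice", HEALTHY, "git.internal"),
                                   ("no-acl", "alice", HEALTHY, "hr.internal"),
                                   ("stale-3d", "bob", STALE_OS_3D, "wiki.internal"),
                                   ("stale-10d", "bob", STALE_OS_10D, "wiki.internal"),
                                   ("cloned", "alice", CLONED, "git.internal")]:
        print(label, access_decision(user, snap, res, POLICY, ACL, NOW))
```

<p>Running the module prints one decision per scenario. The two gates are kept separate on purpose: a device can be registered and healthy and still be refused a resource the ACL does not list, and a warning never widens access; it only attaches a remediation message and a deadline to a connection that is otherwise permitted.</p> <p>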
Essentially, users are only able to access the resources that they’ve been authorized to access, and only once they’ve been granted access through those four components.</p> <h2 id="how-the-twingate-integration-works">How the Twingate integration works</h2> <p>Through its new integration with 1Password Device Trust, Twingate admins can also ensure that those resources are only being accessed by trusted and healthy devices.</p> <p>In many ways, this integration works similarly to the one with Tailscale.</p> <h3 id="for-the-user-1">For the user</h3> <p>When users attempt to access one of their work applications, they follow the standard Twingate authentication flow.</p> <p>However, their company has also “<a href="https://www.twingate.com/docs/device-controls-use-case">delegated device trust</a>” to 1Password Device Trust. This means that their device can only authenticate to those resources if it’s also authenticated through 1Password Device Trust.</p> <p>If that user is using an unknown device, they won’t be able to authenticate until they’ve registered it as “trusted.” If they’re using an unhealthy device, they won’t be able to authenticate until they’ve remediated any issues and made sure it passes all of their company’s posture checks.</p> <h3 id="for-the-admin-1">For the admin</h3> <p>For admins, setting up the integration will again require <a href="https://www.twingate.com/docs/device-controls-use-case">generating an API Key</a> through their 1Password Device Trust console.</p> <p>In Twingate, they should navigate to “Settings,” then “Device Integrations,” and select “Connect” next to the 1Password Device Trust option. 
They can then input the API Key, and Twingate will be able to access the authentication information for each device registered in 1Password Device Trust.</p> <p>After this, admins need to configure the integration into “Device Security Trusted Profiles.” They will create a Trusted Profile, and select 1Password Device Trust as a “Verification Requirement.” Then, they can incorporate that profile in the “Security Policies” required to authenticate with Twingate.</p> <h2 id="better-together-enhance-zero-trust-through-integration">Better together: enhance Zero Trust through integration</h2> <p>We’ll <a href="https://www.twingate.com/docs/twingate-vs-vpn">borrow a metaphor</a> from Twingate: “In the physical world, walled castles have been replaced by borderless cities…”</p> <p>In a modern remote company, systems are sprawling and amorphous, borders are ever-changing, and security needs to be able to secure every entrypoint possible.</p> <p>That’s why these partnerships are so valuable. By integrating 1Password Device Trust with Tailscale or Twingate, teams can take a holistic view of security and unify their Zero Trust architecture. Together, we can ensure that networks are only accessed by trusted and compliant devices. That can make a world of difference in preventing attacks, and ensuring that sensitive data stays secure.</p> <p>We extend our huge thanks to the teams at Tailscale and Twingate for their work in making these integrations happen. Here’s to all of us being able to do even more to secure the companies we serve!</p> <p><em>Want to learn more about how your team can integrate 1Password Device Trust with your existing security systems? <a href="https://1password.com/contact-sales/xam">Reach out for a demo!</a></em></p> <p><em>Do you have an idea for more <a href="https://developer.1password.com/">amazing integrations</a> with <a href="https://developer.1password.com/">1Password Device Trust</a>? Shoot us an email to start building with us! 
<a href="mailto:tech-partnerships@agilebits.com">tech-partnerships@agilebits.com</a></em></p></description></item><item><title>New IDC InfoBrief + downloadable CISO checklists</title><link>https://blog.1password.com/idc-security-report-ciso-checklists/</link><pubDate>Wed, 23 Oct 2024 00:00:00 +0000</pubDate><author>info@1password.com (Rachel Sudbeck)</author><guid>https://blog.1password.com/idc-security-report-ciso-checklists/</guid><description> <img src='https://blog.1password.com/posts/2024/idc-security-report-ciso-checklists/header.png' class='webfeedsFeaturedVisual' alt='New IDC InfoBrief + downloadable CISO checklists' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Tl;dr: This blog discusses IDC’s 2024 study, “<a href="https://1password.com/resources/idc-report-future-of-access-management/?utm_ref=resources">The Future of Access Management: Identity Security Requirements for a Modern Application Access Approach</a>.” The study identifies the biggest challenges facing security leaders today, especially those exacerbated by hybrid work. 
Below are IDC’s findings as well as downloadable checklists that security practitioners can use to address the security gaps in their organizations.</p> <p><a href="https://www.idc.com/getdoc.jsp?containerId=EUR251818124&amp;pageType=PRINTFRIENDLY">IDC ran a recent survey of over 600 international enterprises</a> about the key issues they face in identity and access management (IAM), including a ranking of “organizational risk by user entity.” The top four riskiest groups they named were: hybrid/remote employees; partners, suppliers, and affiliates; machine identities; contractors.</p> <p>There is a shared challenge across all four groups: they are underserved by traditional security tools, and their risk has been exacerbated by the rise in remote work.</p> <p>In a nutshell, it’s more difficult to confidently ascertain a user’s (or device’s) identity and ensure that they are behaving safely when that person/device doesn’t fit neatly into an office building, corporate network, identity provider, or company-owned and managed fleet.</p> <img src="https://blog.1password.com/posts/2024/idc-security-report-ciso-checklists/organizational-risk-by-user-entity.png" alt="A chart showing that hybrid and remote employees are the user type that represents the highest level of risk for organizations." title="A chart showing that hybrid and remote employees are the user type that represents the highest level of risk for organizations." class="c-featured-image"/> <p>As avenues for remote access increase, any CISO (indeed, any security or IT professional) knows that there’s a problem. 
The study states:</p> <blockquote> <p>“Access is critical to workplace productivity, but it often leads to overly permissive sign-ins from unregistered and untrusted devices and/or invisible sign-ins into undiscovered and unmanaged applications.”</p> </blockquote> <p>Still, it’s only recently that this problem has gotten a name: the <a href="https://blog.1password.com/explaining-the-access-trust-gap/">access-trust gap</a>. What it means is that sensitive data is being accessed by more than just the users, applications, and devices that a business <em>trusts</em> to access it – because these untrusted forms of access aren’t protected by traditional security tools. This gap has proven difficult to solve for a myriad of reasons. For one, in trying to secure hybrid BYOD environments, CISOs face the eternal tension between security and productivity. Every entrypoint brings risk, but every additional point of friction translates to frustration and lost productivity.</p> <p>Recently, IDC released a security study about the challenges facing CISOs. In its study, IDC provides practical guidance for CISOs on how they can close the access-trust gap <em>without</em> upsetting the delicate balance between security and productivity.</p> <p>IDC’s study describes the nature of today’s security challenges and offers concrete solutions to them based on a zero trust access (ZTA) framework and <a href="https://blog.1password.com/guiding-principles-how-least-privilege-leads-to-more-security/">the principle of least privilege</a>. 
While the ideas in the study are universal and product-agnostic, in this blog post we’ll use 1Password® Extended Access Management to illustrate these tactics in action.</p> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div class="c-technical-aside-box__description"> <p>For CISOs looking to achieve better oversight and management over remote access, we’ve also provided <a href="https://1password.com/files/resources/access-management-checklist-CISOs-security-leaders.pdf">a checklist of the actions needed to roll out ZTA and extend access management</a> at your company.</p> </div> </aside> <h2 id="securing-user-identities-and-authentication">Securing user identities and authentication</h2> <p>Stolen credentials have factored into almost <a href="https://www.verizon.com/business/resources/reports/dbir/"><em>one third</em> of all breaches this decade</a>. If teams want to reduce the risk of credential-based attacks, they need to secure sign-in processes. There are several ways to do that today, though you’ll most likely need to implement a combination of them instead of relying on just one.</p> <h3 id="single-sign-on-sso">Single sign-on (SSO)</h3> <p>SSO helps ensure that only trusted users are accessing company resources by reducing the number of passwords and allowing for centralized access provisioning. 
Unfortunately, many vendors charge an exorbitant “SSO tax,” making this <a href="https://blog.1password.com/explaining-the-backlash-to-the-sso-tax/">critical security feature prohibitively expensive</a> to implement across all apps.</p> <p>The study advises CISOs to “secure high-use/high-risk apps through SSO federation” but also to “extend security beyond traditional SSO &hellip; to a universal approach that enables sign-on across all legacy, SaaS, and web applications.”</p> <h3 id="passwordless-authentication">Passwordless authentication</h3> <p>According to the IDC study “almost one-third of all ransomware attacks originate from a phishing email.” And the target of many such attacks is employee credentials, which attackers use to escalate their permissions.</p> <p>Phishing attacks are a stubborn and serious threat, so teams should use phishing-resistant authentication factors. That means taking every opportunity to ditch passwords, SMS, <a href="https://blog.1password.com/authentication-methods/">and other insecure methods</a>. Instead, roll out <a href="https://blog.1password.com/what-are-passkeys/">passwordless factors like passkeys</a>.</p> <h3 id="enterprise-password-manager-epm">Enterprise password manager (EPM)</h3> <p>Of course, it’s no easy task to completely do away with passwords, especially when working with legacy applications. That’s why an enterprise password manager is, frankly, table-stakes security.</p> <p>Admittedly, we’re biased since we make an <a href="https://www.passwordmanager.com/best-enterprise-password-managers/">industry-leading EPM solution</a>. 
But we’ll note that CISA <a href="https://www.cisa.gov/secure-our-world/require-strong-passwords">agrees with us</a> on this point.</p> <h2 id="securing-devices-and-applications">Securing devices and applications</h2> <p>IDC’s study stresses the importance of getting visibility and control over untrusted devices and apps.</p> <blockquote> <p>“A future-looking access management solution should extend the strengths of identity access management (IAM) and mobile device management (MDM) to unmanaged apps and devices, ensuring all access attempts are trusted and secure.”</p> </blockquote> <p>This requires a <a href="https://blog.1password.com/what-is-device-trust/">device trust</a> solution that can offer more granular security than MDM and work on devices not eligible for MDM enrollment (such as BYOD, Linux, and contractor devices). It also requires the ability to identify the presence of shadow IT applications so that they can be eliminated or brought under management.</p> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div class="c-technical-aside-box__description"> <p>For more detail on how to achieve that level of oversight, we’ve also provided some <a href="https://1password.com/files/resources/access-management-checklist-CISOs-security-leaders.pdf">downloadable checklists for CISOs</a>.</p> </div> </aside> <h3 id="device-trust-authentication">Device trust authentication</h3> <p>Device trust ensures that users can’t authenticate to company resources unless they’re logging in from a device that is already known, trusted, and associated with their identity.</p> <h3 id="device-posture-checks">Device posture checks</h3> <p>Device trust ensures that each device is in a secure state before it authenticates. 
That means continuously checking that devices are compliant with all of your security policies, such as running an up-to-date OS and browser, having the firewall turned on, and having EDR present.</p> <h3 id="manage-applications">Manage applications</h3> <p>According to <em>The State of Security Enterprise Report, 1Password, 2024</em>, more than <a href="https://blog.1password.com/closing-the-sso-security-gap/">one third of the apps employees use aren’t sanctioned</a> by their workplace.</p> <p>It’s likely that CISOs and IT admins alike are already familiar with the threat of <a href="https://blog.1password.com/what-is-shadow-it/">shadow IT</a>, which has only been growing with the increasing sprawl of remote access. For instance, the IDC study also shows that 59% of companies added more than 20 SaaS apps in the last 18 months.</p> <p>Getting a handle on shadow IT requires centralized visibility over the entire access process, across identities, devices, and applications. Anything that touches company data needs proper oversight so that IT can see a full inventory of their ecosystem and provision access accordingly. From there, IT can block unsafe apps, properly manage approved ones, and even eliminate unused licenses and redundant applications, potentially saving tens of thousands of dollars.</p> <h2 id="enable-employee-productivity">Enable employee productivity</h2> <p>Every CISO has to find the right balance between security and productivity. IDC’s advice for managing this dilemma focuses on avoiding forced restarts and allowing for end user remediation.</p> <h3 id="end-user-remediation">End user remediation</h3> <p>The IDC study advises that teams “offer users the ability to self-remediate for faster action and lower IT burden.”</p> <p>For example, when a device fails a posture check, 1Password’s Device Trust solution alerts the user of the problem and gives them detailed instructions on how to fix it. 
It also gives them a deadline, and if they don’t remediate the issue before the time is up, they’ll be blocked from authenticating. This grace period lets users solve their own issues with minimal disruption to workflows.</p> <p>It’s also worth mentioning that with end user remediation, IT teams can expect to see fewer IT tickets due to blocked users.</p> <h2 id="security-meets-productivity">Security meets productivity</h2> <p>Notably, IDC’s study illustrates that Extended Access Management is fundamentally about enabling users to work in the way that’s easiest and most productive for them.</p> <p>IDC avoids advising rigid tactics like banning mobile devices, prohibiting SaaS app downloads, or just going back to the office. Rather, the firm encourages flexible solutions to secure a more flexible workplace.</p> <p><strong>CISOs don’t want to impede the employee experience, and they don’t have to.</strong> With thoughtful solutions, they can keep systems secure and enable employees to succeed as we all transition to a new workplace paradigm.</p> <p><em><a href="https://1password.com/resources/idc-report-future-of-access-management/?utm_ref=resources">Read the full study from IDC</a>.</em></p></description></item><item><title>1Password partners with TD SYNNEX to make Extended Access Management available for IT service providers</title><link>https://blog.1password.com/1password-tdsynnex-partnership-resellers/</link><pubDate>Tue, 22 Oct 2024 00:00:00 +0000</pubDate><author>info@1password.com (Monica Jain)</author><guid>https://blog.1password.com/1password-tdsynnex-partnership-resellers/</guid><description> <img src='https://blog.1password.com/posts/2024/1password-tdsynnex-partnership-resellers/header.png' class='webfeedsFeaturedVisual' alt='1Password partners with TD SYNNEX to make Extended Access Management available for IT service providers' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">At 1Password, our 
mission has always been clear: to provide robust, human-centric security solutions that meet the needs of today&rsquo;s businesses. Cybersecurity threats are evolving daily so it’s never been more important for businesses to have reliable, user-friendly solutions.</p> <p>Today, we&rsquo;re announcing a strategic partnership with TD SYNNEX, a leading global distributor of technology solutions, services, and products. This collaboration allows more businesses across North America to enhance their security by leveraging 1Password’s password management and Extended Access Management solutions.</p> <p>Together with TD SYNNEX, we’re bringing our enterprise-level security offerings to a wider network of IT service providers, empowering companies of all sizes to manage credentials and protect sensitive information securely.</p> <h2 id="what-is-td-synnex">What is TD SYNNEX?</h2> <p>TD SYNNEX is a trusted distributor for organizations seeking advanced technology solutions. The company has an extensive network and deep industry expertise, making them an ideal partner to help us bring Extended Access Management to more businesses.</p> <p>TD SYNNEX’s focus on delivering value-added services — such as technical expertise, training, and support — is aligned with our goal of providing secure, scalable solutions to organizations of all sizes. Through this partnership, we’re able to reach more businesses and offer them an easier way to implement, manage, and scale 1Password within their existing infrastructure.</p> <h2 id="what-the-partnership-means-for-businesses">What the partnership means for businesses</h2> <p>Our partnership with TD SYNNEX unlocks new possibilities for businesses across North America. 
Through TD SYNNEX’s distribution channels, IT service providers can now seamlessly add 1Password’s products to their portfolio, offering a world-class, robust security solution.</p> <h2 id="looking-ahead">Looking ahead</h2> <p>It&rsquo;s never been more important for businesses to adopt a cybersecurity strategy that can adapt to the changing digital landscape. We&rsquo;re proud to partner with TD SYNNEX and make it easier for organizations to strengthen their security practices with 1Password’s solutions.</p> <p>Together, we’re not only expanding the availability of our services across North America, but we’re also empowering businesses to protect what matters most — their data, their employees, and their customers.</p> <p>Stay tuned for more updates on this partnership and resources that can help you and your business further simplify security at work.</p></description></item><item><title>How to spotlight search across every Mac with osquery</title><link>https://blog.1password.com/how-to-spotlight-search-across-every-mac-with-osquery/</link><pubDate>Fri, 18 Oct 2024 00:00:00 +0000</pubDate><author>info@1password.com (Fritz Ifert-Miller)</author><guid>https://blog.1password.com/how-to-spotlight-search-across-every-mac-with-osquery/</guid><description> <img src='https://blog.1password.com/posts/2024/how-to-spotlight-search-across-every-mac-with-osquery/header.png' class='webfeedsFeaturedVisual' alt='How to spotlight search across every Mac with osquery' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">In this article, we discuss how admins can programmatically access Spotlight using a utility called osquery, and we demonstrate useful queries you can run to find evidence of compromise in your organization.</p> <p>Have you ever wanted to find exactly the right file on your system in a hurry?</p> <p>That&rsquo;s why those clever folks at Apple built Spotlight.</p> <p>Originally introduced in Mac OS X Tiger, 
Spotlight continuously maintains an index of all of the files on your Mac, which allows you to instantly search for files not just by their names, but by their metadata, and even the text content inside of them.</p> <img src="https://blog.1password.com/posts/2024/how-to-spotlight-search-across-every-mac-with-osquery/spotlight-search.png" alt="A screenshot of the spotlight search." title="A screenshot of the spotlight search." class="c-featured-image"/> <p>I lean on Spotlight heavily every day, to quickly locate and pull up the right design assets from the 1000+ Sketch files on my system.</p> <p>While the benefits of Spotlight as a user of macOS are obvious and intuitive, admins may be surprised to learn you can leverage this powerful feature across your Mac fleet to hunt for evidence of malware, data breaches, and other undesirable artifacts in your end-users' devices.</p> <p>In this article, we will discuss how you can programmatically access Spotlight using a utility called osquery, and we&rsquo;ll demonstrate useful queries you can run to find evidence of compromise in your organization.</p> <h2 id="what-is-osquery">What is osquery?</h2> <p><a href="https://osquery.io/">Osquery</a> is a free open-source project that allows you to query a device with SQL as if it were a real relational database.</p> <p>For example, if you wanted to list all of the apps installed on a device, you can simply open your terminal, type <code>osqueryi</code> (osquery&rsquo;s command line utility) and in the prompt run the following:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-sql" data-lang="sql"><span class="k">SELECT</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="k">FROM</span><span class="w"> </span><span class="n">apps</span><span class="w"> </span><span class="k">LIMIT</span><span class="w"> </span><span class="mi">1</span><span class="p">;</span><span class="w"> </span></code></pre></div><pre 
tabindex="0"><code>name = 1Password 7.app
path = /Applications/1Password 7.app
bundle_executable = 1Password 7
bundle_identifier = com.agilebits.onepassword7
bundle_name = 1Password 7
bundle_short_version = 7.0.7
bundle_version = 70007000
bundle_package_type = APPL
environment = 
element = 
compiler = com.apple.compilers.llvm.clang.1_0
development_region = en
display_name = 
info_string = 
minimum_system_version = 10.12.6
category = public.app-category.productivity
applescript_enabled = 0
copyright = Copyright © AgileBits Inc.
last_opened_time = 1533860585.5755
</code></pre><p>When I run this query, osquery translates the SQL into live API calls that list all of the apps currently installed on my device. If I installed more apps and ran this command again, the output would immediately reflect those changes.</p> <p>In our query above, <code>apps</code> is called a &ldquo;virtual table&rdquo; in osquery terminology. Osquery has hundreds of these virtual tables, many of which work across platforms. To see them all, check out <a href="https://osquery.io/schema">osquery&rsquo;s schema documentation</a>.</p> <p>To download osquery on your device, simply <a href="https://osquery.io/downloads">visit the official website</a> and find the right package for your platform.</p> <p>This article focuses on a special virtual table called <code>mdfind</code>. 
This virtual table (named after the CLI utility <code>mdfind</code>) allows us to use Spotlight to locate files on a Mac that meet our search criteria.</p> <h2 id="the-mdfind-virtual-table">The mdfind virtual table</h2> <p>Prior to mdfind&rsquo;s inclusion in osquery, searching for files across the file system with the <code>file</code> table, when their location was unknown, required a great deal of recursion, and was best avoided to prevent undue strain on the device being queried.</p> <p>You can read more about the <code>file</code> table in my previous blog post: <a href="https://blog.1password.com/the-file-table-osquerys-secret-weapon/">The File Table: Osquery&rsquo;s Secret Weapon</a>.</p> <p><em>Enter macOS Spotlight, and the mdfind table!</em></p> <p>macOS Spotlight (mdfind) is like a lightweight <code>grep</code> without the <code>p</code>. The best part is, because it&rsquo;s built around an index, it&rsquo;s insanely fast and well suited to locating files where the precise location or name is unknown.</p> <p>The <code>mdfind</code> virtual table was born first as a custom osquery Go table written by Victor Vrantchan (groob) and later added (v3.2.6) to the core osquery open-source project by Facebook developer Mitchell Grenier (<a href="https://github.com/obelisk">obelisk</a>).</p> <p>Unlike most osquery virtual tables, where querying is straightforward if you are familiar with SQL, <code>mdfind</code> requires some Apple developer-level knowledge of Spotlight&rsquo;s own unique query language. You should think of <code>mdfind</code> as a pass-through that allows you to access the raw power of Spotlight from osquery.</p> <h2 id="what-can-mdfind-find">What can mdfind find?</h2> <p>Spotlight indexes an absolutely incredible breadth of data across your file system. 
There are over <a href="https://developer.apple.com/library/archive/documentation/CoreServices/Reference/MetadataAttributesRef/Reference/CommonAttrs.html">125 published metadata attributes</a> that Spotlight is capable of indexing and which you can search by. However, most systems actually have closer to double that number, and third-party applications can add even more via custom attributes. You can check to see what metadata attributes are present on your own device by running the following command in the terminal:</p> <pre tabindex="0"><code>mdimport -A
</code></pre> <img src="https://blog.1password.com/posts/2024/how-to-spotlight-search-across-every-mac-with-osquery/terminal.png" alt="A screenshot of what the terminal will look like after this command." title="A screenshot of what the terminal will look like after this command." class="c-featured-image"/> <p>The naming schema is straightforward, and all attributes are prefixed with <code>kMDItem</code>:</p> <pre tabindex="0"><code>k    - (Hungarian Notation for constant, used by Apple since Pascal)
MD   - (metadata)
Item
AttributeName
</code></pre><p>The standard stuff is all there, of course:</p> <ul> <li> <p>File Name (<code>kMDItemFSName</code>)</p> </li> <li> <p>File Size (<code>kMDItemFSSize</code>)</p> </li> <li> <p>File Creation Date (<code>kMDItemFSCreationDate</code>)</p> </li> </ul> <p>Spotlight also gives you access to metadata that you may not realize even exists across your files, including:</p> <ul> <li> <p>Downloaded File Source (<code>kMDItemWhereFroms</code>)</p> </li> <li> <p>File EXIF Altitude in meters above sea level (<code>kMDItemAltitude</code>)</p> </li> <li> <p>PDF Password Security Method (<code>kMDItemSecurityMethod</code>)</p> </li> </ul> <p>While some of these are useful (and others just strange), they still require some basic level of knowledge about the files themselves. What if you&rsquo;re just looking for files of any type that contain specific phrases or confidential information? 
This is where Spotlight really shines (pun intended). This is accessed through the attribute&hellip;</p> <ul> <li>File Text Contents (<code>kMDItemTextContent</code>)</li> </ul> <p>Spotlight can index the text contents of ASCII plain-text files, PDFs, Messages, emails, text files, CSVs, Python files, shell scripts, JSON, and other compatible formats. They just have to be within an indexable location.</p> <p>That&rsquo;s right, it&rsquo;s pretty much the bee&rsquo;s knees! Let&rsquo;s discuss some practical applications of that utility.</p> <h2 id="using-mdfind-to-prevent-a-data-breach">Using mdfind to prevent a data breach</h2> <p>Unlike other types of devastating cybersecurity incidents that involve advanced threat actors and malware, most data breaches for SaaS companies can be attributed to innocuous events. For example, a well-intentioned software engineer troubleshoots a customer issue, and then simply forgets to delete a production database backup on their device afterwards.</p> <p>Once a production database backup is on a device, forgetting to encrypt that device and leaving it in the back of a cab is all it takes for a simple oversight to turn into a disastrous headline.</p> <img src="https://blog.1password.com/posts/2024/how-to-spotlight-search-across-every-mac-with-osquery/leaked-personal-info.png" alt="A screenshot of a data breach news story." title="A screenshot of a data breach news story." class="c-featured-image"/> <p>So, let&rsquo;s say you were afraid your engineers had unintentionally left a copy of your production database on their laptop. How would we find it? For this example, I will be using 1Password Device Trust&rsquo;s Live Query feature to run a search across a few of our own devices. You could use <code>osqueryi</code> to test these queries yourself, but it&rsquo;s worth mentioning that we already have this set up as a check template called &ldquo;Sensitive Files&rdquo; in 1Password Device Trust. 
If you want a simple osquery solution to deploy across your fleet, we&rsquo;ve got your back.</p> <p>For now, I have created a mock production db dump on my device to illustrate the process, located at:</p> <pre tabindex="0"><code>/Users/fritz-imac/dev/pg/backups/backup_2018-07-11T06-57-36Z </code></pre><p><strong>👀 Let&rsquo;s see if we can find it!</strong></p> <p><em>For the purposes of this post I am going to assume little experience in writing osquery SQL queries, and share a couple useful tips along the way. If you want to skip ahead to the finished query, feel free to jump ahead to the final attempt.</em></p> <h3 id="attempt-1--a-basic-mdfind-query-single-condition-zero-complexity">Attempt 1 — A basic mdfind query: Single condition, zero complexity</h3> <p>The most basic approach would be to search for any file containing the string <code>'backup'</code>. All mdfind queries have the same basic building blocks, and they are all joined on a table that contains a <code>path</code> column, most typically the <code>file</code> table.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-sql" data-lang="sql"><span class="k">SELECT</span><span class="w"> </span><span class="n">f</span><span class="p">.</span><span class="n">path</span><span class="w"> </span><span class="k">FROM</span><span class="w"> </span><span class="n">file</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="n">f</span><span class="w"> </span><span class="k">JOIN</span><span class="w"> </span><span class="n">mdfind</span><span class="w"> </span><span class="k">ON</span><span class="w"> </span><span class="n">mdfind</span><span class="p">.</span><span class="n">path</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">f</span><span class="p">.</span><span class="n">path</span><span class="w"> </span></code></pre></div><p>This segment tells osquery to join <code>file</code> against 
<code>mdfind</code> on <code>path</code> and to return the <code>file.path</code>.</p> <p>Next, we need to provide the <code>mdfind.query</code> component. This will be the method we use to search the device for the desired files and pass the appropriate <code>path</code> to the joined <code>file</code> table.</p> <p>Our condition is represented here as:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-sql" data-lang="sql"><span class="k">AND</span><span class="w"> </span><span class="n">mdfind</span><span class="p">.</span><span class="n">query</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&#34;kMDItemFSName == &#39;*backup*&#39;&#34;</span><span class="w"> </span></code></pre></div><p>In it, we are telling the mdfind API to look for any files whose filename contains the partial string <code>'*backup*'</code> with the <code>*</code> characters representing wildcards which would allow us to match things like: <code>01-02-22-backup.zip</code> or <code>fritzsbackupfile.gzip</code></p> <p>It&rsquo;s important to note that the <code>mdfind.query</code> must be made within double quotations; individual operator comparison strings such as &lsquo;backup&rsquo; must be within single quotes.</p> <p>This gives us a complete and valid mdfind osquery query:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-sql" data-lang="sql"><span class="k">SELECT</span><span class="w"> </span><span class="w"> </span><span class="n">f</span><span class="p">.</span><span class="n">path</span><span class="w"> </span><span class="w"></span><span class="k">FROM</span><span class="w"> </span><span class="n">file</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="n">f</span><span class="w"> </span><span class="w"></span><span class="k">JOIN</span><span class="w"> </span><span class="n">mdfind</span><span class="w"> </span><span 
class="k">ON</span><span class="w"> </span><span class="n">mdfind</span><span class="p">.</span><span class="n">path</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">f</span><span class="p">.</span><span class="n">path</span><span class="w"> </span><span class="w"> </span><span class="k">AND</span><span class="w"> </span><span class="n">mdfind</span><span class="p">.</span><span class="n">query</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&#34;kMDItemFSName == &#39;*backup*&#39;&#34;</span><span class="w"> </span></code></pre></div><p>Let&rsquo;s give it a try now to see what is returned:</p> <img src="https://blog.1password.com/posts/2024/how-to-spotlight-search-across-every-mac-with-osquery/running-and-seeing-what-happens.png" alt="A screenshot of mdfind results." title="A screenshot of mdfind results." class="c-featured-image"/> <p>Attempt 1 - <code>2016 Results</code></p> <p><em>Oof!</em></p> <p>With only 9 Devices Targeted, it&rsquo;s going to take a fair bit of sifting to find our needle in the haystack. 
You can imagine how much larger the result set becomes when you are querying thousands of machines.</p> <p>Furthermore, because the only item returned by mdfind is the path, we need to ask the <code>file</code> table to return some more relevant information in our results:</p> <p><em>&ldquo;Tell me more, tell me more&rdquo;</em></p> <h3 id="attempt-2--two-conditions-and-boolean-logic">Attempt 2 — Two conditions and boolean logic</h3> <p>In order to expedite our ability to parse these results, let&rsquo;s return some additional metadata such as:</p> <ul> <li> <p>file size: <code>f.size</code></p> </li> <li> <p>creation time: <code>f.btime</code></p> </li> <li> <p>last modified time: <code>f.mtime</code></p> </li> </ul> <p>Additionally, we will use the <code>datetime</code> function to return time in the standard ISO-8601 format, and we will use the <code>ROUND</code> function on <code>f.size</code> so that it returns in MB instead of bytes.</p> <p>Alright, now that we have some data about the files that we can quickly scan by eye, let&rsquo;s add some more conditional logic.</p> <p>As we discussed earlier, Spotlight has a truly wild feature, which is the ability to search an item&rsquo;s text content (across a pretty wide array of file types, including .pdf, .olm, .py, etc.).</p> <p>We can run our search against a file&rsquo;s contents by calling the <code>kMDItemTextContent</code> metadata attribute in our query:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-sql" data-lang="sql"><span class="p">...</span><span class="k">AND</span><span class="w"> </span><span class="n">mdfind</span><span class="p">.</span><span class="n">query</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&#34;kMDItemTextContent == &#39;foo&#39;&#34;</span><span class="w"> </span></code></pre></div><p>We need to think like a production database backup, and consider what strings would give a strong signal-to-noise ratio for 
filtering down results. For instance, we might look for a <code>CREATE TABLE</code> statement that would indicate the presence of a standard SQL DB.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-sql" data-lang="sql"><span class="k">SELECT</span><span class="w"> </span><span class="w"> </span><span class="n">f</span><span class="p">.</span><span class="n">path</span><span class="p">,</span><span class="w"> </span><span class="w"> </span><span class="n">f</span><span class="p">.</span><span class="k">size</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="n">size_bytes</span><span class="p">,</span><span class="w"> </span><span class="w"> </span><span class="n">ROUND</span><span class="p">((</span><span class="n">f</span><span class="p">.</span><span class="k">size</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="mi">10</span><span class="n">e</span><span class="o">-</span><span class="mi">7</span><span class="p">),</span><span class="mi">2</span><span class="p">)</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="n">size_megabytes</span><span class="p">,</span><span class="w"> </span><span class="w"> </span><span class="n">f</span><span class="p">.</span><span class="n">btime</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="n">file_created_epoch</span><span class="p">,</span><span class="w"> </span><span class="w"> </span><span class="n">datetime</span><span class="p">(</span><span class="n">f</span><span class="p">.</span><span class="n">btime</span><span class="p">,</span><span class="w"> </span><span class="s2">&#34;unixepoch&#34;</span><span class="p">)</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="n">file_created</span><span class="w"> </span><span class="w"></span><span class="k">FROM</span><span class="w"> 
</span><span class="n">file</span><span class="w"> </span><span class="n">f</span><span class="w"> </span><span class="w"></span><span class="k">JOIN</span><span class="w"> </span><span class="n">mdfind</span><span class="w"> </span><span class="k">ON</span><span class="w"> </span><span class="n">mdfind</span><span class="p">.</span><span class="n">path</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">f</span><span class="p">.</span><span class="n">path</span><span class="w"> </span><span class="w"> </span><span class="k">AND</span><span class="w"> </span><span class="n">mdfind</span><span class="p">.</span><span class="n">query</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="w"></span><span class="s2">&#34;kMDItemFSName == &#39;*backup*&#39; &amp;&amp; kMDItemTextContent == &#39;CREATE TABLE&#39;&#34;</span><span class="w"> </span></code></pre></div> <img src="https://blog.1password.com/posts/2024/how-to-spotlight-search-across-every-mac-with-osquery/search-for-backups-see-file.png" alt="A screenshot of mdfind results." title="A screenshot of mdfind results." class="c-featured-image"/> <p>Attempt 2 - <code>9 Results</code></p> <p>🔔 Ding, ding, ding! 🔔 - I see our file!</p> <p>But we can do better!!</p> <h3 id="attempt-3--filtering-down-results">Attempt 3 — Filtering down results</h3> <p>As you might have seen in our results set, there is an additional component we could be scoping our query with. Any uncompressed DB backup will likely range in size from hundreds of MB to hundreds of GB. Therefore, we can add a condition to our query to filter out any results that are below a certain threshold in size. 
For our example, we will ignore any file that is less than 100 MB.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-sql" data-lang="sql"><span class="k">SELECT</span><span class="w"> </span><span class="w"> </span><span class="n">f</span><span class="p">.</span><span class="n">path</span><span class="p">,</span><span class="w"> </span><span class="w"> </span><span class="n">f</span><span class="p">.</span><span class="k">size</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="n">size_bytes</span><span class="p">,</span><span class="w"> </span><span class="w"> </span><span class="n">ROUND</span><span class="p">((</span><span class="n">f</span><span class="p">.</span><span class="k">size</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="mi">10</span><span class="n">e</span><span class="o">-</span><span class="mi">7</span><span class="p">),</span><span class="mi">2</span><span class="p">)</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="n">size_megabytes</span><span class="p">,</span><span class="w"> </span><span class="w"> </span><span class="n">f</span><span class="p">.</span><span class="n">btime</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="n">file_created_epoch</span><span class="p">,</span><span class="w"> </span><span class="w"> </span><span class="n">datetime</span><span class="p">(</span><span class="n">f</span><span class="p">.</span><span class="n">btime</span><span class="p">,</span><span class="w"> </span><span class="s2">&#34;unixepoch&#34;</span><span class="p">)</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="n">file_created</span><span class="w"> </span><span class="w"></span><span class="k">FROM</span><span class="w"> </span><span class="n">file</span><span class="w"> </span><span class="n">f</span><span 
class="w"> </span><span class="w"></span><span class="k">JOIN</span><span class="w"> </span><span class="n">mdfind</span><span class="w"> </span><span class="k">ON</span><span class="w"> </span><span class="n">mdfind</span><span class="p">.</span><span class="n">path</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">f</span><span class="p">.</span><span class="n">path</span><span class="w"> </span><span class="w"> </span><span class="k">AND</span><span class="w"> </span><span class="n">mdfind</span><span class="p">.</span><span class="n">query</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="w"></span><span class="s2">&#34;kMDItemFSName == &#39;*backup*&#39; &amp;&amp; kMDItemTextContent == &#39;CREATE TABLE&#39;&#34;</span><span class="w"> </span><span class="w"> </span><span class="k">AND</span><span class="w"> </span><span class="n">size_megabytes</span><span class="w"> </span><span class="o">&gt;</span><span class="w"> </span><span class="mi">100</span><span class="w"> </span></code></pre></div> <img src="https://blog.1password.com/posts/2024/how-to-spotlight-search-across-every-mac-with-osquery/nine-out-of-nine-devices.png" alt="A screenshot of mdfind results." title="A screenshot of mdfind results." class="c-featured-image"/> <p>Attempt 3 - <code>1 Result</code></p> <p>We did it! Using three clauses, we&rsquo;ve isolated our test file!</p> <h3 id="attempt-4--but-wait-theres-more">Attempt 4 — But wait there&rsquo;s more&hellip;</h3> <p>What if I told you there was another identical backup file without such a convenient naming schema located on the device? Well, we are going to miss it with that <code>kMDItemFSName</code> condition. Let&rsquo;s try killing that condition and seeing what happens&hellip;</p> <img src="https://blog.1password.com/posts/2024/how-to-spotlight-search-across-every-mac-with-osquery/results.png" alt="A screenshot of mdfind results." 
title="A screenshot of mdfind results." class="c-featured-image"/> <p>🥜 Nuts! — Some false positives in there!</p> <p>But I can see our other file. Let&rsquo;s see if we can filter it down by further refining the kMDItemTextContent argument with some knowledge of the database we&rsquo;re looking for.</p> <p>I happen to know our production database should have a table called alerts, so let&rsquo;s change the string to CREATE TABLE alerts:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-sql" data-lang="sql"><span class="k">SELECT</span><span class="w"> </span><span class="w"> </span><span class="n">f</span><span class="p">.</span><span class="n">path</span><span class="p">,</span><span class="w"> </span><span class="w"> </span><span class="n">f</span><span class="p">.</span><span class="k">size</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="n">size_bytes</span><span class="p">,</span><span class="w"> </span><span class="w"> </span><span class="n">ROUND</span><span class="p">((</span><span class="n">f</span><span class="p">.</span><span class="k">size</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="mi">10</span><span class="n">e</span><span class="o">-</span><span class="mi">7</span><span class="p">),</span><span class="mi">2</span><span class="p">)</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="n">size_megabytes</span><span class="p">,</span><span class="w"> </span><span class="w"> </span><span class="n">f</span><span class="p">.</span><span class="n">btime</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="n">file_created_epoch</span><span class="p">,</span><span class="w"> </span><span class="w"> </span><span class="n">datetime</span><span class="p">(</span><span class="n">f</span><span class="p">.</span><span class="n">btime</span><span class="p">,</span><span 
class="w"> </span><span class="s2">&#34;unixepoch&#34;</span><span class="p">)</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="n">file_created</span><span class="w"> </span><span class="w"></span><span class="k">FROM</span><span class="w"> </span><span class="n">file</span><span class="w"> </span><span class="n">f</span><span class="w"> </span><span class="w"></span><span class="k">JOIN</span><span class="w"> </span><span class="n">mdfind</span><span class="w"> </span><span class="k">ON</span><span class="w"> </span><span class="n">mdfind</span><span class="p">.</span><span class="n">path</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">f</span><span class="p">.</span><span class="n">path</span><span class="w"> </span><span class="w"> </span><span class="k">AND</span><span class="w"> </span><span class="n">mdfind</span><span class="p">.</span><span class="n">query</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="w"></span><span class="s2">&#34;kMDItemFSName == &#39;*backup*&#39; &amp;&amp; kMDItemTextContent == &#39;CREATE TABLE alerts&#39;&#34;</span><span class="w"> </span><span class="w"> </span><span class="k">AND</span><span class="w"> </span><span class="n">size_megabytes</span><span class="w"> </span><span class="o">&gt;</span><span class="w"> </span><span class="mi">100</span><span class="w"> </span></code></pre></div> <img src="https://blog.1password.com/posts/2024/how-to-spotlight-search-across-every-mac-with-osquery/searching-for-backups-two-results.png" alt="A screenshot of mdfind results." title="A screenshot of mdfind results." 
class="c-featured-image"/> <p>Attempt 4 - <code>2 Results</code></p> <p>Boom goes the dynamite!</p> <p>We have found our db backups, and can now reach out to the responsible end-user and ask that they delete the unused file.</p> <p>Hopefully this iterative example will give you some inspiration into how you might leverage the <code>mdfind</code> table to locate and prevent unintentional catastrophic data breaches. And of course, just to reiterate&hellip;1Password Device Trust does have templates that will let you make these checks a little more easily.</p> <p>In the next section, we will discuss some of the basic syntax that you can use within the <code>mdfind.query</code> column.</p> <h2 id="mdfind-query-syntax-tips">mdfind query syntax tips</h2> <p><a href="https://developer.apple.com/library/archive/documentation/Carbon/Conceptual/SpotlightQuery/Concepts/QueryFormat.html">Apple Support Documentation: File Metadata Query Expression Syntax</a></p> <p>Comparisons use the following operators:</p> <p><code>==</code> equals</p> <p><code>!=</code> not equal</p> <p><code>&lt;</code> less than</p> <p><code>&gt;</code> greater than</p> <p><code>&lt;=</code> less than or equal to</p> <p><code>&gt;=</code> greater than or equal to</p> <p><code>c</code> makes the string match case-insensitive</p> <pre tabindex="0"><code>...mdfind.query = &quot;kMDItemFSName = '*FoO'c&quot; </code></pre><p><code>d</code> ignores diacritical marks (such as à, ê, ñ, ß, etc.)</p> <pre tabindex="0"><code>...mdfind.query = &quot;kMDItemFSName = '*föo'd&quot; </code></pre><p><code>*</code> Wildcard lets you search for partial matches on either side of a string</p> <pre tabindex="0"><code>...mdfind.query = &quot;kMDItemFSName = '*foo'&quot; </code></pre><p><code>&amp;&amp;</code> AND condition</p> <pre tabindex="0"><code>...mdfind.query = &quot;kMDItemFSName = 'foo' &amp;&amp; kMDItemTextContent = 'bar'&quot; </code></pre><p><code>||</code> OR condition</p> <pre tabindex="0"><code>...mdfind.query = &quot;kMDItemFSName = 'foo' || kMDItemFSName = 'bar'&quot; </code></pre><p><code>(</code> &amp; <code>)</code> Use parentheses to group conditions:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-sql" data-lang="sql"><span class="p">...</span><span class="n">mdfind</span><span class="p">.</span><span class="n">query</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&#34;(kMDItemFSName = &#39;foo&#39; || kMDItemFSName = &#39;bar&#39;) &amp;&amp; (kMDItemTextContent = &#39;paris&#39; || kMDItemTextContent = &#39;france&#39;)&#34;</span><span class="w"> </span></code></pre></div><p><code>$time.</code> Time keywords let you constrain on dates, for instance to files created within a range: <code>$time.now, $time.today, $time.yesterday, $time.this_week, $time.this_month, $time.this_year</code>, plus <code>$time.iso(...)</code> for an explicit ISO-8601 timestamp.</p> <p>Each keyword accepts an optional number in parentheses that is added to the base time, measured in the unit that keyword counts in: <code>now</code> counts in seconds, <code>today</code> in days, <code>this_week</code> in weeks, and so on. A negative number looks backwards.</p> <p>Let&rsquo;s modify the <code>$time.now</code> example to search for files created in the last hour.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-sql" data-lang="sql"><span class="p">...</span><span class="n">mdfind</span><span class="p">.</span><span class="n">query</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&#34;kMDItemFSCreationDate &gt;= $time.now(-3600)&#34;</span><span class="w"> </span></code></pre></div><p><em>&ldquo;Wow! This mdfind thing can do it all! 
There&rsquo;s no stopping me!&quot;</em></p> <p>🐯 Easy tiger&hellip;there are a couple of gotchas that you have to look out for when using mdfind with osquery!</p> <h2 id="caveats-to-the-mdfind-osquery-table">Caveats to the mdfind Osquery Table:</h2> <h3 id="spotlight-can-only-give-you-the-paths-of-matching-files">Spotlight can only give you the paths of matching files</h3> <p><em>&ldquo;There&rsquo;s no p in this gre&rdquo;</em></p> <p>While the contents of files can be read by mdfind, they cannot be printed (output) as part of the results set.</p> <p>This is an intentional feature on the part of the osquery team. This limitation keeps the mdfind table within the scope of osquery&rsquo;s privacy-minded development.</p> <p><em>&ldquo;It&rsquo;s kind of like playing 20 questions&rdquo;</em></p> <p>You cannot print the surrounding strings that match within a file when querying <code>kMDItemTextContent</code>, or examine the file by arbitrarily reading it in osquery. Therefore, you must construct your query very intentionally in order to avoid false positives.</p> <p>Remember our earlier example. If you wanted to look for downloaded copies of your production database across your infrastructure, you could not simply search for the string <code>CREATE TABLE</code> because it would net too many false positives. Instead, you would want to specify a string that would be found only in a real db backup, and strengthen your argument by adding exclusionary criteria such as scoping to file size.</p> <h3 id="no-regular-expressions">No regular expressions</h3> <p>Regular expressions. I want them. You want them. 
Sadly, none of us can have them.</p> <p>As useful as regex would be, it is currently unsupported by Spotlight and Apple has shown no sign of intending to add regex functionality ever.</p> <p>This means, no matter how cool it would be, you can&rsquo;t run a query like the following within mdfind to search for plain-text files containing credit card numbers (there is no <code>-regex</code> option; it is shown only to make the point):</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-sql" data-lang="sql"><span class="p">...</span><span class="k">AND</span><span class="w"> </span><span class="n">mdfind</span><span class="p">.</span><span class="n">query</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&#34;-regex &#39;^(?:4[0-9]{12}(?:[0-9]{3})?|5[1-5][0-9]{14}|3[47][0-9]{13})$&#39;&#34;</span><span class="w"> </span></code></pre></div><p>You have to get more creative when it comes to finding things like files containing credit cards or social security numbers. The easiest way is typically looking for files with strings like <code>cvv</code> or <code>ssn</code>, but those may produce large quantities of false positives.</p> <p>Another approach is including canary fingerprint values in your db backups, which you can use to key off of (eg. <em>a fake credit card # of a known value that always belongs to a fake user</em>). A canary only helps if it survives into every export, so seed it in the production table itself rather than adding it to the dump afterwards.</p> <h3 id="mdfind-only-indexes-some-of-your-files">mdfind only indexes some of your files</h3> <p>Because the intended usage of Spotlight is to quickly locate relevant user actionable items (apps, system preferences, files), Spotlight does not index hidden folders or files by default. While Spotlight can be pointed at additional directories, Apple prevents system files and hidden directories from being indexed. 
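</p> <p>Where you need those hidden files anyway, osquery&rsquo;s own <code>file</code> table walks the filesystem itself rather than consulting the Spotlight index, so a <code>LIKE</code> pattern against it finds what <code>mdfind</code> never will. The query below is an added example and not part of the original post: it lists SSH and cloud credential files and repository configs under home directories and joins the <code>users</code> table to name the owner, the responsible end-user of the backup example. It assumes osqueryd runs as root so every home directory is readable, and that <code>~/.ssh</code>, <code>~/.aws/credentials</code> and clones one directory below home are the places to look; the patterns are illustrative, not a complete list.</p>

```sql
-- Added example, not code from the original post. Spotlight skips dotfiles
-- and hidden directories, so this asks osquery's file table instead: it
-- walks the directory tree itself and needs no index. In the file table a
-- single % matches within one path component (%% would recurse), so one
-- pattern is needed per clone depth. Assumptions: osqueryd runs as root
-- (so every home directory is readable) and these conventional locations
-- are the ones you care about; extend the list for your environment.
WITH hidden AS (
  SELECT path, size, mtime, mode, uid, type
    FROM file WHERE path LIKE '/Users/%/.ssh/%'             -- keys, config, known_hosts
  UNION ALL
  SELECT path, size, mtime, mode, uid, type
    FROM file WHERE path LIKE '/Users/%/.aws/credentials'   -- long-lived cloud keys
  UNION ALL
  SELECT path, size, mtime, mode, uid, type
    FROM file WHERE path LIKE '/Users/%/%/.git/config'      -- repos cloned into ~/somedir/
)
SELECT
  h.path,
  h.size                          AS size_bytes,
  datetime(h.mtime, 'unixepoch')  AS last_modified,
  h.mode,                                   -- '0644' etc.; a last digit other than 0 is world-readable
  COALESCE(u.username, h.uid)     AS owner  -- who to contact, as in the backup example
FROM hidden h
LEFT JOIN users u ON u.uid = h.uid
WHERE h.type = 'regular'
  AND h.path NOT LIKE '%.pub'               -- public halves of key pairs are not sensitive
ORDER BY owner, h.path;
```

<p>The trade-off is that the <code>file</code> table sees names and metadata only: there is no <code>kMDItemTextContent</code> equivalent, so content questions still have to go through <code>mdfind</code>. Because the path filter is ordinary SQL, directories whose names contain spaces need nothing more than the usual quoted string literal, which sidesteps the <code>-onlyin</code> quoting problem described further down.</p> <p>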
This means you cannot run the following query to find all of your locally cloned repositories:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-sql" data-lang="sql"><span class="p">...</span><span class="k">AND</span><span class="w"> </span><span class="n">mdfind</span><span class="p">.</span><span class="n">query</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&#34;kMDItemFSName = &#39;.git&#39;&#34;</span><span class="w"> </span></code></pre></div><p>This also means you should forget about searching your <code>.ssh</code> folders or any items located within hidden folders (those whose names begin with the &ldquo;<code>.</code>&rdquo; character).</p> <h3 id="macos-spotlight-must-not-be-disabled">macOS Spotlight must not be disabled</h3> <p>It should go without saying that you cannot use the mdfind table on any operating system other than macOS.</p> <p>I would love to see someone take on the challenge of developing a similar table for Windows (the Linux space has too many options to choose only one), but for the moment we just have to satisfy ourselves with querying solely the Macs in our fleet via this method.</p> <p>Furthermore, due to indexing performance issues in earlier iterations of OS X, there are still those (<em>grumpy developers</em>) who disable Spotlight indexing on their system, which leaves the mdfind table with nothing to return for that device.</p> <p>Users can also exclude directories from being indexed, and globally limit what types of files are imported on their system.</p> <img src="https://blog.1password.com/posts/2024/how-to-spotlight-search-across-every-mac-with-osquery/spotlight-privacy-settings.png" alt="A screenshot of the Spotlight Search privacy settings." title="A screenshot of the Spotlight Search privacy settings." 
class="c-featured-image"/> <p>To output any user-specified excluded directories, you can run the following query (the plist lives in a root-only directory, so this works from osqueryd running as root, not from an unprivileged <code>osqueryi</code> session):</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-sql" data-lang="sql"><span class="k">SELECT</span><span class="w"> </span><span class="w"> </span><span class="n">value</span><span class="w"> </span><span class="w"></span><span class="k">FROM</span><span class="w"> </span><span class="n">plist</span><span class="w"> </span><span class="w"></span><span class="k">WHERE</span><span class="w"> </span><span class="n">path</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s1">&#39;/.Spotlight-V100/VolumeConfiguration.plist&#39;</span><span class="w"> </span><span class="w"> </span><span class="k">AND</span><span class="w"> </span><span class="k">key</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s1">&#39;Exclusions&#39;</span><span class="w"> </span><span class="w"> </span><span class="k">AND</span><span class="w"> </span><span class="n">value</span><span class="w"> </span><span class="k">IS</span><span class="w"> </span><span class="k">NOT</span><span class="w"> </span><span class="k">NULL</span><span class="w"> </span><span class="w"> </span><span class="k">AND</span><span class="w"> </span><span class="n">value</span><span class="w"> </span><span class="o">!=</span><span class="w"> </span><span class="s1">&#39;&#39;</span><span class="w"> </span></code></pre></div> <img src="https://blog.1password.com/posts/2024/how-to-spotlight-search-across-every-mac-with-osquery/check-for-spotlight-exclusions.png" alt="A screenshot of the check for Spotlight exclusions." title="A screenshot of the check for Spotlight exclusions." class="c-featured-image"/> <p>Categories of files can also be excluded irrespective of their parent directory. 
For instance, some folks don&rsquo;t love Spotlight indexing their Mail.app, Outlook.app or Messages.app conversation and email history. As a result, querying for these files will often not return results.</p> <img src="https://blog.1password.com/posts/2024/how-to-spotlight-search-across-every-mac-with-osquery/spotlight-preferences.png" alt="A screenshot of the Spotlight Search preferences." title="A screenshot of the Spotlight Search preferences." class="c-featured-image"/> <p>To output the Spotlight preferences of a user, you can run the following query against their device. Unfortunately, because of how osquery flattens nested plist keys, the returned XML will have to be read by a person rather than checked procedurally.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-sql" data-lang="sql"><span class="k">SELECT</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="w"></span><span class="k">FROM</span><span class="w"> </span><span class="n">plist</span><span class="w"> </span><span class="w"></span><span class="k">WHERE</span><span class="w"> </span><span class="n">path</span><span class="w"> </span><span class="k">LIKE</span><span class="w"> </span><span class="s1">&#39;/Users/%/Library/Preferences/com.apple.Spotlight.plist&#39;</span><span class="p">;</span><span class="w"> </span></code></pre></div><h3 id="easy-mode-isnt-always-so-easy">Easy mode isn&rsquo;t always so easy</h3> <p>The mdfind table can be queried in one of two ways: <em>explicitly</em>, wherein you specify the <code>kMDItem</code> attributes and their desired criteria, or <em>implicitly</em>, wherein you simply provide a plain string of text like a user would in the Spotlight Search bar.</p> <p>I didn&rsquo;t discuss the implicit method earlier, because it is my firm belief that it doesn&rsquo;t work as well and results in too many false-positives. 
But I will demonstrate it here for the sake of being comprehensive.</p> <p>Query for any file that contains <code>foo</code>:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-sql" data-lang="sql"><span class="p">...</span><span class="k">AND</span><span class="w"> </span><span class="n">mdfind</span><span class="p">.</span><span class="n">query</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&#34;foo&#34;</span><span class="w"> </span></code></pre></div><p>Query for any file that contains BOTH <code>foo</code> and <code>bar</code> *</p> <p><em>*By default, all space delimited strings are treated as AND&rsquo;ed conditions when simple querying Spotlight</em></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-sql" data-lang="sql"><span class="p">...</span><span class="k">AND</span><span class="w"> </span><span class="n">mdfind</span><span class="p">.</span><span class="n">query</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&#34;foo bar&#34;</span><span class="w"> </span></code></pre></div><p>Query for any file that contains <code>foo</code> but NOT <code>bar</code></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-sql" data-lang="sql"><span class="p">...</span><span class="k">AND</span><span class="w"> </span><span class="n">mdfind</span><span class="p">.</span><span class="n">query</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&#34;foo(-bar)&#34;</span><span class="w"> </span></code></pre></div><h3 id="use-the-metadata-attributes-that-work">Use the metadata attributes that work</h3> <p>While using Spotlight in the UI of macOS allows intelligent full-text search across available attributes, the mdfind table in osquery is much more useful if you specify the attributes you wish to search and the criteria you want to match: (eg. 
<code>kMDItemFSName, kMDItemTextContent,</code> etc.)</p> <p>Because you need to know your metadata attributes by name, it helps to keep a cheat-sheet <a href="https://developer.apple.com/library/archive/documentation/CoreServices/Reference/MetadataAttributesRef/Reference/CommonAttrs.html#//apple_ref/doc/uid/TP40001694-SW1">like this one</a> handy so that you can find what you are looking for.</p> <p>In general, however, the most useful items I have found are:</p> <p><strong>1. <code>kMDItemFSName</code></strong></p> <p>Great for finding files of a certain extension type.</p> <pre tabindex="0"><code>...AND mdfind.query = &quot;kMDItemFSName == '*.pdf'&quot; </code></pre><p><strong>2. <code>kMDItemTextContent</code></strong></p> <p>Similar to our article&rsquo;s production backup example, great for finding strings inside of compatible documents.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-sql" data-lang="sql"><span class="p">...</span><span class="k">AND</span><span class="w"> </span><span class="n">mdfind</span><span class="p">.</span><span class="n">query</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&#34;kMDItemTextContent == &#39;*ssn,*&#39;&#34;</span><span class="w"> </span></code></pre></div><p><strong>3. 
<code>kMDItemFSCreationDate</code> &amp; <code>kMDItemFSContentChangeDate</code></strong></p> <p>Great for finding any file that was created / modified on, or within a range.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-sql" data-lang="sql"><span class="p">...</span><span class="k">AND</span><span class="w"> </span><span class="n">mdfind</span><span class="p">.</span><span class="n">query</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="w"></span><span class="s2">&#34;( kMDItemFSCreationDate &gt;= $time.iso(2018-08-01T00:00Z) </span><span class="s2"> &amp;&amp; kMDItemFSCreationDate &lt;= $time.iso(2018-08-20T00:00Z)) </span><span class="s2"> &amp;&amp; (kMDItemFSName = &#39;*.csv&#39;)&#34;</span><span class="w"> </span></code></pre></div><h3 id="some-mdfind-operators-do-not-work-as-documented">Some mdfind operators do not work as documented</h3> <p><strong><code>onlyin</code> has only spotty support</strong></p> <p>mdfind has an argument called: <code>-onlyin /path/you/want</code> which would typically constrain the results to only items which are within the specified parent directory (any level of nesting below that parent directory). This argument can be used, but must be formatted accordingly with the string first followed by <code>-onlyin</code>:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-sql" data-lang="sql"><span class="p">...</span><span class="k">AND</span><span class="w"> </span><span class="n">mdfind</span><span class="p">.</span><span class="n">query</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&#34;foo -onlyin /path/you/want/&#34;</span><span class="w"> </span></code></pre></div><p>Because of the way that we are forced to write our query within double quotations, you cannot (to my frustration) constrain to a parent directory with a space in the path. 
Enclosing the path in single quotes does not work, and \ escaping the spaces does not work. If you can figure out a way, I would love to hear about it.</p> <p><strong><code>kMDItemKind</code> is kind of garbage</strong></p> <p>You may be tempted to search for files that are pdfs by typing:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-sql" data-lang="sql"><span class="p">...</span><span class="k">AND</span><span class="w"> </span><span class="n">mdfind</span><span class="p">.</span><span class="n">query</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&#34;kMDItemKind == &#39;pdf&#39;&#34;</span><span class="w"> </span></code></pre></div><p>but DON&rsquo;T!</p> <p><code>kMDItemKind</code> holds the localized, human-readable kind string that Finder displays (for a PDF that is &ldquo;PDF document&rdquo;, and the exact wording depends on the system language and on which application claims the type), so matching it against a bare extension is inconsistent at best and will miss files that it shouldn&rsquo;t.</p> <p>You should instead rely on <code>kMDItemFSName</code> with wildcards, and explicitly name the desired extension, as it is more reliable:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-sql" data-lang="sql"><span class="p">...</span><span class="k">AND</span><span class="w"> </span><span class="n">mdfind</span><span class="p">.</span><span class="n">query</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&#34;kMDItemFSName == &#39;*.pdf&#39;&#34;</span><span class="w"> </span></code></pre></div><p><strong>Chained <code>OR</code> conditions</strong></p> <p><code>mdfind</code> in the terminal supports strings such as: <code>mdfind foo|bar(-baz)</code></p> <p>This would return items that matched <code>foo</code> OR <code>bar</code>, but NOT <code>baz</code>.</p> <p>These pipe <code>|</code> OR conditions cannot be used in osquery when using the simple syntax.</p> <p>In order to <code>OR</code> conditions, you must use explicit <code>kMDItem</code> conditions separated by double pipes: <code>||</code> eg.</p> <div 
class="highlight"><pre tabindex="0" class="chroma"><code class="language-sql" data-lang="sql"><span class="p">...</span><span class="k">AND</span><span class="w"> </span><span class="n">mdfind</span><span class="p">.</span><span class="n">query</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&#34;kMDItemFSName == &#39;foo&#39; || kMDItemFSName == &#39;bar&#39;&#34;</span><span class="w"> </span></code></pre></div><p>And on that note&hellip;</p> <h3 id="maximum-5-or-conditions-for-a-single-metadata-attribute">Maximum 5 OR conditions for a single metadata attribute</h3> <p>Let&rsquo;s say you wanted to find files that contain any of the following strings.</p> <pre tabindex="0"><code>fritz@acme.com jane@acme.com john@acme.com frank@acme.com stella@acme.com joyce@acme.com rupert@acme.com </code></pre><p>You would only be able to specify 5 OR&rsquo;ed conditions using: <code>kMDItemTextContent = 'fritz@acme.com' || kMDItemTextContent = 'jane@...</code></p> <p>With more than 5 conditions, <code>mdfind</code> stops returning results entirely. The limit applies per Spotlight query, not per SQL statement, so if you need more values, split them across several <code>SELECT</code>s against the mdfind table (one <code>mdfind.query</code> each, five values or fewer) and combine the results with <code>UNION ALL</code>.</p> <p>If you feel demoralized regarding the usage of mdfind, I am here to tell you that despite these limitations, mdfind has allowed us to build over one hundred compelling queries for our <a href="https://1password.com/contact-sales/xam">1Password® Extended Access Management</a> customers.</p> <h2 id="wrapping-things-up">Wrapping Things Up</h2> <ul> <li>As you can see, there is a wealth of possibility in the mdfind table for quickly locating files or performing aggregation functions.</li> </ul> <p>And if this article got you excited about the possibilities, more mdfind queries can be found in 1Password Device Trust, powering our Checks feature. 
That&rsquo;s how we keep our customers safe by looking for potential sources of data compromise across their fleets.</p> <p><a href="https://1password.com/kolidescope-newsletter">If you&rsquo;d like more osquery content, and exciting security content in general, sign up for our biweekly newsletter!</a></p></description></item><item><title>Presenting the sensitive data report</title><link>https://blog.1password.com/presenting-the-sensitive-data-report/</link><pubDate>Fri, 18 Oct 2024 00:00:00 +0000</pubDate><author>info@1password.com (Elaine Atwell)</author><guid>https://blog.1password.com/presenting-the-sensitive-data-report/</guid><description> <img src='https://blog.1password.com/posts/2024/presenting-the-sensitive-data-report/header.png' class='webfeedsFeaturedVisual' alt='Presenting the sensitive data report' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">In this blog, we summarize the results of a fall 2022 survey of IT, helpdesk, and security professionals about how their companies protect sensitive data.</p> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div class="c-technical-aside-box__description"> <p>This article pulls heavily from the <a href="https://blog.1password.com/files/presenting-the-sensitive-data-report/Dimensional_Research_Report_Kolide.pdf">Sensitive Data Report</a>, which was originally conducted by Kolide, and as such, uses Kolide&rsquo;s name and branding. Now that the team at Kolide has happily <a href="https://blog.1password.com/1password-acquires-kolide/">joined our team at 1Password</a>, we wanted to share the insights and information from this survey with our audience. 
Rather than edit the report after the fact, we&rsquo;ve left it as-is, in order to preserve the integrity of the information as it was originally gathered.</p> </div> </aside> <p>According to <a href="https://www.forbes.com/sites/karenwalker/2021/10/19/william-crowells-latest-foray-cybersecurity-governance-at-redacted/?sh=e5e44f17c3ac">William Crowell&rsquo;s famous quip</a>, &ldquo;the cybersecurity industry is a thousand points of light and no illumination.&rdquo; And according to our new study, one of the darkest places in the entire field of security may be an employee&rsquo;s downloads folder.</p> <p>In fall 2022, we partnered with Dimensional Research to survey IT, helpdesk, and security professionals about how their companies protect sensitive data – whether that&rsquo;s private customer information, trade secrets, or the keys to the production environment. In particular, we asked what policies and tools they use to govern sensitive data once an employee downloads it onto their device.</p> <p>We found that most companies have neither the appropriate policies to mitigate risk, nor the tools to enforce the policies they have.</p> <p>To read the full report, <a href="https://blog.1password.com/files/presenting-the-sensitive-data-report/Dimensional_Research_Report_Kolide.pdf">go here</a>.</p> <h2 id="the-state-of-sensitive-data">The state of sensitive data</h2> <p>Let&rsquo;s start with some highlights from the report:</p> <ul> <li> <p>Only 46% of companies prohibit employees from downloading sensitive data onto their personal devices.</p> </li> <li> <p>Only 16% set limits on how long sensitive data can reside on an employee device.</p> </li> <li> <p>Only 37% can prevent devices that are in violation of sensitive data policies from further accessing sensitive data.</p> </li> </ul> <p>In other words, at most companies, employees can download sensitive data onto any device, keep it there for any length of time, and experience no consequences.</p> <p>The 
seriousness of this comes into focus once you realize that these downloads happen all the time. The overwhelming majority of companies (83%) admit that their employees download sensitive data.</p> <img src="https://blog.1password.com/posts/2024/presenting-the-sensitive-data-report/1.jpg" alt="A screenshot of data from the sensitive data report." title="A screenshot of data from the sensitive data report." class="c-featured-image"/> <p>This doesn&rsquo;t mean that 83% of companies are dropping the ball; it just means that employees have to download data to do their jobs. Banning that practice would be unfeasible – but doing nothing to manage it is extremely unsafe.</p> <p>The most dangerous type of sensitive data is the type that acts as the &ldquo;keys to the kingdom&rdquo; for a company&rsquo;s systems – granting bad actors access to a company&rsquo;s cloud apps or production environment. Yet only 38% of the professionals we surveyed had a policy against keeping plain-text access credentials on employee devices.</p> <img src="https://blog.1password.com/posts/2024/presenting-the-sensitive-data-report/2.png" alt="A screenshot of data from the sensitive data report." title="A screenshot of data from the sensitive data report." class="c-featured-image"/> <p>Keep in mind that the graph above is only about having policies, not about having the means to enforce them. And even the best-intentioned policies don&rsquo;t work without tools to back them up, since 91% of respondents report that their employees don&rsquo;t comply with all sensitive data policies.</p> <h2 id="the-c-suiteground-floor-divide">The c-suite/ground floor divide</h2> <p>One of this report&rsquo;s most interesting findings is the large disparity in answers between executives and front-line workers. Executives confidently reported that they have policies and tools to manage sensitive data. 
But the people who work with those problems on a daily basis don&rsquo;t share that confidence.</p> <p>For example, look at the range of answers when we asked if their organization had an automated solution to detect how long sensitive data has been on employee devices.</p> <img src="https://blog.1password.com/posts/2024/presenting-the-sensitive-data-report/3.png" alt="A screenshot of data from the sensitive data report." title="A screenshot of data from the sensitive data report." class="c-featured-image"/> <p>Another curious finding was that, while executives have a very high opinion of their tools, they regard their employees with suspicion. When we asked how well employees complied with data policies, 28.6% of managers said their employees &ldquo;feel our policies get in the way of their jobs and don&rsquo;t really try to follow them.&rdquo; Only 4.2% of front-line workers shared that dim view.</p> <img src="https://blog.1password.com/posts/2024/presenting-the-sensitive-data-report/4.png" alt="A screenshot of data from the sensitive data report." title="A screenshot of data from the sensitive data report." class="c-featured-image"/> <p>The data itself doesn&rsquo;t tell us why opinions vary so much depending on where you are in the org chart. However, one explanation might be that executives are there for the sales pitch, in which security companies promise them the world. But front-line workers are the ones who encounter the limitations of those tools. For example, many <a href="https://blog.1password.com/pros-and-cons-of-mdms/">device management solutions</a> claim that they can automatically perform OS updates across a fleet. But in practice, that means they have to force restarts on users. 
It&rsquo;s disruptive and unpopular, so IT teams tend not to go that route, which means the problem remains unsolved, even though executives consider it dealt with.</p> <p>By the same token, executives may be exposed to a &ldquo;scare tactics&rdquo; version of Zero Trust security that treats end users as threats. But the IT and helpdesk teams who work with users daily see them as fallible rather than feckless.</p> <h2 id="device-trust-is-the-missing-piece-of-zero-trust">Device trust is the missing piece of zero trust</h2> <p>The results of our survey are significant and sobering, but they are not intended to be scolding. We recognize that the majority of respondents haven&rsquo;t solved the sensitive data problem because they haven&rsquo;t had the tools to do so.</p> <p><a href="https://blog.1password.com/pros-and-cons-of-mdms/">MDMs have limited capabilities</a> to get devices in a secure state. On the other end of the spectrum, Data Loss Prevention (DLP) tools are too intrusive for most companies – workers are <a href="https://www.eff.org/deeplinks/2020/06/inside-invasive-secretive-bossware-tracking-workers">surveilled rather than educated</a>.</p> <p>1Password is interested in these questions because we see ourselves (specifically, 1Password® Extended Access Management) as the Goldilocks solution to the sensitive data problem.</p> <p><a href="https://blog.1password.com/extended-access-management-okta-guide/">Here&rsquo;s how it works</a>: IT admins use 1Password Extended Access Management to <a href="https://blog.1password.com/write-new-osquery-table/">run queries</a> for specific types of data (as opposed to the invasive method of hoovering it all up), and our agent proactively flags devices that are out of compliance. 
Then, the next time a user logs into their cloud apps, we inform them of the problem and give them instructions to fix it.</p> <p>For example, if an engineer has a debug log in their downloads folder for 60 days, the 1Password Extended Access Management agent will prevent them from logging in until they&rsquo;ve deleted it. It&rsquo;s an approach that gets to the heart of what we learned from the report: that end users are human beings who generally want to do the right thing, but need communication and (sometimes) consequences to achieve it.</p> <p>Without further ado, we&rsquo;ll leave you to the report itself, which contains many more granular and surprising insights.</p> <p>To read the full report, <a href="https://blog.1password.com/files/presenting-the-sensitive-data-report/Dimensional_Research_Report_Kolide.pdf">go here</a>.</p> <p>(Also if you&rsquo;ve read this far, you really should <a href="https://1password.com/kolidescope-newsletter">sign up for our newsletter</a>, because you clearly care about this stuff as much as we do.)</p></description></item><item><title>1Password product enhancements [Fall edition]: Autosave, sharing, getting started, and more</title><link>https://blog.1password.com/product-update-features-and-security-q3-2024/</link><pubDate>Thu, 17 Oct 2024 00:00:00 +0000</pubDate><author>info@1password.com (Matt Grimes and Sebastian Cevallos)</author><guid>https://blog.1password.com/product-update-features-and-security-q3-2024/</guid><description> <img src='https://blog.1password.com/posts/2024/product-update-features-and-security-q3-2024/header.png' class='webfeedsFeaturedVisual' alt='1Password product enhancements [Fall edition]: Autosave, sharing, getting started, and more' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Based on our commitment to making 1Password a helpful, intuitive, and easy-to-use password manager, we’ve focused on enhancing even more key features, all thanks to 
your feedback.</p> <p>In the past few months, we’ve added new features and refined existing ones to make 1Password more secure and user-friendly. From faster logins to a more guided setup, <a href="https://blog.1password.com/product-update-features-and-security/">every change is made with you in mind</a>.</p> <p>Read on for more of what’s new and how these updates can improve your 1Password experience:</p> <h2 id="enhanced-browser-experience">Enhanced browser experience</h2> <p><strong>Unlock 1Password.com using the extension</strong></p> <p>If you’re already signed into the 1Password browser extension and you visit 1Password.com, you’ll be automatically logged in, saving you from typing in your account password again.</p> <p> <video class="round shadow" style="display: block; margin: auto; padding: 0;" autoplay loop playsinline width="100%" controls> <source src="https://blog.1password.com/posts/2024/product-update-features-and-security-q3-2024/03_Unlock%201P%20with%20Extension.mp4" type="video/mp4" /> </video> </p> <p>After we added up all of the time our customers would’ve collectively spent typing in their account password every week, we found this update saves about 2 days' worth of time!</p> <p><strong>Filter vaults in the 1Password browser extension</strong></p> <p>We’ve redesigned the vault and account buttons in the browser extension so it’s easier to find and switch between them.</p> <img src='https://blog.1password.com/posts/2024/product-update-features-and-security-q3-2024/Filter%20vaults%20in%20the%201Password%20browser%20extension.png' alt='A screenshot showing vault selections in the 1Password browser extension.' title='A screenshot showing vault selections in the 1Password browser extension.' 
style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>You can also choose which vaults you want to appear in your 1Password browser extension, so if you have lots of vaults or switch browsers often, you can stay organized.</p> <p><strong>In beta: unlock the Safari browser extension with Touch ID</strong></p> <p>Now in <a href="https://support.1password.com/betas/">beta</a>, you can enable Unlock using Touch ID within the 1Password browser extension&rsquo;s settings in Safari to start unlocking using Touch ID. With our new update, you can quickly unlock your 1Password account to access your logins and other saved items in the Safari extension even faster, instead of relying on 1Password desktop apps to unlock the browser extension.</p> <h2 id="autofill-and-autosave-enhancements">Autofill and autosave enhancements</h2> <p><strong>Autosave for suggested passwords</strong></p> <p>You can see if the generated password meets the website password requirements before saving it. If it doesn’t, you can keep generating a new password until it does. Then, once the account is successfully created on the site, the autosave prompt will appear and you can save it to 1Password as usual.</p> <img src='https://blog.1password.com/posts/2024/product-update-features-and-security-q3-2024/Autosave%20for%20suggested%20passwords.png' alt='A prompt to save a password generated by 1Password.' title='A prompt to save a password generated by 1Password.' 
style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>We’ve also improved 1Password’s ability to recognize smart password requirements in general for hundreds of major websites where you can use this feature.</p> <p><strong>Improved inline filling and saving experience</strong></p> <p>Previously, when you selected the 1Password icon in an inline menu, the dropdown only gave you the option to “Save in 1Password.”</p> <img src='https://blog.1password.com/posts/2024/product-update-features-and-security-q3-2024/Improved%20inline%20filling%20and%20saving%20experience.png' alt='A sign-in field with a drop-down showing options for a password generator, extension settings, and reporting an issue.' title='A sign-in field with a drop-down showing options for a password generator, extension settings, and reporting an issue.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>Now, you can access the password generator, extension settings, and report an issue directly from the autofill menu across any browser extension, making it easy for you to customize your settings or get in touch quickly without going to a different site.</p> <p><strong>Autosave on Android</strong></p> <p>Whenever you enter new credentials or update existing ones in apps or sites, 1Password’s autofill option will automatically prompt you to save this information, streamlining the entire process.</p> <img src='https://blog.1password.com/posts/2024/product-update-features-and-security-q3-2024/Autosave%20on%20Android.png' alt='A prompt to save a username and password in 1Password.' title='A prompt to save a username and password in 1Password.' 
style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p><strong>In labs: Generate and fill formatted content with secure snippets</strong></p> <p>Available in <a href="https://blog.1password.com/labs-experimental-features/">labs</a>, you can fill any text, anywhere you need it – from a signature or link to full paragraphs with rich formatting, styles, and dynamic variables.</p> <img src='https://blog.1password.com/posts/2024/product-update-features-and-security-q3-2024/Generate%20and%20fill%20formatted%20content%20with%20secure%20snippets.png' alt='A screenshot showing an email signature autofilled by 1Password.' title='A screenshot showing an email signature autofilled by 1Password.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>That means you can save your snippets with things like bold and italic font, lists, and even the correct date and time. Plus, anything you create will be just as secure as your other 1Password items.</p> <h2 id="a-more-seamless-experience-on-the-iphone-and-ipad">A more seamless experience on the iPhone and iPad</h2> <p><strong>Better biometrics on iOS</strong></p> <p>Before, every time you wanted to autofill something on an iOS device, the full 1Password lock screen appeared, making you authenticate each time, even if you already had.</p> <img src='https://blog.1password.com/posts/2024/product-update-features-and-security-q3-2024/Better%20biometrics%20on%20iOS.png' alt='A sign-in screen with the Face ID logo.' title='A sign-in screen with the Face ID logo.' 
style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>Now, while still keeping you secure, we’ve reduced the number of times you have to unlock 1Password, so all you have to do is authenticate with Face ID or Touch ID on iOS.</p> <p><strong>In beta: Fill logins anywhere and two-factor authentication (2FA) integration on iOS 18</strong></p> <p>Previously, 1Password’s autofill functionality was limited to specific form fields and certain apps that support 1Password integration. You could fill in logins, credit card info, and addresses in compatible fields, but for non-standard fields or unsupported apps, you had to manually copy and paste information.</p> <p>Additionally, if you <a href="https://support.1password.com/one-time-passwords/">used 1Password as an authenticator</a>, you had to switch between apps and manually copy and paste one-time codes stored in 1Password during the sign-in process.</p> <p>Now in <a href="https://support.1password.com/betas/">beta</a>, we’ve made it possible for you to tap on any input field, access 1Password through the contextual menu, and autofill any login information stored in your vaults.</p> <img src='https://blog.1password.com/posts/2024/product-update-features-and-security-q3-2024/Fill%20logins%20anywhere%20and%202FA%20integration%20on%20iOS%2018.png' alt='A screenshot of 1Password for iOS showing a vault item with the option to autofill.' title='A screenshot of 1Password for iOS showing a vault item with the option to autofill.' 
style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>Also in beta, you’ll be able to autofill one-time codes from 1Password directly into any app or website during sign-in, just like you could with the built-in Apple system you’re already used to.</p> <h2 id="keep-track-of-your-data">Keep track of your data</h2> <p><strong>Improved search results</strong></p> <p>Previously, if you wanted to search 1Password for an item, you needed to use quite specific terms to find it – for example, if you wanted to find your bank login, you couldn’t just type “bank” in the search bar, but instead needed to type in the name of your bank, like “Wells Fargo” or “Chase.”</p> <p> <video class="round shadow" style="display: block; margin: auto; padding: 0;" autoplay loop playsinline width="100%" controls> <source src="https://blog.1password.com/posts/2024/product-update-features-and-security-q3-2024/04_Smart%20Search.mp4" type="video/mp4" /> </video> </p> <p>Now you can type general terms or categories to find what you need without having to know the exact name or wording you used when saving an item.</p> <p><strong>Sharing improvements</strong></p> <p><strong>Keep track of shared items</strong>: Get full visibility into your shared items, including active, expired, and pending share links.</p> <p><strong>Simplified sharing from the desktop app</strong>: When you right-click on an item in the 1Password desktop app, an option to share it will appear.</p> <p><strong>Improved experience when receiving an item</strong>: When you share a 1Password item with anyone – whether they use 1Password or not – they will now see an improved page with dynamic interaction options that let them copy the items to the clipboard, and they’re even invited to check out 1Password themselves.</p> <p> <video class="round shadow" style="display: block; margin: auto; padding: 0;" autoplay loop playsinline width="100%" controls> <source 
src="https://blog.1password.com/posts/2024/product-update-features-and-security-q3-2024/06_Shared%20Item.mp4" type="video/mp4" /> </video> </p> <p><strong>QR codes for Wi-Fi sharing</strong>: Automatically generate a QR code for any Wi-Fi item – all the recipient needs to do is scan the code with their phone.</p> <p> <video class="round shadow" style="display: block; margin: auto; padding: 0;" autoplay loop playsinline width="100%" controls> <source src="https://blog.1password.com/posts/2024/product-update-features-and-security-q3-2024/05_Wifi%20QR.mp4" type="video/mp4" /> </video> </p> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div class="c-technical-aside-box__description"> <p>In our last batch of updates we shared that we released a beta feature that would let you <a href="https://blog.1password.com/product-update-features-and-security/">scan a QR code to set up 1Password on a new device</a>. This is now out of beta and available to all.</p> </div> </aside> <h2 id="optimized-onboarding">Optimized onboarding</h2> <p><strong>Guided setup</strong></p> <p>A centralized set-up guide will be available for anyone new to 1Password.</p> <p> <video class="round shadow" style="display: block; margin: auto; padding: 0;" autoplay loop playsinline width="100%" controls> <source src="https://blog.1password.com/posts/2024/product-update-features-and-security-q3-2024/01_Guided%20Setup.mp4" type="video/mp4" /> </video> </p> <p>A step-by-step guide will make sure you reach important and useful milestones quickly, like importing data and adding 1Password to all devices.</p> <p><strong>Improved import functionality on mobile</strong></p> <p>You can now import data from any platform, including CSV files from Chrome, Apple (Keychain or Safari), and 1Password on your Android or iOS devices – with more options coming soon.</p> <p> <video class="round shadow" style="display: block; margin: auto; padding: 
0;" autoplay loop playsinline width="100%" controls> <source src="https://blog.1password.com/posts/2024/product-update-features-and-security-q3-2024/02_Mobile%20Import.mp4" type="video/mp4" /> </video> </p> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div class="c-technical-aside-box__description"> <p>All features are available on the latest versions of 1Password for <a href="https://apps.microsoft.com/detail/xp99c9g0krdz27?hl=en-us&amp;gl=CA">Windows</a>, <a href="https://1password.com/downloads/mac/">Mac</a>, <a href="https://1password.com/downloads/linux/">Linux</a>, <a href="https://apps.apple.com/app/id1511601750?mt=8">iOS</a>, <a href="https://play.google.com/store/apps/details?id=com.onepassword.android">Android</a>, and 1Password browser extensions (<a href="https://1password.com/downloads/browser-extension/">Microsoft Edge, Chrome, Firefox, Safari, and Brave</a>) unless otherwise specified. If you’d like to learn even more about what’s new with the updates we’ve made, <a href="https://releases.1password.com/">check out our release notes for all the details</a>.</p> </div> </aside> <h2 id="thank-you-for-helping-us-make-1password-even-better">Thank you for helping us make 1Password even better</h2> <p>Your feedback helps us focus on what matters most — making 1Password more secure, easy to use, and reliable.</p> <p>We’re always working to improve 1Password so you can manage your digital life easily and securely. This time, we’ve worked on simpler logins, better sharing, a smoother browsing experience, and an easier setup for new accounts – and stay tuned! 
There’s more to come before the year is over.</p> <p>Keep sharing your feedback – we love working with you!</p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Ready to protect yourself?</h3> <p class="c-call-to-action-box__text"> Keep all of your accounts secure with 1Password, the world’s most-trusted password manager. Get started today with a free 14-day trial. </p> <a href="https://1password.com/pricing/" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Try free for 14 days </a> </div> </section></description></item><item><title>3 tips to get everyone on your team using 1Password Enterprise Password Manager</title><link>https://blog.1password.com/three-tips-drive-1password-adoption-during-onboarding/</link><pubDate>Tue, 15 Oct 2024 00:00:00 +0000</pubDate><author>info@1password.com (Courtney Buffie)</author><guid>https://blog.1password.com/three-tips-drive-1password-adoption-during-onboarding/</guid><description> <img src='https://blog.1password.com/posts/2024/three-tips-drive-1password-adoption-during-onboarding/header.png' class='webfeedsFeaturedVisual' alt='3 tips to get everyone on your team using 1Password Enterprise Password Manager' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">A smooth and well-structured onboarding process can encourage strong security habits for your team. And the way you introduce 1Password sets the stage for how your entire organization will use it. Follow our tips and strategies to build an unbreakable foundation that’s baked right into your company’s overall security strategy.</p> <p>Already implemented 1Password Enterprise Password Manager? 
Keep reading because all of the information shared in this blog remains relevant even after your 1Password account is set up, helping you optimize and improve for the future.</p> <h2 id="tip-1-optimize-your-1password-account-setup">Tip 1: Optimize your 1Password account setup</h2> <p>While going through the setup process, make sure you’re using features in a way that encourages employees to actually use their 1Password account. To do that, you want to focus on three key areas.</p> <h3 id="1-effectively-set-up-your-groups-vaults-and-policies">1. Effectively set up your groups, vaults, and policies</h3> <p>Setting up groups, vaults, and policies before onboarding is essential to ensure that your organization’s security protocols are followed from day one.</p> <p>1Password administrators should work with other teams within the business to pre-determine what vaults and groups need to be made. Every organization will need to customize according to their business needs, but we recommend starting with defining groups by department or role.</p> <p>We’ve also found that establishing vaults based on department, role, or project can be quite effective for ensuring the right people have access to the information they need. Your policies should be aligned with your organization&rsquo;s security needs, and follow the principle of least privilege – that is, ensuring that users only have access to the data they need.</p> <h3 id="2-automatically-install-1password-apps-and-extensions-and-automate-provisioning">2. Automatically install 1Password apps and extensions, and automate provisioning</h3> <p>The best way to get your teams to use 1Password Enterprise Password Manager is by reducing the number of steps it takes for them to get started. One way to do that is to deploy and install 1Password on all your company devices, skipping the need for employees to take this step themselves.</p> <p>The browser extension is how most people will access and use 1Password daily. 
That’s because the autofill feature makes signing in to websites faster and the password generation feature makes creating new accounts with strong passwords easier – all without needing to leave the browser.</p> <p>If your organization is using <a href="https://blog.1password.com/pros-and-cons-of-mdms/">mobile device management (MDM)</a>, you can automatically deploy the 1Password applications onto the devices that your team members use. This saves your team time in their setup process, meaning they’re more likely to get started using the tool sooner.</p> <h3 id="3-use-1password-integrations">3. Use 1Password integrations</h3> <p>The more integrated any tool is into your system, the more likely your team is to use it. That’s why we encourage you to fold 1Password Enterprise Password Manager into your existing ecosystem by taking advantage of our many integrations.</p> <p>Here are a few key integrations we recommend you consider:</p> <ul> <li> <p><strong>Single Sign-On (SSO).</strong> Simplify the way your team accesses 1Password by integrating with systems like Okta, Microsoft Entra, and others. Check out 1Password’s <a href="https://support.1password.com/sso/">Unlock with SSO</a> to learn how to integrate 1Password with your identity provider.</p> </li> <li> <p><strong>Developer tools.</strong> Help your engineering teams work efficiently and securely with integrations for popular CI/CD tools like GitHub Actions, infrastructure tools like Kubernetes, IDE extensions, and more. Learn more about <a href="https://developer.1password.com/">which developer tools integrate with 1Password</a>.</p> </li> <li> <p><strong>Build an integration.</strong> Developers can extend 1Password functionality by building their own integrations. 
Check out our documentation to <a href="https://developer.1password.com/">learn more about building securely with 1Password</a>.</p> </li> </ul> <h2 id="tip-2-implement-a-strong-onboarding-communication-plan">Tip 2: Implement a strong onboarding communication plan</h2> <p>Once you’ve completed the setup of 1Password Enterprise Password Manager, it’s time to enable and roll it out to your team. Creating a strong communication plan before roll-out is something we’ve observed all successful rollouts have in common. It’s not only an opportunity to make team members aware of what 1Password is, but it also encourages them to use it by highlighting how it can benefit them.</p> <p>The following two recommendations will help you communicate with your team to drive adoption.</p> <h3 id="1-use-1passwords-resources-to-build-your-communication-plan">1. Use 1Password’s resources to build your communication plan</h3> <p>You don’t have to start your communication strategy from scratch – the <a href="https://1password.com/1password-launch-kit">1Password Launch Kit</a> is designed to help you navigate our <a href="https://1password.com/resources/">existing resources</a>, and highlight the information most relevant to onboarding.</p> <p>The kit helps educate 1Password administrators, IT, and security teams on the tool’s functionality, including the browser extension, web application for administrators, and desktop apps. It also provides key communication documents like email communication templates and answers to frequently asked questions.</p> <p>The launch kit also contains important training materials and resources to help your end users use 1Password Enterprise Password Manager effectively. Offering structured training sessions early on can significantly improve user confidence and encourage widespread adoption. Remember, a little training will go a long way in helping your team understand and effectively use 1Password.</p> <h3 id="2-identify-your-1password-champions">2. 
Identify your 1Password champions</h3> <p>Sometimes the best way to get your team to adopt 1Password Enterprise Password Manager is to have their peers advocate on your behalf. Your 1Password champions are the people on your team who are excited about using a password manager and might have even used one in the past.</p> <p>They can help implement your communication plan by:</p> <ul> <li>Using 1Password and encouraging others to use it.</li> <li>Demonstrating best practices.</li> <li>Leading training sessions.</li> <li>Sharing your communication across different channels.</li> </ul> <p>Having team members advocate for 1Password who are outside of the implementation team can add legitimacy to the value of the tool and encourage faster adoption.</p> <h3 id="what-an-effective-communication-plan-looks-like">What an effective communication plan looks like</h3> <p>A communication plan outlines how you’re going to communicate to people, the message you want to send, and what you want them to do next.</p> <p>A few things you should consider when building your communication plan:</p> <ol> <li>Which channels you’ll use to communicate the message, who will help you, and what your timeline is.</li> <li>Your message should highlight why 1Password Enterprise Password Manager is being implemented, when it’s being rolled out, and how employees can get access.</li> <li>Information on where they can find 1Password training resources, including who to contact to recover accounts, or ask questions.</li> </ol> <h2 id="tip-3-incentivize-your-team-to-start-using-1password">Tip 3: Incentivize your team to start using 1Password</h2> <p>The key to successful adoption lies not just in the effective onboarding of a tool, but also in encouraging its continuous use. Making the onboarding process interactive and engaging can be a game-changer in the way your team adopts and uses 1Password Enterprise Password Manager. 
Here are two ways you can try to boost engagement and adoption in your team.</p> <h3 id="1--store-important-information-in-a-1password-vault">1. Store important information in a 1Password vault</h3> <p>We all know people are more prone to undertake certain tasks if there is an immediate need or reward attached to them.</p> <p>By storing important information that everyone will need to access at some point, like Wi-Fi passwords, building access codes, or the employee handbook in a 1Password vault, employees will need to activate their accounts and start using 1Password to access this essential information. Once they’re using 1Password Enterprise Password Manager, it’ll be easier to keep them engaged and show the value of integrating it into their daily workflows.</p> <h3 id="2-create-interesting-incentives-like-a-hidden-prize">2. Create interesting incentives like a hidden prize</h3> <p>Why not add a little fun to the process? Another way to guide your team members into exploring 1Password Enterprise Password Manager and ensuring active use is by creating an incentive in the form of hidden prizes. For instance, a secret code for a free coffee could be hidden in a shared vault, leading users to sign up and explore the platform in their quest for caffeine.</p> <h2 id="help-everyone-adopt-1password-enterprise-password-manager">Help everyone adopt 1Password Enterprise Password Manager</h2> <p>Building an effective onboarding strategy that drives 1Password adoption is possible with the right tools and the right people. 1Password is dedicated to helping you and your team. The <a href="https://1password.com/1password-launch-kit">1Password Launch Kit</a> and ongoing training sessions are here to help you foster a culture of security and make password management a convenient and intuitive process for everyone on your team.</p></description></item><item><title>Are we getting better at data breaches? 
Security expert Troy Hunt weighs in</title><link>https://blog.1password.com/managing-data-breaches-troy-hunt-interview/</link><pubDate>Tue, 15 Oct 2024 00:00:00 +0000</pubDate><author>info@1password.com (Jenn Marshall)</author><guid>https://blog.1password.com/managing-data-breaches-troy-hunt-interview/</guid><description> <img src='https://blog.1password.com/posts/2024/managing-data-breaches-troy-hunt-interview/header.png' class='webfeedsFeaturedVisual' alt='Are we getting better at data breaches? Security expert Troy Hunt weighs in' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Have I Been Pwned, a free site that lets anyone search to see if their information was leaked in a data breach, is now just over 10 years old. We asked its creator and renowned security expert, Troy Hunt, whether the world has gotten any better at protecting itself from fraud and cyber attacks since he began the project.</p> <p>Matt Davey, Chief Experience Officer at 1Password, chatted with Hunt on the <a href="https://randombutmemorable.simplecast.com/">Random But Memorable</a> podcast about a variety of other topics including scraping (is scraping a data breach?) and the ethics of disclosure (has legislation like GDPR and CCPA made organizations more transparent about breaches?) 
Find answers to these questions and more by reading the interview highlights below or by listening to the <a href="https://randombutmemorable.simplecast.com/episodes/life-admin-selfie-fatigue">full podcast episode</a>.</p> <div style="text-align: center !important;"> <iframe src="https://www.youtube-nocookie.com/embed/XYVwCEiGIj8?si=poJ7sXVTcOBSHWtD" frameborder="0" allow="autoplay; encrypted-media" width="500px !important;" height="281px !important;" style="width: 500px !important; height: 281px !important; display: inline-block !important" allowfullscreen></iframe> </div> <p><em>Editor’s note: This interview has been lightly edited for clarity and brevity. The views and opinions expressed by the interviewee don’t represent the opinions of 1Password.</em></p> <p><strong>Matt Davey: How are things since we last caught up?</strong></p> <p><strong>Troy Hunt:</strong> Very pwned. Everything is very pwned. There&rsquo;s no bottom, is there? We just keep going and going. We were past 800 breaches the other day. I thought it was impressive when I started with five. So here we are, business as usual.</p> <p><strong>MD: Are you counting all the breaches that keep appearing in the press and thinking: &ldquo;Oh my god, a billion credentials?&rdquo;</strong></p> <p><strong>TH:</strong> There&rsquo;s been a lot in the press lately about <a href="https://www.cnbc.com/2024/08/23/was-my-social-security-number-stolen-national-public-data-breach-questions.html">U.S. social security numbers and the National Public Data (a background-check company) breach</a>. That’s just one breach that&rsquo;s in Have I Been Pwned.</p> <p>What I&rsquo;m not doing is getting sucked into this. For example, earlier this year there was &ldquo;<a href="https://blog.1password.com/what-to-do-mother-of-all-breaches/">the mother of all breaches</a>,&rdquo; which was just a collection of different things. 
I&rsquo;d rather see discrete incidents so that people can look at it and go: &ldquo;Oh look, I was in <a href="https://www.bbc.co.uk/news/technology-24740873">the Adobe data breach</a>. I know I need to go and have a chat with the folks at Adobe about how I feel about that and change the password I use there.&rdquo; I don&rsquo;t like these amorphous things where it&rsquo;s like: &ldquo;You&rsquo;re in this collection of stuff, who knows what it was.&rdquo;</p> <p><strong>MD: You recently celebrated <a href="https://www.troyhunt.com/a-decade-of-have-i-been-pwned/">10 years of Have I Been Pwned</a>. In that time, it has become an important tool for many individuals and organizations. How has the platform evolved since its creation and what impact do you think it&rsquo;s had on public awareness of data breaches?</strong></p> <p><strong>TH:</strong> It&rsquo;s interesting that the platform itself really hasn&rsquo;t changed architecturally until now. We&rsquo;re just doing a rollover of the underlying database model. We got our first ever proper employee yesterday! The platform will still look the same on top, but now that we&rsquo;ve actually got dev resources, we&rsquo;ll be able to invest on top of that, hopefully even give it a little bit of a spruce up. A lot happens in 10 years.</p> <blockquote> <p><em>&ldquo;We got our first ever proper employee yesterday!&rdquo;</em></p> </blockquote> <p>In terms of data breaches, over the space of 10 years, it feels like the overarching picture hasn&rsquo;t changed. We still have lots of breaches from lots of different places. All that&rsquo;s different now is, I think, we&rsquo;ve gone through cycles of different things that were getting breached. Around 2018 it felt like there was a lot of MongoDB being breached. 
More recently we&rsquo;ve seen <a href="https://www.darkreading.com/cybersecurity-operations/three-ways-to-chill-attacks-on-snowflake">a lot of dependency pipeline breaches where there&rsquo;s a compromised Snowflake</a>. There&rsquo;s a whole other story around how that actually happened but we see a vulnerability like that impact a whole bunch of customers downstream.</p> <p><strong>MD: Does anything surprise you anymore? Or have you become completely desensitized?</strong></p> <p><strong>TH:</strong> I do see stuff occasionally where I think: &ldquo;Wow, I&rsquo;ve just learned about a whole subculture genre that I never knew existed.&rdquo; And my eyes have been opened.</p> <p>I&rsquo;m also fascinated by how many government and corporate email addresses are in these breaches. You can&rsquo;t help but go: &ldquo;Have you not been paying attention?&rdquo;</p> <p>Putting aside whether or not you should be using these services, you definitely shouldn&rsquo;t be using them with your work email address, and I&rsquo;m fascinated that that continues to be a thing.</p> <p><strong>MD: Which breaches over the last 10 years really stand out to you?</strong></p> <p><strong>TH:</strong> Ashley Madison. No hesitation. <a href="https://www.wired.com/2015/08/happened-hackers-posted-stolen-ashley-madison-data/">Ashley Madison</a> was fascinating for so many reasons. I remember at that time – and this was 2015 – people were saying: &ldquo;Is this going to be the wake-up call? Is this going to be the one where everyone goes, &lsquo;Oh yeah, we should be more careful with our personal data and our cybersecurity?&rsquo;&rdquo;</p> <p>Of course, it didn&rsquo;t change anything. But what was so fascinating about it was the perfect combination of factors that resulted in massive media attention and a huge human impact. Just in the last year we&rsquo;ve seen two different documentaries come out about this incident. It’s fascinating that it’s a mainstream thing. 
I&rsquo;ve had random people that I know pop up and go: &ldquo;Hey, I saw you on the Ashley Madison documentary thing.&rdquo; It&rsquo;s like: &ldquo;Well, okay, normal people are watching this.&rdquo;</p> <div style="text-align: center !important;"> <iframe src="https://www.youtube-nocookie.com/embed/sPEC4yfvoCw?si=FQaCSzxxmgrbULTq" frameborder="0" allow="autoplay; encrypted-media" width="500px !important;" height="281px !important;" style="width: 500px !important; height: 281px !important; display: inline-block !important" allowfullscreen></iframe> </div> <p>I still haven&rsquo;t seen anything that&rsquo;s compared to that in terms of overall impact. We&rsquo;ve seen much bigger breaches. We&rsquo;ve seen breaches that have leaked arguably more sensitive information when it relates to things like health. But that&rsquo;s just the one that captured everyone&rsquo;s attention.</p> <p><strong>MD: Health information is probably more sensitive, but [Ashley Madison] was a service that customers didn&rsquo;t want other people knowing they were using.</strong></p> <p><strong>TH:</strong> I think because it was salacious that it got extra attention. Even before the breach, Ashley Madison had attracted a lot of ire from the masses about the ethics and morality of adultery, and it was an interesting thing to watch. It feels like American daytime talk show TV.</p> <p>Of course, we learned so much as the incident unfolded about the mechanics of how the organization worked, about the bots, and the way their business model operated. That&rsquo;s something I find fascinating about breaches in general. It peels back the veneer and you get to see what&rsquo;s actually happening underneath.</p> <p><strong>MD: How do you verify and investigate a data breach? Has that process changed over the last 10 years?</strong></p> <p><strong>TH:</strong> It hasn&rsquo;t overtly changed. 
I&rsquo;ve written before about how I verify data breaches but in a nutshell, being able to reliably attribute the source of an incident is enormously important for a couple of reasons.</p> <p>One is that the individuals in a data breach really want to know who mishandled their data. Where do they go to complain or get upset or ask their records to be deleted or whatever it may be.</p> <p>The other is, from my own self-preservation point of view, I want to get this right. I don&rsquo;t want to go out there and say: &ldquo;Hey, ACME Corp had a data breach” and then discover it wasn&rsquo;t ACME Corp. Or it was someone completely different, and that then damages their organization. Verification and attribution to a source is important.</p> <blockquote> <p><em>&ldquo;I want to get this right.&rdquo;</em></p> </blockquote> <p>Here&rsquo;s one of the easiest ways to do that. A data breach has got lots of email addresses in there. Let&rsquo;s say it&rsquo;s a million email addresses. There&rsquo;s almost always <a href="https://www.mailinator.com/">Mailinator</a> addresses in there. And Mailinator is a public mailbox. You can send a mail to troy[at]mailinator.com, and then go to Mailinator.com, and put Troy in there, and you&rsquo;ll see the mailbox. No one creating a Mailinator account ever expects privacy, they expect it to be a public mailbox.</p> <p>So let&rsquo;s say I look into a data breach, and out of the million email addresses I&rsquo;m able to grab several Mailinator addresses. I can then go to the password reset form on the service that the breach was alleged to have come from, and put one of those Mailinator addresses in, and then see the reset email go to the correct inbox. It&rsquo;s like, wow, what are the chances?</p> <p>I&rsquo;ve got almost five million subscribers on Have I Been Pwned at the moment. That&rsquo;s for the freebie &lsquo;enter your email address&rsquo; service. I&rsquo;ll let you know if you turn up somewhere. 
Occasionally I will reach out to a bunch of those that are in a new breach and say: &ldquo;Look, you signed up to this service. I think you might have been in a breach. Can you help me verify if this is legitimate? Did you use that service? Did you put your email address in there?&rdquo;</p> <p>A lot of the time people have got receipts. They bought something, or they kept the welcome email. Or, particularly if disclosure is required, I&rsquo;ll go to the company itself and say: &ldquo;Look, I&rsquo;ve got this data, someone sent it to me, I think it&rsquo;s yours. You should know about it.&rdquo; There&rsquo;s nothing like confirmation from the organization itself to be completely confident of the source.</p> <p><strong>MD: In the beginning, did companies believe that disclosure was optional, or go: &ldquo;Nah, we didn&rsquo;t do it.&rdquo; Have things got better behind closed doors?</strong></p> <p><strong>TH:</strong> I look at disclosure in two parts. There&rsquo;s my disclosure to the organization of letting them know, and that&rsquo;s pretty much the same for me. I&rsquo;d say it&rsquo;s still painful. It&rsquo;s still one of the hardest things I do.</p> <p>And then there&rsquo;s the disclosure of the organization to the impacted individuals. I do fear, just as a gut feel, that it is worse now than what it was. The sense I get around this is a combination of things – it seems to go from talking to an organization to talking to their lawyers very, very quickly.</p> <p>What I mean by that is not necessarily me getting lawyer letters – that does happen every now and then, and we have a nice chat and so far, it&rsquo;s been OK. But it seems to very quickly go into damage control on behalf of the organization. I suspect a lot of that is due to the prevalence of class actions that happen pretty much overnight now every time there&rsquo;s a data breach. 
I feel that organizations are going into self-preservation mode to try and protect their interests, and if they’re public, the shareholders’ interests as well – at the detriment of the individuals in the breaches.</p> <blockquote> <p><em>&ldquo;Organizations are going into self-preservation mode to try and protect their interests.&rdquo;</em></p> </blockquote> <p>I&rsquo;ve just seen so many incidents where these organizations are simply not notifying individuals. I lament the fact I feel this burden of responsibility. I have this data and millions of subscribers, and it&rsquo;s up to me to let them know, and to do something that the organization should do. Really, the best outcome for Have I Been Pwned would be for it to be redundant, but we&rsquo;re going in the opposite direction. Organizations aren&rsquo;t doing disclosure at all in some cases.</p> <p><strong>MD: I&rsquo;m really surprised about that. I would have thought it&rsquo;s getting better.</strong></p> <p><strong>TH:</strong> Some people would argue: “Well, there&rsquo;s also more regulation.” Since I started this, we’ve had <a href="https://blog.1password.com/get-serious-gdpr-compliance/">GDPR (the UK’s General Data Protection Regulation)</a>, the <a href="https://blog.1password.com/cpra-will-transform-how-companies-treat-employee-data/">CCPA (California Consumer Privacy Act)</a>, a mandatory data breach disclosure scheme in Australia as well – different parts of the world have implemented regulatory controls. But what I think a lot of people don&rsquo;t understand is that a lot of these regulatory controls don&rsquo;t mandate disclosure to the individuals in a breach. They usually mandate disclosure to the local regulator.</p> <p>I&rsquo;ve seen so many examples. Europe is probably a particularly good one because people are like: &ldquo;Let&rsquo;s go and GDPR these guys.&rdquo; I feel like it&rsquo;s a verb. 
&ldquo;We&rsquo;re going to go and GDPR this company because they didn&rsquo;t disclose to us.&rdquo; But they disclosed to the local regulator and there are only certain conditions that need to be met in order for them to have to tell you as well. That I find is a bit of a shame. As a good faith thing, and frankly a corporate responsibility thing: if you&rsquo;ve lost someone&rsquo;s data, let them know. That doesn&rsquo;t seem too hard to me.</p> <p><strong>MD: What are some of the most common vulnerabilities that currently lead to data breaches?</strong></p> <p><strong>TH:</strong> Scraping has definitely been more prevalent in recent years.</p> <p>I can think of multiple examples where there are services that would intentionally expose some data publicly. Then someone will go through, and they&rsquo;ll enumerate it (systematically collect data on a large scale with automated tools). Instead of you using a service that has an API that pulls back someone&rsquo;s profile, and you see just a little bit of data for that person, someone has now gone and pulled out millions, tens of millions, hundreds of millions of records by enumerating through this collection of API endpoints.</p> <p>Many of these APIs will take an email address and come back and give you information about it. They&rsquo;ll collect this huge amount of data and then go: &ldquo;This is the ACME Corp scraped data breach.&rdquo;</p> <p>I&rsquo;ve seen a lot more of that and I suspect part of it is because we have so many services that are, by design, exposing little bits and pieces of information. Let&rsquo;s say, about someone&rsquo;s profile. And there&rsquo;s an argument that if it&rsquo;s scraped data, it&rsquo;s not even a breach, because the data was literally meant to be publicly accessible. 
<a href="https://www.troyhunt.com/when-is-a-scrape-a-breach/">I&rsquo;ve written before about whether or not a scrape is a breach</a>.</p> <p>To my mind, in any case where there&rsquo;s data that has been misused from the fashion in which it was provided and it was expected to be used, then that does constitute a breach. That&rsquo;s something that we&rsquo;ve seen many times, particularly with some of the big social platforms. That includes Facebook, X, LinkedIn – they&rsquo;ve all got large scraped data breach corpuses in Have I Been Pwned now.</p> <p><strong>MD: I&rsquo;d never really thought about that. It&rsquo;s small bits of information that bundled together and then become dangerous.</strong></p> <p><strong>TH:</strong> LinkedIn is a great example because that was a massive scrape. The question is: If someone scrapes your data, and your personal attributes, and the things that, by design, you&rsquo;ve given to LinkedIn to be discoverable by other people, but they&rsquo;ve siphoned up your profile and millions of others’ personal profiles, would you want to know about that? Would that bother you? Most people say: &ldquo;Yeah, that&rsquo;s not what I gave my data for.&rdquo; Of course, scraping is a complete violation of all the terms and services, but that&rsquo;s not really what hackers worry about, is it? They just want the data.</p> <p><strong>MD: I think I&rsquo;d be bothered by it because when you give information to LinkedIn, there is a purpose to that. I&rsquo;d like to be aware when my information is used badly.</strong></p> <p><strong>TH:</strong> Exactly. 
My fear is that we end up having so many different incidents that make a lot of noise that people become a little bit tired (“data breach fatigue” is the phrase I hear sometimes), and are then unwilling to act when there are incidents that happen that do really need their attention.</p> <p>I think unless a data breach has some tangible impact on someone, that they have money lost, or their identity stolen, I suspect they&rsquo;re starting to become a little bit nonchalant to it.</p> <blockquote> <p><em>&ldquo;I suspect [people] are starting to become a little bit nonchalant to it.&rdquo;</em></p> </blockquote> <p><strong>MD: Is there anything in the current zeitgeist that excites, scares, or angers you when it comes to cybersecurity?</strong></p> <p><strong>TH:</strong> Lack of disclosure. What angers me? I don&rsquo;t need much time to think about that. The fascinating thing is, as Have I Been Pwned has become more mainstream and more accepted, I&rsquo;ve spent a lot more time with people in law enforcement, and people in politics, and people who are making the regulations, and I&rsquo;ve been interested to see their position on all these things. It&rsquo;s so well aligned with ours. They&rsquo;re like: &ldquo;Yeah, of course people should be told about data breaches&rdquo; and &ldquo;Yeah, we need to clamp down on these organizations.&rdquo; But I see very little actual change.</p> <p>Maybe this is just part of that age-old problem of technology moving forward so quickly, and the law takes a long time to catch up to it, but it just feels like we are much further behind now than where we were before. 
Maybe that&rsquo;s just reflective of the exposure I&rsquo;ve got now, too – but there&rsquo;s a gap that we need to try and fill.</p> <blockquote> <p><em>&ldquo;It just feels like we are much further behind now than where we were before.&rdquo;</em></p> </blockquote> <p><strong>MD: For the average person who wants to improve their online security and privacy, do you have go-to practical steps that they can take to protect themselves against this?</strong></p> <p><strong>TH:</strong> I still feel that having a password manager is the number one thing. The prevalence of reuse is nuts. We can trace back so many different incidents, whether it&rsquo;s the reused password of the individual who&rsquo;s the victim, it&rsquo;s the business email compromise situation, or whether it&rsquo;s a corporate account, which then has the keys to the cloud. So many of these things tie back to compromises of passwords that are just the bare-bones basics.</p> <p>On top of that, the continual lack of multifactor authentication. That is still a stunning thing, particularly when we&rsquo;ve got so many different ways of doing it now. We&rsquo;ve got the emergence of <a href="https://blog.1password.com/what-are-passkeys/">passkeys</a>, which really didn&rsquo;t exist only a few years ago. That&rsquo;s great.</p> <p>We&rsquo;ve got U2F (Universal 2nd Factor) keys, we&rsquo;ve got authentication, we have so many different ways of doing this now. It&rsquo;s still all the same fundamentals, and even as we move forward into passwordless, regardless of which variety that we look at, we are still gathering passwords faster than we&rsquo;re discarding them. 
This problem really still keeps growing and growing.</p> <blockquote> <p><em>&ldquo;Even as we move forward into passwordless, we&rsquo;re still gathering passwords faster than we&rsquo;re discarding them.&rdquo;</em></p> </blockquote> <p>I remember even 10 years ago, I&rsquo;d do interviews and people would go: &ldquo;Are we still going to have passwords in 10 years?&rdquo; Now when I talk to people, I&rsquo;m like: &ldquo;Do you have more passwords now than what you had 10 years ago?&rdquo; And everyone&rsquo;s like: &ldquo;Yeah, because the old ones don&rsquo;t die. I’ve got more than I&rsquo;ve ever had before.&rdquo;</p> <p>I still feel that this is just the absolute heart, and it&rsquo;s the low-hanging fruit, too. We have easy solutions to this.</p> <p><strong>MD: What do you see as the biggest challenge in combating all of this in the next few years? Do you think the industry is prepared for it?</strong></p> <p><strong>TH:</strong> I think so much of it is the usability factor, the human interaction side of things. I&rsquo;ve found it fascinating over the years when I&rsquo;ve written about security, to keep coming back to: why do certain things get traction, or why do certain things not get traction?</p> <p>Well, because they&rsquo;re consumable, because humans can use them. Or conversely, because humans struggle with them. Why does multifactor have such poor uptake when it is such an effective tool? Because humans don&rsquo;t like that it gets in the way.</p> <p>Why do many organizations not force two-factor on their customers? Because a lot of people don&rsquo;t like it, and it creates a barrier to entry, and they lose customers.</p> <p>I think we still have this big challenge of how do we make security implicit and acceptable to the masses? I wonder if part of that is that you’ve just got to get them young enough. I was talking about password managers a couple of days ago. I said, &ldquo;Well, my 12-year-old daughter has been using one for years. 
She&rsquo;s in our Family 1Password vault. She logs onto everything with unique passwords and she never thinks twice about it. She&rsquo;s like, &ldquo;It&rsquo;s so easy.&rdquo;</p> <blockquote> <p><em>&ldquo;We still have this big challenge of how do we make security implicit and acceptable to the masses?&rdquo;</em></p> </blockquote> <p>Maybe we&rsquo;ve got to get a foothold in the schools and start making security something that kids just grow up with and they don&rsquo;t think twice about.</p> <p><strong>MD: Do you think that&rsquo;s where you can be optimistic about the future of cybersecurity? For example, we have advancements in AI and deep fakes. Do you think it&rsquo;s literally just a generational problem of awareness?</strong></p> <p><strong>TH:</strong> It&rsquo;s certainly part of it. I know it&rsquo;s so cliche to say, but I guess older generations, who haven&rsquo;t grown up with the technology as a native part of their everyday life, find it harder to get to grips with concepts than kids, who just live with it day in and day out.</p> <p>I see my kids getting to grips with a lot of technology concepts easier than what I can do, because they&rsquo;re the digital natives and they&rsquo;ve just lived with it. I think that&rsquo;s the opportunity. And then of course, as you&rsquo;ve mentioned, things like AI are going to evolve very quickly. It will be a very different landscape when my kids are probably even just 10 years older, let alone when they&rsquo;re my age. So that is a fascinating area, isn&rsquo;t it?</p> <p><strong>MD: Where can listeners go to learn more about you and the projects that you&rsquo;re working on?</strong></p> <p><strong>TH:</strong> Everything&rsquo;s on <a href="https://www.troyhunt.com/">TroyHunt.com</a>. 
All roads lead from there.</p> <section class="c-call-to-action-box c-call-to-action-box--purple"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Subscribe to Random but Memorable</h3> <p class="c-call-to-action-box__text"> Listen to the latest news, tips and advice to level up your security game, as well as guest interviews with leaders from the security community. </p> <a href="https://randombutmemorable.simplecast.com/" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--purple" data-event-category="CTA" data-event-action="call-to-action-button"> Subscribe to our podcast </a> </div> </section></description></item><item><title>Coming soon: Securely import and export passkeys</title><link>https://blog.1password.com/fido-alliance-import-export-passkeys-draft-specs/</link><pubDate>Mon, 14 Oct 2024 00:00:00 +0000</pubDate><author>info@1password.com (Nick Steele)</author><guid>https://blog.1password.com/fido-alliance-import-export-passkeys-draft-specs/</guid><description> <img src='https://blog.1password.com/posts/2024/fido-alliance-import-export-passkeys-draft-specs/header.png' class='webfeedsFeaturedVisual' alt='Coming soon: Securely import and export passkeys' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Passkeys <a href="https://blog.1password.com/passkeys-vs-passwords-differences/">are superior to passwords</a> in <em>almost</em> every way. They&rsquo;re simpler to use because there’s nothing to memorize, type out, or paste in. They&rsquo;re also <em>always</em> strong and come with multi-factor authentication built right in. In short, passkeys are awesome.</p> <p>But why are passkeys <em>almost</em> always better than passwords? What&rsquo;s the catch?</p> <p>At the moment, you can&rsquo;t securely move your passkeys between different password managers. 
It&rsquo;s a technical shortcoming that we&rsquo;re committed to solving, and now, after many months of thinking, prototyping, and discussing it with other security companies, we have some news to share.</p> <h2 id="introducing-two-draft-passkey-specifications">Introducing two draft passkey specifications</h2> <p>Today, the FIDO Alliance has <a href="https://fidoalliance.org/fido-alliance-publishes-new-specifications-to-promote-user-choice-and-enhanced-ux-for-passkeys/">published a working draft of a new set of specifications</a> that, once implemented by major passkey providers, will allow you to import and export passkeys in a way that’s both convenient and secure.</p> <aside class="c-technical-aside-box c-technical-aside-box--background" aria-labelledby="whats-the-fido-alliance"> <h2 class="c-technical-aside-box__title" id="whats-the-fido-alliance"> What&#39;s the FIDO Alliance? </h2> <div class="c-technical-aside-box__description"> <p>The FIDO Alliance is an open industry association with a mission to reduce the world’s reliance on passwords. 1Password <a href="https://blog.1password.com/1password-is-joining-the-fido-alliance/">joined the Alliance in 2022</a> and is a board member.</p> </div> </aside> <p>These new specifications are called:</p> <ul> <li>Credential Exchange Protocol (CXP)</li> <li>Credential Exchange Format (CXF)</li> </ul> <p>These specifications provide a universal format and secure mechanism for transferring <em>all kinds of credentials</em>. 
That includes passkeys, traditional passwords, and everything else typically handled <a href="https://support.1password.com/import/">using a CSV file</a>.</p> <p>If every company adopts these new specifications, it will be simpler for everyone to use and store passkeys wherever they prefer.</p> <h2 id="why-were-doing-this">Why we&rsquo;re doing this</h2> <p><strong>1Password believes that you own your data</strong>.</p> <p>True ownership means you can download the information tied to your account and take it to a new service whenever you like. To be clear, <strong>we have no interest in creating a walled garden or locking you into 1Password</strong>.</p> <p>Passkeys <em>need</em> to be transferable in a way that&rsquo;s simple and totally secure.</p> <p>Your passkeys are incredibly valuable given that, unlike passwords, they often come with multi-factor authentication built in. Exporting your passkeys in plaintext is therefore way, way too risky. Everyone agrees that something better is needed.</p> <p>The draft specifications released today will make sure your passkeys and other sensitive data always have the protection they deserve.</p> <p>We’ve written these standards in collaboration with industry peers in the FIDO Alliance. By working together we’re creating a truly open and seamless passwordless experience.</p> <h2 id="next-steps">Next steps</h2> <p>The working drafts of these specifications are now available for the security industry to review. This is an important step to ensure the proposals are truly fit for purpose.</p> <p>If you&rsquo;re interested, <a href="https://fidoalliance.org/specifications-credential-exchange-specifications/">give them a read</a> and provide feedback over <a href="https://github.com/fido-alliance/credential-exchange-feedback">on the FIDO Alliance&rsquo;s GitHub page</a>.</p> <p>We’ll use the community’s feedback to improve the specs as we work toward implementing them in our password manager. 
<strong>1Password is committed to supporting the new format and exchange protocol</strong>, and will let you know once the option to import and export passkeys is available.</p> <h2 id="start-using-passkeys">Start using passkeys</h2> <p>If you haven&rsquo;t done so already, there&rsquo;s no better time to create your first passkeys. A <a href="https://passkeys.directory/">growing number of websites and apps</a> support them including Amazon, LinkedIn, and PlayStation.</p> <p>Read our guide to learn <a href="https://blog.1password.com/how-save-manage-share-passkeys-1password/">how to save, share, and manage passkeys using 1Password</a>. And if you have any questions about passkeys, like how they work and their benefits over passwords, check out <a href="https://blog.1password.com/passkeys-faqs/">this FAQs article</a>.</p> <p>Thank you for joining us on this journey. We&rsquo;re excited by the possibilities of passkeys and how they can make the web a simpler and safer place for everyone.</p></description></item><item><title>1Password for Good: Giving back during Cybersecurity Awareness Month and beyond</title><link>https://blog.1password.com/1password-for-good-cybersecurity-awareness-month-2024/</link><pubDate>Thu, 10 Oct 2024 00:00:00 +0000</pubDate><author>info@1password.com (Sara Teare)</author><guid>https://blog.1password.com/1password-for-good-cybersecurity-awareness-month-2024/</guid><description> <img src='https://blog.1password.com/posts/2024/1password-for-good-cybersecurity-awareness-month-2024/header.png' class='webfeedsFeaturedVisual' alt='1Password for Good: Giving back during Cybersecurity Awareness Month and beyond' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">It&rsquo;s easy for technology companies to claim they&rsquo;re a force for good. 
As the age-old saying goes, actions speak louder than words.</p> <p>For this year&rsquo;s <a href="https://www.cisa.gov/cybersecurity-awareness-month">Cybersecurity Awareness Month</a>, the Cybersecurity and Infrastructure Security Agency (CISA) has chosen the theme &ldquo;Secure Our World&rdquo;. It&rsquo;s a reminder that everyone has a right to privacy and the tools, support, and knowledge required to protect their data. In the spirit of CISA’s theme, 1Password is donating $50,000 to three pioneering organizations that teach technology skills to underrepresented youth:</p> <ul> <li><a href="https://missionbit.org/">Mission Bit</a></li> <li><a href="https://www.digitalmoment.org/">Digital Moment</a></li> <li><a href="https://techshecan.org/">Tech She Can</a></li> </ul> <p>It&rsquo;s one of the many ways we&rsquo;re &ldquo;doing our bit&rdquo; to protect our future and help communities both online and offline.</p> <h2 id="mission-bit">Mission Bit</h2> <p>Mission Bit inspires youth of color to explore the world of STEM with project-based computer science education that embraces their identities. Through innovative programming and a commitment to inclusivity, this US-based organization is transforming the lives of students and shaping the future of the tech industry.</p> <img src='https://blog.1password.com/posts/2024/1password-for-good-cybersecurity-awareness-month-2024/mission-bit.png' alt='Two students working together on a laptop.' title='Two students working together on a laptop.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <h2 id="digital-moment">Digital Moment</h2> <p>Digital Moment is a charity headquartered in Montreal that mobilizes communities to build a better future through literary education. 
The organization creates programs and experiences around digital skills like coding and AI.</p> <p>1Password is building on its donation by helping Digital Moment create a cybersecurity education program to teach children about passwords, social engineering, and more.</p> <blockquote> <p><em>&ldquo;By equipping teenagers, parents, and educators with the knowledge and tools to protect themselves online, we are making meaningful strides toward building a safer and more secure digital future for everyone.&rdquo; – Indra Kubicek, CEO of Digital Moment</em></p> </blockquote> <h2 id="tech-she-can">Tech She Can</h2> <p>Tech She Can is a charity based in the UK that helps inspire and enable all children – particularly girls – to pursue a career in technology. To date, over 120,000 children have been supported by its programs.</p> <img src='https://blog.1password.com/posts/2024/1password-for-good-cybersecurity-awareness-month-2024/tech-she-can.jpg' alt='A group of schoolchildren working on small whiteboards.' title='A group of schoolchildren working on small whiteboards.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <h2 id="1password-for-good">1Password for Good</h2> <p>The donations we&rsquo;ve just mentioned are a small part of our philanthropic <strong>1Password for Good</strong> initiative. Through our people, products, and presence, we&rsquo;re giving back to communities and striving to make the world a safer place for everyone.</p> <h3 id="our-people">Our people</h3> <p>Here are just a few ways our employees are making an impact and helping us build a diverse company with equal opportunities:</p> <ul> <li><strong>Employee resource groups</strong>. These voluntary groups offer a supportive space for members to connect, share, and thrive. 
They include the Asian &amp; Pacific Islander (A&amp;PI) ERG, Black Caucus, Disability Alliance, Hispanic or Latin American (HOLA) ERG, Pride Employee Resource Group, and Women@1Password.</li> <li><strong>Employee Community Groups</strong>. These help foster communication, build community, and highlight cultures within 1Password. We currently have two representing our Jewish and West Asia North African communities.</li> <li><strong>Volunteer days</strong>. On top of their usual time-off allowance, every 1Password employee is given two paid days each year to volunteer with a worthwhile cause. Later this month, some of our employees will be volunteering through <a href="https://team4tech.org/">Team4Tech</a> to conduct a design workshop, pro bono, that addresses a cybersecurity challenge faced by one of its non-profit partners.</li> </ul> <h3 id="our-product">Our product</h3> <p>Nonprofits, journalists, and open source-focused developers play vital roles in our modern society. We&rsquo;ve set up programs to help all three groups access 1Password and work in a more secure, streamlined, and collaborative way:</p> <ul> <li><a href="https://1password.com/for-journalists/"><strong>1Password for Journalists</strong></a></li> <li><a href="https://1password.com/for-non-profits/"><strong>1Password for Nonprofits</strong></a></li> <li><a href="https://github.com/1Password/for-open-source"><strong>1Password for Open Source</strong></a></li> </ul> <h3 id="our-presence">Our presence</h3> <p>Finally, we have our internal 1Password <strong>Giving Fund</strong> that allows 1Password employees to put forward organizations they care about and deserve support.</p> <p>1Password reviews proposals every quarter and aims to give out up to $100,000 each year. In September, we awarded $7,500 in grants to 15 organizations across the US, Canada, and the UK. 
Past grant recipients have included <a href="https://www.wedontwaste.org/">We Don’t Waste</a>, <a href="https://futureprojects.org.uk/">Future Projects</a>, and <a href="https://www.mamasformamas.org/program/mamas-for-mamas/">Mamas for Mamas</a>, where one of our employees has been volunteering for five years.</p> <h2 id="just-the-beginning">Just the beginning</h2> <p>Over the years, our team has helped build a water well in Malawi, planted 100,000 trees, donated laptops, fed over 30,000 people in Canada, and so much more.</p> <p>By choosing 1Password, you&rsquo;re supporting our efforts to make a positive difference on this planet we call home. So from the bottom of our hearts: Thank you. We couldn&rsquo;t do this without you!</p></description></item><item><title>Buying vs building your own osquery solution</title><link>https://blog.1password.com/buying-vs-building-your-own-osquery-solution/</link><pubDate>Wed, 09 Oct 2024 00:00:00 +0000</pubDate><author>info@1password.com (Jason Meller)</author><guid>https://blog.1password.com/buying-vs-building-your-own-osquery-solution/</guid><description> <img src='https://blog.1password.com/posts/2024/buying-vs-building-your-own-osquery-solution/header.png' class='webfeedsFeaturedVisual' alt='Buying vs building your own osquery solution' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">In this article, we compare the various difficulties and costs associated with trying to build your own osquery solution vs buying 1Password&rsquo;s osquery-based device trust product.</p> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div class="c-technical-aside-box__description"> <p>Note to readers: This article was initially written in late 2022. We&rsquo;ve done our best to update all of its information and advice, but be sure to do your due diligence when researching further! 
And of course, you can always reach out to our team with any questions.</p> </div> </aside> <p>When you&rsquo;re making the case for your company to buy 1Password® Extended Access Management, executives and technical procurement managers will inevitably ask if you&rsquo;ve considered alternatives. And since 1Password Extended Access Management&rsquo;s Device Trust solution uses <a href="https://osquery.io/">osquery</a>, which is open-source software, you should expect that one of those proposed alternatives will be building it yourself.</p> <p>This should be no surprise; osquery is the most popular open-source endpoint security project on GitHub. So it&rsquo;s reasonable to ask: how much value is 1Password&rsquo;s Device Trust solution really providing on top of it, and how much can I get by just making my own solution?</p> <p>In this article, we are going to cover the differences between our solution and vanilla osquery on its own, and explore what it would take to replicate some of the features 1Password Extended Access Management provides.</p> <h2 id="why-does-1password-extended-access-management-use-osquery">Why does 1Password Extended Access Management use osquery?</h2> <p>Before we get into build vs buy, let&rsquo;s take a moment and explain why 1Password Extended Access Management uses osquery in the first place.</p> <p>At its core, our device trust solution is intended to cover three primary use cases:</p> <ul> <li> <p><strong>Achieve compliance.</strong> Measure, achieve, and maintain your compliance goals.</p> </li> <li> <p><strong>Obtain visibility.</strong> Obtain complete fleet visibility across Mac, Windows, and Linux endpoints.</p> </li> <li> <p><strong>Implement honest security.</strong> Make security a core value in your company&rsquo;s culture.</p> </li> </ul> <p>To help your organization accomplish each of these use cases, 1Password&rsquo;s Device Trust solution needs an endpoint agent that can collect the necessary telemetry required across Mac, 
Windows, and Linux devices <em>without</em> hurting performance.</p> <p>On top of that, we&rsquo;re committed to end user privacy and transparency. With that in mind, we wanted to ensure that the source code for all the binaries we ship to the endpoint could be scrutinized by our customers and end users.</p> <p>Given all of these requirements, osquery was the only open-source tool out there that fit the bill. Even so, it&rsquo;s easy to forget that osquery is a means to an end, not a complete solution itself.</p> <p>While osquery is a great fit for our use case, there are a few things it doesn&rsquo;t do out of the box, which are prerequisites needed by any organization before they can roll it out and manage it competently. This is why we created <a href="https://github.com/kolide/launcher">Kolide Launcher</a>, our own agent that wraps around osquery, extending its data collection capabilities, providing native installation packages, and most importantly, solving the problem of automatic updates.</p> <h2 id="osquery-architecture--deployment">Osquery architecture &amp; deployment</h2> <h3 id="how-to-deploy-osquery-on-your-own">How to deploy osquery on your own</h3> <p>For your in-house osquery solution to work at all, you need to get it onto devices. To do that, you&rsquo;ll need tools like <a href="https://www.chef.io/">Chef</a>, <a href="https://puppet.com/">Puppet</a>, or <a href="https://www.ansible.com/">Ansible</a> to distribute not only the osquery binary itself, but also its configuration file and any future updates to that file.</p> <p>From there, the data osquery provides isn&rsquo;t automatically neatly arranged. 
Below is an example of a query result for a single device run in a format known as <a href="https://osquery.readthedocs.io/en/stable/deployment/logging/#snapshot-format">snapshot</a>, a mode where each time the query is run, the full results are emitted to a log with some additional metadata about the device.</p> <pre tabindex="0"><code>{
  &quot;action&quot;: &quot;snapshot&quot;,
  &quot;snapshot&quot;: [
    { &quot;parent&quot;: &quot;0&quot;, &quot;path&quot;: &quot;/sbin/launchd&quot;, &quot;pid&quot;: &quot;1&quot; },
    { &quot;parent&quot;: &quot;1&quot;, &quot;path&quot;: &quot;/usr/sbin/syslogd&quot;, &quot;pid&quot;: &quot;51&quot; },
    { &quot;parent&quot;: &quot;1&quot;, &quot;path&quot;: &quot;/usr/libexec/UserEventAgent&quot;, &quot;pid&quot;: &quot;52&quot; },
    { &quot;parent&quot;: &quot;1&quot;, &quot;path&quot;: &quot;/usr/libexec/kextd&quot;, &quot;pid&quot;: &quot;54&quot; }
  ],
  &quot;name&quot;: &quot;process_snapshot&quot;,
  &quot;hostIdentifier&quot;: &quot;hostname.local&quot;,
  &quot;calendarTime&quot;: &quot;Mon May 2 22:27:32 2016 UTC&quot;,
  &quot;unixTime&quot;: &quot;1462228052&quot;,
  &quot;epoch&quot;: &quot;314159265&quot;,
  &quot;counter&quot;: &quot;1&quot;,
  &quot;numerics&quot;: false
}
</code></pre><p>This is in contrast to the <a href="https://osquery.readthedocs.io/en/stable/deployment/logging/#event-format">differential log format</a>, which instead of showing the full result set of a query run, shows only the differences between the current query run and the previous query run. 
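Folding a stream of these result logs into a current picture of each host is the job osquery leaves to you: a snapshot replaces everything previously known for that query and host, while the differential format (sample below) arrives as separate <code>added</code> and <code>removed</code> events that must be applied in order. The following Python script is an added example, not code from this post, from 1Password or from the osquery project; its sample log lines are constructed to match the shapes shown here, and it accepts both the <code>hostIdentifier</code> key of current osquery releases and the older <code>hostname</code> key that the differential sample uses.

```python
"""Fold osquery result logs (snapshot and differential) into current state.

Added example, not code from the 1Password post or the osquery project. The
sample log lines below are constructed to match the shapes shown in the post.
"""
import json
from typing import Dict, FrozenSet, Iterable, List, Set, Tuple

# A result row is stored as a frozenset of (column, value) pairs so that
# identical rows compare equal and can live inside a set.
Row = FrozenSet[Tuple[str, str]]
# State maps (query name, host) to the rows currently believed present.
State = Dict[Tuple[str, str], Set[Row]]

# Constructed sample: one snapshot result, then three differential events for
# a 'processes' query (osqueryd restarted, so one pid appears, one disappears).
SAMPLE_LOG: List[str] = [
    json.dumps({
        "action": "snapshot",
        "snapshot": [
            {"parent": "0", "path": "/sbin/launchd", "pid": "1"},
            {"parent": "1", "path": "/usr/sbin/syslogd", "pid": "51"},
        ],
        "name": "process_snapshot",
        "hostIdentifier": "hostname.local",
        "unixTime": "1462228052",
    }),
    json.dumps({
        "action": "added",
        "columns": {"name": "osqueryd", "path": "/opt/osquery/bin/osqueryd", "pid": "97650"},
        "name": "processes",
        "hostname": "hostname.local",   # older key, as in the post's sample
        "unixTime": "1412123800",
    }),
    json.dumps({
        "action": "added",
        "columns": {"name": "osqueryd", "path": "/opt/osquery/bin/osqueryd", "pid": "97830"},
        "name": "processes",
        "hostname": "hostname.local",
        "unixTime": "1412123850",
    }),
    json.dumps({
        "action": "removed",
        "columns": {"name": "osqueryd", "path": "/opt/osquery/bin/osqueryd", "pid": "97650"},
        "name": "processes",
        "hostname": "hostname.local",
        "unixTime": "1412123850",
    }),
]


def _row(columns: dict) -> Row:
    return frozenset((k, str(v)) for k, v in columns.items())


def apply_event(state: State, event: dict) -> State:
    """Apply one decoded log line to state and return the state."""
    host = event.get("hostIdentifier") or event.get("hostname")
    key = (event["name"], host)
    action = event["action"]
    if action == "snapshot":
        # A snapshot is authoritative: replace whatever was held before.
        state[key] = {_row(r) for r in event["snapshot"]}
    elif action == "added":
        state.setdefault(key, set()).add(_row(event["columns"]))
    elif action == "removed":
        # discard, not remove: a 'removed' for a row never seen (e.g. logs
        # ingested after the agent was already running) must not raise.
        state.setdefault(key, set()).discard(_row(event["columns"]))
    else:
        raise ValueError(f"unknown osquery action: {action!r}")
    return state


def load_log(lines: Iterable[str]) -> State:
    """Replay newline-delimited JSON log lines in file order."""
    state: State = {}
    for line in lines:
        line = line.strip()
        if line:
            apply_event(state, json.loads(line))
    return state


def current_pids(state: State, query: str, host: str) -> List[str]:
    """Sorted pid column of the rows currently held for (query, host)."""
    rows = state.get((query, host), set())
    return sorted(dict(r)["pid"] for r in rows)


if __name__ == "__main__":
    final = load_log(SAMPLE_LOG)
    print("process_snapshot:", current_pids(final, "process_snapshot", "hostname.local"))
    print("processes:", current_pids(final, "processes", "hostname.local"))
```

Events are replayed in file order, which is what a single host's log gives you; when merging logs from several shippers you would sort on <code>unixTime</code> first, and an added/removed pair with the same timestamp (as in the sample) still has to be applied in the order it was emitted.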
When logging results in the differential logging format, it&rsquo;s up to you to assemble the final state.</p> <pre tabindex="0"><code>{
  &quot;action&quot;: &quot;added&quot;,
  &quot;columns&quot;: {
    &quot;name&quot;: &quot;osqueryd&quot;,
    &quot;path&quot;: &quot;/opt/osquery/bin/osqueryd&quot;,
    &quot;pid&quot;: &quot;97830&quot;
  },
  &quot;name&quot;: &quot;processes&quot;,
  &quot;hostname&quot;: &quot;hostname.local&quot;,
  &quot;calendarTime&quot;: &quot;Tue Sep 30 17:37:30 2014&quot;,
  &quot;unixTime&quot;: &quot;1412123850&quot;,
  &quot;epoch&quot;: &quot;314159265&quot;,
  &quot;counter&quot;: &quot;1&quot;,
  &quot;numerics&quot;: false
}
{
  &quot;action&quot;: &quot;removed&quot;,
  &quot;columns&quot;: {
    &quot;name&quot;: &quot;osqueryd&quot;,
    &quot;path&quot;: &quot;/opt/osquery/bin/osqueryd&quot;,
    &quot;pid&quot;: &quot;97650&quot;
  },
  &quot;name&quot;: &quot;processes&quot;,
  &quot;hostname&quot;: &quot;hostname.local&quot;,
  &quot;calendarTime&quot;: &quot;Tue Sep 30 17:37:30 2014&quot;,
  &quot;unixTime&quot;: &quot;1412123850&quot;,
  &quot;epoch&quot;: &quot;314159265&quot;,
  &quot;counter&quot;: &quot;1&quot;,
  &quot;numerics&quot;: false
}
</code></pre><p>If you want to compile or export that data, you&rsquo;ll need tools beyond osquery itself. Here&rsquo;s a diagram showing one example of the free (more accurately, &ldquo;freemium&rdquo;) tools that you would need.</p> <img src='https://blog.1password.com/posts/2024/buying-vs-building-your-own-osquery-solution/osquery-free-architecture.png' alt='A graphic showcasing the freemium tools and programs you&#39;ll need to export this desired data.' title='A graphic showcasing the freemium tools and programs you&#39;ll need to export this desired data.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>It&rsquo;s worth noting that, as you do your research, you may encounter what appear to be free and open-source tools that work with osquery and extend its capabilities. 
But some are actually paid products with a free tier, while vital features are locked behind subscriptions.</p> <p>Other tools are just outright expensive. For instance, osquery itself <a href="https://osquery.readthedocs.io/en/stable/deployment/aws-logging/">can directly connect</a> to popular data streaming services like Amazon AWS Kinesis Streams, which can cost $10,000 to $20,000 a year alone. And to use it, you&rsquo;d need to set up an osquery management server that implements <a href="https://osquery.readthedocs.io/en/stable/deployment/remote/">Osquery&rsquo;s remote TLS API</a>. There are many paid management servers. There are also free (and freemium) servers that you can host on your own infrastructure. But either option will also require time and headcount to manage and maintain those servers, and updates will pose their own problems.</p> <h3 id="how-1passwords-device-trust-solution-deploys">How 1Password&rsquo;s Device Trust solution deploys</h3> <p>As you are likely already aware, 1Password Extended Access Management is a SaaS product. In this context, that means we host all of the centralized infrastructure that your endpoints send telemetry to on a regular basis. Hosting isn&rsquo;t just turning on a web server – it includes:</p> <ul> <li> <p>Regularly applying security patches.</p> </li> <li> <p>Automatically scaling the environment.</p> </li> <li> <p>Ensuring the service remains highly available.</p> </li> <li> <p>Safely storing the data devices send to us.</p> </li> </ul> <p>When it comes to rolling out the agent to devices, we wanted to make this as simple for you as possible. This is why we pre-build native installation packages on Mac (.pkg), Windows (.msi), and Linux (.deb and .rpm).</p> <p>These native packages are perfect for distribution via MDM software such as Jamf and Microsoft Intune. Since they are signed and notarized, end users won&rsquo;t see any worrying prompts about untrusted code. 
As soon as the package is run, the agent automatically connects to the application without any further action needed on your part.</p> <p>If you <a href="https://blog.1password.com/pros-and-cons-of-mdms/">don&rsquo;t want to use MDM software</a> to distribute the agent, you can use our onboarding feature to reach out to end users directly and guide them step-by-step through the process of installing the agent. You can even automatically message new employees on their first day to guide them to self-install the agent.</p> <p>It&rsquo;s a simple process, and as soon as it&rsquo;s installed, you&rsquo;ll immediately have visibility into each device&rsquo;s posture and compliance according to the data compiled by osquery.</p> <h2 id="dealing-with-annual-os-changes">Dealing with annual OS changes</h2> <p>Given Apple&rsquo;s success with shipping annual OS updates, even OS vendors like Microsoft (despite their reputation for changing Windows at a glacial pace) are doing everything they can to substantively change their OS at a faster rate.</p> <p>If you build your own solution, these annual releases (and the shorter and shorter beta cycles that precede them) are extremely disruptive to tools like osquery, which rely on private and undocumented APIs to get the critical data you need.</p> <p>Since osquery often relies on unsupported APIs to gather data, many queries that work in one OS version and CPU architecture can suddenly and inexplicably stop working after even a minor upgrade. There is no better example of this than the macOS screenlock feature that was completely rewritten in macOS 10.13. 
Fixing it required reverse engineering an undocumented API, and the development of a new osquery capability.</p> <p>To resolve these situations, the operators of your solution will need to regularly test your osquery SQL queries against the latest development and beta releases as soon as they&rsquo;re available.</p> <p>Meanwhile, at 1Password, we have a dedicated team of engineers that think about this problem. They participate vigorously in the osquery open-source project and collaborate with OS vendors to ensure our app works correctly on day one of an OS' official release.</p> <h2 id="configuring-the-data-you-collect">Configuring the data you collect</h2> <p><strong>One of the largest misconceptions about vanilla osquery is that once you&rsquo;ve rolled it out, it will automatically measure your device&rsquo;s compliance.</strong> The truth is, osquery is only as good as the queries you run and the tools you use to analyze its data.</p> <p>With vanilla osquery, it&rsquo;s on you to:</p> <ul> <li> <p>Develop/find SQL queries that will help you measure your compliance objectives.</p> </li> <li> <p>Add those queries to the osquery schedule in the configuration.</p> </li> <li> <p>Aggregate the data to produce a meaningful report.</p> </li> </ul> <p>While the official osquery project does <a href="https://github.com/osquery/osquery/tree/master/packs">provide example query packs</a>, most of the packs have not been updated for years. For example, the vast <a href="https://github.com/osquery/osquery/blame/master/packs/unwanted-chrome-extensions.conf">majority of threats in the Unwanted Chrome Extensions Pack</a> are from over four years ago and reference extensions that are no longer distributed in the Chrome Extensions store.</p> <p>In contrast, 1Password Extended Access Management comes prepackaged with over one hundred checks (specially written osquery SQL queries) that, when run on a device, produce an accurate attestation of that device&rsquo;s state. 
1Password Extended Access Management aggregates these check results in a dashboard so you can track how well you are doing across your entire fleet. If there isn&rsquo;t a check available for your needs, you can also write a custom check using our templates or starting from scratch.</p> <p>Finally, 1Password&rsquo;s Device Trust solution&rsquo;s most distinctive feature is its ability to aggregate, persistently store, meticulously document, and make programmatically available thousands of data points about each enrolled device. Not only do we do this at no additional charge, we allow you to query the database this data is stored in with SQL.</p> <h2 id="putting-osquery-data-to-use">Putting osquery data to use</h2> <p>To reiterate, osquery&rsquo;s main function is to gather data about device states. But while it&rsquo;s great to unearth a lot of scary problems in your environment, the other half of that equation is having a way to remediate them, and there are plenty <a href="https://blog.1password.com/pros-and-cons-of-mdms/">that cannot be fixed with automated tools like MDM</a>. Those tricky issues can quickly spiral into an emergency situation where end user remediation will be an essential feature.</p> <p>1Password Extended Access Management <a href="https://blog.1password.com/extended-access-management-okta-guide/">integrates with SSO providers</a> like Okta and Microsoft Entra to ensure that only healthy devices can access company systems. If a device fails a regularly scheduled query – for instance, the user&rsquo;s Chrome browser isn&rsquo;t updated – our agent tells the user:</p> <ol> <li> <p>What the problem is.</p> </li> <li> <p>Then, it provides detailed self-remediation instructions on how to fix the issue.</p> </li> <li> <p>Then, it tells the user that they will be blocked from authenticating if they don&rsquo;t fix it by a certain deadline.</p> </li> </ol> <p>End user-driven remediation of nuanced problems is our core use-case. 
To enable it, we&rsquo;ve put a lot of work into building out our SSO integrations to make sure that the data gleaned from osquery can be put into action to keep your systems safe. These consequences make our solution a fully-fledged <a href="https://blog.1password.com/what-is-device-trust/">device trust</a> offering.</p> <p>If you are attempting to replicate 1Password Extended Access Management&rsquo;s self-remediation features, you&rsquo;ll need to contend with differentiating instructions between OS versions as features are removed, added, and altered throughout the OS.</p> <p>Building this integration on your own would pose a lot of challenges. For starters, you&rsquo;d need to be able to associate end users with their osquery installation. This sounds easy, but often requires some sleuthing and automatic assignment based on evidence collected from the device itself. Without an osquery management server that is end user aware, you will need to build this understanding yourself in order to gain much security from your osquery build.</p> <h2 id="key-takeaways">Key Takeaways</h2> <p>This was a lot to absorb, but my hope is you take away the following key points when comparing the cost of buying 1Password Extended Access Management to building everything yourself with osquery.</p> <p>The main thing to take away is that osquery, at its core, is a simple producer of telemetry. To make use of it, you need additional tools, time, and headcount to get it onto devices, fit its data gathering capabilities to your needs, and to keep it up-to-date.</p> <p>No matter if your use-case is fleet visibility or compliance, there are several ongoing costs you&rsquo;ll need to consider if you plan on building your own product. 
These costs might not be obvious for newcomers to osquery, but become relevant quickly when you try to put it to work.</p> <p>With 1Password Extended Access Management, you can easily view and export logs (if you want), and we also give you intuitive visualizations about what&rsquo;s going on inside a device, highlighting and calling out the things that matter. And we go beyond visualization alone, with the assurance that devices that aren&rsquo;t healthy won&rsquo;t be able to authenticate. That can see <a href="https://blog.1password.com/do-macs-need-antivirus-for-soc-2/">huge rewards and savings</a> for compliance reporting alone.</p> <p>It might not be free, but we are a fully-featured product packaged under straightforward pricing. As you think through alternatives, it&rsquo;s important that you consider their true costs, not just during the experimentation phase, but when they are fully deployed in a production setting.</p> <p>We built this product because we saw so much promise in osquery, but found the only organizations who could enjoy it were the ones who had the technical know-how and enormous budgets to operationalize it safely and effectively. We made a big bet that if we built software to dramatically reduce the complexity, risk, and toil needed to tap into that promise, more organizations would be able to experience the value that osquery offers.</p> <p>We strongly believe we&rsquo;ve built something compelling and, when analyzed honestly against building it yourself, we&rsquo;re the obvious choice for nearly all organizations.</p> <p><em>Want to see our osquery device trust solution in action? 
<a href="https://1password.com/contact-sales/xam">Reach out for a demo!</a></em></p></description></item><item><title>How to set up Windows File Integrity Monitoring using osquery</title><link>https://blog.1password.com/how-to-set-up-windows-file-integrity-monitoring-using-osquery/</link><pubDate>Wed, 09 Oct 2024 00:00:00 +0000</pubDate><author>info@1password.com (Fritz Ifert-Miller)</author><guid>https://blog.1password.com/how-to-set-up-windows-file-integrity-monitoring-using-osquery/</guid><description> <img src='https://blog.1password.com/posts/2024/how-to-set-up-windows-file-integrity-monitoring-using-osquery/header.png' class='webfeedsFeaturedVisual' alt='How to set up Windows File Integrity Monitoring using osquery' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">This article explains how, with 1Password&rsquo;s Device Trust solution, you can use osquery&rsquo;s file monitoring capabilities to oversee your Windows fleet.</p> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div class="c-technical-aside-box__description"> <p>Note: This article was written in 2022. We wanted to share it since the information about setting up Windows FIM with osquery is still highly valuable. Even so, the specific UX and admin flow detailed here may have seen minor changes over time. If you ever need help, feel free to reach out with any questions! Our door&rsquo;s always open for fellow osquery fans.</p> </div> </aside> <p>Prior to Osquery 4.2.0, Osquery&rsquo;s File Integrity Monitoring (FIM) capabilities only worked on macOS and supported versions of Linux. To fill this gap, Trail of Bits engineer <a href="https://github.com/woodruffw">@woodruffw</a> created a new virtual table called ntfs_journal_events to finally bring basic FIM capabilities to osquery on Windows. 
In this tutorial, we will take a look at how you can use 1Password&rsquo;s Device Trust solution to configure and ingest <code>ntfs_journal_events</code> output.</p> <h2 id="what-you-will-need">What you will need</h2> <ol> <li> <p>1Password&rsquo;s Device Trust solution (formerly Kolide), available as part of <a href="https://1password.com/product/xam">1Password® Extended Access Management</a>.</p> </li> <li> <p>A Windows 10 or 11 device enrolled in 1Password&rsquo;s Device Trust solution.</p> </li> <li> <p>Physical or remote access to the Windows device so that you can generate events to monitor.</p> </li> </ol> <h2 id="osquery-fim-basics">Osquery FIM basics</h2> <p>The FIM in osquery is composed of two distinct pieces:</p> <ul> <li> <p>A FIM category which defines monitored paths. (eg. <code>C:\Users\fritz\Downloads</code>)</p> </li> <li> <p>An events table query which populates results. (eg. <code>SELECT * FROM ntfs_journal_events;</code>)</p> </li> </ul> <p>1Password&rsquo;s Device Trust solution makes it easy to get up and running with the osquery FIM with minimal configuration. Let&rsquo;s set up a basic FIM configuration to monitor the changes of the User&rsquo;s Downloads folder on a Windows device.</p> <p>To do so we will need to perform three easy steps:</p> <ol> <li> <p>Enable the osquery Options for Windows events.</p> </li> <li> <p>Define a FIM category.</p> </li> <li> <p>Write an <code>ntfs_journal_events</code> query.</p> </li> </ol> <h2 id="enabling-windows-events">Enabling Windows events</h2> <p>To use the FIM, we will first need to Enable the NTFS Event Publisher by going to the &ldquo;Osquery Settings&rdquo; page, and setting the dropdown state to <code>true</code>.</p> <img src='https://blog.1password.com/posts/2024/how-to-set-up-windows-file-integrity-monitoring-using-osquery/kolide-osquery-options.png' alt='A screenshot of the osquery settings page.' title='A screenshot of the osquery settings page.' 
style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <h2 id="define-a-fim-category">Define a FIM category</h2> <p>Next, we will configure a FIM category. A FIM category defines a watched path, or set of paths, which will be flagged as the target of our events query.</p> <p>FIM categories support the usage of wildcards, to accommodate relative paths that may be different across devices. For example, watching directories within a User directory:</p> <pre tabindex="0"><code>C:\Users\fritz\Downloads C:\Users\chris\Downloads C:\Users\kevin\Downloads </code></pre><p>All of these directories can be distilled down to a single relative path using the following wildcard approach:</p> <pre tabindex="0"><code>C:\Users\%\Downloads </code></pre><p>Note that a trailing slash or trailing <code>%%</code> wildcard should NOT be used when defining paths, or you will not recursively search subdirectories.</p> <img src='https://blog.1password.com/posts/2024/how-to-set-up-windows-file-integrity-monitoring-using-osquery/kolide-fim-category.png' alt='A screenshot of a new FIM category.' title='A screenshot of a new FIM category.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>We can create a new FIM Category by navigating to: &ldquo;Osquery Settings/FIM Categories,&rdquo; and then clicking on the &ldquo;Add New FIM Category&rdquo; button. We can then name our category and define its watched paths.</p> <h3 id="write-an-ntfs_journal_events-query">Write an ntfs_journal_events query</h3> <p>The last piece needed before we can start emitting data is a valid osquery SQL query to populate results. 
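The three things this tutorial configures through the Device Trust UI (the NTFS event publisher, a FIM category with its watched paths, and a scheduled <code>ntfs_journal_events</code> query) map onto three sections of a plain osquery configuration file. The Python script below is an added example, not code from this post, from 1Password or from the osquery project: it builds that configuration for readers running <code>osqueryd</code> themselves and refuses category paths that end in a slash or in <code>%%</code>, the two patterns this post says defeat recursive monitoring. The category name, the ten-second test interval and putting <code>enable_ntfs_event_publisher</code> in the <code>options</code> block are my assumptions (if your build only accepts it as a start-up flag, pass it on the command line instead).

```python
"""Build and sanity-check an osquery configuration for NTFS-journal FIM.

Added example; not code from the 1Password post, 1Password, or the osquery
project. It mirrors the three UI steps in the post as plain config sections.
Assumptions: category name, 10-second interval, and that the publisher switch
is accepted in the config 'options' block rather than only as a CLI flag.
"""
import json
from typing import Dict, List


def validate_fim_path(path: str) -> List[str]:
    """Return the problems with one FIM category path (empty list if fine).

    A single '%' is osquery's per-component wildcard (C:\\Users\\%\\Downloads).
    A trailing slash or a trailing '%%' stops subdirectories being monitored,
    which is the behaviour the post warns about.
    """
    problems = []
    if path.endswith(("\\", "/")):
        problems.append("trailing slash: drop it so subdirectories are monitored")
    if path.endswith("%%"):
        problems.append("trailing %%: monitor the directory itself instead")
    elif "%%" in path:
        problems.append("%% is only meaningful as the final path component")
    return problems


def build_fim_config(category: str, paths: List[str], interval: int = 10) -> Dict:
    """Assemble the options, file_paths and schedule sections for one category."""
    bad = {p: validate_fim_path(p) for p in paths if validate_fim_path(p)}
    if bad:
        raise ValueError(f"rejected FIM paths: {bad}")
    return {
        "options": {
            # Same switch the post sets to true on the Osquery Settings page
            # (assumption: accepted here rather than only as a start-up flag).
            "enable_ntfs_event_publisher": True,
        },
        # Step 2 of the post: a FIM category is a named list of watched paths.
        "file_paths": {category: paths},
        # Step 3 of the post: the events-table query on a schedule.
        "schedule": {
            f"fim_{category}": {
                "query": "SELECT * FROM ntfs_journal_events;",
                "interval": interval,
                "platform": "windows",
                # Evented tables only produce meaningful 'added' rows, so
                # disable removed-row diffs and do not run as a snapshot.
                "removed": False,
                "snapshot": False,
            }
        },
    }


def render_config(config: Dict) -> str:
    """Serialize to osquery's JSON config; json.dumps doubles the backslashes
    that Windows paths need inside JSON strings."""
    return json.dumps(config, indent=2)


if __name__ == "__main__":
    cfg = build_fim_config("downloads", [r"C:\Users\%\Downloads"])
    print(render_config(cfg))
    print(validate_fim_path(r"C:\Users\%\Downloads\%%"))
```

Once the query is emitting events, return the interval to something closer to the default 3600 seconds; a ten-second schedule is only for confirming that results appear in the log viewer.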
We will need this query to run on a recurring schedule, which we can configure by including it in an osquery Query Pack.</p> <ol> <li> <p>Create a new Query Pack by going to: &ldquo;Log Pipeline/Osquery Packs&rdquo;.</p> </li> <li> <p>Click the button: &ldquo;Add Pack &gt; New Empty Pack&rdquo;.</p> </li> <li> <p>Name your pack and select Windows as the Platform.</p> </li> </ol> <img src='https://blog.1password.com/posts/2024/how-to-set-up-windows-file-integrity-monitoring-using-osquery/kolide-pack-new-query.png' alt='A screenshot of creating a new empty query pack in osquery.' title='A screenshot of creating a new empty query pack in osquery.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>Once we&rsquo;ve created our Query Pack, we can add our query to it:</p> <ol> <li> <p>Within the new pack, click the button labeled &ldquo;Add New Query&rdquo;.</p> </li> <li> <p>Type a name for your query.</p> </li> <li> <p>Add the following query: <code>SELECT * FROM ntfs_journal_events;</code>.</p> </li> <li> <p>Select &ldquo;Windows&rdquo; for the platform.</p> </li> <li> <p>Configure an interval (<em>3600 is the default, which is every hour, but we suggest choosing a shorter interval like 10s in the beginning, so that you can verify everything is working.</em>)</p> </li> <li> <p>Choose &ldquo;Diff&rdquo; (additions only) as the log type. (<em>Evented tables in osquery are different from other tables in that diff removals and snapshot results are not semantically meaningful.</em>)</p> </li> <li> <p>Click &ldquo;Save&rdquo;.</p> </li> </ol> <img src='https://blog.1password.com/posts/2024/how-to-set-up-windows-file-integrity-monitoring-using-osquery/kolide-pack-new-query-copy.png' alt='A screenshot of a new query pack within XAM.' title='A screenshot of a new query pack within XAM.' 
style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <h2 id="viewing-results-of-your-fim-configuration">Viewing results of your FIM configuration</h2> <p>Now that you have your new FIM configuration set up, you can test it by downloading some files to your test Windows device. If you set a frequent interval for your <code>ntfs_journal_events</code> query, you should start seeing results quickly once you perform any actions that trigger the FIM.</p> <p>Results can be previewed in the &ldquo;Live Log Viewer.&rdquo; This viewer listens for all logs emitted by the queries in your pack schedule, allows you to preview the output of your configured Query Packs, and confirms that osquery is emitting the desired output.</p> <p>Let&rsquo;s take a look at what we&rsquo;ve got so far by renaming and changing the contents of a file:</p> <img src='https://blog.1password.com/posts/2024/how-to-set-up-windows-file-integrity-monitoring-using-osquery/kolide-live-log-viewer-1.jpg' alt='A screenshot of the XAM live log viewer.' title='A screenshot of the XAM live log viewer.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <img src='https://blog.1password.com/posts/2024/how-to-set-up-windows-file-integrity-monitoring-using-osquery/kolide-live-log-viewer-2.jpg' alt='A screenshot of the XAM live log viewer.' title='A screenshot of the XAM live log viewer.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <img src='https://blog.1password.com/posts/2024/how-to-set-up-windows-file-integrity-monitoring-using-osquery/kolide-live-log-viewer-3.jpg' alt='A screenshot of the XAM live log viewer.' title='A screenshot of the XAM live log viewer.' 
style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>As we can see, we have two actions recorded by osquery: a <code>FileRename_NewName</code> and a <code>FileOverwrite</code>.</p> <h2 id="setting-a-log-destination">Setting a log destination</h2> <p>Now that we&rsquo;ve generated useful logs, 1Password&rsquo;s Device Trust solution enables you to forward them to any valid log destination. For more information on supported Log Destinations and how to configure them, please refer to our <a href="http://help.kolide.com/en/articles/3602052-log-pipeline#log-destinations">help documentation</a>.</p> <h2 id="nuances-to-be-aware-of">Nuances to be aware of</h2> <p>There are a couple of items to consider while configuring your FIM ingestion rules.</p> <h3 id="wildcard-behavior">Wildcard behavior</h3> <p>Since the FIM supports file GLOBs, you may be tempted to specify something like <code>C:\Users\%\Downloads\%%</code> in your FIM category. This doesn&rsquo;t cause errors, but specifying this way – in lieu of monitoring the directory itself – may result in unexpected behavior, like the following:</p> <ol> <li> <p>The osquery agent retrieves the FIM configuration.</p> </li> <li> <p>It recursively searches paths specified by the FIM category (e.g. 
<code>C:\Users\%\Downloads\%%</code>).</p> </li> <li> <p>It registers each file found via that pattern to be watched for changes.</p> </li> </ol> <p>This means that files created after FIM configuration retrieval (during which files are registered to be watched) will be ignored by the FIM.</p> <h2 id="further-reading--resources">Further reading &amp; resources</h2> <ul> <li> <p><a href="https://github.com/osquery/osquery/pull/5371">Read the <code>ntfs_journal_events</code> PR in the osquery GitHub repo</a></p> </li> <li> <p><a href="http://help.kolide.com/en/articles/3602052-log-pipeline">Our Log Pipeline Docs</a></p> </li> <li> <p><a href="https://osquery.readthedocs.io/en/stable/deployment/file-integrity-monitoring/">osquery&rsquo;s FIM Documentation</a></p> </li> </ul> <h2 id="get-started-using-the-windows-fim-in-osquery-today">Get started using the Windows FIM in osquery today</h2> <p>1Password&rsquo;s Device Trust solution is the easiest to use and most advanced osquery fleet manager available today.</p> <p>Want to learn more about how osquery can help keep your fleet secure? 
<a href="https://blog.1password.com/">Learn more on the 1Password blog.</a></p></description></item><item><title>Introducing mobile checks for device trust</title><link>https://blog.1password.com/introducing-mobile-checks-for-device-trust/</link><pubDate>Tue, 08 Oct 2024 00:00:00 +0000</pubDate><author>info@1password.com (Jason Meller)</author><guid>https://blog.1password.com/introducing-mobile-checks-for-device-trust/</guid><description> <img src='https://blog.1password.com/posts/2024/introducing-mobile-checks-for-device-trust/header.png' class='webfeedsFeaturedVisual' alt='Introducing mobile checks for device trust' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">I am excited to announce the immediate availability of Mobile Checks and mobile end-user self-remediation for 1Password® Extended Access Management Device Trust customers.</p> <p>Here&rsquo;s a quick demo.</p> <div style="text-align: center !important;"> <iframe src="https://www.youtube-nocookie.com/embed/Lkn-HXI7XFo" frameborder="0" allow="autoplay; encrypted-media" width="500px !important;" height="281px !important;" style="width: 500px !important; height: 281px !important; display: inline-block !important" allowfullscreen></iframe> </div> <h2 id="the-checks">The Checks</h2> <p>As part of this release, we are proud to launch the initial set of Checks:</p> <ul> <li> <p><a href="https://app.kolide.com/x/checks/catalog/77238">Mobile OS - Ensure Device is Enrolled in Organization MDM</a></p> </li> <li> <p><a href="https://app.kolide.com/x/checks/catalog/77230">Mobile OS - Ensure Device is Not Jailbroken or Rooted</a></p> </li> <li> <p><a href="https://app.kolide.com/x/checks/catalog/77203">iOS - Require Passcode Configuration</a></p> </li> <li> <p><a href="https://app.kolide.com/x/checks/catalog/77345">iOS Software Updates - Ensure iOS Version is Up-to-date</a></p> </li> <li> <p><a href="https://app.kolide.com/x/checks/catalog/77350">Android - 
Require Lock Screen Configuration</a></p> </li> <li> <p><a href="https://app.kolide.com/x/checks/catalog/77350">Android Software Updates - Ensure Google Pixel OS is Up-to-date</a></p> </li> </ul> <p>These Checks <a href="https://www.kolide.com/docs/using-kolide/mobile-app#data-collected">leverage the same core set of data</a> that is collected from mobile devices each time a user opens the app to authenticate.</p> <img src='https://blog.1password.com/posts/2024/introducing-mobile-checks-for-device-trust/checks-catalog.png' alt='A screenshot of the checks catalog.' title='A screenshot of the checks catalog.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <blockquote> <p><em>The new Checks are not enabled by default for existing customers, but you can enable them right in our Check Catalog.</em></p> </blockquote> <p>This initial set provides great functionality to get you started, and more Checks are on the way!</p> <h2 id="self-remediation">Self-Remediation</h2> <p>In addition to shipping new Checks, we&rsquo;ve updated our Kolide Mobile App to version 8. This version allows end-users to self-remediate any issues <a href="https://www.kolide.com/docs/using-kolide/mobile-app#how-to-fix-issues">directly from the mobile application</a>.</p> <p>When users attempt to authenticate with a device that&rsquo;s not in a good state, they will be asked to launch the mobile app to fix issues. After fixing the issues, they can try to authenticate again or simply swipe back to their web browser to complete the authentication process.</p> <img src='https://blog.1password.com/posts/2024/introducing-mobile-checks-for-device-trust/mobile-app-how-to-get-unblocked.png' alt='A screenshot showing how users will open fix instructions.' title='A screenshot showing how users will open fix instructions.' 
style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <blockquote> <p><em>Just like on their desktop, users can now fix issues during authentication.</em></p> </blockquote> <p>In addition to fixing issues during authentication, end-users can also launch the Kolide Mobile App directly from their phone to review their devices, including any failing Checks. Just like before, the fix instructions are available right there inside the app.</p> <img src='https://blog.1password.com/posts/2024/introducing-mobile-checks-for-device-trust/mobile-app-explore-issues.png' alt='A screenshot of how it looks to launch the Kolide mobile app.' title='A screenshot of how it looks to launch the Kolide mobile app.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <blockquote> <p><em>Users can launch the Kolide Mobile App (which can be associated with more than one organization) and review and fix issues.</em></p> </blockquote> <p>Like Checks that run on desktop devices, users will only be asked to fix issues that are set to &ldquo;notify only,&rdquo; &ldquo;warn then block,&rdquo; or &ldquo;block immediately.&rdquo; Admins can also configure checks to &ldquo;report only,&rdquo; which will not notify users of the issue.</p> <p>Also, just like with our other Checks, you can customize the remediation and fix instructions for any Mobile Check.</p> <img src='https://blog.1password.com/posts/2024/introducing-mobile-checks-for-device-trust/mobile-customize-fix-instructions.png' alt='A screenshot of fix instructions within XAM.' title='A screenshot of fix instructions within XAM.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <blockquote> <p><em>Customize the fix instructions for any Mobile Check with full markdown support. 
You can even add links to preference panes to make it easier for your users to complete the steps.</em></p> </blockquote> <h2 id="mdm-enrollment-verification">MDM Enrollment Verification</h2> <p>One critical Check is the ability to verify that a mobile device is enrolled in a Mobile Device Management (MDM) provider. To enable this, we&rsquo;ve added a new feature called <a href="https://www.kolide.com/docs/using-kolide/devices/device-registration#adding-an-mdm-provider">Device Management Providers</a>.</p> <p>This feature allows you to specify one or more MDM providers associated with your organization. For each MDM provider you add, we will generate a secret key. Once you have the key, simply use your MDM to distribute the Kolide app to your managed mobile devices, with the key as part of the configuration.</p> <p>When the Kolide app starts up on a user&rsquo;s phone, it will look for this key. If it matches the MDM in your account, we know that phone must be enrolled in the MDM!</p> <img src='https://blog.1password.com/posts/2024/introducing-mobile-checks-for-device-trust/mobile-device-details-mdm.png' alt='A screenshot of how an enrolled mobile device looks in an MDM.' title='A screenshot of how an enrolled mobile device looks in an MDM.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <blockquote> <p><em>If your mobile device is enrolled in an MDM, Kolide will report the name right on the device&rsquo;s summary page.</em></p> </blockquote> <p>More importantly, you can use this ability to ensure only mobile devices that are enrolled in your MDM are allowed to register and authenticate to Kolide. 
Just like with desktop devices, you can set the corresponding Check right in the Device Registration configuration page.</p> <img src='https://blog.1password.com/posts/2024/introducing-mobile-checks-for-device-trust/add-device-mobile-registration.png' alt='A screenshot from our docs that shows how to add MDM as a registration requirement.' title='A screenshot from our docs that shows how to add MDM as a registration requirement.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <blockquote> <p><em>A screenshot from our docs that shows how to add MDM as a registration requirement.</em></p> </blockquote> <p>Of course, just like any Check, you can ensure that not only is the device enrolled in an MDM at registration time, but you can also make sure it stays that way by blocking a device from future authentications if it ever un-enrolls. To get that capability, you just need to set the Check&rsquo;s device trust settings to block immediately. For more information on this feature, <a href="https://www.kolide.com/docs/using-kolide/devices/device-registration#requiring-mdm-enrollment-on-mobile-devices">check out our documentation</a>.</p> <p>With the launch of Mobile Checks and self-remediation, we&rsquo;re excited to bring even more flexibility and control to <a href="https://1password.com/product/xam">1Password Extended Access Management</a> customers. 
These new features help ensure that only secure, managed devices are able to authenticate, while empowering end-users to fix any issues directly from their mobile devices.</p> <p>We can&rsquo;t wait for you to start using these new tools to strengthen your device security posture.</p></description></item><item><title>More security visibility for 1Password Teams accounts with new reporting trial</title><link>https://blog.1password.com/1password-teams-free-business-reports-trial/</link><pubDate>Thu, 03 Oct 2024 00:00:00 +0000</pubDate><author>info@1password.com (Caro Jang)</author><guid>https://blog.1password.com/1password-teams-free-business-reports-trial/</guid><description> <img src='https://blog.1password.com/posts/2024/1password-teams-free-business-reports-trial/header.png' class='webfeedsFeaturedVisual' alt='More security visibility for 1Password Teams accounts with new reporting trial' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">It’s no secret that it’s hard to protect against what you can’t see. One of the biggest challenges facing security and IT experts is visibility into whether their team is following business security best practices – and this is especially true for small businesses.</p> <p>That’s why we’re giving 1Password Teams and Teams Starter Pack (TSP) accounts a chance for more visibility into password health, data breaches, and team usage with a new 1Password reports trial.</p> <p>Starting today, <a href="https://1password.com/product/teams-small-business-password-manager">1Password Teams</a> and Teams Starter Pack (TSP) accounts set up for payment via direct billing using a credit card, debit card, or ACH can <a href="https://support.1password.com/reports-trial/">get instant access to reports and the Activity Log for free, for 14 days</a>. 
This is the first time that these 1Password Business reporting features will be available as a free trial to Teams accounts – all without the need to upgrade.</p> <p>1Password reports and the Activity Log give better visibility into potential security risks, and provide actionable advice through bespoke recommendations, helping reduce the company’s exposure to threats. Now 1Password administrators responsible for security and IT will have the chance to monitor sign-in attempts, identify if company email addresses were caught in a data breach, and perform audits that show shared items, new devices added, and more. It’s the best way to monitor activity that could affect the health of the business.</p> <h2 id="get-enhanced-visibility-into-business-cybersecurity-with-reports">Get enhanced visibility into business cybersecurity with reports</h2> <p>1Password reports make it easier to monitor business security over time and help mitigate risks before they become active threats. With the 14-day free trial, IT and security administrators will gain access to more than eight different reports that are part of our 1Password Business accounts, get deeper insights into how teams are using 1Password, and identify security gaps that may need attention.</p> <h3 id="business-watchtower-reporthttpssupport1passwordcomreportscreate-a-business-watchtower-report">Business <a href="https://support.1password.com/reports/#create-a-business-watchtower-report">Watchtower report</a></h3> <p>Get an overview of any security issues in the team’s vaults, and then take recommended actions to reduce risk. 
Watchtower reports highlight:</p> <ul> <li>Weak, reused, or compromised passwords.</li> <li>Unsecured websites.</li> <li>Inactive two-factor authentication.</li> <li>Items with expiration dates in the past or near future.</li> <li>Items saved in the wrong account, based on the company’s item domains policy.</li> </ul> <div class="download-feature"> <p>Learn about Business Watchtower report.</p> <p> <a href="https://support.1password.com/reports/#create-a-business-watchtower-report" class="call-to-action "> Read support page </a> </p> </div> <h3 id="domain-breach-reporthttpssupport1passwordcomreportscreate-a-domain-breach-report"><a href="https://support.1password.com/reports/#create-a-domain-breach-report">Domain Breach Report</a></h3> <p>Identify data breaches involving team member credentials and also company email addresses that aren’t associated with the company 1Password account. The option to send an email to affected team members helps team members take action quickly to update passwords and prevent a breach.</p> <div class="download-feature"> <p>Learn about Domain Breach Report.</p> <p> <a href="https://support.1password.com/reports/#create-a-domain-breach-report" class="call-to-action "> Read support page </a> </p> </div> <h3 id="usage-reports-for-team-membershttpssupport1passwordcomreportscreate-a-usage-report-for-a-team-member-or-vault"><a href="https://support.1password.com/reports/#create-a-usage-report-for-a-team-member-or-vault">Usage reports for team members</a></h3> <p>See what access team members have and ensure people only have as much access as they need to complete their work. 
Information found in the usage report:</p> <ul> <li>The number of vaults, groups, and items the team member can access.</li> <li>The vaults where the team member has accessed items.</li> <li>When items were last accessed and the action performed.</li> </ul> <div class="download-feature"> <p>Learn about team member usage reports.</p> <p> <a href="https://support.1password.com/reports/#create-a-usage-report-for-a-team-member-or-vault" class="call-to-action "> Read support page </a> </p> </div> <h3 id="usage-report-for-vaulthttpssupport1passwordcomreportscreate-a-usage-report-for-a-team-member-or-vault"><a href="https://support.1password.com/reports/#create-a-usage-report-for-a-team-member-or-vault">Usage report for a vault</a></h3> <p>Get a list of items showing when they were last accessed, the action performed, and the team member who performed the action.</p> <div class="download-feature"> <p>Learn about vault usage reports.</p> <p> <a href="https://support.1password.com/reports/#create-a-usage-report-for-a-team-member-or-vault" class="call-to-action "> Read support page </a> </p> </div> <h3 id="sign-in-attempts-reporthttpssupport1passwordcomreportscreate-a-sign-in-attempts-report"><a href="https://support.1password.com/reports/#create-a-sign-in-attempts-report">Sign-in attempts report</a></h3> <p>Identify sign-in attempts over the past 60 days to see sign-ins that:</p> <ul> <li>Are blocked or reported by firewall rules.</li> <li>Failed because the 1Password app is outdated.</li> <li>Failed due to an incorrect 1Password account password, Secret Key, or second factor.</li> </ul> <div class="download-feature"> <p>Learn about sign-in attempt reports.</p> <p> <a href="https://support.1password.com/reports/#create-a-sign-in-attempts-report" class="call-to-action "> Read support page </a> </p> </div> <h3 id="team-reporthttpssupport1passwordcomreportscreate-a-team-report"><a href="https://support.1password.com/reports/#create-a-team-report">Team report</a></h3> <p>See the 
number of people, groups, and vaults in the 1Password account, and get a list of every team member and guest to help identify how the team is using the account and whether adjustments need to be made. Data included in the team report:</p> <ul> <li>Their current status.</li> <li>When they last signed in.</li> <li>The number of devices they’ve signed in with.</li> <li>The number of items in their Employee vault.</li> <li>If they’ve turned on two-factor authentication.</li> <li>If they’ve redeemed their free 1Password Families membership.</li> </ul> <div class="download-feature"> <p>Learn about team reports.</p> <p> <a href="https://support.1password.com/reports/#create-a-team-report" class="call-to-action "> Read support page </a> </p> </div> <h3 id="device-reporthttpssupport1passwordcomreportscreate-a-device-report"><a href="https://support.1password.com/reports/#create-a-device-report">Device report</a></h3> <p>A device report includes the number of active devices and outdated versions of 1Password used by team members. With this information, a security team can identify which team members are using outdated software and proactively prompt employees to update, potentially preventing a threat from taking advantage of outdated software.</p> <div class="download-feature"> <p>Learn about device reports.</p> <p> <a href="https://support.1password.com/reports/#create-a-device-report" class="call-to-action "> Read support page </a> </p> </div> <h3 id="overview-reporthttpssupport1passwordcomreportscreate-an-overview-report"><a href="https://support.1password.com/reports/#create-an-overview-report">Overview report</a></h3> <p>An overview report includes the number of people, vaults, and items in a business account, giving a comprehensive view of a company’s security posture. 
It also provides an account summary including:</p> <ul> <li>Team members and guests, and their current status.</li> <li>Items across all vaults.</li> <li>Employee and shared vaults.</li> <li>Groups.</li> <li>Trusted devices.</li> <li>Secure files and the amount of storage used.</li> </ul> <div class="download-feature"> <p>Learn about overview reports.</p> <p> <a href="https://support.1password.com/reports/#create-an-overview-report" class="call-to-action "> Read support page </a> </p> </div> <h2 id="activity-log">Activity Log</h2> <p>In addition to reports, those taking advantage of the 14-day free trial will also get access to the Activity Log. Businesses will gain insight into important end user actions and events in the 1Password account, such as when team members view reports, attempt to sign in to 1Password from a new country, or set up 1Password on new devices.</p> <p>There are more than 30 activities available. Check out the <a href="https://support.1password.com/activity-log/#read-the-activity-log">complete list of Activity Log activities</a> that make it possible to monitor events happening to a team, so that risks can be identified early and threats prevented later.</p> <h2 id="start-your-1password-reports-trial">Start your 1Password reports trial</h2> <p>Administrators of 1Password Teams and Teams Starter Pack (TSP) accounts set up for payment via direct billing using a credit card, debit card, or ACH can take advantage of this <a href="https://support.1password.com/reports-trial/">14-day free trial</a> today by choosing Reports in the account sidebar and following our <a href="https://support.1password.com/reports-trial/#start-your-free-trial">support instructions</a>.</p> <p>The trial doesn’t begin until you select “Start my free trial”, so there’s time to better understand 1Password reports and the Activity Log. 
<a href="https://1password.com/contact-us?utm_medium=product&amp;utm_ref=trial-reports">Reach out to our Sales Team</a> today and they can help answer any questions about this opportunity.</p></description></item><item><title>Expanding accessibility standards at 1Password</title><link>https://blog.1password.com/digital-accessibility/</link><pubDate>Wed, 02 Oct 2024 00:00:00 +0000</pubDate><author>info@1password.com (1Password)</author><guid>https://blog.1password.com/digital-accessibility/</guid><description> <img src='https://blog.1password.com/posts/2024/digital-accessibility/header.png' class='webfeedsFeaturedVisual' alt='Expanding accessibility standards at 1Password' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Making a product and website accessible means making a site or app as usable as possible for everyone, regardless of their physical or cognitive disabilities.</p> <p>Disabilities can include:</p> <ul> <li>Hearing impairments like being deaf or hard of hearing.</li> <li>Vision impairments like low vision, color blindness, and myopia.</li> <li>Cognitive disabilities like autism, dyscalculia, dyslexia, and memory loss.</li> </ul> <p>When it comes to 1Password, giving everyone equal access and equal opportunity to use and benefit from our products strengthens our commitment to making online security easier for everyone.</p> <h2 id="accessibility-is-a-win-for-everyone">Accessibility is a win for everyone</h2> <p>One of the many benefits of designing for people with disabilities is that making things more accessible and improving usability is actually better for everyone.</p> <p>This is called <a href="https://uxdesign.cc/the-curb-cut-effect-universal-design-b4e3d7da73f5">the curb-drop effect</a>.</p> <p>The name comes from the pavement curb-drops you see on sidewalks originally being designed for people who use wheelchairs – but in reality, these ramps are also taken advantage of by people with 
strollers, bikes, carts, and more, significantly improving the experience for everyone.</p> <p>Can you even imagine a world without curb-drops now?</p> <p>Apps and websites can be looked at the same way. For example, adding captions to videos is meant to make content accessible for people who have hearing impairments – however, video captions are used by many, like people who may be on their mobile device in a noisy area, need to keep the volume down, or might just prefer to read along.</p> <p>When it comes down to it, planning, writing, and designing for accessibility isn’t just the right thing to do, but it’s also a great benefit to every one of us.</p> <h2 id="why-accessibility-matters-to-1password">Why accessibility matters to 1Password</h2> <p>In 2023, <a href="https://www.who.int/news-room/fact-sheets/detail/disability-and-health">1.3 billion people globally</a> (16% of the global population and 26% of the U.S. population) identified as having a disability.</p> <p>Part of 1Password’s mission is building a safer, simpler digital future for everyone, and that means <em>everyone</em>. With such a large portion of the population having disabilities, it’s very important that the experience of using 1Password is designed to be inclusive and accessible to all.</p> <p>Because of this, 1Password is committed to meeting the accessibility needs of both employees and customers with disabilities to create a better and more inclusive experience. 
We are constantly working on improving these practices internally as well as in 1Password products and web pages.</p> <h2 id="what-accessibility-at-1password-looks-like">What accessibility at 1Password looks like</h2> <p>At 1Password, one of our core values is putting people first, and we believe in building a diverse and inclusive community built on trust, support, and respect.</p> <p>There are several ways 1Password works to create an accessible and equitable culture and workplace:</p> <ul> <li>Various employee resource groups (ERGs) and employee community groups (ECGs), including The Disability Alliance ERG, which welcomes allies and individuals who identify as having a disability.</li> <li>Updated accessibility training for all our employees, as needed.</li> <li>Assistive technologies for employees with disabilities, along with closed captioning for virtual meetings.</li> <li>Flexible, remote working, a wellness spending account, a generous PTO policy, company-wide wellness days off scheduled throughout the year, a Wellness Coach membership, and comprehensive health coverage for all employees to use in any way that best fits their various needs.</li> </ul> <h2 id="how-were-making-1password-more-accessible">How we’re making 1Password more accessible</h2> <p>Improving our accessibility standards means that we’re always thinking about how we can incorporate accessibility best practices into how we build 1Password.</p> <p>Now, our design systems and processes help us consider an inclusive user experience whenever we plan and develop features across our products.</p> <p>We now complete regular accessibility audits and remediation cycles to solve any accessibility issues across our products.</p> <p>This helps us ensure conformance to the <a href="https://www.wcag.com/">Web Content Accessibility Guidelines (WCAG)</a> 2.0/2.1 Level A/AA standards developed by the World Wide Web Consortium (W3C) Web Accessibility Initiative (WAI). 
In the past year, we’ve also made hundreds of accessibility improvements to both the 1Password apps and our website, 1Password.com.</p> <p>This includes enhancements focused on:</p> <ul> <li>Improving keyboard functionality so content can be operated through a keyboard or alternative keyboard.</li> <li>Implementing a contrast ratio of at least 4.5:1, and 3:1 for large-scale text to support people with moderately low vision.</li> <li>Adjusting the presentation formatting to be more adaptable to meet the needs of people who may use a screen reader or other assistive technologies.</li> <li>Improving the alternative text (alt text) on 1Password.com. Using an accessibility style guide for 1Password content.</li> </ul> <h2 id="whats-next-for-accessibility">What’s next for accessibility?</h2> <p>Our goal is to make a password manager that everyone, including people with disabilities, can benefit from, so we’re continually working towards making our 1Password products and web pages easier to understand and navigate.</p> <p>We’ve already identified and made lots of accessibility updates to 1Password, but we know there are always more ways to improve. We would love to hear from you so we can keep making 1Password truly accessible to all. If you’d like to share feedback with us about any accessibility issues you’ve found or an accessibility feature you’d like to see included, please reach out to <a href="mailto:accessibility@1password.com">accessibility@1password.com</a>.</p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Ready to protect yourself?</h3> <p class="c-call-to-action-box__text"> Keep all of your accounts secure with 1Password, the most-used password manager. Get started today with a free 14-day trial. 
</p> <a href="https://1password.com/pricing/" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Try free for 14 days </a> </div> </section></description></item><item><title>NIST proposed password updates: What you need to know</title><link>https://blog.1password.com/nist-password-guidelines-update/</link><pubDate>Tue, 01 Oct 2024 00:00:00 +0000</pubDate><author>info@1password.com (1Password)</author><guid>https://blog.1password.com/nist-password-guidelines-update/</guid><description> <img src='https://blog.1password.com/posts/2024/nist-password-guidelines-update/header.png' class='webfeedsFeaturedVisual' alt='NIST proposed password updates: What you need to know' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p><em>This article will be updated over time as NIST password requirements continue to evolve.</em></p> <p>The latest draft of the <a href="https://pages.nist.gov/800-63-4/sp800-63b.html">National Institute of Standards and Technology (NIST) password guidelines</a> aims to simplify password management by eliminating outdated practices and providing clearer guidance on best practices.</p> <aside class="c-technical-aside-box c-technical-aside-box--background" aria-labelledby="tldr-what-to-know-about-the-updated-password-guidance"> <h2 class="c-technical-aside-box__title" id="tldr-what-to-know-about-the-updated-password-guidance"> TL;DR: What to know about the updated password guidance </h2> <div class="c-technical-aside-box__description"> <p><strong>Start:</strong></p> <ul> <li>Require passwords to be a minimum of eight characters, with a recommended minimal length of 15 characters.</li> <li>Allow passwords to be up to 64 characters long.</li> <li>Accept <em>all</em> printing ASCII [RFC20] characters and the space character in passwords.</li> <li>Accept Unicode [ISO/IEC 10646] characters in passwords, with each Unicode code point 
counting as a single character towards password length.</li> </ul> <p><strong>Stop:</strong></p> <ul> <li>Stop requiring arbitrary composition rules, such as mandatory special characters or a mix of character types (letters, numbers, symbols).</li> <li>Stop requiring mandatory password resets on set intervals unless there is evidence of compromise.</li> <li>Stop storing password hints where an unauthenticated user can see them.</li> <li>Stop prompting users for knowledge-based authentication or security questions when choosing passwords.</li> <li>Do not truncate passwords (in other words, verify the <em>entire</em> password).</li> </ul> <p><strong>Continue:</strong></p> <ul> <li>Offering guidance to subscribers to assist with choosing strong passwords.</li> <li>Using encryption and authenticated protected channels when requesting passwords.</li> <li>Allowing the use of password managers, as they have been shown to increase the likelihood that users choose strong passwords.</li> </ul> </div> </aside> <h2 id="nist-password-guidelines-a-primer">NIST password guidelines: A primer</h2> <p>Before we jump into the breakdown of the NIST requirements, it’s worth understanding the <a href="https://pages.nist.gov/800-63-4/sp800-63b.html#def-and-acr">language NIST uses</a> when defining password requirements.</p> <ul> <li><strong>Verifier:</strong> The entity that verifies a claimant’s identity by checking their possession and control of an authenticator (a password, for example).</li> <li><strong>Credential service provider (CSP):</strong> The entity responsible for registering authenticators, such as passwords, to subscriber accounts (this may be a third party).</li> <li><strong>Authenticator:</strong> The item used to authenticate a subscriber to an account (such as a password or passkey).</li> </ul> <h2 id="password-length-and-complexity-requirements">Password length and complexity requirements</h2> <ul> <li>Verifiers and CSPs SHALL require passwords to be a minimum of eight characters in length and SHOULD require passwords to be a minimum of 15 
characters in length.</li> <li>Verifiers and CSPs SHOULD permit a maximum password length of at least 64 characters.</li> <li>Verifiers and CSPs SHOULD accept all printing ASCII [RFC20] characters and the space character in passwords.</li> <li>Verifiers and CSPs SHOULD accept Unicode [ISO/IEC 10646] characters in passwords. Each Unicode code point SHALL be counted as a single character when evaluating password length.</li> <li>Verifiers and CSPs SHALL NOT impose other composition rules (e.g., requiring mixtures of different character types) for passwords.</li> </ul> <p>The first handful of updates are focused on password creation and its associated requirements. In terms of complexity and length, the updated guidance prioritizes length over the arbitrary complexity of requiring a mix of letters, numbers, and special characters. Note that the minimum length (eight characters) should still be considered weak, and <a href="https://blog.1password.com/how-long-should-my-passwords-be/">1Password’s password length guidance</a> is that passwords should be a minimum of 20 characters where possible.</p> <p>While the requirement for special characters is gone, the updated guidelines also widen the set of characters that can be used in a password. Accepting all printing ASCII characters (including symbols like !, @, &amp;), Unicode (including characters not used in English like Á, Ü, Ķ), and the space character enlarges the pool an attacker has to search, and therefore makes long passwords harder to crack. One caveat: the benefit only applies to characters that actually get used. A generated password draws from the whole pool; a human-chosen one rarely does, which is why length and randomness matter more than the size of the alphabet. Counting length by code point also matters in practice: a password like “pässwörd” is eight characters to the user but ten bytes in UTF-8, so a verifier that counts bytes will misjudge both the minimum and the maximum length.</p> <h2 id="password-rotation-requirements">Password rotation requirements</h2> <ul> <li>Verifiers and CSPs SHALL NOT require users to change passwords periodically. 
However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.</li> </ul> <p>NIST has recommended for years that organizations drop the requirement that users periodically rotate their passwords. Requiring a new password every few months has been shown to hurt password strength, because it pushes users toward easy-to-remember passwords that are updated with minimal, predictable changes. This latest update strengthens the language to “SHALL NOT” require, emphasizing the need to retire this dated practice. The one exception is evidence that a password or credential has been compromised, in which case a forced change is required.</p> <h2 id="security-questions-and-hint-requirements">Security questions and hint requirements</h2> <ul> <li>Verifiers and CSPs SHALL NOT permit the subscriber to store a hint that is accessible to an unauthenticated claimant.</li> <li>Verifiers and CSPs SHALL NOT prompt subscribers to use knowledge-based authentication (KBA) (e.g., “What was the name of your first pet?”) or security questions when choosing passwords.</li> </ul> <p>Account creation often asks users to pick from a set of security questions that can be used to recover the account should the password be forgotten. The answers are frequently public or guessable, which makes them a weaker authenticator than the password they are meant to recover. The latest NIST guidelines recommend doing away with these prompts, and direct that password hints not be stored anywhere an unauthenticated party can read them.</p> <h2 id="password-verification-requirements">Password verification requirements</h2> <ul> <li>Verifiers SHALL verify the entire submitted password (i.e., not truncate it).</li> </ul> <p>Truncation happens when a verifier checks only a prefix of the submitted password, rather than the whole string, at the time of authentication. 
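</p> <p>To make the length, character-set and full-verification rules above concrete, here is an added example (not 1Password code and not taken from the NIST document) that implements them as a registration and verification routine. It measures length in Unicode code points, accepts printing ASCII, the space and non-control Unicode, applies no composition rule, hashes the whole password, and includes a black-box check that tells a full verifier apart from one that silently keeps only a prefix. The minimum of 15, the rejection of control characters, the NFKC normalization step (which the NIST document recommends but the summary above does not cover), PBKDF2 as the hashing scheme and its iteration count are this example’s own choices; the sample passwords are constructed.</p>

```python
"""Password policy and verification checks modelled on the SP 800-63B-4 draft
rules discussed above.  Added example for illustration, not 1Password code."""

import hashlib
import hmac
import os
import unicodedata

MIN_LEN = 15             # NIST: SHALL be >= 8, SHOULD be >= 15 (the SHOULD is used here)
MAX_LEN = 64             # NIST: SHOULD permit a maximum of at least 64
PBKDF2_ROUNDS = 200_000  # assumption: any slow, length-unbounded KDF would do


def is_acceptable_char(ch: str) -> bool:
    """Printing ASCII (RFC 20) and the space are always accepted.  Any other
    Unicode code point is accepted too, except control characters (category
    Cc); refusing controls is this example's choice, not a NIST rule."""
    cp = ord(ch)
    if 0x20 <= cp <= 0x7E:
        return True
    return cp > 0x7F and unicodedata.category(ch) != "Cc"


def policy_violations(password: str) -> list[str]:
    """Return the reasons a password fails the policy; [] means accepted.

    len() on a Python str counts code points, which is exactly how NIST says
    length is measured.  Counting bytes (or UTF-16 units) would misjudge any
    non-ASCII password.  No composition rule is applied: NIST says SHALL NOT.
    """
    problems = []
    n = len(password)
    if n < MIN_LEN:
        problems.append(f"too short: {n} code points, minimum {MIN_LEN}")
    if n > MAX_LEN:
        problems.append(f"too long: {n} code points, maximum {MAX_LEN}")
    rejected = sorted({f"U+{ord(c):04X}" for c in password if not is_acceptable_char(c)})
    if rejected:
        problems.append("disallowed characters: " + ", ".join(rejected))
    return problems


def _normalize(password: str) -> bytes:
    # NIST recommends Unicode normalization (NFKC or NFKD) before hashing so
    # the same word typed on different keyboards compares equal.  NFKC here.
    return unicodedata.normalize("NFKC", password).encode("utf-8")


def _kdf(secret: bytes, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret, salt, PBKDF2_ROUNDS)


def register(password: str) -> tuple[bytes, bytes]:
    """Create a salted record over the ENTIRE password (the correct behaviour)."""
    problems = policy_violations(password)
    if problems:
        raise ValueError("; ".join(problems))
    salt = os.urandom(16)
    return salt, _kdf(_normalize(password), salt)


def verify(record: tuple[bytes, bytes], attempt: str) -> bool:
    salt, digest = record
    return hmac.compare_digest(_kdf(_normalize(attempt), salt), digest)


def legacy_register(password: str) -> tuple[bytes, bytes]:
    """The anti-pattern the text warns about, constructed here for contrast:
    only the first eight characters ever reach the hash, so the rest are ignored."""
    salt = os.urandom(16)
    return salt, _kdf(_normalize(password[:8]), salt)


def legacy_verify(record: tuple[bytes, bytes], attempt: str) -> bool:
    salt, digest = record
    return hmac.compare_digest(_kdf(_normalize(attempt[:8]), salt), digest)


def truncates(register_fn, verify_fn, password: str = "correct horse battery staple!") -> bool:
    """Black-box check you can run against any verifier you hold an account on:
    register, then sign in with only the LAST character changed.  Success means
    the tail of the password is never compared."""
    record = register_fn(password)
    tampered = password[:-1] + ("x" if password[-1] != "x" else "y")
    return verify_fn(record, tampered)


if __name__ == "__main__":
    print(policy_violations("short"))
    print(policy_violations("Á Ü Ķ with spaces and émojis 🔐"))
    print("full verifier truncates:", truncates(register, verify))
    print("legacy verifier truncates:", truncates(legacy_register, legacy_verify))
```

<p>Run it directly to see the policy results for a short ASCII password and a long Unicode one with spaces, followed by the truncation check: the full verifier answers False, the prefix-only one True. The same check, done by hand against a real login form with an account you own, is the quickest way to find out whether a service verifies the entire password.</p> <p>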
It is often a byproduct of technical limitations, such as a legacy storage format or a hashing scheme with a fixed input limit, but verifying only a subset of the password (eight of 20 characters, for example) means the remaining characters contribute nothing: the account is only as strong as the prefix, and the user has no way of knowing. A quick check is to change the last character of a known password and try to sign in; if it still succeeds, the verifier is truncating.</p> <h2 id="use-1password-to-meet-nist-password-requirements">Use 1Password to meet NIST password requirements</h2> <p>NIST has long encouraged the use of password managers as a password security best practice:</p> <blockquote> <p><em>Verifiers SHALL allow the use of password managers. Verifiers SHOULD permit claimants to use the “paste” functionality when entering a password to facilitate their use. Password managers have been shown to increase the likelihood that users will choose stronger passwords, particularly if the password managers include password generators <a href="https://pages.nist.gov/800-63-4/sp800-63b.html?utm_source=www.vulnu.com&amp;utm_medium=referral&amp;utm_campaign=nist-no-more-regular-password-resets-and-arbitrary-complexity-rules#ref-managers">[Managers]</a>.</em></p> </blockquote> <p><a href="https://1password.com/product/enterprise-password-manager">1Password Enterprise Password Manager</a> helps organizations meet the above guidelines in a variety of ways:</p> <ul> <li>Easily set password requirements, including minimum character count.</li> <li>Store and manage passwords for every login.</li> <li>Easily sign in to any account from any device, from any location.</li> </ul> <p>Get started securing passwords today with a <a href="https://1password.com/pricing">free 14-day trial</a>.</p></description></item><item><title>Cyberpsychologist Dr. 
Erik Huffman explains why social engineering attacks are so effective</title><link>https://blog.1password.com/human-side-cyberattacks-erik-huffman-interview/</link><pubDate>Mon, 30 Sep 2024 00:00:00 +0000</pubDate><author>info@1password.com (Jenn Marshall)</author><guid>https://blog.1password.com/human-side-cyberattacks-erik-huffman-interview/</guid><description> <img src='https://blog.1password.com/posts/2024/human-side-cyberattacks-erik-huffman-interview/header.png' class='webfeedsFeaturedVisual' alt='Cyberpsychologist Dr. Erik Huffman explains why social engineering attacks are so effective' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Social engineering works on all of us, regardless of how tech-savvy we are. Why is that? Dr. Erik Huffman, a founding researcher in the emerging field of cyberpsychology, the study of how the human brain works while in a cyber environment, has answers.</p> <p>Talking with Michael “Roo” Fey, Head of User Lifecycle &amp; Growth at 1Password on the <a href="https://randombutmemorable.simplecast.com/">Random But Memorable</a> podcast, Dr. Huffman revealed social engineering success involves some key factors like the different ways people can influence us, generational mindsets about privacy, and certain personality traits that make people more susceptible to psychological tactics.</p> <p>What can IT and cybersecurity professionals do to more effectively address the human side of security? 
Read the interview highlights below or listen to the <a href="https://randombutmemorable.simplecast.com/episodes/human-factor-authentication-pitch">full podcast episode</a> to learn about the most impactful strategies, including applying a little cyberpsychology to your day-to-day life.</p> <div style="text-align: center !important;"> <iframe src="https://www.youtube-nocookie.com/embed/fSdEycQXZgY?si=JNnmN3916z5C7loR" frameborder="0" allow="autoplay; encrypted-media" width="500px !important;" height="281px !important;" style="width: 500px !important; height: 281px !important; display: inline-block !important" allowfullscreen></iframe> </div> <p><em>Editor’s note: This interview has been lightly edited for clarity and brevity. The views and opinions expressed by the interviewee don’t represent the opinions of 1Password.</em></p> <p><strong>Michael Fey: “Cyberpsychologist” seems pretty niche. Did you invent the term, and how did you end up in that line of work?</strong></p> <p><strong>Dr. Erik Huffman:</strong> No, I don&rsquo;t think I invented the term. It&rsquo;s new but it&rsquo;s actually not new.</p> <p>If you think back to the old AOL dial-up days, when your mom would pick up the phone and kick you off the internet, the big virus then was <a href="https://edition.cnn.com/2020/05/01/tech/iloveyou-virus-computer-security-intl-hnk/index.html">the ILOVEYOU virus</a>. It was called that because you got an email and the title of the email was &ldquo;I Love You&rdquo;. We all said &ldquo;aww, who loves me?&rdquo; We clicked on those links and fell victim to social engineering, which is a type of psychological attack.</p> <p>But how did I get to doing what I do today? I was an IT manager for a large organization, and I received my bachelor&rsquo;s degree in computer science. I started as a network technician, driving store to store, fixing things. 
Then I received my master&rsquo;s degree in IT management.</p> <blockquote> <p><em>&ldquo;I initially thought, just like most people fresh out of college, that only dumb people get hacked.&quot;</em></p> </blockquote> <p>I initially thought, just like most people fresh out of college, that only dumb people get hacked. Only bad organizations get hacked. And then I found out I sucked at my job because we got hacked. I started thinking, am I stupid? Then I was like, OK, anyone can get hacked once. But then we got hacked again like three months later.</p> <p>My researcher brain kicked in. I started thinking, OK, not just bad organizations get hacked, not just &ldquo;stupid&rdquo; users get hacked. I started thinking about what’s changed, what hasn&rsquo;t changed? There’s the cliche that technology is evolving at an exponential rate – duh, we all know that.</p> <p>When I started unpacking what had changed, I realized computers had changed, processors had changed, networks had changed, IDS systems changed, IPS systems changed. The only thing that has stayed the same is us.</p> <p>When you think about the rate of data breaches and the rate of innovation, they mirror each other. The number of records lost has gone up, the rate of innovation has gone up, the rate of technology has gone up. One would think, if you&rsquo;re just looking at the numbers, that innovation is not helping, it&rsquo;s actually hurting.</p> <blockquote> <p><em>&ldquo;Let’s look at the people and see how we&rsquo;re contributing to our own problems and data breaches.&quot;</em></p> </blockquote> <p>But we know that&rsquo;s not true. It’s not true to say, hey, your spam filter, or your IPS system, or your password manager is a problem. So instead, let’s look at the people and see how we&rsquo;re contributing to our own problems and data breaches.</p> <p>That unpacked an entire world for me. I&rsquo;m blessed and thankful for it. 
But yeah, my path started when I sucked at my job, being honest.</p> <p><strong>MF: Once you took a step back and thought about the human element, what hooked you in? What made you think yes, this is what I want to focus on?</strong></p> <p><strong>EH:</strong> The hook was when I found that it exists! That there are legitimate studies that can help us figure out how we could get a little bit better, person by person. For my first study, I went to Black Hat and started asking hackers: how do you start attacking organizations?</p> <blockquote> <p><em>&ldquo;98% of [hackers] said, we start with people instead of technology.&quot;</em></p> </blockquote> <p>98% of them said, we start with people instead of technology. So I started weighing out what we do as IT and cybersecurity professionals versus what the hackers are doing, and it’s not even close to matching up.</p> <p>A lot of our initial thoughts were, “I need to patch this system.” There&rsquo;s even a term: human patching. We need to try to patch the people. Once I started looking at that, I&rsquo;m like, we&rsquo;re actually going about this the wrong way for the everyday attack.</p> <p>I&rsquo;m not talking about the crazy nation-state attacks where they&rsquo;re sitting in their mom&rsquo;s basement, Cheetos dust everywhere, and sipping Mountain Dew. Those people exist. One hundred percent. Those are dangerous threats as well. We shouldn’t say we should stop technological development.</p> <p>But even this year, the Verizon data breach report says over 86% of attacks have a human element involved. 
Humans are still contributing to data breaches in a massive way that technology isn&rsquo;t ready to patch yet.</p> <div style="text-align: center !important;"> <iframe src="https://www.youtube-nocookie.com/embed/FrNLE1Ixgak?si=xBi3x1iTtoZ5Gcjx" frameborder="0" allow="autoplay; encrypted-media" width="500px !important;" height="281px !important;" style="width: 500px !important; height: 281px !important; display: inline-block !important" allowfullscreen></iframe> </div> <p><strong>MF: There is a generation that knew a time before and after the internet. How do you see the differences between those two generations and mindsets?</strong></p> <p><strong>EH:</strong> My research shows that the older generation is actually less susceptible to social engineering than the younger generations. They respect their privacy, they respect their social security number and all that stuff. They don’t want to put it on the Google machine.</p> <blockquote> <p><em>&ldquo;The older generation is actually less susceptible to social engineering than the younger generations.&quot;</em></p> </blockquote> <p>There&rsquo;s certainly a lot of social engineering going on with all of us. But what I found is that when we start talking about targeted attacks to reveal financial information, sometimes you’ve got to do a little bit more work for the older generation, because that social security number and bank account number are huge to unpack.</p> <p>On the other hand, it’s not weird for me if someone asks: &ldquo;Hey, fill out this form and put in your bank account number and your routing information.&rdquo; That&rsquo;s what I&rsquo;ve grown up with. But those before the internet, man, that social security number, that bank account information, they&rsquo;re going to want to go into the bank to talk to somebody to have that transaction happen. 
Us younger folks, the less we can talk to people, the better.</p> <blockquote> <p><em>&ldquo;I don&rsquo;t believe in there being a more secure generation. It&rsquo;s just different avenues of attack.&quot;</em></p> </blockquote> <p>There&rsquo;s a paradigm there. Not to say that the older generation is way more secure. I don&rsquo;t believe in there being a more secure generation. It&rsquo;s just different avenues of attack, different psychological barriers to break through for different folks. You&rsquo;re going to have to probably work a little bit harder to get there.</p> <p><strong>MF: I see that in my own mom. I’m amazed at how many times she has shut down scammers. She has a hardwired point of view that she won’t share information. If she wants something, she&rsquo;ll come to you as a customer.</strong></p> <p><strong>EH:</strong> Yes, that&rsquo;s one of the biggest differences. With that study it was fascinating to me that while we think that the technology natives are used to this stuff, they also are so comfortable that it gives attackers a psychological advantage. Our psychological defenses begin to go down when we’re talking to unfamiliar people online because we&rsquo;re usually still at home, we&rsquo;re in this comfort area of being in our chairs, in pajamas, laying on the couch, whatever.</p> <blockquote> <p><em>&ldquo;Our psychological defenses begin to go down when we’re talking to unfamiliar people online because we&rsquo;re usually still at home.&quot;</em></p> </blockquote> <p>Also, when you&rsquo;re online, the person is more prone to listen. And especially if you&rsquo;re writing through text, the default voice you read in is your own. 
You&rsquo;re reading in a comfortable zone, in a comfortable voice, and you&rsquo;re supposed to make the right decision.</p> <p>It’s tough for us technology natives to think about the internet as a scary place when most times it&rsquo;s not, because you&rsquo;re on social media talking to some friends or you&rsquo;re looking up something online, you&rsquo;re watching YouTube and you&rsquo;re just chilling. An attacker comes along when you&rsquo;re just chilling and you&rsquo;re like: &ldquo;Hey, what does this person want? Oh, Fantasy Football, OK, yeah, I&rsquo;ll sign up for that. I&rsquo;m going to use the same password that I always use, because that&rsquo;s what I do.” And then, boom, next thing you know: data breach.</p> <p><strong>MF: Is comfort the main thing that attackers are taking advantage of? Or are there other tactics that are being employed?</strong></p> <p><strong>EH:</strong> There&rsquo;s a ton. Comfort definitely helps. The most impactful principle of influence, in my opinion, is the “liking” principle of influence. That is, the more you like someone, the more likely they are to influence your behavior.</p> <p>For example, because you like your friends, you act differently around them than you do around people you don&rsquo;t know. Now, especially with AI, a social engineer can make themselves look like however they want to look, like a handsome man or a beautiful woman. You see that and you begin to like that person, and they influence your behavior although you&rsquo;ve never really seen or heard that person. That’s dangerous, because people fall victim to scams because their &ldquo;friends&rdquo; said to do something.</p> <p>Just a name can make you feel something and act. You see the name you like and you’re like: &ldquo;Hey, what&rsquo;s going on, man?&rdquo; And they can say an inside joke and you laugh and you smile at it.</p> <p>Take that to the workplace. 
If the CEO sends you an email and you&rsquo;re fearful of your job because there&rsquo;s layoffs everywhere, and the CEO&rsquo;s like: &ldquo;Hey, I need you to transfer $500,000 to this company. Do this right now. We need this deal ASAP.&rdquo; Some people fall victim to that. Some people do think twice, but you have to have a certain relationship with a person to say: &ldquo;Hey, do you really need that?&rdquo;</p> <p>Another principle of influence is reciprocity. You do something for me and I feel obligated to do something back. For example, when you go to a car dealership and they offer you water, coffee, popcorn, and cookies, you are more likely to buy a car because they gave you something for free.</p> <blockquote> <p><em>&ldquo;Scammers will give you something or they’ll help you out in some regard. You&rsquo;re then more likely to help them.&quot;</em></p> </blockquote> <p>Scammers will give you something or they’ll help you out in some regard. You&rsquo;re then more likely to help them because they helped you. They gave you a little bit, so you&rsquo;re going to just open the door for them.</p> <p>Scarcity is another one. That&rsquo;s why when you go to Amazon or eBay they say, &ldquo;Hey, there&rsquo;s one left.&rdquo; And it&rsquo;s always in red letters! Or with cars – they only make a hundred cars and so they&rsquo;re worth 10 times more. You may not even like the car, but you&rsquo;re going to want it because it&rsquo;s scarce.</p> <p>Authority influences behavior as well, like “do this or else”. We see a lot of that in government organizations. If you’re general so-and-so, your leadership style is authoritarian, and people are scared of you, they&rsquo;re going to listen to what you have to say. But they&rsquo;re also going to be highly susceptible to social engineering attempts, because they&rsquo;re going to be scared when they see your name. 
They&rsquo;re going to be like, “Oh my God, I’ve got to do this right now.”</p> <p><strong>MF: With the principles of influence, have you found that there are personality traits that make people more susceptible to being victims of attacks?</strong></p> <p><strong>EH:</strong> Yes, there are six personality traits that I’ve found for cyber victims. Whenever I start delivering talks like this, I start talking about personality traits. People are like: &ldquo;But that’s not me.&rdquo; They feel attacked. So let me preface this by saying, none of these personality traits are bad.</p> <p>The number one personality trait is extraversion. The more extroverted you are, the more likely you are to be a victim of social engineering. If you&rsquo;re willing to talk to people you&rsquo;ve never met face to face, you&rsquo;re more willing to talk to an attacker.</p> <p><strong>MF: I&rsquo;m just going to take some notes here, Erik, so I can check off things that you&rsquo;re saying about me as you go through this list!</strong></p> <p><strong>EH:</strong> It&rsquo;s all good! So, the more agreeable you are, the more likely you are to fall victim to someone telling you something that is not accurate.</p> <p>How impulsive you are is massive. If you&rsquo;re the type to impulse buy, you might be the type to impulse click. We see that in new variants of ransomware, where they’re trying to get that level of anxiety and impulsiveness up by saying stuff like “you owe us one Bitcoin, which is like eleventy billion dollars, and in 72 hours it&rsquo;s going to double and then in 100 hours it’s going to double on top of that.” Then, when you’ve got three hours left, the CEO is like: &ldquo;Screw it, pay. Pay, we need our stuff back.&rdquo;</p> <blockquote> <p><em>&ldquo;If you&rsquo;re the type to impulse buy, you might be the type to impulse click.&quot;</em></p> </blockquote> <p>Also, openness to new experiences. 
If you like to try new things out or do new things, you&rsquo;re more likely to fall victim to a social engineering attempt.</p> <p>The harshest one for people to swallow is emotional stability. The more emotionally stable you are, the more likely you are to fall victim to a social engineering attempt. Of course, emotional stability is a very good thing.</p> <p>But if you&rsquo;re at a point of emotional instability, it’s actually going to be hard for a social engineer to get you to work with them. You&rsquo;re going to be so all over the place – sad, upset – you&rsquo;re going to respond sometimes and you&rsquo;re not going to respond sometimes. It&rsquo;s hard to get a person who’s emotionally unstable to operate in a straight line.</p> <p><strong>MF: Is there hope? Where do we go from here? How do we help people?</strong></p> <p><strong>EH:</strong> There is 100% hope. What it starts with is introspection. You have to understand yourself and understand how you could be victimized. This level of arrogance that we have on the security professional side isn’t good. You can’t say it only happens to people who are stupid users or people who don&rsquo;t understand the technology. That’s actually false. If social engineering is impactful for 80% or 90% of all data breaches, cyber professionals, we are a big portion of that as well!</p> <p>When we conduct social engineering or phishing campaigns in the workplace, often we say, “Hey, you clicked, you go on the wall of shame, take our remedial training,” which is like ‘click next’ eight times and get your gold star!</p> <p>Instead, ask that person why they clicked. You&rsquo;ll hear things that will absolutely blow your mind. 
If you spoof the CEO, you might hear: &ldquo;I&rsquo;m scared for my job.&rdquo; If you unpack that, then you need to talk to the person in charge and say: “You need to calm everyone down and tell them there won’t be any layoffs.” Because at this point, we’ve got this human vulnerability that technology can&rsquo;t patch.</p> <p>Every phishing campaign that I do for an organization, we always meet with the person who clicks, because I want to understand why and how we can address that.</p> <blockquote> <p><em>&ldquo;Help them understand how they could be victimized and then practice how you fight.&quot;</em></p> </blockquote> <p>What level of care do you need to take? When we hire people, we run background checks. Why do we run background checks? We want to make sure their credit&rsquo;s good, make sure they&rsquo;re not a criminal, see if they&rsquo;re honest. But that&rsquo;s just a screenshot at that moment in time. Ten years later, when that person is still in that organization, they&rsquo;re a totally different person. You need to understand who they are if you want to be able to secure the organization. Instead of just saying &ldquo;hey, look at the email header,&rdquo; or &ldquo;this is the type of attack going out,&rdquo; help them understand how they could be victimized and then practice how you fight.</p> <p><strong>MF: I like that framing and emphasizing introspection so people can understand how they could be susceptible, no matter what the attack is. Because the types of attacks are going to continue to evolve and change.</strong></p> <p><strong>EH:</strong> And then, see what it takes to secure that endpoint, because your endpoint is not just your computer. The endpoint is the person. What&rsquo;s it going to take to help that person out? 
If you don’t do this, what&rsquo;s going to happen is the attacker is going to make them assist them in their data breach.</p> <blockquote> <p><em>&ldquo;The endpoint is the person.&quot;</em></p> </blockquote> <p>It&rsquo;s like the equivalent of unlocking the door for someone, having them rob you, and then being mad that you just got robbed. Like, dude, you opened the door.</p> <p>We can&rsquo;t be OK with that. You’ve got to talk to that person, see what psychological vulnerabilities are there, and then start training them to that. Not everyone is susceptible to the same things. What&rsquo;s going to get me is not what&rsquo;s going to get you. We&rsquo;re different people, but we all can get had at some point in time.</p> <p><strong>MF: Can you talk about this concept of human factor authentication? What is it and what does it mean?</strong></p> <p><strong>EH:</strong> Human factor authentication is a term that I coined that I absolutely love. It’s the checks that we have in our mind to determine, is this person safe? Is this real or not?</p> <p>What you do when you&rsquo;re first online are checks for human factor authentication. You look, you see the name. Do you trust the name? If you trust the name, then you begin to feel, and then from there, you begin to read. Initially, we all read in our own voice, unless you really know the person. If I see something from my mom, my brother, my wife, I read, and I begin to read in their tone. If the tone sounds off or there are a ton of grammatical errors, then you&rsquo;ve lost me.</p> <p>If I got something that seemed off from you, I&rsquo;m probably going to reach out to you and say: &ldquo;Hey, man, we&rsquo;re supposed to have that podcast. I got this email. 
Is this you?&rdquo;</p> <p><strong>MF: I have to imagine that AI and deep fakes, voice replication and stuff like that can create some really unique challenges.</strong></p> <p><strong>EH:</strong> Deep fakes and the emergence of commercialized, general AI is probably what scares me most because it leverages the comfort factor and also the anonymity. Now hackers can be anonymous, but they can also appear and sound however they want. This scares me because it&rsquo;s one thing for you to read the name, it&rsquo;s another thing for you to read the name and see the face. There’s a point in time where your guard&rsquo;s going to go down.</p> <p>This ends up taking that to another level where I could appear as your mother or I could appear as your brother, your cousin, someone that you know at work. I can sound like that person, and you can see, hear it, and you can have a conversation. That breaks down a lot of those psychological barriers that we have, and it makes it very real.</p> <div style="text-align: center !important;"> <iframe src="https://www.youtube-nocookie.com/embed/r0zHPpHRiro?si=wPAKJCk93x2CQ4oN" frameborder="0" allow="autoplay; encrypted-media" width="500px !important;" height="281px !important;" style="width: 500px !important; height: 281px !important; display: inline-block !important" allowfullscreen></iframe> </div> <p>There was this situation in Europe where the CFO had a deepfake conversation with another organization&rsquo;s CFO and transferred them a quarter of a million dollars. Totally fake! That’s going to cause a significant problem, because the speed of business has not slowed down to incorporate security.</p> <p>The speed of business continues to move forward, so this industry of AI, the goal is to appear so human-like you can&rsquo;t tell the difference. Attackers take that and flip it on its head and start exploiting us. It&rsquo;s like ransomware. We created encryption on the good guy side to protect data. 
Attackers use it and tell you that: &ldquo;Hey, we&rsquo;re going to lock your own stuff out. You&rsquo;re going to have to buy your stuff back.&rdquo;</p> <p><strong>MF: With people being the most vulnerable part of the networks, can people also be the superpower here? Is this something where we can turn our biggest vulnerability into our greatest strength?</strong></p> <p><strong>EH:</strong> I think that people actually have been our greatest strength. Everything you look at and say, “that&rsquo;s fake” – we&rsquo;re blocking a lot more attacks than we realize. I firmly believe if we start securing the human and we begin to see some progress – if 90% of attacks include the human element, and if we can cut that down to 70% – we&rsquo;ve changed the game. The economics of cybercrime will begin to tank. I firmly believe if we impact the economics of cybercrime, fewer people will do it and we’ll secure the world. There&rsquo;s just so much money in it now.</p> <p><strong>MF: Where can folks go to learn more about you and the work you&rsquo;re doing?</strong></p> <p><strong>EH:</strong> I have <a href="https://youtu.be/r0zHPpHRiro?si=wPAKJCk93x2CQ4oN">two</a> <a href="https://youtu.be/FrNLE1Ixgak?si=W7Qc77nZYUOY4U-Y">TED Talks</a> that are out on YouTube. Or you can go to <a href="https://www.drerikhuffman.com/">drerikhuffman.com</a> to find some of my latest research and all of my talks. If you&rsquo;re curious, feel free to shoot me a message and we can talk about how we&rsquo;re going to save the world together.</p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Subscribe to Random but Memorable</h3> <p class="c-call-to-action-box__text"> Listen to the latest news, tips and advice to level up your security game, as well as guest interviews with leaders from the security community. 
</p> <a href="https://randombutmemorable.simplecast.com/" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Subscribe to our podcast </a> </div> </section></description></item><item><title>Do corporate VPNs have a place in a zero trust world?</title><link>https://blog.1password.com/do-corporate-vpns-have-a-place-in-a-zero-trust-world/</link><pubDate>Fri, 27 Sep 2024 00:00:00 +0000</pubDate><author>info@1password.com (Kenny Najarro)</author><guid>https://blog.1password.com/do-corporate-vpns-have-a-place-in-a-zero-trust-world/</guid><description> <img src='https://blog.1password.com/posts/2024/do-corporate-vpns-have-a-place-in-a-zero-trust-world/header.png' class='webfeedsFeaturedVisual' alt='Do corporate VPNs have a place in a zero trust world?' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Corporate VPNs still provide value, but the rise of cloud-based SaaS apps has shifted the threat landscape since their heyday.</p> <blockquote> <p><strong>tl;dr:</strong> Many of the security concerns that made corporate VPNs a necessity in the 2000s are less important today. The rise of cloud-based SaaS apps has shifted the threat landscape, and security has broadly shifted to a Zero Trust model. Despite that, corporate VPNs still provide value and the companies that have them aren&rsquo;t rushing to get rid of them any time soon.</p> </blockquote> <p>Let me set the scene. As I write this blog post, I&rsquo;m streaming music on Spotify and listening via Bluetooth headphones. This is a pretty big improvement from my youth, which was full of scratched CDs and tangled headphone wires. But I still haven&rsquo;t gone totally digital; behind me sits an expensive record player and shelves full of vinyl. I love my record collection, and I&rsquo;m not alone. 
<a href="https://variety.com/2023/music/news/luminate-music-midyear-report-vinyl-sales-1235667540/">The staggering numbers</a> of LP sales show that vinyl has staying power, despite the availability of cloud-based alternatives.</p> <img src='https://blog.1password.com/posts/2024/do-corporate-vpns-have-a-place-in-a-zero-trust-world/rough-trade-nyc-record-store-day-2023.jpeg' alt='An image of people in line waiting for a record store to open.' title='An image of people in line waiting for a record store to open.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p><a href="https://blog.roughtrade.com/us/record-store-day-us-2023/">Source:</a> Rough Trade NYC&rsquo;s line for Record Store Day 2023</p> <p>This coexistence of the old guard and new is also taking place in the world of corporate data security. Think of records as corporate VPNs, and newer security models such as Zero Trust Network Access (<a href="https://www.gartner.com/en/information-technology/glossary/zero-trust-network-access-ztna-">ZTNA</a>) as streaming apps. The older technology is still around, but the average user has shifted to remote connections that don&rsquo;t require you to flip from side A to side B once the needle stops. (Okay, so it&rsquo;s not a perfect 1:1 comparison.)</p> <p>So what does that mean for the future of corporate VPNs? Where do they belong in today&rsquo;s security stack?</p> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div class="c-technical-aside-box__description"> <p>Note: This article is about corporate VPNs. Curious about the security issues around personal VPNs? 
<a href="https://blog.1password.com/personal-vpns-can-be-shady/">Check out our blog</a> on that very topic.</p> </div> </aside> <h2 id="the-rise-of-vpns">The rise of VPNs</h2> <p>The advent of the corporate VPN can be traced back to 1996, when <a href="https://www.techradar.com/features/the-evolution-of-the-vpn-and-its-importance-in-the-age-of-cloud-computing">TechRadar</a> writes that: &ldquo;&hellip;a Microsoft engineer by the name of Gurdeep Singh-Pall developed the Peer-to-Peer Tunneling Protocol (PPTP). The goal was to use IP addresses to switch network packets and offer employees a secure and private means of connecting to their organization&rsquo;s intranet.&rdquo; (PPTP actually stands for Point-to-Point Tunneling Protocol; it is now considered obsolete and insecure.) This was before HTTPS was widely deployed, when anyone on the same shared or public network could read the traffic passing over it.</p> <p>1Password VP of Product Jason Meller remembers that time.</p> <blockquote> <p>&ldquo;If you were on a public Wi-Fi or something like that, all of your traffic was just in the clear. Anybody who was on that same network could see exactly what you were doing and what pages you were looking at.&rdquo;</p> </blockquote> <blockquote> <p>&ldquo;Companies were really scared about that. They were like, &lsquo;Oh crap, people are going to be able to see the emails people are sending, or they&rsquo;ll be able to figure out stuff if they&rsquo;re listening to the network. We need to make sure all the traffic is encrypted.&rsquo; That&rsquo;s what a VPN allowed for.&rdquo;</p> </blockquote> <p>VPNs allowed workers to break free from the physical office building while still maintaining a connection to its servers and the corporate network. In that landscape, it&rsquo;s not hard to understand why, in the 2000s, VPNs were as ubiquitous as trucker hats and frosted tips. But innovation stands still for no one.</p> <h2 id="the-vpn-castle-comes-under-siege">The VPN castle comes under siege</h2> <p>By the 2010s, the circumstances that created VPNs began to change. 
&ldquo;The first thing that happened was mass proliferation of SaaS apps, and then the second thing was HTTPS got adopted everywhere,&rdquo; says Meller.</p> <p>Cloud-based SaaS apps were hosted outside the company&rsquo;s network, and had their own logins and security protocols, instead of being routed through the VPN. And HTTPS encrypted the traffic between the browser and each site that supported it, which made it harder to justify paying for a VPN as a second layer of encryption, except where employees connected over untrusted Wi-Fi.</p> <p>VPNs were also incompatible with a new technology on the rise. &ldquo;The executives all wanted iPhones,&rdquo; explains Meller. &ldquo;They wanted to get their email on their iPhones, and they weren&rsquo;t willing to go do this whole VPN dance. Not only were they not willing, iPhones weren&rsquo;t capable of even connecting to a VPN back then. So they started punching holes into them,&rdquo; Meller recounts.</p> <p>On top of that, VPNs had (and have) a fundamental security weakness: they authenticate once, at the perimeter, so a compromised credential or an exploited VPN appliance puts an attacker on the internal network with the same reach as a legitimate user. VPNs are part of a security paradigm commonly described as &ldquo;castle-and-moat.&rdquo; It&rsquo;s a model built around the idea of a private company network, protected from the internet at large by firewalls, IDS tools, and VPNs.</p> <p>Cloudflare <a href="https://www.cloudflare.com/learning/access-management/castle-and-moat-network-security/">describes</a> the security model like this: &ldquo;Imagine an organization&rsquo;s network as a castle and the network perimeter as a moat. Once the drawbridge is lowered and someone crosses it, they have free rein inside the castle grounds.&rdquo;</p> <p>Now, to push the metaphor, imagine that drawbridge was highly flammable and prone to swinging open on windy days. 
As they&rsquo;ve aged, corporate VPNs have become increasingly vulnerable; in fact, in 2016, <a href="https://www.theregister.com/2016/02/26/ssl_vpns_survey/">90% of SSL VPNs</a> were found to be &ldquo;hopelessly insecure,&rdquo; according to researchers, with problems like obsolete protocols and outdated encryption abounding. And of course, bad actors had never been shy about attacking VPNs, whether by exploiting VPN server vulnerabilities to deploy <a href="https://ics-cert.kaspersky.com/publications/reports/2021/04/07/vulnerability-in-fortigate-vpn-servers-is-exploited-in-cring-ransomware-attacks/">ransomware</a> or by good old-fashioned <a href="https://krebsonsecurity.com/2020/08/voice-phishers-targeting-corporate-vpns/">phishing</a> of VPN credentials.</p> <p>Before we move on, let&rsquo;s mention one final VPN flaw: they&rsquo;re annoying. While they&rsquo;re simple enough to roll out and implement at the admin level, VPNs are <a href="https://www.cloudflare.com/learning/access-management/vpn-speed/">notorious for causing latency issues</a> for end users.</p> <p>For a long time now, forward-thinking security practitioners have wanted multiple choke points to stop threats, not a single entry/exit. And the explosion of cloud apps enabled just that – each had its own authentication process to control access, and even if one employee&rsquo;s credentials were compromised on a single app, the others weren&rsquo;t at risk. (That was the theory, anyway. 
In reality, <a href="https://blog.1password.com/one-breach-one-leak/">poor password hygiene</a> created its own security problems, and led to the rise of SSO, MFA, and <a href="https://1password.com/product/passkeys?utm_source=google&amp;utm_medium=cpc&amp;utm_campaign=19853587186&amp;utm_content=651757510707&amp;utm_term=1password%20passwordless&amp;gad_source=1&amp;gclid=CjwKCAjwl6-3BhBWEiwApN6_kkQLcnQ6UBfdqFgxPOBR2LFEahOpUxwhmsqlJVzXtE01H6QGXoBiLhoCZzQQAvD_BwE&amp;gclsrc=aw.ds">passwordless authentication</a>.)</p> <p>Companies, specifically startups, faced a fork in the road, as an existing and tested security technology was beginning to compete against newer options.</p> <h2 id="enter-zero-trust">Enter zero trust</h2> <p>In 2009, Forrester analyst John Kindervag coined the term <a href="https://blog.1password.com/history-of-zero-trust/">&ldquo;zero trust&rdquo;</a>.</p> <p>Okta <a href="https://www.okta.com/blog/2019/01/what-is-zero-trust-security/">describes</a> zero trust as: &ldquo;&hellip;a security framework based on the belief that every user, device, and IP address accessing a resource is a threat until proven otherwise. Under the concept of &lsquo;never trust, always verify,&rsquo; it requires that security teams implement strict access controls and verify anything that tries to connect to an enterprise&rsquo;s network.&rdquo;</p> <p>Clearly, this approach to security is somewhat at odds with VPNs, where all users within a given network are treated as equally &ldquo;trusted&rdquo; as soon as they authenticate.</p> <p>In 2014, Google <a href="https://research.google/pubs/pub43231/">unveiled</a> its BeyondCorp initiative, and zero trust gained credibility as one of the biggest tech companies in the world decided it was good enough to protect them. 
And its popularity has only continued to mount in the decade since, culminating in a <a href="https://www.cisa.gov/topics/cybersecurity-best-practices/executive-order-improving-nations-cybersecurity">2021 Executive Order</a> directing US federal agencies to adopt a zero trust architecture (ZTA).</p> <p>Increasingly, businesses started to do without VPNs altogether. The model shifted away from on-premises servers, closed networks, and office buildings, and toward SaaS applications, cloud hosted infrastructure, and remote work. &ldquo;The reason we don&rsquo;t use/have need for a VPN, is due to the fact we don&rsquo;t have any self-hosted tools, software or servers and have a very IT literate team,&rdquo; says Josh Barber, a Digital Specialist at 5874 Commerce.</p> <h2 id="the-companies-using-vpns-today">The companies using VPNs today</h2> <p>But even as zero trust becomes the dominant model, the VPN has maintained a strong presence in enterprise security (even as infosec experts of all stripes have been predicting its &ldquo;death&rdquo; for <a href="https://www.itworldcanada.com/blog/the-demise-of-excess-access-a-eulogy-for-traditional-vpn/96655">over a decade now</a>).</p> <p>The COVID-19 pandemic was certainly the source of one recent bump in adoption. VPNs were a known quantity for companies scrambling to accommodate the sudden need for remote access. (It&rsquo;s worth noting that the pandemic years also saw an <a href="https://www.prnewswire.com/news-releases/security-experts-discover-a-1-500-increase-in-attacks-against-vpn-due-to-remote-work-301310925.html">increase of over <em>1,500%</em></a> in the number of attacks against VPNs.)</p> <p>And they&rsquo;ve stayed the course since. 
In our own <a href="https://blog.1password.com/files/unmanaged-devices-run-rampant/the_shadowIT_report.pdf">2023 survey of knowledge workers</a>, 79% reported that their company used a VPN for security; it was second only to MFA (80%) and well ahead of MDM (52%).</p> <img src='https://blog.1password.com/posts/2024/do-corporate-vpns-have-a-place-in-a-zero-trust-world/which-of-the-following-security-tools-does-your-company-use.png' alt='A graphic showing the results of which security tools are used at companies surveyed.' title='A graphic showing the results of which security tools are used at companies surveyed.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p><a href="https://blog.1password.com/files/unmanaged-devices-run-rampant/the_shadowIT_report.pdf">Source:</a> The Shadow IT Report</p> <p>As for why companies keep them, we went to the Mac Admins forum for insights.</p> <p>A VP of Technology at a small analytics company still has a VPN in place, even though they use a majority of SaaS applications. They boil their VPN usage down to: why not? &ldquo;[VPN] was easy to implement, and easy to maintain. And it provides an additional layer of protection when using untrusted WiFi [networks].&rdquo;</p> <p>The fact that VPNs are still the more familiar technology can also be useful for <a href="https://blog.1password.com/10-minute-guide-to-soc-1-vs-soc-2/">third-party compliance</a>. 
As one IT manager said: &ldquo;It&rsquo;s easier to explain to auditors that your production environment is behind a VPN than it is to walk them through your zero trust platform.&rdquo; (With the aforementioned executive order, growing familiarity with zero trust architecture, and growing anxieties around VPN vulnerabilities, their advantage in compliance may also see diminishing returns).</p> <p>Some companies also keep VPN around simply because their customers demand it, as when a client&rsquo;s server only accepts connections from an allowlisted static IP address, and the VPN&rsquo;s egress address is the one that gets allowlisted.</p> <p>And of course, keeping on-prem servers – and VPNs to guard them – is still the most cost-effective option for some companies. That&rsquo;s particularly true for legacy enterprises, although some younger and smaller companies also go that route. &ldquo;We deal with large amounts of media that would be prohibitively expensive to have 100% cloud (print and digital publishing),&rdquo; explains the IT Director of a medium-sized media company. &ldquo;Hence the need for on premise storage and VPN to access that when not at one of our locations.&rdquo;</p> <p>But is the continued prevalence of enterprise VPNs a problem? The <a href="https://www.cybersecurity-insiders.com/wp-content/uploads/2024-vpn-risk-report-Zscaler-ThreatLabz.pdf">2024 VPN Risk Report</a> from Cybersecurity Insiders and Zscaler ThreatLabz found that &ldquo;62% of enterprises agree that VPNs are anti-zero trust.&rdquo;</p> <h2 id="are-vpns-in-conflict-with-zero-trust">Are VPNs in conflict with zero trust?</h2> <p>If you&rsquo;re a VPN fan, breathe a sigh of relief — if you&rsquo;re still getting value out of it, you can keep it. Zero trust and VPN can coexist; they&rsquo;re just designed to protect different things.</p> <p>For instance, 1Password&rsquo;s <a href="https://blog.1password.com/what-is-device-trust/">Device Trust solution</a> falls within the zero trust ecosystem. 
In a nutshell, our product ensures that only trusted, healthy devices can access SSO-protected apps.</p> <p>We don&rsquo;t consider ourselves to be direct competitors with VPN, because even though some VPNs provide basic device telemetry, it&rsquo;s not their primary function. We also don&rsquo;t think that VPNs inherently conflict with our product, especially for legacy companies and industries using specialized or on-prem tools in addition to typical SaaS apps.</p> <p>However, VPNs can let organizations get complacent about what kinds of devices access their resources. Most companies don&rsquo;t want any ol' device logging into their resources, because it could be infected with malware or belong to a bad actor. But <a href="https://blog.1password.com/files/unmanaged-devices-run-rampant/the_shadowIT_report.pdf">our research</a> found that even though 79% of companies have VPN, 47% of them still let unmanaged devices access their resources.</p> <p>Since corporate VPNs are typically only installed on company-owned devices, it&rsquo;s easy to assume that any employee with VPN on their device is only working on that managed, approved device. But it&rsquo;s just as likely that employees use their work laptops for the VPN and use their personal devices for all those SaaS apps outside the VPN.</p> <p>The two can coexist, and even complement each other, but VPNs simply can&rsquo;t provide the same guarantees that zero trust options can, like making sure that only trusted and secure devices access your sensitive resources.</p> <p>Meanwhile, the security risks of VPNs are far from resolved, with reports showing the number of <a href="https://www.top10vpn.com/research/vpn-vulnerabilities/">corporate VPN vulnerabilities</a> (with consequences as severe as remote code execution) surging in 2023. 
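To make the contrast between the two models concrete, here is an added example in Python (it is not code from the original post and not 1Password Device Trust's implementation): a toy access-policy engine that evaluates the same request under the castle-and-moat model, where a live VPN session is all the proof required, and under a per-request zero trust check that also demands MFA and a managed, healthy device for each resource. The users, groups, resources, posture fields and the three request scenarios are constructed for this example and are assumptions, not anyone's real policy.

```python
"""Toy policy engine: castle-and-moat (VPN) vs per-request zero trust.

Added example; the directory, policy table and device-posture fields below are
constructed assumptions, not 1Password's or any vendor's real schema.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Device:
    """Device posture as a device-trust agent might report it (constructed fields)."""
    managed: bool          # enrolled with MDM or a device-trust agent
    disk_encrypted: bool
    os_patched: bool


@dataclass(frozen=True)
class Request:
    user: str
    resource: str
    mfa_verified: bool
    on_corporate_network: bool   # True if the request arrived over the VPN tunnel
    device: Optional[Device]     # None: no telemetry at all (e.g. a personal phone)


@dataclass(frozen=True)
class ResourcePolicy:
    allowed_groups: Set[str]
    require_mfa: bool
    require_managed_device: bool


# Constructed directory and per-resource policy table.
USER_GROUPS: Dict[str, Set[str]] = {
    "alice": {"engineering"},
    "bob": {"finance"},
}

POLICIES: Dict[str, ResourcePolicy] = {
    "prod-admin-console": ResourcePolicy({"engineering"}, True, True),
    "payroll-saas": ResourcePolicy({"finance"}, True, True),
    "wiki": ResourcePolicy({"engineering", "finance"}, True, False),
}


def castle_and_moat_allows(req: Request) -> bool:
    """The VPN model: whoever is inside the perimeter is trusted for everything.
    Identity was checked once when the tunnel came up; device posture and the
    specific resource are never consulted again."""
    return req.on_corporate_network


def zero_trust_allows(req: Request) -> Tuple[bool, List[str]]:
    """Per-request verification: group membership, MFA and device posture are
    re-checked for every request against the policy of that resource.
    Network location is deliberately not an input."""
    policy = POLICIES.get(req.resource)
    if policy is None:
        return False, ["unknown resource"]
    reasons: List[str] = []
    if not USER_GROUPS.get(req.user, set()) & policy.allowed_groups:
        reasons.append("user not in an allowed group")
    if policy.require_mfa and not req.mfa_verified:
        reasons.append("MFA not verified")
    if policy.require_managed_device:
        if req.device is None:
            reasons.append("no device telemetry")
        else:
            if not req.device.managed:
                reasons.append("device unmanaged")
            if not req.device.disk_encrypted:
                reasons.append("disk not encrypted")
            if not req.device.os_patched:
                reasons.append("OS not patched")
    return (not reasons), reasons


# Constructed scenarios.
MANAGED_LAPTOP = Device(managed=True, disk_encrypted=True, os_patched=True)
ATTACKER_LAPTOP = Device(managed=False, disk_encrypted=False, os_patched=True)

# 1. Phished VPN credential: the attacker is "inside the castle" on their own laptop.
PHISHED_VPN = Request("alice", "prod-admin-console", mfa_verified=False,
                      on_corporate_network=True, device=ATTACKER_LAPTOP)
# 2. Alice on her managed laptop from a coffee shop, no VPN, SSO with MFA.
REMOTE_MANAGED = Request("alice", "prod-admin-console", mfa_verified=True,
                         on_corporate_network=False, device=MANAGED_LAPTOP)
# 3. Bob opens the payroll SaaS app from a personal phone that reports no posture.
PERSONAL_PHONE = Request("bob", "payroll-saas", mfa_verified=True,
                         on_corporate_network=False, device=None)


if __name__ == "__main__":
    for name, req in [("phished VPN", PHISHED_VPN),
                      ("remote managed", REMOTE_MANAGED),
                      ("personal phone", PERSONAL_PHONE)]:
        ok, why = zero_trust_allows(req)
        print(f"{name:15} castle-and-moat={castle_and_moat_allows(req)!s:5} "
              f"zero-trust={ok!s:5} {'; '.join(why)}")
```

Run it and the phished-credential request from the attacker's unmanaged laptop is the only one castle-and-moat allows, and the zero trust check denies it on MFA and posture. The managed laptop off the VPN is denied by castle-and-moat but allowed by zero trust. The personal phone is the case the article's 47% statistic is about: the user is legitimate and has MFA, but with no device telemetry the payroll app stays closed.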
Recent years have also seen a number of significant attacks on VPN appliances, and the expectation is that <a href="https://www.techtarget.com/searchsecurity/news/366602396/Akamai-warns-enterprises-that-VPN-attacks-will-only-increase">they will only increase</a>.</p> <p>Overall, the choice to hold on to or transition away from a VPN is mostly a matter of a company&rsquo;s specific circumstances. But be sure you&rsquo;re aware of your needs if you hold onto yours. <a href="https://web-assets.claroty.com/resource-downloads/claroty-team82-report_secure-access-tool-sprawl.pdf">A 2024 Claroty Team82 report</a> shows that 55% of companies surveyed have four or more remote access tools connecting their systems to the outside world. Some have as many as <em>fifteen</em>. And in many cases, that&rsquo;s simply because they&rsquo;ve held onto legacy systems that aren&rsquo;t needed any more. Look closely at your VPN use, and be sure to make a conscious choice about whether to keep that drawbridge open.</p> <p>Want to see how 1Password Extended Access Management manages access to cloud applications with or without VPNs? 
<a href="https://1password.com/contact-sales/xam">Reach out for a demo!</a></p> <p><em>Disclaimer I: Quotes from participants have been modified for clarity and brevity with their permission and acknowledgement.</em></p> <p><em>Disclaimer II: The author of this blog has frosted tips.</em></p></description></item><item><title>Your company's bossware could get you in legal trouble</title><link>https://blog.1password.com/your-companys-bossware-could-get-you-in-legal-trouble/</link><pubDate>Fri, 27 Sep 2024 00:00:00 +0000</pubDate><author>info@1password.com (Nick Moore)</author><guid>https://blog.1password.com/your-companys-bossware-could-get-you-in-legal-trouble/</guid><description> <img src='https://blog.1password.com/posts/2024/your-companys-bossware-can-get-you-in-legal-trouble/header.png' class='webfeedsFeaturedVisual' alt='Your company's bossware could get you in legal trouble' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Monitoring employees in the name of productivity or security can cause a lot more problems than it solves.</p> <p>On Halloween 2022, National Labor Relations Board (NLRB) General Counsel Jennifer Abruzzo <a href="https://www.nlrb.gov/news-outreach/news-story/nlrb-general-counsel-issues-memo-on-unlawful-electronic-surveillance-and">released a memo</a> that likely horrified plenty of executives. She announced her intention to &ldquo;protect employees &hellip; from intrusive or abusive electronic monitoring and automated management practices.&rdquo;</p> <p>In other words, the NLRB declared war on bossware. And it&rsquo;s not alone. 
Beyond Abruzzo&rsquo;s memo lies an evolving, growing array of laws and regulations that seek to protect employees' privacy rights against employee monitoring software, otherwise known as bossware.</p> <p>Numerous countries and a handful of US states, such as California and New York, have already imposed restrictions on how companies can digitally surveil their employees. And given the public sentiment swinging against bossware and toward privacy, we can likely expect more laws and tougher enforcement from regulators.</p> <p>If you&rsquo;re in charge of purchasing, implementing, or maintaining employee surveillance tools at your organization, this is a good time to step back and evaluate what tools you&rsquo;re using and how you&rsquo;re using them.</p> <h2 id="what-is-bossware">What is bossware?</h2> <p>&ldquo;Bossware,&rdquo; a term the Electronic Frontier Foundation (EFF) <a href="https://www.eff.org/deeplinks/2020/06/inside-invasive-secretive-bossware-tracking-workers">coined in 2020</a>, refers to technologies that companies use to monitor employees on their devices. 
What this looks like varies depending on the workplace.</p> <p>Abruzzo&rsquo;s memo cites things like wearable devices for warehouse workers and GPS cameras on truck drivers, but she pays particular attention to computer-based surveillance, calling out &ldquo;keyloggers and software that takes screenshots, webcam photos, or audio recordings throughout the day.&rdquo; The memo goes on to mention tools that keep watching when employees are off the clock, such as those that &ldquo;track employees' whereabouts and communications using employer-issued phones or wearable devices, or apps installed on workers' own devices.&rdquo;</p> <p>Beyond such obvious types of surveillance, bossware can come in more subtle forms, like tools that aggregate employee sentiment from emails or their private social media – ostensibly to gauge their job satisfaction.</p> <p>Bosses who use this technology report that their primary concern is productivity. According to a <a href="https://digital.com/6-in-10-employers-require-monitoring-software-for-remote-workers/">Digital.com</a> survey, the top use cases are checking how employees spend their time (79%) and confirming whether employees are working the entire day (65%).</p> <p>These reasons also overlap with security concerns. The same study shows that 50% of bosses use employee monitoring tools to check whether employees are using work devices for personal use, which touches on both security and productivity. And there are plenty of tools that aren&rsquo;t designed primarily for surveillance but are still prone to misuse – for instance, <a href="https://www.crowdstrike.com/cybersecurity-101/data-loss-prevention-dlp/">data loss prevention (DLP) tools</a> that can capture everything a user does.</p> <h2 id="why-now-remote-work-and-the-bossware-backlash">Why now? 
Remote work and the bossware backlash</h2> <p>The idea of remotely monitoring employees has been around for decades, and many employee monitoring software vendors have been in business for years. But three changes have made the backlash to bossware swifter and harsher than many would have expected:</p> <ol> <li> <p>The development and proliferation of more advanced, automated forms of surveillance.</p> </li> <li> <p>The shift toward remote work.</p> </li> <li> <p>The rise of privacy rights and the labor movement.</p> </li> </ol> <p>Let&rsquo;s look at each of them a little more closely.</p> <h3 id="automation-enables-spying-at-scale">Automation enables spying at scale</h3> <p>In the past, keeping tabs on employees required a human touch. Scientific management, sometimes called Taylorism, emerged in the early 1900s and encouraged factory supervisors to time their employees with stopwatches. Later, CCTV footage helped bosses mind the store, but even that type of surveillance was constrained by the ability of people to go over the footage.</p> <p>Today, bosses don&rsquo;t have to skulk around break rooms to spy on workers; they can require employees to install software that logs their keystrokes, accesses their webcam, and more. Bosses can deploy these tools at scale and run them passively. 
That means bosses can monitor all employees as standard procedure, not as a result of individual cases of suspicious activity.</p> <p>Companies can now read emails and <a href="https://www.spiceworks.com/hr/engagement-retention/articles/sentiment-analytics-tools-features-price/">analyze the sentiment of their contents</a>, <a href="https://www.teramind.co/features/social-media-monitoring">track employees on social media</a>, <a href="https://www.ekransystem.com/en/product/employee-keylogging">monitor the movements and clicks of employees' mice and keyboards</a>, <a href="https://www.timedoctor.com/screen-monitoring-software">identify which applications employees are using and for how long</a>, and <a href="https://www.remotedesk.com/solutions/webcam-monitoring">record webcam video</a>. Some bossware can even <a href="https://go.perceptyx.com/platform/sense-employee-lifecycle-surveys">aggregate all of this data</a> so bosses can identify unhappy workers and prevent employees from taking collective action.</p> <p>These tools mark a qualitative leap over earlier forms of surveillance, and their widespread use on employees – who may not even be aware they&rsquo;re being watched – makes plenty of people uncomfortable.</p> <h3 id="remote-work-made-bossware-more-intrusive">Remote work made bossware more intrusive</h3> <p>The current rebellion against bossware and workplace surveillance began with the COVID-19 pandemic, which accelerated the remote work trend.</p> <img src='https://blog.1password.com/posts/2024/your-companys-bossware-can-get-you-in-legal-trouble/change-in-remote-work-trends-due-to-covid-19.png' alt='A chart showing the change in remote work trends in the US due to COVID-19.' title='A chart showing the change in remote work trends in the US due to COVID-19.' 
style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p><a href="https://www.statista.com/statistics/1122987/change-in-remote-work-trends-after-covid-in-usa/">Source.</a></p> <p>The rise of remote work makes employee surveillance even more intrusive because employees are likely to be working from home or using personal devices, and bossware tools often aren&rsquo;t capable of recognizing those boundaries. The EFF found, for example, that many bossware products &ldquo;don&rsquo;t distinguish between work-related activity and personal account credentials, bank data, or medical information.&rdquo;</p> <img src='https://blog.1password.com/posts/2024/your-companys-bossware-can-get-you-in-legal-trouble/keylogger-screenshot.png' alt='A screenshot of a keylogger definition.' title='A screenshot of a keylogger definition.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p><a href="https://www.workexaminer.com/features/">Source.</a></p> <p>This failure to distinguish between professional and private life is especially stark when we consider webcams. In an office setting, requiring employees to keep their webcams on during the workday might be irritating. But the same policy is much more invasive when employees work from home, and the webcam captures their non-consenting partners, roommates, or children. And it&rsquo;s even more troubling if the webcam is on without the worker&rsquo;s knowledge.</p> <h3 id="the-labor-movement-and-the-techlash">The labor movement and the &ldquo;techlash&rdquo;</h3> <p>The fight against bossware isn&rsquo;t happening in isolation; it&rsquo;s piggybacking on the victories in the larger movement for consumer privacy and organized labor.</p> <p>When Facebook first became popular, for example, many users didn&rsquo;t care – or didn&rsquo;t realize they <em>should</em> care – where their data went. 
Now, after years of data misuse and breaches, many people are wary of giving companies access to their personal data. Laws like the EU&rsquo;s GDPR and California&rsquo;s CCPA have sprung up to prevent unnecessary data collection.</p> <p>Workers might not be able to join in the privacy backlash were it not for the resurgent labor movement and a tight labor market that has put employers at a disadvantage for the first time in decades. Gallup Research from 2024 shows union approval is at its <a href="https://news.gallup.com/poll/650147/democratic-party-seen-better-union-members.aspx?utm_source=alert&amp;utm_medium=email&amp;utm_contentChe=morelink&amp;utm_campaign=syndication">highest level since the 1960s</a>. Though unionization in technology companies is still relatively rare, <a href="https://twitter.com/protocol/status/1424415196009881607">Protocol research</a> shows 50% of tech workers are interested in joining a union.</p> <p>And as interest turns into action, workers will have a greater ability to protest intrusive surveillance, especially when it&rsquo;s illegally used to prevent them from organizing.</p> <h2 id="bossware-and-the-law">Bossware and the law</h2> <p>The unspoken truth, known by many executives, is that laws are only as powerful as their enforcement mechanisms. The NLRB, referenced at the top of this article, is <a href="https://www.nlrb.gov/news-outreach/news-story/union-petitions-up-35-unfair-labor-practices-charge-filings-up-7-in-the#:~:text=Last%20month%2C%20Congress%20flat%2Dfunded,backfill%20some%20critical%20staff%20vacancies">chronically underfunded and understaffed</a>. After decades of the Reagan-inspired &ldquo;<a href="https://en.wikipedia.org/wiki/Starve_the_beast">starve the beast</a>&rdquo; mentality, government agencies are often weaker than the industries they are tasked with regulating.</p> <p>But in the U.S., the Biden administration has presided over something of a renaissance in labor, buoyed by Presidential approval. 
And around the world, regulators are holding scofflaw companies to account.</p> <h3 id="labor-laws-are-on-the-cutting-edge-against-bossware">Labor laws are on the cutting edge against bossware</h3> <p>The NLRB is taking a stand against bossware because of how frequently it is used to suppress or discourage workplace organizing. For example, a &ldquo;productivity tool&rdquo; that tells bosses who each employee speaks to and for how long has a clear potential for misuse.</p> <p>Abruzzo writes in her memo that numerous types of bossware already run afoul of, in her words, &ldquo;settled Board law.&rdquo; For example, monitoring &ldquo;protected concerted activity&rdquo; (i.e. workplace organizing) has been illegal for decades.</p> <p>This kind of monitoring was more clear-cut when it involved taking pictures of picket signs and video recording employees in break rooms, but now, the NLRB is looking into passive, virtual monitoring. And for good reason: in an <a href="https://onezero.medium.com/companies-are-using-employee-survey-data-to-predict-and-squash-union-organizing-a7e28a8c2158">interview with OneZero</a>, the &ldquo;employee listening&rdquo; platform Perceptyx explains that it offers, by default, a &ldquo;union vulnerability index.&rdquo; With it, the company explains, employers can log into their platform and see that &ldquo;20% of that group is at risk of unionization.&rdquo;</p> <p>Abruzzo also makes clear that if companies use tools that aren&rsquo;t strictly for employee monitoring to police protected activities, they run afoul of Section 8(a)(1) of the National Labor Relations Act. In another article, we covered <a href="https://blog.1password.com/employees-guide-to-slacks-privacy-policy/">Slack&rsquo;s privacy policy</a> and explained how bosses could see all of your private messages. 
A company could face consequences for using Slack like bossware (such as if a manager downloaded an employee&rsquo;s private messages to see whether they were comparing their salaries or considering collective bargaining).</p> <p>Beyond extant law, Abruzzo also writes about using &ldquo;settled labor-law principles in new ways.&rdquo; This is not an uncommon legal practice because the law, notoriously slow and difficult to update, often evolves via analogy. The Interstate Commerce Act, for example, was established in 1887 to oversee the railroad industry but was an important legal framework for regulating the petroleum, trucking, civil aviation, and telecommunications industries for many decades after its establishment. Regulatory bodies compared new industries to railroads and applied previously settled regulations to new contexts.</p> <p>The same pattern could play out for bossware. In 1992, the NLRB came down on Sands Hotel &amp; Casino because management <a href="https://www.nlrb.gov/sites/default/files/attachments/pages/node-284/naarb-sew-binder-prepared-nlrb.pdf">assigned guards</a> to monitor employees using binoculars. At first glance, such a ruling might not seem to apply to you. But the courts could very well decide that keyloggers are effectively modern-day binoculars – meaning a lot of bossware could suddenly become illegal without the creation of new laws.</p> <h3 id="federal-and-state-regulations">Federal and state regulations</h3> <p>The NLRB isn&rsquo;t alone in taking on bossware, though it might be leading the charge. 
Abruzzo notes that she wants to take an &ldquo;interagency approach&rdquo; to bossware and work with agencies like the Federal Trade Commission, the Consumer Financial Protection Bureau, the Department of Justice, and the Department of Labor to limit the use and abuse of employee monitoring.</p> <p>And that&rsquo;s not all: The Center for Democracy and Technology points out that bossware could also be illegal by way of <a href="https://cdt.org/wp-content/uploads/2021/07/2021-07-29-Warning-Bossware-May-Be-Hazardous-To-Your-Health-Final.pdf">numerous other laws</a>, such as:</p> <ul> <li> <p>The Occupational Safety and Health Act could punish companies for limiting bathroom breaks via monitoring and productivity quotas.</p> </li> <li> <p>The Americans with Disabilities Act could punish companies for treating disabled employees differently due to the results of employee monitoring.</p> </li> <li> <p>Federal wage and hour laws could punish companies for automatically docking employee wages when they leave their workstations.</p> </li> <li> <p>The Family and Medical Leave Act could punish companies for restricting employees with qualifying medical conditions from taking intermittent breaks.</p> </li> </ul> <p>So far, we&rsquo;ve just covered federal laws, but state laws are catching up as well. The laws <a href="https://www.spiceworks.com/hr/hr-compliance/guest-article/bossware-legal-and-practical-implications-of-tracking-employees/">differ from state to state</a>: New York, Connecticut, and Delaware laws all require employers to notify employees of monitoring activities upon hiring them. 
And as of January 1, 2023, California updated its major data privacy law, extending some of the protections offered by the CCPA, <a href="https://blog.1password.com/cpra-will-transform-how-companies-treat-employee-data/">via the CPRA</a>, to employees.</p> <h3 id="international-bossware-laws">International bossware laws</h3> <p>Outside the U.S., many countries are much more aggressive in balancing the rights of employees against employers. And for companies with remote workforces, this can come as a rude awakening.</p> <p>A particularly good example occurred in 2022 when a Dutch court <a href="https://arstechnica.com/tech-policy/2022/10/florida-firms-webcam-surveillance-violates-human-rights-dutch-court-says/">fined a Florida firm</a> for punishing an employee who refused to keep his webcam on all day on the grounds that it made him uncomfortable.</p> <p>In response, the firm fired him, citing insubordination. The court disagreed, ruling that video surveillance of an employee constituted a &ldquo;considerable intrusion into the employee&rsquo;s private life.&rdquo; The takeaway here isn&rsquo;t that companies should stay out of The Netherlands, of course – it&rsquo;s that a remote, globalized workforce will come with diverse laws and cultures around employee privacy.</p> <p>As a small sample, consider a <a href="https://www.insightful.io/blog/spying-on-your-employees-law">few other European laws</a>:</p> <ul> <li> <p>In Austria, the Austrian Labor Constitution Act requires employers to either get the consent of all employees or of an employee work council before monitoring them.</p> </li> <li> <p>In France, the French Data Protection Authority ruled that, outside of a &ldquo;<a href="https://www.huntonprivacyblog.com/2013/03/25/french-data-protection-authority-rules-on-keylogger-software/">strong business justification,</a>&rdquo; companies cannot use keyloggers.</p> </li> <li> <p>In Germany, employers can&rsquo;t use much of the passive monitoring we&rsquo;ve 
talked about so far. Instead, German employers can only implement monitoring after establishing reasonable suspicion of unprofessional behavior.</p> </li> </ul> <h2 id="four-questions-to-ask-before-implementing-bossware">Four questions to ask before implementing bossware</h2> <p>So far, we&rsquo;ve sketched the broad strokes of the legal risks of bossware, but how do you assess it on an individual level if you&rsquo;re a CISO, an IT administrator, or a manager?</p> <p>Here&rsquo;s a good place to start to assess whether a particular form of surveillance is legal or necessary.</p> <h3 id="1-does-it-suppress-unionization">1. Does it suppress unionization?</h3> <p>We&rsquo;ve already talked about the potential for bossware to be a de facto union-busting tool, which is clearly illegal. So if your company is investing in a tool for purely productivity or security-related purposes, then discuss how you can prevent it from being misused to suppress organizing.</p> <p>It&rsquo;s also worth considering how an existing union might react to surveillance. In her memo, Abruzzo not only explained how the NLRB would enforce extant laws but signaled that the NLRB would likely support unions complaining about bossware. The previously cited Digital.com research shows that 88% of employers terminated workers after implementing bossware, so new unions would undoubtedly examine these kinds of tools. A <a href="https://content.next.westlaw.com/practical-law/document/Icbf83260aecf11e398db8b09b4f043e0/Employer-that-Revealed-Anonymous-Intelligence-About-Work-Stoppage-Created-Unlawful-Impression-of-Surveillance-NLRB?viewType=FullText&amp;transitionType=Default&amp;contextData=(sc.Default)&amp;firstPage=true">2014 NLRB ruling</a> shows that even giving the impression of unlawful surveillance can make companies liable.</p> <h3 id="2-does-it-pose-a-major-risk-in-the-event-of-a-data-breach">2. 
Does it pose a major risk in the event of a data breach?</h3> <p>A major reason companies might want to limit the collection of personal information (via bossware or otherwise) is that a data breach could expose personal information to bad actors.</p> <p>Companies might get punished, then, not for the usage of bossware but for poor security practices that made personal information captured by bossware vulnerable to attackers. It&rsquo;s a good reason to return to the classic data security principle of data minimization and consider whether the benefits of bossware outweigh the risks of storing such sensitive data.</p> <h3 id="3-does-it-open-you-up-to-personal-liability">3. Does it open you up to personal liability?</h3> <p>Companies establish LLCs, as the name implies, to limit liability. Companies can collapse while individuals can move on. Increasingly, however, government agencies are targeting individuals.</p> <p>Joe Sullivan, former chief security officer for Uber, for example, <a href="https://www.washingtonpost.com/technology/2022/10/05/uber-obstruction-sullivan-hacking/">pled guilty in 2022</a> to covering up a data breach. Employers will want to be especially careful about implementing dubiously legal policies if they, as individuals, can be found liable.</p> <h3 id="4-does-it-violate-discrimination-laws">4. Does it violate discrimination laws?</h3> <p>As we wrote above, Abruzzo emphasized taking an &ldquo;interagency&rdquo; approach to enforcing laws against workplace surveillance. That means companies have to watch out for restrictions coming from multiple directions. 
One very likely direction is via anti-discrimination laws.</p> <p>For example, a company might discriminate against a mother by punishing her for taking breaks to breastfeed, among a host of other possibilities.</p> <h2 id="surveil-with-care">Surveil with care</h2> <p>Legal threats aside, there&rsquo;s a simpler reason you should push back against bossware at your organization: It&rsquo;s bad for workers, and there&rsquo;s compelling evidence it&rsquo;s bad for employers, too.</p> <p>For employees, bossware can create intense feelings of stress and anxiety. <a href="https://www.expressvpn.com/blog/expressvpn-survey-surveillance-on-the-remote-workforce/">ExpressVPN research</a> shows that 56% of monitored employees feel stress and anxiety about surveillance, and 32% take fewer breaks because of it. Are short-term productivity gains worth long-term employee unhappiness and burnout?</p> <p>For employers, even if we assume that bossware increases productivity (and researchers are divided on whether it does), its overall effectiveness is doubtful. Employee paranoia and resentment come at their own costs. A <a href="https://hbr.org/2022/06/monitoring-employees-makes-them-more-likely-to-break-rules">Harvard Business Review study</a> showed, for example, that monitored employees were &ldquo;substantially more likely to take unapproved breaks, disregard instructions, damage workplace property, steal office equipment, and purposefully work at a slow pace, among other rule-breaking behaviors.&rdquo;</p> <p>As we covered at the beginning, beneath the desire to monitor employees is the desire to ensure productivity and security – both of which are reasonable goals to pursue. Bossware, however, is a blunt instrument, and likely the wrong instrument, for succeeding here.</p> <p>If you want to monitor productivity, focus less on behavior and more on results. 
In other words: if an employee is getting their work done, it&rsquo;s really none of your business how often they go to the bathroom.</p> <p>If security is your concern, privacy should be as well – even if that seems counterintuitive at first. The more you intrude on employees, the more likely they are to try to evade surveillance altogether, which increases the likelihood of unsafe behaviors on unmanaged devices. Instead of tracking their every move, be surgical and thoughtful about the data you collect.</p> <p>And if you really, really need to monitor employees: be transparent. Your employees deserve to know how you&rsquo;re monitoring them and what information you&rsquo;re collecting and storing. Plus, if you try to be secretive and your employees find out, the blowback could do irreparable damage to your company&rsquo;s culture. You&rsquo;re much better served by bringing your policies out into the light.</p> <p>Here at 1Password, for example, our <a href="https://blog.1password.com/what-is-device-trust/">Device Trust solution</a> collects data about employee devices, but it does so in accordance with our philosophy of Honest Security. We practice minimization; we collect only the data we need to keep our customers safe. For example, we keep track of an employee&rsquo;s browser extensions – because those can present a security risk – but we deliberately don&rsquo;t monitor browser history. Likewise, we practice transparency; every end user can visit our Privacy Center to see what data we collect and what it can reveal about them.</p> <img src='https://blog.1password.com/posts/2024/your-companys-bossware-can-get-you-in-legal-trouble/chrome-check-privacy-info.png' alt='A screenshot of xam&#39;s chrome check privacy information.' title='A screenshot of xam&#39;s chrome check privacy information.' 
style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>This approach is the best way to get your workforce on your side, while you stay on the right side of the law.</p> <p>Want more security and IT stories like this one right in your inbox? <a href="https://1password.com/kolidescope-newsletter">Sign up for our newsletter!</a></p></description></item><item><title>Professor Alan Watkins demystifies cybersecurity for small business owners</title><link>https://blog.1password.com/small-business-cybersecurity-alan-watkins-interview/</link><pubDate>Thu, 26 Sep 2024 00:00:00 +0000</pubDate><author>info@1password.com (Jenn Marshall)</author><guid>https://blog.1password.com/small-business-cybersecurity-alan-watkins-interview/</guid><description> <img src='https://blog.1password.com/posts/2024/small-business-cybersecurity-alan-watkins-interview/header.png' class='webfeedsFeaturedVisual' alt='Professor Alan Watkins demystifies cybersecurity for small business owners' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">How worried should small businesses be about cyber attacks? Pretty worried, according to Alan Watkins, a professor for the Cybersecurity Master’s Degree Program at National University, and an expert with a long career in cybersecurity, emergency management, and law enforcement.</p> <p>Small businesses are often at a higher risk because criminals know they’re easier to hack. So, what’s a small business to do? 
During a podcast interview with Michael “Roo” Fey, Head of User Lifecycle &amp; Growth at 1Password, Watkins revealed that having good “cyber hygiene” – which consists of a handful of basic principles anyone can follow – doesn’t have to cost thousands of dollars or upend other business priorities.</p> <p>To learn more about what small businesses can do to reduce their risk of cyber attack, read the interview highlights below or listen to the <a href="https://randombutmemorable.simplecast.com/episodes/creating-cybersecurity-program-pie">full Random but Memorable podcast episode</a>.</p> <div style="text-align: center !important;"> <iframe src="https://www.youtube-nocookie.com/embed/0wKx7lxmplg?si=w177q5yJhs4cXQOq" frameborder="0" allow="autoplay; encrypted-media" width="500px !important;" height="281px !important;" style="width: 500px !important; height: 281px !important; display: inline-block !important" allowfullscreen></iframe> </div> <p><em>Editor’s note: This interview has been lightly edited for clarity and brevity. The views and opinions expressed by the interviewee don’t represent the opinions of 1Password.</em></p> <p><strong>Michael Fey: What was your journey into cybersecurity?</strong></p> <p><strong>Alan Watkins:</strong> Those are two different paths. My journey into cybersecurity started in 1998 on a project for the city of San Diego. It was the Y2K bug! I was the manager for the wastewater department at the city, and put in charge of making sure all the systems continued to work. Because wastewater is a national infrastructure item, I got in contact with the national FBI office that was coordinating those things.</p> <p>That took me into the cybersecurity realm even though Y2K wasn&rsquo;t a security issue – it was a cyber issue. I started working with the FBI and had various roles at the city after that. 
Eventually I became the city&rsquo;s IT security manager.</p> <p><strong>MF: What are the fundamentals of responding to a cybersecurity crisis?</strong></p> <p><strong>AW:</strong> Most major cities and big businesses have emergency operations planned so that if something&rsquo;s going wrong, they can pull the people together that need to be there to manage the crisis. Cyber needs to be part of that emergency plan because everybody depends on technology. If you don&rsquo;t plan for a cyber event, then you&rsquo;re not really planning for all the potential emergencies that could happen.</p> <p>There are two main plan documents. One is called the Disaster Recovery Plan, and the other is called a Business Continuity Plan. Business Continuity helps maintain a minimum level of operations while a crisis is going on. IT is part of that. You have to have backup servers, backup communications, backup everything, to make sure that businesses can function.</p> <p>The Disaster Recovery Plan answers: how do you get your business back to normal operations after the event is over?</p> <p><strong>MF: Has your guidance changed in recent years with the ramp-up of ransomware attacks? It feels like it&rsquo;s not so much a question of <em>if</em> we&rsquo;re going to need a disaster recovery plan, but <em>when</em>.</strong></p> <p><strong>AW:</strong> “It&rsquo;s a matter of when not if,” has been something IT security has been saying for more than a decade. Because the more people use technology, the more chance they have of being a victim of some sort of cybercrime or cyber attack. It’s like having a family plan for when your house catches on fire. 
When you have 15 minutes to get things together and leave, what do you take?</p> <blockquote> <p><em>&ldquo;The principle of “when not if” hasn’t changed – it&rsquo;s just a matter of what you need to prepare for.&quot;</em></p> </blockquote> <p>In the cyber and business world, what do you need to prepare for, and what do you need to manage that? The principle of “when not if” hasn’t changed – it&rsquo;s just a matter of what you need to prepare for.</p> <p><strong>MF: Your <a href="https://cisodrg.com/project/creating-a-small-business-cybersecurity-program/">new book</a> focuses on cybersecurity programs for small businesses. Why do you think it&rsquo;s important to have a non-technical guide specifically for small business owners?</strong></p> <p><strong>AW:</strong> First, let&rsquo;s define what a small business is. The Small Business Administration (SBA) says a small business is a company with less than 500 employees. That small business category makes up about 97% to 98% of all businesses in the U.S. by number count – not by number of employees, obviously.</p> <p>To me, 500 is a rather large number of employees. My book focuses on businesses with 25 to 50 or maybe 50 to 100 employees. Larger organizations tend to have more resources and people who have technical training to help them out. But the small business owner is focused on doing their business.</p> <p>With 50 employees or less, their focus is on their product or their service or whatever they do for their customers. So cyber and maybe some other things take a back seat.</p> <p>While some business owners have a basic knowledge of how computers work and are familiar with the applications or the systems that they use normally, they&rsquo;re not going to be familiar with the network security and the protocols and the things behind the scenes that cybersecurity is meant to protect. Or the configuration of things like firewalls. 
Most people know what a firewall is but ask them to configure it and you&rsquo;ll get a blank stare.</p> <p><strong>MF: Do you think that cybersecurity is an afterthought for small business owners? Or they just can’t prioritize it?</strong></p> <p><strong>AW:</strong> Some do and some don&rsquo;t have it as an afterthought. I think that’s decreasing a lot because every day in the news there&rsquo;s something going on with a cyber attack of some sort. This at least makes the small businesses aware but they&rsquo;re probably thinking: &ldquo;Ah, those are the big guys. I didn&rsquo;t get impacted by that.&rdquo; This is a false sense of security. About a decade ago, about 35% of all cyber attacks reported were on small businesses. In the last couple of years, it&rsquo;s up to 45% – 45% of all global cyber attacks are on small businesses.</p> <p>And it&rsquo;s increasing. The reason is that the crooks have figured out there are weak points in small businesses. They can use these to get in and do damage either to them or another company.</p> <p>An example is the <a href="https://www.nbcnews.com/business/business-news/target-settles-2013-hacked-customer-data-breach-18-5-million-n764031">Target breach in 2013</a>. The attackers didn&rsquo;t attack Target directly, initially. They went through a small business vendor of Target’s to sort of get in the back door.</p> <blockquote> <p><em>&ldquo;Crooks have figured out there are weak points in small businesses. They can use these to get in and do damage either to them or another company.&quot;</em></p> </blockquote> <p>This has been going on for a long time. Once a small business is hit, then they obviously wake up and have to do something about it. 
But I think cybersecurity is becoming less of an afterthought and it&rsquo;s more of a conscious priority decision.</p> <p><strong>MF: In your experience, what are some of the biggest cybersecurity challenges that these small businesses face, and how does your book set them up to meet those challenges?</strong></p> <p><strong>AW:</strong> I&rsquo;m going to back up a little bit. In the broad spectrum of things, cybersecurity is really a risk management activity. If you think about it, by reducing the potential for an attack or damage to your company&rsquo;s assets, whether it&rsquo;s information assets or its trade secrets, or whatever the case may be, by having cybersecurity, it reduces the risk level. This is good, all around, for business.</p> <p>The challenge is twofold, in my opinion. Not many small businesses are mandated to have cybersecurity measures. So, the challenge is getting the small business owner to realize, 1) that it&rsquo;s not going to cost an arm and a leg, and 2) it&rsquo;s not going to divert too much from the business priorities.</p> <p>It&rsquo;s easy to get things started for a low cost. I can&rsquo;t say no cost because even the low-cost items, you&rsquo;re going to have to train employees. There&rsquo;s going to be time and other things that the business has to put in. It might not be a big direct cost, but it would be a training cost.</p> <p>A lot of the security measures in the book deal with setting up policies and procedures and then training the employees on how to follow them. What can employees do or not do that actually protects the information of the business. We call it “cyber hygiene.” There are about 10 or 12 basic principles that make up cyber hygiene that they could implement without shelling out thousands and thousands of dollars, or even having an employee on staff who is an expert in cyber.</p> <p><strong>MF: You&rsquo;re an ambassador for CIS Controls. 
What are these and how do they benefit small businesses?</strong></p> <p><strong>AW:</strong> The <a href="https://www.cisecurity.org/controls/cis-controls-list">CIS Critical Security Controls</a> (CIS Controls) started about 20 years ago and were formerly called the SANS Top 20. They were trying to find a way to tackle what would be the best method for any business to be prepared for a cyber attack.</p> <p>The intent was, if someone implemented those 20 controls, they would probably be protected from at least 85% to 90% of potential attacks.</p> <p>If you&rsquo;re familiar with <a href="https://blog.1password.com/1password-iso-27001-certified/">ISO certification</a>, the CIS Controls are similar. For example, with the ISO environmental certification, companies can be certified to show that they&rsquo;re environmentally friendly. Similarly, there are ISO standards for cyber security, but those are usually on an international level. In the U.S., there is the National Institute of Standards and Technology (NIST) which provides the U.S. with standards and guidelines for cyber. The problem is, there are over 300 controls in the document that NIST produces for control mechanisms.</p> <p>So, CIS came along and said: &ldquo;Well, we&rsquo;ve got 20 basic controls.” In May 2021, CIS released version 8 and reduced the number of controls to 18.</p> <p>In addition, the CIS Controls provide pretty detailed descriptions on implementation and they also offer an assessment tool to help a business assess where they are with cybersecurity and find out what they need to fill in the gaps.</p> <p><strong>MF: If one of the controls is malware defense or data recovery, are you saying: “Here are the safeguards that you can put in place to meet the standards for malware defense? And here are some tools you can use to assess how you would stack up against malware defense.” Is that the right way to think about it?</strong></p> <p><strong>AW:</strong> Yes, that&rsquo;s exactly right. 
I&rsquo;m going to list off some of the areas that cyber hygiene covers.</p> <p>For example, for user account management, who gets a user account in the first place, how do you manage that? Who authorizes it? What are they authorized to access within the company&rsquo;s systems? What do you do when they transfer out to another division if it&rsquo;s a bigger company or they leave the company?</p> <p>User account management is one of the big ones. It&rsquo;s also called Identity and Access Management because it&rsquo;s supposed to certify, identify who the user is, and then based on the role, that user has access to particular resources. There should probably be a wireless access and remote access policy that dictates who and how, or even if remote access into the company&rsquo;s network is going to be allowed.</p> <p>Cyber hygiene would also cover something like BYOD, that&rsquo;s <a href="https://blog.1password.com/byod-policies/">bring your own device</a>. Whether it&rsquo;s a smartphone, iPad, tablet, or laptop, if you&rsquo;re going to connect a personal device and use it for business purposes, there are a lot of caveats that have to go with that, and managing the business data that is stored on the device.</p> <p>For systems administration security, who is managing your systems? Whether it&rsquo;s a third party contract or an internal employee, you want to make sure they&rsquo;re on the up and up. You have to audit what they do to make sure they&rsquo;re not trying to build some backdoor that if they become a disgruntled employee and leave, the next day your systems go down because they put in a Trojan or something like that.</p> <p>Software updates and patch management. This is the operating system. Usually Windows has automated patches, they call it Patch Tuesday, it&rsquo;s usually the first Tuesday of the month. Other software and applications issue patches that are on sort of a routine basis. 
You want to make sure that you&rsquo;ve automated as much as you can for security patches, but there are certain updates you don&rsquo;t want to have automatically load because they may cause glitches in your system. You want to test them first and then have them dispersed to the company machines.</p> <blockquote> <p><em>&ldquo;You want to make sure that you&rsquo;ve automated as much as you can for security patches.&quot;</em></p> </blockquote> <p>And third party access. We talked a little bit about who comes into your backdoor. You have suppliers and vendors. You also might have distributors on the other end of your process that are not part of your company, but that you interface with. You want to have policies that dictate who and how those interactions take place.</p> <p>The last one would be protecting confidential or sensitive information. Probably every business has confidential information that needs to be protected, whether it&rsquo;s the employee&rsquo;s records or customer information, and there&rsquo;s things like encryption and other tools that can be used to help do that.</p> <p><strong>MF: Where would you recommend that small businesses begin?</strong></p> <p><strong>AW:</strong> Management needs to step up and say: &ldquo;Hey, we&rsquo;re going to take cybersecurity seriously.&rdquo; And come up with a cybersecurity strategy statement that says: &ldquo;Over the next three years or three to five years, we plan on becoming the most secure widget producer in the Northern American hemisphere.&rdquo;</p> <p>Strategy statements are intentionally sort of vague. Within that strategy you build a cybersecurity program that contains the policies and procedures that will drive what can and can&rsquo;t be done.</p> <blockquote> <p><em>&ldquo;Doing the assessment will tell you where you have gaps that need to be filled.&quot;</em></p> </blockquote> <p>Once that&rsquo;s set, the actual implementation sequence, it can vary. 
It depends on what might be a high priority. Doing the assessment will tell you where you have gaps that need to be filled. What I would do is then prioritize those gaps: Which is the one that&rsquo;s most critical or would do the most damage to the organization if something happened – and fix that. It&rsquo;s basically damage control from the worst to the least.</p> <p><strong>MF: With small businesses, we&rsquo;re talking about limited budgets. What do you think are some of the more cost-effective cybersecurity measures that these folks can put in place?</strong></p> <p><strong>AW:</strong> One other area that I didn&rsquo;t really mention is that for training employees, it is not just about following policies and procedures, but how can they recognize when there might be a potential cyber attack occurring? What&rsquo;s going on with their computer, what&rsquo;s going on with files, how to recognize an attack?</p> <p>There are several forms of social engineering. Phishing emails that try and trap you into providing information or clicking on a link that you shouldn&rsquo;t click on, and the link downloads malware. If you “see something, say something” is what it boils down to. And even if it&rsquo;s not something that&rsquo;s really bad, at least they&rsquo;re trying and hopefully, depending on who they&rsquo;re reporting it to, someone will follow up with them and say, &ldquo;Thanks for that report. Turns out that it was an off-cycle update of some software that we forgot to notify the employees that we were going to do. So, it glitched a system or something.&rdquo;</p> <blockquote> <p><em>&quot;“See something, say something” is what it boils down to.&quot;</em></p> </blockquote> <p>Or the alternative, &ldquo;Thanks for letting us know, that same attack has been occurring across the country in different businesses and we stopped it in time. Kudos. The CEO is going to give you an award of some sort for saving the company.” Actually, that brings up incentives. 
Some companies incentivize employees to make reports. If it turns out to be a report that leads to a definite attack that can be thwarted, then potentially there&rsquo;s an incentive reward for that.</p> <p><strong>MF:</strong> <strong>In the past we&rsquo;ve <a href="https://blog.1password.com/can-you-hack-plane-ken-munro-interview/">interviewed folks who have done physical penetration testing</a> and their assessment is like, &ldquo;Yes, you should have antivirus and yes, have your firewall set up and malware protection. But if you aren&rsquo;t training the person who is running the reception desk to not let me into the building, it doesn&rsquo;t matter what you do. As soon as I get physical access to that machine, it&rsquo;s game over.”</strong></p> <p><strong>AW:</strong> Right.</p> <p><strong>MF: So it&rsquo;s fascinating to hear you double down on that same message of there are some inexpensive things that you can do that will significantly up your cybersecurity game.</strong></p> <p><strong>AW:</strong> Social engineering is probably one of the main mechanisms for cyber criminals to get a foothold in a company. And it’s been around for eons. Maybe you’ve heard of dumpster diving? Cyber crooks will go into the trash cans of big corporations looking for bits and pieces of information. They go into personal trash cans too, to look for your bank records, gas and electric, telephone, utility bills, trying to get information about you and your accounts.</p> <blockquote> <p><em>&ldquo;Cyber crooks will go into the trash cans of big corporations looking for bits and pieces of information.&quot;</em></p> </blockquote> <p>They put a profile together of their victim so that when they go and talk to that person, they can talk intelligently about, &ldquo;Oh, I&rsquo;m calling from the gas company and your account that ends in the last four digits,&rdquo; which are the last four digits of their account. Because guess what? 
They went in their trash and they found a statement.</p> <p>Another physical attack method is piggybacking. If you&rsquo;re in a building that has card key access or restricted access and you&rsquo;re an employee walking in, there may be someone waiting by the door with their arms full of papers and a briefcase or whatever. They say: &ldquo;Oh, I can&rsquo;t get to my card key right now, can you just let me in?&rdquo; Of course, most people say, &ldquo;Oh sure, I&rsquo;ll let you in.&rdquo;</p> <p>We have people that steal utility uniforms or other uniforms for service companies and they&rsquo;ll put the uniform on, they&rsquo;ll make a fake ID badge, and they&rsquo;ll go into the company and say: &ldquo;We got a service call to check on X, Y, Z.&rdquo; It could be air conditioning, it could be computer related – almost any maintenance task. And their whole thing is to get them inside the locked doors so they can find the computer room and get the stuff.</p> <p><strong>MF: For small business owners or for people who work for a small business, do you have any advice or words of encouragement when it comes to creating a robust cybersecurity program?</strong></p> <p><strong>AW:</strong> You don&rsquo;t have to buy my book, but you should probably get some sort of resource that talks about how to set up basic cybersecurity measures. Because it truly is a matter of “when and not if” every business will be attacked.</p> <p>The book that I have is in basic business terms, so of course I would recommend it. It has templates that come with it, such as for setting policies and for doing a strategy.</p> <p>A common question that businesses ask is &ldquo;how long does it take?&rdquo; It depends on how complex of a program you want to implement. I would say a minimum of six to eight months and a maximum of a year to really get into and through everything. 
Because some of it you don&rsquo;t want to rush, and even for policy-related things, you need to have sufficient time to get them incorporated and assimilated into the business culture.</p> <p><strong>MF: If folks want to learn more about you, your new book, or CIS Controls, where should they go?</strong></p> <p><strong>AW:</strong> I have a <a href="https://www.linkedin.com/in/alan-watkins-9203b630/">LinkedIn profile</a>. You can get my book at <a href="https://cisodrg.com/">cisodrg.com</a> or on Amazon. And go to <a href="http://www.cisecurity.org/">CIS</a> to get information on the CIS Controls.</p> <section class="c-call-to-action-box c-call-to-action-box--yellow"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Subscribe to Random but Memorable</h3> <p class="c-call-to-action-box__text"> Listen to the latest news, tips and advice to level up your security game, as well as guest interviews with leaders from the security community. </p> <a href="https://randombutmemorable.simplecast.com/" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--yellow" data-event-category="CTA" data-event-action="call-to-action-button"> Subscribe to our podcast </a> </div> </section></description></item><item><title>How the 1Password Device Trust agent autoupdates</title><link>https://blog.1password.com/how-the-1password-device-trust-agent-autoupdates/</link><pubDate>Wed, 25 Sep 2024 00:00:00 +0000</pubDate><author>info@1password.com (Becca Mahany-Horton)</author><guid>https://blog.1password.com/how-the-1password-device-trust-agent-autoupdates/</guid><description> <img src='https://blog.1password.com/posts/2024/how-the-1password-device-trust-agent-autoupdates/header.png' class='webfeedsFeaturedVisual' alt='How the 1Password Device Trust agent autoupdates' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">This blog post describes the process for securely updating 
1Password&rsquo;s Device Trust agent.</p> <p>From a user&rsquo;s perspective, the agent update process for 1Password Device Trust is functionally invisible. Most users are familiar with having to download new updates for software, or at least having to click &ldquo;yes&rdquo; on a prompt to restart an app so that it can update. But the Device Trust agent doesn&rsquo;t require any action from the user to update – it securely autoupdates itself and its components.</p> <p>Given device trust&rsquo;s importance as a security tool and its role in user authentication, it&rsquo;s really important that the autoupdate process be as secure as possible. So let&rsquo;s explain why we chose this approach, and how we ensure that our process is secure.</p> <h2 id="how-and-why-do-we-autoupdate-the-device-trust-agent">How and why do we autoupdate the Device Trust agent?</h2> <p>The 1Password Device Trust agent autoupdates itself in order to receive new features, improvements, and fixes as quickly as possible.</p> <p>At a high level, these are the steps in the autoupdate process:</p> <ol> <li> <p>Once an hour while the device is awake, the agent checks for updates (both for itself and for the osquery binary).</p> </li> <li> <p>If an update is available, the agent downloads and verifies the update, stores it in its update library, and runs the update.</p> </li> <li> <p>Whenever the device is restarted, the agent chooses the appropriate update from its update library to run.</p> </li> </ol> <h2 id="the-details">The details</h2> <p>To ensure that updates have not been tampered with, we use <a href="https://theupdateframework.io/">The Update Framework</a> (TUF) to verify signatures. TUF defines a specification for secure software update systems.</p> <h3 id="what-is-tuf-and-why-do-we-use-it">What is TUF and why do we use it?</h3> <p>The Update Framework (TUF) is the framework that we use for providing secure software updates to the 1Password Device Trust agent. 
TUF computes metadata about each update (called a &ldquo;target file&rdquo; in TUF), and then stores that metadata in a new, signed version of its metadata files, creating a trusted line of continuity from the first version of these files to the latest. This trusted line of continuity allows the 1Password Device Trust agent to safely download updates, to confirm the integrity of the updates, and to be certain that it is running the latest update available.</p> <h3 id="how-does-the-1password-device-trust-agent-make-updates-available-using-tuf">How does the 1Password Device Trust agent make updates available using TUF?</h3> <p>We use TUF to serve the checksum and file integrity information for agent updates. We also store which update is the current stable version in TUF. We store this data in a bucket (the &ldquo;TUF metadata bucket&rdquo; in the diagram below), and the binaries in a separate bucket (the &ldquo;Updates bucket&rdquo; in the diagram below).</p> <p>Per <a href="https://theupdateframework.github.io/specification/latest/#key-management-and-migration">the TUF specification</a>, we encrypt and store the signing keys separately from the 1Password Device Trust agent updates and the TUF metadata, in a secret manager.</p> <img src='https://blog.1password.com/posts/2024/how-the-1password-device-trust-agent-autoupdates/mermaid-steps-diagram.png' alt='A diagram showing the update release process.' title='A diagram showing the update release process.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>Making an update available is a two-step process. The first step is the upload of the tagged update itself. The second step is promoting that tag to the stable release channel, which will tell the 1Password Device Trust agent that there is a new update to download.</p> <p>First, we tag a new release (for example, v1.0.0 in the diagram above), which then kicks off a series of GitHub actions to perform the upload. 
The update is built, signed, notarized (for macOS), validated, and uploaded to the download bucket. Then, we use the <a href="https://github.com/theupdateframework/go-tuf">go-tuf package</a> to compute the corresponding metadata for that update, and upload that metadata to the TUF metadata bucket.</p> <p>Before proceeding, we test this update to ensure it is safe to release. At 1Password, we use our own software – so each employee on the device trust team runs this new update for at least a week and reports any issues they see. The engineering team runs automated tests against this update, and also performs manual release validation against this update on macOS, Windows, and Linux devices.</p> <p>Finally, once we have determined the release is ready to be promoted to the stable release channel, we again use GitHub actions to update the TUF metadata for the stable release channel, indicating that the tagged update is our new stable version.</p> <h2 id="how-does-the-1password-device-trust-agent-download-and-verify-updates">How does the 1Password Device Trust agent download and verify updates?</h2> <img src='https://blog.1password.com/posts/2024/how-the-1password-device-trust-agent-autoupdates/mermaid-agent-restart-diagram.png' alt='A diagram showing how the device trust agent downloads and verifies updates.' title='A diagram showing how the device trust agent downloads and verifies updates.' 
style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>The 1Password Device Trust agent ships with a set of files representing a known, verified state of our TUF repository.</p> <p>While the 1Password Device Trust agent runs, it periodically downloads and verifies incremental, sequential metadata updates to sync the state of its local TUF repository with the state of the metadata in the TUF metadata bucket.</p> <p>The agent checks after each sync to see if the release metadata for the stable channel has been updated to point to a new version as the stable version. If it has, the agent will download the corresponding update from the download bucket. It then validates the downloaded update by comparing the update&rsquo;s metadata against the known, authentic metadata for that update stored in its local TUF repository. If the update is valid, then the agent writes the update to disk and runs it.</p> <h2 id="conclusion">Conclusion</h2> <p>1Password uses an audited update framework to record identifying metadata about each Device Trust agent update, and the agent itself uses the same framework to validate the updates that it downloads before storing or running them. The result is a secure autoupdate system that doesn&rsquo;t require any effort from the user to ensure the 1Password Device Trust agent is running the latest stable update.</p> <p>Want to learn more about how 1Password Extended Access Management works? 
<a href="https://1password.com/product/xam">Schedule a demo today</a>!</p></description></item><item><title>Is Microsoft Defender antivirus enough for SOC 2 compliance?</title><link>https://blog.1password.com/is-microsoft-defender-enough-for-soc-2/</link><pubDate>Wed, 25 Sep 2024 00:00:00 +0000</pubDate><author>info@1password.com (Jason Meller)</author><guid>https://blog.1password.com/is-microsoft-defender-enough-for-soc-2/</guid><description> <img src='https://blog.1password.com/posts/2024/is-microsoft-defender-enough-for-soc-2/header.png' class='webfeedsFeaturedVisual' alt='Is Microsoft Defender antivirus enough for SOC 2 compliance?' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Osquery makes the built-in antivirus in Windows audit ready.</p> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div class="c-technical-aside-box__description"> <p>This article was originally written in 2022. While we&rsquo;ve done our best to update its information, and the osquery advice is still useful, be sure to do your due diligence when looking at the security capabilities of your own Windows fleet!</p> <p>Also, this article is just about Microsoft devices. Want to know our perspective on third-party AV for macOS? Check out &ldquo;<a href="https://blog.1password.com/do-macs-need-antivirus-for-soc-2/">Do Macs need third-party antivirus for SOC 2 compliance?</a>&rdquo;</p> </div> </aside> <p>Third-party malware detection and prevention (what we used to call &ldquo;antivirus&rdquo; over a decade ago) is not every Windows administrator&rsquo;s cup of tea. Some have bigger fish to fry (e.g., getting endpoint visibility, for starters). 
Others are content with the built-in anti-malware capabilities of Windows, and thus have no plans to deploy AV on its own merits.</p> <p>Unfortunately, SOC 2 and other similar audits are forcing both types of Windows IT admins to purchase and deploy antivirus-like software, earlier and earlier in the organization&rsquo;s lifecycle. When I ask IT admins who weren&rsquo;t psyched about deploying AV why they did it anyway, their responses generally fall into two buckets:</p> <ol> <li> <p>They don&rsquo;t believe Windows has sufficient anti-malware capabilities to pass a SOC 2 audit.*</p> </li> <li> <p>They cannot pass compliance audits like SOC 2 without enterprise reporting features around malware protection.</p> </li> </ol> <p>In this article, we&rsquo;ll challenge both of these assumptions. Most importantly, I want to show that with open-source tools, you can pass a SOC 2 audit with the built-in anti-malware capabilities of Windows (Microsoft Defender). I&rsquo;ll also explain how you can &ldquo;defend&rdquo; (no pun intended) that position to senior leadership and auditors.</p> <p><em>*Compliance auditors <a href="https://www.a-lign.com/resources/can-you-fail-a-soc-2-examination">get annoyed</a> when you use binary terms like &ldquo;pass&rdquo; or &ldquo;fail&rdquo; to describe the outcome of an audit. Instead they use terms like &ldquo;modified&rdquo; or &ldquo;qualified&rdquo;. When I use the word &ldquo;pass&rdquo; in this article, I mean that you have obtained a SOC 2 report without negative qualifications.</em></p> <h2 id="holistically-windows-security-is-better-than-third-party-av">Holistically, Windows' security is better than third-party AV</h2> <p>Ideally, before you face a SOC 2 audit, you should genuinely believe you&rsquo;ve made the best decisions possible regarding the security of your Windows devices. 
For example, as a security practitioner, I do <em>actually</em> believe that many organizations are better off relying on the built-in security capabilities of Microsoft Defender without a third party supplement. How can that be?</p> <p>Well, for starters, let&rsquo;s first acknowledge that the most basic and cursory research around third party AV portends a horror show of tangible consequences that include: <a href="https://www.av-comparatives.org/tests/performance-test-october-2020/">tanking an endpoint&rsquo;s performance</a>, regularly blocking legitimate software, <a href="https://www.vice.com/en_us/article/qjdkq7/avast-antivirus-sells-user-browsing-data-investigation">indiscriminately selling users' data to undisclosed parties</a>, and even <a href="https://arstechnica.com/information-technology/2016/06/25-symantec-products-open-to-wormable-attack-by-unopened-e-mail-or-links/">the software itself becoming the source of major compromise</a>.</p> <p>Okay, but not every vendor is equally afflicted by these problems, so it&rsquo;s not fair to indict the entire third-party AV industry on just those anecdotes.</p> <p>So now, let&rsquo;s talk about what we mean by &ldquo;better.&rdquo; Most AV security companies build their entire pitch based on a few measurements:</p> <ul> <li> <p>How fast can the AV detect novel/new threats?</p> </li> <li> <p>How many real-time executions of bad things did the AV stop?</p> </li> <li> <p>How many novel areas of visibility can it obtain?</p> </li> </ul> <p>Unfortunately, these measurements fail to consider the costs paid (usually by the end-user) for marginal improvements across these metrics.</p> <p>But the end-user misery of third-party AV isn&rsquo;t typically addressed until it becomes so egregious that it can be linked to a significant adverse financial event. To account for every form of misery that falls short of that bar, we need to adjust how we measure the AV&rsquo;s actual performance.</p> <p>Here is one way. 
Instead of just looking for the best antivirus performance at <em>any</em> cost, we need antivirus performance per unit of yuck, where yuck is defined as the qualitative degradation of the device&rsquo;s user experience.</p> <p>So who is better incentivized to give us maximum AV performance per yuck? In my view, it&rsquo;s clearly OS vendors (like Microsoft), and here&rsquo;s why:</p> <ol> <li> <p>OS vendors are financially impacted if users think their OS runs like junk.</p> </li> <li> <p>OS vendors rely on a thriving third party ecosystem of useful and fun software to drive the adoption of the OS itself. That means they must care deeply about how OS security impacts the viability of other software. Third party AV does not have any incentive to care about the viability of other software until their customers notice (and then rectify it by adding it to an allowlist).</p> </li> <li> <p>OS vendors can use vertical integration to develop highly efficient security systems deep in the kernel of the OS itself, and rely on the existence of sophisticated security hardware like a TPM. 
Third-party vendors cannot hook in at this deep level, and they cannot successfully advocate for dedicated hardware within the device to make their technology better.</p> </li> </ol> <p>Given the above realities, it&rsquo;s easy to see why <a href="https://docs.microsoft.com/en-us/windows/security/">Microsoft has invested heavily in Windows' built-in security capabilities</a> since the Windows XP days of yore.</p> <h3 id="microsoft-defender-antivirus">Microsoft Defender antivirus</h3> <p>Initially released in 2009 (under the name Microsoft Security Essentials), Microsoft <a href="https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows?view=o365-worldwide">Defender Antivirus</a> has evolved into a fully featured and well-regarded antivirus app that is included in all versions of Windows (including 10 &amp; 11), as part of Microsoft&rsquo;s <a href="https://www.microsoft.com/en-us/security/business/microsoft-defender">broader family</a> of security products.</p> <img src='https://blog.1password.com/posts/2024/is-microsoft-defender-enough-for-soc-2/windows-defender-key-features.jpg' alt='A graphic of the key features of microsoft defender.' title='A graphic of the key features of microsoft defender.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>Microsoft Defender Antivirus offers sufficient protection against malware, ransomware, adware, trojans, and spyware. It can block exploits, prevent network-based attacks, and flag phishing sites. 
It also has advanced features such as real-time threat protection, cloud-based updates, offline scanning, and limited periodic scanning.</p> <p>Another component, called <a href="https://support.microsoft.com/en-us/microsoft-edge/how-can-smartscreen-help-protect-me-in-microsoft-edge-1c9a874a-6826-be5e-45b1-67fa445a74c8">SmartScreen</a>, promotes secure internet browsing on Edge, and Microsoft has extended the protection to other browsers, such as Chrome and Firefox.</p> <p>Microsoft Defender also lists detected threats in security reports, which you can review on the Microsoft Defender portal.</p> <p>Additionally, the security software uses machine learning, big-data analytics, threat resistance research, and more to protect endpoints from known viruses and zero-day cyberattacks. The features are on-par with paid antivirus software, with the added benefit of being part of the operating system, so you don&rsquo;t have to do extra work to install and maintain the application.</p> <h2 id="perfect-detection-isnt-possible">Perfect detection isn&rsquo;t possible</h2> <p>When pitted against Microsoft&rsquo;s comprehensive built-in security, AV vendors' common arguments to justify their products come down to splitting hairs around detection efficacy.</p> <p>The playbook generally involves the third-party AV vendor pointing to specific malware variants that their product can detect and that Microsoft failed to add to their signature lists promptly (or at all).</p> <p>In my view, this is a foolish argument. It&rsquo;s <a href="https://gca.isa.org/blog/how-ransomware-can-evade-antivirus-software">just as easy</a> to find successful malware campaigns that no antivirus vendor could detect in a timely manner. Perfect detection/prevention is not possible, so we have to consider the other costs we pay. For instance, the trust we lose if we subject end-users to guaranteed performance degradation, false positives, and additional attack surface. 
If users are keeping a tight ship, applying updates, and not disabling <a href="https://learn.microsoft.com/en-us/windows/security/application-security/application-control/user-account-control/how-it-works">UAC</a>, there&rsquo;s very little chance that any other marginal improvements in protection will impact them.</p> <p>Expanding upon the idea that prevention eventually fails, at some point, it makes sense to find a reasonable baseline of preventative antivirus, and shift focus and resources into building a computer incident response plan. That means <em>when</em> (not if) a Windows PC does become compromised, the organization can better react to mitigate the potentially severe impacts of that compromise going unchecked.</p> <p>The prevention game is one with diminishing returns per dollar spent. On the other hand, incident response development is one of the best cybersecurity investments you can make.</p> <h2 id="compiling-data-to-meet-audit-requirements">Compiling data to meet audit requirements</h2> <p>As we saw above, Microsoft does a reasonable job protecting Windows PC users from malware.</p> <p>That&rsquo;s great news! But there&rsquo;s one problem.</p> <p>You still need to collect data to compile reports for your compliance audit. And Microsoft doesn&rsquo;t offer a way to achieve that level of fleet visibility without purchasing their suite of Endpoint Detection, Management, and Security tools (which is essentially the same thing you would be getting with third party AV).</p> <p>That&rsquo;s where osquery comes to the rescue.</p> <p>You might have heard of using osquery to take device inventory, but did you know it&rsquo;s also a handy tool for compiling data to meet SOC 2 reporting requirements?</p> <h3 id="how-osquery-supports-soc-2-compliance">How osquery supports SOC 2 compliance</h3> <p>Osquery is an open-source tool that allows users to query operating systems. 
For example, IT can use osquery to gain visibility into macOS, Windows, and Linux devices.</p> <p>You can use osquery to check all the devices in your fleet. This allows you to ensure that they follow platform-specific rules based on your company&rsquo;s data security policy and compliance standards (e.g., disk encryption, firewall status, OS updates, etc.)</p> <p>Osquery can also accumulate and log compliance data to support the SOC 2 reporting and the auditing process. You can see aggregated metrics or drill down to specifics, using various filters to demonstrate that users' devices are compliant with SOC 2 requirements.</p> <img src='https://blog.1password.com/posts/2024/is-microsoft-defender-enough-for-soc-2/osquery.png' alt='A graphic of how osquery works.' title='A graphic of how osquery works.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>Many IT professionals favor osquery because it&rsquo;s <a href="https://blog.1password.com/write-new-osquery-table/">simple, reliable, and extensible</a>. 
And since it works for all three operating systems, you can collect data on every device in your fleet without needing different tools.</p> <h2 id="how-to-use-data-collected-by-osquery-to-support-soc-2">How to use data collected by osquery to support SOC 2</h2> <p>To pass your SOC 2 audit, you must create documentation demonstrating that your systems and processes meet specific requirements.</p> <p>For instance, to show that you have the appropriate defense against malware and viruses according to Common Criteria 6.8, you need a report describing your processes for file integrity monitoring (FIM) and endpoint security management.</p> <p>Your documentation should demonstrate that:</p> <ul> <li> <p>You can track updates made to software and configuration files and changes in endpoint protection statuses and events.</p> </li> <li> <p>You have implemented controls to prevent, detect, and act upon unauthorized or malicious software introduced into your infrastructure.</p> </li> <li> <p>Only authorized individuals can install applications and software on devices connected to your network.</p> </li> <li> <p>You have processes to detect changes that could indicate the presence of unauthorized or malicious software.</p> </li> <li> <p>There&rsquo;s a management-defined change control process to monitor the implementation of software and applications.</p> </li> <li> <p>Antivirus and anti-malware software is implemented and maintained to detect and remediate malware.</p> </li> <li> <p>You follow procedures to scan information assets for malware and other unauthorized software.</p> </li> </ul> <h3 id="putting-osquery-into-action-for-soc-2-compliance">Putting osquery into action for SOC 2 compliance</h3> <p>Microsoft Defender can satisfy the technical requirements for SOC 2 certification, and you don&rsquo;t need to use third-party antivirus. But it&rsquo;s challenging to compile device data and report at scale. 
This is where osquery comes in: to provide fleet visibility, monitor activities, and collect the data you need to prove fleet compliance for SOC 2 audit and reporting.</p> <h3 id="osquery-sql-windows-security-center">Osquery SQL: Windows Security Center</h3> <p>To establish that the overall malware prevention apparatus of Windows is operational, we need to use the built-in reporting that comes with Windows itself, the Windows Security Center (or &ldquo;<a href="https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/windows-defender-security-center">Windows Security</a>&rdquo;).</p> <p>Introduced back in Windows XP SP2, the Windows Security Center APIs give us a complete health report of the state of the critical security features of Windows. Fast-forward almost two decades, and these APIs still give us the high-level insight we need.</p> <p>And, lucky for you, we&rsquo;ve already <a href="https://github.com/osquery/osquery/pull/6256">contributed a table to osquery</a> for querying this API. 
It&rsquo;s called <code>windows_security_center</code>.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-sql" data-lang="sql">SELECT * FROM windows_security_center;
</code></pre></div><pre tabindex="0"><code>osquery&gt; select * from windows_security_center;
                       firewall = Good
                     autoupdate = Good
                      antivirus = Good
              internet_settings = Good
windows_security_center_service = Good
           user_account_control = Good
</code></pre><p>While this provides us with a singular health grade for both the antivirus and 
anti-spyware protection on the Windows device, we can use <em>another</em> osquery table called <code>windows_security_products</code> to get an even deeper look.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-sql" data-lang="sql">SELECT * FROM windows_security_products;
</code></pre></div><pre tabindex="0"><code>                 type = Firewall
                 name = Windows Firewall
                state = On
      state_timestamp = NULL
     remediation_path = %windir%\system32\firewall.cpl
signatures_up_to_date = 1

                 type = Antivirus
                 name = Microsoft Defender Antivirus
                state = On
      state_timestamp = Sun, 01 May 2022 04:33:50 GMT
     remediation_path = windowsdefender://
signatures_up_to_date = 1
</code></pre><p>This table tells us which products are currently responsible for the antivirus and the application-layer firewall, and whether their signatures are up to date.</p> <h3 id="bridging-osquery-and-wmi-for-more-details">Bridging osquery and WMI for more details</h3> <p>As you can see above, osquery can help collect essential details about the state of Windows' built-in malware and virus protection. Unfortunately, this isn&rsquo;t quite enough information. For example, we are missing information about Microsoft Defender&rsquo;s configuration, and we have no idea of the results of Defender&rsquo;s scanning.</p> <p>To get that information, we need to go beyond the built-in capabilities of osquery. Fortunately, 1Password® Extended Access Management&rsquo;s <a href="https://github.com/kolide/launcher">device trust agent</a> extends osquery so that it can bridge into the Windows Management Instrumentation (WMI) API. 
This is precisely what we need to complete our data gathering story.</p> <h3 id="sql-windows-defender-configuration">SQL: Windows Defender configuration</h3> <p>In the WMI API, Microsoft offers the <code>MSFT_MpComputerStatus</code> class, which allows us to grab all the pertinent details about the current state of Windows Defender.</p> <p>While the WMI query (which also uses SQL) will look something like <code>SELECT * FROM MSFT_MpComputerStatus</code> with 1Password Extended Access Management, we need to be a bit more explicit:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-sql" data-lang="sql"><span class="k">SELECT</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="k">FROM</span><span class="w"> </span><span class="n">kolide_wmi</span><span class="w"> </span><span class="w"> </span><span class="k">WHERE</span><span class="w"> </span><span class="k">class</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s1">&#39;MSFT_MpComputerStatus&#39;</span><span class="w"> </span><span class="w"> </span><span class="k">AND</span><span class="w"> </span><span class="n">namespace</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s1">&#39;\root\Microsoft\Windows\Defender&#39;</span><span class="w"> </span><span class="w"> </span><span class="k">AND</span><span class="w"> </span><span class="n">properties</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span 
class="s1">&#39;ComputerID,ComputerState,AMProductVersion,AMServiceVersion,AntispywareSignatureVersion,AntispywareSignatureAge,AntispywareSignatureLastUpdated,AntivirusSignatureVersion,AntivirusSignatureAge,AntivirusSignatureLastUpdated,NISSignatureVersion,NISSignatureAge,NISSignatureLastUpdated,FullScanStartTime,FullScanEndTime,FullScanAge,LastQuickScanSource,LastFullScanSource,RealTimeScanDirection,QuickScanStartTime,QuickScanEndTime,QuickScanAge,AMEngineVersion,AMServiceEnabled,OnAccessProtectionEnabled,IoavProtectionEnabled,BehaviorMonitorEnabled,AntivirusEnabled,AntispywareEnabled,RealTimeProtectionEnabled,NISEngineVersion,NISEnabled&#39;</span><span class="w"> </span></code></pre></div><pre tabindex="0"><code>+────────────────────────────────────+──────────────────────────────────+─────────+────────+───────────────────────────────────────+──────────────+ | fullkey | key | parent | query | value | whereclause | +────────────────────────────────────+──────────────────────────────────+─────────+────────+───────────────────────────────────────+──────────────+ | 0/ComputerState | ComputerState | 0 | * | 0 | &quot;&quot; | | 0/AntispywareSignatureVersion | AntispywareSignatureVersion | 0 | * | 1.363.1657.0 | &quot;&quot; | | 0/AntispywareSignatureAge | AntispywareSignatureAge | 0 | * | 0 | &quot;&quot; | | 0/QuickScanEndTime | QuickScanEndTime | 0 | * | 20220507001933.450000+000 | &quot;&quot; | | 0/NISEnabled | NISEnabled | 0 | * | true | &quot;&quot; | | 0/AMServiceVersion | AMServiceVersion | 0 | * | 4.18.2203.5 | &quot;&quot; | | 0/AntispywareSignatureLastUpdated | AntispywareSignatureLastUpdated | 0 | * | 20220509023536.000000+000 | &quot;&quot; | | 0/AntivirusSignatureVersion | AntivirusSignatureVersion | 0 | * | 1.363.1657.0 | &quot;&quot; | | 0/IoavProtectionEnabled | IoavProtectionEnabled | 0 | * | true | &quot;&quot; | | 0/AntivirusSignatureLastUpdated | AntivirusSignatureLastUpdated | 0 | * | 20220509023536.000000+000 | &quot;&quot; | | 0/QuickScanAge | 
QuickScanAge | 0 | * | 2 | &quot;&quot; | | 0/AntispywareEnabled | AntispywareEnabled | 0 | * | true | &quot;&quot; | | 0/NISSignatureVersion | NISSignatureVersion | 0 | * | 1.363.1657.0 | &quot;&quot; | | 0/NISSignatureAge | NISSignatureAge | 0 | * | 0 | &quot;&quot; | | 0/FullScanAge | FullScanAge | 0 | * | '-1 | &quot;&quot; | | 0/NISEngineVersion | NISEngineVersion | 0 | * | 1.1.19200.5 | &quot;&quot; | | 0/RealTimeScanDirection | RealTimeScanDirection | 0 | * | 0 | &quot;&quot; | | 0/AMServiceEnabled | AMServiceEnabled | 0 | * | true | &quot;&quot; | | 0/ComputerID | ComputerID | 0 | * | 9802EC57-A4BB-4137-BB73-51516631CDF9 | &quot;&quot; | | 0/AMProductVersion | AMProductVersion | 0 | * | 4.18.2203.5 | &quot;&quot; | | 0/BehaviorMonitorEnabled | BehaviorMonitorEnabled | 0 | * | true | &quot;&quot; | | 0/RealTimeProtectionEnabled | RealTimeProtectionEnabled | 0 | * | true | &quot;&quot; | | 0/AntivirusSignatureAge | AntivirusSignatureAge | 0 | * | 0 | &quot;&quot; | | 0/QuickScanStartTime | QuickScanStartTime | 0 | * | 20220507001822.844000+000 | &quot;&quot; | | 0/AMEngineVersion | AMEngineVersion | 0 | * | 1.1.19200.5 | &quot;&quot; | | 0/NISSignatureLastUpdated | NISSignatureLastUpdated | 0 | * | 20220509023536.000000+000 | &quot;&quot; | | 0/LastQuickScanSource | LastQuickScanSource | 0 | * | 2 | &quot;&quot; | | 0/LastFullScanSource | LastFullScanSource | 0 | * | 0 | &quot;&quot; | | 0/OnAccessProtectionEnabled | OnAccessProtectionEnabled | 0 | * | true | &quot;&quot; | | 0/AntivirusEnabled | AntivirusEnabled | 0 | * | true | &quot;&quot; | +────────────────────────────────────+──────────────────────────────────+─────────+────────+───────────────────────────────────────+──────────────+ </code></pre><p>While this is the data we want, it&rsquo;s not quite in a format that is easy to read. 
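The pivot that turns those key/value rows into one row per WMI instance, as an added example that is not part of the original post and also covers the threat-detection query in the following section: it loads a constructed copy of such rows (values loosely modelled on the output above, not captured from a device) into an in-memory SQLite database, runs the same MAX(CASE ...) / GROUP_CONCAT pivot in the SQLite dialect osquery executes, then evaluates the pivoted MSFT_MpComputerStatus row against a Defender policy and lists MSFT_MpThreatDetection rows whose remediation did not report success. The table layout (class, namespace, fullkey, key, parent, query, value, whereclause), the instance/property/index shape assumed for array-valued properties, and the policy thresholds are assumptions; osquery's SPLIT() does not exist in plain SQLite and is emulated with instr()/substr().

```python
"""EAV pivot of kolide_wmi-style rows into one row per WMI instance, plus a Defender policy check.

Added example, not code from the original post. Runs offline against a constructed
copy of the key/value rows, using the SQLite dialect that osquery executes.
"""
import re
import sqlite3

NAMESPACE = r"\root\Microsoft\Windows\Defender"

STATUS_PROPS = ("ComputerID", "AMEngineVersion", "AMServiceEnabled", "AntivirusEnabled",
                "RealTimeProtectionEnabled", "BehaviorMonitorEnabled",
                "AntivirusSignatureAge", "QuickScanAge", "FullScanAge")
THREAT_PROPS = ("DetectionID", "ProcessName", "DomainUser", "InitialDetectionTime", "ActionSuccess")

# Constructed sample rows as (class, fullkey, value); key and parent are derived from fullkey
# the way the kolide_wmi output above shows them. Array-valued properties are assumed to
# flatten as instance/property/index. Nothing here was captured from a real device.
CONSTRUCTED_ROWS = [
    ("MSFT_MpComputerStatus", "0/ComputerID", "9802EC57-A4BB-4137-BB73-51516631CDF9"),
    ("MSFT_MpComputerStatus", "0/AMEngineVersion", "1.1.19200.5"),
    ("MSFT_MpComputerStatus", "0/AMServiceEnabled", "true"),
    ("MSFT_MpComputerStatus", "0/AntivirusEnabled", "true"),
    ("MSFT_MpComputerStatus", "0/RealTimeProtectionEnabled", "false"),
    ("MSFT_MpComputerStatus", "0/BehaviorMonitorEnabled", "true"),
    ("MSFT_MpComputerStatus", "0/AntivirusSignatureAge", "9"),
    ("MSFT_MpComputerStatus", "0/QuickScanAge", "2"),
    ("MSFT_MpComputerStatus", "0/FullScanAge", "-1"),
    ("MSFT_MpThreatDetection", "0/DetectionID", "{00000000-0000-0000-0000-000000000001}"),
    ("MSFT_MpThreatDetection", "0/ProcessName", r"C:\Windows\explorer.exe"),
    ("MSFT_MpThreatDetection", "0/DomainUser", r"CORP\alice"),
    ("MSFT_MpThreatDetection", "0/InitialDetectionTime", "20220509101500.000000+000"),
    ("MSFT_MpThreatDetection", "0/ActionSuccess", "true"),
    ("MSFT_MpThreatDetection", "0/Resources/0", r"file:_C:\Users\alice\Downloads\eicar.com"),
    ("MSFT_MpThreatDetection", "0/Resources/1", r"containerfile:_C:\Users\alice\Downloads\eicar.zip"),
    ("MSFT_MpThreatDetection", "1/DetectionID", "{00000000-0000-0000-0000-000000000002}"),
    ("MSFT_MpThreatDetection", "1/ProcessName", "Unknown"),
    ("MSFT_MpThreatDetection", "1/DomainUser", r"NT AUTHORITY\SYSTEM"),
    ("MSFT_MpThreatDetection", "1/InitialDetectionTime", "20220510080000.000000+000"),
    ("MSFT_MpThreatDetection", "1/ActionSuccess", "false"),
    ("MSFT_MpThreatDetection", "1/Resources/0", r"file:_C:\Temp\dropper.exe"),
]


def load_constructed(rows=CONSTRUCTED_ROWS):
    """Build an in-memory table shaped like kolide_wmi and fill it with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE kolide_wmi (class TEXT, namespace TEXT, fullkey TEXT, key TEXT,"
                 " parent TEXT, query TEXT, value TEXT, whereclause TEXT)")
    for wmi_class, fullkey, value in rows:
        parent, _, key = fullkey.rpartition("/")
        conn.execute("INSERT INTO kolide_wmi VALUES (?, ?, ?, ?, ?, ?, ?, ?)",
                     (wmi_class, NAMESPACE, fullkey, key, parent, "*", value, ""))
    conn.row_factory = sqlite3.Row
    return conn


_PROP_NAME = re.compile(r"^[A-Za-z][A-Za-z0-9]*$")


def snake(name):
    """AMEngineVersion -> am_engine_version, the alias style used in the queries above."""
    return re.sub(r"(?<=[a-z0-9])(?=[A-Z])|(?<=[A-Z])(?=[A-Z][a-z])", "_", name).lower()


def pivot(conn, wmi_class, scalar_props, list_props=()):
    """Return one dict per WMI instance of wmi_class.

    Scalar properties become MAX(CASE WHEN key = ... THEN value END) columns; array-valued
    properties are joined with GROUP_CONCAT over fullkey LIKE '%/prop/%'. Rows are grouped
    on the first path component of parent, which is what osquery's SPLIT(parent, '/', 0)
    yields; plain SQLite has no SPLIT, so it is emulated with instr()/substr().
    """
    for prop in (*scalar_props, *list_props):
        if not _PROP_NAME.match(prop):  # names are spliced into SQL text, so allow-list them
            raise ValueError(f"unsafe property name {prop!r}")
    cols = [f"MAX(CASE WHEN key = '{p}' THEN value END) AS {snake(p)}" for p in scalar_props]
    cols += [f"GROUP_CONCAT(CASE WHEN fullkey LIKE '%/{p}/%' THEN value END, ', ') AS {snake(p)}"
             for p in list_props]
    select_list = ", ".join(cols)
    sql = f"""
        WITH wmi_raw AS (
            SELECT *, CASE WHEN instr(parent, '/') > 0
                           THEN substr(parent, 1, instr(parent, '/') - 1)
                           ELSE parent END AS unique_id
            FROM kolide_wmi
            WHERE class = ? AND namespace = ?
        )
        SELECT unique_id, {select_list}
        FROM wmi_raw
        GROUP BY unique_id
        ORDER BY CAST(unique_id AS INTEGER)
    """
    return [dict(row) for row in conn.execute(sql, (wmi_class, NAMESPACE))]


def defender_findings(status, max_signature_age_days=3, max_quick_scan_age_days=7):
    """Policy failures for one pivoted MSFT_MpComputerStatus row; an empty list means compliant.

    The thresholds are illustrative assumptions, not values from the original post.
    """
    findings = []
    for flag in ("am_service_enabled", "antivirus_enabled",
                 "real_time_protection_enabled", "behavior_monitor_enabled"):
        if status.get(flag) != "true":  # WMI booleans arrive as the strings 'true'/'false'
            findings.append(f"{flag}={status.get(flag)}")
    if int(status["antivirus_signature_age"]) > max_signature_age_days:
        findings.append(f"antivirus_signature_age={status['antivirus_signature_age']}")
    if int(status["quick_scan_age"]) > max_quick_scan_age_days:
        findings.append(f"quick_scan_age={status['quick_scan_age']}")
    if int(status["full_scan_age"]) < 0:  # -1 as in the output above; assumed to mean no full scan yet
        findings.append("full_scan_age=no full scan recorded")
    return findings


def unresolved_threats(conn):
    """Detections whose remediation did not report success, one dict per detection."""
    rows = pivot(conn, "MSFT_MpThreatDetection", THREAT_PROPS, list_props=("Resources",))
    return [r for r in rows if r["action_success"] != "true"]


if __name__ == "__main__":
    db = load_constructed()
    current = pivot(db, "MSFT_MpComputerStatus", STATUS_PROPS)[0]
    print("status:", current)
    print("findings:", defender_findings(current))
    for threat in unresolved_threats(db):
        print("unresolved:", threat["detection_id"], threat["domain_user"], threat["resources"])
```

The property names are allow-listed before being spliced into the SELECT list because they are the one part of the query that cannot be bound as a parameter; the class and namespace are bound normally. Grouping on the first path component of parent rather than on parent itself is what keeps a detection's scalar rows (parent 0) and its Resources rows (parent 0/Resources) in the same output row.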
Using an EAV (entity-attribute-value) pivot, we can rewrite the query so that each property becomes a column and each WMI instance becomes a single row: every column is a <code>MAX(CASE WHEN key = &#39;AMEngineVersion&#39; THEN value END)</code> over the rows that share a <code>parent</code>.</p> <p>The Final SQL:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-sql" data-lang="sql"><span class="k">WITH</span><span class="w"> </span><span class="n">wmi_raw</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="p">(</span><span class="w"> </span><span class="w"> </span><span class="k">SELECT</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="k">FROM</span><span class="w"> </span><span class="n">kolide_wmi</span><span class="w"> </span><span class="w"> </span><span class="k">WHERE</span><span class="w"> </span><span class="k">class</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s1">&#39;MSFT_MpComputerStatus&#39;</span><span class="w"> </span><span class="w"> </span><span class="k">AND</span><span class="w"> </span><span class="n">namespace</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s1">&#39;\root\Microsoft\Windows\Defender&#39;</span><span class="w"> </span><span class="w"> </span><span class="k">AND</span><span class="w"> </span><span class="n">properties</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span 
class="s1">&#39;ComputerID,ComputerState,AMProductVersion,AMServiceVersion,AntispywareSignatureVersion,AntispywareSignatureAge,AntispywareSignatureLastUpdated,AntivirusSignatureVersion,AntivirusSignatureAge,AntivirusSignatureLastUpdated,NISSignatureVersion,NISSignatureAge,NISSignatureLastUpdated,FullScanStartTime,FullScanEndTime,FullScanAge,LastQuickScanSource,LastFullScanSource,RealTimeScanDirection,QuickScanStartTime,QuickScanEndTime,QuickScanAge,AMEngineVersion,AMServiceEnabled,OnAccessProtectionEnabled,IoavProtectionEnabled,BehaviorMonitorEnabled,AntivirusEnabled,AntispywareEnabled,RealTimeProtectionEnabled,NISEngineVersion,NISEnabled&#39;</span><span class="w"> </span><span class="w"></span><span class="p">),</span><span class="w"> </span><span class="n">microsoft_windows_defender_config</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="p">(</span><span class="w"> </span><span class="w"></span><span class="k">SELECT</span><span class="w"> </span><span class="w"> </span><span class="k">MAX</span><span class="p">(</span><span class="k">CASE</span><span class="w"> </span><span class="k">WHEN</span><span class="w"> </span><span class="k">key</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s1">&#39;AMEngineVersion&#39;</span><span class="w"> </span><span class="k">THEN</span><span class="w"> </span><span class="n">value</span><span class="w"> </span><span class="k">END</span><span class="p">)</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="n">am_engine_version</span><span class="p">,</span><span class="w"> </span><span class="w"> </span><span class="k">MAX</span><span class="p">(</span><span class="k">CASE</span><span class="w"> </span><span class="k">WHEN</span><span class="w"> </span><span class="k">key</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s1">&#39;AMProductVersion&#39;</span><span 
class="w"> </span><span class="k">THEN</span><span class="w"> </span><span class="n">value</span><span class="w"> </span><span class="k">END</span><span class="p">)</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="n">am_product_version</span><span class="p">,</span><span class="w"> </span><span class="w"> </span><span class="k">MAX</span><span class="p">(</span><span class="k">CASE</span><span class="w"> </span><span class="k">WHEN</span><span class="w"> </span><span class="k">key</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s1">&#39;AMServiceEnabled&#39;</span><span class="w"> </span><span class="k">THEN</span><span class="w"> </span><span class="n">value</span><span class="w"> </span><span class="k">END</span><span class="p">)</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="n">am_service_enabled</span><span class="p">,</span><span class="w"> </span><span class="w"> </span><span class="k">MAX</span><span class="p">(</span><span class="k">CASE</span><span class="w"> </span><span class="k">WHEN</span><span class="w"> </span><span class="k">key</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s1">&#39;AMServiceVersion&#39;</span><span class="w"> </span><span class="k">THEN</span><span class="w"> </span><span class="n">value</span><span class="w"> </span><span class="k">END</span><span class="p">)</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="n">am_service_version</span><span class="p">,</span><span class="w"> </span><span class="w"> </span><span class="k">MAX</span><span class="p">(</span><span class="k">CASE</span><span class="w"> </span><span class="k">WHEN</span><span class="w"> </span><span class="k">key</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s1">&#39;AntispywareEnabled&#39;</span><span 
class="w"> </span><span class="k">THEN</span><span class="w"> </span><span class="n">value</span><span class="w"> </span><span class="k">END</span><span class="p">)</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="n">antispyware_enabled</span><span class="p">,</span><span class="w"> </span><span class="w"> </span><span class="k">MAX</span><span class="p">(</span><span class="k">CASE</span><span class="w"> </span><span class="k">WHEN</span><span class="w"> </span><span class="k">key</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s1">&#39;AntispywareSignatureAge&#39;</span><span class="w"> </span><span class="k">THEN</span><span class="w"> </span><span class="n">value</span><span class="w"> </span><span class="k">END</span><span class="p">)</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="n">antispyware_signature_age</span><span class="p">,</span><span class="w"> </span><span class="w"> </span><span class="k">MAX</span><span class="p">(</span><span class="k">CASE</span><span class="w"> </span><span class="k">WHEN</span><span class="w"> </span><span class="k">key</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s1">&#39;AntispywareSignatureLastUpdated&#39;</span><span class="w"> </span><span class="k">THEN</span><span class="w"> </span><span class="n">value</span><span class="w"> </span><span class="k">END</span><span class="p">)</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="n">antispyware_signature_last_updated</span><span class="p">,</span><span class="w"> </span><span class="w"> </span><span class="k">MAX</span><span class="p">(</span><span class="k">CASE</span><span class="w"> </span><span class="k">WHEN</span><span class="w"> </span><span class="k">key</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span 
class="s1">&#39;AntispywareSignatureVersion&#39;</span><span class="w"> </span><span class="k">THEN</span><span class="w"> </span><span class="n">value</span><span class="w"> </span><span class="k">END</span><span class="p">)</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="n">antispyware_signature_version</span><span class="p">,</span><span class="w"> </span><span class="w"> </span><span class="k">MAX</span><span class="p">(</span><span class="k">CASE</span><span class="w"> </span><span class="k">WHEN</span><span class="w"> </span><span class="k">key</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s1">&#39;AntivirusEnabled&#39;</span><span class="w"> </span><span class="k">THEN</span><span class="w"> </span><span class="n">value</span><span class="w"> </span><span class="k">END</span><span class="p">)</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="n">antivirus_enabled</span><span class="p">,</span><span class="w"> </span><span class="w"> </span><span class="k">MAX</span><span class="p">(</span><span class="k">CASE</span><span class="w"> </span><span class="k">WHEN</span><span class="w"> </span><span class="k">key</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s1">&#39;AntivirusSignatureAge&#39;</span><span class="w"> </span><span class="k">THEN</span><span class="w"> </span><span class="n">value</span><span class="w"> </span><span class="k">END</span><span class="p">)</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="n">antivirus_signature_age</span><span class="p">,</span><span class="w"> </span><span class="w"> </span><span class="k">MAX</span><span class="p">(</span><span class="k">CASE</span><span class="w"> </span><span class="k">WHEN</span><span class="w"> </span><span class="k">key</span><span class="w"> </span><span class="o">=</span><span 
class="w"> </span><span class="s1">&#39;AntivirusSignatureLastUpdated&#39;</span><span class="w"> </span><span class="k">THEN</span><span class="w"> </span><span class="n">value</span><span class="w"> </span><span class="k">END</span><span class="p">)</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="n">antivirus_signature_last_updated</span><span class="p">,</span><span class="w"> </span><span class="w"> </span><span class="k">MAX</span><span class="p">(</span><span class="k">CASE</span><span class="w"> </span><span class="k">WHEN</span><span class="w"> </span><span class="k">key</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s1">&#39;AntivirusSignatureVersion&#39;</span><span class="w"> </span><span class="k">THEN</span><span class="w"> </span><span class="n">value</span><span class="w"> </span><span class="k">END</span><span class="p">)</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="n">antivirus_signature_version</span><span class="p">,</span><span class="w"> </span><span class="w"> </span><span class="k">MAX</span><span class="p">(</span><span class="k">CASE</span><span class="w"> </span><span class="k">WHEN</span><span class="w"> </span><span class="k">key</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s1">&#39;BehaviorMonitorEnabled&#39;</span><span class="w"> </span><span class="k">THEN</span><span class="w"> </span><span class="n">value</span><span class="w"> </span><span class="k">END</span><span class="p">)</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="n">behavior_monitor_enabled</span><span class="p">,</span><span class="w"> </span><span class="w"> </span><span class="k">MAX</span><span class="p">(</span><span class="k">CASE</span><span class="w"> </span><span class="k">WHEN</span><span class="w"> </span><span class="k">key</span><span 
class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s1">&#39;ComputerID&#39;</span><span class="w"> </span><span class="k">THEN</span><span class="w"> </span><span class="n">value</span><span class="w"> </span><span class="k">END</span><span class="p">)</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="n">computer_id</span><span class="p">,</span><span class="w"> </span><span class="w"> </span><span class="k">MAX</span><span class="p">(</span><span class="k">CASE</span><span class="w"> </span><span class="k">WHEN</span><span class="w"> </span><span class="k">key</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s1">&#39;ComputerState&#39;</span><span class="w"> </span><span class="k">THEN</span><span class="w"> </span><span class="n">value</span><span class="w"> </span><span class="k">END</span><span class="p">)</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="n">computer_state</span><span class="p">,</span><span class="w"> </span><span class="w"> </span><span class="k">MAX</span><span class="p">(</span><span class="k">CASE</span><span class="w"> </span><span class="k">WHEN</span><span class="w"> </span><span class="k">key</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s1">&#39;FullScanAge&#39;</span><span class="w"> </span><span class="k">THEN</span><span class="w"> </span><span class="n">value</span><span class="w"> </span><span class="k">END</span><span class="p">)</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="n">full_scan_age</span><span class="p">,</span><span class="w"> </span><span class="w"> </span><span class="k">MAX</span><span class="p">(</span><span class="k">CASE</span><span class="w"> </span><span class="k">WHEN</span><span class="w"> </span><span class="k">key</span><span class="w"> </span><span 
class="o">=</span><span class="w"> </span><span class="s1">&#39;IoavProtectionEnabled&#39;</span><span class="w"> </span><span class="k">THEN</span><span class="w"> </span><span class="n">value</span><span class="w"> </span><span class="k">END</span><span class="p">)</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="n">ioav_protection_enabled</span><span class="p">,</span><span class="w"> </span><span class="w"> </span><span class="k">MAX</span><span class="p">(</span><span class="k">CASE</span><span class="w"> </span><span class="k">WHEN</span><span class="w"> </span><span class="k">key</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s1">&#39;LastQuickScanSource&#39;</span><span class="w"> </span><span class="k">THEN</span><span class="w"> </span><span class="n">value</span><span class="w"> </span><span class="k">END</span><span class="p">)</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="n">last_quick_scan_source</span><span class="p">,</span><span class="w"> </span><span class="w"> </span><span class="k">MAX</span><span class="p">(</span><span class="k">CASE</span><span class="w"> </span><span class="k">WHEN</span><span class="w"> </span><span class="k">key</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s1">&#39;LastFullScanSource&#39;</span><span class="w"> </span><span class="k">THEN</span><span class="w"> </span><span class="n">value</span><span class="w"> </span><span class="k">END</span><span class="p">)</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="n">last_full_scan_source</span><span class="p">,</span><span class="w"> </span><span class="w"> </span><span class="k">MAX</span><span class="p">(</span><span class="k">CASE</span><span class="w"> </span><span class="k">WHEN</span><span class="w"> </span><span class="k">key</span><span class="w"> 
</span><span class="o">=</span><span class="w"> </span><span class="s1">&#39;NISEnabled&#39;</span><span class="w"> </span><span class="k">THEN</span><span class="w"> </span><span class="n">value</span><span class="w"> </span><span class="k">END</span><span class="p">)</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="n">nis_enabled</span><span class="p">,</span><span class="w"> </span><span class="w"> </span><span class="k">MAX</span><span class="p">(</span><span class="k">CASE</span><span class="w"> </span><span class="k">WHEN</span><span class="w"> </span><span class="k">key</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s1">&#39;NISEngineVersion&#39;</span><span class="w"> </span><span class="k">THEN</span><span class="w"> </span><span class="n">value</span><span class="w"> </span><span class="k">END</span><span class="p">)</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="n">nis_engine_version</span><span class="p">,</span><span class="w"> </span><span class="w"> </span><span class="k">MAX</span><span class="p">(</span><span class="k">CASE</span><span class="w"> </span><span class="k">WHEN</span><span class="w"> </span><span class="k">key</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s1">&#39;NISSignatureAge&#39;</span><span class="w"> </span><span class="k">THEN</span><span class="w"> </span><span class="n">value</span><span class="w"> </span><span class="k">END</span><span class="p">)</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="n">nis_signature_age</span><span class="p">,</span><span class="w"> </span><span class="w"> </span><span class="k">MAX</span><span class="p">(</span><span class="k">CASE</span><span class="w"> </span><span class="k">WHEN</span><span class="w"> </span><span class="k">key</span><span class="w"> </span><span 
class="o">=</span><span class="w"> </span><span class="s1">&#39;NISSignatureLastUpdated&#39;</span><span class="w"> </span><span class="k">THEN</span><span class="w"> </span><span class="n">value</span><span class="w"> </span><span class="k">END</span><span class="p">)</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="n">nis_signature_last_updated</span><span class="p">,</span><span class="w"> </span><span class="w"> </span><span class="k">MAX</span><span class="p">(</span><span class="k">CASE</span><span class="w"> </span><span class="k">WHEN</span><span class="w"> </span><span class="k">key</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s1">&#39;NISSignatureVersion&#39;</span><span class="w"> </span><span class="k">THEN</span><span class="w"> </span><span class="n">value</span><span class="w"> </span><span class="k">END</span><span class="p">)</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="n">nis_signature_version</span><span class="p">,</span><span class="w"> </span><span class="w"> </span><span class="k">MAX</span><span class="p">(</span><span class="k">CASE</span><span class="w"> </span><span class="k">WHEN</span><span class="w"> </span><span class="k">key</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s1">&#39;OnAccessProtectionEnabled&#39;</span><span class="w"> </span><span class="k">THEN</span><span class="w"> </span><span class="n">value</span><span class="w"> </span><span class="k">END</span><span class="p">)</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="n">on_access_protection_enabled</span><span class="p">,</span><span class="w"> </span><span class="w"> </span><span class="k">MAX</span><span class="p">(</span><span class="k">CASE</span><span class="w"> </span><span class="k">WHEN</span><span class="w"> </span><span 
class="k">key</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s1">&#39;QuickScanAge&#39;</span><span class="w"> </span><span class="k">THEN</span><span class="w"> </span><span class="n">value</span><span class="w"> </span><span class="k">END</span><span class="p">)</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="n">quick_scan_age</span><span class="p">,</span><span class="w"> </span><span class="w"> </span><span class="k">MAX</span><span class="p">(</span><span class="k">CASE</span><span class="w"> </span><span class="k">WHEN</span><span class="w"> </span><span class="k">key</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s1">&#39;QuickScanEndTime&#39;</span><span class="w"> </span><span class="k">THEN</span><span class="w"> </span><span class="n">value</span><span class="w"> </span><span class="k">END</span><span class="p">)</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="n">quick_scan_end_time</span><span class="p">,</span><span class="w"> </span><span class="w"> </span><span class="k">MAX</span><span class="p">(</span><span class="k">CASE</span><span class="w"> </span><span class="k">WHEN</span><span class="w"> </span><span class="k">key</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s1">&#39;QuickScanStartTime&#39;</span><span class="w"> </span><span class="k">THEN</span><span class="w"> </span><span class="n">value</span><span class="w"> </span><span class="k">END</span><span class="p">)</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="n">quick_scan_start_time</span><span class="p">,</span><span class="w"> </span><span class="w"> </span><span class="k">MAX</span><span class="p">(</span><span class="k">CASE</span><span class="w"> </span><span class="k">WHEN</span><span class="w"> </span><span 
class="k">key</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s1">&#39;RealTimeProtectionEnabled&#39;</span><span class="w"> </span><span class="k">THEN</span><span class="w"> </span><span class="n">value</span><span class="w"> </span><span class="k">END</span><span class="p">)</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="n">real_time_protection_enabled</span><span class="p">,</span><span class="w"> </span><span class="w"> </span><span class="k">MAX</span><span class="p">(</span><span class="k">CASE</span><span class="w"> </span><span class="k">WHEN</span><span class="w"> </span><span class="k">key</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s1">&#39;RealTimeScanDirection&#39;</span><span class="w"> </span><span class="k">THEN</span><span class="w"> </span><span class="n">value</span><span class="w"> </span><span class="k">END</span><span class="p">)</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="n">real_time_scan_direction</span><span class="w"> </span><span class="w"> </span><span class="k">FROM</span><span class="w"> </span><span class="n">wmi_raw</span><span class="w"> </span><span class="k">GROUP</span><span class="w"> </span><span class="k">BY</span><span class="w"> </span><span class="n">parent</span><span class="w"> </span><span class="w"></span><span class="p">)</span><span class="w"> </span><span class="w"> </span><span class="w"></span><span class="k">SELECT</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="k">FROM</span><span class="w"> </span><span class="n">microsoft_windows_defender_config</span><span class="p">;</span><span class="w"> </span></code></pre></div><pre 
tabindex="0"><code>+────────────────────+─────────────────────+─────────────────────+─────────────────────+──────────────────────+────────────────────────────+─────────────────────────────────────+────────────────────────────────+────────────────────+──────────────────────────+───────────────────────────────────+──────────────────────────────+───────────────────────────+───────────────────────────────────────+─────────────────+────────────────+──────────────────────────+────────────────────────+─────────────────────────+──────────────+─────────────────────+────────────────────+─────────────────────────────+────────────────────────+───────────────────────────────+─────────────────+────────────────────────────+────────────────────────────+───────────────────────────────+───────────────────────────+
| am_engine_version | am_product_version | am_service_enabled | am_service_version | antispyware_enabled | antispyware_signature_age | antispyware_signature_last_updated | antispyware_signature_version | antivirus_enabled | antivirus_signature_age | antivirus_signature_last_updated | antivirus_signature_version | behavior_monitor_enabled | computer_id | computer_state | full_scan_age | ioav_protection_enabled | last_full_scan_source | last_quick_scan_source | nis_enabled | nis_engine_version | nis_signature_age | nis_signature_last_updated | nis_signature_version | on_access_protection_enabled | quick_scan_age | quick_scan_end_time | quick_scan_start_time | real_time_protection_enabled | real_time_scan_direction |
+────────────────────+─────────────────────+─────────────────────+─────────────────────+──────────────────────+────────────────────────────+─────────────────────────────────────+────────────────────────────────+────────────────────+──────────────────────────+───────────────────────────────────+──────────────────────────────+───────────────────────────+───────────────────────────────────────+─────────────────+────────────────+──────────────────────────+────────────────────────+─────────────────────────+──────────────+─────────────────────+────────────────────+─────────────────────────────+────────────────────────+───────────────────────────────+─────────────────+────────────────────────────+────────────────────────────+───────────────────────────────+───────────────────────────+
| 1.1.19200.5 | 4.18.2203.5 | true | 4.18.2203.5 | true | 0 | 20220509023536.000000+000 | 1.363.1657.0 | true | 0 | 20220509023536.000000+000 | 1.363.1657.0 | true | 08FB414B-6118-4183-B65E-3FBA345670EF | 0 | '-1 | true | 0 | 2 | true | 1.1.19200.5 | 0 | 20220509023536.000000+000 | 1.363.1657.0 | true | 6 | 20220502134713.979000+000 | 20220502134622.525000+000 | true | 0 |
+────────────────────+─────────────────────+─────────────────────+─────────────────────+──────────────────────+────────────────────────────+─────────────────────────────────────+────────────────────────────────+────────────────────+──────────────────────────+───────────────────────────────────+──────────────────────────────+───────────────────────────+───────────────────────────────────────+─────────────────+────────────────+──────────────────────────+────────────────────────+─────────────────────────+──────────────+─────────────────────+────────────────────+─────────────────────────────+────────────────────────+───────────────────────────────+─────────────────+────────────────────────────+────────────────────────────+───────────────────────────────+───────────────────────────+
</code></pre><h3 
id="sql-windows-defender-detected-threats">SQL: Windows Defender detected threats</h3> <p>There&rsquo;s another important piece of data we need: has Windows Defender detected any threats across my devices? Again, there is a WMI class called <code>MSFT_MpThreatDetection</code> (<a href="https://docs.microsoft.com/en-us/previous-versions/windows/desktop/defender/msft-mpthreatdetection">docs</a>) which we can tap into using 1Password Extended Access Management&rsquo;s WMI-to-osquery bridge.</p> <p>The same pivot we used in the previous section applies here, with two differences. A device can carry several detections, so the query derives a <code>unique_id</code> from the first path component of <code>parent</code> (osquery&rsquo;s <code>SPLIT(parent, &#39;/&#39;, 0)</code>) so that each detection becomes its own row, and the array-valued <code>Resources</code> property is folded into one comma-separated column with <code>GROUP_CONCAT</code>.</p> <p>Here is the final SQL:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-sql" data-lang="sql"><span class="k">WITH</span><span class="w"> </span><span class="n">wmi_raw</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="p">(</span><span class="w"> </span><span class="w"> </span><span class="k">SELECT</span><span class="w"> </span><span class="o">*</span><span class="p">,</span><span class="w"> </span><span class="n">SPLIT</span><span class="p">(</span><span class="n">parent</span><span class="p">,</span><span class="w"> </span><span class="s1">&#39;/&#39;</span><span class="p">,</span><span class="w"> </span><span class="mi">0</span><span class="p">)</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="n">unique_id</span><span class="w"> </span><span class="k">FROM</span><span class="w"> </span><span class="n">kolide_wmi</span><span class="w"> </span><span class="w"> </span><span class="k">WHERE</span><span class="w"> </span><span class="k">class</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s1">&#39;MSFT_MpThreatDetection&#39;</span><span class="w"> </span><span class="w"> </span><span class="k">AND</span><span class="w"> </span><span 
class="n">namespace</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s1">&#39;\root\Microsoft\Windows\Defender&#39;</span><span class="w"> </span><span class="w"> </span><span class="k">AND</span><span class="w"> </span><span class="n">properties</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s1">&#39;DetectionID,ThreatID,ProcessName,DomainUser,DetectionSourceTypeID,Resources,InitialDetectionTime,LastThreatStatusChangeTime,RemediationTime,CurrentThreatExecutionStatusID,ThreatStatusID,ThreatStatusErrorCode,CleaningActionID,AMProductVersion,ActionSuccess,AdditionalActionsBitMask&#39;</span><span class="w"> </span><span class="w"></span><span class="p">),</span><span class="w"> </span><span class="n">microsoft_windows_defender_threats</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="p">(</span><span class="w"> </span><span class="w"></span><span class="k">SELECT</span><span class="w"> </span><span class="w"> </span><span class="k">MAX</span><span class="p">(</span><span class="k">CASE</span><span class="w"> </span><span class="k">WHEN</span><span class="w"> </span><span class="k">key</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s1">&#39;DetectionID&#39;</span><span class="w"> </span><span class="k">THEN</span><span class="w"> </span><span class="n">value</span><span class="w"> </span><span class="k">END</span><span class="p">)</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="n">detection_id</span><span class="p">,</span><span class="w"> </span><span class="w"> </span><span class="k">MAX</span><span class="p">(</span><span class="k">CASE</span><span class="w"> </span><span class="k">WHEN</span><span class="w"> </span><span class="k">key</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span 
class="s1">&#39;ThreatID&#39;</span><span class="w"> </span><span class="k">THEN</span><span class="w"> </span><span class="n">value</span><span class="w"> </span><span class="k">END</span><span class="p">)</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="n">threat_id</span><span class="p">,</span><span class="w"> </span><span class="w"> </span><span class="k">MAX</span><span class="p">(</span><span class="k">CASE</span><span class="w"> </span><span class="k">WHEN</span><span class="w"> </span><span class="k">key</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s1">&#39;ProcessName&#39;</span><span class="w"> </span><span class="k">THEN</span><span class="w"> </span><span class="n">value</span><span class="w"> </span><span class="k">END</span><span class="p">)</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="n">process_name</span><span class="p">,</span><span class="w"> </span><span class="w"> </span><span class="k">MAX</span><span class="p">(</span><span class="k">CASE</span><span class="w"> </span><span class="k">WHEN</span><span class="w"> </span><span class="k">key</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s1">&#39;DomainUser&#39;</span><span class="w"> </span><span class="k">THEN</span><span class="w"> </span><span class="n">value</span><span class="w"> </span><span class="k">END</span><span class="p">)</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="n">domain_user</span><span class="p">,</span><span class="w"> </span><span class="w"> </span><span class="k">MAX</span><span class="p">(</span><span class="k">CASE</span><span class="w"> </span><span class="k">WHEN</span><span class="w"> </span><span class="k">key</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span 
class="s1">&#39;DetectionSourceTypeID&#39;</span><span class="w"> </span><span class="k">THEN</span><span class="w"> </span><span class="n">value</span><span class="w"> </span><span class="k">END</span><span class="p">)</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="n">detection_source_type_id</span><span class="p">,</span><span class="w"> </span><span class="w"> </span><span class="n">GROUP_CONCAT</span><span class="p">(</span><span class="k">CASE</span><span class="w"> </span><span class="k">WHEN</span><span class="w"> </span><span class="n">fullkey</span><span class="w"> </span><span class="k">LIKE</span><span class="w"> </span><span class="s1">&#39;%Resources%&#39;</span><span class="w"> </span><span class="k">THEN</span><span class="w"> </span><span class="n">value</span><span class="w"> </span><span class="k">END</span><span class="p">,</span><span class="w"> </span><span class="s1">&#39;, &#39;</span><span class="p">)</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="n">resources</span><span class="p">,</span><span class="w"> </span><span class="w"> </span><span class="k">MAX</span><span class="p">(</span><span class="k">CASE</span><span class="w"> </span><span class="k">WHEN</span><span class="w"> </span><span class="k">key</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s1">&#39;InitialDetectionTime&#39;</span><span class="w"> </span><span class="k">THEN</span><span class="w"> </span><span class="n">value</span><span class="w"> </span><span class="k">END</span><span class="p">)</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="n">initial_detection_time</span><span class="p">,</span><span class="w"> </span><span class="w"> </span><span class="k">MAX</span><span class="p">(</span><span class="k">CASE</span><span class="w"> </span><span class="k">WHEN</span><span class="w"> </span><span 
class="k">key</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s1">&#39;LastThreatStatusChangeTime&#39;</span><span class="w"> </span><span class="k">THEN</span><span class="w"> </span><span class="n">value</span><span class="w"> </span><span class="k">END</span><span class="p">)</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="n">last_threat_status_change_time</span><span class="p">,</span><span class="w"> </span><span class="w"> </span><span class="k">MAX</span><span class="p">(</span><span class="k">CASE</span><span class="w"> </span><span class="k">WHEN</span><span class="w"> </span><span class="k">key</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s1">&#39;RemediationTime&#39;</span><span class="w"> </span><span class="k">THEN</span><span class="w"> </span><span class="n">value</span><span class="w"> </span><span class="k">END</span><span class="p">)</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="n">remediation_time</span><span class="p">,</span><span class="w"> </span><span class="w"> </span><span class="k">MAX</span><span class="p">(</span><span class="k">CASE</span><span class="w"> </span><span class="k">WHEN</span><span class="w"> </span><span class="k">key</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s1">&#39;CurrentThreatExecutionStatusID&#39;</span><span class="w"> </span><span class="k">THEN</span><span class="w"> </span><span class="n">value</span><span class="w"> </span><span class="k">END</span><span class="p">)</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="n">current_threat_execution_status_id</span><span class="p">,</span><span class="w"> </span><span class="w"> </span><span class="k">MAX</span><span class="p">(</span><span class="k">CASE</span><span class="w"> </span><span 
class="k">WHEN</span><span class="w"> </span><span class="k">key</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s1">&#39;ThreatStatusID&#39;</span><span class="w"> </span><span class="k">THEN</span><span class="w"> </span><span class="n">value</span><span class="w"> </span><span class="k">END</span><span class="p">)</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="n">threat_status_id</span><span class="p">,</span><span class="w"> </span><span class="w"> </span><span class="k">MAX</span><span class="p">(</span><span class="k">CASE</span><span class="w"> </span><span class="k">WHEN</span><span class="w"> </span><span class="k">key</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s1">&#39;ThreatStatusErrorCode&#39;</span><span class="w"> </span><span class="k">THEN</span><span class="w"> </span><span class="n">value</span><span class="w"> </span><span class="k">END</span><span class="p">)</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="n">threat_status_error_code</span><span class="p">,</span><span class="w"> </span><span class="w"> </span><span class="k">MAX</span><span class="p">(</span><span class="k">CASE</span><span class="w"> </span><span class="k">WHEN</span><span class="w"> </span><span class="k">key</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s1">&#39;CleaningActionID&#39;</span><span class="w"> </span><span class="k">THEN</span><span class="w"> </span><span class="n">value</span><span class="w"> </span><span class="k">END</span><span class="p">)</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="n">cleaning_action_id</span><span class="p">,</span><span class="w"> </span><span class="w"> </span><span class="k">MAX</span><span class="p">(</span><span class="k">CASE</span><span class="w"> </span><span 
class="k">WHEN</span><span class="w"> </span><span class="k">key</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s1">&#39;AMProductVersion&#39;</span><span class="w"> </span><span class="k">THEN</span><span class="w"> </span><span class="n">value</span><span class="w"> </span><span class="k">END</span><span class="p">)</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="n">am_product_version</span><span class="p">,</span><span class="w"> </span><span class="w"> </span><span class="k">MAX</span><span class="p">(</span><span class="k">CASE</span><span class="w"> </span><span class="k">WHEN</span><span class="w"> </span><span class="k">key</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s1">&#39;ActionSuccess&#39;</span><span class="w"> </span><span class="k">THEN</span><span class="w"> </span><span class="n">value</span><span class="w"> </span><span class="k">END</span><span class="p">)</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="n">action_success</span><span class="p">,</span><span class="w"> </span><span class="w"> </span><span class="k">MAX</span><span class="p">(</span><span class="k">CASE</span><span class="w"> </span><span class="k">WHEN</span><span class="w"> </span><span class="k">key</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s1">&#39;AdditionalActionsBitMask&#39;</span><span class="w"> </span><span class="k">THEN</span><span class="w"> </span><span class="n">value</span><span class="w"> </span><span class="k">END</span><span class="p">)</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="n">additional_actions_bit_mask</span><span class="w"> </span><span class="w"> </span><span class="k">FROM</span><span class="w"> </span><span class="n">wmi_raw</span><span class="w"> </span><span 
class="k">GROUP</span><span class="w"> </span><span class="k">BY</span><span class="w"> </span><span class="n">unique_id</span><span class="p">)</span><span class="w"> </span><span class="w"> </span><span class="w"></span><span class="k">SELECT</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="k">FROM</span><span class="w"> </span><span class="n">microsoft_windows_defender_threats</span><span class="p">;</span><span class="w"> </span></code></pre></div><pre tabindex="0"><code>+─────────────────+──────────────────────────────+─────────────────────+─────────────────────+─────────────────────────────────────+─────────────────────────────────────────+───────────────────────────+────────────────────────+────────────────────────────+─────────────────────────────────+───────────────+────────────────────────────+──────────────────────────────────────────────────────────────────────────────────────────+────────────+───────────────────────────+───────────────────+ | action_success | additional_actions_bit_mask | am_product_version | cleaning_action_id | current_threat_execution_status_id | detection_id | detection_source_type_id | domain_user | initial_detection_time | last_threat_status_change_time | process_name | remediation_time | resources | threat_id | threat_status_error_code | threat_status_id | +─────────────────+──────────────────────────────+─────────────────────+─────────────────────+─────────────────────────────────────+─────────────────────────────────────────+───────────────────────────+────────────────────────+────────────────────────────+─────────────────────────────────+───────────────+────────────────────────────+──────────────────────────────────────────────────────────────────────────────────────────+────────────+───────────────────────────+───────────────────+ | true | 0 | 4.18.2203.5 | 9 | 0 | {041A2E1E-54BB-477F-A953-EDD187B66CC7} | 1 | DESKTOP-2HFBS8U\jason | 20220430211822.148000+000 | 
20220501044223.930000+000 | Unknown | 20220501044223.930000+000 | &quot;file:_C:\Users\jason\Downloads\eicar(1).com, file:_C:\Users\jason\Downloads\eicar.com&quot; | 2147519003 | 0 | 106 | | true | 0 | 4.18.2203.5 | 2 | 0 | {08341268-342B-469E-A826-B9B3A90D1037} | 2 | NT AUTHORITY\SYSTEM | 20220501043200.985000+000 | 20220501043227.380000+000 | Unknown | 20220501043227.380000+000 | &quot;file:_C:\Users\jason\Downloads\eicar(1).com, file:_C:\Users\jason\Downloads\eicar.com&quot; | 2147519003 | 0 | 3 | +─────────────────+──────────────────────────────+─────────────────────+─────────────────────+─────────────────────────────────────+─────────────────────────────────────────+───────────────────────────+────────────────────────+────────────────────────────+─────────────────────────────────+───────────────+────────────────────────────+──────────────────────────────────────────────────────────────────────────────────────────+────────────+───────────────────────────+───────────────────+ </code></pre><h2 id="how-do-i-centralize-the-data-for-auditors">How do I centralize the data for auditors?</h2> <p>The question now becomes: how do you best aggregate the data collected via osquery and show it to auditors?</p> <p>Osquery out of the box emits logs that can be aggregated by <a href="https://osquery.readthedocs.io/en/stable/deployment/log-aggregation/">third-party SIEMs and log aggregation tools</a>. Using their native reporting functions, you can build a dashboard that will get you through your audit and give you incredible visibility.</p> <p>If you don&rsquo;t want to build all this yourself, 1Password Extended Access Management can get you up and running fast. Our device trust solution automatically gives you native osquery installers for Mac, Windows, and Linux. 
Once the agent runs, 1Password Extended Access Management will automatically collect all the pertinent info, aggregate it, and visualize it within your admin dashboard.</p> <p>1Password Extended Access Management can also give you API access and full documentation about the data it collects. And if your company uses Microsoft Entra as your SSO provider, we have <a href="https://blog.1password.com/extended-access-management-availability-updates/">even further integrations</a>.</p> <p>On top of that, we solve for another question vanilla osquery doesn&rsquo;t have an answer for: remediation. For example, if you find Windows Secure Boot is disabled (which helps ensure the integrity of the underlying Defender system), how do you fix it?</p> <p>You can buy a Windows Device Management product, and apply policies to force certain settings to be turned on. But not everything can be automated this way. There is no way to enable <a href="https://support.microsoft.com/en-us/windows/windows-11-and-secure-boot-a8ff1202-c0d9-42f5-940f-843abef64fad">Secure Boot</a> remotely without the user&rsquo;s help.</p> <p>Again, 1Password Extended Access Management <a href="https://blog.1password.com/extended-access-management-patch-management/#:~:text=1Password%20Extended%20Access%20Management%20creates,they've%20installed%20the%20patch.">can run checks</a> against your Windows PC to verify that these services are enabled. If they aren&rsquo;t, users are <a href="https://blog.1password.com/extended-access-management-okta-guide/">blocked from accessing company resources</a> until they&rsquo;ve fixed the issue.</p> <p>We achieve this through end-user remediation, instructing users on how to re-enable those features (while explaining why it&rsquo;s important to keep them that way).</p> <p>From there, users have a deadline on when they need to remediate the issue, or else they&rsquo;ll be locked out of company systems. 
And <a href="https://blog.1password.com/pros-and-cons-of-mdms/"><em>unlike</em> MDM</a>, you can apply this device trust approach to unmanaged, BYOD devices.</p> <p>End-user notifications are a part of our <a href="https://honest.security/">Honest Security</a> philosophy. We believe that teaching end-users how to keep their devices secure nets better and more complete security than any AV scan ever could on its own.</p> <p>To see how 1Password Extended Access Management can secure your fleet and achieve 100% compliance, <a href="https://1password.com/contact-sales/xam">reach out for a demo</a>.</p></description></item><item><title>Introducing multi-cloud secrets management with Pulumi ESC and 1Password</title><link>https://blog.1password.com/pulumi-esc-secrets-management/</link><pubDate>Wed, 18 Sep 2024 00:00:00 +0000</pubDate><author>info@1password.com (Andrew Stiefel)</author><guid>https://blog.1password.com/pulumi-esc-secrets-management/</guid><description> <img src='https://blog.1password.com/posts/2024/pulumi-esc-secrets-management/header.png' class='webfeedsFeaturedVisual' alt='Introducing multi-cloud secrets management with Pulumi ESC and 1Password' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Pulumi customers can secure and simplify their secrets management workflows with a new integration built for 1Password.</p> <p><a href="https://www.pulumi.com/">Pulumi</a> is an infrastructure as code (IaC) platform that enables developers to manage and deploy cloud infrastructure using familiar programming languages like TypeScript, Python, Go, C#, Java, and YAML.</p> <p>Pulumi recently announced the general availability of <a href="https://www.pulumi.com/product/esc/">Pulumi Environments, Secrets and Configuration</a> (Pulumi ESC), their secrets management and orchestration solution. 
Pulumi ESC helps organizations control the sprawl of secrets that occurs when companies grow by enabling them to centralize their secrets management across all of their applications and development teams. Developers can easily access, share, and manage secrets securely on any cloud, using their favorite programming languages.</p> <p>Pulumi built the new Pulumi ESC integration for 1Password using the <a href="https://developer.1password.com/docs/sdks">1Password Go SDK</a>. Pulumi reached out earlier this year about building the integration in response to customer requests and was one of the first technology partners to participate in the <a href="https://blog.1password.com/sdk-beta/">1Password SDKs beta</a>. Of course, being fans of Pulumi ourselves, we were happy to work with them on the integration.</p> <p>To see it in action, <a href="https://www.pulumi.com/resources/managing-team-secrets-with-1password-pulumi-esc/"><strong>join us for a live workshop</strong></a> <strong>on September 25, 2024</strong>. 1Password Developer Relations Manager Phil Johnston and Pulumi Solutions Architect Diana Esteves will cover how to work with Pulumi ESC and 1Password to make secrets available to approved team members and deployments, securely.</p> <h2 id="how-it-works">How it works</h2> <p>With Pulumi ESC, platform engineering teams can use 1Password as a central store for API keys, database credentials, and other secrets used in their applications and infrastructure while leveraging cloud platform infrastructure (e.g., AWS Secrets Manager, Azure Key Vault, etc.) 
as the execution environment.</p> <p>It takes a little scripting for Pulumi ESC to orchestrate secrets across multiple cloud environments while maintaining 1Password as the source of truth for every team.</p> <p>The following is an example of an ESC script in YAML with 1Password as the source and AWS as the destination:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml">values:
  1password:
    secrets:
      fn::open::1password-secrets:
        login:
          serviceAccountToken:
            fn::secret: ops_eyJzaWduSW5B..[Redacted]
        get:
          aws-access-key:
            ref: op://Engineering/aws-cli-creds/access-key
          aws-secret-access-key:
            ref: op://Engineering/aws-cli-creds/secret-access-key
  environmentVariables:
    AWS_ACCESS_KEY_ID: ${1password.secrets.aws-access-key}
    AWS_SECRET_ACCESS_KEY: ${1password.secrets.aws-secret-access-key}
</code></pre></div><p>Pulumi ESC also offers a UI-driven method to set up the configuration required to pull sensitive information from 1Password. Check out the <a href="https://www.pulumi.com/docs/esc/providers/1password-secrets/">Pulumi ESC docs</a> and the <a href="https://www.pulumi.com/blog/pulumi-esc-public-preview-for-1password-support/">Pulumi ESC launch blog post</a> for more information.</p> <h2 id="easy-and-secure-secrets-management">Easy and secure secrets management</h2> <p>Today’s cloud environments require many configurations – including secrets like API keys, database credentials, etc. Every team stores configuration settings like these in different locations, from secret managers to plaintext configuration files. This secret sprawl results in operational bottlenecks, misconfigurations, and security breaches.</p> <p>With 1Password and Pulumi ESC, platform engineering teams can:</p> <ul> <li><strong>Stop secret sprawl:</strong> Use Pulumi ESC to access, share, and manage secrets in 1Password and consume them in any application, tool, or CI/CD platform.</li> <li><strong>Trust (and prove) your secrets are secure:</strong> With Pulumi ESC, every environment can be locked down with role-based access controls (RBAC) and versioned with all changes fully logged for auditing.</li> <li><strong>Ditch <code>.env</code> files:</strong> No more storing secrets in plaintext on local disks. 
Developers can easily access secrets stored in 1Password via Pulumi ESC’s CLI, API, TypeScript, Python, and Go SDKs, and the Pulumi Cloud UI.</li> </ul> <h2 id="expanded-support-for-infrastructure-as-code-iac-practices">Expanded support for infrastructure as code (IaC) practices</h2> <p>Infrastructure as Code (IaC) tools enable the automation and management of cloud infrastructure, allowing for consistent, repeatable, and scalable deployments. They are a critical component of modern infrastructure and engineering practices.</p> <p>At 1Password, we’re excited to partner with Pulumi to expand our <a href="https://developer.1password.com/docs/integrations">developer integrations</a> and better support modern infrastructure teams and workflows. The new integration with Pulumi ESC makes it easier to adopt 1Password as the source of truth while integrating with existing tools and systems across different cloud environments.</p> <img src='https://blog.1password.com/posts/2024/pulumi-esc-secrets-management/1password-pulumi-esc.png' alt='Diagram illustrating Pulumi ESC integration for 1Password' title='Diagram illustrating Pulumi ESC integration for 1Password' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <h2 id="getting-started">Getting started</h2> <p>Learn <a href="https://blog.1password.com/1password-pulumi-developer-secrets-guide/">how to start managing developer secrets with Pulumi ESC and 1Password</a>, or explore the <a href="https://www.pulumi.com/docs/esc/">Pulumi ESC documentation</a> for more information.</p> <p>For a hands-on demonstration, <a href="https://www.pulumi.com/resources/managing-team-secrets-with-1password-pulumi-esc/">sign up for the live workshop</a> on September 25, 2024.</p> <section class="c-call-to-action-box c-call-to-action-box--purple"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Simplify secrets management with 1Password</h3> <p class="c-call-to-action-box__text"> 
Streamline how developers manage SSH keys, API tokens, and other infrastructure secrets across the software development life cycle with 1Password Developer. </p> <a href="https://developer.1password.com/?utm_ref=blog" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--purple" data-event-category="CTA" data-event-action="call-to-action-button"> Explore documentation </a> </div> </section></description></item><item><title>How much does a SOC 2 audit cost?</title><link>https://blog.1password.com/how-much-does-a-soc-2-audit-cost/</link><pubDate>Tue, 17 Sep 2024 00:00:00 +0000</pubDate><author>info@1password.com (Elaine Atwell)</author><guid>https://blog.1password.com/how-much-does-a-soc-2-audit-cost/</guid><description> <img src='https://blog.1password.com/posts/2024/how-much-does-a-soc-2-audit-cost/header.png' class='webfeedsFeaturedVisual' alt='How much does a SOC 2 audit cost?' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">This blog breaks down how much businesses can expect to spend on a SOC 2 audit, depending on their size, structure, and what they hope to achieve.</p> <p>Every article you&rsquo;ll find on SOC 2 costs can agree on the following statements:</p> <ol> <li> <p>There&rsquo;s no single, universal answer to the question: &ldquo;How much does SOC 2 certification cost?&rdquo;</p> </li> <li> <p>The total costs of an audit – including all the knock-on expenses associated with it – can range from tens to hundreds of thousands of dollars.</p> </li> </ol> <p>Unfortunately, few articles explain what specific factors influence an audit&rsquo;s cost, and what businesses can do to mitigate them.</p> <p>At 1Password, we know a few things about SOC 2, because we&rsquo;ve gone through the process of becoming SOC 2 compliant ourselves, and because our customers use our products for their own compliance needs. 
Given that, we&rsquo;re happy to go where few articles on this topic have gone before: into the specifics.</p> <p>For this blog, we talked to Ed Gardner, the CEO and principal consultant at <a href="https://www.newenglandsp.com/">New England Safety Partners</a>. He broke down how much businesses can expect to spend depending on their size, structure, and what they hope to achieve.</p> <p>&ldquo;A SOC 2 audit is as meaningful as you want it to be,&rdquo; according to Ed. &ldquo;And if you need it to be meaningful, you probably need to spend a little money.&rdquo;</p> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div class="c-technical-aside-box__description"> <p>Looking for a more general primer on SOC 1 and SOC 2 audits? <a href="https://blog.1password.com/10-minute-guide-to-soc-1-vs-soc-2/">Check out our blog on the subject</a>!</p> </div> </aside> <h2 id="factors-affecting-soc-2-certification-cost">Factors affecting SOC 2 certification cost</h2> <p>There are many variables that influence the cost of a SOC report. Some are in your control and some aren&rsquo;t, but you can account for each of them in your decision making.</p> <h3 id="company-size-and-audit-scope">Company size and audit scope</h3> <p>This is a pretty straightforward factor: the higher the number of employees and systems within your company, the more information your auditor has to look at, and the greater the cost.</p> <p>For a company with multiple products, in which different teams use different workplace management platforms, costs can quickly balloon, because the auditor has to determine the compliance of each team independently.</p> <p>Still, companies with multiple products and systems can manage costs by narrowing the scope of their SOC 2 audit to a single product. &ldquo;The auditors look at enough back office stuff that it feels like you&rsquo;re attesting to your entire company,&rdquo; Ed says. 
&ldquo;But you&rsquo;re not; you&rsquo;re just attesting to the product or service, and the back office functions that support that product or service.&rdquo;</p> <h3 id="type-of-soc-2-report">Type of SOC 2 report</h3> <p>Generally, a SOC 2 Type 2 report costs 30-50% more than SOC 2 Type 1, because it looks at data over a period of time, instead of a single point.</p> <p>However, many CPAs will negotiate a deal where they charge roughly equal amounts for each audit, as long as you agree to stick with the same audit firm for a multi-year engagement.</p> <h3 id="the-trust-services-principles-you-cover">The trust services principles you cover</h3> <p>Before preparing for an audit, you need to identify which <a href="https://www.barradvisory.com/resource/the-5-trust-services-criteria-explained/">Trust Services Criteria (TSC)</a> are in scope for your SOC 2 report. Security is a mandatory criterion, so you can consider it the base cost. Availability and Confidentiality often add 10-20% to the base cost each. Processing Integrity and Privacy are more complicated, and each tends to add 20-50% in additional costs.</p> <img src='https://blog.1password.com/posts/2024/how-much-does-a-soc-2-audit-cost/trust-principles.png' alt='A graphic of the 5 trust services principles of soc 2.' title='A graphic of the 5 trust services principles of soc 2.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <h3 id="choosing-a-cpa-firm">Choosing a CPA firm</h3> <p>You must hire a firm certified by the American Institute of Certified Public Accountants (AICPA) to conduct the audit. But there&rsquo;s a huge range in cost (and value) from one CPA to the next.</p> <p>A reputable firm could charge around $35,000, while a specialist firm that focuses on SOC 2 compliance might run closer to $45,000. 
Meanwhile, if you go with a &ldquo;Big 4&rdquo; accounting firm, the fee could easily be $60,000 or above.</p> <p>According to Ed, more expensive auditors ask tougher questions, and are less likely to take you at your word. But they also come with name recognition, and if you&rsquo;re trying to use your SOC 2 report to close deals, your auditor&rsquo;s reputation will impact your customer&rsquo;s confidence in your data security.</p> <p>&ldquo;You get what you pay for,&rdquo; says Ed. &ldquo;A more expensive auditor will be more experienced, more thorough, and you&rsquo;ll end up with a higher-quality report.&rdquo;</p> <p>When you&rsquo;re budgeting for SOC 2 certification, the audit itself is just the tip of the iceberg. The lion&rsquo;s share of spending will be on the tools and personnel you need to get compliant. One note to keep in mind for this section is that our estimates are based on small to mid-sized companies. For huge enterprises, each cost can run much higher.</p> <h3 id="readiness-assessment-7-15k">Readiness assessment: $7-15k</h3> <p>At the beginning of the SOC 2 compliance process, your auditors will give you a readiness assessment and gap analysis, which will highlight issues you need to address before the final audit. 
The assessment will make recommendations about various processes you need to document, like an official org chart and an incident response plan.</p> <p>The cost of this report depends on various factors, including the TSCs you choose for your report and how far you are from achieving compliance.</p> <h3 id="soc-2-consultantsoftware-15-85k">SOC 2 consultant/software: $15-85k</h3> <p>Most companies rely on third-party help to complete SOC 2 reporting, and this help can come from professional consultants like Ed, compliance software like <a href="https://drata.com/soc-2">Drata</a> or <a href="https://tugboatlogic.com/">Tugboat</a>, or a combination of the two.</p> <p>You can save time and money by using software that relies heavily on automation, especially if you&rsquo;re working with an auditor who is familiar with your software. As Ed explains, &ldquo;a Drata SOC 2 Type 1 audit with a Drata auditor can cost anywhere from $15-25k, as opposed to $30-35k with a consultant.&rdquo;</p> <p>But of course, going the automated route comes with its own drawbacks. Standardized platforms mean a standardized approach to the audit. You either do things their way, or you don&rsquo;t get a shiny green checkmark on your compliance checklist. By contrast, a human consultant can help you take a more customized approach to compliance by advocating for you with the auditors. Their input can save you from making needless (and potentially costly) changes to how you do business.</p> <p>Another thing to keep in mind is that a lot of compliance software includes multiple compliance-adjacent features – from automated employee onboarding/offboarding, to employee training, to ready-made security policies. 
This SaaS approach can be helpful, especially when you graduate to SOC 2 Type 2, but maintaining these programs means accepting a recurring cost (and the risk of vendor lock-in), as opposed to the one-time fee of a consultant.</p> <h3 id="new-tools-and-software-5-50k">New tools and software: $5-50k</h3> <p>This cost varies a lot depending on your existing IT infrastructure and cybersecurity posture. If you&rsquo;re a young startup and this is your first audit, you may have to invest in new software to maintain asset inventory, track compliance tickets, and manage compliance reporting.</p> <p>You may also need to purchase security tools for threat and intrusion detection, file integrity monitoring, and vulnerability management if you don&rsquo;t have them already.</p> <p>A DIY approach will likely cost less money but more time. Meanwhile, a commercial solution may cost more, but require less time to implement.</p> <h3 id="legal-fees-10k">Legal fees: ~$10k</h3> <p>You&rsquo;ll want to set aside time and budget to review all customer, vendor, and employee contracts or agreements with your in-house legal team or external attorney. Not everyone does this step, but the process will help you assign responsibilities and establish policies on the various TSCs.</p> <h3 id="employee-training-5k-but-scales-to-the-number-of-employees">Employee training: ~$5k, but scales to the number of employees</h3> <p>The SOC 2 audit emphasizes the importance of employee training, so you&rsquo;ll need to implement cybersecurity education programs and track employees' participation. When it comes to the training, auditors will accept most commercially available solutions, and their costs will correspond to the size of your company.</p> <p>Unfortunately, this is one of those areas where SOC 2 can just be a &ldquo;check the box&rdquo; experience. 
As Ed points out, &ldquo;auditors are manifestly not equipped to evaluate the quality of the training.&rdquo; So it&rsquo;s up to you to make sure your security awareness training is relevant and effective, and that will likely mean going beyond whatever pre-packaged courses you purchase.</p> <h3 id="internal-resources-50-70k">Internal resources: $50-70k</h3> <p>The time spent on SOC 2 compliance by an employee or team is the easiest to forget about, but it&rsquo;s crucial to account for.</p> <p>A SOC 2 audit is a complex process, and you can&rsquo;t have a junior staff member handle it &ldquo;on the side.&rdquo; Identify a dedicated employee who has sufficient technical knowledge to answer the questions and is senior enough to navigate company politics and make the necessary changes. According to Ed, the point person for SOC 2 can be from operations, legal, IT, security, or engineering.</p> <p>For a smaller company, the SOC 2 Type 1 audit can take roughly five months from start to finish: two months of gap remediation with your consultant, two months to collect evidence and documentation from the auditor&rsquo;s request list, and two weeks for the audit itself. But again, expect this timeline to vary depending on your company&rsquo;s size and needs.</p> <h3 id="audit-cost-5-60k">Audit cost: $5-60k</h3> <p>Last but not least, you need to hire a CPA firm to conduct the audit. As we discussed above, the audit cost will depend on the scope and complexity of your SOC 2 report, the size of your organization, and the CPA firm you choose.</p> <p>When it comes to choosing an auditor, match your budget to the goal of your SOC 2 report. If you&rsquo;re trying to use your report to close deals with multinational banks, it might be worth springing for a CPA firm with name recognition. 
But even if your goals aren&rsquo;t that lofty, resist the temptation to cut corners, and instead invest enough to be sure you&rsquo;ll be getting a thorough audit.</p> <img src='https://blog.1password.com/posts/2024/how-much-does-a-soc-2-audit-cost/soc2-cost-breakdown.jpg' alt='A graphic of a SOC 2 certification cost breakdown.' title='A graphic of a SOC 2 certification cost breakdown.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <h2 id="soc-2-faqs">SOC 2 FAQs</h2> <p>While we can&rsquo;t provide you with an exact dollar amount for your SOC 2 audit, we can (with Ed&rsquo;s help) answer some of the most common questions we hear about the audit process.</p> <h3 id="how-can-i-reduce-the-cost-of-a-soc-2-audit">How can I reduce the cost of a SOC 2 audit?</h3> <p>We&rsquo;ve already gone over some of the most basic ways to keep costs down, which include:</p> <ul> <li> <p>Limit the audit&rsquo;s scope to a single product or a small set of TSCs</p> </li> <li> <p>Do as much preparation as possible in-house</p> </li> <li> <p>Find an auditor whose fee aligns with your needs</p> </li> </ul> <p>The other major way to control long-term compliance costs is to invest in automation throughout your business, and especially in any area that touches on information security.</p> <p>As Ed explains: &ldquo;Auditors care about three things: Is the information complete? Is the information accurate? And is the information available in a timely fashion?&rdquo;</p> <p>He gives the example of a manual vs automated monitoring process for endpoint security. If an IT admin has to go into the Google console to see that a CPU is at 98%, that&rsquo;s a manual process. It leaves a lot of room for human error, and for security issues to go unaddressed.</p> <p>By contrast, in an automated approach, a 98% CPU spike would automatically trigger a support ticket, which can&rsquo;t be closed until the IT team documents how they resolved the issue. 
In that scenario, the automated workflow ensures that the right people get the right information quickly, and that the entire interaction is documented.</p> <p>The same concept applies for less technical issues, like access control. When an employee is offboarded, an automated solution would immediately cut off their access to customer data, instead of requiring an administrator to manually revoke each permission.</p> <h3 id="can-i-get-multiple-audits-at-the-same-time">Can I get multiple audits at the same time?</h3> <p>Some people advise killing multiple birds with one stone when it comes to compliance, and combining SOC 2 with ISO 27001 or HIPAA. Ed strongly discourages this approach.</p> <p>&ldquo;I would never do that, especially in year one, because they&rsquo;re entirely different types of audits,&rdquo; he says. &ldquo;For example, you get a lot of latitude in what you get measured on in a SOC 2, but ISO 27001 is much more prescriptive.&rdquo;</p> <h3 id="should-i-get-a-soc-2-type-1-or-soc-2-type-2-audit">Should I get a SOC 2 Type 1 or SOC 2 Type 2 audit?</h3> <p>Ed recommends going the traditional route of getting the SOC 2 Type 1 audit first, instead of jumping straight into SOC 2 Type 2. &ldquo;Type 1 eases your organization into understanding what it means to be audited. It&rsquo;s also easier to pass a Type 1 and then stop, take a breath, look at what you just signed up for, and then season to taste,&rdquo; he explains.</p> <p>&ldquo;The problem with going straight to Type 2 is that you don&rsquo;t know if your internal controls are going to work consistently. You run the risk that you&rsquo;ll discover problems while the audit is happening, and if you have too many of those, you won&rsquo;t pass your audit.&rdquo;</p> <p>The bottom line is that you shouldn&rsquo;t go through either SOC 2 audit unless you have a clear understanding of how it will drive business outcomes. 
&ldquo;It&rsquo;s really important to have a legitimate driver to do it, because it is an expensive and pedantic process,&rdquo; according to Ed. &ldquo;If you&rsquo;re smart and you&rsquo;re a small company, you can still do some of those things that would make you compliant without taking the next step to be formally evaluated. But before you take that step, make sure you have a good reason, because nobody does it for fun.&rdquo;</p> <p>Want to learn how 1Password Extended Access Management can help with your compliance process? <a href="https://1password.com/contact-sales/xam">Schedule a demo today</a>!</p></description></item><item><title>Personal VPNs can be shady, but should companies ban them?</title><link>https://blog.1password.com/personal-vpns-can-be-shady/</link><pubDate>Tue, 17 Sep 2024 00:00:00 +0000</pubDate><author>info@1password.com (Elaine Atwell)</author><guid>https://blog.1password.com/personal-vpns-can-be-shady/</guid><description> <img src='https://blog.1password.com/posts/2024/personal-vpns-can-be-shady/header.png' class='webfeedsFeaturedVisual' alt='Personal VPNs can be shady, but should companies ban them?' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Many people are turning to personal VPNs in order to avoid increasing restrictions and oversight over online browsing, but these VPNs can represent risks to personal and corporate cybersecurity.</p> <p>There&rsquo;s a widespread consensus these days about the evolution of life online: <a href="https://www.theatlantic.com/technology/archive/2023/10/big-tech-algorithmic-influence-antitrust-litigation/675575/">the internet is getting worse</a>. 
We were trained to expect digital services that were cheap and easy, but lately they have become expensive, invasive, or simply impossible.</p> <p>Streaming prices keep increasing while streaming <em>content</em> keeps disappearing, news stories are aggressively paywalled, and <a href="https://www.wral.com/story/major-pornographic-website-blocks-nc-access-days-before-new-law-takes-effect/21213582/">sixteen states (so far)</a> have passed laws requiring pornographic websites to verify the age of their users, often by sharing their driver&rsquo;s licenses.</p> <p>These changes are driving users onto the gray market of Virtual Private Networks (VPNs), which promise a private, secure browsing experience that lets them get around these restrictions. The problem is, VPNs are often neither private nor secure. The VPN industry is riddled with scandal and intrigue, and it&rsquo;s difficult (by design) for the average user to tell responsible vendors from bad operators.</p> <p>Naturally, individual users should be aware of the security risks of VPNs (and if that describes you, keep reading), but security and IT professionals have cause for concern as well. When employees use VPNs on the same devices they use for work, they open the door to all kinds of security issues.</p> <p>So let&rsquo;s talk about why people are flocking to personal VPNs, why they can be so risky, and how companies can provide sensible education and policies around their use.</p> <h3 id="personal-vs-corporate-vpns">Personal vs corporate VPNs</h3> <p>Before we go any further, it&rsquo;s important to distinguish between the two types of VPNs. Many companies use corporate or enterprise VPNs so their employees can securely access their private corporate networks. 
These <a href="https://blog.1password.com/how-a-vpn-works/">VPNs have some issues of their own</a>, but they are by and large established solutions run by reputable companies.</p> <p>Both corporate and personal VPNs rely on the same kinds of tunneling protocols (IPsec/IKEv2, OpenVPN, WireGuard and the like), which encrypt traffic between the device and the VPN server and make the server&rsquo;s IP address, rather than the user&rsquo;s, the one that websites see. But personal VPNs do so with the express goal of anonymous internet usage, and are often less secure and trustworthy.</p> <h2 id="why-people-use-vpns">Why people use VPNs</h2> <p>If you&rsquo;re a security or IT pro concerned about your co-workers endangering online security through VPNs, it&rsquo;s not enough to simply issue a blanket ban on them. For one thing, anyone using a personal VPN has already shown that they&rsquo;re willing to go around rules they don&rsquo;t agree with. For another, you probably lack the ability to enforce such a ban on any devices not managed via MDM.</p> <p>Instead, you must start by reckoning with why and how workers are using VPNs. Then you can educate them on the risks and design thoughtful and effective policies.</p> <h3 id="content-piracy">Content piracy</h3> <p>In the past few years, streamers like Netflix and Amazon Prime have steadily increased their prices, cracked down on password sharing, and introduced ads. They&rsquo;ve removed and georestricted content–either as part of Byzantine licensing agreements or <a href="https://www.ign.com/articles/willow-star-warwick-davis-slams-disney-for-removing-the-show-from-disney">to cut costs</a>. As a result, they&rsquo;ve <a href="https://variety.com/vip-special-reports/the-new-face-of-content-piracy-a-special-report-1235497060/">driven people back to media piracy and torrenting sites</a>.</p> <img src='https://blog.1password.com/posts/2024/personal-vpns-can-be-shady/darth-vader-altering-the-deal.jpg' alt='A photo of darth vader altering the deal.' title='A photo of darth vader altering the deal.' 
style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>When you arrive on a torrenting or piracy site, one of the first things you&rsquo;ll see is an advertisement for VPNs. A study from the <a href="https://23693881.fs1.hubspotusercontent-na1.net/hubfs/23693881/DCA-Choosing-Your-VPN-A-Matter-of-Trust.pdf">Digital Citizens Alliance</a> and White Bullet estimated that VPN services spend $45 million per year advertising on these sites. (Torrenting sites pose their own security risks, and the report points out that &ldquo;the links between piracy, malware, and credit card fraud have been well documented.&rdquo;)</p> <p>Some VPN users also value the technology&rsquo;s ability to skirt paywalls on news sites, since if your IP address is constantly changing, you&rsquo;ll never hit the dreaded &ldquo;five article limit.&rdquo; It may not be piracy in the traditional sense, but at least now we know <a href="https://niemanreports.org/articles/hedge-funds-local-news-book/">who to blame for the death of journalism</a>.</p> <p>So, is content piracy a &ldquo;valid&rdquo; use for VPNs? That&rsquo;s a thorny question, but it&rsquo;s at least easy to see their appeal in this scenario; a VPN connection will mask your IP address so you don&rsquo;t have to worry about the FBI banging down your door just because you wanted to watch <em>Andor</em>.</p> <h3 id="bypassing-geo-blocking">Bypassing geo-blocking</h3> <p>The United States isn&rsquo;t among the biggest VPN markets (we were <a href="https://www.digitalinformationworld.com/2023/02/what-country-has-highest-adoption-rate.html">12th at last count</a>); first place belongs to the UAE, followed by Qatar, Singapore, and Saudi Arabia. As you might notice, these are countries that heavily restrict internet usage and police online speech. In such countries, using a VPN is a matter of safety, especially for journalists, dissidents, or anyone whose work or personal life could make them a target of surveillance. 
Of course, VPN usage itself also poses risks in many of these countries; VPNs are banned or highly restricted in China, Russia, and the UAE, among others.</p> <p>In the United States, recent age verification laws on porn sites show exactly how geographic restrictions drive people to use VPNs. When Virginia enacted its law in July 2023, <a href="https://www.13newsnow.com/article/news/local/virginia/new-pornography-verification-virginia-ranks-highest-vpn-searches/291-7cc45c63-060a-4ad0-ac02-690e3d476a45">it quickly came to lead the nation</a> in Google searches for &ldquo;VPN.&rdquo; The same thing happened in North Carolina when it enacted its own law a few months later.</p> <p>But using a VPN to get around geographic restrictions doesn&rsquo;t have to be a high-stakes game of politics and freedom; plenty of Western users like to watch Canadian Netflix or UK TV. And if you Google either of those terms, guess what you&rsquo;ll find. That&rsquo;s right: advice on getting a VPN.</p> <h3 id="security-on-public-wifi">Security on public wifi</h3> <p>This was one of the original use cases for corporate VPNs. Before HTTPS became the default across the internet, anyone at a Starbucks could peek at your browsing. These days, public wifi is safer than it used to be, but still not entirely free from <a href="https://helpcenter.trendmicro.com/en-us/article/tmka-19398#:~:text=Man%2Din%2Dthe%2DMiddle,inject%20malware%20into%20your%20device.">man-in-the-middle attacks</a> and intrusive data collection. VPNs can be a sensible solution if you have to transmit sensitive information while on a public network. Keep in mind, though, that a VPN doesn&rsquo;t remove the need to trust the network; it moves that trust from the coffee shop&rsquo;s router to the VPN provider, which is exactly where the risks discussed below come in.</p> <h3 id="evading-personalized-pricing">Evading &ldquo;personalized pricing&rdquo;</h3> <p>This might be the most niche use case for VPNs, but it&rsquo;s interesting enough to warrant a mention.</p> <p>Companies that use personalized pricing adjust their prices based on whatever data they can collect on a consumer. 
As one <a href="https://www.reactev.com/blog/pricing-strategy-hyper-personalization">vendor excitedly explains</a>, &ldquo;Hyper personalization works more effectively than other <a href="https://www.reactev.com/">pricing strategies</a> as it is based on key user features, such as their willingness to pay — the maximum price users are willing to pay for a product.&rdquo;</p> <p>Many companies deny using dynamic pricing, but many <em>users</em> report that they can get better deals by using an IP address that isn&rsquo;t associated with their identity, and that places them in a less affluent area. So if you do have a VPN, be sure to test that theory the next time you&rsquo;re booking plane tickets.</p> <h2 id="risks-of-personal-vpns">Risks of personal VPNs</h2> <p>VPNs present a number of security and privacy risks, and the VPN market is plagued by unscrupulous (or at least suspicious) companies. Not every VPN company is shady, of course, but there&rsquo;s no easy way to tell the good from the bad; perhaps the most dangerous aspect of VPNs is how difficult it is to figure out who to trust.</p> <h3 id="vpns-are-extremely-dangerous-if-compromised">VPNs are extremely dangerous if compromised</h3> <p>By design, a VPN wraps a device&rsquo;s traffic in an encrypted tunnel, so network controls like firewalls, web proxies, and DNS filtering can&rsquo;t inspect or block it, and users can reach the content they want. But this feature becomes a massive bug if something goes wrong.</p> <p><a href="https://unit42.paloaltonetworks.com/person-vpn-network-visibility/">Unit 42&rsquo;s report on VPNs</a> lays out one risk, in which VPNs bypass proxy servers:</p> <blockquote> <p>&ldquo;&hellip;proxy servers protect corporate endpoints from communication with malicious command and control (C2) servers. However, through VPNs, users can bypass this protection. 
For example, if an employee&rsquo;s computer gets infected while using a VPN, the data sent to the C2 server will not be visible to the InfoSec team.&rdquo;</p> </blockquote> <p>VPN clients are also vulnerable to exploitation by bad actors if not kept properly patched. The same Unit 42 report includes a table of popular VPNs and their known vulnerabilities, many of which give attackers the ability to escalate their privileges and remotely execute commands.</p> <h3 id="vpns-can-log-store-and-sell-user-data">VPNs can log, store, and sell user data</h3> <p>VPNs work by creating an encrypted tunnel: your internet service provider (ISP), and anyone else on the path, sees only that you&rsquo;re exchanging traffic with the VPN server, not which sites you visit. Well, no one can see it except the VPN itself, and the VPN can see <em>everything</em>. You have to put a lot of trust in a VPN to use that power responsibly, and they have not always earned that trust.</p> <blockquote> <p>&ldquo;We typically engage a VPN service to better protect our online privacy, while understanding that all of our data – every click, every site, every background app – is being funneled to a single company, whose servers most of us will never see with our own eyes.&rdquo; -<a href="https://www.cnet.com/tech/services-and-software/what-is-kape-technologies-what-you-need-to-know-about-the-parent-company-of-cyberghost-vpn/">Rae Hodge, CNET</a></p> </blockquote> <p>The data VPNs can access has value to advertisers, among others, and with that value comes the potential for misuse. As <a href="https://unit42.paloaltonetworks.com/person-vpn-network-visibility/">Unit 42</a> points out, &ldquo;VPN providers could double-dip users and businesses by taking subscription money from users and selling users' web consumption data to the advertising industry. In more extreme cases, they might even supply user data to government authorities.&rdquo;</p> <p>The best way to avoid this risk is to use a no-log VPN, which doesn&rsquo;t store this personal data. 
But you can&rsquo;t always trust VPNs to tell the truth about their logging policies.</p> <h3 id="vpns-have-been-caught-lying">VPNs have been caught lying</h3> <p>In 2020, over 1TB of user data from tens of millions of customers – including plaintext passwords and browsing histories – was <a href="https://www.tomsguide.com/news/seven-vpns-user-data">found unencrypted on a cloud server</a>. The shocking thing? This data came from seven VPN companies, <em>all of which claimed to have &ldquo;no logging&rdquo; policies</em>.</p> <p>In 2023, Australia&rsquo;s Federal Court ordered two Facebook subsidiaries – Facebook Israel and Onavo Protect VPN – to pay a $20 million fine for secretly recording user activity on a free VPN service and sharing the data with Meta. <a href="https://www.itnews.com.au/news/meta-fined-20-million-for-mining-aussies-data-with-its-vpn-598471">IT News Australia</a> reported that: &ldquo;The VPN was promoted on platforms like Google and Apple App Store as a way to &lsquo;protect personal information&rsquo; and to &lsquo;keep you and your data safe&rsquo;.&rdquo;</p> <p>There are <a href="https://www.cnet.com/tech/services-and-software/expressvpn-cio-among-three-facing-1-6-million-doj-fine-project-raven/">plenty more stories</a> like this, but in the interest of time, we&rsquo;ll just share one more egregious example. In 2015, <a href="https://www.cnet.com/news/privacy/security-researchers-claim-hola-operates-as-insecure-botnet/">cybersecurity researchers exposed</a> Hola, a free VPN that turned out not to be a VPN at all. Instead, Hola was a peer-to-peer network that routed other users&rsquo; traffic through your connection, so your IP address became the exit point for strangers&rsquo; browsing, and researchers found flaws in its client that could let a remote attacker run code on your device. 
What&rsquo;s worse is that <a href="https://thehackernews.com/2015/05/hola-widely-popular-free-vpn-service.html">Hola was working with a company called Luminati</a>, which used Hola-connected machines to run massive botnet operations without user knowledge.</p> <p>The most shocking part of this decade-old story is that Hola is still around! It&rsquo;s got a 4.6 rating on the Google Play store and no mention of this scandal on its Wikipedia page. (Luminati is still kicking too, though today it&rsquo;s called &ldquo;Bright Data&rdquo; and has been involved in <a href="https://news.bloomberglaw.com/privacy-and-data-security/bright-data-accused-of-scraping-minors-data-from-instagram">multiple other scandals</a>.)</p> <p>The fact that users can ignorantly download VPNs with such checkered histories isn&rsquo;t an accident. It&rsquo;s because VPN providers spend a lot of effort laundering their reputations and then hiding their footprints.</p> <h3 id="vpn-companies-own-their-competitionand-their-critics">VPN companies own their competition&hellip;and their critics</h3> <p>For the past few years, VPN companies have ridden the same wave of M&amp;A deals as the rest of the tech industry. In 2022, <a href="https://www.cnet.com/tech/services-and-software/3-companies-control-many-big-name-vpns-what-you-need-to-know/">CNET reported</a> that three companies own many of the most popular VPNs on the market, creating the <em>illusion</em> of competition and choice.</p> <p>The big players are Nord Security, which owns NordVPN, Atlas VPN, and Surfshark; Ziff Davis, which owns IPVanish and StrongVPN; and Kape Technologies (formerly Crossrider), which owns CyberGhost VPN, ZenMate VPN, Private Internet Access, and ExpressVPN.</p> <p>The often-confusing ownership structure of these companies makes it even tougher to understand their policies. 
CNET&rsquo;s Rae Hodge wrote a <a href="https://www.cnet.com/tech/services-and-software/what-is-kape-technologies-what-you-need-to-know-about-the-parent-company-of-cyberghost-vpn/">2020 deep dive</a> in which she tried to determine whether CyberGhost&rsquo;s data policies remained the same after their acquisition.</p> <p>In the end, she concluded that: &ldquo;&hellip;although CyberGhost&rsquo;s business jurisdiction is in Romania, CyberGhost could share your data with not only its UK-based parent company, but with its US-based sibling company.&rdquo;</p> <p>Several VPN companies also own VPN review sites, along with other tech media properties. Ziff Davis owns Mashable, PCMag, and Encrypt.me, among others. Kape Technologies owns vpnMentor and WizCase. Some sites are more or less open about these relationships, and all claim to be editorially independent, but you&rsquo;re still unlikely to see any of them attack their parent companies. Also, you can assume that the examples above are just the tip of the iceberg.</p> <p>If you click on a &ldquo;best VPN&rdquo; listicle at random, you might notice something fishy. That&rsquo;s what I did, and I found a polished-looking website that seems to employ a real team of writers, even if they do acknowledge that they &ldquo;may earn compensation&rdquo; from some of the companies they review. But who owns the website? 
A &ldquo;media&rdquo; company <a href="https://www.centerfield.com/services/">whose own website</a> shows that they create independent-looking &ldquo;review sites&rdquo; across numerous industries to help their customers make more sales.</p> <p>This isn&rsquo;t to suggest that every person reviewing VPNs is an industry plant–but these murky relationships create an atmosphere of suspicion, even as VPNs ask for our trust.</p> <h2 id="how-to-protect-company-data-from-employee-vpns">How to protect company data from employee VPNs</h2> <p>If you work in security or IT, you might feel a little torn when it comes to VPNs. Maybe you use a VPN in your personal life, but don&rsquo;t want them anywhere near your company&rsquo;s end users and their devices.</p> <p>So what are your options?</p> <p>Well, if you work for an in-person company, you can block many personal VPNs on your office network by blocking the ports their tunneling protocols use: UDP 500 and 4500 (IKE/IPsec), UDP 1194 (OpenVPN), and UDP 51820 (WireGuard) are the common ones. Be aware that most commercial VPN clients fall back to TCP 443 to blend in with ordinary web traffic, which you can&rsquo;t block without breaking the web. VPN use on the office network is still fairly easy to spot, though: nearly all of a device&rsquo;s traffic goes to a single external IP address over one of those protocols, and your identity provider&rsquo;s sign-in logs will show the user connecting from a location that doesn&rsquo;t match the office.</p> <p>But it gets trickier once you start thinking about employees working from home and on their personal devices and networks.</p> <p>If you only allow managed devices to access company resources, blocking VPNs shouldn&rsquo;t be a challenge–you can prohibit such downloads via MDM, by maintaining a blocklist of untrusted VPNs (although this requires significant maintenance) or by prohibiting VPNs altogether (although this would stop them from using a corporate VPN if they had one). But, as our own research has shown, nearly half of companies <a href="https://blog.1password.com/unmanaged-devices-run-rampant/">allow unmanaged devices</a> to access their resources. Your options for blocking (or even knowing about) VPNs on those devices are more limited.</p> <p>When we&rsquo;re talking about blocking applications on an employee&rsquo;s personal device, the issues are ethical as much as technical. 
Is it fair to ban all personal VPNs on employee-owned devices, even knowing that they can be a vital tool for protecting privacy? Is it enough to simply ban the worst offenders and do your best to ensure that more trustworthy VPNs stay updated? There aren&rsquo;t universal answers to those questions, but there is some advice that should apply to most companies.</p> <h3 id="educate-users">Educate users</h3> <p>Most users don&rsquo;t go looking for VPNs – they stumble on them in the course of trying to watch a show, get around a paywall, and so on. And so most users have no idea that they should be very careful about what provider they pick and how they use it.</p> <p>So, the first step in improving safety is to educate users on the risks.</p> <p>Unfortunately, you can&rsquo;t just send out a memo telling users to be cautious when picking a VPN, not when there&rsquo;s so much bad information floating around. Figuring out where a VPN stores data or assessing its log policy is already more work than the average user is equipped to do. And even if they do it, these companies have been caught lying about precisely these policies!</p> <p>The safer route (if you choose to allow/accept VPNs at all) is for someone with a technical/security background to come up with a list of trustworthy VPN providers, as well as vendors to avoid. 
Likewise, you should discourage or ban the use of &ldquo;free&rdquo; VPNs–these days, everyone should know that if a product is free, it means you&rsquo;re the product.</p> <h3 id="enforce-vpn-policy-even-on-unmanaged-devices">Enforce VPN policy even on unmanaged devices</h3> <p>IT and security teams are well within their rights to ensure that no device that touches company data is susceptible to malware or data leakage.</p> <p>There are two general ways to accomplish this:</p> <ol> <li> <p>Prevent unmanaged personal devices from accessing company data.</p> </li> <li> <p>Ensure that personal devices meet security requirements and aren&rsquo;t using unauthorized VPNs.</p> </li> </ol> <p>In either case, a <a href="https://blog.1password.com/what-is-device-trust/">device trust</a> solution is the most reliable way to accomplish your goals for devices outside the scope of MDM. (Device trust isn&rsquo;t the <em>only way</em>; you can also try to sandbox work resources via VDI or corporate VPNs, but then you&rsquo;re still running the risk of a malware-infected device sneaking past those defenses, for example, via a keylogger.)</p> <p>Any device trust solution ensures that no device can authenticate unless the device trust agent is present–so you automatically block all unknown devices.</p> <p>You can also go further with <a href="https://1password.com/product/xam">1Password® Extended Access Management&rsquo;s</a> device trust solution, which allows you to write custom checks and define your VPN policy as you see fit. 
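</p> <p>Here is what such a check can look like, written as an osquery-style SQL query, the kind of query a device trust agent runs against its <code>processes</code> table. This is an added example, not a check shipped by 1Password: the process names and the single &ldquo;trusted&rdquo; entry are a constructed list you would replace with the clients you actually see in your fleet, and matching on process name is only as good as that list.</p>

```sql
-- Added example: flag running VPN clients that are not on the
-- company's trusted list. A device trust check built on this query
-- fails (and prompts the user to act) whenever it returns a row;
-- "personal VPN turned off while working" is simply the empty result.
--
-- The names below are a CONSTRUCTED list for illustration, not a
-- catalogue of real products' binaries. 'corp-vpn' stands in for a
-- hypothetical sanctioned corporate client and is the only allowed one.
WITH vpn_clients(process_name, trusted) AS (
  VALUES
    ('openvpn',      0),   -- OpenVPN daemon, bundled by many consumer apps
    ('openvpn-gui',  0),
    ('wireguard-go', 0),   -- WireGuard userspace implementation
    ('wg-quick',     0),
    ('corp-vpn',     1)    -- hypothetical sanctioned client (allowed)
)
SELECT
  p.pid,
  p.name,
  p.path,
  p.cmdline,
  p.start_time
FROM processes AS p
JOIN vpn_clients AS v
  -- strip the .exe suffix so the same list works on Windows
  ON LOWER(REPLACE(p.name, '.exe', '')) = v.process_name
WHERE v.trusted = 0;
```

To implement "allow only trusted VPNs" rather than "ban all third-party VPNs", keep the <code>trusted = 1</code> rows; to ban everything, drop them. On macOS, many VPN apps run as network extensions rather than a plainly named binary, so pair this with the <code>system_extensions</code> table when you build the real check.<p>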
Admins can use our custom check editor to ban all third-party VPNs, allow only trusted VPNs, require VPNs to be patched regularly, or ensure that a personal VPN is turned off while the user is working.</p> <p>Crucially, 1Password Extended Access Management doesn&rsquo;t enforce these policies through brute force (like MDM); it notifies end users directly so they can take action themselves, as well as explaining the reasoning behind the policy.</p> <p>The beauty of this user-driven approach is that it doesn&rsquo;t use the same arbitrary, invasive tactics that drove people to VPNs in the first place; it&rsquo;s clear and considerate.</p> <h2 id="workers-and-businesses-need-vpns-they-can-trust">Workers and businesses need VPNs they can trust</h2> <p>When Obi-Wan and Luke are looking for a ride off of Tatooine, they don&rsquo;t go to the shiny, Empire-sanctioned spaceport. They&rsquo;d never make it off the ground! They go to Mos Eisley, where they can find a captain willing to bend the rules.</p> <img src='https://blog.1password.com/posts/2024/personal-vpns-can-be-shady/han-solo-feet-kicked-up.jpg' alt='A photo of han solo with his feet kicked up.' title='A photo of han solo with his feet kicked up.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>It&rsquo;s much the same with VPNs; they <em>have to exist</em> in an ethically gray area in order to function at all. And there are a lot of people who absolutely rely on VPNs to function, especially in states or countries clamping down on internet freedom.</p> <p>But gray areas also leave a lot of room for bad actors to operate, and that&rsquo;s where responsible IT and security teams come in.</p> <p>Want more original and curated stories about IT and security? 
Subscribe to our <a href="https://1password.com/kolidescope-newsletter">bi-weekly newsletter</a>.</p></description></item><item><title>How to tell if CrowdStrike Falcon sensor is running</title><link>https://blog.1password.com/how-to-tell-if-crowdstrike-falcon-sensor-is-running/</link><pubDate>Fri, 13 Sep 2024 00:00:00 +0000</pubDate><author>info@1password.com (Micah Sorenson)</author><guid>https://blog.1password.com/how-to-tell-if-crowdstrike-falcon-sensor-is-running/</guid><description> <img src='https://blog.1password.com/posts/2024/how-to-tell-if-crowdstrike-falcon-sensor-is-running/header.png' class='webfeedsFeaturedVisual' alt='How to tell if CrowdStrike Falcon sensor is running' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">This guide for IT and security professionals shows how to detect that the CrowdStrike agent is installed and properly configured, using either vanilla osquery or 1Password® Extended Access Management.</p> <p>CrowdStrike is a security company whose product is generally classified as an Endpoint Detection and Response (EDR) tool. It primarily operates via the Falcon sensor agent, which is installed on employee devices and detects malware, anomalous behaviors, and other vulnerabilities.</p> <p>As <a href="https://www.crowdstrike.com/products/faq/">CrowdStrike&rsquo;s own website says</a>, the Falcon sensor is &ldquo;extremely lightweight (consuming 1% or less of CPU) and unobtrusive: there&rsquo;s no UI, no pop-ups, no reboots, and all updates are performed silently and automatically.&rdquo; For that reason, end users may be unaware of CrowdStrike&rsquo;s existence on their device, much less whether or not it&rsquo;s working properly.</p> <p>Ensuring that the CrowdStrike agent is properly installed, configured, and running could be the difference between responding to a massive data breach and having a quiet weekend. 
But ensuring this requires us to gather information that goes beyond checking the apps folder or process table to see that the agent is installed.</p> <p><strong>Merely checking for CrowdStrike&rsquo;s presence doesn&rsquo;t validate that the process is in a good state, or that the agent was configured properly.</strong></p> <p>Most companies with CrowdStrike don&rsquo;t have this kind of reporting readily available. If a device has stopped checking in, they don&rsquo;t have alerts for it because it could just be an old device. The context of <em>why</em> it&rsquo;s missing is missing.</p> <p>To get that crucial context, we need to build some custom tables, which we&rsquo;ll get into next.</p> <h2 id="how-to-tell-if-crowdstrike-is-installed-configured-and-running-on-mac-windows-and-linux">How to tell if CrowdStrike is installed, configured, and running on Mac, Windows, and Linux</h2> <p>To ensure that CrowdStrike is functioning properly, we want to validate various things, such as:</p> <ul> <li> <p>Client ID</p> </li> <li> <p>RFM state (Linux only)</p> </li> <li> <p>Active System Extension (MacOS only)</p> </li> <li> <p>Operational state</p> </li> <li> <p>Version</p> </li> </ul> <p>That&rsquo;s pretty straightforward in Windows, since we can gather the Client ID from the <code>registry</code> table, the operational state from the <code>services</code> table, and the installed version from the <code>programs</code> table. These tables don&rsquo;t exist for MacOS and Linux, so if we want to collect and validate all of these for MacOS and Linux endpoints, then we have to partially implement our own solution.</p> <p>To get the missing information, we&rsquo;ll be querying <code>falconctl</code>, the CrowdStrike sensor binary. It can tell us if CrowdStrike is actually set up and communicating versus just running for its own amusement.</p> <p>Our team made some additional tables in our agent to gather the missing information from the binary for macOS and Linux. 
We added validation to the Checks for the Client ID, RFM state (Linux only), Active System Extension (MacOS only), and operational state to ensure that the CrowdStrike agent is properly configured and running.</p> <p>This provides a more robust solution that is sensitive to hiccups in the agent which an &ldquo;is installed and running&rdquo; osquery implementation wouldn&rsquo;t be able to catch.</p> <h2 id="how-to-detect-crowdstrike-using-a-fully-native-osquery-implementation">How to detect CrowdStrike using a fully native osquery implementation</h2> <p>As we said, you can get certain information about CrowdStrike&rsquo;s Falcon agent using generic osquery. That information varies by operating system, but we&rsquo;ve included a general approach for each query below.</p> <h3 id="macos">MacOS</h3> <p><strong>Step 1:</strong> We validate that the agent is an active system extension from the <code>system_extensions</code> table.</p> <ul> <li>This tells us if the CrowdStrike agent is installed and enabled on the endpoint. It also shows us what version the system extension is.</li> </ul> <p><strong>Step 2:</strong> This is a lot all at once, so let&rsquo;s break it down a bit. Let&rsquo;s start with the columns we care about.</p> <ul> <li> <p>Identifier - The system extension identity (<code>com.crowdstrike.falcon.Agent</code>).</p> </li> <li> <p>State - The status of the extension, e.g. 
active and enabled or deactivated and disabled.</p> </li> <li> <p>Version - The version of the extension.</p> </li> </ul> <p><strong>Step 3:</strong> With these columns, we construct a <code>JSON_OBJECT</code>, which takes in our columns and returns a JSON-formatted object for each row.</p> <ul> <li><code>JSON_OBJECT('identifier', identifier, 'state', state, 'version', version)</code></li> </ul> <p><strong>Step 4:</strong> Now we can group the objects into an array containing them all.</p> <ul> <li><code>JSON_GROUP_ARRAY(JSON_OBJECT('identifier', identifier, 'state', state, 'version', version))</code></li> </ul> <p><strong>Step 5:</strong> We then build two such arrays and add a <code>FILTER</code> clause to each to separate the data.</p> <ul> <li> <p>The first contains the row(s) where the state column is equal to &ldquo;activated_enabled&rdquo;.</p> <ul> <li><code>FILTER(WHERE state = 'activated_enabled')</code></li> </ul> </li> <li> <p>The second contains the row(s) where the state column is not equal to &ldquo;activated_enabled&rdquo;.</p> <ul> <li><code>FILTER(WHERE state != 'activated_enabled')</code></li> </ul> </li> </ul> <p><strong>Step 6:</strong> Now we put this together and add a <code>WHERE</code> clause so that only CrowdStrike system extensions are returned.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-sql" data-lang="sql"><span class="k">SELECT</span><span class="w"> </span><span class="w"> </span><span class="n">JSON_GROUP_ARRAY</span><span class="p">(</span><span class="n">JSON_OBJECT</span><span class="p">(</span><span class="s1">&#39;identifier&#39;</span><span class="p">,</span><span class="w"> </span><span class="n">identifier</span><span class="p">,</span><span class="w"> </span><span class="s1">&#39;state&#39;</span><span class="p">,</span><span class="w"> </span><span class="k">state</span><span class="p">,</span><span class="w"> </span><span class="s1">&#39;version&#39;</span><span 
class="p">,</span><span class="w"> </span><span class="k">version</span><span class="p">))</span><span class="w"> </span><span class="n">FILTER</span><span class="p">(</span><span class="k">WHERE</span><span class="w"> </span><span class="k">state</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s1">&#39;activated_enabled&#39;</span><span class="p">)</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="n">active_system_extensions</span><span class="p">,</span><span class="w"> </span><span class="w"> </span><span class="n">JSON_GROUP_ARRAY</span><span class="p">(</span><span class="n">JSON_OBJECT</span><span class="p">(</span><span class="s1">&#39;identifier&#39;</span><span class="p">,</span><span class="w"> </span><span class="n">identifier</span><span class="p">,</span><span class="w"> </span><span class="s1">&#39;state&#39;</span><span class="p">,</span><span class="w"> </span><span class="k">state</span><span class="p">,</span><span class="w"> </span><span class="s1">&#39;version&#39;</span><span class="p">,</span><span class="w"> </span><span class="k">version</span><span class="p">))</span><span class="w"> </span><span class="n">FILTER</span><span class="p">(</span><span class="k">WHERE</span><span class="w"> </span><span class="k">state</span><span class="w"> </span><span class="o">!=</span><span class="w"> </span><span class="s1">&#39;activated_enabled&#39;</span><span class="p">)</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="n">inactive_system_extensions</span><span class="w"> </span><span class="w"></span><span class="k">FROM</span><span class="w"> </span><span class="n">system_extensions</span><span class="w"> </span><span class="w"></span><span class="k">WHERE</span><span class="w"> </span><span class="n">identifier</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span 
class="s1">&#39;com.crowdstrike.falcon.Agent&#39;</span><span class="w"> </span><span class="k">COLLATE</span><span class="w"> </span><span class="n">NOCASE</span><span class="w"> </span></code></pre></div><h3 id="linux">Linux</h3> <p><strong>Step 1:</strong> We first collect the version, and by extension validate installation from the <code>deb_packages</code>/<code>rpm_packages</code> table.</p> <ul> <li>Use <code>deb_packages</code> on debian based Linux, or <code>rpm_packages</code> on rhel based Linux devices.</li> </ul> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-sql" data-lang="sql"><span class="k">SELECT</span><span class="w"> </span><span class="w"> </span><span class="k">MAX</span><span class="p">(</span><span class="k">version</span><span class="p">)</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="k">version</span><span class="w"> </span><span class="w"></span><span class="k">FROM</span><span class="w"> </span><span class="n">deb_packages</span><span class="w"> </span><span class="w"></span><span class="k">WHERE</span><span class="w"> </span><span class="n">name</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s1">&#39;falcon-sensor&#39;</span><span class="w"> </span><span class="k">COLLATE</span><span class="w"> </span><span class="n">NOCASE</span><span class="w"> </span></code></pre></div><p><strong>Step 2:</strong> We then collect the operational state of the agent from the <code>systemd_units</code> table.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-sql" data-lang="sql"><span class="k">SELECT</span><span class="w"> </span><span class="k">COUNT</span><span class="p">(</span><span class="o">*</span><span class="p">),</span><span class="w"> </span><span class="w"> </span><span class="k">CASE</span><span class="w"> </span><span class="w"> </span><span class="k">WHEN</span><span class="w"> 
</span><span class="k">LOWER</span><span class="p">(</span><span class="n">sub_state</span><span class="p">)</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s1">&#39;running&#39;</span><span class="w"> </span><span class="w"> </span><span class="k">AND</span><span class="w"> </span><span class="k">LOWER</span><span class="p">(</span><span class="n">load_state</span><span class="p">)</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s1">&#39;loaded&#39;</span><span class="w"> </span><span class="w"> </span><span class="k">AND</span><span class="w"> </span><span class="k">LOWER</span><span class="p">(</span><span class="n">active_state</span><span class="p">)</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s1">&#39;active&#39;</span><span class="w"> </span><span class="w"> </span><span class="k">THEN</span><span class="w"> </span><span class="s1">&#39;Yes&#39;</span><span class="w"> </span><span class="w"> </span><span class="k">ELSE</span><span class="w"> </span><span class="s1">&#39;No&#39;</span><span class="w"> </span><span class="w"> </span><span class="k">END</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="n">sensor_operational</span><span class="w"> </span><span class="w"></span><span class="k">FROM</span><span class="w"> </span><span class="n">systemd_units</span><span class="w"> </span><span class="w"></span><span class="k">WHERE</span><span class="w"> </span><span class="n">id</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s1">&#39;falcon-sensor.service&#39;</span><span class="w"> </span><span class="k">COLLATE</span><span class="w"> </span><span class="n">NOCASE</span><span class="w"> </span></code></pre></div><h3 id="windows">Windows</h3> <p><strong>Step 1:</strong> We first collect the Agent ID and Client ID from the <code>registry</code> 
table.</p> <ul> <li>Only the first 32 characters for each ID are important, so we use SUBSTR to remove extra characters.</li> </ul> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-sql" data-lang="sql"><span class="k">SELECT</span><span class="w"> </span><span class="w"> </span><span class="k">MAX</span><span class="p">(</span><span class="n">SUBSTR</span><span class="p">(</span><span class="k">data</span><span class="p">,</span><span class="w"> </span><span class="mi">1</span><span class="p">,</span><span class="w"> </span><span class="mi">32</span><span class="p">))</span><span class="w"> </span><span class="n">FILTER</span><span class="p">(</span><span class="k">WHERE</span><span class="w"> </span><span class="n">name</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s1">&#39;AG&#39;</span><span class="p">)</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="n">agent_id</span><span class="p">,</span><span class="w"> </span><span class="w"> </span><span class="k">MAX</span><span class="p">(</span><span class="n">SUBSTR</span><span class="p">(</span><span class="k">data</span><span class="p">,</span><span class="w"> </span><span class="mi">1</span><span class="p">,</span><span class="w"> </span><span class="mi">32</span><span class="p">))</span><span class="w"> </span><span class="n">FILTER</span><span class="p">(</span><span class="k">WHERE</span><span class="w"> </span><span class="n">name</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s1">&#39;CU&#39;</span><span class="p">)</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="n">client_id</span><span class="w"> </span><span class="w"></span><span class="k">FROM</span><span class="w"> </span><span class="n">registry</span><span class="w"> </span><span class="w"></span><span class="k">WHERE</span><span class="w"> 
</span><span class="k">key</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s1">&#39;HKEY_LOCAL_MACHINE\SYSTEM\CrowdStrike\{9b03c1d9-3138-44ed-9fae-d9f4c034b88d}\{16e0423f-7058-48c9-a204-725362b67639}\Default&#39;</span><span class="w"> </span><span class="k">COLLATE</span><span class="w"> </span><span class="n">NOCASE</span><span class="w"> </span></code></pre></div><p><strong>Step 2:</strong> We then collect the version, and by extension validate installation from the <code>programs</code> table.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-sql" data-lang="sql"><span class="k">SELECT</span><span class="w"> </span><span class="w"> </span><span class="k">MAX</span><span class="p">(</span><span class="k">version</span><span class="p">)</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="k">version</span><span class="w"> </span><span class="w"></span><span class="k">FROM</span><span class="w"> </span><span class="n">programs</span><span class="w"> </span><span class="w"></span><span class="k">WHERE</span><span class="w"> </span><span class="n">name</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s1">&#39;CrowdStrike Sensor Platform&#39;</span><span class="w"> </span><span class="k">COLLATE</span><span class="w"> </span><span class="n">NOCASE</span><span class="w"> </span></code></pre></div><p><strong>Step 3:</strong> Lastly, we collect the operational state of the agent from the <code>services</code> table.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-sql" data-lang="sql"><span class="k">SELECT</span><span class="w"> </span><span class="k">COUNT</span><span class="p">(</span><span class="o">*</span><span class="p">),</span><span class="w"> </span><span class="w"> </span><span class="n">IIF</span><span class="p">(</span><span class="k">LOWER</span><span 
class="p">(</span><span class="n">status</span><span class="p">)</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s1">&#39;running&#39;</span><span class="p">,</span><span class="w"> </span><span class="s1">&#39;Yes&#39;</span><span class="p">,</span><span class="w"> </span><span class="s1">&#39;No&#39;</span><span class="p">)</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="n">sensor_operational</span><span class="w"> </span><span class="w"></span><span class="k">FROM</span><span class="w"> </span><span class="n">services</span><span class="w"> </span><span class="w"></span><span class="k">WHERE</span><span class="w"> </span><span class="n">name</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s1">&#39;CSFalconService&#39;</span><span class="w"> </span><span class="k">COLLATE</span><span class="w"> </span><span class="n">NOCASE</span><span class="w"> </span></code></pre></div><h2 id="what-1passwords-device-trust-solution-does-to-help-ensure-the-crowdstrike-agent-is-properly-installed-and-running">What 1Password&rsquo;s Device Trust solution does to help ensure the CrowdStrike agent is properly installed and running</h2> <p>At 1Password, we&rsquo;ve created custom tables to pull extra information from Falcon. 
(<a href="https://blog.1password.com/write-new-osquery-table/">For a detailed guide on how to write osquery tables, read our blog.</a>)</p> <p>These queries also vary somewhat by OS, so we&rsquo;ve included what data our CrowdStrike Agent Check collects from each.</p> <h3 id="macos-1">MacOS</h3> <p>We gather data reported directly from the CrowdStrike agent by checking the output of this command: <code>/Applications/Falcon.app/Contents/Resources/falconctl stats -p</code>.</p> <p>This returns:</p> <ul> <li> <p>Agent ID</p> </li> <li> <p>Client ID</p> </li> <li> <p>Operational state</p> </li> <li> <p>Version of the agent</p> </li> </ul> <p>We then check the <code>system_extensions</code> osquery table to verify the agent is installed and active. We also check if there&rsquo;s an inactive agent, but it does not change the check&rsquo;s result if one is there.</p> <h3 id="linux-1">Linux</h3> <p>We gather data reported directly from the CrowdStrike agent by checking the output of this command: <code>/opt/CrowdStrike/falconctl -g --aid --cid --rfm-state --version</code>.</p> <p>This returns:</p> <ul> <li> <p>Agent ID</p> </li> <li> <p>Client ID</p> </li> <li> <p>RFM (Reduced Functionality Mode) state</p> </li> <li> <p>Version of the agent</p> </li> </ul> <p>We then check the <code>systemd_units</code> osquery table to collect the operational state of the agent.</p> <h3 id="windows-1">Windows</h3> <p>For Windows devices, we gather the Agent ID and Client ID from the <code>registry</code> osquery table. We then collect the operational state from the <code>services</code> osquery table. Lastly, we check our WMI table for the agent&rsquo;s version.</p> <h2 id="what-is-crowdstrike-zta-zero-trust-assessment">What is CrowdStrike ZTA (Zero Trust Assessment)</h2> <p>Up to this point we&rsquo;ve covered how to detect and validate that CrowdStrike&rsquo;s agent is installed, configured, and running properly. 
Now we&rsquo;ll discuss how 1Password&rsquo;s Device Trust solution (as part of <a href="https://1password.com/product/xam">1Password Extended Access Management</a>) utilizes an additional security measurement offered by CrowdStrike, their ZTA (Zero Trust Assessment) service.</p> <p>The ZTA service monitors OS and CrowdStrike&rsquo;s Falcon sensor settings to ensure they meet the configured policies for those settings. The ZTA service calculates a security score from 1 to 100 for each host. While a higher score indicates a better posture for the host, the score depends upon the unique configuration of the policies, and therefore ZTA does not define what constitutes a good score.</p> <p><strong>Our end goal is to create a Check that will block devices from authenticating if they don&rsquo;t earn a high enough ZTA score.</strong></p> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div class="c-technical-aside-box__description"> <p>Note: ZTA has some prerequisites before it can be used. Foremost, you will need a subscription to Falcon Insight XDR; then you will have to contact CrowdStrike support and request they enable the ZTA feature for your account.</p> <p>If you&rsquo;d like to learn more about CrowdStrike&rsquo;s ZTA service, we recommend watching their <a href="https://www.crowdstrike.com/resources/videos/zero-trust-assessment-demo/">demo</a>. For the rest of this section we&rsquo;ll be assuming you understand what the ZTA service is and how it reports on host devices.</p> </div> </aside> <p>The ZTA <em>security</em> score is generated and stored in a common <code>data.zta</code> file on the host device (except for Linux). This file is an encrypted and signed JSON Web Token (JWT).</p> <p>Parsing this JWT, we can see the various claims being sent. The claims we&rsquo;ll be paying attention to are the <code>assessment</code> (ZTA) claims. 
These are split into 4 different claims:</p> <ul> <li> <p>The ZTA OS security score.</p> </li> <li> <p>The ZTA Falcon sensor security score.</p> </li> <li> <p>The ZTA overall security score.</p> </li> <li> <p>The ZTA version.</p> </li> </ul> <h2 id="how-1password-extended-access-management-utilizes-crowdstrike-zta-zero-trust-assessment">How 1Password Extended Access Management utilizes CrowdStrike ZTA (Zero Trust Assessment)</h2> <p>There are a few things we had to implement to make use of the CrowdStrike ZTA data.</p> <p>First, we needed a way to parse the JWT, as there&rsquo;s no native way to do this in osquery. As with the other CrowdStrike tables we had to create, we built a JWT parser table to handle this.</p> <p>Second, we wanted to validate the parsed JWT with the <a href="https://assets-public.falcon.crowdstrike.com/zta/jwk.json">publicly accessible CrowdStrike ZTA JWKs</a>. The JWT parser table accepts an array of signing keys to be passed to it for validating the JWT.</p> <p>Now we have all of the pieces for our CrowdStrike ZTA Check. The Check verifies that the ZTA JWT signature is valid using their JWKs. By default, the Check also verifies that the overall ZTA score is equal to or greater than 75. This is configurable along with the other scores&rsquo; minimum requirements, which are 0 by default.</p> <h2 id="how-1passwords-device-trust-solution-turns-queries-into-checks">How 1Password&rsquo;s Device Trust solution turns queries into Checks</h2> <p>As you can see, between the different operating systems, we had to piece together the CrowdStrike data and state from a few different tables in osquery, plus our own agent. Without our agent&rsquo;s data, the Checks would suffer in quality and sophistication, and in the case of the ZTA Check, it would not exist at all.</p> <p>This should give you a sense of how much work goes into creating our software configuration Checks, but it&rsquo;s still not the complete picture of our final product. 
We then bundle these disparate queries into Checks, which admins can deploy across their fleet and run automatically or at will (our default setting for these Checks is to run once per hour).</p> <p>In the example of the CrowdStrike Agent Check, if our agent detects any issues, then it will immediately notify the end user via our toolbar app and provide them with remediation instructions.</p> <img src='https://blog.1password.com/posts/2024/how-to-tell-if-crowdstrike-falcon-sensor-is-running/crowdstrike-check-fix-instructions.png' alt='A screenshot of the fix instructions XAM provides for the crowdstrike check.' title='A screenshot of the fix instructions XAM provides for the crowdstrike check.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>If a user attempts to authenticate via their IdP without a functioning CrowdStrike agent, 1Password&rsquo;s Device Trust solution will block them until they have fixed the problem. (As with all our Checks, admins can configure this one to merely warn users, rather than blocking them, but given the seriousness of CrowdStrike&rsquo;s security role, most of our customers choose to make it a requirement.)</p> <p>It&rsquo;s important not to underestimate the value of end user remediation in the case of this CrowdStrike Agent Check. For one thing, it gets end users back to work without requiring the direct intervention of IT. 
For another, it cuts across departmental silos, since in many organizations CrowdStrike is part of the Security team&rsquo;s purview, but interfacing with users usually falls to IT.</p> <p>While these Checks are specific to CrowdStrike, you can take this approach to other EDR tools and software in general.</p> <p>Details will vary, but the overall process should be:</p> <ol> <li> <p>Finding and deciphering configs and/or logs.</p> </li> <li> <p>Creating tables and launcher work to read those files.</p> </li> <li> <p>Writing a Check that uses the custom tables.</p> </li> </ol> <p>If you&rsquo;re a 1Password Extended Access Management customer, you can go through the whole process (including writing end user remediation instructions) using our custom Check editor.</p> <p>If you&rsquo;re <em>not</em> a customer but you want to learn more about how our device trust solution works, <a href="https://1password.com/contact-sales/xam">schedule a demo</a>!</p></description></item><item><title>Patch Macs with 1Password Extended Access Management</title><link>https://blog.1password.com/patch-macs-with-1password-extended-access-management/</link><pubDate>Fri, 13 Sep 2024 00:00:00 +0000</pubDate><author>info@1password.com (Jason Meller)</author><guid>https://blog.1password.com/patch-macs-with-1password-extended-access-management/</guid><description> <img src='https://blog.1password.com/posts/2024/patch-macs-with-1password-extended-access-management/header.png' class='webfeedsFeaturedVisual' alt='Patch Macs with 1Password Extended Access Management' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">In emergency situations, 1Password® Extended Access Management can get devices patched faster than MDM alone.</p> <p>On February 13th, 2023, <a href="https://support.apple.com/en-us/HT213638">Apple released a series of OS updates</a> to quickly mitigate several serious vulnerabilities (CVE-2023-23514 and CVE-2023-23529) in macOS and 
Safari. It appeared to be a worst-case scenario: a motivated unauthorized third party could craft a specific payload to execute arbitrary code on unpatched devices.</p> <p>This type of emergency patching situation is unfortunately all too common, and yet most admins don&rsquo;t have good tools to effectively hasten how quickly these devices get patched. With 1Password Extended Access Management&rsquo;s integration with <a href="https://blog.1password.com/extended-access-management-okta-guide/#:~:text=In%20Okta's%20authentication%20flow%2C%201Password,into%20their%20Okta%2Dprotected%20apps.">identity providers like Okta, Microsoft Entra,</a> and Google Workspace, IT admins now have a powerful capability to patch devices faster than ever. Using 1Password Extended Access Management&rsquo;s Device Trust solution allows Mac admins to update their fleets as fast as today.</p> <p>In this blog post, I am going to detail how you can use our Zero Trust Access model to get your Macs patched ASAP. In the tutorial, we&rsquo;ll use CVE-2023-23514 and CVE-2023-23529 as our examples.</p> <h2 id="step-1-write-a-new-check">Step 1: Write a new check</h2> <p>Even though 1Password Extended Access Management has built-in Checks for ensuring macOS has recent patches, we will want to create a separate Check for urgent vulnerabilities like these. Why? Well, there are several reasons:</p> <ul> <li> <p>Creating separate checks will enable us to track the remediation of these vulnerabilities much more easily.</p> </li> <li> <p>We can use much more aggressive blocking rules than what is used in non-emergency situations (standard updates).</p> </li> </ul> <p>To get started, simply click Checks in the top navigation and then click the &ldquo;Add New Checks&rdquo; button in the upper-right. 
From there, select the &ldquo;Build Your Own&rdquo; tab, and then finally, &ldquo;Start With a Blank Template.&rdquo;</p> <img src='https://blog.1password.com/posts/2024/patch-macs-with-1password-extended-access-management/kolide-new-custom-check.jpg' alt='A screenshot showing a XAM custom check prompt.' title='A screenshot showing a XAM custom check prompt.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>Click &ldquo;Create New Draft&rdquo; and then proceed to the next step.</p> <h2 id="step-2-write-the-check-sql">Step 2: Write the check SQL</h2> <p>The most important part of any Check is the set of rules that find failing Devices. In 1Password Extended Access Management we write these rules using osquery SQL. The SQL should always emit at least one row that contains a column called <code>KOLIDE_CHECK_STATUS</code> with a value of <code>PASS</code> or <code>FAIL</code>.</p> <p>For this Check, the following SQL does the trick:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-sql" data-lang="sql"><span class="k">WITH</span><span class="w"> </span><span class="w"></span><span class="n">reference_version</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="p">(</span><span class="w"> </span><span class="w"> </span><span class="k">SELECT</span><span class="w"> </span><span class="s1">&#39;13.2.1&#39;</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="n">minimum_version</span><span class="p">),</span><span class="w"> </span><span class="w"></span><span class="n">version_split</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="p">(</span><span class="w"> </span><span class="w"> </span><span class="k">SELECT</span><span class="w"> </span><span class="k">version</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="n">current_version</span><span 
class="p">,</span><span class="w"> </span><span class="w"></span><span class="c1">-- Split minimum_version strings </span><span class="c1"></span><span class="w"> </span><span class="k">CAST</span><span class="p">(</span><span class="n">SPLIT</span><span class="p">(</span><span class="n">minimum_version</span><span class="p">,</span><span class="w"> </span><span class="s2">&#34;.&#34;</span><span class="p">,</span><span class="w"> </span><span class="mi">0</span><span class="p">)</span><span class="k">AS</span><span class="w"> </span><span class="nb">int</span><span class="p">)</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="n">min_ver_major</span><span class="p">,</span><span class="w"> </span><span class="w"> </span><span class="k">CAST</span><span class="p">(</span><span class="n">SPLIT</span><span class="p">(</span><span class="n">minimum_version</span><span class="p">,</span><span class="w"> </span><span class="s2">&#34;.&#34;</span><span class="p">,</span><span class="w"> </span><span class="mi">1</span><span class="p">)</span><span class="k">AS</span><span class="w"> </span><span class="nb">int</span><span class="p">)</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="n">min_ver_minor</span><span class="p">,</span><span class="w"> </span><span class="w"> </span><span class="k">CAST</span><span class="p">(</span><span class="n">SPLIT</span><span class="p">(</span><span class="n">minimum_version</span><span class="p">,</span><span class="w"> </span><span class="s2">&#34;.&#34;</span><span class="p">,</span><span class="w"> </span><span class="mi">2</span><span class="p">)</span><span class="k">AS</span><span class="w"> </span><span class="nb">int</span><span class="p">)</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="n">min_ver_patch</span><span class="p">,</span><span class="w"> </span><span class="w"></span><span class="c1">-- 
Split installed_version strings </span><span class="c1"></span><span class="w"> </span><span class="n">COALESCE</span><span class="p">(</span><span class="n">major</span><span class="p">,</span><span class="w"> </span><span class="mi">0</span><span class="p">)</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="n">current_ver_major</span><span class="p">,</span><span class="w"> </span><span class="w"> </span><span class="n">COALESCE</span><span class="p">(</span><span class="n">minor</span><span class="p">,</span><span class="w"> </span><span class="mi">0</span><span class="p">)</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="n">current_ver_minor</span><span class="p">,</span><span class="w"> </span><span class="w"> </span><span class="n">COALESCE</span><span class="p">(</span><span class="n">patch</span><span class="p">,</span><span class="w"> </span><span class="mi">0</span><span class="p">)</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="n">current_ver_patch</span><span class="w"> </span><span class="w"> </span><span class="k">FROM</span><span class="w"> </span><span class="n">os_version</span><span class="w"> </span><span class="w"> </span><span class="k">LEFT</span><span class="w"> </span><span class="k">JOIN</span><span class="w"> </span><span class="n">reference_version</span><span class="w"> </span><span class="w"></span><span class="p">),</span><span class="w"> </span><span class="w"></span><span class="n">failure_logic</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="p">(</span><span class="w"> </span><span class="w"> </span><span class="k">SELECT</span><span class="w"> </span><span class="o">*</span><span class="p">,</span><span class="w"> </span><span class="w"> </span><span class="k">CASE</span><span class="w"> </span><span class="w"></span><span class="c1">-- Scope to only 13.x 
devices </span><span class="c1"></span><span class="w"> </span><span class="k">WHEN</span><span class="w"> </span><span class="n">current_ver_major</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">13</span><span class="w"> </span><span class="w"> </span><span class="k">AND</span><span class="w"> </span><span class="p">(</span><span class="w"> </span><span class="w"></span><span class="c1">-- Check major versions </span><span class="c1"></span><span class="w"> </span><span class="p">(</span><span class="n">min_ver_major</span><span class="w"> </span><span class="o">&gt;</span><span class="w"> </span><span class="n">current_ver_major</span><span class="p">)</span><span class="w"> </span><span class="w"></span><span class="c1">-- Check minor versions </span><span class="c1"></span><span class="w"> </span><span class="k">OR</span><span class="w"> </span><span class="p">(</span><span class="w"> </span><span class="w"> </span><span class="n">min_ver_major</span><span class="w"> </span><span class="o">&gt;=</span><span class="w"> </span><span class="n">current_ver_major</span><span class="w"> </span><span class="w"> </span><span class="k">AND</span><span class="w"> </span><span class="n">min_ver_minor</span><span class="w"> </span><span class="o">&gt;</span><span class="w"> </span><span class="n">current_ver_minor</span><span class="p">)</span><span class="w"> </span><span class="w"></span><span class="c1">-- Check patch versions </span><span class="c1"></span><span class="w"> </span><span class="k">OR</span><span class="w"> </span><span class="p">(</span><span class="w"> </span><span class="w"> </span><span class="n">min_ver_major</span><span class="w"> </span><span class="o">&gt;=</span><span class="w"> </span><span class="n">current_ver_major</span><span class="w"> </span><span class="w"> </span><span class="k">AND</span><span class="w"> </span><span class="n">min_ver_minor</span><span class="w"> </span><span 
class="o">&gt;=</span><span class="w"> </span><span class="n">current_ver_minor</span><span class="w"> </span><span class="w"> </span><span class="k">AND</span><span class="w"> </span><span class="n">min_ver_patch</span><span class="w"> </span><span class="o">&gt;</span><span class="w"> </span><span class="n">current_ver_patch</span><span class="p">)</span><span class="w"> </span><span class="w"> </span><span class="p">)</span><span class="w"> </span><span class="w"> </span><span class="k">THEN</span><span class="w"> </span><span class="s1">&#39;FAIL&#39;</span><span class="w"> </span><span class="w"></span><span class="c1">-- Passing Condition: Pass all 12.x versions or &lt; 13.2.1 versions </span><span class="c1"></span><span class="w"> </span><span class="k">WHEN</span><span class="w"> </span><span class="n">current_ver_major</span><span class="w"> </span><span class="o">&lt;</span><span class="w"> </span><span class="mi">13</span><span class="w"> </span><span class="w"> </span><span class="k">OR</span><span class="w"> </span><span class="p">(</span><span class="w"> </span><span class="w"> </span><span class="n">min_ver_major</span><span class="w"> </span><span class="o">&lt;=</span><span class="w"> </span><span class="n">current_ver_major</span><span class="w"> </span><span class="w"> </span><span class="k">AND</span><span class="w"> </span><span class="n">min_ver_minor</span><span class="w"> </span><span class="o">&lt;=</span><span class="w"> </span><span class="n">current_ver_minor</span><span class="w"> </span><span class="w"> </span><span class="k">AND</span><span class="w"> </span><span class="n">min_ver_patch</span><span class="w"> </span><span class="o">&lt;=</span><span class="w"> </span><span class="n">current_ver_patch</span><span class="w"> </span><span class="w"> </span><span class="p">)</span><span class="w"> </span><span class="w"> </span><span class="k">THEN</span><span class="w"> </span><span class="s1">&#39;PASS&#39;</span><span class="w"> 
</span><span class="w"> </span><span class="k">ELSE</span><span class="w"> </span><span class="s1">&#39;UNKNOWN&#39;</span><span class="w"> </span><span class="w"> </span><span class="k">END</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="n">KOLIDE_CHECK_STATUS</span><span class="w"> </span><span class="w"> </span><span class="k">FROM</span><span class="w"> </span><span class="n">version_split</span><span class="w"> </span><span class="w"></span><span class="p">)</span><span class="w"> </span><span class="w"></span><span class="k">SELECT</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="k">FROM</span><span class="w"> </span><span class="n">failure_logic</span><span class="p">;</span><span class="w"> </span></code></pre></div><p>Paste the SQL into the editor. Once inserted, do a test run against a few devices and add an example to the sidebar. This will be useful for the last step when we fill out the Privacy Center information.</p> <img src='https://blog.1password.com/posts/2024/patch-macs-with-1password-extended-access-management/kolide-custom-check-osquery-sql.jpg' alt='A screenshot of the XAM custom check screen after putting in sql code.' title='A screenshot of the XAM custom check screen after putting in sql code.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>Once you&rsquo;ve tested the query and added an example failure to the sidebar, you are ready to proceed to the next tab, named &ldquo;Check Details.&rdquo;</p> <h2 id="step-3-write-check-details">Step 3: Write check details</h2> <p>The &ldquo;Check Details&rdquo; section lets other admins know what problem this Check detects on Devices. 
It also lets us define an issue title that will be displayed to end users on the sign-in page.</p> <p>Here is the info I supplied:</p> <ul> <li> <p>Check Name: macOS CVE-2023-23514</p> </li> <li> <p>Issue Title: macOS Urgent Patch Required</p> </li> <li> <p>Check Description: This Check verifies the Mac is patched against high-severity vulnerability CVE-2023-23514, which impacts macOS Ventura systems.</p> </li> </ul> <p>Once entered, your screen should look like the screenshot below:</p> <img src='https://blog.1password.com/posts/2024/patch-macs-with-1password-extended-access-management/kolide-custom-check-check-details.jpg' alt='A screenshot of XAM custom check details.' title='A screenshot of XAM custom check details.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>From here, let&rsquo;s move on to writing the text our end users will see when they attempt to remediate the problem. This is done in the &ldquo;Notification Text&rdquo; step.</p> <h2 id="step-4-write-end-user-remediation-instructions">Step 4: Write end-user remediation instructions</h2> <p>This critical step ensures end users have all the information they need to solve the problem on their own.</p> <p>On this page there are two important fields to fill out. The first is the rationale, which explains to users why this is important to do. Here is the markdown I wrote:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-markdown" data-lang="markdown">Your macOS version needs to be urgently updated to address a serious vulnerability that may allow an unauthorized third-party to execute code on your system without permission. For more information see [Apple&#39;s Support Article](https://support.apple.com/en-us/HT213633)
</code></pre></div><p>The second is the fix instructions the end user should follow to resolve the issue. In our case, since this vulnerability only impacts macOS 13, we want our instructions to walk through that process in the updated System Settings app.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-markdown" data-lang="markdown">1. Click the Apple icon in the top left corner of your screen and then select &#34;System Settings&#34; from the drop-down menu.
2. In the left menu pane of the System Settings window, select the menu item labeled &#34;General&#34;.
3. Once in the &#34;General&#34; menu, select the submenu labeled &#34;Software Update&#34;.
4. Clicking the &#34;Update Now&#34; button will install *all* missing updates, potentially including major version updates.
5. To install *only* the missing security update(s), click the &#34;More info&#34; button. This will give you details about the available patches. From this list look for the update that says `macOS Ventura 13.2.1` (or higher).
6. With the missing update(s) selected, click the &#34;Install&#34; button.

**Please Note**: If you do not see those updates available, you can use the keyboard shortcut: `Command + R` to refresh the &#34;Software Update&#34; settings panel. This will force your device to search for additional updates.
</code></pre></div><p>With both of these fields filled out, the tab should look something like the screenshot below.</p> <img src='https://blog.1password.com/posts/2024/patch-macs-with-1password-extended-access-management/macOS_fix_instructions.jpeg' alt='A screenshot of XAM macOS fix instructions.' title='A screenshot of XAM macOS fix instructions.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>If that&rsquo;s looking good, let&rsquo;s quickly deal with the Privacy Center tab. This Check has no privacy impact, so we can simply select the example we generated in the Osquery SQL tab and type in a short message letting end users know that no personal data is collected for this Check.</p> <img src='https://blog.1password.com/posts/2024/patch-macs-with-1password-extended-access-management/kolide-custom-check-privacy-center.jpg' alt='A screenshot of the XAM custom check in the privacy center.' title='A screenshot of the XAM custom check in the privacy center.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>With this last step done, we can now publish the Check.</p> <h2 id="step-5-publishing-enabling-and-blocking">Step 5: Publishing, enabling, and blocking</h2> <p>To finish publishing, simply click the blue button in the upper-right corner that says &ldquo;Review &amp; Publish Check.&rdquo; You&rsquo;ll see a confirmation screen like the one below:</p> <img src='https://blog.1password.com/posts/2024/patch-macs-with-1password-extended-access-management/kolide-custom-check-preview.jpg' alt='A screenshot of the XAM custom check preview.' title='A screenshot of the XAM custom check preview.' 
style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>Click &ldquo;Publish Check&rdquo; to complete the process. Then, in the pop-up, click &ldquo;Enable Check&rdquo; as shown below:</p> <img src='https://blog.1password.com/posts/2024/patch-macs-with-1password-extended-access-management/kolide-check-show.jpg' alt='A screenshot showing a XAM check once it&#39;s enabled.' title='A screenshot showing a XAM check once it&#39;s enabled.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>Once enabled, click the &ldquo;View Check Results&rdquo; link that appears, then the action menu in the upper right, and finally &ldquo;Configure.&rdquo; This brings up the sidebar where you can set the blocking status.</p> <img src='https://blog.1password.com/posts/2024/patch-macs-with-1password-extended-access-management/kolide-check-sidebar-edit.jpg' alt='A screenshot showing the XAM check sidebar to set a blocking status.' title='A screenshot showing the XAM check sidebar to set a blocking status.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>As we said in the intro, this is where you decide how aggressively you want to mitigate this vulnerability, balancing that against the productivity of end users. For our internal use, this vulnerability was serious enough to warrant an immediate block, but giving folks an extra day is also a reasonable choice depending on your risk tolerance. For other CVEs, you might allow users even more time before they&rsquo;re blocked. If that&rsquo;s the case, simply tick the checkbox that warns you about blocking devices, and choose the future date on which you&rsquo;d like blocking to start.</p> <p>Once you have the Check set up, the blocking will look something like this:</p> <img src='https://blog.1password.com/posts/2024/patch-macs-with-1password-extended-access-management/kolide-check-edit-done.jpg' alt='A screenshot showing the blocking status and end result of an edited XAM check.' title='A screenshot showing the blocking status and end result of an edited XAM check.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>And that&rsquo;s it! The next time your users sign into any app protected by 1Password Extended Access Management, they will be greeted with the following:</p> <img src='https://blog.1password.com/posts/2024/patch-macs-with-1password-extended-access-management/kolide-urgent-patch-required.png' alt='A screenshot of the pop-up your end-users will get once they are failing a check.' title='A screenshot of the pop-up your end-users will get once they are failing a check.' 
style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <h2 id="appendix-just-the-checks">Appendix: Just the Checks</h2> <p>If you&rsquo;ve gotten the hang of the steps above and just want a concise format to work from when creating these or similar Checks, you can use the markdown below as a reference as you build your own.</p> <h3 id="cve-2023-23514-macos-13-only">CVE-2023-23514 (macOS 13 only)</h3> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-markdown" data-lang="markdown">---
name: macOS CVE-2023-23514
issue_title: macOS Urgent Patch Required
topics:
- custom-check
platforms:
- darwin
---
</code></pre></div><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-SQL" data-lang="SQL">WITH reference_version AS (
  SELECT &#39;13.2.1&#39; AS minimum_version
),
version_split AS (
  SELECT
    version AS current_version,
    -- Split the minimum_version string into major, minor and patch
    CAST(SPLIT(minimum_version, &#39;.&#39;, 0) AS int) AS min_ver_major,
    CAST(SPLIT(minimum_version, &#39;.&#39;, 1) AS int) AS min_ver_minor,
    CAST(SPLIT(minimum_version, &#39;.&#39;, 2) AS int) AS min_ver_patch,
    -- Installed version components; a missing component counts as 0
    COALESCE(major, 0) AS current_ver_major,
    COALESCE(minor, 0) AS current_ver_minor,
    COALESCE(patch, 0) AS current_ver_patch
  FROM os_version
  LEFT JOIN reference_version
),
failure_logic AS (
  SELECT
    *,
    CASE
      -- Scope to 13.x devices only
      WHEN current_ver_major = 13
        AND (
          -- Check major versions
          (min_ver_major &gt; current_ver_major)
          -- Check minor versions
          OR (min_ver_major &gt;= current_ver_major
              AND min_ver_minor &gt; current_ver_minor)
          -- Check patch versions
          OR (min_ver_major &gt;= current_ver_major
              AND min_ver_minor &gt;= current_ver_minor
              AND min_ver_patch &gt; current_ver_patch)
        )
      THEN &#39;FAIL&#39;
      -- Passing condition: anything below 13.x, or 13.2.1 and newer.
      -- Compare major first, then minor, then patch, so that 13.3.x
      -- and 14.x devices pass instead of falling through to UNKNOWN.
      WHEN current_ver_major &lt; 13
        OR current_ver_major &gt; min_ver_major
        OR (current_ver_major = min_ver_major
            AND current_ver_minor &gt; min_ver_minor)
        OR (current_ver_major = min_ver_major
            AND current_ver_minor = min_ver_minor
            AND current_ver_patch &gt;= min_ver_patch)
      THEN &#39;PASS&#39;
      ELSE &#39;UNKNOWN&#39;
    END AS KOLIDE_CHECK_STATUS
  FROM version_split
)
SELECT * FROM failure_logic;

# Description
This Check verifies the Mac is patched against high-severity vulnerability CVE-2023-23514, which impacts macOS Ventura systems.

# Rationale
Your macOS version needs to be urgently updated to address a serious vulnerability that may allow an unauthorized third-party to execute code on your system without permission. For more information see [Apple&#39;s Support Article](https://support.apple.com/en-us/HT213633)

# Fix Instructions
1. Click the Apple icon in the top left corner of your screen and then select &#34;System Settings&#34; from the drop-down menu.
2. In the left menu pane of the System Settings window, select the menu item labeled &#34;General&#34;.
3. Once in the &#34;General&#34; menu, select the submenu labeled &#34;Software Update&#34;.
4. Clicking the &#34;Update Now&#34; button will install *all* missing updates, potentially including major version updates.
5. To install *only* the missing security update(s), click the &#34;More info&#34; button. This will give you details about the available patches. From this list look for the update that says `macOS Ventura 13.2.1` (or higher).
6. With the missing update(s) selected, click the &#34;Install&#34; button.

**Please Note**: If you do not see those updates available, you can use the keyboard shortcut: `Command + R` to refresh the &#34;Software Update&#34; settings panel. This will force your device to search for additional updates.

# Privacy Info
No personal or private information is collected for this Check.
</code></pre></div><h3 id="cve-2023-23529-macos-11--12">CVE-2023-23529 (macOS 11 &amp; 12)</h3> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-markdown" data-lang="markdown">---
name: Safari Vulnerability (CVE-2023-23529)
issue_title: Safari Urgent Patch Required
topics:
- custom-check
platforms:
- darwin
---
</code></pre></div><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-SQL" data-lang="SQL"><span class="k">WITH</span><span class="w"> </span><span class="w"></span><span class="n">reference_version</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="p">(</span><span class="w"> </span><span class="w"> </span><span class="k">SELECT</span><span class="w"> </span><span class="s1">&#39;13.2.1&#39;</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="n">minimum_version</span><span class="w"> </span><span class="w"></span><span class="p">),</span><span class="w"> </span><span class="w"></span><span class="n">version_split</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="p">(</span><span class="w"> </span><span class="w"> </span><span class="k">SELECT</span><span class="w"> </span><span class="k">version</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="n">current_version</span><span class="p">,</span><span class="w"> </span><span class="w"></span><span 
class="c1">-- Split minimum_version strings </span><span class="c1"></span><span class="w"> </span><span class="k">CAST</span><span class="p">(</span><span class="n">SPLIT</span><span class="p">(</span><span class="n">minimum_version</span><span class="p">,</span><span class="w"> </span><span class="s2">&#34;.&#34;</span><span class="p">,</span><span class="w"> </span><span class="mi">0</span><span class="p">)</span><span class="k">AS</span><span class="w"> </span><span class="nb">int</span><span class="p">)</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="n">min_ver_major</span><span class="p">,</span><span class="w"> </span><span class="w"> </span><span class="k">CAST</span><span class="p">(</span><span class="n">SPLIT</span><span class="p">(</span><span class="n">minimum_version</span><span class="p">,</span><span class="w"> </span><span class="s2">&#34;.&#34;</span><span class="p">,</span><span class="w"> </span><span class="mi">1</span><span class="p">)</span><span class="k">AS</span><span class="w"> </span><span class="nb">int</span><span class="p">)</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="n">min_ver_minor</span><span class="p">,</span><span class="w"> </span><span class="w"> </span><span class="k">CAST</span><span class="p">(</span><span class="n">SPLIT</span><span class="p">(</span><span class="n">minimum_version</span><span class="p">,</span><span class="w"> </span><span class="s2">&#34;.&#34;</span><span class="p">,</span><span class="w"> </span><span class="mi">2</span><span class="p">)</span><span class="k">AS</span><span class="w"> </span><span class="nb">int</span><span class="p">)</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="n">min_ver_patch</span><span class="p">,</span><span class="w"> </span><span class="w"></span><span class="c1">-- Split installed_version strings </span><span class="c1"></span><span 
class="w"> </span><span class="n">COALESCE</span><span class="p">(</span><span class="n">major</span><span class="p">,</span><span class="w"> </span><span class="mi">0</span><span class="p">)</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="n">current_ver_major</span><span class="p">,</span><span class="w"> </span><span class="w"> </span><span class="n">COALESCE</span><span class="p">(</span><span class="n">minor</span><span class="p">,</span><span class="w"> </span><span class="mi">0</span><span class="p">)</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="n">current_ver_minor</span><span class="p">,</span><span class="w"> </span><span class="w"> </span><span class="n">COALESCE</span><span class="p">(</span><span class="n">patch</span><span class="p">,</span><span class="w"> </span><span class="mi">0</span><span class="p">)</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="n">current_ver_patch</span><span class="w"> </span><span class="w"> </span><span class="k">FROM</span><span class="w"> </span><span class="n">os_version</span><span class="w"> </span><span class="w"> </span><span class="k">LEFT</span><span class="w"> </span><span class="k">JOIN</span><span class="w"> </span><span class="n">reference_version</span><span class="w"> </span><span class="w"></span><span class="p">),</span><span class="w"> </span><span class="w"></span><span class="n">failure_logic</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="p">(</span><span class="w"> </span><span class="w"> </span><span class="k">SELECT</span><span class="w"> </span><span class="o">*</span><span class="p">,</span><span class="w"> </span><span class="w"> </span><span class="k">CASE</span><span class="w"> </span><span class="w"></span><span class="c1">-- Scope to only 13.x devices </span><span class="c1"></span><span class="w"> </span><span 
class="k">WHEN</span><span class="w"> </span><span class="n">current_ver_major</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">13</span><span class="w"> </span><span class="w"> </span><span class="k">AND</span><span class="w"> </span><span class="p">(</span><span class="w"> </span><span class="w"></span><span class="c1">-- Check major versions </span><span class="c1"></span><span class="w"> </span><span class="p">(</span><span class="n">min_ver_major</span><span class="w"> </span><span class="o">&gt;</span><span class="w"> </span><span class="n">current_ver_major</span><span class="p">)</span><span class="w"> </span><span class="w"></span><span class="c1">-- Check minor versions </span><span class="c1"></span><span class="w"> </span><span class="k">OR</span><span class="w"> </span><span class="p">(</span><span class="w"> </span><span class="w"> </span><span class="n">min_ver_major</span><span class="w"> </span><span class="o">&gt;=</span><span class="w"> </span><span class="n">current_ver_major</span><span class="w"> </span><span class="w"> </span><span class="k">AND</span><span class="w"> </span><span class="n">min_ver_minor</span><span class="w"> </span><span class="o">&gt;</span><span class="w"> </span><span class="n">current_ver_minor</span><span class="p">)</span><span class="w"> </span><span class="w"></span><span class="c1">-- Check patch versions </span><span class="c1"></span><span class="w"> </span><span class="k">OR</span><span class="w"> </span><span class="p">(</span><span class="w"> </span><span class="w"> </span><span class="n">min_ver_major</span><span class="w"> </span><span class="o">&gt;=</span><span class="w"> </span><span class="n">current_ver_major</span><span class="w"> </span><span class="w"> </span><span class="k">AND</span><span class="w"> </span><span class="n">min_ver_minor</span><span class="w"> </span><span class="o">&gt;=</span><span class="w"> </span><span 
class="n">current_ver_minor</span><span class="w"> </span><span class="w"> </span><span class="k">AND</span><span class="w"> </span><span class="n">min_ver_patch</span><span class="w"> </span><span class="o">&gt;</span><span class="w"> </span><span class="n">current_ver_patch</span><span class="p">)</span><span class="w"> </span><span class="w"> </span><span class="p">)</span><span class="w"> </span><span class="w"> </span><span class="k">THEN</span><span class="w"> </span><span class="s1">&#39;FAIL&#39;</span><span class="w"> </span><span class="w"></span><span class="c1">-- Passing Condition: Pass all 12.x versions or &lt; 13.2.1 versions </span><span class="c1"></span><span class="w"> </span><span class="k">WHEN</span><span class="w"> </span><span class="n">current_ver_major</span><span class="w"> </span><span class="o">&lt;</span><span class="w"> </span><span class="mi">13</span><span class="w"> </span><span class="w"> </span><span class="k">OR</span><span class="w"> </span><span class="p">(</span><span class="w"> </span><span class="w"> </span><span class="n">min_ver_major</span><span class="w"> </span><span class="o">&lt;=</span><span class="w"> </span><span class="n">current_ver_major</span><span class="w"> </span><span class="w"> </span><span class="k">AND</span><span class="w"> </span><span class="n">min_ver_minor</span><span class="w"> </span><span class="o">&lt;=</span><span class="w"> </span><span class="n">current_ver_minor</span><span class="w"> </span><span class="w"> </span><span class="k">AND</span><span class="w"> </span><span class="n">min_ver_patch</span><span class="w"> </span><span class="o">&lt;=</span><span class="w"> </span><span class="n">current_ver_patch</span><span class="w"> </span><span class="w"> </span><span class="p">)</span><span class="w"> </span><span class="w"> </span><span class="k">THEN</span><span class="w"> </span><span class="s1">&#39;PASS&#39;</span><span class="w"> </span><span class="w"> </span><span 
class="k">ELSE</span><span class="w"> </span><span class="s1">&#39;UNKNOWN&#39;</span><span class="w"> </span><span class="w"> </span><span class="k">END</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="n">KOLIDE_CHECK_STATUS</span><span class="w"> </span><span class="w"> </span><span class="k">FROM</span><span class="w"> </span><span class="n">version_split</span><span class="w"> </span><span class="w"></span><span class="p">)</span><span class="w"> </span><span class="w"></span><span class="k">SELECT</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="k">FROM</span><span class="w"> </span><span class="n">failure_logic</span><span class="p">;</span><span class="w"> </span><span class="w"> </span><span class="w"></span><span class="o">#</span><span class="w"> </span><span class="n">Description</span><span class="w"> </span><span class="w"></span><span class="n">CVE</span><span class="o">-</span><span class="mi">2023</span><span class="o">-</span><span class="mi">23529</span><span class="w"> </span><span class="n">was</span><span class="w"> </span><span class="n">recently</span><span class="w"> </span><span class="n">patched</span><span class="w"> </span><span class="k">and</span><span class="w"> </span><span class="n">disclosed</span><span class="w"> </span><span class="k">by</span><span class="w"> </span><span class="n">Apple</span><span class="p">.</span><span class="w"> </span><span class="n">This</span><span class="w"> </span><span class="n">vulnerability</span><span class="w"> </span><span class="n">affects</span><span class="w"> </span><span class="n">macOS</span><span class="w"> </span><span class="mi">11</span><span class="w"> </span><span class="n">_</span><span class="p">(</span><span class="n">Big</span><span class="w"> </span><span class="n">Sur</span><span class="p">)</span><span class="n">_</span><span class="w"> </span><span class="k">and</span><span class="w"> 
</span><span class="n">macOS</span><span class="w"> </span><span class="mi">12</span><span class="w"> </span><span class="n">_</span><span class="p">(</span><span class="n">Monterey</span><span class="p">)</span><span class="n">_</span><span class="w"> </span><span class="n">devices</span><span class="p">,</span><span class="w"> </span><span class="n">running</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">Safari</span><span class="w"> </span><span class="n">web</span><span class="w"> </span><span class="n">browser</span><span class="p">.</span><span class="w"> </span><span class="n">The</span><span class="w"> </span><span class="n">vulnerability</span><span class="w"> </span><span class="k">is</span><span class="w"> </span><span class="p">[</span><span class="n">described</span><span class="w"> </span><span class="k">by</span><span class="w"> </span><span class="n">Apple</span><span class="p">](</span><span class="n">https</span><span class="p">:</span><span class="o">//</span><span class="n">support</span><span class="p">.</span><span class="n">apple</span><span class="p">.</span><span class="n">com</span><span class="o">/</span><span class="n">en</span><span class="o">-</span><span class="n">us</span><span class="o">/</span><span class="n">HT213638</span><span class="p">)</span><span class="w"> </span><span class="k">as</span><span class="p">:</span><span class="w"> </span><span class="w"> </span><span class="w"></span><span class="s2">&#34;Processing maliciously crafted web content may lead to arbitrary code execution. 
Apple is aware of a report that this issue may have been actively exploited.&#34;</span><span class="w"> </span><span class="w"> </span><span class="w"></span><span class="o">#</span><span class="w"> </span><span class="n">Rationale</span><span class="w"> </span><span class="w"></span><span class="n">Devices</span><span class="w"> </span><span class="n">running</span><span class="w"> </span><span class="n">a</span><span class="w"> </span><span class="n">vulnerable</span><span class="w"> </span><span class="k">version</span><span class="w"> </span><span class="k">of</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">Safari</span><span class="w"> </span><span class="n">web</span><span class="w"> </span><span class="n">browser</span><span class="w"> </span><span class="k">are</span><span class="w"> </span><span class="k">at</span><span class="w"> </span><span class="n">risk</span><span class="w"> </span><span class="k">of</span><span class="w"> </span><span class="n">maliciously</span><span class="w"> </span><span class="n">crafted</span><span class="w"> </span><span class="n">web</span><span class="w"> </span><span class="n">content</span><span class="w"> </span><span class="k">leading</span><span class="w"> </span><span class="k">to</span><span class="w"> </span><span class="n">arbitrary</span><span class="w"> </span><span class="n">code</span><span class="w"> </span><span class="n">execution</span><span class="p">.</span><span class="w"> </span><span class="n">Due</span><span class="w"> </span><span class="k">to</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">severity</span><span class="w"> </span><span class="k">of</span><span class="w"> </span><span class="n">this</span><span class="w"> </span><span class="n">risk</span><span class="p">,</span><span class="w"> </span><span class="n">users</span><span class="w"> </span><span class="n">should</span><span class="w"> 
</span><span class="k">update</span><span class="w"> </span><span class="n">Safari</span><span class="w"> </span><span class="k">as</span><span class="w"> </span><span class="n">soon</span><span class="w"> </span><span class="k">as</span><span class="w"> </span><span class="n">possible</span><span class="p">.</span><span class="w"> </span><span class="w"> </span><span class="w"></span><span class="n">Safari</span><span class="w"> </span><span class="n">versions</span><span class="w"> </span><span class="k">prior</span><span class="w"> </span><span class="k">to</span><span class="w"> </span><span class="o">`</span><span class="mi">16</span><span class="p">.</span><span class="mi">3</span><span class="p">.</span><span class="mi">1</span><span class="o">`</span><span class="w"> </span><span class="k">are</span><span class="w"> </span><span class="n">vulnerable</span><span class="p">.</span><span class="w"> </span><span class="w"> </span><span class="w"></span><span class="n">You</span><span class="w"> </span><span class="k">are</span><span class="w"> </span><span class="n">currently</span><span class="w"> </span><span class="n">running</span><span class="w"> </span><span class="k">version</span><span class="p">:</span><span class="w"> </span><span class="o">`</span><span class="err">{{</span><span class="n">issue</span><span class="p">.</span><span class="n">current_version</span><span class="s1">&#39;}}` </span><span class="s1"> </span><span class="s1"># Fix Instructions </span><span class="s1">To update Safari, follow the steps below: </span><span class="s1"> </span><span class="s1">1. Open System Preferences by clicking the Apple icon at the top-left of your screen, and clicking the item in the drop-down labeled **System Preferences** </span><span class="s1">2. In System Preferences, click the preference pane item labeled **Software Update** _(gear icon)_. </span><span class="s1">3. 
The Software Update preference pane should automatically begin checking for available updates. </span>
4. When the Safari update is displayed, click the button labeled **Update Now** or **Install Now**.
5. You may be presented with a list of available updates; ensure the checkbox next to the Safari update is checked and click the **Install Now** button.

Note: If you currently have any other failing Checks which pertain to missing macOS updates, they may also be resolved by following these fix instructions.

# Privacy Info
This Check returns information only about the current version of your Safari web browser; no private information is included.
</code></pre></div><p>If you&rsquo;re not a current 1Password Extended Access Management customer but you want to learn more about how our device trust solution works, <a href="https://1password.com/contact-sales/xam">reach out for a demo!</a></p></description></item><item><title>1Password deepens partnership with CrowdStrike to streamline and simplify business cybersecurity</title><link>https://blog.1password.com/1password-crowdstrike-partnership/</link><pubDate>Thu, 12 Sep 2024 00:00:00 +0000</pubDate><author>info@1password.com (Matt O'Leary)</author><guid>https://blog.1password.com/1password-crowdstrike-partnership/</guid><description> <img src='https://blog.1password.com/posts/2024/1password-crowdstrike-partnership/header.png' class='webfeedsFeaturedVisual' alt='1Password deepens partnership with CrowdStrike to streamline and simplify business cybersecurity' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Together, CrowdStrike and 1Password are working to ensure every identity, application, and device is protected from threats. 
Now, you can get the combined power of 1Password and CrowdStrike for less when you <a href="https://www.crowdstrike.com/press-releases/crowdstrike-and-1password-expand-partnership/">bundle 1Password Extended Access Management and CrowdStrike Falcon Go</a>.</p> <p>Too much to do, and not enough time can often feel like the mantra for IT teams. But, with <a href="https://markets.businessinsider.com/news/stocks/cybercriminals-narrow-their-focus-on-smbs-according-to-the-acronis-cyberthreats-report-mid-year-update-1030688981">70% of cyber attacks targeting small businesses</a>, those responsible for business security need to make sure it’s a top priority. However, the constantly evolving security landscape doesn’t make that easy.</p> <p>That’s why more and more small business IT teams are looking for comprehensive security solutions. In fact, nearly one in three teams <a href="https://blog.1password.com/ten-things-about-small-business-cybersecurity/">(30%) have switched security tools or vendors in the past year</a> to ones that provide more complete end-to-end solutions. That’s where 1Password and CrowdStrike come in.</p> <h2 id="what-a-partnership-between-1password-and-crowdstrike-means-for--businesses">What a partnership between 1Password and CrowdStrike means for businesses</h2> <p>The partnership between 1Password and CrowdStrike simplifies security for business customers and provides comprehensive, enterprise-grade protection at an affordable cost.</p> <p><a href="https://1password.com/">1Password</a> is a leader in identity security, helping secure over 150,000 business customers. 
<a href="https://1password.com/product/xam">1PasswordⓇ Extended Access Management</a> ensures that every identity is authentic, every app is secure, and every device is healthy – even those outside the scope of traditional management tools.</p> <p><a href="https://www.crowdstrike.com/">CrowdStrike</a> secures endpoints and cloud workloads, identity, and data to keep customers ahead of today’s threats. And <a href="https://www.crowdstrike.com/products/bundles/falcon-go/">CrowdStrike Falcon Go</a> is a next-gen antivirus that safeguards businesses around the clock from both known and unknown malware.</p> <p>The security landscape can often change in the blink of an eye. 1Password and CrowdStrike together make it easier for security professionals with limited time and technical expertise to manage IT and security operations.</p> <h2 id="1password-and-crowdstrike-a-technology-integration">1Password and CrowdStrike: A technology integration</h2> <p>Spend less time toggling between tools and manually compiling reports across various security solutions when using 1Password and CrowdStrike together. This integration provides deeper visibility into a company’s security posture by centralizing critical events from 1Password directly into CrowdStrike Falcon Next-Gen SIEM.</p> <p>Using the <a href="https://marketplace.crowdstrike.com/listings/1password-business-data-connector">1Password Business Data Collector</a>, CrowdStrike Falcon Next-Gen SIEM can ingest 1Password Business account activity like sign-in attempts, item usage, and audit events. 
Security teams can then build custom graphs and dashboards to analyze account activity, set up custom alerts, and cross-reference 1Password events with data from other services – all within CrowdStrike.</p> <p>Businesses of all sizes can also use 1Password Device Trust health checks to ensure <a href="https://blog.1password.com/how-to-tell-if-crowdstrike-falcon-sensor-is-running/">CrowdStrike Falcon is installed and running</a> on each device, and that they achieve a minimum Zero Trust Assessment score before logging into company apps and resources. Plus, with our latest integration, you can easily stream logs and OSQuery data from Device Trust directly into your CrowdStrike Next-Gen SIEM instance.</p> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div class="c-technical-aside-box__description"> <p>Attending <a href="https://www.crowdstrike.com/events/fal-con/las-vegas/">Fal.con 2024</a> virtually or in-person in Las Vegas? Join Ryan Terry, Senior Product Marketing Manager at CrowdStrike, and Jason Meller, VP of Product at 1Password, to learn how combining 1Password and Falcon Identity Protection provides a comprehensive approach to securing access and stopping adversaries in their tracks. Plus, hear a real-world example from a company using both technologies to protect identities and devices at scale.</p> </div> </aside> <p>And there’s more to come – 1Password and CrowdStrike are actively working on deepening our product integrations.</p> <h2 id="next-steps">Next steps</h2> <p>Want to know more about the <a href="https://www.crowdstrike.com/press-releases/crowdstrike-and-1password-expand-partnership/">1Password and CrowdStrike bundle</a>? 
If you’re a 1Password or CrowdStrike customer or use a third-party reseller, reach out to your account executive to see how you can save by bundling the two together.</p> <p>New to 1Password and CrowdStrike but want to ditch your existing security tools for a more comprehensive solution designed for users of all levels? <a href="https://1password.com/contact-sales">Reach out to our sales team</a> for more information, and start protecting your business as early as today with our easy roll-out.</p></description></item><item><title>1Password Extended Access Management now available via AWS Marketplace</title><link>https://blog.1password.com/aws-marketplace-extended-access-management/</link><pubDate>Wed, 11 Sep 2024 00:00:00 +0000</pubDate><author>info@1password.com (Monica Jain)</author><guid>https://blog.1password.com/aws-marketplace-extended-access-management/</guid><description> <img src='https://blog.1password.com/posts/2024/aws-marketplace-extended-access-management/header.png' class='webfeedsFeaturedVisual' alt='1Password Extended Access Management now available via AWS Marketplace' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">We’re excited to share some big news: 1Password® Extended Access Management is now available on AWS Marketplace through private offers. Now it’s easier than ever to keep organizations secure while taking advantage of the AWS ecosystem.</p> <h2 id="what-is-extended-access-management">What is Extended Access Management?</h2> <p>Extended Access Management (XAM) is a new category of security software that fills critical gaps in the identity and access management landscape. 
It is focused on extending the capabilities offered by IAM (Identity Access Management) and MDM (Mobile Device Management) to the unmanaged (or poorly managed) applications and devices that today’s tools cannot secure.</p> <p>XAM secures access to all the places data goes by giving companies the unprecedented ability to manage:</p> <ul> <li>Unsanctioned and unmanaged apps and websites (shadow IT) that are not secured behind SSO.</li> <li>Employee and contractor devices that are either poorly managed by MDM or outside its scope altogether.</li> </ul> <p>In organizations today, too many sign-ins are untrusted because the sign-in is to an unsanctioned application or from an unhealthy or unknown device. This is what we call the <a href="https://blog.1password.com/explaining-the-access-trust-gap/">Access-Trust Gap</a>, and it represents the percentage of sign-ins in a business that aren’t trusted and that aren’t capable of being secured by legacy security solutions.</p> <h2 id="extended-access-management-is-a-game-changer">Extended Access Management is a game-changer!</h2> <p>The goal of XAM is to take a more holistic approach to access management in order to account for vulnerabilities outside the scope of other solutions. XAM is designed to give organizations more control over who can access data and resources. 
It helps businesses assign permissions, monitor activity, and block unsanctioned forms of access – all while being minimally disruptive for employees and IT.</p> <p>XAM seeks to bridge the Access-Trust Gap, and to accomplish this, it needs to bring visibility and enforcement to things like employee personal devices, shadow IT apps, and third-party contractor identities.</p> <p>Below are a few critical components of 1Password Extended Access Management:</p> <ul> <li><strong>Device trust:</strong> ensure that a device is both known and in a secure state before it accesses company resources.</li> <li><strong>Application insights:</strong> get visibility and oversight over the applications that employees use for work, not just the ones approved by IT.</li> <li><strong>User identity:</strong> verify the identity of users before they’re allowed to access sensitive data (think Single Sign-On and Multi-factor Authentication).</li> <li><strong>Enterprise credential management:</strong> manage and secure end-user access to shared credentials.</li> </ul> <h2 id="why-being-on-aws-marketplace-is-a-win-win">Why being on AWS Marketplace is a win-win</h2> <p>Now that 1Password Extended Access Management is on <a href="https://aws.amazon.com/marketplace/pp/prodview-kzkd6zfg3zvu2?sr=0-4&amp;ref_=beagle&amp;applicationId=AWSMPContessa">AWS Marketplace</a>, you get some extra perks:</p> <ul> <li><strong>Simplified Procurement:</strong> AWS Marketplace makes it super easy to purchase and deploy our solution – just a few clicks, and you’re good to go. Plus, by leveraging the Channel Partner Private Offer (CPPO) program, businesses can work directly with AWS channel partners for a customized approach. Less time on admin work means more time focusing on what’s important.</li> <li><strong>Consolidated Billing:</strong> When purchasing through AWS Marketplace, all billing is in one place. 
It’s one of those little conveniences that makes a big difference when it comes to managing finances.</li> <li><strong>Scalable and Flexible Deployment:</strong> Whether a small team or a large enterprise, AWS Marketplace provides scalability and flexibility.</li> <li><strong>Enhanced Security and Compliance:</strong> By using AWS’s top-notch security infrastructure, businesses can rest easy knowing their data is protected. Plus, with AWS’s compliance certifications, meeting regulatory requirements is a breeze.</li> </ul> <h2 id="ready-to-get-started">Ready to get started?</h2> <p>We’re thrilled to bring 1Password Extended Access Management to AWS Marketplace, and we can’t wait for you to try it out. Whether you’re looking to tighten up your access controls or start fresh with a new solution, we’ve got you covered.</p> <p>Curious to learn more? Check out the 1Password offering in <a href="https://aws.amazon.com/marketplace/pp/prodview-kzkd6zfg3zvu2?sr=0-4&amp;ref_=beagle&amp;applicationId=AWSMPContessa">AWS Marketplace</a>.</p></description></item><item><title>Announcing four new administrator controls for 1Password Business</title><link>https://blog.1password.com/four-new-administrator-controls-1password-business/</link><pubDate>Tue, 10 Sep 2024 00:00:00 +0000</pubDate><author>info@1password.com (Tyler Durkin and Allie Dusome)</author><guid>https://blog.1password.com/four-new-administrator-controls-1password-business/</guid><description> <img src='https://blog.1password.com/posts/2024/four-new-administrator-controls-1password-business/header.png' class='webfeedsFeaturedVisual' alt='Announcing four new administrator controls for 1Password Business' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Balancing robust security with user-friendly access is no small feat. 
As security professionals, you’ve shared the challenges you face—managing security across a diverse workforce, visibility into security issues, streamlining onboarding and offboarding processes, and ensuring compliance with regulatory requirements. And we’ve listened.</p> <p>This September, we’re rolling out significant updates for 1Password Business customers. These four new features take customer feedback into consideration and are designed to enhance security, simplify access management, and drive adoption across your organization. Here’s a closer look at what’s coming your way:</p> <h2 id="1-suspended-users-policy">1. Suspended Users policy</h2> <p>Managing user access can be a complex task, particularly when it comes to handling suspended users. To streamline this process, we&rsquo;re introducing the Suspended Users policy.</p> <div style="text-align: center !important;"> <iframe src="https://www.youtube-nocookie.com/embed/6FufjPvUF94?si=EpSzeTYgcC6KPMY5" frameborder="0" allow="autoplay; encrypted-media" width="500px !important;" height="281px !important;" style="width: 500px !important; height: 281px !important; display: inline-block !important" allowfullscreen></iframe> </div> <p>With this feature, administrators can set a specific time period – after which suspended users will be permanently deleted from your 1Password environment. This not only enhances your organization&rsquo;s security by removing users, but also helps ensure compliance with data protection regulations like GDPR. By automating the deletion process, you reduce administrative overhead and maintain a cleaner user database.</p> <h2 id="2-account-creation-policy">2. Account Creation policy</h2> <p>Onboarding new employees is a common enough task, but if not managed properly, it can lead to security risks. 
Our new Account Creation policy empowers administrators to prevent employees from creating separate 1Password accounts outside of your company’s verified domains.</p> <div style="text-align: center !important;"> <iframe src="https://www.youtube-nocookie.com/embed/M_-BtqmvGTQ?si=1XT2cUW8K9K_AgcX" frameborder="0" allow="autoplay; encrypted-media" width="500px !important;" height="281px !important;" style="width: 500px !important; height: 281px !important; display: inline-block !important" allowfullscreen></iframe> </div> <p>This feature allows administrators to verify multiple domains, enforce account sign-up restrictions, and ensure that any attempts to create individual accounts are redirected to join your company’s 1Password instead. The result? Greater control over company data and a more streamlined, secure onboarding process.</p> <h2 id="3-invitations-page-redesign">3. Invitations page redesign</h2> <p>Rolling out 1Password across an organization can take time when managing large teams. To simplify this process, we&rsquo;ve redesigned the Invitations Page with a new navigational structure that reduces clutter and enables bulk actions for invites. This saves time for administrators and improves the overall user experience. It also sets the stage for our upcoming customizable email feature – soon you’ll be able to tailor onboarding communications to better align with your company’s brand and messaging.</p> <div style="text-align: center !important;"> <iframe src="https://www.youtube-nocookie.com/embed/t7DTlofVuNo?si=GbrhEn2ku-0Iz91d" frameborder="0" allow="autoplay; encrypted-media" width="500px !important;" height="281px !important;" style="width: 500px !important; height: 281px !important; display: inline-block !important" allowfullscreen></iframe> </div> <h2 id="4-employee-vault-reporting">4. Employee Vault Reporting</h2> <p>Security visibility is key to maintaining a strong defense against potential threats like data breaches. 
With our new Employee Vault Reporting feature, we’re expanding the capabilities of Business Watchtower. Now administrators will have a high-level overview of the number and types of security issues across all Employee Vaults, allowing them to mitigate risks before they can be exploited.</p> <div style="text-align: center !important;"> <iframe src="https://www.youtube-nocookie.com/embed/9MryWtBnIhQ?si=q2JxpYs9LxQZ8vCI" frameborder="0" allow="autoplay; encrypted-media" width="500px !important;" height="281px !important;" style="width: 500px !important; height: 281px !important; display: inline-block !important" allowfullscreen></iframe> </div> <p>This feature displays the total count of Business Watchtower issues found in each vault, allowing administrators to quickly identify areas that may need attention without revealing specific details about the employee items. Administrators can also see whether their team has vulnerable websites, reused or weak passwords, and more within the Employee Vault.</p> <h2 id="why-you-should-be-excited-about-these-new-updates">Why you should be excited about these new updates</h2> <p>These new features will address some of the biggest administrative challenges faced by IT administrators today. Whether it&rsquo;s enhancing security by automating the deletion of suspended users, simplifying the onboarding process through account creation policies, reducing administrative burden with an improved Invitations Page, or increasing visibility into security issues with Employee Vault Reporting, we’re empowering administrators to manage their employees&rsquo; and businesses&rsquo; security more effectively.</p> <h2 id="ready-to-improve-your-security-and-take-control">Ready to improve your security and take control?</h2> <p>These four new features will be available to 1Password Business customers starting September 10th, 2024. 
We encourage you to explore these new features and see how they can enhance your company’s security, streamline access management, and improve 1Password adoption across your entire organization.</p> <section class="c-call-to-action-box c-call-to-action-box--orange"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Your business security, simplified</h3> <p class="c-call-to-action-box__text"> Not a 1Password customer? Get started with 1Password Business today and unlock a more secure, simplified, and controlled experience for your entire organization. </p> <a href="https://1password.com/pricing/" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--orange" data-event-category="CTA" data-event-action="call-to-action-button"> Try 1Password </a> </div> </section> <h2 id="try-our-two-new-features-in-beta">Try our two new features in beta</h2> <p>Wish you’d had a chance to try the above features sooner? Join our beta program! We currently have two features in beta:</p> <h3 id="auto-lock-policy">Auto-Lock Policy</h3> <p>Currently, your team members can adjust their 1Password security settings independently. To improve control, we&rsquo;re beta testing a new feature that allows administrators to set and enforce auto-lock periods across the organization.</p> <h3 id="custom-emails">Custom Emails</h3> <p>As an administrator deploying 1Password to your employees, you might have found that the default welcome emails weren’t reflective of your company’s needs, or that the emails might have appeared as phishing attempts to employees. To address this, we&rsquo;re beta testing a new feature that allows you to fully customize the initial emails sent to your team members.</p> <aside class="c-technical-aside-box c-technical-aside-box--background" aria-labelledby="update"> <h2 class="c-technical-aside-box__title" id="update"> Update </h2> <div class="c-technical-aside-box__description"> <p>Our admin beta program is currently full. 
Thank you to everyone who is participating in the beta and providing valuable feedback for our teams. We&rsquo;ll share when there&rsquo;s another opportunity to join the beta!</p> </div> </aside></description></item><item><title>Do Macs need third-party antivirus for SOC 2 compliance?</title><link>https://blog.1password.com/do-macs-need-antivirus-for-soc-2/</link><pubDate>Mon, 09 Sep 2024 00:00:00 +0000</pubDate><author>info@1password.com (Jason Meller)</author><guid>https://blog.1password.com/do-macs-need-antivirus-for-soc-2/</guid><description> <img src='https://blog.1password.com/posts/2024/do-macs-need-antivirus-for-soc-2/header.png' class='webfeedsFeaturedVisual' alt='Do Macs need third-party antivirus for SOC 2 compliance?' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">This piece answers whether the built-in security of macOS is enough to forgo a third-party antivirus solution, and how admins can document that security for a SOC 2 audit.</p> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div class="c-technical-aside-box__description"> <p>This article was originally written in 2022. While we&rsquo;ve done our best to update its information, and the osquery advice is still useful, be sure to do your due diligence when looking at the security capabilities of your own Mac fleet!</p> <p>Also, this article is just about Macs. Need help proving compliance with your Windows fleet? We have <a href="https://blog.1password.com/extended-access-management-availability-updates/">good news for Microsoft Entra users</a>. Want to skip the preamble? Go right to the <a href="https://blog.1password.com/do-macs-need-antivirus-for-soc-2/#how-to-use-data-collected-by-osquery-to-support-soc-2">osquery SQL</a> at the end of this article.</p> </div> </aside> <p>Third-party malware detection and prevention (what we used to call antivirus) is not every Mac admin&rsquo;s cup of tea. 
Some have bigger fish to fry (e.g., getting endpoint visibility); others are content with the built-in anti-malware capabilities of macOS and thus have no plans to deploy AV on its merits.</p> <p>Unfortunately, SOC 2 and similar audits are forcing both types of Mac admins to purchase and deploy antivirus-like software earlier and earlier in their organization&rsquo;s life cycle. When I ask IT admins who weren&rsquo;t psyched about deploying AV why they did it anyway, their responses generally fall into two buckets:</p> <ol> <li> <p>They don&rsquo;t believe macOS has sufficient anti-malware capabilities to pass a SOC 2 audit.*</p> </li> <li> <p>They cannot pass compliance audits like SOC 2 without enterprise reporting features around malware protection (which Apple doesn&rsquo;t have for its AV features).</p> </li> </ol> <p>In this article, we&rsquo;ll challenge both of these assumptions. Most importantly, I want to show that with open-source tools, you can pass a SOC 2 audit with the built-in anti-malware in macOS, while also being able to defend that position to senior leadership and auditors. To do that, I hope you&rsquo;ll indulge me in shoving the third-party AV industry around a bit in the process.</p> <p><em>*Compliance auditors <a href="https://www.a-lign.com/resources/can-you-fail-a-soc-2-examination">get annoyed</a> when you use binary terms like &ldquo;pass&rdquo; or &ldquo;fail&rdquo; to describe the outcome of an audit. Instead, they use terms like &ldquo;modified&rdquo; or &ldquo;qualified&rdquo;. When I use the word &ldquo;pass&rdquo; in this article, I mean that you have obtained a SOC 2 report without negative qualifications.</em></p> <h2 id="holistically-macos-security-is-better-than-third-party-av">Holistically, macOS' security is better than third-party AV</h2> <p>Ideally, before you face a SOC 2 audit, you truly believe you&rsquo;ve made the best decisions possible when it comes to your Macs' security with the resources you have available. 
And as a security practitioner, I do <em>actually</em> believe that many organizations are better off relying on the built-in security capabilities of macOS without a third-party supplement. How can that be?</p> <p>Well, for starters, the most basic and cursory research around third-party AV is a horror show of potential consequences that include: <a href="https://www.av-comparatives.org/tests/performance-test-october-2020/">tanking an endpoint&rsquo;s performance</a>, regularly blocking legitimate software, <a href="https://www.vice.com/en_us/article/qjdkq7/avast-antivirus-sells-user-browsing-data-investigation">indiscriminately selling users' data to undisclosed parties</a>, and even <a href="https://arstechnica.com/information-technology/2016/06/25-symantec-products-open-to-wormable-attack-by-unopened-e-mail-or-links/">the software itself becoming the source of major compromise</a>.</p> <p>Okay, but not every vendor is equally afflicted by these problems, so it&rsquo;s not really fair to indict the entire third-party AV industry on a few anecdotes.</p> <p>So now, let&rsquo;s talk about what we mean by &ldquo;better&rdquo; security. Most AV security companies build their entire pitch based on a few measurements:</p> <ul> <li> <p>How fast can the AV detect novel/new threats?</p> </li> <li> <p>How many real-time executions of bad things did the AV stop?</p> </li> <li> <p>How many novel areas of visibility can it obtain?</p> </li> </ul> <p>Unfortunately, these measurements fail to consider the costs paid (usually by the end-user) for marginal improvements across these metrics.</p> <p>But the end-user misery of third-party AV isn&rsquo;t typically addressed until it becomes so egregious that it can be linked to a significant adverse financial event. To account for every form of misery that falls short of that bar, we need to adjust how we measure the AV&rsquo;s actual performance.</p> <p>Here is one way. 
Instead of just looking for the best antivirus performance at <em>any</em> cost, we need antivirus performance per unit of yuck, where &ldquo;yuck&rdquo; is defined as the qualitative degradation of the device&rsquo;s user experience.</p> <p>So who is better incentivized to give us maximum AV performance per yuck? In my view, it&rsquo;s clearly OS vendors (like Apple), and here&rsquo;s why:</p> <ol> <li> <p>OS vendors are financially impacted if users think their OS runs like junk.</p> </li> <li> <p>OS vendors rely on a thriving third-party ecosystem of useful and fun software to drive the adoption of the OS itself. That means they must care deeply about how OS security impacts the viability of other software. Third-party AV vendors have no incentive to care about the viability of other software until their customers notice (and then rectify it by simply adding it to an allowlist).</p> </li> <li> <p>OS vendors can use vertical integration to develop highly efficient security systems deep in the kernel of the OS itself, and rely on the existence of sophisticated security hardware like a TPM. Third-party vendors cannot safely hook in at this deep level, and they cannot successfully advocate for dedicated hardware within the device to make their technology better.</p> </li> </ol> <p>Given the above realities, it&rsquo;s easy to see why <a href="https://support.apple.com/guide/security/protecting-against-malware-sec469d47bd8/web">Apple has upped macOS' built-in security capabilities</a> considerably over the past few years.</p> <h3 id="xprotect">XProtect</h3> <p>XProtect is macOS' built-in antivirus technology, which uses a standard industry format called YARA. 
Here&rsquo;s an example of a YARA rule in the XProtect signature file:</p> <pre tabindex="0"><code class="language-yara" data-lang="yara">import &quot;hash&quot;   // hash.sha1() below requires the hash module; the signature file declares this import once at the top

rule EICAR
{
    meta:
        description = &quot;OSX.eicar.com.i&quot;
        XProtect_rule = true
    condition:
        filesize &lt;= 100000000 and hash.sha1(0, filesize) == &quot;3395856ce81f2b7382dee72602f798b642f14140&quot;
}
</code></pre><p>The above YARA rule looks for the existence of the famous <a href="https://www.eicar.org/download-anti-malware-testfile/">EICAR virus test file</a>.</p> <p>While this rule uses basic hash file matching (you can see more powerful examples <a href="https://github.com/knightsc/XProtect/blob/master/XProtect.yara">in this repo from Scott Knight</a>), YARA is a significant leg-up over traditional hash-only matching. Hash-only matching is very similar (if not identical) to how many classic AV vendors approach malware detection, but it fails as soon as the malware author changes a single byte of code.</p> <p>The way YARA rules are put into practice is simple. Under the hood, XProtect scans executables (when first launched or when they change) against a list of signatures. If a file matches any of the signatures, XProtect blocks its execution, generates logs, and finally alerts the user, advising them to move the offending executable to the Trash.</p> <img src='https://blog.1password.com/posts/2024/do-macs-need-antivirus-for-soc-2/do-macs-need-antivirus-for-soc2-xprotect.png' alt='A screenshot of an xprotect popup.' title='A screenshot of an xprotect popup.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>Another great benefit is that XProtect updates itself automatically, silently, and separately from manually installed security updates. When signatures are updated, XProtect will re-scan every subsequent app execution.</p> <h3 id="macos-malware-removal-tool">macOS' malware removal tool</h3> <p>Even if XProtect fails to stop malware from launching, you&rsquo;re not doomed. 
macOS' Malware Removal Tool (MRT) remediates infections based on automated system data files and security updates from Apple, and continues to check for viruses and malware any time the user restarts or logs into the computer.</p> <p>You may remember the <a href="https://techcrunch.com/2019/07/10/apple-silent-update-zoom-app/">MRT playing a significant role in the 2019 Zoom web server vulnerability</a>. In that case, Apple removed a vulnerable component of a third-party application using the MRT system.</p> <h3 id="gatekeeper">Gatekeeper</h3> <p><a href="https://support.apple.com/en-us/102445">Gatekeeper</a> is an integral part of the entire anti-malware apparatus on macOS. It plays a critical role in checking executables' digital signatures to ensure they are coming from verified developers. This ensures that new executables that could be coming from unsafe sources (e.g., <a href="https://blog.1password.com/malvertising-on-google-ads/">apps from imposter websites</a>) are handled to prevent them from harming the system until both the user and system can verify they are safe.</p> <img src='https://blog.1password.com/posts/2024/do-macs-need-antivirus-for-soc-2/do-macs-need-antivirus-for-soc2-gatekeeper.jpg' alt='A screenshot of a gatekeeper popup.' title='A screenshot of a gatekeeper popup.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <h3 id="tcc-permissions-and-system-integrity-protection">TCC permissions and System Integrity Protection</h3> <p>macOS 10.15 and above <a href="https://support.apple.com/en-by/guide/mac-help/mh35847/mac">require that all apps get users' permission</a> before logging keystrokes or getting file, camera, or microphone access. Additionally, Apple stores macOS (Catalina and above) on a separate disk volume to separate essential system files from applications. 
As long as System Integrity Protection is enabled, these files cannot be modified by any processes.</p> <h3 id="other-macos-security-features">Other macOS security features</h3> <p>In 2023, Apple began releasing <a href="https://support.apple.com/guide/deployment/rapid-security-responses-dep93ff7ea78/web">Rapid Security Responses</a>, a way of &ldquo;applying security fixes to users more frequently by not requiring a full software update.&rdquo; These updates typically happen in the background, but may occasionally require that users restart their computers.</p> <p>Apple has also added a recording indicator to let users know if an app records their activities through the mic. Meanwhile, <a href="https://support.apple.com/en-sg/guide/mac-help/mh11785/mac">FileVault</a> can encrypt data stored on a Mac.</p> <p>Additionally, Safari uses anti-phishing technology to detect fraudulent websites and prevent plug-ins such as Silverlight, QuickTime, and Oracle Java from running if they aren&rsquo;t updated to the latest version.</p> <img src='https://blog.1password.com/posts/2024/do-macs-need-antivirus-for-soc-2/do-macs-need-antivirus-for-soc2-filevault.jpg' alt='A screenshot of a filevault popup.' title='A screenshot of a filevault popup.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <h2 id="perfect-detection-isnt-possible">Perfect detection isn&rsquo;t possible</h2> <p>When pitted against Apple&rsquo;s comprehensive built-in security, AV vendors' common arguments come down to splitting hairs around detection efficacy.</p> <p>The playbook generally involves the third-party AV vendor pointing to specific malware variants that their product can detect and that Apple failed to add to their signature lists promptly (or at all).</p> <p>In my view, this is a foolish argument. 
It&rsquo;s <a href="https://gca.isa.org/blog/how-ransomware-can-evade-antivirus-software">just as easy</a> to find successful malware campaigns that no antivirus vendor could detect in a timely manner. Perfect detection/prevention is not possible, so we must consider the true cost we wish to pay in terms of guaranteed performance degradation, false positives, and additional attack surface. If users are keeping a tight ship, applying updates, and not disabling Gatekeeper, there&rsquo;s a very low chance that any other marginal improvements in protection will impact them.</p> <p>Since prevention eventually fails, at some point it makes sense to find a reasonable baseline for antivirus, and shift focus and resources into building a computer incident response plan. That means <em>when</em> (not if) a Mac does become compromised, the organization can better mitigate the potentially severe impacts of that compromise going unchecked.</p> <p>The prevention game is one with serious diminishing returns per dollar spent. On the other hand, incident response is one of the best security investments you can make.</p> <h2 id="compiling-data-to-meet-audit-requirements">Compiling data to meet audit requirements</h2> <p>As we saw above, Apple does a reasonable job protecting Mac users from malware.</p> <p>That&rsquo;s great news! But there&rsquo;s one problem.</p> <p>You still need to collect data in order to compile reports for your compliance audit, and macOS doesn&rsquo;t offer a way to achieve that level of fleet visibility.</p> <p>That&rsquo;s where osquery comes to the rescue.</p> <p>You might have heard of using osquery to take device inventory, but did you know it&rsquo;s also a handy tool for compiling data to meet SOC 2 reporting requirements?</p> <h3 id="how-osquery-supports-soc-2-compliance">How osquery supports SOC 2 compliance</h3> <p>Osquery is an open-source tool that allows users to query operating systems. 
For example, IT can use osquery to gain visibility into macOS, Windows, and Linux devices.</p> <p>You can use osquery to check all the devices in your fleet. This allows you to ensure that they follow platform-specific rules based on your company&rsquo;s data security policy and compliance standards (e.g., disk encryption, firewall status, OS updates).</p> <p>Osquery can accumulate and log compliance data to support SOC 2 reporting and the auditing process. You can see aggregated metrics or drill down to specifics using various filters to demonstrate that users' devices are compliant with SOC 2 requirements.</p> <img src='https://blog.1password.com/posts/2024/do-macs-need-antivirus-for-soc-2/do-macs-need-antivirus-for-soc2-osquery.jpg' alt='A graphic of how osquery works.' title='A graphic of how osquery works.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>Many IT professionals favor osquery because it&rsquo;s <a href="https://blog.1password.com/write-new-osquery-table/">simple, reliable, and extensible</a>. 
Since it works for all three major operating systems, you can collect data on every device in your fleet without using different tools.</p> <h2 id="how-to-use-data-collected-by-osquery-to-support-soc-2">How to use data collected by Osquery to support SOC 2</h2> <p>To pass your SOC 2 audit, you must create documentation to demonstrate that your systems and processes meet specific requirements.</p> <p>For instance, to show that you have the appropriate defense against malware and viruses according to Common Criteria 6.8, you need a report describing your processes for file integrity monitoring (FIM) and endpoint security management.</p> <p>Your documentation should demonstrate that:</p> <ul> <li> <p>You can track updates made to software and configuration files, and changes in endpoint protection statuses and events.</p> </li> <li> <p>You have implemented controls to prevent, detect, and act upon unauthorized or malicious software introduced into your infrastructure.</p> </li> <li> <p>Only authorized individuals can install applications and software on devices connected to your network.</p> </li> <li> <p>You have processes to detect changes that could indicate the presence of unauthorized or malicious software.</p> </li> <li> <p>There&rsquo;s a management-defined change control process to monitor the implementation of software and applications.</p> </li> <li> <p>Antivirus and anti-malware software is implemented and maintained to detect and remediate malware.</p> </li> <li> <p>You follow procedures to scan information assets for malware and other unauthorized software.</p> </li> </ul> <h3 id="put-osquery-into-action-for-soc-2-compliance">Put osquery into action for SOC 2 compliance</h3> <p>macOS can satisfy the technical requirements for SOC 2 certification, without needing to use third-party antivirus. But it&rsquo;s challenging for it to compile device data and report at scale. 
This is where osquery comes in: to provide fleet visibility, monitor activities, and compile the data you need to prove fleet compliance for SOC 2 audit and reporting.</p> <p>To establish that the overall malware prevention apparatus of macOS is operational, XProtect (the primary component) requires that two things be present and functional for it to work correctly:</p> <ul> <li> <p>The first requirement is that Gatekeeper must be enabled for XProtect to run on recently downloaded executables (basically any file where the quarantine bit is set to &ldquo;true&rdquo;).</p> </li> <li> <p>The second requirement is that System Integrity Protection (SIP) is enabled to ensure the anti-malware services and their definitions are not modified by a bad actor.</p> </li> </ul> <p>Below is a selection of simplified queries that <a href="https://1password.com/xam/extended-access-management">1Password® Extended Access Management&rsquo;s</a> osquery-based agent runs automatically to verify and document that XProtect&rsquo;s requirements are met:</p> <p><strong>Osquery SQL: Is Gatekeeper enabled? 
What version is installed?</strong></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-sql" data-lang="sql"><span class="k">SELECT</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="k">FROM</span><span class="w"> </span><span class="n">gatekeeper</span><span class="p">;</span><span class="w"> </span></code></pre></div><pre tabindex="0"><code>+---------------------+----------------+---------+----------------+
| assessments_enabled | dev_id_enabled | version | opaque_version |
+---------------------+----------------+---------+----------------+
| 1                   | 1              | 8.0     | 94             |
+---------------------+----------------+---------+----------------+
</code></pre><hr> <p><strong>Osquery SQL: When was the last time XProtect signatures were updated?</strong></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-sql" data-lang="sql"><span class="k">SELECT</span><span class="w"> </span><span class="nb">date</span><span class="p">(</span><span class="n">mtime</span><span class="p">,</span><span class="s1">&#39;unixepoch&#39;</span><span class="p">)</span><span class="w"> </span><span class="k">FROM</span><span class="w"> </span><span class="n">file</span><span class="w"> </span><span class="k">WHERE</span><span class="w"> </span><span class="n">path</span><span class="o">=</span><span class="s1">&#39;/Library/Apple/System/Library/CoreServices/XProtect.bundle/Contents/Resources/XProtect.plist&#39;</span><span class="p">;</span><span class="w"> </span></code></pre></div><pre tabindex="0"><code>+-------------------------+
| date(mtime,'unixepoch') |
+-------------------------+
| 2022-03-11              |
+-------------------------+
</code></pre><hr> <p><strong>Osquery SQL: Has XProtect blocked the execution of known malware?</strong></p> <pre tabindex="0"><code>SELECT * FROM xprotect_reports;
</code></pre><pre tabindex="0"><code>+-----------------+-------------+------------+
| name            | user_action | time       |
+-----------------+-------------+------------+
| OSX.eicar.com.i | trash       | 1650480090 |
+-----------------+-------------+------------+
</code></pre><hr> <p><strong>Osquery SQL: Is MRT available? What version is installed?</strong></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-sql" data-lang="sql"><span class="k">WITH</span><span class="w"> </span><span class="n">MRT_info</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="p">(</span><span class="w"> </span><span class="w"></span><span class="k">SELECT</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="k">FROM</span><span class="w"> </span><span class="n">plist</span><span class="w"> </span><span class="k">WHERE</span><span class="w"> </span><span class="n">path</span><span class="w"> </span><span class="k">LIKE</span><span class="w"> </span><span class="s1">&#39;/Library/Apple/System/Library/CoreServices/MRT.app/Contents/Info.plist&#39;</span><span class="w"> </span><span class="w"></span><span class="p">)</span><span class="w"> </span><span class="w"></span><span class="k">SELECT</span><span class="w"> </span><span class="w"></span><span class="k">MAX</span><span class="p">(</span><span class="k">CASE</span><span class="w"> </span><span class="k">WHEN</span><span class="w"> </span><span class="n">path</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s1">&#39;/Library/Apple/System/Library/CoreServices/MRT.app/Contents/Info.plist&#39;</span><span class="w"> </span><span class="k">THEN</span><span class="w"> </span><span class="s1">&#39;MRT.app&#39;</span><span class="w"> </span><span class="k">END</span><span class="p">)</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="n">name</span><span class="p">,</span><span class="w"> </span><span class="w"></span><span class="k">MAX</span><span class="p">(</span><span 
class="k">CASE</span><span class="w"> </span><span class="k">WHEN</span><span class="w"> </span><span class="n">path</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s1">&#39;/Library/Apple/System/Library/CoreServices/MRT.app/Contents/Info.plist&#39;</span><span class="w"> </span><span class="k">THEN</span><span class="w"> </span><span class="s1">&#39;/Library/Apple/System/Library/CoreServices/MRT.app&#39;</span><span class="w"> </span><span class="k">END</span><span class="p">)</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="n">path</span><span class="p">,</span><span class="w"> </span><span class="w"></span><span class="k">MAX</span><span class="p">(</span><span class="k">CASE</span><span class="w"> </span><span class="k">WHEN</span><span class="w"> </span><span class="k">key</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s1">&#39;CFBundleExecutable&#39;</span><span class="w"> </span><span class="k">THEN</span><span class="w"> </span><span class="n">value</span><span class="w"> </span><span class="k">END</span><span class="p">)</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="n">bundle_executable</span><span class="p">,</span><span class="w"> </span><span class="w"></span><span class="k">MAX</span><span class="p">(</span><span class="k">CASE</span><span class="w"> </span><span class="k">WHEN</span><span class="w"> </span><span class="k">key</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s1">&#39;CFBundleIdentifier&#39;</span><span class="w"> </span><span class="k">THEN</span><span class="w"> </span><span class="n">value</span><span class="w"> </span><span class="k">END</span><span class="p">)</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="n">bundle_identifier</span><span class="p">,</span><span class="w"> 
</span><span class="w"></span><span class="k">MAX</span><span class="p">(</span><span class="k">CASE</span><span class="w"> </span><span class="k">WHEN</span><span class="w"> </span><span class="k">key</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s1">&#39;CFBundleName&#39;</span><span class="w"> </span><span class="k">THEN</span><span class="w"> </span><span class="n">value</span><span class="w"> </span><span class="k">END</span><span class="p">)</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="n">bundle_name</span><span class="p">,</span><span class="w"> </span><span class="w"></span><span class="k">MAX</span><span class="p">(</span><span class="k">CASE</span><span class="w"> </span><span class="k">WHEN</span><span class="w"> </span><span class="k">key</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s1">&#39;CFBundleShortVersionString&#39;</span><span class="w"> </span><span class="k">THEN</span><span class="w"> </span><span class="n">value</span><span class="w"> </span><span class="k">END</span><span class="p">)</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="n">bundle_short_version</span><span class="p">,</span><span class="w"> </span><span class="w"></span><span class="k">MAX</span><span class="p">(</span><span class="k">CASE</span><span class="w"> </span><span class="k">WHEN</span><span class="w"> </span><span class="k">key</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s1">&#39;CFBundleVersion&#39;</span><span class="w"> </span><span class="k">THEN</span><span class="w"> </span><span class="n">value</span><span class="w"> </span><span class="k">END</span><span class="p">)</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="n">bundle_version</span><span class="p">,</span><span class="w"> </span><span 
class="w"></span><span class="k">MAX</span><span class="p">(</span><span class="k">CASE</span><span class="w"> </span><span class="k">WHEN</span><span class="w"> </span><span class="k">key</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s1">&#39;CFBundlePackageType&#39;</span><span class="w"> </span><span class="k">THEN</span><span class="w"> </span><span class="n">value</span><span class="w"> </span><span class="k">END</span><span class="p">)</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="n">bundle_package_type</span><span class="p">,</span><span class="w"> </span><span class="w"></span><span class="k">MAX</span><span class="p">(</span><span class="k">CASE</span><span class="w"> </span><span class="k">WHEN</span><span class="w"> </span><span class="k">key</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s1">&#39;LSEnvironment&#39;</span><span class="w"> </span><span class="k">THEN</span><span class="w"> </span><span class="n">value</span><span class="w"> </span><span class="k">END</span><span class="p">)</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="n">environment</span><span class="p">,</span><span class="w"> </span><span class="w"></span><span class="k">MAX</span><span class="p">(</span><span class="k">CASE</span><span class="w"> </span><span class="k">WHEN</span><span class="w"> </span><span class="k">key</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s1">&#39;LSUIElement&#39;</span><span class="w"> </span><span class="k">THEN</span><span class="w"> </span><span class="n">value</span><span class="w"> </span><span class="k">END</span><span class="p">)</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="n">element</span><span class="p">,</span><span class="w"> </span><span class="w"></span><span 
class="k">MAX</span><span class="p">(</span><span class="k">CASE</span><span class="w"> </span><span class="k">WHEN</span><span class="w"> </span><span class="k">key</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s1">&#39;DTCompiler&#39;</span><span class="w"> </span><span class="k">THEN</span><span class="w"> </span><span class="n">value</span><span class="w"> </span><span class="k">END</span><span class="p">)</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="n">compiler</span><span class="p">,</span><span class="w"> </span><span class="w"></span><span class="k">MAX</span><span class="p">(</span><span class="k">CASE</span><span class="w"> </span><span class="k">WHEN</span><span class="w"> </span><span class="k">key</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s1">&#39;CFBundleDevelopmentRegion&#39;</span><span class="w"> </span><span class="k">THEN</span><span class="w"> </span><span class="n">value</span><span class="w"> </span><span class="k">END</span><span class="p">)</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="n">development_region</span><span class="p">,</span><span class="w"> </span><span class="w"></span><span class="k">MAX</span><span class="p">(</span><span class="k">CASE</span><span class="w"> </span><span class="k">WHEN</span><span class="w"> </span><span class="k">key</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s1">&#39;CFBundleDisplayName&#39;</span><span class="w"> </span><span class="k">THEN</span><span class="w"> </span><span class="n">value</span><span class="w"> </span><span class="k">END</span><span class="p">)</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="n">display_name</span><span class="p">,</span><span class="w"> </span><span class="w"></span><span 
class="k">MAX</span><span class="p">(</span><span class="k">CASE</span><span class="w"> </span><span class="k">WHEN</span><span class="w"> </span><span class="k">key</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s1">&#39;CFBundleGetInfoString&#39;</span><span class="w"> </span><span class="k">THEN</span><span class="w"> </span><span class="n">value</span><span class="w"> </span><span class="k">END</span><span class="p">)</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="n">info_string</span><span class="p">,</span><span class="w"> </span><span class="w"></span><span class="k">MAX</span><span class="p">(</span><span class="k">CASE</span><span class="w"> </span><span class="k">WHEN</span><span class="w"> </span><span class="k">key</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s1">&#39;LSMinimumSystemVersion&#39;</span><span class="w"> </span><span class="k">THEN</span><span class="w"> </span><span class="n">value</span><span class="w"> </span><span class="k">END</span><span class="p">)</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="n">minimum_system_version</span><span class="p">,</span><span class="w"> </span><span class="w"></span><span class="k">MAX</span><span class="p">(</span><span class="k">CASE</span><span class="w"> </span><span class="k">WHEN</span><span class="w"> </span><span class="k">key</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s1">&#39;LSApplicationCategoryType&#39;</span><span class="w"> </span><span class="k">THEN</span><span class="w"> </span><span class="n">value</span><span class="w"> </span><span class="k">END</span><span class="p">)</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="n">category</span><span class="p">,</span><span class="w"> </span><span class="w"></span><span 
class="k">MAX</span><span class="p">(</span><span class="k">CASE</span><span class="w"> </span><span class="k">WHEN</span><span class="w"> </span><span class="k">key</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s1">&#39;NSAppleScriptEnabled&#39;</span><span class="w"> </span><span class="k">THEN</span><span class="w"> </span><span class="n">value</span><span class="w"> </span><span class="k">END</span><span class="p">)</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="n">applescript_enabled</span><span class="p">,</span><span class="w"> </span><span class="w"></span><span class="k">MAX</span><span class="p">(</span><span class="k">CASE</span><span class="w"> </span><span class="k">WHEN</span><span class="w"> </span><span class="k">key</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s1">&#39;NSHumanReadableCopyright&#39;</span><span class="w"> </span><span class="k">THEN</span><span class="w"> </span><span class="n">value</span><span class="w"> </span><span class="k">END</span><span class="p">)</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="n">copyright</span><span class="p">,</span><span class="w"> </span><span class="w"></span><span class="k">MAX</span><span class="p">(</span><span class="k">CASE</span><span class="w"> </span><span class="k">WHEN</span><span class="w"> </span><span class="k">key</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s1">&#39;-- not_available&#39;</span><span class="w"> </span><span class="k">THEN</span><span class="w"> </span><span class="n">value</span><span class="w"> </span><span class="k">END</span><span class="p">)</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="n">last_opened_time</span><span class="w"> </span><span class="w"></span><span class="k">FROM</span><span 
class="w"> </span><span class="n">MRT_info</span><span class="w"> </span><span class="k">GROUP</span><span class="w"> </span><span class="k">BY</span><span class="w"> </span><span class="n">path</span><span class="p">;</span><span class="w"> </span></code></pre></div><pre tabindex="0"><code>name = MRT.app
path = /Library/Apple/System/Library/CoreServices/MRT.app
bundle_executable = MRT
bundle_identifier = com.apple.MRT
bundle_name = MRT
bundle_short_version = 1.91
bundle_version = 1
bundle_package_type = APPL
environment = 
element = 1
compiler = com.apple.compilers.llvm.clang.1_0
development_region = en
display_name = 
info_string = 
minimum_system_version = 10.10
category = 
applescript_enabled = 
copyright = Copyright © 2020 Apple, Inc. All rights reserved.
last_opened_time = 
</code></pre><hr> <p><strong>Osquery SQL: Is System Integrity Protection (SIP) turned on?</strong></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-sql" data-lang="sql"><span class="k">SELECT</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="k">FROM</span><span class="w"> </span><span class="n">sip_config</span><span class="p">;</span><span class="w"> </span></code></pre></div><pre tabindex="0"><code>+----------------------------+---------+---------------+
| config_flag                | enabled | enabled_nvram |
+----------------------------+---------+---------------+
| sip                        | 1       | 1             |
| allow_apple_internal       | 0       | 0             |
| allow_device_configuration | 0       | 0             |
| allow_kernel_debugger      | 0       | 0             |
| allow_task_for_pid         | 0       | 0             |
| allow_unrestricted_dtrace  | 0       | 0             |
| allow_unrestricted_fs      | 0       | 0             |
| allow_unrestricted_nvram   | 0       | 0             |
| allow_untrusted_kexts      | 0       | 0             |
+----------------------------+---------+---------------+
</code></pre><hr> <p>As you can see above, osquery can help collect important details about the state of macOS' built-in malware and virus protection. 
The question now becomes: how do you best aggregate that data for auditors?</p> <p>Osquery out of the box emits logs that can be aggregated by <a href="https://osquery.readthedocs.io/en/stable/deployment/log-aggregation/">third-party SIEMs and log aggregation tools</a>. Using their native reporting functions, you can build a dashboard that will get you through your audit and give you incredible visibility.</p> <p>If you don&rsquo;t want to build all this yourself, 1Password Extended Access Management can get you up and running fast. Our Device Trust solution automatically gives you native osquery installers for Macs, Windows, and Linux devices. Once the device trust agent runs, it will automatically collect all the pertinent info, aggregate it, and visualize it.</p> <p>Within minutes, IT admins can look at a dashboard reporting on the XProtect configurations of every macOS device in their fleet. From there, they have the necessary assurance and reporting to prove compliance to their SOC auditors.</p> <p>Another question vanilla osquery doesn&rsquo;t have any answer for is remediation. For example, if you find that Gatekeeper or SIP is disabled, how do you fix them? One approach is to use an MDM to force something like Gatekeeper to be enabled. Unfortunately, other settings like SIP cannot be managed by these types of policies.</p> <p>Again, 1Password Extended Access Management <a href="https://blog.1password.com/extended-access-management-patch-management/">can run checks</a> against your Macs to verify that these services are enabled. If they aren&rsquo;t, users are <a href="https://blog.1password.com/extended-access-management-okta-guide/">blocked from accessing company resources</a> until they&rsquo;ve fixed the issue.</p> <p>We achieve this through end-user remediation, instructing users on how to re-enable those features (while explaining why it&rsquo;s important to keep them that way). For instance, remember those Rapid Security Responses from earlier? 
In the cases where they require updating your computer, 1Password Extended Access Management&rsquo;s agent can see which users haven&rsquo;t updated, and then instruct them on how to do so. From there, users have a deadline on when they need to install the update, or else they&rsquo;ll be locked out of company systems. And <a href="https://blog.1password.com/pros-and-cons-of-mdms/"><em>unlike</em> MDM</a>, you can apply this device trust approach to unmanaged BYOD devices.</p> <p>End-user remediation is a part of our Honest Security philosophy. We believe that teaching end users how to keep their devices secure nets better and more complete security than any AV scan ever could on its own.</p> <p>To see how 1Password Extended Access Management can secure your fleet and achieve 100% compliance, <a href="https://1password.com/contact-sales/xam">reach out for a demo</a>.</p></description></item><item><title>How to build custom osquery tables using ATC</title><link>https://blog.1password.com/build-custom-osquery-tables-using-atc/</link><pubDate>Mon, 09 Sep 2024 00:00:00 +0000</pubDate><author>info@1password.com (Fritz Ifert-Miller)</author><guid>https://blog.1password.com/build-custom-osquery-tables-using-atc/</guid><description> <img src='https://blog.1password.com/posts/2024/build-custom-osquery-tables-using-atc/header.png' class='webfeedsFeaturedVisual' alt='How to build custom osquery tables using ATC' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">In this tutorial, we&rsquo;ll break down how you can use osquery&rsquo;s ATC feature to expand osquery&rsquo;s data collection capabilities.</p> <p>As an example, we will look into how to tap into macOS' quarantine events database to search files to help locate malware a user may have downloaded from a web browser. 
But before we dig into the details, let&rsquo;s start at the beginning.</p> <h2 id="what-is-an-atc-table">What is an ATC table?</h2> <p>ATC (<em>automatic table construction</em>) is a method which can expose the contents of local SQLite database files as an osquery virtual table.</p> <p>ATC was added to osquery by Mitchell Grenier (<a href="https://github.com/obelisk">obelisk</a>) in response to a number of virtual table pull requests which all functioned by parsing SQLite databases. Rather than approving each table as a separate pull request, Mitchell took the opportunity to add a native SQLite parsing method to osquery, which would allow adding any number of new virtual tables on a customizable basis.</p> <h2 id="why-is-parsing-sqlite-dbs-useful">Why is parsing SQLite DBs useful?</h2> <p>Many applications use SQLite databases as a storage method for application data, including things like:</p> <ul> <li> <p>Google Chrome Browser History</p> </li> <li> <p>1Password Vault Sync Configuration</p> </li> <li> <p>Skype Call History</p> </li> <li> <p>iMessage Chat History</p> </li> <li> <p>macOS Quarantine Events (System-wide Download History)</p> </li> </ul> <p>As these examples illustrate, while application databases can provide tremendous utility, they also represent a potential concern for user privacy (a core tenet of osquery&rsquo;s security philosophy). There are times, however, where the introspection of databases can be invaluable to an incident response team in their forensics gathering (e.g. the aforementioned <code>Quarantine Events</code> database).</p> <p>While you may be concerned by the privacy implications of reading databases containing PII, you can take some solace in the fact that ATC tables must be declared at a configuration level in osquery and are not as simple as:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-sql" data-lang="sql"><span class="k">SELECT</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="k">FROM</span><span class="w"> </span><span class="n">atc_table</span><span class="w"> </span><span class="k">WHERE</span><span class="w"> </span><span class="n">path</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s1">&#39;/foo/bar.db&#39;</span><span class="w"> </span></code></pre></div><p>Let&rsquo;s examine a real-life scenario in which ATC tables could be utilized to expand the data collection capabilities of osquery.</p> <h2 id="searching-the-macos-download-history-using-atc">Searching the macOS download history using ATC:</h2> <p>&ldquo;My computer was infected with malware, but don&rsquo;t worry I cleaned it up.&rdquo;</p> <p>There are few things more frustrating to an incident response team than the needless deletion of evidentiary findings. Discovering the active presence of malware on a device is of the highest concern. However, it is equally vital to know about the past presence of malware and its respective source of origin (e.g. an installer download link sent via email).</p> <p>Yet, combing through various download history files is no one&rsquo;s idea of fun, and not all applications keep a record.</p> <p>You might be surprised to learn, however, that if you are using an Apple computer, a record of every file you&rsquo;ve ever downloaded exists on your device. 
No matter whether it was downloaded in Safari, Chrome, Mail.app, AirDrop, or any other third-party application, it&rsquo;s right there all in one convenient location:</p> <pre tabindex="0"><code>~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2 </code></pre> <img src='https://blog.1password.com/posts/2024/build-custom-osquery-tables-using-atc/finder-table-window-copy.png' alt='A screenshot of a finder table window.' title='A screenshot of a finder table window.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>Files downloaded from external sources are embedded with metadata exposing their source of origin and the timestamp of when they were downloaded. The historical record of this embedded metadata is subsequently kept in the aforementioned database &ldquo;QuarantineEvents.&rdquo;</p> <p>You can inspect this metadata on an individual file within Finder by right-clicking on an item in your Downloads folder and clicking <code>Get Info</code>:</p> <img src='https://blog.1password.com/posts/2024/build-custom-osquery-tables-using-atc/ubuntu-desktop.png' alt='A screenshot of an ubuntu properties.' title='A screenshot of an ubuntu properties.' 
style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>What&rsquo;s more, this metadata, including the <code>Where From</code>, is cached by macOS Spotlight and can be queried against using osquery, as in the following example:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-sql" data-lang="sql"><span class="k">SELECT</span><span class="w"> </span><span class="w"> </span><span class="n">f</span><span class="p">.</span><span class="n">path</span><span class="p">,</span><span class="w"> </span><span class="w"> </span><span class="n">f</span><span class="p">.</span><span class="k">size</span><span class="p">,</span><span class="w"> </span><span class="w"> </span><span class="n">datetime</span><span class="p">(</span><span class="n">f</span><span class="p">.</span><span class="n">btime</span><span class="p">,</span><span class="w"> </span><span class="s1">&#39;unixepoch&#39;</span><span class="p">)</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="n">file_created</span><span class="w"> </span><span class="w"></span><span class="k">FROM</span><span class="w"> </span><span class="n">file</span><span class="w"> </span><span class="n">f</span><span class="w"> </span><span class="w"></span><span class="k">JOIN</span><span class="w"> </span><span class="n">mdfind</span><span class="w"> </span><span class="k">ON</span><span class="w"> </span><span class="n">mdfind</span><span class="p">.</span><span class="n">path</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">f</span><span class="p">.</span><span class="n">path</span><span class="w"> </span><span class="w"> </span><span class="k">AND</span><span class="w"> </span><span class="n">mdfind</span><span class="p">.</span><span class="n">query</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&#34;kMDItemWhereFroms = 
&#39;*ubuntu.com*&#39;&#34;</span><span class="w"> </span></code></pre></div><pre tabindex="0"><code>path = /Users/fritz-imac/Downloads/ubuntu-18.04.1-desktop-amd64.iso size = 1953349632 file_created = 2018-10-05 13:25:09 </code></pre><p>Conceivably, we could get a list of all downloaded files on a device by querying the <code>mdfind</code> table for any file where <code>kMDItemWhereFroms</code> is not blank. However, this would only expose files which were still present on disk.</p> <p>The real beauty of QuarantineEvents is the ability to introspect the historical record of downloads. Unfortunately, there isn&rsquo;t a quarantine_events table in vanilla osquery &hellip; but using a custom ATC configuration, there can be!</p> <h2 id="quarantine-events-atc-table-configuration">Quarantine events ATC table configuration</h2> <p>The basic anatomy of the config block is pretty self explanatory, but we will still break it down for the sake of being thorough:</p> <img src='https://blog.1password.com/posts/2024/build-custom-osquery-tables-using-atc/quarentine-events.png' alt='A screenshot of quarantine events.' title='A screenshot of quarantine events.' 
style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>So what does that look like in practice?</p> <p>Using the example of QuarantineEvents, let&rsquo;s examine a sample osquery configuration file which you can try at home:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-json" data-lang="json"><span class="p">{</span> <span class="nt">&#34;auto_table_construction&#34;</span> <span class="p">:</span> <span class="p">{</span> <span class="nt">&#34;quarantine_items&#34;</span> <span class="p">:</span> <span class="p">{</span> <span class="nt">&#34;query&#34;</span> <span class="p">:</span> <span class="s2">&#34;SELECT LSQuarantineEventIdentifier as id, LSQuarantineAgentName as agent_name, LSQuarantineAgentBundleIdentifier as agent_bundle_identifier, LSQuarantineTypeNumber as type, LSQuarantineDataURLString as data_url,LSQuarantineOriginURLString as origin_url, LSQuarantineSenderName as sender_name, LSQuarantineSenderAddress as sender_address, LSQuarantineTimeStamp as timestamp from LSQuarantineEvent&#34;</span><span class="p">,</span> <span class="nt">&#34;path&#34;</span> <span class="p">:</span> <span class="s2">&#34;/Users/%/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2&#34;</span><span class="p">,</span> <span class="nt">&#34;columns&#34;</span> <span class="p">:</span> <span class="p">[</span><span class="s2">&#34;id&#34;</span><span class="p">,</span> <span class="s2">&#34;type&#34;</span><span class="p">,</span> <span class="s2">&#34;agent_name&#34;</span><span class="p">,</span> <span class="s2">&#34;agent_bundle_identifier&#34;</span><span class="p">,</span> <span class="s2">&#34;timestamp&#34;</span><span class="p">,</span> <span class="s2">&#34;sender_name&#34;</span><span class="p">,</span> <span class="s2">&#34;sender_address&#34;</span><span class="p">,</span> <span class="s2">&#34;origin_url&#34;</span><span class="p">,</span> <span 
class="s2">&#34;data_url&#34;</span><span class="p">]</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre></div><h2 id="passing-the-config-file-to-test-in-osqueryi">Passing the config file to test in Osqueryi</h2> <p>Because ATC tables are generated based on a configuration file, we need to pass that file to osqueryi. We can run the following command to pass a custom config and return the build process and any errors that might occur:</p> <pre tabindex="0"><code>sudo /usr/local/bin/osqueryi --verbose --config_path** /Users/fritz/Downloads/ATC-quarantine_items.json </code></pre><p>Once the config file has been passed, you should be able to query the table as if it were any other virtual table in osquery (including support for tab completion). So in the case of our earlier example <code>quarantine_items</code>.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-sql" data-lang="sql"><span class="k">SELECT</span><span class="w"> </span><span class="w"> </span><span class="n">agent_name</span><span class="p">,</span><span class="w"> </span><span class="w"> </span><span class="n">origin_url</span><span class="p">,</span><span class="w"> </span><span class="w"> </span><span class="n">data_url</span><span class="w"> </span><span class="w"></span><span class="k">FROM</span><span class="w"> </span><span class="n">quarantine_items</span><span class="w"> </span><span class="w"></span><span class="k">WHERE</span><span class="w"> </span><span class="n">data_url</span><span class="w"> </span><span class="k">LIKE</span><span class="w"> </span><span class="s1">&#39;%.dmg&#39;</span><span class="w"> </span><span class="w"></span><span class="k">LIMIT</span><span class="w"> </span><span class="mi">1</span><span class="p">;</span><span class="w"> </span></code></pre></div><pre tabindex="0"><code>agent_name = Chrome origin_url = https://www.hopperapp.com/download.html? 
data_url = https://d2ap6ypl1xbe4k.cloudfront.net/Hopper-4.3.16-demo.dmg </code></pre><p>It&rsquo;s as simple as that! You&rsquo;ve just extended the data source capabilities of your osquery installation! Let&rsquo;s go over some of the subsequent things you might want to do.</p> <h2 id="closing-the-loop-finding-downloaded-files-on-disk">Closing the loop: finding downloaded files on disk</h2> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-sql" data-lang="sql"><span class="k">SELECT</span><span class="w"> </span><span class="n">mdfind</span><span class="p">.</span><span class="n">path</span><span class="p">,</span><span class="w"> </span><span class="w"> </span><span class="n">ROUND</span><span class="p">((</span><span class="n">f</span><span class="p">.</span><span class="k">size</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="mi">10</span><span class="n">e</span><span class="o">-</span><span class="mi">7</span><span class="p">),</span><span class="mi">2</span><span class="p">)</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="n">size_megabytes</span><span class="p">,</span><span class="w"> </span><span class="w"> </span><span class="n">datetime</span><span class="p">(</span><span class="n">f</span><span class="p">.</span><span class="n">btime</span><span class="p">,</span><span class="w"> </span><span class="s1">&#39;unixepoch&#39;</span><span class="p">)</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="n">file_created</span><span class="p">,</span><span class="w"> </span><span class="w"> </span><span class="k">MAX</span><span class="p">(</span><span class="k">CASE</span><span class="w"> </span><span class="w"> </span><span class="k">WHEN</span><span class="w"> </span><span class="n">md</span><span class="p">.</span><span class="k">key</span><span class="w"> </span><span class="o">=</span><span class="w"> 
</span><span class="s1">&#39;kMDItemWhereFroms&#39;</span><span class="w"> </span><span class="w"> </span><span class="k">THEN</span><span class="w"> </span><span class="n">md</span><span class="p">.</span><span class="n">value</span><span class="w"> </span><span class="w"> </span><span class="k">END</span><span class="p">)</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="n">download_source_csv</span><span class="w"> </span><span class="w"></span><span class="k">FROM</span><span class="w"> </span><span class="n">mdfind</span><span class="w"> </span><span class="w"></span><span class="k">LEFT</span><span class="w"> </span><span class="k">JOIN</span><span class="w"> </span><span class="n">mdls</span><span class="w"> </span><span class="n">md</span><span class="w"> </span><span class="k">ON</span><span class="w"> </span><span class="n">mdfind</span><span class="p">.</span><span class="n">path</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">md</span><span class="p">.</span><span class="n">path</span><span class="w"> </span><span class="w"></span><span class="k">JOIN</span><span class="w"> </span><span class="n">file</span><span class="w"> </span><span class="n">f</span><span class="w"> </span><span class="k">ON</span><span class="w"> </span><span class="n">f</span><span class="p">.</span><span class="n">path</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">mdfind</span><span class="p">.</span><span class="n">path</span><span class="w"> </span><span class="w"></span><span class="k">AND</span><span class="w"> </span><span class="n">mdfind</span><span class="p">.</span><span class="n">query</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&#34;kMDItemWhereFroms == &#39;*google.com*&#39;c&#34;</span><span class="w"> </span><span class="w"></span><span class="k">GROUP</span><span class="w"> 
</span><span class="k">BY</span><span class="w"> </span><span class="n">f</span><span class="p">.</span><span class="n">path</span><span class="p">;</span><span class="w"> </span></code></pre></div><p>Using the <code>mdfind</code> table, we can procedurally return the paths of any file downloaded from the web, still on disk, by cross-referencing three tables:</p> <ul> <li> <p><code>mdfind</code> (finding the path of files that have a <code>kMDItemWhereFroms</code>)</p> </li> <li> <p><code>extended_attributes</code> (finding the <code>quarantine_event_id</code> attribute of each file)</p> </li> <li> <p><code>quarantine_items</code> (finding the download metadata)</p> </li> </ul> <p>The query below returns the last three items you downloaded:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-sql" data-lang="sql"><span class="k">SELECT</span><span class="w"> </span><span class="w"> </span><span class="n">mdfind</span><span class="p">.</span><span class="n">path</span><span class="p">,</span><span class="w"> </span><span class="w"> </span><span class="n">f</span><span class="p">.</span><span class="k">size</span><span class="p">,</span><span class="w"> </span><span class="w"> </span><span class="n">datetime</span><span class="p">(</span><span class="n">f</span><span class="p">.</span><span class="n">btime</span><span class="p">,</span><span class="w"> </span><span class="s1">&#39;unixepoch&#39;</span><span class="p">)</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="n">file_created</span><span class="p">,</span><span class="w"> </span><span class="w"> </span><span class="n">ea</span><span class="p">.</span><span class="n">value</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="n">quarantine_event_id</span><span class="p">,</span><span class="w"> </span><span class="w"> </span><span class="p">(</span><span class="k">SELECT</span><span class="w"> </span><span 
class="n">data_url</span><span class="w"> </span><span class="k">from</span><span class="w"> </span><span class="n">quarantine_items</span><span class="w"> </span><span class="k">WHERE</span><span class="w"> </span><span class="n">id</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">ea</span><span class="p">.</span><span class="n">value</span><span class="p">)</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="w"> </span><span class="n">data_url</span><span class="w"> </span><span class="w"></span><span class="k">FROM</span><span class="w"> </span><span class="n">extended_attributes</span><span class="w"> </span><span class="n">ea</span><span class="w"> </span><span class="w"> </span><span class="k">JOIN</span><span class="w"> </span><span class="n">mdfind</span><span class="w"> </span><span class="k">ON</span><span class="w"> </span><span class="n">mdfind</span><span class="p">.</span><span class="n">path</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">ea</span><span class="p">.</span><span class="n">path</span><span class="w"> </span><span class="w"> </span><span class="k">JOIN</span><span class="w"> </span><span class="n">file</span><span class="w"> </span><span class="n">f</span><span class="w"> </span><span class="k">ON</span><span class="w"> </span><span class="n">f</span><span class="p">.</span><span class="n">path</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">mdfind</span><span class="p">.</span><span class="n">path</span><span class="w"> </span><span class="w"></span><span class="k">AND</span><span class="w"> </span><span class="n">mdfind</span><span class="p">.</span><span class="n">query</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&#34;kMDItemWhereFroms = &#39;http*&#39;&#34;</span><span class="w"> </span><span class="w"> 
</span><span class="k">AND</span><span class="w"> </span><span class="n">ea</span><span class="p">.</span><span class="k">key</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s1">&#39;quarantine_event_id&#39;</span><span class="w"> </span><span class="w"> </span><span class="k">AND</span><span class="w"> </span><span class="n">data_url</span><span class="w"> </span><span class="o">!=</span><span class="w"> </span><span class="s1">&#39;&#39;</span><span class="w"> </span><span class="w"></span><span class="k">GROUP</span><span class="w"> </span><span class="k">BY</span><span class="w"> </span><span class="n">ea</span><span class="p">.</span><span class="n">value</span><span class="w"> </span><span class="w"></span><span class="k">ORDER</span><span class="w"> </span><span class="k">BY</span><span class="w"> </span><span class="n">f</span><span class="p">.</span><span class="n">btime</span><span class="w"> </span><span class="k">DESC</span><span class="w"> </span><span class="w"></span><span class="k">LIMIT</span><span class="w"> </span><span class="mi">3</span><span class="p">;</span><span class="w"> </span></code></pre></div><h2 id="caveats-to-atc-functionality">Caveats to ATC functionality</h2> <h3 id="properly-formatting-the-atc-configuration-blocks">Properly formatting the ATC configuration blocks</h3> <p>It&rsquo;s important to note that due to the <code>JSON</code> formatting of the ATC configuration block, you must adhere to certain idiosyncratic patterns. For example, you cannot include line breaks in the content of your query section. 
Doing so will produce the following error state:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="nt">E1207 09:36:10.862380 249753088 config.cpp:869] updateSource failed to parse config, of source: /Users/fritz/Downloads/quarantine-events.json and content</span><span class="p">:</span><span class="w"> </span>{<span class="l">...ATC query...}</span><span class="w"> </span><span class="w"></span><span class="nt">I1207 09:36:10.862442 249753088 init.cpp:618] Error reading config</span><span class="p">:</span><span class="w"> </span><span class="l">Error parsing the config JSON</span><span class="w"> </span></code></pre></div><p>Likewise, if you mistakenly declare a column that does not exist or select from a table that does not exist, you will encounter a rather vague error:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="nt">I1207 09:40:43.539501 282201600 virtual_sqlite_table.cpp:111] ATC table: Could not prepare database at path</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;/Users/fritz/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2&#34;</span><span class="w"> </span><span class="w"></span><span class="nt">W1207 09:40:43.540674 282201600 auto_constructed_tables.cpp:47] ATC Table: Error Code: 1 Could not generate data</span><span class="p">:</span><span class="w"> </span><span class="l">Could not prepare database for path /Users/%/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2</span><span class="w"> </span></code></pre></div><p>Double checking that your query works in a terminal first is critical to ensuring your configuration block is going to be interpreted as you expect:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-sql" data-lang="sql"><span class="n">sudo</span><span class="w"> </span><span class="n">sqlite3</span><span 
class="w"> </span><span class="o">-</span><span class="n">header</span><span class="w"> </span><span class="o">~/</span><span class="n">Library</span><span class="o">/</span><span class="n">Preferences</span><span class="o">/</span><span class="n">com</span><span class="p">.</span><span class="n">apple</span><span class="p">.</span><span class="n">LaunchServices</span><span class="p">.</span><span class="n">QuarantineEventsV2</span><span class="w"> </span><span class="w"></span><span class="s2">&#34;SELECT </span><span class="s2"> LSQuarantineEventIdentifier as id, </span><span class="s2"> LSQuarantineAgentName as agent_name, </span><span class="s2"> LSQuarantineAgentBundleIdentifier as agent_bundle_identifier, </span><span class="s2"> LSQuarantineTypeNumber as type, </span><span class="s2"> LSQuarantineDataURLString as data_url, </span><span class="s2"> LSQuarantineOriginURLString as origin_url, </span><span class="s2"> LSQuarantineSenderName as sender_name, </span><span class="s2"> LSQuarantineSenderAddress as sender_address, </span><span class="s2"> LSQuarantineTimeStamp as timestamp </span><span class="s2"> FROM LSQuarantineEvent;&#34;</span><span class="w"> </span></code></pre></div><pre tabindex="0"><code>id|agent_name|agent_bundle_identifier|type|data_url|origin_url|sender_name|sender_address|timestamp 2B5CD5A1-C85C-4400-BEC4-469FF01B5CFC|sharingd||6|||Fritz Ifert-Miller||660060258.698253 3863CBCC-3ED5-4000-B127-9D39D5AE718C|sharingd||6|||Fritz Ifert-Miller||660060153.611904 ... </code></pre><p>Knowing our query actually returns data from the database when queried directly is invaluable!</p> <h3 id="windows-path-nuances">Windows path nuances</h3> <p>Although ATC works with all of the platforms, you must be mindful of differences in path formatting across operating systems. Unix based systems use the <code>/foo/bar/</code> convention. Paths defined in your Windows ATC config will need to be formatted with double <code>\</code> slashes. 
We use <code>\\</code> to properly escape the <code>\</code> character in SQLite. For example:</p> <pre tabindex="0"><code>\\Users\\%\\AppData\\Local\\Google\\Chrome\\User Data\\%\\History </code></pre><h3 id="no-data-typing">No data-typing</h3> <p>ATC tables do not preserve their respective datatypes when they are parsed and imported by osquery. As a result, all data is stored as strings and must be <code>CONVERT</code>&rsquo;ed or <code>CAST</code> back to the desired datatype (e.g. <code>int, float, boolean,</code> etc.) if you would like to interact with it as a specific type.</p> <h2 id="sample-osquery-atc-configurations">Sample Osquery ATC configurations:</h2> <p>I&rsquo;ve included a few sample configurations here, which you can play with in your own osquery instance if you are so inclined.</p> <aside class="c-technical-aside-box c-technical-aside-box--background" aria-labelledby="privacy-disclaimer"> <h2 class="c-technical-aside-box__title" id="privacy-disclaimer"> Privacy Disclaimer: </h2> <div class="c-technical-aside-box__description"> Some of these configurations expose PII (personally identifiable information) and should be used for <em>proof-of-concept purposes only</em>. As part of our <a href="https://honest.security/">Honest Security</a> philosophy, 1Password® Extended Access Management does not collect nor does it allow customizations that would enable the agent to collect any data in the examples below. 
</div> </aside> <h3 id="google-chrome-login-keychain">Google Chrome login keychain</h3> <p>Returns a list of all website logins performed within Google Chrome:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-json" data-lang="json"><span class="p">{</span> <span class="nt">&#34;auto_table_construction&#34;</span> <span class="p">:</span> <span class="p">{</span> <span class="nt">&#34;chrome_login_keychain&#34;</span> <span class="p">:</span> <span class="p">{</span> <span class="nt">&#34;query&#34;</span> <span class="p">:</span> <span class="s2">&#34;SELECT origin_url, action_url, username_value, password_element FROM logins&#34;</span><span class="p">,</span> <span class="nt">&#34;path&#34;</span> <span class="p">:</span> <span class="s2">&#34;/Users/%/Library/Application Support/Google/Chrome/Default/Login Data&#34;</span><span class="p">,</span> <span class="nt">&#34;columns&#34;</span> <span class="p">:</span> <span class="p">[</span><span class="s2">&#34;origin_url&#34;</span><span class="p">,</span> <span class="s2">&#34;action_url&#34;</span><span class="p">,</span> <span class="s2">&#34;username_value&#34;</span><span class="p">,</span> <span class="s2">&#34;password_element&#34;</span><span class="p">],</span> <span class="nt">&#34;platform&#34;</span> <span class="p">:</span> <span class="s2">&#34;darwin&#34;</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre></div><h3 id="google-chrome-browser-history">Google Chrome browser history</h3> <p>Returns the browser history stored by Google Chrome.</p> <p>If you would like to try all of the mentioned tables for yourself and merely download the configuration file you can find it at the following Gist:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-json" data-lang="json"><span class="p">{</span> <span class="nt">&#34;auto_table_construction&#34;</span> <span class="p">:</span> <span class="p">{</span> 
<span class="nt">&#34;quarantine_items&#34;</span> <span class="p">:</span> <span class="p">{</span> <span class="nt">&#34;query&#34;</span> <span class="p">:</span> <span class="s2">&#34;SELECT LSQuarantineEventIdentifier as id, LSQuarantineAgentName as agent_name, LSQuarantineAgentBundleIdentifier as agent_bundle_identifier, LSQuarantineTypeNumber as type, LSQuarantineDataURLString as data_url,LSQuarantineOriginURLString as origin_url, LSQuarantineSenderName as sender_name, LSQuarantineSenderAddress as sender_address, LSQuarantineTimeStamp as timestamp from LSQuarantineEvent&#34;</span><span class="p">,</span> <span class="nt">&#34;path&#34;</span> <span class="p">:</span> <span class="s2">&#34;/Users/%/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2&#34;</span><span class="p">,</span> <span class="nt">&#34;columns&#34;</span> <span class="p">:</span> <span class="p">[</span><span class="s2">&#34;id&#34;</span><span class="p">,</span> <span class="s2">&#34;type&#34;</span><span class="p">,</span> <span class="s2">&#34;agent_name&#34;</span><span class="p">,</span> <span class="s2">&#34;agent_bundle_identifier&#34;</span><span class="p">,</span> <span class="s2">&#34;timestamp&#34;</span><span class="p">,</span> <span class="s2">&#34;sender_name&#34;</span><span class="p">,</span> <span class="s2">&#34;sender_address&#34;</span><span class="p">,</span> <span class="s2">&#34;origin_url&#34;</span><span class="p">,</span> <span class="s2">&#34;data_url&#34;</span><span class="p">]</span> <span class="p">},</span> <span class="nt">&#34;chrome_browser_history&#34;</span> <span class="p">:</span> <span class="p">{</span> <span class="nt">&#34;query&#34;</span> <span class="p">:</span> <span class="s2">&#34;SELECT urls.id id, urls.url url, urls.title title, urls.visit_count visit_count, urls.typed_count typed_count, urls.last_visit_time last_visit_time, urls.hidden hidden, visits.visit_time visit_time, visits.from_visit from_visit, visits.visit_duration 
visit_duration, visits.transition transition, visit_source.source source FROM urls JOIN visits ON urls.id = visits.url LEFT JOIN visit_source ON visits.id = visit_source.id&#34;</span><span class="p">,</span> <span class="nt">&#34;path&#34;</span> <span class="p">:</span> <span class="s2">&#34;/Users/%/Library/Application Support/Google/Chrome/%/History&#34;</span><span class="p">,</span> <span class="nt">&#34;columns&#34;</span> <span class="p">:</span> <span class="p">[</span><span class="s2">&#34;path&#34;</span><span class="p">,</span> <span class="s2">&#34;id&#34;</span><span class="p">,</span> <span class="s2">&#34;url&#34;</span><span class="p">,</span> <span class="s2">&#34;title&#34;</span><span class="p">,</span> <span class="s2">&#34;visit_count&#34;</span><span class="p">,</span> <span class="s2">&#34;typed_count&#34;</span><span class="p">,</span> <span class="s2">&#34;last_visit_time&#34;</span><span class="p">,</span> <span class="s2">&#34;hidden&#34;</span><span class="p">,</span> <span class="s2">&#34;visit_time&#34;</span><span class="p">,</span> <span class="s2">&#34;visit_duration&#34;</span><span class="p">,</span> <span class="s2">&#34;source&#34;</span><span class="p">],</span> <span class="nt">&#34;platform&#34;</span> <span class="p">:</span> <span class="s2">&#34;darwin&#34;</span> <span class="p">},</span> <span class="nt">&#34;chrome_login_keychain&#34;</span> <span class="p">:</span> <span class="p">{</span> <span class="nt">&#34;query&#34;</span> <span class="p">:</span> <span class="s2">&#34;SELECT origin_url, action_url, username_value, password_element FROM logins&#34;</span><span class="p">,</span> <span class="nt">&#34;path&#34;</span> <span class="p">:</span> <span class="s2">&#34;/Users/%/Library/Application Support/Google/Chrome/Default/Login Data&#34;</span><span class="p">,</span> <span class="nt">&#34;columns&#34;</span> <span class="p">:</span> <span class="p">[</span><span class="s2">&#34;origin_url&#34;</span><span 
class="p">,</span> <span class="s2">&#34;action_url&#34;</span><span class="p">,</span> <span class="s2">&#34;username_value&#34;</span><span class="p">,</span> <span class="s2">&#34;password_element&#34;</span><span class="p">],</span> <span class="nt">&#34;platform&#34;</span> <span class="p">:</span> <span class="s2">&#34;darwin&#34;</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre></div><h2 id="how-does-1password-extended-access-management-use-atc">How does 1Password Extended Access Management use ATC?</h2> <p>As we&rsquo;ve seen in this article, ATC is an incredibly powerful feature of osquery that can be used to dramatically expand the scope of its data collection. To ensure the integrity of privacy promises, we maintain control over which ATC tables are deployed to the agent and use the feature to power our flagship features like inventory and checks.</p> <p><a href="https://1password.com/xam/extended-access-management">1Password® Extended Access Management&rsquo;s Device Trust</a> solution uses ATC to enable the following use cases:</p> <ul> <li> <p>To locate two-factor backup codes downloaded via Chrome and Firefox Windows and Linux Devices</p> </li> <li> <p>To enumerate macOS&rsquo; permissions database in inventory</p> </li> <li> <p>To enumerate Windows Update history</p> </li> <li> <p>To verify specific settings in apps that use SQLite DB (like the <a href="https://1password.com/product/enterprise-password-manager">1Password enterprise password manager</a>)</p> </li> </ul> <p>For instance, 1Password Extended Access Management can show admins a straightforward list of the TCC (Transparency, Consent, and Control) permissions on end-users' devices, allowing oversight into what access different apps have to data on the endpoint.</p> <h2 id="additional-reading">Additional reading</h2> <p>If you are interested in some of the other concepts presented in this post I would strongly encourage you to keep your eyes on 
the 1Password blog. This is just one blog in a series of <a href="https://blog.1password.com/write-new-osquery-table/">published</a> and upcoming posts on all things osquery.</p> <p><a href="https://1password.com/contact-sales/xam">If you&rsquo;re eager to try out this functionality yourself, reach out for a demo! </a></p></description></item><item><title>The business guide to ISO 27001 compliance and certification</title><link>https://blog.1password.com/guide-to-iso-27001-compliance/</link><pubDate>Fri, 06 Sep 2024 00:00:00 +0000</pubDate><author>info@1password.com (Elaine Atwell)</author><guid>https://blog.1password.com/guide-to-iso-27001-compliance/</guid><description> <img src='https://blog.1password.com/posts/2024/guide-to-iso-27001-compliance/header.png' class='webfeedsFeaturedVisual' alt='The business guide to ISO 27001 compliance and certification' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Here we provide an overview of the ISO 27001 audit process, so companies can embark on it with a clear idea of what it entails, and how they stand to benefit.</p> <p>If you&rsquo;re trying to prove that your organization is serious about security, ISO 27001 is the gold standard, the Black Card, the bumper sticker bragging that you&rsquo;ve run a full marathon.</p> <p>ISO 27001 certification has such an elite reputation because it&rsquo;s so difficult to attain–it sets exacting standards that must be rigorously documented and continually maintained.</p> <p>Despite the challenges, there are real benefits to achieving ISO 27001 compliance. 
In a moment where data breaches are rampant, cyber attacks are on the rise, and data privacy laws are being passed around the world, adhering to a strict security standard is <a href="https://blog.1password.com/fluctuating-cyber-liability-insurance/">your best liability insurance</a>.</p> <p>Here, we&rsquo;ll provide an overview of the audit process, so you can embark on it with a clear idea of what it entails and how you stand to benefit.</p> <h2 id="what-is-isoiec-270012013">What is ISO/IEC 27001:2013?</h2> <p>ISO/IEC 27001 is an international standard for data security established by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). It provides guidance for creating an information security management system (ISMS) encompassing people, processes, and technology.</p> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div class="c-technical-aside-box__description"> <p>This standard is usually abbreviated as ISO 27001, but its full name is ISO/IEC 27001:2013, in which &ldquo;2013&rdquo; is the year it was most recently revised.</p> </div> </aside> <p>It&rsquo;s the lynchpin of the <a href="https://blog.1password.com/what-you-need-to-know-about-iso-27000-standards/">ISO/IEC 27000 family of standards</a>, which lay out internationally accepted best practices for data security. 
(The other ISO 27000 standards go into greater detail about specific aspects of information security, but ISO 27001 is the only one for which you can receive certification.)</p> <p>ISO 27001 specifies how an ISMS should function to satisfy the &ldquo;<a href="https://www.rigcert.org/iso_iec_27001-12.htm">C-I-A triad</a>&rdquo; of information security:</p> <ul> <li> <p><strong>Confidentiality</strong> (Restricting data access to authorized users)</p> </li> <li> <p><strong>Integrity</strong> (Data is complete and free from inaccuracies or corruption)</p> </li> <li> <p><strong>Availability</strong> (Users can access the information they need)</p> </li> </ul> <p>The ISO 27001 framework is divided into two sections. The first, &ldquo;Clauses,&rdquo; explains the background and theories of data security, such as defining what to consider in a risk assessment.</p> <p>Meanwhile, Annex A of the standard lays out the recommended controls for ensuring data security. There are 14 sections of the Annex, each of which concerns a different domain, ranging from cryptography to asset management to business continuity management. Within each section are multiple controls touching on various security concerns.</p> <p>For example, Annex A.7 deals with human resource security and includes controls that start with pre-hire screening and end with secure offboarding.</p> <img src='https://blog.1password.com/posts/2024/guide-to-iso-27001-compliance/fourteen-domains.png' alt='A graphic showing the 14 domains.' title='A graphic showing the 14 domains.' 
style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <h2 id="who-is-iso-27001-certification-for">Who is ISO 27001 certification for?</h2> <p>The principles and best practices of the ISO 27001 standard apply to any organization that wants to formalize its information security and data protection processes.</p> <p>But while any organization that handles sensitive data should consider getting <em>compliant</em> with ISO 27001, getting <em>certified</em> is a different matter, and a relatively small number of companies choose to go through the process.</p> <p>According to ISO&rsquo;s most recent <a href="https://www.iso.org/committee/54998.html?t=KomURwikWDLiuB1P1c7SjLMLEAgXOA7emZHKGWyn8f3KQUTU3m287NxnpA3DIuxm&amp;view=documents#section-isodocuments-top">2022 survey</a>, there are roughly 71,550 currently valid ISO 27001 certifications. That&rsquo;s obviously not a huge number, but it&rsquo;s still a significant <a href="https://isotc.iso.org/livelink/livelink/fetch/-8853493/8853511/8853520/18808772/0._Explanatory_note_and_overview_on_ISO_Survey_2020_results.pdf?nodeid=21899356&amp;vernum=-2">increase from 2016</a> when there were 45,500. (It&rsquo;s also worth noting that these numbers are just best guesses since the survey is voluntary, and there&rsquo;s no central directory of certified organizations.)</p> <p>The organizations that have the most to benefit from getting ISO 27001 certified are the ones that deal in highly sensitive information assets. These include information technology companies (e.g., managed services providers,) financial institutions, healthcare providers, telecom companies (e.g., internet services providers,) and government contractors.</p> <h2 id="the-benefits-of-iso-27001-certificationcompliance">The benefits of ISO 27001 certification/compliance</h2> <p>ISO 27001&rsquo;s elite reputation and global usage mean that certification can confer a competitive advantage. 
And even compliance without certification offers security benefits.</p> <h3 id="guard-against-data-breaches">Guard against data breaches</h3> <p>Complying with the ISO 27001 standard will strengthen your security posture. By identifying and remediating risks, and defining the people and processes responsible for managing risks, you can reduce both your vulnerability to security incidents, and the potential fallout should one occur. This, in turn, offers a meaningful (albeit invisible) ROI, since you&rsquo;ll avoid the high costs of data recovery, remedial actions, loss of business, and regulatory fines.</p> <h3 id="stay-compliant-with-data-privacy-laws">Stay compliant with data privacy laws</h3> <p>ISO 27001&rsquo;s status as a global standard means it has heavily informed multiple international data privacy laws. <a href="https://blog.1password.com/get-serious-gdpr-compliance/">GDPR refers organizations to it</a> as a set of recognized best practices, and Australia&rsquo;s Digital Security Policy was deliberately crafted to adhere to 27001.</p> <p>Broadly speaking, while ISO 27001 certification doesn&rsquo;t guarantee perfect compliance with every data security regulation, it does represent a big step in the right direction for data privacy compliance goals.</p> <h3 id="close-more-deals">Close more deals</h3> <p>ISO 27001 certification shows partners and customers that your company takes information security seriously. This can put you ahead of the competition, particularly among international customers, enterprise clients, and organizations with strict security requirements.</p> <h3 id="improve-risk-management">Improve risk management</h3> <p>The ISO 27001 standard requires organizations to establish accountability for information risk. With the proliferation of information assets, a transparent chain of command helps you clarify roles and processes and maintain appropriate access control. 
That way, nothing falls through the cracks.</p> <h3 id="reduce-frequent-audits">Reduce frequent audits</h3> <p>As data breaches and attacks become more common, more organizations are auditing their vendors' ISMSs to ensure that their supply chain is protected. An ISO 27001 certification can help reduce the number and costs of these audits, both for existing customers and for prospects during the sales cycle.</p> <h2 id="key-steps-in-the-iso-2001-certification-process">Key steps in the ISO 27001 certification process</h2> <p>ISO 27001 certification is a multi-step process, requiring a great deal of work before an auditor even gets involved. Here&rsquo;s a (non-exhaustive) list of what it entails.</p> <img src='https://blog.1password.com/posts/2024/guide-to-iso-27001-compliance/iso-27001-certification-process.jpg' alt='A graphic showing the iso 27001 certification process.' title='A graphic showing the iso 27001 certification process.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <h3 id="1-read-the-iso-270012013-standard">1. Read the ISO 27001:2013 standard</h3> <p>Step one is simply to read the complete ISO 27001:2013 text, which requires <a href="https://www.iso.org/standard/54534.html">purchasing a copy</a>. (At present, it costs roughly $150.) This will help you get a general sense of how labor-intensive the certification process will be, based on which requirements you already fulfill.</p> <h3 id="2-get-management-buy-in">2. Get management buy-in</h3> <p>ISO 27001 emphasizes the role of leadership in establishing and maintaining an ISMS. 
<a href="https://www.isms.online/iso-27001/leadership-commitment/#:~:text=This%20leadership%20focused%20clause%20of,demonstrate%20both%20leadership%20and%20commitment.">Clause 5.1 specifically</a> &ldquo;identifies specific aspects of the management system where top management are expected to demonstrate both leadership and commitment.&rdquo;</p> <p>Auditors will interview leadership and look for evidence of their involvement, so if you don&rsquo;t have enthusiastic buy-in from the C-Suite, you should hit the brakes before you go any further.</p> <p>To secure leadership support, you&rsquo;ll need to build a business case for certification, and the projected ROI can help determine the project&rsquo;s scope and budget. Organizations typically enlist the help of a third-party consultant, automated compliance products such as <a href="https://www.vanta.com/products/iso-27001">Vanta</a> or <a href="https://secureframe.com/">SecureFrame</a>, or a combination of the two. Those are costs you can budget for at the beginning of the process.</p> <h3 id="3-conduct-a-risk-assessment">3. Conduct a risk assessment</h3> <p>The first official document you&rsquo;ll need to produce is a risk assessment. There are various methodologies for determining risk, but the most common is an asset-based approach.</p> <p>Here, you&rsquo;ll list all your organization&rsquo;s information assets – physical devices, intellectual property, software, etc – and assign a risk level to each based on the C-I-A framework we mentioned earlier. Since no two organizations are exactly alike, your approach to risk will vary depending on the specific data assets you maintain, but prioritize anything that could threaten your regulatory or contractual obligations or is business critical.</p> <p>Next, you&rsquo;ll assess how likely each threat is, and what the fallout from it would be. For instance, a sinkhole opening directly under your server room would have a massive impact, but is relatively unlikely. 
By contrast, the impact of <a href="https://blog.1password.com/no-mdm-for-linux/">someone stealing a developer&rsquo;s unencrypted laptop</a> could be almost as disastrous, and could happen much more easily.</p> <p>Once you&rsquo;ve identified your risks, ISO 27001 lets you choose from four options of risk treatment:</p> <ol> <li> <p>Eliminate: Delete the data in question or stop the risky activity entirely.</p> </li> <li> <p>Share: This can mean either outsourcing risk to a third party or purchasing insurance to minimize the financial impact of a security event.</p> </li> <li> <p>Control: Put policies or technology in place to manage the risk. In the developer&rsquo;s laptop example, this would mean <a href="https://blog.1password.com/extended-access-management-patch-management/">ensuring that all company devices meet your security requirements.</a></p> </li> <li> <p>Accept: Choosing to accept a risk means that you believe that it&rsquo;s so unlikely or its impact would be so small that it doesn&rsquo;t justify the cost of remediating it.</p> </li> </ol> <p>The next (sub)step is to write a <a href="https://www.vanta.com/glossary/iso-27001-risk-treatment-plan">risk treatment plan, which will include</a>:</p> <ul> <li> <p>A description of the risks.</p> </li> <li> <p>The treatment option for managing each risk.</p> </li> <li> <p>Who is accountable for the risk itself.</p> </li> <li> <p>Who is accountable for the risk mitigation activity.</p> </li> <li> <p>When you plan to complete the mitigation activity.</p> </li> </ul> <h3 id="4-write-a-statement-of-applicability">4. Write a statement of applicability</h3> <p>Once you&rsquo;ve established which information security risks you plan to treat vs. accept, it&rsquo;s time to craft your <a href="https://secureframe.com/blog/iso-27001-statement-of-applicability">Statement of Applicability</a>. This document outlines how you&rsquo;ll apply controls to address your identified risks. 
(If all this documentation seems a little redundant, welcome to the world of ISO standards.)</p> <p>In the Statement of Applicability, you&rsquo;ll list which controls apply to your organization, the implementation status of each one, and an explanation for any controls you chose to exclude. You may reject a control that doesn&rsquo;t apply to you (for instance, a fully remote company can disregard the section on delivery or loading areas) or because the cost of implementation outweighs the risk.</p> <p><em>(If you&rsquo;d like to see an example, Secureframe has a <a href="https://secureframe.com/blog/iso-27001-statement-of-applicability">free Statement of Applicability template</a>.)</em></p> <h3 id="5-update-mandatory-documentation">5. Update mandatory documentation</h3> <p>Documentation is the bedrock of ISO 27001, and you&rsquo;ll need to provide detailed descriptions of every facet of your ISMS. ISMS documentation describes how an organization meets the standard&rsquo;s requirements, including the risk mitigation activities identified earlier.</p> <p>As <a href="https://www.isms.online/iso-27001/determining-the-scope-for-your-isms/">ISMS.online points out</a>, the ISMS needs to obey the same principles of Confidentiality, Integrity, and Availability as the security policies it describes. Therefore, &ldquo;it needs to be available when required and adequately protected from loss of confidentiality, unauthorized use or potential integrity compromise.&rdquo;</p> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div class="c-technical-aside-box__description"> <p>Once you&rsquo;ve completed your ISMS, don&rsquo;t rush to bring in an outside auditor! Make sure your systems work in practice, not just on paper. The most crucial element is conducting employee outreach and education so everyone is aware of and compliant with all policies. 
The standard also recommends that you conduct two internal audits before certification.</p> </div> </aside> <h3 id="6-undergo-stage-1-audit">6. Undergo stage 1 audit</h3> <p>There are two phases to an ISO 27001 audit. In Stage 1, an external auditor or certification body will conduct a &ldquo;tabletop&rdquo; audit focused on your documentation.</p> <p>At this stage, you can still be in the process of implementing risk mitigation strategies as long as you can show that you do have plans in place. However, <a href="https://www.varonis.com/blog/iso-27001-compliance">according to Varonis</a>, &ldquo;Lack of key documentation, weak support from management, or poorly identified metrics can all bring an ISO 27001 audit to a screeching halt.&rdquo;</p> <p>Assuming there are no giant red flags, auditors will identify any issues they expect you to resolve before the next stage.</p> <h3 id="7-undergo-stage-2-audit">7. Undergo stage 2 audit</h3> <p>Stage 2 of the audit is much more intensive. Whereas in the first stage, auditors review the <em>documentation</em> of your processes, in this stage, they review the processes themselves.</p> <p>Auditors will test your controls and look for proof that when an incident occurs, it triggers the appropriate response from the people responsible.</p> <p>To pass the certification stage, it&rsquo;s absolutely essential that employees are aware of the ISMS and their role in it. You can&rsquo;t create an ISMS &ldquo;for&rdquo; the auditors; if it&rsquo;s not an internally functional document with real stakeholder buy-in, you won&rsquo;t pass this stage. And since the Stage 1 and Stage 2 audits are usually only a month or two apart, you can&rsquo;t plan to conduct this training during the gap.</p> <p>In Stage 2, auditors will note any remaining nonconformities. 
Major nonconformities can prevent certification entirely, while minor issues can be flagged for further evaluation.</p> <p>Assuming your ISMS works as promised, Stage 2 concludes with the auditor recommending you for certification.</p> <p>But that doesn&rsquo;t mean you&rsquo;re done.</p> <h3 id="8-maintain-compliance">8. Maintain compliance</h3> <p>It takes a lot of work to achieve ISO 27001 certification and a lot of work to keep it. While you won&rsquo;t need to get recertified for three years, you will have to continually maintain your ISMS and Annex A controls to pass your recertification audit.</p> <p>During this time, you&rsquo;ll also need to stay up to date on:</p> <ul> <li> <p>Mandatory internal and external audits (more on those in the FAQ section).</p> </li> <li> <p>Regular employee security training.</p> </li> <li> <p>ISMS policy updates.</p> </li> <li> <p>Changes to the risk assessment.</p> </li> </ul> <h2 id="iso-27001-certification-faqs">ISO 27001 certification FAQs</h2> <p>As we&rsquo;ve said, no two ISO 27001 experiences are exactly alike. 
However, you can make some rough estimates about the cost and timeline of the certification process based on where your organization is starting from.</p> <h3 id="how-much-does-iso-27001-certification-cost">How much does ISO 27001 certification cost?</h3> <p>The cost of the entire process from preparation to certification will depend on your organization&rsquo;s current security posture, number of employees, and the resources you choose to devote to it.</p> <p>According to <a href="https://www.itgovernanceusa.com/iso27001-certification-costs">ISO/IEC recommendations</a>, the audit itself should cost between $5,400 (for an organization with under 50 employees) and $27,000 (up to 2,000 employees).</p> <p>On top of that, you&rsquo;ll need to account for the costs associated with providing employee training, creating documentation, hiring external assistance, updating technologies, and of course, the certification audit.</p> <h3 id="how-long-does-the-iso-17001-certification-process-take">How long does the ISO 27001 certification process take?</h3> <p>The certification process can take anywhere from three months to a full year. Factors influencing this include:</p> <ul> <li> <p>Whether you have a documented ISMS or are building one from scratch.</p> </li> <li> <p>The scope of your audit (a single business unit will be less time-consuming than your entire organization).</p> </li> <li> <p>Whether you have a dedicated compliance professional, hire outside consultants, or assign a team member to take on compliance in addition to other duties.</p> </li> <li> <p>The number of risks requiring remediation, and the difficulty of the remediation efforts.</p> </li> </ul> <h3 id="how-long-is-the-iso-27001-certification-valid-for">How long is the ISO 27001 certification valid for?</h3> <p>An ISO 27001 certification is valid for three years, but you are required to undergo both internal and external audits during this time. 
A third-party auditor will conduct &ldquo;<a href="https://www.isms.online/iso-27001/what-is-the-iso-27001-audit-process/">surveillance audits</a>&rdquo; at six- or 12-month intervals, usually focusing on areas of your ISMS that were of particular concern or significance in your original audit. In addition, <a href="https://www.isms.online/iso-27001/annex-a-5-information-security-policies/">Annex A.5</a> requires a review of your information security policies on at least an annual basis.</p> <h2 id="take-the-easiest-path-to-iso-27001-compliance">Take the easiest path to ISO 27001 compliance</h2> <p>&ldquo;It&rsquo;s supposed to be hard. If it wasn&rsquo;t hard, everyone would do it.&rdquo; Tom Hanks was talking about baseball in that quote, but it also applies to ISO 27001 certification. The difficulty is part of the point.</p> <p>As a company that recently achieved ISO 27001 certification ourselves, we understand exactly how difficult it can be. But we also learned that, even though meeting this standard is a challenge, there are ways to make it less daunting. Your biggest ally is automation. The fewer manual processes you have, the lower the risk of human error, and the easier it is to maintain documentation.</p> <p>Most compliance software has some automated security features built in, and you can also integrate standalone solutions, including 1Password&rsquo;s. Many of our customers use <a href="https://1password.com/product/xam">1Password® Extended Access Management</a> as part of their approach to compliance because it provides real-time, cross-platform (<a href="https://blog.1password.com/no-mdm-for-linux/">even Linux</a>) data on employee devices while respecting privacy. (ICYMI, those qualities map directly to the C-I-A framework.)</p> <p>At the end of the day, the most important thing isn&rsquo;t that you use 1Password Extended Access Management, or even that you go through an ISO 27001 audit at all. 
There&rsquo;s enormous value in pursuing <em>compliance</em> with this standard, whether or not you ever pursue <em>certification</em>. Because while certification isn&rsquo;t for everybody, information security absolutely is.</p> <p>Reach out for a <a href="https://1password.com/contact-sales/xam">demo of 1Password Extended Access Management and see how we can help you achieve and maintain ISO 27001 compliance.</a></p></description></item><item><title>The file table: osquery's secret weapon</title><link>https://blog.1password.com/the-file-table-osquerys-secret-weapon/</link><pubDate>Fri, 06 Sep 2024 00:00:00 +0000</pubDate><author>info@1password.com (Fritz Ifert-Miller)</author><guid>https://blog.1password.com/the-file-table-osquerys-secret-weapon/</guid><description> <img src='https://blog.1password.com/posts/2024/the-file-table-osquerys-secret-weapon/header.png' class='webfeedsFeaturedVisual' alt='The file table: osquery's secret weapon' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">In this article, we&rsquo;ll take a deep dive into osquery tables, by talking about osquery&rsquo;s &lsquo;file table&rsquo; which has some powerful abilities, along with its fair share of limitations.</p> <p>This article is part of an ongoing series in which we look at osquery tables and discuss what they can and cannot do. 
Check out our previous blog, &ldquo;<a href="https://blog.1password.com/write-new-osquery-table/">How To Write a New Osquery Table</a>,&rdquo; which is a great place to get started with the basics of osquery.</p> <p>In this article, we&rsquo;ll be taking a slightly deeper dive into osquery tables, by talking about osquery&rsquo;s <code>file</code> table, which has some powerful abilities, as well as its fair share of limitations.</p> <p>Specifically, this post will look at a cross-platform way to find files across your infrastructure.</p> <h2 id="the-file-table-in-osquery">The file table in osquery</h2> <p>The <code>file</code> table in osquery has an incredible degree of utility across many queries, and represents a fundamental cornerstone of osquery&rsquo;s core capabilities.</p> <p>Let&rsquo;s start by taking a look at its basic schema:</p> <pre tabindex="0"><code>+---------------+---------+---------------------------------------+
| COLUMN        | TYPE    | DESCRIPTION                           |
+---------------+---------+---------------------------------------+
| path          | TEXT    | Absolute file path                    |
| directory     | TEXT    | Directory of file(s)                  |
| filename      | TEXT    | Name portion of file path             |
| inode         | BIGINT  | Filesystem inode number               |
| uid           | BIGINT  | Owning user ID                        |
| gid           | BIGINT  | Owning group ID                       |
| mode          | TEXT    | Permission bits                       |
| device        | BIGINT  | Device ID (optional)                  |
| size          | BIGINT  | Size of file in bytes                 |
| block_size    | INTEGER | Block size of filesystem              |
| atime         | BIGINT  | Last access time                      |
| mtime         | BIGINT  | Last modification time                |
| ctime         | BIGINT  | Last status change time               |
| btime         | BIGINT  | (B)irth or (cr)eate time              |
| hard_links    | INTEGER | Number of hard links                  |
| symlink       | INTEGER | 1 if the path is a symlink, else 0    |
| type          | TEXT    | File status                           |
| attributes    | TEXT    | File attrib string.                   |
| volume_serial | TEXT    | Volume serial number                  |
| file_id       | TEXT    | file ID                               |
+---------------+---------+---------------------------------------+
</code></pre><p>As we can see, there are many metadata attributes that we can use to our advantage both when building queries and refining results. Let&rsquo;s run a sample query against the file table to inspect a file on our local device:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-sql" data-lang="sql">SELECT * FROM file WHERE path = &#39;/Users/fritz-imac/Downloads/github-recovery-codes.txt&#39;;
</code></pre></div><p>This query returns the following data:</p> <pre tabindex="0"><code>path = /Users/fritz-imac/Downloads/github-recovery-codes.txt
directory = /Users/fritz-imac/Downloads
filename = github-recovery-codes.txt
inode = 20650405
uid = 502
gid = 20
mode = 0644
device = 0
size = 206
block_size = 4194304
atime = 1533646421
mtime = 1532976585
ctime = 1532976860
btime = 1532976585
hard_links = 1
symlink = 1
type = regular
</code></pre><p>Very cool! We can see that we have a fair bit of information about this <code>github-recovery-codes.txt</code> file. 
Now, let&rsquo;s take a moment to clean it up and return the values in a format that we can quickly parse.</p> <p>Osquery, by default, returns some data in a less than humanly digestible format.</p> <ul> <li> <p>Time is represented in UNIX epoch.</p> </li> <li> <p>Size is defined in bytes.<sup id="fnref:1"><a href="#fn:1" class="footnote-ref" role="doc-noteref">1</a></sup></p> </li> </ul> <p>Unix epoch date-times are great because they are the easiest to transform. Using the <code>datetime(value,'unixepoch')</code> syntax, we can convert any date-time result in osquery to an easier-to-read value. Then, we will round our size from bytes to megabytes using the ROUND function: <code>ROUND((f.size * 10e-7),4)</code>.</p> <p>Finally, we will join our <code>uid</code> and <code>gid</code> on their respective tables (<code>users</code> and <code>groups</code>) and return their actual names. Let&rsquo;s try it below:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-sql" data-lang="sql">SELECT
  f.path,
  u.username AS file_owner,
  g.groupname AS group_owner,
  datetime(f.atime, &#39;unixepoch&#39;) AS file_last_access_time,
  datetime(f.mtime, &#39;unixepoch&#39;) AS file_last_modified_time,
  datetime(f.ctime, &#39;unixepoch&#39;) AS file_last_status_change_time,
  datetime(f.btime, &#39;unixepoch&#39;) AS file_created_time,
  ROUND(
    (f.size * 10e-7),
    4
  ) AS size_megabytes
FROM
  file f
  LEFT JOIN users u ON f.uid = u.uid
  LEFT JOIN groups g ON f.gid = g.gid
WHERE
  path = &#34;/Users/fritz-imac/Downloads/github-recovery-codes.txt&#34;
</code></pre></div><p>Running this query results in the following output:</p> <pre tabindex="0"><code>path = /Users/fritz-imac/Downloads/github-recovery-codes.txt
file_owner = fritz-imac
group_owner = staff
file_last_access_time = 2018-08-29 18:43:40
file_last_modified_time = 2018-07-30 18:49:45
file_last_status_change_time = 2018-07-30 18:54:20
file_created_time = 2018-07-30 18:49:45
size_megabytes = 0.0002
</code></pre><p>Already that is much easier to read! Now we can go hunting for any file we want. But slow down, tiger, there is a big caveat with the <code>file</code> table in osquery.</p> <h2 id="you-have-to-know-where-your-file-is-first">You have to know where your file is first!</h2> <p>Unfortunately, the <code>file</code> table requires a <code>WHERE</code> clause, meaning that you need to know roughly where an item is before you can go querying for it. This protects against the massive recursion that would be necessitated by searching every single directory and their respective subdirectories on the file system.</p> <p>The clause <code>WHERE path =</code> can thankfully be massaged through the use of wildcards and a <code>LIKE</code> clause, e.g., <code>WHERE path LIKE &quot;/foo/%&quot;</code>, but there are some tricky things to look out for in terms of the way wildcards are handled!</p> <h2 id="understanding-how-single-wildcards--work-within-the-file-table">Understanding how single wildcards &lsquo;%&rsquo; work within the file table</h2> <pre tabindex="0"><code>SELECT * FROM file WHERE path LIKE &quot;/%&quot;;
</code></pre><p>Single wildcards treat the file table like an ogre, in that it&rsquo;s like an onion: full of layers.</p> <p>A single <code>%</code> in the <code>file</code> table allows you to find items in a specified layer of the file system. 
For instance:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-sql" data-lang="sql">SELECT
  *
FROM
  file
WHERE
  path LIKE &#34;/Users/%/Google Drive/%/%&#34;;
</code></pre></div><p>This query would find any files that were located within directories like:</p> <pre tabindex="0"><code>/Users/username/Google Drive/foo/bar/
/Users/username2/Google Drive/bar/foo/
</code></pre><p>It will not, however, return any files that were located in subsequent deeper subdirectories. For instance:</p> <pre tabindex="0"><code>/Users/username/Google Drive/foo/bar/baz/filename.ext
/Users/username/Google Drive/foo/bar/baz/qux/quux/filename.ext
</code></pre><p>This means you can&rsquo;t print out every file on your file system by running:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-sql" data-lang="sql">SELECT
  *
FROM
  file
WHERE
  path LIKE &#34;/%&#34;
</code></pre></div><p>As long as you only use single <code>%</code> wildcards, you will only ever see the files at that one layer of the directory hierarchy. In this instance, that is the first layer: the items in the root directory.</p> <pre tabindex="0"><code>osquery&gt; SELECT path, btime, size, type FROM file WHERE path LIKE &quot;/%&quot;;
+----------------------------+------------+------+-----------+
| path                       | btime      | size | type      |
+----------------------------+------------+------+-----------+
| /Applications/             | 1508949222 | 4114 | directory |
| /Library/                  | 1508949320 | 2312 | directory |
| /Network/                  | 1469907150 | 68   | directory |
| /System/                   | 1508949086 | 136  | directory |
| /Users/                    | 1469911752 | 170  | directory |
| /Volumes/                  | 1469907156 | 136  | directory |
| /bin/                      | 1508949475 | 1292 | directory |
| /cores/                    | 1469907149 | 68   | directory |
| /dev/                      | 0          | 4444 | directory |
| /etc/                      | 1508949384 | 4114 | directory |
| /home/                     | 0          | 1    | directory |
| /installer.failurerequests | 1504228163 | 313  | regular   |
| /net/                      | 0          | 1    | directory |
| /private/                  | 1519081368 | 204  | directory |
| /sbin/                     | 1508949475 | 2142 | directory |
| /tmp/                      | 1519081368 | 1326 | directory |
| /usr/                      | 1508948533 | 306  | directory |
| /var/                      | 1510954365 | 986  | directory |
+----------------------------+------------+------+-----------+
</code></pre><h2 id="understanding-how-double-wildcards--work-within-the-file-table">Understanding how double wildcards &lsquo;%%&rsquo; work within the file table</h2> <p>To recursively search your filesystem, you can use <code>%%</code>, the double wildcard.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-sql" data-lang="sql">-- WARNING: Do NOT run the following query, it will literally return thousands of
-- files on your computer!!!
SELECT
  *
FROM
  file
WHERE
  path LIKE &#34;/%%&#34;
</code></pre></div><p>Double wildcards can only ever be used at the end of a string, e.g., <code>/foo/bar/%%</code>.</p> <h3 id="double-wildcards-can-never-be-used-mid-string-infix">Double wildcards can NEVER be used mid-string (infix)</h3> <p>This means the following query will never return results:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-sql" data-lang="sql">SELECT
  path
FROM
  file
WHERE
  path LIKE &#34;/Users/%%/UX/%%&#34;;
</code></pre></div><p>However, you can use the double wildcard to your advantage in limited situations where you want to search within a known parent directory and its respective sub-directories. The more possible sub-directories and recursion, the slower and less performant the query will be.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-sql" data-lang="sql">SELECT
  path
FROM
  file
WHERE
  path LIKE &#34;/Users/fritz-imac/Google Drive/UX/%%&#34;;
</code></pre></div><h2 id="mixing-single--and-double-wildcards--within-the-file-table">Mixing single &lsquo;%&rsquo; and double wildcards &lsquo;%%&rsquo; within the file table</h2> <p>The last fun thing you can do is mix wildcard types, if you want to restrict certain parts of your <code>WHERE</code> clause to a specific layer and permit recursion at another part of the path.</p> <p>For instance, if I wanted to see what percentage of disk space the files located in Google Drive are using per device across my entire fleet, I could run the following query:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-sql" data-lang="sql">SELECT SUM(file.size) AS gdrive_size,
  (SELECT (mounts.blocks * mounts.blocks_size)
    FROM mounts
    WHERE PATH = &#39;/&#39;) AS total_disk_size,
  (100.0 * SUM(file.size) /
    (SELECT (mounts.blocks * mounts.blocks_size)
      FROM mounts
      WHERE PATH = &#39;/&#39;)) AS gdrive_percentage_used
FROM FILE
WHERE file.path LIKE &#39;/Users/%/Google Drive/%%&#39;;
</code></pre></div><p>Which produces the following output:</p> <pre tabindex="0"><code>+-------------+-----------------+------------------------+
| gdrive_size | total_disk_size | gdrive_percentage_used |
+-------------+-----------------+------------------------+
| 7492526705  | 379000430592    | 1.97691772890512       |
+-------------+-----------------+------------------------+
</code></pre><p>These queries can be run, but you need to be mindful of how many files your system is looking through to produce the end result.</p> <h2 id="limitations-of-wildcard-like-searches-in-the-file-table">Limitations of wildcard LIKE searches in the file table</h2> <p>While undeniably useful, the file table is not without limitations. 
Knowing what those limitations are and how to avoid them will help you make sure you are accurately returning your expected data.</p> <p>It is worth noting that both of these limitations are outlined in a GitHub issue, in the osquery repository <a href="https://github.com/osquery/osquery/issues/7306">#7306</a>, and may (someday) be addressed.🤞🏻</p> <h3 id="symlink-loops-may-prevent-complete-recursive-crawling">Symlink loops may prevent complete recursive crawling</h3> <p>If you were to run a query like:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-sql" data-lang="sql"><span class="k">SELECT</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="k">FROM</span><span class="w"> </span><span class="n">file</span><span class="w"> </span><span class="k">WHERE</span><span class="w"> </span><span class="n">path</span><span class="w"> </span><span class="k">LIKE</span><span class="w"> </span><span class="s1">&#39;/%%&#39;</span><span class="w"> </span></code></pre></div><p>You might expect that it would return every file on your file-system, but in practice it does not. This is because osquery will end the query once it encounters something called a <code>symlink loop</code>.</p> <pre tabindex="0"><code>osquery&gt; SELECT COUNT(*) FROM file WHERE path LIKE '/%%'; +----------+ | COUNT(*) | +----------+ | 1172 | +----------+ </code></pre><p>Symlinks (also known as symbolic links) are frequently referred to as shortcuts. They are files which point to another file or folder on the computer.</p> <p>A symlink loop is when a symlink points back to a parent directory in its path which creates an infinite loop if traversed. 
We can observe this behavior in practice by querying a folder which contains one of these loops:</p> <p>As we can see in the screenshot below, the directory <code>/tmp/directory-level-0/</code> consists of 6 nested folders.</p> <img src='https://blog.1password.com/posts/2024/the-file-table-osquerys-secret-weapon/symbolic-link-loop.png' alt='A screenshot showing the symbolic link loop.' title='A screenshot showing the symbolic link loop.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>The <code>tree</code> command shows the expected output of our nested directories:</p> <pre tabindex="0"><code>➜ directory-level-0 tree . └── directory-level-1 ├── directory-level-2 │ └── directory-level-3 │ └── directory-level-4 │ └── directory-level-5 │ └── directory-level-6 └── symlink-back-to-level-0 -&gt; /tmp/directory-level-0 </code></pre><p>However, when we recursively query the parent folder using osquery, we receive an incomplete result. This is because the symbolic link is causing a recursive loop of a child pointing back to a parent, which osquery avoids by preemptively terminating the query:</p> <pre tabindex="0"><code>osquery&gt; SELECT path FROM file WHERE path LIKE '/tmp/directory-level-0/%%'; +-------------------------------------------------------------------------------------+ | path | +-------------------------------------------------------------------------------------+ | /tmp/directory-level-0/directory-level-1/ | | /tmp/directory-level-0/directory-level-1/directory-level-2/ | | /tmp/directory-level-0/directory-level-1/directory-level-2/directory-level-3/ | | /tmp/directory-level-0/directory-level-1/symlink-back-to-level-0/ | | /tmp/directory-level-0/directory-level-1/symlink-back-to-level-0/directory-level-1/ | +-------------------------------------------------------------------------------------+ </code></pre><p>Unfortunately, the recursive searching in the osquery <code>file</code> table is accomplished via 
<code>glob</code>, which has no method for skipping over symlinks.</p> <p>As a result you have to take a targeted approach when recursively searching. Use double wildcards to avoid recursing through paths that may contain symlinks.</p> <h3 id="hidden-files-are-not-returned-by-recursive-searches">Hidden files are not returned by recursive searches</h3> <p>If a file is marked as hidden in the file-system (typically by prepending the filename with a &ldquo;.&quot;), it will not be returned in the results of any recursive file search. This can be observed in the following example query:</p> <pre tabindex="0"><code>osquery&gt; SELECT * FROM file WHERE path LIKE '/Users/test-macbook/git/kolide/test/%' AND filename = '.git'; osquery&gt; osquery&gt; SELECT path FROM file WHERE path = '/Users/test-macbook/git/kolide/test/.git'; +------------------------------------------+ | path | +------------------------------------------+ | /Users/test-macbook/git/kolide/test/.git | +------------------------------------------+ osquery&gt; SELECT path FROM file WHERE directory = '/Users/test-macbook/git/kolide/test' AND filename = '.git'; +------------------------------------------+ | path | +------------------------------------------+ | /Users/test-macbook/git/kolide/test/.git | +------------------------------------------+ </code></pre><p>Keep this in mind if you are searching for files that might be marked as hidden in the filesystem. 
Otherwise, you may be missing results that you expected.</p> <h2 id="when-should-i-use-recursive-queries-in-the-file-table-in-osquery">When should I use recursive queries in the file table in osquery?</h2> <p>Basically, there are two times when it makes sense to use recursive queries in the file table:</p> <ul> <li> <p>When there is literally no other option for locating a file of import.</p> </li> <li> <p>When you can limit the degree of recursion that your search is capable of by scoping it to a particular folder, e.g. <code>'/Users/%/Downloads/%%'</code>.</p> </li> </ul> <p>If there is ever any doubt about how expensive a query is after you schedule it, osquery comes with great tools to analyze just that. For example, in a product like <a href="https://1password.com/xam/extended-access-management">1Password® Extended Access Management</a>, you can run a live query against your devices that enumerates all of the queries in your schedule by simply running:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-sql" data-lang="sql"><span class="k">SELECT</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="k">FROM</span><span class="w"> </span><span class="n">osquery_schedule</span><span class="w"> </span></code></pre></div> <img src='https://blog.1password.com/posts/2024/the-file-table-osquerys-secret-weapon/kolide-osquery-schedule.jpg' alt='A screenshot showing the XAM osquery schedule.' title='A screenshot showing the XAM osquery schedule.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>The screenshot shows a line-up of sample queries in our schedule. We can sort all of those queries by <code>wall_time</code> to get a sense of how long these take to complete. We can even see how much memory they may be using during execution. 
These are all indicators to help us avoid executing file queries with too much recursion potential.</p> <p>Essentially, file tables are a fantastic tool in osquery – so long as you use them wisely. And if you&rsquo;d like an out-of-the-box osquery solution for managing your company&rsquo;s endpoints, why not check out 1Password Extended Access Management? It does all of this, plus <a href="https://1password.com/xam/extended-access-management">a whole lot more</a>.</p> <p><a href="https://1password.com/dev-subscribe/">If you&rsquo;d like to read more content like this, sign up for our developer newsletter.</a></p> <section class="footnotes" role="doc-endnotes"> <hr> <ol> <li id="fn:1" role="doc-endnote"> <p>Osquery sizes are returned in bytes but some comp-sci items (RAM vs Hard Drives) <a href="https://randomascii.wordpress.com/2016/02/13/base-ten-for-almost-everything/">calculate their size in base-10</a> and some calculate in base-2.&#160;<a href="#fnref:1" class="footnote-backref" role="doc-backlink">&#x21a9;&#xfe0e;</a></p> </li> </ol> </section></description></item><item><title>New 1Password SIEM integrations with Rapid7, Blumira, and Stellar Cyber</title><link>https://blog.1password.com/1password-siem-integration-rapid7-blumira-stellar-cyber/</link><pubDate>Thu, 05 Sep 2024 00:00:00 +0000</pubDate><author>info@1password.com (Clarence Wong)</author><guid>https://blog.1password.com/1password-siem-integration-rapid7-blumira-stellar-cyber/</guid><description> <img src='https://blog.1password.com/posts/2024/1password-siem-integration-rapid7-blumira-stellar-cyber/header.png' class='webfeedsFeaturedVisual' alt='New 1Password SIEM integrations with Rapid7, Blumira, and Stellar Cyber' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Spend less time collating security reports and investigating security issues by creating integrated, customizable dashboards with data from 1Password. 
The new Rapid7, Blumira, and Stellar Cyber integrations for 1Password allow you to monitor potential risks around company data or credentials stored within 1Password.</p> <p>With these new integrations, you can manage all your security reports in one central location by <a href="https://support.1password.com/events-reporting/">integrating your security information and event management (SIEM)</a> with your <a href="https://1password.com/business/">1Password Business account</a>.</p> <h2 id="1passwords-events-api-expedites-security-reviews">1Password’s Events API expedites security reviews</h2> <p>The <a href="https://www.ibm.com/reports/data-breach">global average cost of a data breach in 2024 is 4.88M USD</a> – that’s a 10% increase from 2023. The <a href="https://www.verizon.com/business/resources/reports/dbir/">leading cause of breaches</a>? Stolen credentials (38%).</p> <p>SIEM solutions, like <a href="https://www.rapid7.com/">Rapid7</a>, <a href="http://blumira.com">Blumira</a>, and <a href="https://stellarcyber.ai/">Stellar Cyber</a>, help businesses identify potential security risks and provide a comprehensive view of a company’s security stack. This helps reduce the time companies spend investigating potential risks and helps expedite mitigation.</p> <p>Using the <a href="https://support.1password.com/events-reporting/">1Password Events API</a>, Rapid7, Blumira, and Stellar Cyber customers can now stream 1Password data into their own reporting – putting all security dashboards in one place. 
IT teams can now spend more time analyzing data, rather than finding and compiling it all themselves.</p> <p><a href="https://support.1password.com/insights/">1Password Insights dashboard</a> helps your team keep track of data breaches that could be affecting your company, the password health of your team (including the strength of passwords), and also provides an overall view of team 1Password usage.</p> <h2 id="streamline-security-reporting">Streamline security reporting</h2> <p>Save your team time by getting a well-rounded view of your posture and other security events all in one place. With the 1Password Events API integration, Blumira, Stellar Cyber, and Rapid7’s customers can:</p> <ul> <li><strong>Track sign-in events.</strong> Be notified when there are both successful and failed login attempts.</li> <li><strong>Monitor item usage.</strong> Find out when items have been modified, accessed, or used.</li> <li><strong>Receive threat intel notifications.</strong> Be alerted to potential security risks or attacks and get recommendations on how to handle them.</li> </ul> <p>Simplify your security operations and empower your team to monitor and analyze data from 1Password alongside other crucial security information – all in one place. Integrating with Blumira, Stellar Cyber, and Rapid7 is simple and secure, and gives your team everything they need to monitor your organization’s security health.</p> <h2 id="getting-started">Getting started</h2> <p>These SIEM integrations are available to anyone with a 1Password Business account and a Rapid7, Blumira, or Stellar Cyber account.</p> <p>Not a 1Password Business customer? <a href="https://start.1password.com/sign-up/business">Try it free for 14 days</a>!</p> <p>If you’re already using 1Password and either Rapid7, Blumira, or Stellar Cyber, <a href="https://support.1password.com/events-reporting/">you can connect them</a> by selecting the relevant option within the integrations directory. 
Once you’ve connected your SIEM solution to 1Password, check out <a href="https://support.1password.com/events-reporting/">1Password Support</a> to start enabling features.</p> <p>In addition to Rapid7, Blumira, and Stellar Cyber, 1Password also integrates with the following SIEMs: Datadog, Elastic, Microsoft Sentinel, Panther, Splunk, Sumo Logic. Learn more about <a href="https://support.1password.com/events-reporting/">integrating 1Password with your SIEM</a>.</p> <p>Interested in becoming an integration partner with 1Password? Email <a href="mailto:tech-partnerships@agilebits.com">tech-partnerships@agilebits.com</a> to get started.</p> <h2 id="secure-your-business-without-slowing-it-down">Secure your business without slowing it down</h2> <p>Trusted by over 150,000 businesses, 1Password is the best way to protect your organization’s secrets.</p> <p><a href="https://start.1password.com/sign-up/business">Try 1Password free</a>.</p></description></item><item><title>Block Party founder Tracy Chou is building privacy tools that combat online harassment</title><link>https://blog.1password.com/tracy-chou-personal-data-leaks-interview/</link><pubDate>Wed, 04 Sep 2024 00:00:00 +0000</pubDate><author>info@1password.com (Jenn Marshall)</author><guid>https://blog.1password.com/tracy-chou-personal-data-leaks-interview/</guid><description> <img src='https://blog.1password.com/posts/2024/tracy-chou-personal-data-leaks-interview/header.png' class='webfeedsFeaturedVisual' alt='Block Party founder Tracy Chou is building privacy tools that combat online harassment' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Today’s social platforms are “public by default”, from Instagram and LinkedIn to Venmo and Strava.</p> <p>Tracy Chou is founder and CEO of <a href="https://www.blockpartyapp.com/">Block Party</a>, a company that builds online privacy tools, and was one of <a 
href="https://time.com/collection/women-of-the-year/6150549/tracy-chou/"><em>Time’s</em> 12 Women of the Year in 2022</a>. She says this “opt-out” reality means that most of us – despite our best intentions – are leaking personal data online and don’t even know it. Often the consequences can be surprising and unfortunate.</p> <p>But there are things we can do to take control. Chou talks with 1Password&rsquo;s Michael “Roo” Fey on the <a href="https://randombutmemorable.simplecast.com/">Random But Memorable</a> podcast about her own experiences, including harassment and stalking, that motivated her to develop privacy tools and share them with others so they could also feel safer online.</p> <p>Read the interview highlights below or listen to the <a href="https://randombutmemorable.simplecast.com/episodes/social-media-bad-habits">full podcast</a> to learn more about Chou’s journey, including her advocacy work for diversity and inclusion in tech, and her optimism that the internet can still be a force for good.</p> <div style="text-align: center !important;"> <iframe src="https://www.youtube-nocookie.com/embed/7aXmBYH8Uvk?si=vRyap2ipO13QlcNI" frameborder="0" allow="autoplay; encrypted-media" width="500px !important;" height="281px !important;" style="width: 500px !important; height: 281px !important; display: inline-block !important" allowfullscreen></iframe> </div> <p><em>Editor’s note: This interview has been lightly edited for clarity and brevity. The views and opinions expressed by the interviewee don’t represent the opinions of 1Password.</em></p> <p><strong>Michael Fey: How did you get started in tech and cybersecurity?</strong></p> <p><strong>Tracy Chou:</strong> Both of my parents are software engineers. I went to Stanford and studied electrical engineering and computer science, so it felt like a very well-paved road straight into tech companies. 
I interned at Google and Facebook and then, when I graduated from school, I worked at a couple of early-stage startups.</p> <p>I joined Quora as a second engineer. I then joined Pinterest when it was about 10 people. I got to be a part of building some of these platforms from the ground up. It was super fun to be working on everything from infrastructure and APIs to the websites, moderation tools, and thinking about what policies we should have for content and user interactions.</p> <p>In parallel to being an engineer, I started to do a bunch of diversity and inclusion activism work. This led me to personally building more of a platform. I was exposed to some of the less savory parts of the internet, like abuse and harassment – everything from garden-variety sexism and racism to targeted, sustained harassment and stalking. I started to have a very personal interest in security because of that.</p> <p>I would get 10,000 password reset requests. So somebody was trying to get into my account. But I also experienced stalkers who showed up in person, after having flown around the world, to find me. This made me much more sensitive to things like location tagging and sharing photos in real time from where I was.</p> <blockquote> <p><em>&ldquo;I would get 10,000 password reset requests.&quot;</em></p> </blockquote> <p>Block Party came directly out of these two different parts of my background: 1) the engineering and product side, building platforms, understanding how they work, and 2) the personal experience of dealing with safety and privacy and security issues, and wanting to build better solutions for me, and also for everybody else who might have similar situations.</p> <p><strong>MF: I imagine it wasn’t difficult to find other people who were in similar situations and needed similar solutions.</strong></p> <p><strong>TC:</strong> Yeah, it was pretty unfortunate to hear all the stories that people have shared. 
I would say there&rsquo;s certain types of stories that are easier to talk about publicly. Often, the people who are dealing with this stuff have a little bit more of a high profile, and they&rsquo;re willing to use their platform to shed light on these issues. But sometimes it&rsquo;s very difficult to talk about security and privacy issues.</p> <p>Also, you don&rsquo;t necessarily want your stalker to know what you’re doing to defend against their attacks, that they&rsquo;re getting through to you, or that you&rsquo;re aware and tracking down what they&rsquo;re doing.</p> <blockquote> <p><em>&ldquo;You don&rsquo;t necessarily want your stalker to know what you’re doing to defend against their attacks.&quot;</em></p> </blockquote> <p>I’ve talked to quite a few people, mostly women, who&rsquo;ve dealt with safety and security issues like stalkers. They&rsquo;ve never been able to talk to anybody about these things. They definitely can&rsquo;t use their platforms or talk about these things in a public setting at all.</p> <p>I actually have found quite a few people who really just wanted to tell me because they couldn&rsquo;t talk to anybody else who would understand and really empathize with them.</p> <p><strong>MF: Can you talk a little bit about Privacy Party and what it is, what it does, and how it works?</strong></p> <p><strong>TC:</strong> <a href="https://www.blockpartyapp.com/#privacyparty/">Privacy Party</a> is a browser extension that helps you to deep clean your social media, the settings and the notifications, so that you don&rsquo;t have any accidental overexposure of your data. You can also just go clean up all the stuff you don&rsquo;t want on there anymore.</p> <p>We support all the major social media platforms, like Facebook, Instagram, Twitter, and LinkedIn. We also support some platforms that you might not think of as social platforms, like Venmo and Strava. These leak a lot of important data. 
For example, Venmo has your financial transactions, and also those of some of the people closest to you. Strava has your location, like if you&rsquo;re running and cycling starting from home, or in places that you frequent regularly.</p> <p>Especially with the default public profiles on both Venmo and Strava, you&rsquo;re giving the whole internet a lot of information.</p> <p><strong>MF: There was a story a number of years ago where U.S. troops used Strava during their exercises and accidentally revealed the location of their military base.</strong></p> <p><strong>TC:</strong> Yeah, the heat map would show clearly in the middle of the desert, where there shouldn&rsquo;t be anything. There was also the story of a Russian commander who was sniped and killed on, it seemed like, his daily jog. He was posting all of his runs to Strava publicly.</p> <p><strong>MF: Yikes. So, Privacy Party will go through, and it&rsquo;ll lock down your settings, and it will also scrub old posts and stuff like that?</strong></p> <p><strong>TC:</strong> We have a bunch of automations that will help you delete old things if you would like to. For example, remove all of your Instagram posts or old Twitter posts. There are also things like untagging photos on Facebook. The way the extension works is that it will scan through your accounts and your settings and flag you to potential risks. It works in the same way that a virus scanner might run on your computer and let you know, hey, there&rsquo;s some things here, do you want to take a look?</p> <blockquote> <p><em>&ldquo;[Privacy Party] will scan through your accounts and your settings and flag you to potential risks.&quot;</em></p> </blockquote> <p>We have a very strong theme of user empowerment throughout all the products we build. So, it&rsquo;s not just, we&rsquo;re going to do all this for you; instead, we’re going to put it in front of you so it&rsquo;s easy for you to do, but you’re in full control. 
You can make the decisions, like, yes, I want to click this button to delete all my old posts, or I want to lock down all my settings.</p> <p><strong>MF: This all runs within a browser extension?</strong></p> <p><strong>TC:</strong> It does. There are some very nice things about building this product as a browser extension for privacy reasons. It’s almost like we’re a friend who&rsquo;s leaning over your shoulder as you&rsquo;re at your laptop and clicking on things, but we can&rsquo;t do anything when you&rsquo;ve closed your computer. We don&rsquo;t hold your account credentials. We just have access when you have access.</p> <p><strong>MF: What was the catalyst for Privacy Party? Was there a particular moment that made you say “enough is enough”?</strong></p> <p><strong>TC:</strong> It&rsquo;s hard to pinpoint one singular moment, because it felt like I was just getting this gradual increase over time of online harassment and stalking and weirdos. But there were a couple of – if I had to call them out – catalytic moments.</p> <p>One was, this is sort of a crazy story, someone who was obsessed with the idea that I was in a secret relationship with James Comey. This person started posting a lot on Twitter and Instagram about this, photoshopping us together, and continuing this crazy narrative that I was, at first, the secret girlfriend, and then, the wife, second wife – I don&rsquo;t know, it was really ludicrous.</p> <p><strong>MF: Wait, James Comey of the FBI?</strong></p> <p><strong>TC:</strong> Yes, correct.</p> <p><strong>MF: And just for the record, you were not.</strong></p> <p><strong>TC:</strong> I have no connection to James Comey. I was like, I don&rsquo;t know where this came from. They created many accounts to try to advance this conspiracy theory.</p> <p>I went and tried to report the accounts on Twitter and Instagram. I think there were like 40 posts on Instagram that I went and recorded in one go. 
The reports got returned to me with: “We see no evidence of any issue, but thank you for your contributions to try to make Instagram a welcoming community.”</p> <p>I screenshotted a bunch of this stuff and posted it on my personal Facebook, where I’m friends with some of the people who work at these different companies. Almost immediately, I got a response, which is like: “Oh, this is not cool, we will escalate internally. We&rsquo;ll make sure our trust and safety team is handling this.”</p> <p>They did get some of these accounts taken down, but I really hated the idea that I could have special access. First of all, I don&rsquo;t like that this stuff is happening, but also that I can&rsquo;t do anything about it through normal channels. I just felt like something was super broken.</p> <blockquote> <p><em>&ldquo;I don&rsquo;t like that this stuff is happening, but also that I can&rsquo;t do anything about it through normal channels.&quot;</em></p> </blockquote> <p>That was one of the catalyzing moments. The other was dealing with the stalker I mentioned earlier and going to San Francisco Police Department to try to report it. They were like: “This is not really an issue, nothing&rsquo;s happened. We&rsquo;re not going to do anything unless something happens, and he’s probably harmless anyways.”</p> <p>One of the pieces of advice I got when I started talking to more folks, including people in private security, was that it can feel really debilitating to feel like you can&rsquo;t do anything about some crazy people who have decided to target you and potentially upturn your life. But that mindset, feeling that helplessness, can actually be the worst thing. It shades everything else. You feel like you&rsquo;re completely stuck.</p> <p>But what you can do is turn it around and think about what agency you do have. In the case of a stalker, you can think about what information you’re potentially exposing. Think from their perspective. 
What can they do with the information you put out there to potentially get to you or harm you? Then, you can lock down your stuff so that doesn&rsquo;t happen.</p> <blockquote> <p><em>&ldquo;Turn it around and think about what agency you do have.&quot;</em></p> </blockquote> <p>You can be more proactive about it. You may not have full agency, you may not have full control, and it can be very frustrating, but you do have some control. For me, I took it to an extreme of starting a company around building these tools.</p> <p><strong>MF: Would you consider yourself a public figure while all of this was happening?</strong></p> <p><strong>TC:</strong> That&rsquo;s a good question. At the point that it got to the James Comey conspiracy theory, I was slightly more of a &ldquo;public figure&rdquo; because I had been doing diversity and inclusion activism for a while. I had tens of thousands, if not a hundred thousand followers on Twitter. So, a reasonable profile, but I would say even well before that, when I was a normal nobody on the internet, I got harassment and crazy stuff, too. I think that was just the experience of being a woman who is online and happening to cross paths with people who, I don&rsquo;t know, had some sort of insecurity or other issues that they were working out.</p> <p><strong>MF: The reason I ask is that I&rsquo;m assuming you were your own alpha and beta tester. Was there a moment when you knew that you were onto something?</strong></p> <p><strong>TC:</strong> It was pretty immediate. The first tool that we built was a set of anti-harassment tools on top of Twitter. 
I plugged it into my Twitter account, and I was immediately breathing a sigh of relief to not have to deal with this stuff.</p> <blockquote> <p><em>&ldquo;I was immediately breathing a sigh of relief.&quot;</em></p> </blockquote> <p>It used to be the case that I would check my Twitter to an unhealthy degree at all times of the day: walking to the grocery store, in between meetings, brushing my teeth. On a semi-regular basis, I would get nasty comments in my mentions, and sometimes it just felt like a slap in the face, seeing the nastiness aimed my way. Even if I knew that it was ridiculous, there was no grounding to it, it just feels bad to have somebody send something so nasty to you.</p> <p>I would draw an analogy to walking down the street and somebody harasses you or shouts at you. Even if you can brush it off, it&rsquo;s nothing significant, it can sit with you for a little while and it can disturb your mental peace. Once I had our automatic filtering running on Twitter, I was like: “I&rsquo;m not going to see that stuff anymore, I feel like I&rsquo;m protected.”</p> <p>The product we had then was built on top of the Twitter API – once their ownership changed, we had to put the product on hiatus. The product sorted things into a sort of spam folder, where you could still go see everything that&rsquo;s been filtered, which was important for a couple of use cases. Knowing that I had my filters on pretty strong and I could always go check things later, I didn&rsquo;t have FOMO like I might miss out. I just felt a lot better, like I had this nice little shield.</p> <p><strong>MF: I’m a parent. Does Privacy Party help me with the kids if they&rsquo;re starting to dip their toes into social media and online presence and stuff like that?</strong></p> <p><strong>TC:</strong> For sure. 
If you&rsquo;re a parent who may not know all the ins and outs of a platform that your kid wants to use, you can use Privacy Party as a guide that will walk you through the basic settings. So instead of you having to go look up everything – what is this platform, what are the settings I should know about, and what are the recommendations on what the settings should be set at – we&rsquo;ll take you through those.</p> <p>These recommendations are also good tools as conversation starters to talk about how to be a citizen online, such as what are the things that you should be paying attention to as you participate in these digital spaces.</p> <p><strong>MF: There is this opinion that social media is getting worse when it comes to privacy risks and online safety. Is that something that you agree with, or do you see it slightly differently?</strong></p> <p><strong>TC:</strong> I think it&rsquo;s hard to say definitively with data and research, because it’s so hard to measure what exactly we mean. I do think over time the trend has moved towards open and sharing and public by default.</p> <p>If I remember the earliest days of getting online, you weren&rsquo;t supposed to share your real name with strangers because it was dangerous. Now, there&rsquo;s much more of this push towards authenticity, and you share real things and real details about yourself. It’s true that if you are very authentic and share all these aspects of your life, then people can connect with you more, and we can build community online. But the flip side of that is giving up a lot of privacy.</p> <p>There are the really tricky interactions with public figures, whether they&rsquo;re celebrities or micro-influencers and their followers. 
Such as developing parasocial relationships with them, or people who shouldn&rsquo;t have access to information seeking it out and finding it.</p> <p>I think there&rsquo;s generally that cultural trend, in addition to the technical side, where living culture is somewhat defined by the technology. When platforms have defaults that are all public, that encourages a certain type of behavior. The fact that Venmo has all transactions be public by default, has invested a ton in the emojis – so it&rsquo;s kind of fun to see the transactions that are happening – it creates a certain culture around sharing. Honestly, it&rsquo;s a little wild.</p> <p><strong>MF: I only started using Venmo a couple years ago. I immediately thought: “Why is all this public? Why does everyone need to know what I&rsquo;m paying the babysitter?” It didn’t make any sense to me.</strong></p> <p><strong>TC:</strong> There are also cases that are much worse. We&rsquo;ve also heard stories from folks like someone paying their landlord on Venmo, and then getting doxed because of it. Somebody sees, oh, you&rsquo;re paying your landlord, their information is relatively public about what properties they have, then they can figure out where you live.</p> <p><strong>MF: Apps like TikTok and Instagram are normalizing “public by default”. When you and I started using the internet, we had the mindset that you should be careful and keep a tight, closed circle. For new people getting online, being public is totally normal, which can also be very dangerous.</strong></p> <p><strong>TC:</strong> I think people are encouraged to mine their personal lives to create content around everything that&rsquo;s happening. I&rsquo;ve been online with the semi-public presence for a little while now, and I&rsquo;ve been through all of this, like, what are the parts of my personal life I could create content out of? It seemed OK for a while, until it&rsquo;s not. 
Somebody knows too much about you and it can get used against you.</p> <blockquote> <p><em>&ldquo;People are encouraged to mine their personal lives to create content.&quot;</em></p> </blockquote> <p>In terms of other privacy landscape things, the fact that Europe has been pushing forward with a lot of privacy legislation and regulation does indicate to me, also, that there’s a shift in broader public perception and demands around data and privacy. The U.S. is not as far along with that, you see more patchwork regulation. California has some privacy regulation, and a few other states have introduced it.</p> <p>Legislators and regulators don&rsquo;t push stuff through unless people care about it. There’s a bit of a shift in expectations now around data and privacy, which I think is encouraging. I think the tech industry is still trying to figure out what exactly to do with all of this.</p> <blockquote> <p><em>&ldquo;There’s a bit of a shift in expectations now around data and privacy.&quot;</em></p> </blockquote> <p>I would say with something like GDPR: mixed success. I think it actually has been pretty good at getting tech companies to store less data – having a reason to store data instead of just storing by default because it could be useful in the future. But it&rsquo;s also been pretty annoying for consumers. It&rsquo;s taking a few steps forward, maybe a few steps back, as well, in user experience and expectations.</p> <p><strong>MF: Where do you think the responsibility lies for prioritization and awareness of privacy and online safety? Is that regulation? Platform vendors? I&rsquo;m sure that part of your answer will be parents and individuals themselves, but where do you think the most responsibility sits?</strong></p> <p><strong>TC:</strong> I think it&rsquo;s hard to say that it sits with one group the most. I think it has to be an ecosystem-wide effort. 
There&rsquo;s a lot of people who call on tech companies to do better and not have so many dark patterns, and not slurp from everybody&rsquo;s data, sure. But also we have to be aware of what their business incentives are, which are going to push in one direction. There&rsquo;s regulation, which has to be a part of the picture. Because if we don&rsquo;t have regulation guardrails in place, there&rsquo;s no reason for tech companies to do things that don&rsquo;t suit their bottom line.</p> <p>I think lost in this discussion about tech companies versus regulators is sometimes the role of individuals and what individual people can do. I think there’s a lot of this helplessness that people sometimes experience, because it feels so overwhelming, or that the systems and powers that be have made it so we can&rsquo;t do anything anyway, that we just stop caring.</p> <p>I would counsel against that sort of feeling of helplessness and push people to think about what agency they do have at many different levels. One is actually pushing for regulation. But I think some of what we need to see around privacy and safety is regulators forcing tech companies to allow for different experiences and better tooling for individuals to be able to insert their rights.</p> <p><strong>MF: OK, switching gears. How do you see your efforts with Privacy Party intersecting with your work in diversity and inclusion, particularly in terms of online safe spaces and marginalized communities?</strong></p> <p><strong>TC:</strong> I started off caring more about safety and privacy from the personal experiences of having been a DEI activist and experiencing some of the vitriol that came back to me around that. 
It led me to very viscerally appreciate and understand how some of the people that we most need to hear from – the activists who are going to say things that feel unpopular or are different than the status quo – will be the ones who are on the forefront of receiving negativity and abuse and harassment that is meant to silence them.</p> <p>This loss of a lot of voices and perspectives hurts all of society when our spaces online can be weaponized in this way, and people who can&rsquo;t be safe and are getting attacked just have to step away.</p> <p>It&rsquo;s not just online. If you look at the political sphere, there have been politicians who have stood down from elections because of the abuse they&rsquo;ve gotten. So even democratic representation becomes a problem. And journalism. Female journalists and journalists of color get targeted a lot more. If we don&rsquo;t solve that problem, what we end up with is, the only people left telling these stories or doing reporting come from specific demographics. Or, they have a very particular sort of personality, where they don&rsquo;t mind dealing with abuse, which is also not so great.</p> <blockquote> <p><em>&ldquo;There have been politicians who have stood down from elections because of the abuse they&rsquo;ve gotten.&quot;</em></p> </blockquote> <p>Also, apart from public figures or people who are trying to be a part of public spaces, the internet has been really important and very useful for people from marginalized communities to find each other and be able to build solidarity. When these spaces become unsafe, there&rsquo;s a big loss for people who otherwise might be able to find connection and support.</p> <p>When I look at the people who&rsquo;ve been able to help with our products at Block Party, I feel really good about helping people to stay online and take advantage of the good stuff, which is community and connection and learning, and being exposed to different perspectives. 
Also, for the people who want to, to be able to speak and have a voice so that the rest of the world can hear from them. They are more protected and can continue to do that speaking.</p> <p><strong>MF: I don&rsquo;t want to sound too cheesy, but that&rsquo;s a really beautiful point of view on all of this, it really is. It&rsquo;s also very noble.</strong></p> <p><strong>TC:</strong> I have a more optimistic view on the internet than people sometimes would expect, because they think, you must just be looking at harassment and abuse and privacy invasions and horrible things all the time. But I&rsquo;m actually very optimistic about what is possible with the internet. I personally experienced a lot of the good stuff, like having done activism work and used platforms like Twitter to get a message out, get a movement going, and meet interesting people. I see a lot of good there.</p> <p>I worked at Facebook in 2008, but it was still this early vision of, let&rsquo;s connect the world. I want us to be able to get back to that promise of the internet, to all the good stuff, by cleaning up the bad, so people don&rsquo;t have to throw out the good with the bad.</p> <p><strong>MF: For anyone listening who would love to give Privacy Party a try or learn more about your work, where should they go?</strong></p> <p><strong>TC:</strong> This is so ironic because, in the name of trying to advance privacy for other people, I need to be very not private myself. 
You can find information about Privacy Party at <a href="https://www.blockpartyapp.com/#privacyparty/">privacypartyapp.com</a>, and I am online in most places, including <a href="https://x.com/triketora">Twitter</a> and <a href="https://www.linkedin.com/in/triketora/">LinkedIn</a> as Triketora, which is a made-up word from the era of the internet where we were not supposed to use our name.</p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Subscribe to Random but Memorable</h3> <p class="c-call-to-action-box__text"> Listen to the latest news, tips and advice to level up your security game, as well as guest interviews with leaders from the security community. </p> <a href="https://randombutmemorable.simplecast.com/" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Subscribe to our podcast </a> </div> </section></description></item><item><title>How to start managing developer secrets with 1Password and Pulumi</title><link>https://blog.1password.com/1password-pulumi-developer-secrets-guide/</link><pubDate>Tue, 03 Sep 2024 00:00:00 +0000</pubDate><author>info@1password.com (Diana Esteves)</author><guid>https://blog.1password.com/1password-pulumi-developer-secrets-guide/</guid><description> <img src='https://blog.1password.com/posts/2024/1password-pulumi-developer-secrets-guide/header.png' class='webfeedsFeaturedVisual' alt='How to start managing developer secrets with 1Password and Pulumi' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Managing developer secrets in a simple and secure way is crucial. 
It makes your developers more efficient, prevents data breaches, and ensures everyone adheres to your organization&rsquo;s policies.</p> <p>Together, 1Password Developer and Pulumi offer a code-driven approach to tackling secret management challenges.</p> <p>In this guide, we’ll show you how to use <a href="https://www.pulumi.com/docs/esc/">Pulumi ESC</a> (Environments, Secrets, and Configuration) and 1Password together to have a consistent interface for working with secrets, all while following security best practices.</p> <img src='https://blog.1password.com/posts/2024/1password-pulumi-developer-secrets-guide/1password-pulumi-diagram.jpg' alt='A diagram showing what three teams have access to across 1Password, Pulumi, and Google Cloud.' title='A diagram showing what three teams have access to across 1Password, Pulumi, and Google Cloud.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>You&rsquo;ll learn how to declare your 1Password resources (vaults, secrets, and service accounts) using Pulumi IaC (<a href="https://www.pulumi.com/what-is/what-is-infrastructure-as-code/">Infrastructure as Code</a>) and manage the lifecycle via automated and consistent workflows, aligning with DevOps best practices.</p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Webinar: Managing team secrets with 1Password and Pulumi ESC</h3> <p class="c-call-to-action-box__text"> Enable approved team members or pipelines to automatically retrieve secrets at runtime for multi-cloud, multi-service environments. Join our webinar on September 25th to learn more! 
</p> <a href="https://www.pulumi.com/resources/managing-team-secrets-with-1password-pulumi-esc/?utm_source=1Password&amp;utm_medium=member_desktop&amp;utm_campaign=workshop" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Register for the webinar </a> </div> </section> <h2 id="what-is-pulumi-esc">What is Pulumi ESC?</h2> <p>Pulumi ESC is a centralized management solution for secrets and configurations. It is offered as part of <a href="https://app.pulumi.com/">Pulumi Cloud</a> and consolidates various secret managers under a single umbrella, providing a unified consumption interface. For instance, you can use 1Password as your single source of truth to store all your secrets and make them consistently available across all environments via Pulumi ESC.</p> <p>In Pulumi ESC, you organize your secrets and configurations into collections called &ldquo;Environments&rdquo;. Environments can be defined via a YAML/Table editor in the browser, the SDK, or the CLI. Here&rsquo;s an example of an ESC Environment:</p> <pre tabindex="0"><code>imports:
  - pulumi-esc-dev
  - oidc-gcp
values:
  1password:
    secrets:
      fn::open::1password-secrets:
        login:
          # prod-vault-read-service-account
          serviceAccountToken:
            fn::secret:
              ciphertext: ZXN...
        get:
          docker_usr:
            ref: &quot;op://prod-vault/docker/username&quot;
          docker_pat:
            ref: &quot;op://prod-vault/docker/credential&quot;
          cloudflare_token:
            ref: &quot;op://prod-vault/cloudflare/credential&quot;
          cloudflare_zone:
            ref: &quot;op://prod-vault/cloudflare/zone&quot;
          cloudflare_domain:
            ref: &quot;op://prod-vault/cloudflare/username&quot;
          # same name overrides inherited ones
          google_oauth_client_id:
            ref: &quot;op://prod-vault/google-oauth/username&quot;
          google_oauth_client_secret:
            ref: &quot;op://prod-vault/google-oauth/credential&quot;
  environmentVariables:
    DOCKER_PAT: ${1password.secrets.docker_pat}
    DOCKER_USR: ${1password.secrets.docker_usr}
    GOOGLE_OAUTH_CLIENT_ID: ${1password.secrets.google_oauth_client_id}
    GOOGLE_OAUTH_CLIENT_SECRET: ${1password.secrets.google_oauth_client_secret}
    CLOUDFLARE_API_TOKEN: ${1password.secrets.cloudflare_token}
    CLOUDFLARE_ZONE: ${1password.secrets.cloudflare_zone}
    CLOUDFLARE_DOMAIN: ${1password.secrets.cloudflare_domain}
</code></pre><p>With Pulumi ESC, you gain access to:</p> <ul> <li><strong>Centralization</strong>. Manage secret sprawl with a uniform consumption interface for your applications and infrastructure.</li> <li><strong>Hierarchy</strong>. Reference secrets and configurations defined in other ESC Environments, even if stored across multiple 1Password vaults.</li> <li><strong>Short-term credentials</strong>. Configure OpenID Connect for AWS, Google Cloud, and Azure.</li> </ul> <p>ESC simplifies secret management across diverse cloud infrastructures, enhances security, and streamlines operations for modern DevOps teams.</p> <h2 id="how-to-configure-pulumi-esc-with-1password">How to configure Pulumi ESC with 1Password</h2> <p>Next, we’ll show you how to connect Pulumi ESC with 1Password. You&rsquo;ll learn to set up and use 1Password as a secure storage for your secrets. We&rsquo;ll cover the basic steps to link these tools, making your secret management easier and safer. 
By the end, you&rsquo;ll be ready to use 1Password and Pulumi ESC in your projects.</p> <h3 id="before-you-start">Before you start</h3> <ul> <li>A 1Password account. You can <a href="https://1password.com/pricing">sign up</a> or <a href="https://start.1password.com/signin?l=en">sign in</a> with any account (Individual, Family, Teams, or Business).</li> <li>A Pulumi Cloud account. You can <a href="https://app.pulumi.com/">sign up for a free individual account</a>.</li> </ul> <h3 id="configurations">Configurations</h3> <p>You can complete the 1Password configuration using the 1Password CLI, 1Password desktop app, or the browser. You will need:</p> <ul> <li>A 1Password vault.</li> <li>A Service Account with read access to the vault. <a href="https://developer.1password.com/docs/service-accounts/get-started">Read 1Password’s guide on how to create one</a>.</li> <li>An &ldquo;API Credential&rdquo; item such as: <ul> <li>username: my-api-key-name</li> <li>password: my-api-key-value</li> </ul> </li> </ul> <p>Pulumi ESC Providers let you dynamically import secrets and configurations into your Environment. To configure the Pulumi ESC 1Password Provider, <a href="https://www.pulumi.com/docs/esc/get-started/create-environment/#create-an-environment">create a new ESC Environment</a> and add the following definition to your ESC Environment:</p> <pre tabindex="0"><code>values:
  1password:
    secrets:
      fn::open::1password-secrets:
        login:
          serviceAccountToken:
            fn::secret: ops_YOUR_SA_TOKEN
        get:
          k:
            ref: &quot;op://buzz-dev/API Credential/username&quot;
          v:
            ref: &quot;op://buzz-dev/API Credential/credential&quot;
  environmentVariables:
    KEY: ${1password.secrets.k}
    VALUE: ${1password.secrets.v}
</code></pre><p>Make sure to substitute <strong><code>ops_YOUR_SA_TOKEN</code></strong> with the 1Password Service Account token.</p> <p>Lastly, <a href="https://www.pulumi.com/docs/pulumi-cloud/access-management/access-tokens/#creating-personal-access-tokens">you&rsquo;ll need to create a Pulumi Access token</a> to access the newly created ESC Environment programmatically. You can <a href="https://www.pulumi.com/docs/esc/environments/#setting-up-access-to-environments">restrict access to the ESC Environment with RBAC</a> if you&rsquo;re on one of Pulumi’s enterprise or business-critical tiers. <a href="https://www.pulumi.com/docs/esc/providers/1password-secrets/">Learn more about all the 1Password Provider options</a>.</p> <h2 id="using-pulumi-esc-to-access-1password-secrets-and-more">Using Pulumi ESC to access 1Password secrets and more</h2> <p>The following scenario assumes you have configured 1Password and Pulumi. You&rsquo;ve followed the configuration steps and are ready to start developing your application named Buzz.</p> <h3 id="environment-variables-in-a-golang-web-app">Environment variables in a Golang web app</h3> <p>Buzz is a Golang web application that requires Google OAuth 2.0 and a Gemini key. Once the user is logged in, Buzz takes in a string input and spells out each letter. This is done by sending the input to Gemini. 
For example, the input &ldquo;hello&rdquo; would result in &ldquo;Hotel, Echo, Lima, Lima, Oscar&rdquo;. All the code is available in the <a href="https://github.com/desteves/buzz/tree/main">Buzz GitHub repository</a>. Here is a screenshot of the Buzz application after a user signs in and enters &ldquo;pulumi&rdquo; as the input:</p> <img src='https://blog.1password.com/posts/2024/1password-pulumi-developer-secrets-guide/pulumi-buzz-application.png' alt='A screenshot of the Buzz application after a user signs in and enters &#39;pulumi&#39; as the input.' title='A screenshot of the Buzz application after a user signs in and enters &#39;pulumi&#39; as the input.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <h3 id="develop-the-application">Develop the application</h3> <p>The first step towards having a secure development environment is to avoid storing secrets as environment variables. To start, let&rsquo;s jump into the following scenario: you are now developing the Buzz Golang web application in your local environment. Here are code snippets for the app:</p> <pre tabindex="0"><code>var googleOauthConfig = &amp;oauth2.Config{
	ClientID:     os.Getenv(&quot;GOOGLE_OAUTH_CLIENT_ID&quot;),
	ClientSecret: os.Getenv(&quot;GOOGLE_OAUTH_CLIENT_SECRET&quot;),
	Scopes:       []string{&quot;https://www.googleapis.com/auth/userinfo.email&quot;, &quot;https://www.googleapis.com/auth/userinfo.profile&quot;},
	Endpoint:     google.Endpoint,
}

//... other code

client, err := genai.NewClient(ctx, option.WithAPIKey(os.Getenv(&quot;GEMINI_API_KEY&quot;)))
</code></pre><p>Traditionally, you would define local environment variables in a file or load them onto a terminal session to test the code. However, in this instance, you want to follow best practices and thus not have any locally stored environment variables. 
Instead, 1Password and ESC are configured so you can load the needed variables at <em>runtime</em>.</p> <pre tabindex="0"><code># sans secrets management, expected to fail as env vars not set 😢
$ go run main.go
2024/08/11 14:32:09 Starting HTTP Server. Listening at &quot;:8000&quot;
Missing required parameter: client_id
Error 400: invalid_request
</code></pre><h3 id="add-google-oauth-and-a-gemini-key-to-1password">Add Google OAuth and a Gemini Key to 1Password</h3> <p>Now to begin configuring 1Password and ESC, you or a platform engineer adds Google OAuth 2.0 credentials and a Gemini API Key to the 1Password development vault.</p> <img src='https://blog.1password.com/posts/2024/1password-pulumi-developer-secrets-guide/1password-pulumi-dev-vault.png' alt='An item titled &#39;google-oauth&#39; saved in a 1Password vault titled &#39;dev-vault&#39;.' title='An item titled &#39;google-oauth&#39; saved in a 1Password vault titled &#39;dev-vault&#39;.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <h3 id="configure-pulumi-esc-to-access-the-1password-secrets">Configure Pulumi ESC to access the 1Password secrets</h3> <p>Next, you need to create a Pulumi ESC Environment to fetch the 1Password-stored credentials. This is done with the Pulumi ESC 1Password provider, as shown below. 
Learn more about the <a href="https://developer.1password.com/docs/cli/secret-reference-syntax/">secret reference syntax</a>.</p> <pre tabindex="0"><code>values:
  1password:
    secrets:
      fn::open::1password-secrets:
        login:
          # dev-vault-read-service-account
          serviceAccountToken:
            fn::secret: ops_YOUR_SA_TOKEN
        get:
          google_oauth_client_id:
            ref: &quot;op://dev-vault/google-oauth/username&quot;
          google_oauth_client_secret:
            ref: &quot;op://dev-vault/google-oauth/credential&quot;
          gemini:
            ref: &quot;op://dev-vault/google-gemini/credential&quot;
  environmentVariables:
    GOOGLE_OAUTH_CLIENT_ID: ${1password.secrets.google_oauth_client_id}
    GOOGLE_OAUTH_CLIENT_SECRET: ${1password.secrets.google_oauth_client_secret}
    GEMINI_API_KEY: ${1password.secrets.gemini}
</code></pre><h3 id="test-the-application">Test the application</h3> <p>With the configuration in place, you can now go back to your development environment and retrieve 1Password-stored credentials at runtime using the <a href="https://www.pulumi.com/docs/install/esc/">ESC CLI</a>. The secrets are loaded as environment variables so there is no need to make any code changes to adopt this security best practice.</p> <pre tabindex="0"><code># with pulumi esc + 1password integration ✨🔐✨
$ esc login
$ esc run pulumi-esc-dev go run main.go
2024/08/11 14:32:09 Starting HTTP Server. Listening at &quot;:8000&quot;
</code></pre><p>In addition, the Pulumi access token given to the developer can be restricted to the pulumi-esc-dev ESC Environment only, and all of its activity can be audited:</p> <img src='https://blog.1password.com/posts/2024/1password-pulumi-developer-secrets-guide/pulumi-audit-logs.png' alt='A section of Pulumi titled &#39;Audit Logs&#39;.' title='A section of Pulumi titled &#39;Audit Logs&#39;.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <h2 id="next-steps">Next steps</h2> <p>In this blog post, you’ve learned how Pulumi ESC can enhance security across diverse development environments. 
Pulumi ESC provides a uniform solution regardless of where secrets are stored. This approach simplifies secret management, ensures appropriate permissions, and reduces potential vulnerabilities associated with traditional storage methods.</p> <p>In particular, we&rsquo;ve covered the manual creation of 1Password Service Accounts, vaults, and secret items and how to use them in a Golang application.</p> <p>We encourage you to dive into the above capabilities and discover how to enhance your workflows and security practices!</p></description></item><item><title>The 10-minute guide to SOC 1 vs. SOC 2</title><link>https://blog.1password.com/10-minute-guide-to-soc-1-vs-soc-2/</link><pubDate>Mon, 02 Sep 2024 00:00:00 +0000</pubDate><author>info@1password.com (Kenny Najarro)</author><guid>https://blog.1password.com/10-minute-guide-to-soc-1-vs-soc-2/</guid><description> <img src='https://blog.1password.com/posts/2024/10-minute-guide-to-soc-1-vs-soc-2/header.png' class='webfeedsFeaturedVisual' alt='The 10-minute guide to SOC 1 vs. 
SOC 2' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">For companies looking to get SOC 1 or 2 compliant, it can be hard to find out where to start, so we&rsquo;re providing a straightforward guide to the ins and outs of SOC audits.</p> <p>Chances are, if you clicked on this blog post, something like this recently happened to you:</p> <ul> <li> <p>Your boss told you that your company needs to become SOC 1 and/or 2 compliant.</p> </li> <li> <p>You googled &ldquo;what are SOC audits?&rdquo;</p> </li> <li> <p>You quickly realized that you weren&rsquo;t sure if your boss meant SOC 1 Type 2, SOC 2 Type 1, or something else altogether.</p> </li> </ul> <p>Not to worry, we&rsquo;re here to demystify and simplify this SEO mess and help you figure out which type of audit your organization needs.</p> <p>So, what the heck is a <a href="https://www.aicpa-cima.com/resources/landing/system-and-organization-controls-soc-suite-of-services">SOC audit</a>? To put it in plain English, SOC audits are independent audits, designed by the American Institute of CPAs (AICPA), that assess how service providers manage risk. Having a SOC certification tells prospective customers that an organization has the appropriate processes and safeguards in place to operate responsibly.</p> <p>The difference is in what each report looks at, which broadly comes down to financial reporting (SOC 1) vs data security (SOC 2). 
We&rsquo;ll borrow the AICPA&rsquo;s own language to define them further:</p> <ul> <li> <p><a href="https://us.aicpa.org/interestareas/frc/assuranceadvisoryservices/aicpasoc1report.html">SOC 1:</a> Report on Controls at a Service Organization Relevant to User Entities' Internal Control over Financial Reporting (ICFR)</p> </li> <li> <p><a href="https://www.aicpa-cima.com/topic/audit-assurance/audit-and-assurance-greater-than-soc-2">SOC 2:</a> Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy</p> </li> </ul> <p>Before we look at both versions in more detail, you may have heard that each audit has two &ldquo;types.&rdquo; Thankfully, the idea behind Type 1 and 2 is basically the same for each audit.</p> <ul> <li> <p><a href="https://us.aicpa.org/interestareas/frc/assuranceadvisoryservices/aicpasoc1report.html">Type 1</a> reports on how accurately a service organization describes its system, and how well its controls are designed to achieve its control objectives at a <em>specific point in time</em>.</p> </li> <li> <p><a href="https://us.aicpa.org/interestareas/frc/assuranceadvisoryservices/aicpasoc1report.html">Type 2</a> reports on all of the above, plus the effectiveness of controls, <em>over a period of time</em>.</p> </li> </ul> <p>Most companies get a Type 1 audit first, and then get regular Type 2 follow-ups to maintain their certification.</p> <p>Now that we&rsquo;ve gone over the basics, let&rsquo;s dig into each audit and figure out whether your company may need SOC 1, SOC 2, or for those very special folks – both!</p> <h2 id="what-is-soc-1">What is SOC 1?</h2> <p>A typical SOC 1 definition goes something like this: A <a href="https://us.aicpa.org/interestareas/frc/assuranceadvisoryservices/aicpasoc1report.html">SOC 1</a> audit is a report that evaluates a service provider&rsquo;s internal controls over financial reporting (ICFR) that may impact its customers' financial statements 
and reports.</p> <p>After wading through that sentence, let&rsquo;s all let out a collective &ldquo;&hellip;<em>what?</em>&rdquo;</p> <p>Time to break it down piece by piece.</p> <p>First, let&rsquo;s address those &ldquo;internal controls&rdquo; pertaining to financial reporting. They are policies and procedures designed to prevent, mitigate, and/or detect accounting errors and fraud. But what those controls look like isn&rsquo;t the same for every SOC 1 report.</p> <p>Let&rsquo;s compare two very different examples of SOC 1 reports: <a href="https://www.scribd.com/document/440750485/Vertex-Inc-2019-SOC-1-Type-2-Report">Vertex Inc.&rsquo;s</a> and <a href="https://www.ingham.com/wp-content/uploads/2019_Ingham_SOC_1_Type_2_Draft_Report_Final.pdf">Ingham Retirement Group&rsquo;s</a> Type 2 reports.</p> <p>While they are the same audit and type, these businesses do not offer similar services. Vertex Inc. offers cloud tax compliance software, while Ingham acts as an employee benefit firm providing consulting and administrative services.</p> <p>In the audit, Vertex Inc. is concerned with access controls to sensitive data, as well as the physical security of its third-party data center and physical cloud hosting facilities, while Ingham deals more directly with the collection, distribution, and storage of financial information. 
Their SOC 1 control objectives reflect the distinction in services.</p> <p>For Vertex Inc., some of their control objectives - taken directly from their report - <a href="https://www.scribd.com/document/440750485/Vertex-Inc-2019-SOC-1-Type-2-Report">include</a>:</p> <ul> <li> <p>Physical Security</p> </li> <li> <p>Data Transmission Security</p> </li> <li> <p>Backup Management, Issues And Change Management</p> </li> <li> <p>Logical Access Control</p> </li> </ul> <p>For Ingham, some of their control objectives - taken directly from their <a href="https://www.ingham.com/wp-content/uploads/2019_Ingham_SOC_1_Type_2_Draft_Report_Final.pdf">report</a> - are as follows:</p> <ul> <li> <p>Contribution and Loan Repayment Processing</p> </li> <li> <p>Distribution Processing, Loan Processing</p> </li> <li> <p>Trading</p> </li> <li> <p>Dividends</p> </li> </ul> <p>You can go to each report to find out what each control objective sets out to do in great detail, but for our purposes they are plenty descriptive. Ingham&rsquo;s control objectives focus on loans, trades, reconciliations, and data management, while Vertex&rsquo;s emphasize physical and environmental security.</p> <p>That said, when distilled, all control objectives are about the same thing: anticipating and managing risk, whatever that looks like for an individual company.</p> <p>Think of it this way: if you&rsquo;re going to hire a babysitter so you can enjoy a much-needed night out, you want to make sure the person you hire has a CPR certification, recognizes your children&rsquo;s allergies, and knows how to get in touch with you. 
SOC 1 establishes the same sort of baseline, but for a service provider, so other businesses know they can trust them with what they hold dearest: their money.</p> <h3 id="does-your-company-need-soc-1">Does your company need SOC 1?</h3> <p>Now that we&rsquo;ve established a cursory understanding of what a SOC 1 audit is, the next step is figuring out whether it&rsquo;s relevant to your business.</p> <p>There&rsquo;s really only one reason companies go through a SOC 1 audit: to close deals faster by showing their current and prospective clients that they&rsquo;re trustworthy. An audit report can speed up due diligence, but it has internal value too. The audit process forces service providers to assess and codify their own processes and identify weaknesses.</p> <p>Below you will find types of businesses that might need a SOC 1 audit. They can include, but are not limited to:</p> <ul> <li> <p>Payroll Processing</p> </li> <li> <p>Trust Departments (a division or an associated company of a commercial bank)</p> </li> <li> <p>Registered Investment Advisors</p> </li> <li> <p>Employee Benefit or Retirement Plan Operators</p> </li> <li> <p>Loan Servicers</p> </li> <li> <p>Financial Services</p> </li> </ul> <blockquote> <p>You&rsquo;re halfway through the article! I know it&rsquo;s a lot to absorb, so this is a good moment to take a sip of whatever you&rsquo;re reading this with, answer that text, or watch a TikTok. Still there? Alright, back to the show.</p> </blockquote> <h2 id="what-is-soc-2">What is SOC 2?</h2> <p>A SOC 2 audit has a broader scope than SOC 1. &ldquo;On what?&rdquo; you may ask. Good question. 
The cloud (to be read in the voice of the <a href="https://youtu.be/o31UcPeiUCc">little green aliens from Toy Story</a>) and the data it stores.</p> <p>Here&rsquo;s a thorough definition, courtesy of the <a href="https://www.aicpa-cima.com/topic/audit-assurance/audit-and-assurance-greater-than-soc-2">AICPA</a>: &ldquo;SOC 2 reports are intended to meet the needs of a broad range of users that need detailed information and assurance about the controls at a service organization relevant to security, availability, and processing integrity of the systems the service organization uses to process users' data and the confidentiality and privacy of the information processed by these systems.&rdquo;</p> <p>Once again, let&rsquo;s all let out a collective &ldquo;&hellip;<em>what?</em>&rdquo; Stay the course, we&rsquo;re breaking this one down as well.</p> <p>First, it&rsquo;s important to know that the AICPA assesses SOC 2 controls through the lens of five categories known as the <a href="https://us.aicpa.org/content/dam/aicpa/interestareas/frc/assuranceadvisoryservices/downloadabledocuments/soc2_csa_ccm_report.pdf">Trust Service Principles</a>. 
They are as follows:</p> <ul> <li> <p>Security: &ldquo;Information and systems are protected against unauthorized access, unauthorized disclosure of information, and damage to systems that could compromise the availability, integrity, confidentiality, and privacy of information or systems&hellip;&rdquo;</p> </li> <li> <p>Availability: &ldquo;&hellip;systems are available for operation and use to meet the entity&rsquo;s objectives.&rdquo;</p> </li> <li> <p>Processing integrity: &ldquo;System processing is complete, valid, accurate, timely, and authorized&hellip;&rdquo;</p> </li> <li> <p>Confidentiality: &ldquo;Information designated as confidential is protected&hellip;&rdquo;</p> </li> <li> <p>Privacy: This &ldquo;&hellip;addresses requirements regarding collection, use, retention, disclosure, and disposal of personal information.&rdquo;</p> </li> </ul> <p>Think of these principles as gears in a machine – if one is ignored, then the rest are liable to stop working as well. For example, if an organization&rsquo;s cybersecurity is lax, then they can&rsquo;t fulfill their commitment to privacy, since sensitive information could be exposed in a security breach.</p> <p>1Password had to make sure that the &ldquo;gears&rdquo; were in motion <a href="https://blog.1password.com/a-1password-journey-through-soc2/">when we were becoming SOC 2 compliant</a>. Even though our product assists us (and our clients) with information security and privacy by protecting passwords, it was only a piece to the SOC 2 puzzle. 
We also had to document our confidentiality policies, prove we had MFA enabled, and <a href="https://1password.com/resources/soc2/?utm_ref=soc">a host of other things</a>.</p> <p>Let&rsquo;s take a look at <a href="https://www.scribd.com/document/588755635/ionlake-SOC2-Type2">ionLake&rsquo;s 2019 SOC 2, Type 2 report</a> as another example.</p> <p>ionLake is a text communication tool for businesses, and its audit was specifically concerned with its hosted customer service system:</p> <ul> <li> <p>Policies – Defines and documents policies for the security of its systems.</p> <ul> <li>Examples include: identifying and documenting the security requirements of authorized users; assessing risks on a periodic basis; preventing unauthorized access; assigning responsibility and accountability for system security; providing training and other resources to support its system security policies.</li> </ul> </li> <li> <p>Communications – Communicates its defined system security policies to responsible parties and authorized users.</p> <ul> <li>Examples of these communications include: informing authorized users about breaches of the system security and submitting complaints; communicating changes to system security management and affected users.</li> </ul> </li> <li> <p>Procedures – Operating procedures to achieve its system security objectives, in accordance with its defined policies.</p> <ul> <li>Examples of these procedures include: routinely identifying potential threats of disruption to system operation that would impair system security commitments; assessing the risks associated with the identified threats; logical access security measures to restrict access to information resources not deemed to be public; 
identification and authentication of users; registration and authorization of new users.</li> </ul> </li> <li> <p>Monitoring – Monitoring the system and taking action to maintain compliance with its defined system security policies.</p> <ul> <li>An example of this policy includes: system security is periodically reviewed and compared with the defined system security policies.</li> </ul> </li> </ul> <p>As ionLake is a fully remote business, they were not observed nor tested for internal controls such as the Environmental and Physical Security of data.</p> <p>You&rsquo;ve probably noticed that there&rsquo;s a fair amount of overlap between SOC 1 and SOC 2, especially when it comes to security, so organizations that get both audits can use some of the same documentation.</p> <h3 id="does-your-company-need-soc-2">Does your company need SOC 2?</h3> <p>At this point, most B2B companies are collecting customer data, so interest is rising. But as Ed Garner, <a href="https://www.newenglandsp.com/">SOC 2 compliance consultant and CEO of New England Safety Partners</a>, told us: &ldquo;It&rsquo;s really important to have a legitimate driver to do it, because it is an expensive and pedantic process.&rdquo;</p> <p>Here&rsquo;s a brief list of businesses that are most likely to need a SOC 2 audit:</p> <ul> <li> <p>Document Management</p> </li> <li> <p>Healthcare</p> </li> <li> <p>Information Technology</p> </li> <li> <p>Data Center co-locations</p> </li> <li> <p>Software as a Service (SaaS) providers</p> </li> <li> <p>Cloud Service Providers</p> </li> <li> <p>Managed IT Services</p> </li> <li> <p>Digital Marketing Firms</p> </li> </ul> <p>The evolution of data collection and management alongside the evolution of breaches and cyber crime make the SOC 2 audit all the more relevant. Take a SaaS company like Salesforce. As a cloud-based CRM, Salesforce manages important data that its clients do not want to share with the world. 
If Salesforce did not have procedures, policies, in place to prevent and mitigate risks such as data breaches, customers (especially on the enterprise level) would balk at using their services.</p> <p>But, what&rsquo;s important to note is that getting a SOC 2 audit doesn&rsquo;t guarantee zero chance of a data breach. A SOC 2 audit simply proves that you have processes in place to mitigate potential risks, and that you consider the security ramifications of every decision.</p> <h2 id="what-companies-need-both-soc-1-and-soc-2">What companies need both SOC 1 and SOC 2?</h2> <p>If you&rsquo;ve read down this far and thought to yourself: &ldquo;My company fits into both categories,&rdquo; then <em>ding, ding, ding</em>. You&rsquo;re the lucky winner of getting SOC&rsquo;d not once, but twice.</p> <p>With the evolution of business, especially SaaS companies, there has been the creation of a special bucket of entities that reside in the in between of financial-related institutions and data collectors. These types of businesses can include:</p> <ul> <li> <p>Service Providers</p> </li> <li> <p>Accounts Receivable</p> </li> <li> <p>Collections Services</p> </li> <li> <p>Colocation and Managed Services</p> </li> <li> <p>Financial Software as a Service</p> </li> </ul> <p>For an example of a company with both SOC 1 and SOC 2 certifications, let&rsquo;s look at Oracle Retail, a suite of SaaS solutions for (you guessed it) retailers. This portfolio includes point-of-sale hardware that handles transactions, inventory and supply chain management, and marketing. 
Oracle Retail&rsquo;s mix of financial services and general business services make them a good fit for both audits.</p> <h2 id="found-the-matching-soc">Found the matching SOC?</h2> <p>Audits aren&rsquo;t what most people would classify as &ldquo;fun.&rdquo; The words more commonly associated with them would be &ldquo;frustrating,&rdquo; &ldquo;painstaking,&rdquo; or &ldquo;miserable.&rdquo; But they are necessary to provide a sense of security to your clients and your team.</p> <p>If you&rsquo;re on the journey to become SOC compliant, you will need to document every process and procedure that falls within the audit&rsquo;s scope. And that absolutely includes the health and security of your apps, passwords, and devices. Tools like <a href="https://blog.1password.com/introducing-extended-access-management/">1Password® Extended Access Management</a> make that easier.</p> <p>1Password Extended Access Management&rsquo;s <a href="https://blog.1password.com/what-is-device-trust/">Device Trust</a> offering provides visibility to your devices' health, empowers employees to solve device issues on their own, and gives you real-time compliance data that you can show auditors.</p> <img src='https://blog.1password.com/posts/2024/10-minute-guide-to-soc-1-vs-soc-2/kolide-checks-example.png' alt='A screenshot of 1Password XAM checks.' title='A screenshot of 1Password XAM checks.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>That said, a SOC audit process is still a long and arduous process. But hopefully this blog post has helped you figure out where you need to start.</p> <p>May the paperwork be easy to find, the systems working as they should, and the auditor sympathetic. 
Godspeed.</p> <p><em>To learn more about how 1Password Extended Access Management could help on your compliance journey, <a href="https://1password.com/contact-sales/xam">reach out for a demo!</a></em></p></description></item><item><title>The employee's guide to Slack's privacy policy</title><link>https://blog.1password.com/employees-guide-to-slacks-privacy-policy/</link><pubDate>Mon, 02 Sep 2024 00:00:00 +0000</pubDate><author>info@1password.com (Elaine Atwell & Nick Moore)</author><guid>https://blog.1password.com/employees-guide-to-slacks-privacy-policy/</guid><description> <img src='https://blog.1password.com/posts/2024/employees-guide-to-slacks-privacy-policy/header.png' class='webfeedsFeaturedVisual' alt='The employee's guide to Slack's privacy policy' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">We&rsquo;re trying to answer all the privacy questions employees might have around their company&rsquo;s ability to view messages and data within Slack.</p> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div class="c-technical-aside-box__description"> <p>Note to readers: This article was originally written in late 2022, and includes a description of the experience of requesting data exports from Slack. We&rsquo;ve done our best to update information, but the experience of directly requesting data from Slack may have changed since our original experiment.</p> </div> </aside> <p>So here&rsquo;s the headline: Your boss can read your Slack DMs. Even if you edit them. Even if you delete them. Even if you leave the company.</p> <p>But even if you&rsquo;re already dimly aware of that fact, you probably don&rsquo;t know how the process of accessing your data works in practice.</p> <p>Unfortunately, you won&rsquo;t learn much about that from <a href="https://slack.com/trust/privacy/privacy-policy">Slack&rsquo;s privacy policy</a>. 
That document exceeds 5,000 words, includes 15 subsections, and primarily addresses how Slack itself manages data. (It&rsquo;s pretty boilerplate stuff.)</p> <p>For the average employee, the most pressing concern isn&rsquo;t what Slack itself is doing with their DMs; it&rsquo;s what their boss is doing. Employees have questions, such as:</p> <ul> <li> <p>What kinds of data does Slack collect and share with employers?</p> </li> <li> <p>Who at your organization is allowed to access DMs and private channels?</p> </li> <li> <p>Does Slack have privacy guardrails to prevent abuse?</p> </li> <li> <p>Can employers peek inside private conversations on a whim, or do they need to show a valid cause?</p> </li> </ul> <p>The answers to these questions matter because they impact how we behave and what we feel comfortable talking about on Slack. Slack sits at the crossroads of two major trends: a growing labor movement and the rise of remote work, so it&rsquo;s vital that employees know how to communicate safely and responsibly with coworkers.</p> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div class="c-technical-aside-box__description"> <p>Don&rsquo;t have time for the whole article? 
Feel free to <a href="https://blog.1password.com/employees-guide-to-slacks-privacy-policy/#faq">skip ahead to the FAQ</a>.</p> </div> </aside> <h2 id="slacks-approach-to-data-privacy">Slack&rsquo;s approach to data privacy</h2> <p>The first thing you need to understand is that Slack&rsquo;s privacy policies are designed to meet the needs of its customers, which are employers, not employees.</p> <p>The <a href="https://slack.com/trust/privacy-at-slack">&ldquo;Privacy at Slack&rdquo; landing page</a>, for example, states that &ldquo;customer trust is at the forefront of everything we do&rdquo; and that &ldquo;you own and control the content within your Slack workspace.&rdquo; This sounds nice, but it&rsquo;s important to keep in mind that in most cases (outside of community-run Slack instances), the &ldquo;you&rdquo; they&rsquo;re talking to is an employer. Legally, Slack considers itself to be a <a href="https://commission.europa.eu/law/law-topic/data-protection/reform/rules-business-and-organisations/obligations/controllerprocessor/what-data-controller-or-data-processor_en">&ldquo;processor&rdquo; of data, while the customer – your employer – is the data&rsquo;s &ldquo;controller.&rdquo;</a></p> <p>This framework is essential both to interpreting Slack&rsquo;s messaging and to understanding how Slack prioritizes the needs of employers versus employees.</p> <h2 id="employer-access-to-slack-data-varies-by-pricing-tier">Employer access to Slack data varies by pricing tier</h2> <p>In theory, Slack allows all workspace owners to request access to private channels and DMs. Slack provides some oversight to prevent abuse, but ultimately, employers are the data&rsquo;s &ldquo;controllers.&rdquo;</p> <p>However, when you dig into Slack&rsquo;s help documentation, you find that Slack&rsquo;s level of oversight is not universal, and varies depending on a workspace&rsquo;s pricing tier. 
In other words: employers have more access to employee data if they pay more for Slack.</p> <img src='https://blog.1password.com/posts/2024/employees-guide-to-slacks-privacy-policy/slack-data-policy.png' alt='A screenshot of slack&#39;s data policy.' title='A screenshot of slack&#39;s data policy.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p><a href="https://slack.com/help/articles/201658943-Export-your-workspace-data#enterprise-grid-plan-1">Source: Slack.com</a></p> <p>There are some valid reasons for not taking a one-size-fits-all approach to privacy. For instance, certain highly-regulated companies and industries are required to maintain records of all internal communications in case of an audit. However, Slack&rsquo;s employee-facing information neglects to explain this crucial context. On top of that, there are contradictions in Slack&rsquo;s own documentation, and we found significant differences between Slack&rsquo;s published policies and our own experience in requesting a data export.</p> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div class="c-technical-aside-box__description"> Before reading on, you can check which plan your employer uses by clicking the dropdown menu on the left-hand side of your workspace&rsquo;s web app, or by going to https://<strong>[YourWorkspaceHere]</strong>.slack.com/account/workspace-settings#overview. 
</div> </aside> <h3 id="free-and-pro-plans-limit-data-access">Free and Pro plans limit data access</h3> <p>Employers using the Free and Pro plans can access and export data from public channels, including links to files but not the files themselves.</p> <p>If employers using a Free or Pro plan want access to private channels and direct messages, they <a href="https://slack.com/help/articles/204897248-Guide-to-Slack-import-and-export-tools#export-overview">must ask Slack directly</a>, and Slack will only provide the data &ldquo;under limited circumstances.&rdquo;</p> <p>Slack claims &ldquo;we will reject applications&rdquo; unless Workspace Owners can show they meet one of the following criteria:</p> <ol> <li> <p>A valid legal process</p> </li> <li> <p>The consent of members</p> </li> <li> <p>A requirement or right under the law</p> </li> </ol> <p>If an employer&rsquo;s request is approved at one of these tiers, they&rsquo;ll receive a one-time export of data from all channels, delivered as a JSON file. At the Enterprise Grid account level, data can be exported via either JSON or TXT format. Whereas every other export would only include file links, TXT includes the exported files themselves.</p> <p>This JSON file will include edited and deleted messages, and even messages from users who have been deactivated, though Slack states that &ldquo;the exports will not include <a href="https://slack.com/help/articles/29414264463635-Updates-to-message-and-file-history-on-free-workspaces">data older than one year that has been deleted</a>.&rdquo; It also includes messages to and from members from outside the company, like third-party contractors who are guests in your workspace.</p> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div class="c-technical-aside-box__description"> <p>JSON is a simple format for storing and transmitting structured data. 
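To make that concrete, here is what one channel-day of such an export looks like and how an employer-side script reads it. This is an added example, not Slack&rsquo;s code or this post&rsquo;s own: the directory layout (a users.json file plus one channel-name/YYYY-MM-DD.json file per channel per day) and the message fields it relies on (type, user, text, ts, and an edited object on edited messages) follow Slack&rsquo;s documented export format, while the workspace, user accounts, and messages are constructed for the example.

```python
"""Walk a Slack workspace export the way an employer-side tool would.

Added example, not Slack's code or this post's own. Layout assumed (as in
Slack's documented export): users.json at the top level, then one
channel-name/YYYY-MM-DD.json file per channel per day, each a JSON list of
message objects with type, user, text and ts fields, plus an "edited" object
on messages that were edited. Everything below is constructed sample data.
"""
import json
import re
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Constructed sample export: made-up user IDs, names and messages.
SAMPLE_USERS = [
    {"id": "U0001", "name": "alice", "real_name": "Alice Example", "deleted": False},
    # A deactivated account stays in users.json, so exports still name the sender.
    {"id": "U0002", "name": "bob", "real_name": "Bob Example", "deleted": True},
]
SAMPLE_DAY = [  # one channel, one day
    {"type": "message", "subtype": "channel_join", "user": "U0001",
     "text": "alice has joined the channel", "ts": "1669039000.000000"},
    {"type": "message", "user": "U0001",
     "text": "Anyone free for a sync at 3?", "ts": "1669039200.000100"},
    # An edited message carries an "edited" object saying who edited it and when,
    # so the edit itself is visible to whoever reads the export.
    {"type": "message", "user": "U0002",
     "text": "Let's talk about pay bands somewhere else", "ts": "1669039260.000200",
     "edited": {"user": "U0002", "ts": "1669039320.000000"}},
]


def write_sample_export(root: Path) -> Path:
    """Materialise the constructed export under root (stands in for the unzipped export)."""
    (root / "users.json").write_text(json.dumps(SAMPLE_USERS))
    channel_dir = root / "general"
    channel_dir.mkdir()
    (channel_dir / "2022-11-21.json").write_text(json.dumps(SAMPLE_DAY))
    return root


def slack_ts(ts: str) -> datetime:
    """Slack 'ts' values are Unix seconds with a six-digit uniqueness suffix."""
    return datetime.fromtimestamp(float(ts), tz=timezone.utc)


def read_export(root: Path) -> list[dict]:
    """Flatten every channel/day file into one chronological list of rows."""
    users = {u["id"]: u for u in json.loads((root / "users.json").read_text())}
    rows = []
    for day_file in sorted(root.glob("*/*.json")):
        for msg in json.loads(day_file.read_text()):
            if msg.get("type") != "message":
                continue  # exports also carry non-message events; skip them
            sender = users.get(msg.get("user"), {})
            rows.append({
                "channel": day_file.parent.name,
                "ts": float(msg["ts"]),
                "when": slack_ts(msg["ts"]).isoformat(),
                "user": sender.get("real_name") or sender.get("name") or msg.get("user", "?"),
                "user_deactivated": bool(sender.get("deleted")),
                "subtype": msg.get("subtype"),
                "text": msg.get("text", ""),
                "edited_at": slack_ts(msg["edited"]["ts"]).isoformat() if "edited" in msg else None,
            })
    rows.sort(key=lambda r: r["ts"])
    return rows


def grep_export(rows: list[dict], pattern: str) -> list[dict]:
    """Keyword search over message text: the simplest thing anyone does with an export."""
    rx = re.compile(pattern, re.IGNORECASE)
    return [r for r in rows if rx.search(r["text"])]


def demo() -> list[dict]:
    """Build the sample export in a temporary directory and read it back."""
    with tempfile.TemporaryDirectory() as tmp:
        return read_export(write_sample_export(Path(tmp)))


if __name__ == "__main__":
    for row in demo():
        flags = []
        if row["edited_at"]:
            flags.append(f"edited at {row['edited_at']}")
        if row["user_deactivated"]:
            flags.append("account deactivated")
        print(f"#{row['channel']} {row['when']} {row['user']}: {row['text']!r} {flags}")
```

Run it and the edited message comes back with its edit timestamp, and the message from the deactivated account is still attributed to that person by real name: editing a message or leaving the company does not remove it from what the export tool hands over.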
Each message shows the type of message, the user who sent the message, the text of the message, and the timestamp of when the message was sent. Slack&rsquo;s help <a href="https://slack.com/help/articles/220556107-How-to-read-Slack-data-exports#json-files-1">documentation includes guides</a> to show employers how to read JSON so that they can navigate the file more easily.</p> </div> </aside> <p>We initially requested a complete data export from an account belonging to the Pro tier, which meant we had to message Slack support through a generic &ldquo;Contact Us&rdquo; form (located at https://<strong>[yourworkspace]</strong>.slack.com/help/requests/new). We were deliberately vague in explaining our reasons for requesting an export; we said only we were &ldquo;investigating a privacy-related matter.&rdquo;</p> <img src='https://blog.1password.com/posts/2024/employees-guide-to-slacks-privacy-policy/slack-contact-us-form.png' alt='A screenshot of slack&#39;s contact us form.' title='A screenshot of slack&#39;s contact us form.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>When Slack replied, they did not ask us to prove that we met their requirements for exporting data – they merely said that if we wished to do so, we would have to upgrade to a more expensive plan.</p> <h3 id="business-plans-enable-employers-to-export-data-at-will">Business+ plans enable employers to export data at will</h3> <p>Employers using the Business+ plan also need to apply to Slack to export non-public data. 
But as opposed to a one-time export, this grants employers access to a &ldquo;self-serve data export tool.&rdquo;</p> <p>To use this tool, <a href="https://slack.com/help/articles/204897248-Guide-to-Slack-import-and-export-tools#export-overview">Slack writes</a> that employers must ensure they have &ldquo;appropriate employment agreements and corporate policies&rdquo; and only use the tool as permitted by applicable law.</p> <p>The most important word here is &ldquo;ensure.&rdquo; At the Free/Pro levels, Slack writes employers must &ldquo;show&rdquo; they meet certain requirements. At Business+, they need only to say they will use this tool responsibly.</p> <p>It&rsquo;s worth noting that there&rsquo;s a material difference between having to ask permission every time you want to export DMs, and doing so at your leisure. The self-serve tool <a href="https://slack.com/help/articles/201658943-Export-your-workspace-data">makes it pretty easy</a>. All you have to do is &ldquo;Click Start Export&rdquo; to get a zip file, in JSON format, containing &ldquo;message history&hellip;and file links from all public channels or from all channels and DMs, depending on your export type.&rdquo;</p> <p><strong>Our experience</strong></p> <p>Once we upgraded our experiment to an account on the Business+ plan, Slack support said the next step was to submit an application for the data export tool, which would be reviewed by a &ldquo;dedicated team.&rdquo; Their language seemed to imply we could expect a drawn-out review process, but that&rsquo;s not what we found.</p> <p>Slack&rsquo;s &ldquo;application&rdquo; for the data export tool turned out to be a three-page legal document that essentially establishes two things:</p> <ol> <li> <p>The employer attests that they have the authority to access this data in accordance with the law, and that they have &ldquo;obtained the appropriate permissions, as set forth through employee handbooks, computer use policies, consent forms or similar 
documents or electronic notices, to obtain access to all of its employees' communications carried or maintained on Customer&rsquo;s networks and systems&hellip;&rdquo;</p> </li> <li> <p>The employer agrees that Slack will not be responsible for any damages related to this agreement, including liabilities arising from employees or regulators. &ldquo;For clarity, this includes any claims arising out of any failure by Customer to secure the appropriate permissions from its employees&hellip;&rdquo;</p> </li> </ol> <p>We duly signed this document. Next, Slack requested an email from our Workspace Primary Owner acknowledging that this export would contain <em>all</em> message history, and that all Workspace Owners would have access to the export tool.</p> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div class="c-technical-aside-box__description"> You can see the Workspace Owners of your Slack instance by visiting https://<strong>[yourworkspace]</strong>.slack.com/account/workspace-settings#admins </div> </aside> <p>Less than four hours later, Slack informed us that our application had been approved and we could export data as we saw fit.</p> <h3 id="enterprise-grid-plans-enable-easier-deeper-data-collection">Enterprise grid plans enable easier, deeper data collection</h3> <p>Our personal experience with Slack&rsquo;s data export process ended at the Business+ tier, but their help documentation outlines what customers at the Enterprise Grid level can expect.</p> <p><strong>The Discovery API</strong></p> <p>There are a few significant upgrades at this level, but the biggest difference is that employers paying for the Enterprise Grid plan get access to the Discovery API. The Discovery API lets employers connect Slack to approved, third-party eDiscovery and data loss prevention tools.</p> <p>&ldquo;eDiscovery&rdquo; tools capture and store messages and files from Slack in a third-party data warehouse. 
&ldquo;Data loss prevention&rdquo; tools scan messages and files for policy-breaking content, like someone sharing sensitive data, such as social security numbers. The primary goal of either tool is to help companies meet data management regulations, but they certainly come with some serious power.</p> <p><strong>Compliance admins and legal holds</strong></p> <p>The Enterprise Grid plan also offers more administrative roles than other plans, one of them being the <a href="https://slack.com/help/articles/360018112273-Types-of-roles-in-Slack#additional-roles-on-the-enterprise-grid-plan">&ldquo;Legal Holds Admin.&rdquo;</a> This person, who&rsquo;s given their powers by the organization&rsquo;s primary owner, <a href="https://slack.com/help/articles/4401830811795-Create-and-manage-legal-holds">can create and manage legal holds</a>.</p> <p>No matter what general retention settings might be in place, or whether an employee edits or deletes content, a legal hold ensures all messages, files, and conversations of a targeted employee are saved. Once that data is retained under a hold, employers can export it or access it via the Discovery API. Slack also notes, in a tip marked with a magic-wand icon, that there is &ldquo;no limit on the number of legal holds you can create.&rdquo;</p> <img src='https://blog.1password.com/posts/2024/employees-guide-to-slacks-privacy-policy/slack-legal-hold-tip.png' alt='A screenshot of slack&#39;s legal hold tip.' title='A screenshot of slack&#39;s legal hold tip.' 
style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p><a href="https://slack.com/help/articles/4401830811795-Create-and-manage-legal-holds">Source</a></p> <p>We should note, too, that on this page Slack doesn&rsquo;t explain or define the &ldquo;legal&rdquo; aspect of a legal hold.</p> <h2 id="our-thoughts-on-slacks-approach-to-employee-data-privacy">Our thoughts on Slack&rsquo;s approach to employee data privacy</h2> <p>Before we go any further, let&rsquo;s try to find some nuance in how Slack shares data with your boss, because it&rsquo;s not a black-and-white issue.</p> <p>Take our own experience getting access to Slack&rsquo;s export tool. Slack did not provide the level of oversight we expected. We did not have to <em>prove</em> we were behaving ethically – we merely had to say we were. But that&rsquo;s not really surprising once you think about it, since Slack has no way of investigating every request it receives. How could they possibly tell if an employer is really investigating harassment, or merely using it as a pretext to sniff out union activity? At a certain point, every company, including Slack, has to trust customers not to abuse its products.</p> <p>But even if we assume that the vast majority of employers are behaving ethically, and that Slack&rsquo;s policies are sound, we can still take issue with their lack of transparency toward end users.</p> <p>Slack&rsquo;s privacy policy is evasive when it comes to employee privacy, and its help documentation isn&rsquo;t intended for or easily discoverable by employees. This creates confusion, and that confusion opens employees up to risk.</p> <p>Employees can&rsquo;t make informed decisions about how to behave on Slack without understanding who is looking over their shoulder. 
Slack doesn&rsquo;t precisely hide the fact that it gives employers surveillance powers, but there&rsquo;s a pervasive sense that it&rsquo;s an uncomfortable topic that Slack would prefer users didn&rsquo;t think about.</p> <p>Our product, <a href="https://1password.com/xam/extended-access-management">1Password® Extended Access Management</a>, also collects employee data in the name of endpoint security; we can see when you last rebooted your computer, whether you&rsquo;ve installed updates, and even search for specific files. The difference between us and Slack is that transparency and informed consent – <a href="https://honest.security/">what we call Honest Security</a> – are at the heart of everything we do.</p> <p>It also bears mentioning that we use Slack at 1Password – it&rsquo;s an essential (and often great!) product. Slack is ubiquitous, and it&rsquo;s far from the only tech company that falls short on matters of <a href="https://www.dickinson-wright.com/news-alerts/the-gdpr-covers-employee-hr-data-and-tricky">employee data privacy</a>. So it&rsquo;s not feasible to suggest that anyone with a criticism of Slack (or Meta or Google or Apple) just go elsewhere – it&rsquo;s incumbent on us to encourage them to do better.</p> <h2 id="how-slacks-privacy-policies-have-evolved">How Slack&rsquo;s privacy policies have evolved</h2> <p>Some of the best advice we can give you about Slack&rsquo;s data privacy policies is to monitor them for changes.</p> <p>Slack maintains a <a href="https://slack.com/policy-archives">privacy policy archive</a> that stretches back to 2013. 
Though we won&rsquo;t detail the precise evolution of Slack&rsquo;s privacy policy over time, it&rsquo;s worth showing how far Slack is willing to change things.</p> <p>In a privacy policy update released in 2018, Slack made a major change to message access <a href="https://www.nbcnews.com/better/business/slack-updates-privacy-policy-employers-can-read-private-dms-without-ncna862811">that made headlines</a>. From 2014 to 2018, Slack customers (or at least, those who bought a premium plan) were able to download and read messages sent through Slack by downloading a so-called &ldquo;compliance export.&rdquo; When customers requested a compliance export, employees were automatically notified.</p> <p>But in 2018, Slack discontinued the compliance export function and introduced the self-serve export tool, allowing employers to export data whenever they chose.</p> <p>At the same time, Slack stopped automatically notifying employees of these exports, leaving it up to employers to police themselves. This raised some eyebrows, but Slack claimed they made the change to comply with GDPR and to help employers conduct private investigations into sensitive matters.</p> <p>Still, there&rsquo;s reason to hope that future changes to Slack&rsquo;s policies may increase transparency. California&rsquo;s data privacy law (CPRA) is likely to increase Slack&rsquo;s obligations to employees. So keep an eye on this subject in the coming months and years.</p> <h2 id="how-should-you-conduct-yourself-on-slack">How should you conduct yourself on Slack?</h2> <p>We&rsquo;ve thrown a lot of information at you (and this is the readable, summarized version). So now we&rsquo;d like to provide some guidance for how employees should actually use Slack and stay safe at the same time.</p> <p>First, know that, despite the privacy policy, Slack is contested legal territory for both employees and employers. 
Furthermore, your vulnerability and privacy depend as much on your employer as on Slack.</p> <p>For instance, Apple controversially barred an employee pay transparency channel on Slack, putting itself in a legally murky position.</p> <p>Slack is also subject to regulations like the <a href="https://slack.com/trust/compliance/gdpr">General Data Protection Regulation (GDPR)</a> and the <a href="https://slack.com/trust/compliance/ccpa-faq">California Consumer Privacy Act (CCPA)</a>, which means that depending on where you reside, you might have different rights you can exercise, including the right to see what information your boss has requested about you.</p> <p>Given the evolving legal issues at play, we can&rsquo;t provide universal advice to employees. What we can do is provide a guiding question to help you make your own decisions: Which conversations should be on Slack and which should be off Slack?</p> <h3 id="workplace-organizing">Workplace organizing</h3> <p>Labor organizing is surging in the United States, <a href="https://www.insiderintelligence.com/content/big-tech-prepares-wave-of-worker-unionization">among tech companies in particular</a>. Potential organizers are likely considering Slack as a way to communicate with fellow workers, especially on remote teams where there isn&rsquo;t a physical water cooler to huddle around.</p> <p>We want to make clear that discussing your working conditions at work is a <a href="https://www.nlrb.gov/about-nlrb/rights-we-protect/your-rights/employee-rights">federally protected right</a>. As one labor lawyer said regarding Apple&rsquo;s case: &ldquo;If two or more employees are talking about workplace conditions, then they&rsquo;re protected by the NLRA.&rdquo;</p> <p>That said, because your employer can potentially access all of your conversations on Slack without notifying you or getting your consent, it&rsquo;s smart to take conversations about organizing offline. 
Remote workers may not have this option, but can still move to different platforms like Signal, Discord, or even a separate, worker-run Slack instance (of those, only Signal is end-to-end encrypted; a worker-run Slack or Discord server keeps your employer out, but the platform itself can still read the messages). If possible, you should also conduct these activities off your work-managed laptop or mobile device, since device management software can see what happens on the device regardless of which app you use.</p> <h3 id="conversations-involving-company-information">Conversations involving company information</h3> <p>Part of what makes Slack both appealing and dangerous is that it feels so casual; you can share files and information without pausing to consider security. But once you&rsquo;ve shared something, it can disappear into another user&rsquo;s downloads folder, or any number of insecure places.</p> <p>So remember: any time you&rsquo;re handling sensitive company data (things like valuable IP or customer data), be careful where you&rsquo;re doing it and consider finding a safer alternative. (For instance, our Enterprise Password Manager comes with the ability to <a href="https://support.1password.com/create-share-vaults-teams/">share documents and other files through encrypted vaults</a>). If you&rsquo;re taking data off company-managed applications, you open the company up to security risks and potentially make yourself liable.</p> <p>You should be especially wary if you&rsquo;re in a field with stricter regulations. 
In September 2022, 11 banks and brokerages admitted that their employees had used <a href="https://www.wsj.com/articles/wall-street-to-pay-1-8-billion-in-fines-over-traders-use-of-banned-messaging-apps-11664311392?mod=hp_lead_pos3">banned messaging apps</a>, and had to pay a total of $1.8 billion in fines.</p> <h3 id="conversations-about-other-employees">Conversations about other employees</h3> <p>Collaboration within a company inherently requires talking to and about other employees, but there&rsquo;s a spectrum between acceptable and unacceptable versions of this conversation.</p> <p>Gossip, especially if it&rsquo;s about something you&rsquo;d be uncomfortable with your boss seeing, likely shouldn&rsquo;t be on Slack. If you have serious concerns about a coworker, such as sexual harassment or other inappropriate behavior, your HR department is likely a better place to have that conversation than Slack DMs.</p> <p>If the concern rises to a level where you&rsquo;re not comfortable talking to your manager or your HR department, then you might need to step back. Depending on the severity of the problem, it&rsquo;s likely best to take the conversation off Slack and speak to a lawyer or other outside professional.</p> <h3 id="non-work-conversations">Non-work conversations</h3> <p>Many companies have <strong>#random</strong> channels and other venues to encourage non-work-related conversations. Participate in these at your discretion, as long as you know that your conversations always have the potential to be accessed.</p> <p>Even if your messages aren&rsquo;t objectionable, the volume of non-work messages might be. Employers might not care about the content of your non-work conversations but care deeply about how much time you&rsquo;re messaging about your weekend plans instead of working. 
While Slack isn&rsquo;t primarily intended as a productivity monitoring tool, it can be used that way.</p> <h2 id="slack-is-one-battleground-in-a-larger-conflict">Slack is one battleground in a larger conflict</h2> <p>The issue of data privacy in the workplace isn&rsquo;t exclusive to Slack. There&rsquo;s a clear appetite for surveillance fueling the growth of the &ldquo;bossware&rdquo; sector. ExpressVPN research shows that 78% of the bosses and executives surveyed use &ldquo;employee monitoring software to track employee performance and/or online activity&rdquo; and 73% say &ldquo;stored recordings of staff&rsquo;s calls, emails, or messages have informed an employee&rsquo;s performance reviews.&rdquo; Even if you&rsquo;re reading this and thinking &ldquo;my boss wouldn&rsquo;t do that,&rdquo; there&rsquo;s no telling what your <em>next</em> boss might try, as <a href="https://www.washingtonpost.com/technology/2022/07/25/work-messages-emails-privacy/">X/Twitter employees learned the hard way</a>.</p> <p>Traditionally, US laws and workplace culture have heavily favored employer rights over employee privacy, with the assumption that employees only have a <a href="https://burnswhite.com/when-do-employees-have-a-reasonable-expectation-of-privacy/">&ldquo;reasonable expectation of privacy.&rdquo;</a> The case of Slack makes it clear that we desperately need to redefine what &ldquo;reasonable&rdquo; means in the context of remote work.</p> <p>Think of it this way: in a traditional office, it&rsquo;s reasonable to expect that your boss can monitor your emails. But you don&rsquo;t expect them to install recording devices in the bathroom, or follow you to the bar down the street and write down everything you say during happy hour.</p> <p>But in a remote workplace, there isn&rsquo;t a bar where you can blow off some steam; you don&rsquo;t have a reasonable expectation of privacy in <em>any</em> of your communications with coworkers. 
You are deprived of the universal need to connect on a personal level, to commiserate, to vent.</p> <p>The result of such a stifling, paranoid environment is either that workers feel disconnected from one another or find alternative digital venues to escape surveillance. Neither outcome is good for a company&rsquo;s morale or security.</p> <p>So, if you&rsquo;re alarmed to discover how limited your privacy rights are as an employee, and if you&rsquo;d like to change that, start by talking to your coworkers about your concerns. Just consider taking the conversation off Slack.</p> <h2 id="faq">FAQ</h2> <p>Let&rsquo;s review some of the most common questions employees have about privacy on Slack.</p> <h3 id="can-slack-read-my-direct-messages-and-private-channel-messages">Can Slack read my direct messages and private channel messages?</h3> <p>Yes. Employers can request this kind of visibility from Slack. The process varies based on a workspace&rsquo;s pricing tier.</p> <h3 id="how-long-does-slack-retain-data">How long does Slack retain data?</h3> <p><a href="https://slack.com/help/articles/203457187-Customize-message-and-file-retention#pro-and-business+-plans-1">Slack gives workspace owners broad control</a> over data retention. For paid plans, owners can choose for Slack to keep everything, keep everything except edits and deletions, or delete messages after a set amount of time. 
(Some organizations, like banks, are <a href="https://blog.pagefreezer.com/risks-benefits-slack-financial-services#:~:text=Despite%20enterprise%2Dgrade%20level%20security,for%20banks%20that%20use%20Slack.">required to retain</a> all records and export them in a readable format, which basically obligates them to purchase a higher tier of Slack.)</p> <h3 id="does-my-employer-need-my-consent-to-access-my-direct-messages-and-private-channel-messages">Does my employer need my consent to access my direct messages and private channel messages?</h3> <p>Legally speaking, they probably already have your &ldquo;consent.&rdquo; Most employment agreements, especially in the US, include blanket language that gives employers access to your behavior while using company systems and devices.</p> <h3 id="will-slack-inform-me-if-my-employer-has-exported-my-dms-and-private-channels">Will Slack inform me if my employer has exported my DMs and private channels?</h3> <p>No. In the past, Slack informed employees, but changed this policy in 2018.</p> <h3 id="does-slack-provide-user-data-to-advertisers">Does Slack provide user data to advertisers?</h3> <p>Yes. On Slack&rsquo;s <a href="https://slack.com/cookie-table">cookie table page</a>, advertising partners include Facebook, LinkedIn, and Google.</p> <h3 id="is-slack-subject-to-gdpr-or-ccpa">Is Slack subject to GDPR or CCPA?</h3> <p>Yes. Refer to Slack&rsquo;s <a href="https://slack.com/trust/compliance/gdpr">GDPR page</a> and <a href="https://slack.com/trust/compliance/ccpa-faq">CCPA page</a> for more information.</p> <h3 id="has-slack-revealed-customer-and-user-data-to-government-agencies">Has Slack revealed customer and user data to government agencies?</h3> <p>Yes. 
Its <a href="https://www.salesforce.com/content/dam/web/en_us/www/documents/legal/transparency-report-2023-pub-May-2024.pdf">transparency report</a> reveals that from January 1st, 2023, to December 31st, 2023, Slack received 22 search warrants, 8 court orders, and 74 government subpoenas (98 of the 104 cases were in the United States). In 91% of those cases, Slack provided some degree of customer data in accordance with those requests.</p> <p>Want to get more stories like this right in your inbox? <a href="https://1password.com/kolidescope-newsletter">Subscribe to the Kolidescope newsletter today!</a></p></description></item><item><title>CPRA will transform how companies treat employee data</title><link>https://blog.1password.com/cpra-will-transform-how-companies-treat-employee-data/</link><pubDate>Fri, 30 Aug 2024 00:00:00 +0000</pubDate><author>info@1password.com (Elaine Atwell)</author><guid>https://blog.1password.com/cpra-will-transform-how-companies-treat-employee-data/</guid><description> <img src='https://blog.1password.com/posts/2024/cpra-will-transform-how-companies-treat-employee-data/header.png' class='webfeedsFeaturedVisual' alt='CPRA will transform how companies treat employee data' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">California&rsquo;s data protection law applies not just to consumers, but to employees. And it&rsquo;s finally taking effect.</p> <p>Some revolutions happen overnight. In 1917, it took Russian citizens a little over a week to overthrow centuries of Czarist rule. A new world was born in less time than it takes a loaf of bread to get moldy.</p> <p>Other revolutions are slow, incremental, and involve a lot of paperwork. Such is the case with the <a href="https://cpra.gtlaw.com/cpra-full-text/">California Consumer Privacy Rights Act (CPRA)</a>, the first state privacy law that includes protections for employees. 
For this part of the law, the path to enforcement has looked a little like a game of Chutes and Ladders: big advancements followed by equally big setbacks.</p> <p>First, although other aspects of the law took effect in January 2023, employers were given a six-month grace period to get compliant, until July 2023. Then, the California Chamber of Commerce won a trial court ruling that extended the grace period until March 2024. <em>Then</em> a California Court of Appeal <a href="https://www.littler.com/publication-press/publication/time-employers-complete-california-privacy-rights-act-compliance-court">overturned this ruling</a>, and enforcement powers were officially restored on February 9th, 2024.</p> <p>Despite this meandering path, CPRA is revolutionary in its own right, especially now that the path is clear for enforcement to begin in earnest.</p> <h2 id="what-is-cpra">What is CPRA?</h2> <p>The CPRA is a series of amendments to the California Consumer Privacy Act (CCPA). CCPA was signed into law in 2018, has been in effect since 2020, and was hailed as the United States' first major piece of data privacy legislation. CCPA gave consumers a number of rights and required businesses to develop processes to comply with its obligations, including to let consumers request copies of their personal information, delete said information, and opt out of its sale (among other things).</p> <p>Even though CCPA was a landmark law, it&rsquo;s no secret that plenty of companies didn&rsquo;t take it particularly seriously, and many privacy advocates criticized it as toothless. But while CPRA may be known as &ldquo;CCPA 2.0,&rdquo; it&rsquo;s a different animal entirely. And this one has some very sharp teeth.</p> <p>CPRA is designed for more aggressive enforcement than its predecessors. 
Changes include:</p> <ul> <li> <p>Creating a new <a href="https://cppa.ca.gov/">California Privacy Protection Agency</a> to enforce the law.</p> </li> <li> <p>Eliminating the 30-day grace period in which companies could correct violations before being subject to enforcement actions.</p> </li> <li> <p>Adding new rights that bring the law closer in alignment with the EU&rsquo;s GDPR.</p> </li> </ul> <p>But the most significant change to CPRA is that it adds an entirely new protected group: employees.</p> <p>CPRA does away with CCPA&rsquo;s so-called &ldquo;employee exemption,&rdquo; meaning that if your organization has California-based employees, you will now be held to a new standard of transparency.</p> <p>If you&rsquo;re not sure whether the law applies to your company, or if your existing policies will need to change, read on.</p> <h2 id="cpras-employee-data-rights">CPRA&rsquo;s employee data rights</h2> <p>Under the new iteration of California&rsquo;s data privacy law, employers are required to give most of the same data rights to their California-based employees as they do to California customers.</p> <p>CCPA granted the following rights, which CPRA now extends to employees:</p> <ul> <li> <p><strong>Right to know:</strong> Employees can request copies of the personal information collected about them, and employers must respond within 45 days.</p> </li> <li> <p><strong>Right to correct:</strong> Employees can correct inaccurate information.</p> </li> <li> <p><strong>Right to delete:</strong> Employees can request that their personal information isn&rsquo;t retained, with exceptions for data the employer is legally obligated to retain.</p> </li> <li> <p><strong>Right to opt out of sale or sharing:</strong> CPRA&rsquo;s definition of &ldquo;sale or sharing&rdquo; is quite broad, so this right includes <a href="https://www.legaldive.com/news/CCPA-employee-data-privacy-human-resouces-vendors-service-providers-contracts/693858/">vendors and service providers who 
handle employee data</a>, unless they have signed a CPRA agreement with the employer.</p> </li> </ul> <p>CPRA also introduces two new rights:</p> <ul> <li> <p><strong>Right to limit use and disclosure of sensitive personal information:</strong> CPRA introduces the concept of &ldquo;sensitive&rdquo; personal data, which is subject to greater protections than mere &ldquo;personal&rdquo; data. This category includes things like sexual orientation, race, union membership, biometric data, precise geolocation, and some electronic messages. This right would not prohibit the collection of all such data, but limit its use to reasonable purposes.</p> </li> <li> <p><strong>Right to opt out of automated decision-making technology:</strong> This new addition is borrowed from the GDPR, but CPRA leaves it to the new regulatory agency to enumerate the precise opt-out rights employees will have. However, the law does define one type of automated technology, &ldquo;profiling,&rdquo; as processing that attempts to analyze or predict &ldquo;performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.&rdquo; This right could impact the use of automated tools that profile job candidates, particularly if they&rsquo;re found to be biased on the basis of race, sex, or other sensitive factors.</p> </li> </ul> <aside class="c-technical-aside-box c-technical-aside-box--background" aria-labelledby="who-is-subject-to-cpras-employee-requirements"> <h2 class="c-technical-aside-box__title" id="who-is-subject-to-cpras-employee-requirements"> Who is subject to CPRA&#39;s employee requirements? 
</h2> <div class="c-technical-aside-box__description"> <ul> <li> <p>For-profit companies</p> </li> <li> <p>Made over $25 global annual revenue last year</p> </li> <li> <p>Employ at least one California resident</p> </li> </ul> </div> </aside> <h2 id="how-to-get-compliant-with-cpraccpa">How to Get Compliant With CPRA/CCPA</h2> <p>CCPA/CPRA enforcement has gotten off to a slow start – as of August 2024 there have been only <a href="https://www.wilmerhale.com/en/insights/blogs/wilmerhale-privacy-and-cybersecurity-law/20240229-california-ag-announces-second-ccpa-enforcement-action">two publicly-announced settlements</a>, against Sephora and DoorDash, both of which concerned customers, not employees.</p> <p>However, there are clear indicators that the California AG is paying special attention to violations of employee rights under the law. Large employers in California have reported receiving <a href="https://ogletree.com/insights-resources/blog-posts/employers-beware-california-regulators-are-actively-enforcing-the-california-consumer-privacy-act/">inquiry letters</a> that require detailed descriptions of the company&rsquo;s policies for employee personal information, including whether they have provided notices of collection, notices of the right to opt-out, and details about the collection of any personal information not related to employment.</p> <p>Violations can be punishable by up to $2,500 <em>per violation</em>, and up to $7,500 for every violation found to be intentional or to involve the data of minors.</p> <p>In other words: if you get one of those letters, you&rsquo;re going to want to have some very good answers.</p> <p>We asked attorney <a href="https://www.culhanemeadows.com/attorney/caroline-a-morgan/">Caroline Morgan of Culhane Meadows</a>, who specializes in advising companies on data privacy and security laws, how companies can prepare for CPRA&rsquo;s new requirements. 
She emphasized the importance of a proactive approach, instead of waiting to see how the law is interpreted in court, whether it includes independent contractors, etc.</p> <p>&ldquo;Regulators are not looking for perfection but they certainly want to see good faith compliance, which should be thoughtful, planned, and prospective,&rdquo; Morgan said. &ldquo;Simply drafting a new privacy policy and hoping that is enough is essentially crossing your fingers and hoping you are compliant.&rdquo;</p> <h3 id="step-1-data-mapping">Step 1: Data mapping</h3> <p>The first step in CPRA compliance is to understand what employee data your company collects, where it&rsquo;s stored, who it&rsquo;s shared with (both internally and externally), and how long it&rsquo;s retained.</p> <p>One serious challenge is that American companies – particularly those who&rsquo;ve never had to deal with the GDPR – aren&rsquo;t used to thinking about privacy and data minimization when it comes to their employees. Many companies aren&rsquo;t even aware that they&rsquo;re dealing with &ldquo;sensitive personal data,&rdquo; because that category doesn&rsquo;t just include HR records and payroll. The tools you use for security, authentication, and communication can all fall under this umbrella.</p> <p>The <a href="https://www.natlawreview.com/article/ccpa-business-to-business-and-employment-information-exceptions-ending">National Law Review writes</a> that <em>&ldquo;Employment-Related Information may now include things like network monitoring, video surveillance, photographs, and document metadata. 
It may also [include] biometric data (including fingerprints and face and voice recognition when used to identify or authenticate the employee)&hellip;&quot;</em></p> <p>Part of mapping all this data includes mapping how it&rsquo;s accessed and secured, so it&rsquo;s a good time to make sure you have tight access controls, and that no sensitive data is <a href="https://blog.1password.com/explaining-the-access-trust-gap/">leaking onto personal devices or unapproved applications</a>.</p> <p>All this to say: don&rsquo;t underestimate the scope of your data mapping project, and prepare to involve representatives from HR, IT, and operations.</p> <h3 id="step-2-establish-processes-for-handling-employee-requests">Step 2: Establish processes for handling employee requests</h3> <p>For each type of personal employee data you collect, you need a process in place for when employees request to correct, delete, or see it.</p> <p>In some cases, this will be straightforward. Some HR data, for example, should exist only within designated tools, and it should be easy to access a copy of an individual record.</p> <p>In cases where third-party vendors manage employee data, you&rsquo;ll need to assess whether they have CPRA-compliant processes in place to handle requests you pass on. The National Law Review suggests preemptively amending agreements with vendors such as &ldquo;benefits providers, payroll providers, building managers, and other similar organizations who may have access to Employment-Related Information.&rdquo;</p> <p>Then there are the really thorny situations, where the employee data you collect is difficult to parse, likely to upset employees, or both. Take the example of Slack DMs. Slack enables employers to download private messages and channels, but these exports tend to come in the form of massive, difficult-to-read files that include all messages from a workspace. 
You&rsquo;ll need a process to isolate a single employee&rsquo;s messages in response to a request, but without compromising the privacy of the other parties they&rsquo;re messaging.</p> <p>Moreover, you&rsquo;ll need to prepare for a backlash among employees who had no idea their DMs were being collected in the first place. Good intentions will only take you so far here. Even if no one ever reads those private messages and you conducted the data export for a completely separate purpose, you&rsquo;re still accountable for all your data collection capabilities.</p> <p>And that means you might want to assess whether all that data is really necessary.</p> <h3 id="step-3-eliminate-unnecessary-data-collection">Step 3: Eliminate unnecessary data collection</h3> <p>The process of data mapping may unearth some practices your workforce is uncomfortable with, or would be if they were aware of them. (And they&rsquo;re about to be aware of them.)</p> <p>Obvious examples include so-called &ldquo;bossware&rdquo; that surveils employees via webcam or screen monitoring without their knowledge (<a href="https://www.expressvpn.com/blog/expressvpn-survey-surveillance-on-the-remote-workforce/#firing">a disturbingly common phenomenon</a>). But even generally accepted practices, like tools that give IT admins total visibility and control over devices, deserve a second look to ensure they&rsquo;re minimally invasive.</p> <p>As you assess these practices, it&rsquo;s crucial that your approach reflects the reality of remote work. There&rsquo;s an inevitable bleed between the public and private that&rsquo;s evident in your browser history, the photos on your work laptop, the personal life in the background of your webcam. 
It&rsquo;s practically impossible to prevent personally sensitive information from getting onto company devices, but you can minimize your exposure to it.</p> <h3 id="step-4-be-transparent-about-employee-data-collection">Step 4: Be transparent about employee data collection</h3> <p>CPRA doesn&rsquo;t do much to prohibit specific kinds of data collection or surveillance, but it does require more up-front transparency from employers, in the form of a &ldquo;privacy notice&rdquo; and a &ldquo;notice at collection.&rdquo;</p> <p>The Mintz law firm&rsquo;s blog <a href="https://www.mintz.com/insights-center/viewpoints/2826/2022-10-17-california-privacy-rights-act-key-compliance-tasks">explains the difference</a>: &ldquo;The &lsquo;notice at collection&rsquo; is forward-looking. The &lsquo;privacy notice&rsquo; looks back to that information collected by the employer in the 12 months prior to the effective date of the policy and must be comprehensive.&rdquo;</p> <p>In both cases, the boilerplate language common to employment contracts won&rsquo;t be sufficient – be prepared to enumerate what you collect and why.</p> <p>You can give yourself a leg up in this process by working with vendors who are already dedicated to privacy and transparency. Such as, just as a completely random example, 1Password. (Oh come on, we had to mention ourselves at least once.)</p> <p>1Password® Extended Access Management&rsquo;s <a href="https://blog.1password.com/what-is-device-trust/">Device Trust</a> solution <em>has</em> to collect data about employee devices in order to enforce compliance. But our product includes a Privacy Center, where employees can see all the data we collected, its purpose, who can access it, and its impact on privacy.</p> <h3 id="50-states-50-employee-privacy-policies">50 states, 50 employee privacy policies?</h3> <p>If your company is based in California, then CPRA is about to be an unavoidable fact of life. 
But what about remote companies, with just a handful of California employees?</p> <p>Well, technically you can have a CPRA-compliant set of policies for California, and another for the rest of your workforce. That&rsquo;s the tactic most companies took for implementing CCPA for consumers, after all. (If you&rsquo;re a consumer in one of the other 49 states, you&rsquo;ve probably noticed those &ldquo;California Residents Click Here&rdquo; buttons on your favorite websites, and felt vaguely left out.)</p> <p>But we don&rsquo;t recommend this fragmented approach, for a number of reasons. For one thing, the CPRA may be a groundbreaking law when it comes to employee data privacy, but it won&rsquo;t be the last.</p> <p>&ldquo;Other states will undoubtedly continue to look at CCPA/CPRA as a model for privacy legislation,&rdquo; says Morgan. &ldquo;For example, earlier this year a New York law took effect that requires New York employers engaged in electronic monitoring to give written notice to employees upon hiring regarding surveillance of employee internet usage, calls, texts, and emails and to put information about this surveillance in a &lsquo;conspicuous place.'&rdquo;</p> <p>Even if no more employee data privacy laws were in the works, you have to recognize the fact that your employees communicate across state lines. If an employee in California learns about invasive surveillance, the word (and the backlash) will spread. It&rsquo;s better to get out in front of the narrative.</p> <h2 id="cpra-is-leading-a-revolution-in-employee-data-privacy">CPRA is leading a revolution in employee data privacy</h2> <p>There&rsquo;s a worn-out shibboleth in tech that &ldquo;Americans don&rsquo;t care about privacy.&rdquo; This line gets repeated constantly – quietly by tech CEOs, frustratedly by security professionals, and despairingly by privacy activists. 
But that phrase doesn&rsquo;t tell the whole story.</p> <p>It may be true that American consumers are willing to accept a loss of privacy as the cost of participating in the economy, but that doesn&rsquo;t mean they don&rsquo;t care. They only shrug at the constant cycle of data breaches and privacy scandals because they have no way to push back. After all, users can&rsquo;t exactly march up to Meta headquarters and ask to speak to the manager.</p> <p>But employees have far greater abilities than consumers to band together and assert their rights. And employees care deeply about their privacy. An <a href="https://www.expressvpn.com/blog/expressvpn-survey-surveillance-on-the-remote-workforce/#firing">ExpressVPN survey</a> found that 54% of employees would switch jobs to avoid surveillance.</p> <p>Plenty of articles describe the expiration of CPRA&rsquo;s employee exemption as a &ldquo;burden&rdquo; on employers, and there&rsquo;s no denying that getting compliant will take significant effort, including and especially from IT teams. But it&rsquo;s also a great opportunity to get rid of sensitive data you never really wanted, and to be transparent with your employees about the policies you have.</p> <p>Want to get more stories like this right in your inbox? 
<a href="https://1password.com/kolidescope-newsletter">Subscribe to the Kolidescope newsletter today!</a></p></description></item><item><title>What you need to know about ISO 27000 standards</title><link>https://blog.1password.com/what-you-need-to-know-about-iso-27000-standards/</link><pubDate>Fri, 30 Aug 2024 00:00:00 +0000</pubDate><author>info@1password.com (Kenny Najarro)</author><guid>https://blog.1password.com/what-you-need-to-know-about-iso-27000-standards/</guid><description> <img src='https://blog.1password.com/posts/2024/what-you-need-to-know-about-iso-27000-standards/header.png' class='webfeedsFeaturedVisual' alt='What you need to know about ISO 27000 standards' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">For companies looking to get their data practices in order, the ISO 27000 standards provide a valuable starting point to use when crafting policy.</p> <p>The Wild West era of data privacy and cybersecurity is coming to an end. The public has soured on companies (including Big Tech) that scooped up their personal data and then failed to protect it from breaches, hacks, and their own worst impulses. And companies themselves have come to see that no industry is safe, as hackers hold hospitals for ransom and paralyze the operations of everything from airlines to casinos.</p> <p>If we were in a Western movie, this would be the part where the townsfolk pray for a Sheriff to show up and restore order, or at least come up with some rules that everyone can agree to follow. 
And at present, the most comprehensive set of rules is the ISO/IEC 27000 series of standards.</p> <h2 id="what-is-the-isoiec-27000-family-of-standards">What is the ISO/IEC 27000 family of standards?</h2> <p>The ISO 27000 series is a collection of best practices for how organizations can manage information security by creating, maintaining, and evaluating an Information Security Management System (ISMS).</p> <p>This international framework is respected for its rigorousness and applicability across industries, and is valuable to any organization seeking to improve its information security risk management and become compliant with data privacy laws <a href="https://blog.1password.com/get-serious-gdpr-compliance/">such as GDPR</a>.</p> <p>The standards in the 27000 series provide detailed guidance on various aspects of information security. Some standards are technical, some deal with governance and organizational risk management, some are industry specific, and others are directed at auditors. But the uncontested centerpiece of the 27000 series is <a href="https://www.techtarget.com/whatis/definition/ISO-27001">ISO 27001, the only standard for which it&rsquo;s possible to be certified</a>.</p> <aside class="c-technical-aside-box c-technical-aside-box--background" aria-labelledby="how-many-iso-27000-standards-are-there"> <h2 class="c-technical-aside-box__title" id="how-many-iso-27000-standards-are-there"> How many ISO 27000 standards are there? </h2> <div class="c-technical-aside-box__description"> <p>This question seems like it should have a straightforward answer, but it&rsquo;s surprisingly difficult to come up with an exact number. New standards are regularly added to the family, others are withdrawn, and ISO&rsquo;s naming conventions aren&rsquo;t exactly easy to follow. 
(You&rsquo;d assume that every &ldquo;27&rdquo; standard would concern data security, but ISO 27027 is about aerospace power systems, and 27020 deals with &ldquo;brackets and tubes for use in orthodontics.&quot;) There are roughly 30 security-oriented standards as of this writing, but the exact number isn&rsquo;t particularly important, since you don&rsquo;t need to worry about reading all of them unless you&rsquo;re an auditor.</p> </div> </aside> <p>The 27000 series come to us from two global standards bodies: the International Electrotechnical Commission (IEC) and the International Organization for Standardization (ISO)<sup id="fnref:1"><a href="#fn:1" class="footnote-ref" role="doc-noteref">1</a></sup>. Its members meet regularly with experts to revise existing standards and add new ones. Recent additions include ISO 27403, which concerns IoT, and a revision of ISO 27031 concerning cybersecurity readiness for business continuity.</p> <blockquote> <p>(Note: even though the full name of all these standards is ISO/IEC, going forward, we&rsquo;ll mostly stick with the more commonly-used &ldquo;ISO.&quot;)</p> </blockquote> <h2 id="an-overview-of-the-iso-27000-standards">An overview of the ISO 27000 standards</h2> <p>It would be prohibitively time consuming to read every standard within this family, but it&rsquo;s worth getting a general sense of what they contain, so you can focus on the ones that apply to you.</p> <p>ISO 27000 introduces the series by defining key vocabulary terms and providing an overview of the other standards. 
It categorizes the series as follows:</p> <ul> <li> <p>Standards describing requirements</p> </li> <li> <p>Standards describing general guidelines</p> </li> <li> <p>Standards describing sector-specific guidelines</p> </li> <li> <p>Control-specific guidelines</p> </li> </ul> <img src="https://blog.1password.com/posts/2024/what-you-need-to-know-about-iso-27000-standards/blue-iso-27000-family-of-standards.png" alt="A table featuring ISMS family of standards." title="A table featuring ISMS family of standards." class="c-featured-image"/> <aside class="c-technical-aside-box c-technical-aside-box--background" aria-labelledby="where-can-i-read-the-iso/iec-27000-standards"> <h2 class="c-technical-aside-box__title" id="where-can-i-read-the-iso/iec-27000-standards"> Where can I read the ISO/IEC 27000 standards? </h2> <div class="c-technical-aside-box__description"> There are no legally available free copies of these standards, <strong><a href="https://standards.iso.org/ittf/PubliclyAvailableStandards/index.html">with the exception of 27000</a></strong>. They are <strong><a href="https://www.iso.org/store.html">available for purchase via ISO</a></strong> and IEC and typically run between one and two hundred dollars (subject to fluctuation since the price is listed in Swiss Francs). </div> </aside> <h3 id="standards-describing-requirements">Standards describing requirements</h3> <p><strong>ISO 27001</strong></p> <p>When people talk about ISO 27000 compliance and certification, they really mean this one. Broadly, it defines the requirements for an ISMS. Organizations that meet these requirements can receive certification.</p> <p>This standard covers 14 domains that touch on data security and 114 controls for how an ISMS should manage each. 
For instance, <a href="https://www.isms.online/iso-27001/annex-a-8-asset-management/">Annex A.8</a> deals with asset management, and its controls include making an asset inventory, documenting an acceptable use policy, and logging any non-returned asset as a security incident.</p> <p>There are three pillars to ISO 27001, and every other standard in the family reinforces them:</p> <ol> <li> <p>Documentation: All data security policies must be clearly documented, and that documentation must be accessible to all relevant stakeholders.</p> </li> <li> <p>Accountability: ISO 27001 auditors expect to see buy-in to the ISMS at every level of the organization–participation from leadership, clear definitions for who is responsible for each organizational risk and its remediation, and a workforce that is aware of and compliant with all policies.</p> </li> <li> <p>Continuous assessment and improvement: Achieving and maintaining ISO 27001 compliance requires ongoing internal and external audits, regular risk assessment and documentation updates, and employee training.</p> </li> </ol> <p>Getting ISO 27001 certified requires a significant investment and is usually reserved for companies with high-risk data and international deals. Because of this there&rsquo;s generally a generous enough window to meet updated guidelines. For instance, the latest update to the standards came in 2022, and became required for compliance on <a href="https://www.cbh.com/guide/articles/iso-270012022-transition-what-you-need-to-know/">April 30, 2024</a>. 
Companies that were already compliant with the previous version will need to update to the new standards by October 31, 2025.</p> <p>However, many organizations that forgo the formal audit process still try to be as compliant as possible, to avoid data breaches and meet their legal and contractual obligations.</p> <aside class="c-technical-aside-box c-technical-aside-box--background" aria-labelledby="whats-the-most-recent-version-of-iso-27001"> <h2 class="c-technical-aside-box__title" id="whats-the-most-recent-version-of-iso-27001"> What&#39;s the most recent version of ISO 27001? </h2> <div class="c-technical-aside-box__description"> <p>ISO 27001&rsquo;s full name is actually &ldquo;ISO/IEC 27001: 2022,&rdquo; since 2022 was the year the most recent version was released. The entire ISO 27000 series of standards follows this naming convention, although revisions are made in off years. ISO 27001, for instance, underwent changes in 2017, but its name wasn&rsquo;t updated until the release of ISO 27001: 2022.</p> </div> </aside> <p><strong>ISO 27006</strong></p> <p>This is one of the handful of standards intended for auditors and accreditation bodies. It lays out the requirements for anyone hoping to become an auditor.</p> <p><strong>ISO 27009</strong></p> <p>This standard deals with applying ISO 27001&rsquo;s requirements in sector-specific contexts. Per the 27000 document, &ldquo;It explains how to include requirements additional to those in ISO/IEC 27001, how to refine any of the ISO/IEC 27001 requirements, and how to include controls or control sets in addition to ISO/IEC 27001:2013, Annex A.&rdquo;</p> <h3 id="standards-describing-general-guidelines">Standards describing general guidelines</h3> <p><strong>ISO 27002</strong></p> <p>ISO/IEC 27002 might be the second-most recognizable entry on this list. It works as a supplement for ISO 27001 and goes into much more detail about the purpose of each control and how to implement it. 
It&rsquo;s representative of most of the standards in this section, which expand on security principles and get into the specifics of security techniques.</p> <p><strong>ISO 27003</strong></p> <p>This is another broadly applicable standard that deals with implementing an ISMS. It lays out the role of leadership, the planning process, and how to evaluate and improve upon performance. Per one expert, ISO 27003 is particularly useful for providing &ldquo;a further page of explanation, practical guidance and real-world examples in this area. The end result is that the reader gains a <em>much</em> better understanding of the requirements from &lsquo;27001 and a clearer idea of how to go about satisfying them.&rdquo;</p> <p><strong>ISO 27004</strong></p> <p>The ISO/IEC 27004 document specifically concerns methods for monitoring and evaluating the performance of the ISMS.</p> <p><strong>ISO 27005</strong></p> <p>The facet of ISO 27001 under the microscope in ISO/IEC 27005 is risk management, and putting organizational processes for it in place.</p> <p><strong>ISO 27007</strong></p> <p>Regular internal and external audits are a key requirement of ISO 27001 compliance, and this standard offers guidance on how to conduct those audits, including the competence requirements for auditors.</p> <p><strong>ISO 27008</strong></p> <p>Another standard geared toward auditors, this one lays out how to assess compliance with information security controls.</p> <p><strong>ISO 27013</strong></p> <p>Data security isn&rsquo;t the only concern when it comes to managing IT assets, and any standard must be able to coexist with other management systems. 
ISO 27013 describes how to integrate ISO 27001 and ISO/IEC 20000-1, which deals with general IT service management.</p> <p><strong>ISO 27014</strong></p> <p>This standard deals with governance for information security and the role of governing bodies in providing oversight on security issues.</p> <p><strong>ISO TR 27016</strong></p> <p>Assessing the risk level of information assets is one of the first steps in achieving ISO 27001 compliance. ISO TR 27016 offers a roadmap for prioritizing those assets based on their value. To quote ISO 27000, it helps organizations &ldquo;to better understand economically how to more accurately value their identified information assets, value the potential risks to those information assets, appreciate the value that information protection controls deliver to these information assets, and determine the optimum level of resources to be applied in securing these information assets.&rdquo;</p> <p><strong>ISO 27021</strong></p> <p>This document delineates competence requirements for ISMS professionals, which can be helpful for organizations hiring for that role, and individuals aspiring to it.</p> <h3 id="sector-specific-guidelines">Sector-specific guidelines</h3> <p><strong>ISO 27010</strong></p> <p>This standard provides best practices for information sharing between organizations. 
It can be useful for maintaining information security when sharing sensitive data across sectors or international borders.</p> <p><strong>ISO 27011</strong></p> <p>The first truly industry-specific standard, this one governs telecommunications organizations.</p> <p><strong>ISO 27017</strong></p> <p>This standard – first introduced in 2015 – provides security controls specific to cloud computing and has recommendations for cloud service providers and customers.</p> <p><strong>ISO 27018</strong></p> <p>Here we have another cloud-specific standard, concerned with establishing controls for personally identifiable information (PII) in a public cloud environment.</p> <p><strong>ISO 27019</strong></p> <p>This standard deals with information security controls for energy utilities.</p> <p><strong>ISO 27799</strong></p> <p>Another sector-specific standard, this time for healthcare.</p> <h3 id="control-specific-guidelines">Control-specific guidelines</h3> <p>We won&rsquo;t be providing an exhaustive list of these standards, but we will go over a few important and representative samples.</p> <p>It&rsquo;s worth noting that there are significant additions to this group of standards currently in draft form. <a href="https://www.iso27001security.com/html/27090.html">ISO/IEC 27090</a>, for instance, will address security threats to AI systems, and provide guidance on addressing them.</p> <p><strong>ISO/IEC 27559</strong></p> <p>This standard addresses the privacy risks of (theoretically) de-identified data, and provides guidance on thoroughly anonymizing it.</p> <p><strong>ISO 27701</strong></p> <p>This standard is classified as an &ldquo;extension&rdquo; to ISO 27001, which means you can actually get ISO 27701 certified as part of the ISO 27001 process. 
As we mentioned earlier, this standard develops a framework for privacy known as PIMS.</p> <p>To quote <a href="https://www.itgovernanceusa.com/iso-27701">IT Governance</a>, it provides &ldquo;much-needed guidance for complying with global privacy standards, such as the California Consumer Privacy Act (CCPA), EU GDPR (General Data Protection Regulation) and New York SHIELD Act.&rdquo;</p> <p><strong>ISO 27033</strong></p> <p>This standard concerns network security and is written on a fairly technical level, suited for network administrators and security professionals.</p> <p><strong>ISO 27035</strong></p> <p>Here we have another entry that provides a how-to guide for implementing a key requirement of the ISO 27001 standard. This one is about information security incident management and includes a guide to creating an incident response plan.</p> <p><strong>ISO 27400</strong></p> <p>This entry outlines unique risks and controls for the Internet of Things (IoT).</p> <h2 id="use-the-iso-27000-standards-as-a-roadmap-for-security">Use the ISO 27000 standards as a roadmap for security</h2> <p>Before we wrap up, let&rsquo;s make one thing clear: the ISO 27000 family of standards isn&rsquo;t perfect. The vocabulary isn&rsquo;t always consistent from one standard to the next, updates often lag behind technological and societal developments, and the naming conventions leave a great deal to be desired.</p> <p>However, this series performs a valuable service by establishing international standards that security practitioners and governments alike can use to craft policy.</p> <p>If you&rsquo;re trying to get your data security in order, you don&rsquo;t need to try to implement every control or every standard. 
But you can use their principles as a starting point to <a href="https://blog.1password.com/vulnerability-management-goes-much-deeper-than-patching/">patch up your vulnerabilities</a> and establish a code of practice for your organization and partners.</p> <blockquote> <p>1Password® Extended Access Management&rsquo;s device trust solution has helped numerous customers in their ISO 27001 certification process by providing audit-compliant endpoint security. <a href="https://1password.com/contact-sales/xam">Request a demo</a> to see how we can help you.</p> </blockquote> <section class="footnotes" role="doc-endnotes"> <hr> <ol> <li id="fn:1" role="doc-endnote"> <p>You may have noticed that ISO’s full name doesn’t perfectly align with its acronym. That’s because ISO isn’t an acronym! Its founders didn’t want the organization’s name to be abbreviated differently from one language to the next, <a href="https://www.iso.org/about-us.html">so they chose ISO</a> (from the Greek word for equal) as the universal form. 
Which: very on brand.&#160;<a href="#fnref:1" class="footnote-backref" role="doc-backlink">&#x21a9;&#xfe0e;</a></p> </li> </ol> </section></description></item><item><title>10 things to know about the state of small business cybersecurity</title><link>https://blog.1password.com/ten-things-about-small-business-cybersecurity/</link><pubDate>Thu, 29 Aug 2024 00:00:00 +0000</pubDate><author>info@1password.com (Stacey Harris)</author><guid>https://blog.1password.com/ten-things-about-small-business-cybersecurity/</guid><description> <img src='https://blog.1password.com/posts/2024/ten-things-about-small-business-cybersecurity/header.png' class='webfeedsFeaturedVisual' alt='10 things to know about the state of small business cybersecurity' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">1Password surveyed 600 small business cybersecurity professionals to better understand their unique challenges.</p> <p>We take a look at our top ten findings of how small and medium-sized businesses are managing their security, what threats they’re facing, and what can be done in the future to meet these challenges.</p> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div class="c-technical-aside-box__description"> <p>Check out <a href="https://1password.com/state-of-enterprise-security-report#annual-report-download">1Password state of enterprise security report 2024: Balancing act, security and productivity in the age of AI</a> for the full report.</p> </div> </aside> <h2 id="1-76-of-cybersecurity-professionals-believe-small-business-cybersecurity-isnt-up-to-snuff">1. 76% of cybersecurity professionals believe small business cybersecurity isn’t up to snuff</h2> <p>In our recent survey, we found that 76% of small business cybersecurity professionals don’t feel that their security protections are adequate. A gap in security defenses can leave a business exposed to all sorts of cybersecurity threats. 
So if they know there’s a gap, why haven’t they fixed it?</p> <h2 id="2-security-teams-are-spread-thin">2. Security teams are spread thin</h2> <p>The main reason: They’re being pulled in too many conflicting directions – with 57% of security professionals admitting to feeling this way. Small business employees are no stranger to wearing many hats. But having to manage multiple priorities means that sometimes security is put on the back-burner. More than two-thirds of security pros at small businesses (69%) admit that they’re at least partly reactive when it comes to security, meaning they’re not proactively working to protect against threats.</p> <h2 id="3-top-cybersecurity-threat-shadow-it">3. Top cybersecurity threat: Shadow IT</h2> <p>Sometimes it’s the threats you know about that can end up causing the most damage. Applications and devices employees use that haven’t been explicitly approved or secured by IT are called <a href="https://blog.1password.com/what-is-shadow-it/">shadow IT</a>. More than 35% of small business security pros acknowledge that internal threats, like shadow IT, are the biggest risk to their business. When IT doesn’t have visibility into what apps employees are using, it leaves a gap in knowledge about where company and client information is saved. If those applications get caught up in a data breach, the business is left blind to how exposed they are. With nearly half of small business employees (47%) using shadow IT, it’s not a risk that can be ignored.</p> <h2 id="4-perpetual-password-failure">4. Perpetual password failure</h2> <p>The risk of shadow IT accounts being protected by weak passwords is high – meaning those accounts could face an even bigger risk of falling victim to a data breach. 60% of small business employees have poor password practices, like reusing passwords or neglecting to reset the IT-selected defaults.</p> <h2 id="5-employees-are-lax-on-overall-security">5. 
Employees are lax on overall security</h2> <p>It’s not just passwords employees are slacking on. More than half of surveyed employees (58%) admit to being lax about their company’s security policies. Reasons include a desire to get things done quickly and be productive (26%), the belief that security policies are inconvenient (11%), or that they’re too stringent and unreasonable (11%).</p> <h2 id="6-device-security-isnt-guaranteed-when-28-of-employees-never-use-their-work-devices">6. Device security isn’t guaranteed when 28% of employees never use their work devices</h2> <p>Employees are trying to get their work done as efficiently as possible, and sometimes that means working from personal devices. Whether that’s on the go using their personal mobile phone, or a personal laptop, we found that more than a quarter of surveyed employees (28%) admit to never working on their work-provided devices, opting solely for personal or public computers. That’s a lot of unmanaged devices that security might not know about, let alone be securing, which could expose the company to cyberattacks.</p> <h2 id="7-employees-want-convenience">7. Employees want convenience</h2> <p>While looking for security software, only one in 10 security pros we surveyed (10%) say that employee convenience is their top consideration. With two in five employees (41%) motivated by convenience, security professionals set on protecting their business would benefit from finding a solution that meets both the security needs of their business and also the usability needs of their user base.</p> <h2 id="8-ai-is-top-of-mind-in-small-business-cybersecurity">8. AI is top of mind in small business cybersecurity</h2> <p>Generative AI has been top of the news cycle for a while, and security teams are taking notice, with more than 90% of surveyed security pros having security concerns about generative AI. 
Among their top worries: Employees falling for AI-enhanced phishing attempts (45%), entering sensitive company data into an AI tool (41%), or using AI systems trained with incorrect or malicious data (39%).</p> <h2 id="9-single-sign-on-sso-is-not-enough">9. Single sign-on (SSO) is not enough</h2> <p>While many businesses adopted SSO to protect their information, more than two-thirds of small business security pros (73%) are now saying single sign-on (SSO) tools are not a complete solution for securing employees’ identity. While SSO helps protect businesses by limiting the number of entry points, it does not protect against shadow IT.</p> <h2 id="10-complete-security-solutions-are-preferred">10. Complete security solutions are preferred</h2> <p>With so much to do, and not enough time, small business IT teams are looking for a one-stop-shop solution when it comes to security. Nearly one in three teams (30%) have switched security tools or vendors in the past year to ones that provide more complete end-to-end solutions. Reducing the number of security tools needed helps streamline workflows and make reporting more digestible and easier to act on.</p> <p>Small business cybersecurity professionals are tasked with securing their business against known, and unknown threats. They’re often expected to do so with fewer resources than their enterprise counterparts while actually being a bigger target for criminals. 
Expected to keep employees secure who are focused on productivity over security, it can feel like an insurmountable challenge.</p> <p>There are a multitude of solutions on the market, but finding one that not only works, but is also convenient enough to make employees <em>want</em> to use it, is the struggle.</p> <h2 id="1password-more-than-a-password-manager">1Password: More than a password manager</h2> <p>1Password not only encourages strong, unique passwords for every account so critical business data is secure, but it does so in a way that improves employee workflows.</p> <p>With features like <a href="https://1password.com/features/autofill/">autofill</a> and built-in multi-factor authentication, <a href="https://1password.com/product/enterprise-password-manager">1Password Enterprise Password Manager</a> makes it easier than ever to help employees sign in and start working faster – no password resets required. It also encourages secure collaboration across teams and with contractors through secure sharing. And even if employees choose to use shadow IT, a password manager helps make sure that those accounts are secure behind a strong password. Reporting features like Watchtower and 1Password Insights give IT teams visibility into how secure their teams really are – and advice on how to reduce identified risks.</p> <p>But there’s still the <a href="https://blog.1password.com/explaining-the-access-trust-gap/">Access-Trust Gap</a> – the gap between the users, apps, and devices a business trusts to access sensitive data, and those that can actually access it in practice – to contend with. 
<a href="https://1password.com/product/xam">1Password® Extended Access Management</a> gives businesses more control over identities, applications, and devices – so their team can securely use the tools they need without exposing sensitive information.</p> <p>To learn more about securing your team with 1Password, you can check out our <a href="https://1password.com/webinars/1password-business-demo">1Password Business demo</a>.</p></description></item><item><title>Healthcare security is a nightmare: Here's why</title><link>https://blog.1password.com/healthcare-security-is-a-nightmare/</link><pubDate>Wed, 28 Aug 2024 00:00:00 +0000</pubDate><author>info@1password.com (Kenny Najarro)</author><guid>https://blog.1password.com/healthcare-security-is-a-nightmare/</guid><description> <img src='https://blog.1password.com/posts/2024/healthcare-is-a-security-nightmare/header.png' class='webfeedsFeaturedVisual' alt='Healthcare security is a nightmare: Here&#39;s why' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">When the medical mission is at odds with security policies, patients and clinicians suffer.</p> <p>Do you suffer from <a href="https://my.clevelandclinic.org/health/diseases/22389-nosocomephobia-fear-of-hospitals">nosocomephobia</a>, the intense fear of hospitals?</p> <p>Maybe it&rsquo;s because you&rsquo;re afraid of blood, disease, or fluorescent lighting, but there&rsquo;s another risk to consider – your data.</p> <p>Hospitals and healthcare more generally are at <a href="https://www.npr.org/2023/10/20/1207367397/ransomware-attacks-against-hospitals-put-patients-lives-at-risk-researchers-say">some of the greatest risk</a> for cyberattacks of any industry. 
A <a href="https://www.proofpoint.com/sites/default/files/threat-reports/pfpt-us-tr-cyber-insecurity-healthcare-ponemon-report.pdf">2023 Ponemon Institute study</a> found that 88% of healthcare organizations had at least one cyber attack over the past 12 months, and were specifically susceptible to ransomware and business email compromise (BEC) attacks.</p> <p>It&rsquo;s easy to see why. Threat actors know how sensitive healthcare data is: if they release patient medical records, the provider&rsquo;s reputation is ruined. And if they shut down a hospital&rsquo;s operations by locking down their systems, people die. 43% of respondents in the Ponemon study said a data loss or exfiltration event impacted patient care. Of those 43%, 46% said it increased the mortality rate.</p> <p>Given the extremely high stakes, one would think that practicing good security would be a priority for any healthcare organization, but instead, clinicians regularly engage in practices that would send a security professional into cardiac arrest.</p> <p>Ross Koppel, Sean Smith, Jim Blythe, and Vijay Kothari observed how clinicians skirt security policies in their 2015 research paper, <a href="https://www.cs.dartmouth.edu/~sws/pubs/ksbk15-draft.pdf">Workarounds to Computer Access in Healthcare Organizations: You Want My Password or a Dead Patient?</a> Here&rsquo;s a taste of what they found:</p> <ul> <li> <p>Sticky notes with login credentials forming &ldquo;sticky stalagmites&rdquo; on medical devices and in medication preparation rooms.</p> </li> <li> <p>Clinicians offering their logged-in session to the next clinician as a &ldquo;professional courtesy,&rdquo; leading to physicians ordering medications <em>for the wrong patient</em>.</p> </li> <li> <p>Doctors and nurses creating &ldquo;shadow notes&rdquo; for patients, outside of the approved IT tools.</p> </li> <li> <p>A vendor distributing stickers for workers to &ldquo;write your username and password and post on your computer 
monitor&rdquo;.</p> </li> <li> <p>Nurses circumventing the need to log out of COWs (Computer on Wheels) by placing &ldquo;sweaters or large signs with their names on them,&rdquo; hiding them, or simply lowering laptop screens.</p> </li> </ul> <p>This is healthcare security failing in real time.</p> <p>But before we start waving fingers (or grabbing pitchforks), we need to ask <em>why</em> clinicians engage in such risky workarounds to security. The answer, according to the paper&rsquo;s authors, is that healthcare security systems are not designed for the realities of workers. They write: &ldquo;Unfortunately, all too often, with these tools, clinicians cannot do their job — and the medical mission trumps the security mission.&rdquo;</p> <p>In a <a href="https://thehealthcareblog.com/blog/2016/09/23/for-healthcare-cybersecurity-the-whole-is-weaker-than-the-sum-of-the-parts/">separate paper</a> detailing the friction between end users and healthcare security, Dr. Ross Koppel and Dr. Jesse Walker describe the reality of a clinician&rsquo;s security experience:</p> <blockquote> <p>&ldquo;Asking employees to log in to a system with elaborate codes, badges, biometrics, et cetera 200 or 300 times a day just generates circumventions—not because of laxness or laziness, but because they are just trying to do their jobs and fulfill the mission of the organization.&rdquo;</p> </blockquote> <p>This disconnect between IT and security teams, management, and frontline workers isn&rsquo;t unique to healthcare. Professionals in every industry can learn something from how the situation got this bad, and what can be done to fix it.</p> <h2 id="why-healthcare-data-breaches-happen">Why healthcare data breaches happen</h2> <p>We&rsquo;ve established that healthcare security is not responsive to the needs of clinicians – but whose fault is that? To gain a better understanding, I reached out to Dr. 
Ross Koppel.</p> <p>When I asked him whose responsibility it was to get better systems — he didn&rsquo;t mince words. &ldquo;99% is the fault of the system, the IT team, the CISO, etc. Also the board, in that they don&rsquo;t hire enough cybersec folk,&rdquo; said Koppel.</p> <p>Those who read Koppel et al.&rsquo;s study resonated with that sentiment. In a <a href="https://cohost.org/mononcqc/post/3647311-paper-you-want-my-p#comments">forum discussing the paper</a>, one commenter shared that when they worked for a medical software company, they encountered resistance every time they suggested talking directly to end users.</p> <blockquote> <p>&ldquo;It remains one of the few jobs where I had to raise my voice regularly, because every decision involved someone saying &lsquo;well, how can we know how the end users would use this,&rsquo; and me gesturing emphatically out the conference room window at the hospital across the street. I wanted to walk over and ask people for help, but they hated that idea&hellip;&rdquo;</p> </blockquote> <p>And of course, it&rsquo;s worth mentioning that the healthcare sector is far-reaching, and it&rsquo;s not just hospitals and clinicians that share responsibility over sensitive patient data. <a href="https://www.wsj.com/tech/cybersecurity/cyberattacks-hospitals-healthcare-industry-lessons-c31469f3">The Change Healthcare leak</a> is one harrowing example of healthcare business associates like insurance dealers leaking sensitive health information. Similarly, the HSA provider HealthEquity saw a <a href="https://www.tomsguide.com/computing/online-security/43-million-people-hit-in-massive-healthcare-data-breach-full-names-addresses-and-ssns-exposed-online">data breach</a> that leaked the personal information of millions. 
The hackers first gained access by using the <a href="https://watchtower.1password.com/">compromised credentials</a> of one of HealthEquity&rsquo;s partners.</p> <p>The communication problems of the healthcare system clearly don&rsquo;t stymie bad actors, who are very adept at using one breached system to gain a foothold into another, increasing the vulnerabilities and attack surface surrounding patient information. But for the system itself to become more secure, we have to start with the data, and the hospitals that collect it.</p> <h3 id="a-disjointed-system">A disjointed system</h3> <p>For a better understanding of why healthcare cybersecurity is the way it is, a closer look at the decision makers is required. In Proofpoint&rsquo;s <a href="https://www.proofpoint.com/sites/default/files/white-papers/pfpt-us-wp-board-perspective-report.pdf">Cybersecurity: The 2023 Board Perspective report</a>, only 36% of board members in healthcare said they regularly interact with their CISO — by far the lowest of all sectors surveyed. Given what we know about healthcare security and its ripe attack surface, that statistic alone should be sending shockwaves through the industry&hellip;<em>should be</em>.</p> <p>The Koppel et al study saw the same lack of communication about security, writing that: &ldquo;Cybersecurity and permission management problems are hidden from management, and fall in the purview of computer scientists, engineers, and IT personnel.&rdquo;</p> <p>This disconnect between board members and CISOs plays out between IT/Security teams and end users as well. 
The <a href="https://www.proofpoint.com/sites/default/files/threat-reports/pfpt-us-tr-cyber-insecurity-healthcare-ponemon-report.pdf">Ponemon Institute study</a> cited earlier found that 47% of IT and security practitioners in healthcare are concerned that employees don&rsquo;t have a grasp of how sensitive and confidential the information they share via email is.</p> <p>According to those same IT and security practitioners, the top three challenges they experience in having an effective cybersecurity posture are expertise, staffing, and budget. If we read between the lines, it&rsquo;s really budget, budget, and budget, since that&rsquo;s what pays for staffing and expertise. With healthcare board members' (perhaps willful) lack of insight into their organizations' security, they&rsquo;re communicating loud and clear that security isn&rsquo;t a priority when it comes to spending money.</p> <h3 id="the-fallout-of-healthcare-data-breaches">The fallout of healthcare data breaches</h3> <p>If you&rsquo;ve become numb to data breaches, I&rsquo;d understand. The formula for a data breach article usually consists of a headline that states how many thousands or millions were affected, what data was compromised, and then a statement from the victim on what they&rsquo;re doing to mitigate the issue for the affected individuals. Then you go on with your day because that&rsquo;s just how it is in cybersecurity. But in the past few years, healthcare breaches have reached a level of seriousness that should shock even the most jaded observer.</p> <p>Take for instance St. Margaret&rsquo;s Health, hospitals serving Spring Valley and Peru, Illinois. A <a href="https://www.darkreading.com/cyberattacks-data-breaches/illinois-hospital-closure-ransomware-existential-threat">February 2021 ransomware attack</a> caused the closure of the 120-year-old hospitals, leaving its communities without a local medical center. 
The ransomware attack endured for months, shutting down the hospital&rsquo;s IT network, email systems, and its EMRs. These disruptions left the hospital unable to collect payments from insurers, therefore also unable to charge any payments as the attacks raged on.</p> <p>As DarkReading posits: &ldquo;Often many small, midsized, and rural hospitals lack a full-time security staff. They also have a harder time getting cyber insurance, and when they do, it <a href="https://blog.1password.com/fluctuating-cyber-liability-insurance/">can cost more for less coverage</a>.&rdquo;</p> <h3 id="patients-pay-the-price">Patients pay the price</h3> <p>When these ransomware attacks occur, it&rsquo;s not just the hospitals or healthcare facilities that are affected — it can reach patients. A ransomware group, Hunters International, breached the Seattle-based Fred Hutchinson Cancer Center and sent <a href="https://www.bleepingcomputer.com/news/security/ransomware-gang-behind-threats-to-fred-hutch-cancer-patients/">blackmailing emails</a> not only to the hospital, but to over 800,000 patients as well. The threat actors threatened to leak their protected health information — from social security numbers to lab results — but that didn&rsquo;t work as effectively as they&rsquo;d hoped. Thus, they needed to escalate the stakes.</p> <p>Once the extortion emails failed, Hunters International took extreme measures to force payments. They <a href="https://www.theregister.com/2024/01/05/swatting_extorion_tactics/">threatened to swat patients</a> at their homes. 
<a href="https://www.darkreading.com/cyberattacks-data-breaches/swatting-latest-extortion-tactic-ransomware-attacks">Swatting</a>, a type of harassment where threat actors call the police repeatedly about a fictitious crime, often results in armed officers arriving at a specified address.</p> <p>Although there is no report that the swatting threats to Fred Hutch patients materialized, <a href="https://www.sentinelandenterprise.com/2024/01/05/athol-hospital-gets-bomb-threat-suspected-swatting/">other hospitals</a> have recently been swatted, and it&rsquo;s not hard to imagine ransomware criminals on the other side of the world eventually crossing this line to get a payout. Patients must wrestle with the possibility of such a traumatic and stressful event happening, as well as all the other ways their sensitive data could be weaponized against them. And that&rsquo;s not the full extent of these data breaches.</p> <p>When ransomware attacks affect hospitals, it&rsquo;s not just sensitive data or a potential shuttering that are on the line, but the care that determines someone&rsquo;s life. Ardent Health Services, a healthcare provider across six U.S. states, <a href="https://www.bleepingcomputer.com/news/security/ardent-hospital-ers-disrupted-in-6-states-after-ransomware-attack/">disclosed in November 2023</a> that its systems were hit by a ransomware attack, leading them to instruct all patients requiring emergency care to go to other hospitals — more often than not, hospitals that were further away – costing valuable time that can be the difference between life and death.</p> <p>All these stories are a testament to how, when healthcare professionals' medical mission is at odds with security policies, more often than not, patients bear the brunt of it. 
So while we can empathize with clinicians going around security procedures, we can&rsquo;t excuse it.</p> <h2 id="how-to-build-healthcare-security-systems-to-clinicians-needs">How to build healthcare security systems to clinicians' needs</h2> <p>When I asked Dr. Koppel how these healthcare security systems could be functioning better, he advised starting with end users. &ldquo;Study how work is actually performed,&rdquo; he said. &ldquo;View every workaround as a blessed symptom that enables you to see what is wrong with the current workflow process or rules.&rdquo;</p> <p>With all of the blessed symptoms we&rsquo;ve covered, there has to be a cure.</p> <h3 id="budget">Budget</h3> <p>Although we already covered the sizable disconnect between board members and CISOs, <a href="https://www.proofpoint.com/sites/default/files/white-papers/pfpt-us-wp-board-perspective-report.pdf">85% of healthcare board members</a> expect an increase in their cybersecurity budgets in 2023 and beyond – we can only hope!</p> <p>An increased budget will allow these IT and security teams to rework broken systems. Those same systems that are the bane of these clinicians' daily routines and partially responsible for poor security can now evolve into more realistic and reliable systems.</p> <p>For starters, rather than having a bunch of different <a href="https://blog.1password.com/authentication-methods/">authentication methods</a>, ditch the passwords and adopt more secure (and less disruptive) methods such as hardware and/or biometric authentication. 
This lets workers authenticate <a href="https://1password.com/product/passkeys">securely and instantaneously</a>, without the need to remember passwords.</p> <p>On top of that, make additional IT and security hires, so they&rsquo;ll have the time and bandwidth to train end users, ensure protocols are actually being followed (not just by hospital workers, but by <a href="https://www.tomsguide.com/computing/online-security/43-million-people-hit-in-massive-healthcare-data-breach-full-names-addresses-and-ssns-exposed-online">business partners</a> as well), and adjust them when you (inevitably) need to. Think of it this way: it&rsquo;s cheaper than shutting down.</p> <h3 id="user-first-security">User-first security</h3> <p>From what we&rsquo;ve gathered, healthcare security operates on what should <em>theoretically</em> work, but clinicians don&rsquo;t work in theory. They need <em>practical</em> security measures.</p> <p>Healthcare workers are often understaffed, overworked, and under pressure to see as many patients as possible. If you&rsquo;ve introduced an authentication measure that takes 10 seconds — how do you expect these healthcare workers, who are already under extreme stress, to find the time to authenticate hundreds of times a day?</p> <p>The good news is that fixing those settings doesn&rsquo;t have to require big investments; you can tweak the tools you already have in place.</p> <p>If you communicate with your clinicians, you&rsquo;ll most likely find that things like session sign-outs don&rsquo;t <em>need</em> to occur every 30 seconds. The less frequent they become (within reason), the less incentive clinicians will have to institute workarounds.</p> <p>That said, when you do come up with a workable policy, you also need to be firm in enforcing it. 
For instance, doctors and nurses keeping &ldquo;shadow notes&rdquo; opens the possibility that sensitive data is being kept on public hard drives and other unsafe places, potentially in violation of HIPAA.</p> <p>To address a workaround of this magnitude, once again, discuss with your clinicians why they are doing it, then work together to find a safer, <a href="https://blog.1password.com/find-and-secure-shadow-it/">non-shadow-IT</a> alternative where they can log information. After that, IT and Security teams will need to actively seek out unapproved shadow notes applications and files, eradicate them, and put that particular workaround to bed.</p> <p>Look, no security system is perfect. But if security teams establish effective working relationships with the end users they defend, progress can be made. Listening to end users, educating them about the importance of security, and then firmly and fairly enforcing policies is the heart of <a href="https://honest.security/">Honest Security</a>.</p> <p>Honest Security is a philosophy that lets end users and IT and security teams find common ground, relying on communication rather than top-down mandates. As we&rsquo;ve seen from the stories of healthcare workarounds, restrictive, cumbersome security workflows won&rsquo;t work, even if it&rsquo;s the &ldquo;right way.&rdquo; The facts tell us this!</p> <p>This can mean letting go of automation in favor of giving users agency. 
For instance, doctors won&rsquo;t tolerate an <a href="https://blog.1password.com/pros-and-cons-of-mdms/">MDM-forced restart</a> of their computer while they&rsquo;re entering patient notes, but they can do the restart themselves, on their own time, with <a href="https://blog.1password.com/what-is-device-trust/">adequate education and consequences</a>.</p> <h3 id="education">Education</h3> <p>One of the tenets of Honest Security is: &ldquo;End-users are capable of making rational and informed decisions about security risks when educated and honestly motivated.&rdquo;</p> <p>Bottom line: clinicians are never going to make time for even the best-designed system, <em>unless</em> they understand why it&rsquo;s important.</p> <p>But healthcare is like many other industries, in that education is treated as an afterthought, or a compliance checkbox. Only 57% of IT and security practitioners <a href="https://www.proofpoint.com/sites/default/files/threat-reports/pfpt-us-tr-cyber-insecurity-healthcare-ponemon-report.pdf">surveyed</a> say they conduct regular training and awareness programs.</p> <p>But from our own <a href="https://blog.1password.com/unmanaged-devices-run-rampant/#:~:text=1Password%20Extended%20Access%20Management%20comes,accessing%20your%20company's%20cloud%20apps.">shadow IT report</a>, we know that security training is surprisingly popular, if it&rsquo;s done right. 96% of workers (across teams and seniority) reported that training was either helpful, or would be helpful if it were better designed. So give it to them! That takes planning and commitment, since clinicians' time is valuable, and scheduling is a challenge, but you won&rsquo;t get results without it.</p> <h2 id="communication-is-the-best-medicine">Communication is the best medicine</h2> <p>When accessing data is a matter of life or death, there is no time for finger-pointing. 
For healthcare security to improve, it&rsquo;s paramount to get to the crux of the issue — instituting security policies that reflect the needs of clinicians without sacrificing the security of patients or the organization.</p> <p>And while healthcare is a particularly high-stakes industry, the lessons here apply everywhere. Any CISO or security professional could benefit from opening their eyes to the security workarounds in their organization, and using them as opportunities to learn from their end users about how the system could work better for everyone.</p> <p>Want to read more security stories like this one? <a href="https://1password.com/kolidescope-newsletter">Subscribe to the Kolidescope newsletter!</a></p></description></item><item><title>How audio deepfakes trick employees (and moms)</title><link>https://blog.1password.com/how-audio-deepfakes-trick-employees/</link><pubDate>Wed, 28 Aug 2024 00:00:00 +0000</pubDate><author>info@1password.com (Rachel Sudbeck)</author><guid>https://blog.1password.com/how-audio-deepfakes-trick-employees/</guid><description> <img src='https://blog.1password.com/posts/2024/how-audio-deepfakes-trick-employees-and-moms/header.png' class='webfeedsFeaturedVisual' alt='How audio deepfakes trick employees (and moms)' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">For bad actors, using synthetic voices is easy, cheap, and worryingly effective.</p> <p>In 1989, Mel Blanc, the originator and primary performer of Bugs Bunny, passed away. This left Warner Brothers with a major casting problem. Mel&rsquo;s performance was pretty distinctive, and finding someone who could do a perfect Bugs (the wry nasal quality, the vague New York accent) seemed an impossible task.</p> <p>Until Jeff Bergman brought two tapes to his audition. One featured Mel Blanc voicing Bugs, while on the other Bergman did <em>his</em> version of the rascally rabbit. 
In the audition, Bergman played the two recordings and asked if anyone in the room could tell the difference. Nobody could, and Bergman got the job.</p> <p>Thirty years later, another gifted impressionist managed to mimic their way to a paycheck. In 2019, the CEO of a <a href="https://www.wsj.com/articles/fraudsters-use-ai-to-mimic-ceos-voice-in-unusual-cybercrime-case-11567157402">U.K. energy firm</a> received a call from his boss ordering the urgent transfer of $243,000 to a Hungarian supplier. He recognized the slight German accent and timbre of his boss&rsquo;s voice, and duly transferred the money to the bank account given.</p> <p>It wasn&rsquo;t long before he learned that, like those Warner Brothers Executives, he&rsquo;d been fooled by a copycat. Only in this case, the impressionist was a piece of software, and the cost of this AI voice cloning attack was embarrassingly steep.</p> <img src='https://blog.1password.com/posts/2024/how-audio-deepfakes-trick-employees-and-moms/bugs-bunny-sup-doc.jpg' alt='A screenshot of bugs bunny laying on a lounge chair while on the phone.' title='A screenshot of bugs bunny laying on a lounge chair while on the phone.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>In September of 2023, the FBI, National Security Agency (NSA), and Cybersecurity and Infrastructure Security Agency (CISA) released a joint <a href="https://media.defense.gov/2023/Sep/12/2003298925/-1/-1/0/CSI-DEEPFAKE-THREATS.PDF">18-page document</a> warning of the growing risk AI deepfakes pose to organizations, as well as describing a few recent deepfake attacks. 
While many of these attacks were unsuccessful, they indicate a growing trend of bad actors harnessing generative AI tools to go after businesses.</p> <p>The role that phone calls have played in several recent hacks indicates that voice cloning isn&rsquo;t just being used by small-time scammers committing wire fraud; it&rsquo;s being deployed in complex phishing attacks by sophisticated threat actors.</p> <h2 id="anatomy-of-a-deepfake-voice-attack">Anatomy of a deepfake voice attack</h2> <p>On August 27th, 2023, Retool suffered a spear phishing attack which resulted in the breach of 27 client accounts. Retool described the attack in a <a href="https://retool.com/blog/mfa-isnt-mfa">blog post</a>, detailing a plan that had more layers than an Ari Aster movie.</p> <ol> <li> <p>Retool employees received texts informing them of an issue with their insurance enrollment. The texts included a url designed to look like their internal identity portal.</p> </li> <li> <p>One employee (because it only takes one!) logged into the false portal, including its MFA form.</p> </li> <li> <p>The attacker called the employee after the login. Here&rsquo;s a quote from Retool: &ldquo;The caller claimed to be one of the members of the IT team, and deepfaked our employee&rsquo;s actual voice.&rdquo;</p> </li> <li> <p>During the conversation, the employee provided the attacker with an additional MFA code. Retool notes that: &ldquo;The voice was familiar with the floor plan of the office, coworkers, and internal processes of the company.&rdquo;</p> </li> <li> <p>This code allowed the attacker to add their personal device to the employee&rsquo;s Okta account, thereby allowing them to produce their own MFAs. From there – due in no small part to Google&rsquo;s Authenticator synchronization feature that synced MFA codes to the cloud – the attacker was able to start an active GSuite session.</p> </li> </ol> <p>Again, a plan with a lot of layers! 
It goes from smishing (a text), to <a href="https://blog.1password.com/what-is-phishing-and-how-can-you-protect-your-business/">phishing</a> (a link), to good old fashioned vishing (a call). Rather than being the main tool of attack, as in the U.K. example, the deepfake element of the Retool leak is more like one particularly interesting knife in a whole arsenal.</p> <p>In fact, Retool&rsquo;s almost off-handed mention of voice deepfaking had <a href="https://arstechnica.com/security/2023/09/how-google-authenticator-gave-attackers-one-companys-keys-to-the-kingdom/">Dan Goodin of Ars Technica</a> speculating that the &ldquo;completely unverified claim — that the call used an AI-generated deepfake simulating the voice of an actual Retool IT manager — may be a similar ploy to distract readers as well.&rdquo;</p> <p>If it is a ploy, it&rsquo;s a successful one, since the artificial intelligence element of the story drew a lot of attention (and potentially distracted from Retool&rsquo;s larger point that Google&rsquo;s MFA policies were at fault). 
Regardless of its veracity, the role deepfaking plays in the narrative raises some questions:</p> <ul> <li> <p>How easy is it for someone to be audio cloned?</p> </li> <li> <p>How likely are users to be fooled by a voice deepfake?</p> </li> <li> <p>How concerned should security teams be about this?</p> </li> </ul> <h2 id="how-to-clonedeepfake-a-voice">How to clone/deepfake a voice</h2> <p>Let&rsquo;s start with the first question, since understanding the process that goes into creating an audio clone of someone can help us to better understand the likelihood of any one person (be it yourself, your boss, a random IT worker, or a <a href="https://www.npr.org/2024/05/20/1252495087/openai-pulls-ai-voice-that-was-compared-to-scarlett-johansson-in-the-movie-her">famous actress</a>) being deepfaked.</p> <p>Audio deepfakes are created by uploading recorded audio of someone&rsquo;s voice to a program which generates an audio &ldquo;clone&rdquo; of them through AI analysis that fills in blanks like new words, emotional affect, and accent.</p> <p>This voice &ldquo;clone&rdquo; is used either through text-to-speech (you type, and it reads the text out loud in the cloned voice) or speech-to-speech (you speak, and it converts the audio into the cloned voice). 
The growing ease and availability of speech-to-speech is a particular concern, since it makes real-time conversations easier to fake.</p> <h3 id="how-much-audio-do-you-need-to-make-a-voice-deepfake">How much audio do you need to make a voice deepfake?</h3> <p>We&rsquo;ll start by saying that the fearmongering and ad copy claiming &ldquo;only seconds of your voice are needed&rdquo; doesn&rsquo;t seem to be that realistic, at least not if someone is trying to create a high enough quality voice clone to pull off an attack.</p> <p>Resemble AI, for instance, <a href="https://www.resemble.ai/cloned/">markets itself as being able</a> to &ldquo;clone a voice with as little as three minutes of data.&rdquo; However, <a href="https://resemble.notion.site/resemble/Resemble-AI-Supported-Datasets-64e94dffc7fe4f518989df48d815879f">in their description</a> of their supported datasets, they state: &ldquo;we recommend uploading at least 20 minutes of audio data.&rdquo;</p> <p><a href="https://elevenlabs.io/voice-cloning">ElevenLabs</a>, meanwhile, a popular text-to-speech company, offers &ldquo;Instant Voice Cloning&rdquo; with only one minute of audio. For &ldquo;Professional Voice Cloning,&rdquo; meanwhile, the <em>minimum</em> <a href="https://elevenlabs.io/docs/voices/voice-lab/professional-voice-cloning">they recommend</a> is 30 minutes of audio, with three hours being &ldquo;optimal.&rdquo;</p> <p>Essentially, three minutes probably <em>can</em> make a clone, but it&rsquo;s not likely to be a clone that meets the demands of, say, calling a man and impersonating his German boss in a real-time conversation. 
As <a href="https://play.ht/voice-cloning/">Play.HT</a> puts it rather succinctly: &ldquo;the more audio you provide the better the voice will be.&rdquo;</p> <p>One rule of thumb seems to be that audio <a href="https://help.elevenlabs.io/hc/en-us/articles/13434364550801-How-many-voice-samples-should-I-upload-for-Instant-Voice-Cloning-#:~:text=Audio%20quality%20is%20the%20most,the%20stability%20of%20the%20clone.">quality is more important than quantity</a>. A smaller sample of audio recorded on a decent mic in a closed-off room is going to make a better clone than a larger sample of audio that was recorded on your phone at a train station. Most of the companies that make voice clones recommend clean, high-quality voice audio, without much or any background noise. Some prefer that any other speakers are edited out as well.</p> <p>So, if attackers need somewhere around 30 minutes to three hours of reasonably high-quality voice recording to generate a voice clone, how many of us are at risk? Unfortunately, a lot.</p> <p>According to a survey by <a href="https://www.mcafee.com/content/dam/consumer/en-us/resources/cybersecurity/artificial-intelligence/rp-beware-the-artificial-impostor-report.pdf">McAfee</a>, 53% of all adults share their voice online at least once a week (and 49% share it somewhere between five and ten times). For many people, it&rsquo;s easy enough to compile an hour or so of decent audio samples just through social media, like their TikTok or Instagram videos. If they have a podcast or YouTube channel, all the better.</p> <p>For CEOs and other high-level employees, getting audio clips is likely to be even simpler thanks to interviews and recorded speeches.</p> <p>One might hope that the voice cloning companies could be allies against the misuse of their products, and many of these services <em>are</em> adopting some kind of privacy or explicit consent model, having recognized the negative potential of unauthorized cloning. 
Unfortunately, there are just a whole lot of voice cloning services out there in the <a href="https://blog.1password.com/ai-browser-extension-nightmare/">wild west of AI</a>, many of which make no mention at all of consent. Even the ones that do mention it aren&rsquo;t particularly clear on what their consent process looks like.</p> <p>For instance, one company states: &ldquo;We moderate every voice cloning request to ensure voices are never cloned on our platform unethically (without the consent of the voice owner).&rdquo;</p> <p>But talk is cheap (or has a 30-day free trial), and when the company&rsquo;s &ldquo;sample voices&rdquo; include people like Barack Obama, Kevin Hart, and JFK, such statements ring a little hollow. It&rsquo;s hard to believe that all of those people (or their families) gave their explicit consent to be cloned.</p> <h2 id="how-susceptible-are-we-to-audio-deepfakes">How susceptible are we to audio deepfakes?</h2> <p>To be frank, most of us think we&rsquo;re a lot better at identifying audio deepfakes than we actually are. The term &ldquo;deepfake&rdquo; itself may create a false sense of confidence, since we associate it with online videos that we can usually tell are fakes (or <a href="https://www.ncbi.nlm.nih.gov/pmc/articles/PMC8602050/">like to think</a> we can). And when we think of text-to-speech, we probably imagine the highly artificial voices of Alexa or Siri. However, when it comes to audio-only deepfakes, the evidence indicates that humans just aren&rsquo;t very good at telling the real person from the clone.</p> <p>For instance, <a href="https://www.economist.com/culture/2023/07/20/ai-is-making-it-possible-to-clone-voices">The Economist</a> reported on how Taylor Jones, a linguist, found various statistical flaws in a clone made of his voice, but none of them prevented the clone from fooling his own mother during a conversation.</p> <p>Meanwhile, Timothy B. 
Lee ran a similar experiment for <a href="https://slate.com/technology/2023/04/descript-playht-ai-voice-copy.html">Slate</a>, and found that &ldquo;people who didn&rsquo;t know me well barely did better than a coin flip, guessing correctly only 54 percent of the time.&rdquo; (Lee&rsquo;s mom was also fooled.)</p> <p>Bear in mind that the people in Lee&rsquo;s experiment knew to be looking for a clone. And a lot of them <em>still</em> couldn&rsquo;t find it. Now consider that most people assume that a deepfake will automatically raise our &ldquo;uncanny valley&rdquo; hackles without us needing to be on the lookout for it. That confidence makes us even more vulnerable.</p> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div class="c-technical-aside-box__description"> Want to see if you can detect a voice deepfake? <strong><a href="https://docs.google.com/forms/d/17twq9o-4FpLk8cpHiPivNz0EOBQwP3e7d4oGRpH0t9Q/viewform?edit_requested=true/">Lee&rsquo;s experiment is still online, so you can try it for yourself.</a></strong> Just promise you&rsquo;ll come back and read the rest of the blog! </div> </aside> <h3 id="how-can-audio-deepfakes-compromise-company-security">How can audio deepfakes compromise company security?</h3> <p>In a social engineering attack like the one at Retool, bad actors try to make people feel rushed and stressed out. They&rsquo;ll target new hires who don&rsquo;t know people well and are unlikely to detect something &ldquo;off&rdquo; in the voice of a coworker they only just met. And in a remote workplace, you can&rsquo;t turn to the person in the next cubicle and ask what&rsquo;s going on, how suspicious you should be about this call from IT, or whether your refrigerator <em>is</em> running.</p> <p>A <a href="https://www.ibm.com/downloads/cas/ADLMYLAZ">2022 IBM</a> report found that targeted attacks that integrate vishing (voice phishing) are three times more likely to be effective than those that don&rsquo;t. 
This makes sense when we consider how social engineering works. It preys on human anxiety and urgency bias, as in the <a href="https://www.wsj.com/articles/fraudsters-use-ai-to-mimic-ceos-voice-in-unusual-cybercrime-case-11567157402">energy firm</a> case we talked about earlier, where &ldquo;the caller said the request was urgent, directing the executive to pay within an hour&hellip;&rdquo;</p> <p>Phone calls in and of themselves already make a lot of people anxious: <a href="https://ffb.co.uk/blog/630-phone-anxiety-affects-over-half-of-uk-office-workers">76% of Millennials and 40% of Baby Boomers</a>, according to a 2019 survey of English office workers. And when that phone call is from our boss, it&rsquo;s guaranteed to make us even more nervous.</p> <p>Just imagine getting a phone call from <em>your</em> boss. Not an email or Slack message. A call. The assumption for a lot of people would be that something urgent, serious, or capital &ldquo;b&rdquo; Bad was going on.</p> <p>When used in conjunction with other phishing attacks, a phone call also seems to confirm legitimacy. (That&rsquo;s in spite of the fact that phones are notoriously insecure – it&rsquo;s trivially easy for a hacker to use <a href="https://usa.kaspersky.com/resource-center/preemptive-safety/phone-number-spoofing">CID spoofing</a> to mask their real phone number.)</p> <p>You get a weird text in isolation and might not think too much of it. You get a weird phone call in isolation and probably won&rsquo;t answer it. But when a text is followed by a phone call, things feel more &ldquo;real.&rdquo; This is especially true when the bad actors have done their research and have enough information about the company to seem legitimate. 
We see this in the Retool attack, where the voice clone was just one of several methods used to build the sense of urgency and legitimacy required to get someone to slip up.</p> <p>It&rsquo;s also clear in the <a href="https://www.forbes.com/sites/thomasbrewster/2021/10/14/huge-bank-fraud-uses-deep-fake-voice-tech-to-steal-millions/?sh=781e193e7559">2020 case</a> of a Hong Kong branch manager who received a call from the director of his parent business. In this case, the course of the attack went:</p> <ol> <li> <p>The branch manager gets a call from the (deepfaked) director saying that they&rsquo;ve made an acquisition and need to authorize some transfers to the tune of 35 million USD. They&rsquo;d hired a certain lawyer to coordinate the process.</p> </li> <li> <p>The branch manager receives emails impersonating that lawyer (the name the attackers used belongs to an experienced Harvard graduate). The emails provide a general rundown of the merger, with a description of what money needs to go where.</p> </li> <li> <p>It all seems legit, so the manager authorizes the transfers.</p> </li> </ol> <p>This case is something of a middle ground between the Retool attack&rsquo;s complexity and the energy firm attack&rsquo;s simplicity. Make a call, follow up with some emails, and everything seems kosher to move forward.</p> <h3 id="what-about-voice-authentication">What about voice authentication?</h3> <p>We&rsquo;ve established that it&rsquo;s pretty easy to trick the human ear, but what about authentication systems that use voice as a form of biometrics? The verdict there is a bit more muddled.</p> <p>Voice authentication systems, which are used by some banks, have been the subject of a lot of attention in voice clone discussions. And what research is out there indicates that they <em>are</em> <a href="https://www.vice.com/en/article/dy7axa/how-i-broke-into-a-bank-account-with-an-ai-generated-voice">potentially vulnerable</a> to deepfakes. 
However, they&rsquo;re hardly the biggest threat to security.</p> <blockquote> <p>&ldquo;&lsquo;While scary deepfake demos are a staple of security conferences, real-life attacks [on voice authentication software] are still extremely rare,&rsquo; said Brett Beranek, the general manager of security and biometrics at Nuance, a voice technology vendor that Microsoft acquired in 2021. &lsquo;The only successful breach of a Nuance customer, in October, took the attacker more than a dozen attempts to pull off.'&rdquo; - The New York Times, &ldquo;<a href="https://www.nytimes.com/2023/08/30/business/voice-deepfakes-bank-scams.html">Voice Deepfakes Are Coming for Your Bank Balance,</a>&rdquo; Aug 30, 2023</p> </blockquote> <p>If your company uses voice authentication, then maybe reassess that and <a href="https://blog.1password.com/authentication-methods/">use a different biometric or hardware-based authentication method</a>. When it comes to protecting the other vulnerabilities exploited by audio deepfakes, though, it gets a little more complicated.</p> <h2 id="how-can-we-guard-against-voice-cloning-attacks">How can we guard against voice cloning attacks?</h2> <p>To summarize: Audio deepfakes are becoming easier, cheaper, and more realistic than ever before. On top of that, humans (yes, you too) aren&rsquo;t great at identifying them.</p> <p>So what can individuals and security teams do to guard against deepfakes?</p> <p>There are plenty of solid methods that companies can take to add some security to high-impact or high-risk calls in which an employee is being asked to transfer money or share sensitive data.</p> <p>Most of them are even pretty low-tech:</p> <ol> <li> <p>Integrate vishing into your company security training. 
Companies <a href="https://www.vox.com/technology/2023/9/15/23875113/mgm-hack-casino-vishing-cybersecurity-ransomware">often overlook</a> vishing, and employees need practice to recognize warning signs and think past that &ldquo;urgency bias.&rdquo; In trainings, remove &ldquo;urgency&rdquo; by giving employees <em>explicit permission</em> to always verify, verify, verify, even if it makes processes take a bit longer.</p> </li> <li> <p>If there are real situations in your business where sensitive interactions happen over the phone, establish <a href="https://www.mcafee.com/blogs/privacy-identity-protection/artificial-imposters-cybercriminals-turn-to-ai-voice-cloning-for-a-new-breed-of-scam/">verbal passwords</a> or code phrases (you could even keep them updated and shared <a href="https://1password.com/product/enterprise-password-manager">through an EPM</a>). This is common advice to <a href="https://www.latimes.com/business/technology/story/2023-05-11/realtime-ai-deepfakes-how-to-protect-yourself">families</a> worried about the uptick in &ldquo;kidnapping&rdquo; voice cloning scams.</p> </li> <li> <p>Hang up. No, <em>you</em> hang up! &lt;3 But seriously. Hang up and call the person back. It&rsquo;s <a href="https://www.npr.org/2023/03/22/1165448073/voice-clones-ai-scams-ftc">unlikely</a> that a hacking group has the power to reroute phone calls, unless there&rsquo;s also a <a href="https://blog.1password.com/what-is-sim-swapping/">SIM swapping</a> element to the attack. For high-stakes or unusual calls, establish as a best practice that recipients hang up, personally call the number on record for the person in question, and confirm the call and the request.</p> </li> <li> <p>Finally, yes, there are advancements in audio deepfake detection tools that promise the ability to detect fake voices (including offerings from the <a href="https://www.resemble.ai/deepfake-detection/">deepfake makers themselves</a>). 
It&rsquo;s certainly worth keeping an eye on these developments and considering how useful they may or may not be. Still, a tech solution focused only on deepfakes is not likely to be the most permanent or comprehensive solution for the broader problems that make vishing attacks successful.</p> </li> </ol> <h3 id="de-fang-deepfakes-with-device-trust">De-fang deepfakes with device trust</h3> <p>These are all protections against audio deepfake technology specifically. But in sophisticated cyberattacks, an audio clone probably won&rsquo;t be the silver bullet that single-handedly conquers a company&rsquo;s security. Compensating for them alone might not prevent an attack.</p> <p>For instance, in the case of the <a href="https://www.vox.com/technology/2023/9/15/23875113/mgm-hack-casino-vishing-cybersecurity-ransomware">MGM Casino Hack</a>, &ldquo;&hellip;it appears that the hackers found an employee&rsquo;s information on LinkedIn and impersonated them in a call to MGM&rsquo;s IT help desk to obtain credentials to access and infect the systems.&rdquo; By all accounts, artificial intelligence wasn&rsquo;t even necessary – just someone impersonating someone else the old fashioned way.</p> <p>In cases like Retool and <a href="https://blog.1password.com/mgm-hack/">MGM Casinos</a>, the goal isn&rsquo;t a one-time money transfer but a foothold into your systems, with the potential for an even bigger ransomware payout in the end. 
To protect against these kinds of attacks, you need <a href="https://blog.1password.com/how-zero-trust-strategy-interview/">Zero Trust</a> security to make sure that it&rsquo;ll take more than a phished set of credentials to get into your apps.</p> <p>For instance (pitch time), if a company like Retool had been using the <a href="https://1password.com/product/xam">1Password® Extended Access Management</a> device trust solution, this one phone call may not have been quite so destructive.</p> <p>As Retool describes that deepfaked phone call: &ldquo;Throughout the conversation, the employee grew more and more suspicious, but unfortunately did provide the attacker one additional multi-factor authentication (MFA) code&hellip; The additional OTP token shared over the call was critical, because it allowed the attacker to add their own personal device to the employee&rsquo;s Okta account.&rdquo;</p> <p>In a company using 1Password Extended Access Management, however, the user would have needed to:</p> <ol> <li> <p>Get approval to add our device trust agent to a new device. With 1Password Extended Access Management, no device can authenticate via Okta unless our agent is installed, which requires confirmation from the user (on their existing device) or an admin.</p> </li> <li> <p>Meet eligibility requirements. Even if the user or admin <em>did</em> approve the registration prompt, the device would have still needed to pass device posture checks in order to authenticate. Usually, this would include checking that the device is enrolled in the company&rsquo;s MDM, and can also include checking the device&rsquo;s location and security posture.</p> </li> </ol> <p>1Password Extended Access Management is customizable when it comes to which checks a company requires. 
It&rsquo;s possible that an organization might not require an <a href="https://www.kolide.com/docs/using-kolide/devices/device-registration#requiring-mdm-enrollment-on-mobile-devices">MDM check</a>, in which case the eventual MFA authentication still would have gone through. But with the right checks in place, this attack would have been much less likely, if not impossible.</p> <p>With all that in mind, we do want to stress that no single solution can stop all social engineering attacks, and there are no technological substitutes for good employee training.</p> <h2 id="ai-voice-cloning-is-a-new-twist-on-an-old-trick">AI voice cloning is a new twist on an old trick</h2> <p>It&rsquo;s no surprise that audio deepfaking is a headline-grabbing issue. It&rsquo;s new, it&rsquo;s high-tech, and it plays on some of our deepest fears about how easily AI technology can do things that once felt intrinsically human. Nonetheless, while voice cloning seems cutting edge, the principle behind it is as old as security itself. There&rsquo;s a <a href="https://www.smbc-comics.com/?id=2526">Saturday Morning Breakfast Cereal</a> cartoon that describes this very phenomenon as early as 2012.</p> <img src='https://blog.1password.com/posts/2024/how-audio-deepfakes-trick-employees-and-moms/comic.gif' alt='A saturday morning breakfast cereal cartoon from 2012 about audio deepfakes.' title='A saturday morning breakfast cereal cartoon from 2012 about audio deepfakes.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>Audio deepfakes represent a significant risk, but it&rsquo;s not a <em>new</em> risk. Voice cloning&rsquo;s biggest power lies in the ways it can enhance the believability of vishing attacks. 
But that advantage disappears if employees are clear about what they <em>should</em> believe and listen for on a call.</p> <p>Keeping teams educated and adding checks and stopgaps takes time, and that can be a tough sell, especially when there are AI vendors promising that <em>their</em> algorithm can do all the work for you. But to guard against social engineering attacks, security teams need to put as much focus on the human element as social engineers do. Adding a little time and friction is exactly what can make the difference between a &ldquo;split-second mistake&rdquo; and a &ldquo;measured response.&rdquo; Always give people the information they need to make the right call.</p> <p>Want to read more security stories like this one? <a href="https://1password.com/kolidescope-newsletter">Subscribe to the Kolidescope newsletter!</a></p></description></item><item><title>Journalist Geoff White reveals how high-tech money laundering networks operate</title><link>https://blog.1password.com/how-tech-money-laundering-works-interview/</link><pubDate>Tue, 27 Aug 2024 00:00:00 +0000</pubDate><author>info@1password.com (Jenn Marshall)</author><guid>https://blog.1password.com/how-tech-money-laundering-works-interview/</guid><description> <img src='https://blog.1password.com/posts/2024/how-tech-money-laundering-works-interview/header.png' class='webfeedsFeaturedVisual' alt='Journalist Geoff White reveals how high-tech money laundering networks operate' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">When it comes to hiding dirty money, it’s not just cryptocurrency we have to worry about, according to author, speaker, and investigative journalist Geoff White.</p> <p>White, who wrote the book <a href="https://geoffwhite.tech/book/"><em>Rinsed: From Cartels to Crypto: How the Tech Industry Washes Money for the World&rsquo;s Deadliest Crooks</em></a>, talked with 1Password&rsquo;s Matt Davey on the <a 
href="https://randombutmemorable.simplecast.com/">Random But Memorable</a> podcast about how cybercriminals are getting more and more creative in hiding their tracks.</p> <p>Read highlights from the interview or listen to the <a href="https://randombutmemorable.simplecast.com/episodes/worst-computer-outage-apocalypse">full podcast episode</a> as White reveals the intricacies of money laundering networks and dives into a fascinating overview of criminal tactics to wash stolen funds, from using real-world mule networks to volunteers’ bank accounts.</p> <div style="text-align: center !important;"> <iframe src="https://www.youtube-nocookie.com/embed/WIBjxahKnok?si=T4VOQc-FvMj6aC-f" frameborder="0" allow="autoplay; encrypted-media" width="500px !important;" height="281px !important;" style="width: 500px !important; height: 281px !important; display: inline-block !important" allowfullscreen></iframe> </div> <p><em>Editor’s note: This interview has been lightly edited for clarity and brevity. The views and opinions expressed by the interviewee don’t represent the opinions of 1Password.</em></p> <p><strong>Matt Davey: Could you give a brief overview of your new book, and what inspired you to write it?</strong></p> <p><strong>Geoff White:</strong> <em>Rinsed</em> is about money laundering and specifically how technology has started to change the industry of money laundering. It’s an industry. It’s a very professionally set up network of criminals who launder money. The reason I wrote the book was because I&rsquo;ve done a lot of stuff on North Korean computer hacking. Notably, a podcast series and book called <em><a href="https://www.amazon.co.uk/Lazarus-Heist-Based-Hit-podcast/dp/0241554276">The Lazarus Heist</a></em>, which is about North Korea and how North Korea became a computer hacking superpower.</p> <p>North Korea, for various reasons, has been sanctioned by the international community, so it&rsquo;s been cut off from international trade and finance. 
North Korea struggles for money. The accusation is that North Korea has tasked its government computer hackers with pulling in cash for the regime.</p> <p>When I investigated this, what I found was that they were very good at breaking into cryptocurrency companies and banks and insurance companies. But when they get their hands, digitally, on the money, moving, hiding, and extricating it was something that they relied on a whole different set of characters for. These people are equally technologically savvy but in a different way. They understand international finance, how to set up money mule accounts, how to move money from one jurisdiction to another, and how to launder cryptocurrency.</p> <blockquote> <p><em>&ldquo;Money is increasingly being digitized and washed through high-tech money laundering networks.&quot;</em></p> </blockquote> <p>What I found was this cybercrime community – it&rsquo;s not just North Korea but cybercriminals in general – were reliant on these money laundering networks. Many types of organized crime, like cartel drug dealing, large-scale prostitution, and fraud rings exist to make money. That money is increasingly being digitized and washed through these high-tech money laundering networks. That&rsquo;s what made me want to write a book about it.</p> <p><strong>MD: How has the transition to a digital economy impacted money laundering?</strong></p> <p><strong>GW:</strong> There&rsquo;s a couple of things that have happened. It&rsquo;s happened in both traditional finance and what you might call “new finance”. In traditional finance, including normal, standard banks and very old financial institutions, we&rsquo;ve had this sudden rush towards digitization, virtualization, and a frictionless, faster economy. Look at things like online account creation, faster payments, contactless payments, and so on. The idea of all these innovations is: make it easy, smooth, and quick.</p> <p>The COVID pandemic really pushed that forward. 
Banks were largely closed – we weren&rsquo;t going out. Online account creation and management had to be part of the deal. That fast-forwarded a trajectory that was already happening. For money launderers, what that means is you can bounce your money through many banks very quickly, which makes it potentially hard for law enforcement agencies to keep up.</p> <p>You&rsquo;ve also got the emergence of what you might call “new finance”. You’re probably familiar with cryptocurrencies like Bitcoin. But there&rsquo;s also things like NFTs and video game currencies. There are huge amounts of money sloshing around video games like <em>Call of Duty.</em> Money launderers have spotted these new fringe bits of the financial community that a lot of people don&rsquo;t really think of as “money”.</p> <blockquote> <p><em>&ldquo;There are huge amounts of money sloshing around video games like Call of Duty.&quot;</em></p> </blockquote> <p>The money launderers are thinking: &ldquo;If I can put some of my funds into that, great. It&rsquo;s international. It&rsquo;s not particularly well regulated and it moves at lightning speed. That&rsquo;s ideal territory for me as a money launderer to get involved in.&rdquo;</p> <p>Both on the traditional finance side and the new finance side, we&rsquo;ve seen innovations that, mostly inadvertently and unwittingly, assist the kind of high-tech money laundering that I&rsquo;m talking about.</p> <p><strong>MD: I&rsquo;ve never really thought about video game currency being a way to do that. It&rsquo;s kind of fascinating.</strong></p> <p><strong>GW:</strong> Absolutely, yeah. I mentioned <em>Call of Duty</em>. The way these games work is there&rsquo;s often an in-game market. 
With <em>Call of Duty</em>, there was a sort of side market where you could buy and sell assets for the game.</p> <p>At one point, that side market was suspended because the makers of the game said: &ldquo;Look, we believe this entire market has been taken over by criminals, people washing money through this marketplace.&rdquo; Millions and millions of dollars were being laundered through the game without anybody realizing it.</p> <p><strong>MD: Your book describes how organized criminals and cybercriminals are joining forces. Can you elaborate on how these alliances operate?</strong></p> <p><strong>GW:</strong> I think people have the idea that cybercrime happens in cyberspace. It&rsquo;s ethereal, it&rsquo;s ones and zeros. And often, they feel it&rsquo;s almost a victimless crime. I think that&rsquo;s particularly the case with crimes around cryptocurrency. I think a lot of people think: &lsquo;If a person loses their stash of bitcoins, a) Have they really lost anything? It was never real in the first place, and b) more fool them because they were speculating on this bizarre cryptocurrency.&rsquo; However, all that stuff is real money, it has real value.</p> <p>What’s interesting is, at a certain point, digital cybercrime starts to hit street level. Because at some stage, criminals (I include North Korea in this and the allegations against it) and also cybercrime gangs, they want to buy a yacht, a nice apartment, a nice dinner in a fancy restaurant. In North Korea&rsquo;s case, they might want to buy nuclear weapons and missiles, which is obviously the very serious side of this.</p> <blockquote> <p><em>&ldquo;At a certain point, digital cybercrime starts to hit street level.&quot;</em></p> </blockquote> <p>You need to pull your money into some kind of real-world environment. Often, what’s going on there is street-level money muling gangs. 
You need people who&rsquo;ve got dudes who go round to ATMs and withdraw the money for you.</p> <p>In one of the North Korean cases in 2018, they hacked into a bank in India. They managed to compromise the bank&rsquo;s ATM software. What that meant was anybody at an ATM or cashpoint, anywhere around the world with one of this bank&rsquo;s cards, could put it into a machine and withdraw as much money as they liked.</p> <p>That&rsquo;s fantastic for the North Korean hackers who allegedly were behind this, but, of course, they&rsquo;ve got a problem. They&rsquo;ve got to get people around the world to go to cashpoints. They managed to pull out, I think it was $11 million in 29 different countries, and all within two hours. They had a street team of people, hundreds of people, going from cashpoint to cashpoint.</p> <p>It needed to be coordinated in multiple different countries, with people speaking multiple different languages. It was an immense operation to configure and to get on the go. It&rsquo;s an absolutely fascinating story.</p> <p>Of course, at that point, you&rsquo;ve got dudes running around in 29 countries with wads of physical cash. How do the hackers in Pyongyang, the capital of North Korea, get the money reconciled back to them? I found that really fascinating, this sort of border space between very, very high-tech cybercrime, but also street-level gangs and money launderers.</p> <p><strong>MD: There&rsquo;s a bunch of wild stories in your book. Could you share one or two that really stood out to you during your research?</strong></p> <p><strong>GW:</strong> The one I think that really stunned me was a very bizarre journey that ended up in a very strange space. Again, it&rsquo;s an alleged North Korean job. They were accused of breaking into a video game that was popular in Southeast Asia called <em>Axie Infinity</em>, back in 2022.</p> <p>At one point, the company behind it was valued at about $2 billion, so it was hugely successful. 
In the game, you were playing with these little characters called Axies, which were based on salamanders. You were wrestling them and fighting them in the game. That was the gameplay, but what was actually behind it was a cryptocurrency marketplace. You could buy and sell your little characters in the game, and what you were effectively buying and selling was cryptocurrency.</p> <div style="text-align: center !important;"> <iframe src="https://www.youtube-nocookie.com/embed/oMa8cc6YxSI?si=KjFISBFaBOcguxhe" frameborder="0" allow="autoplay; encrypted-media" width="500px !important;" height="281px !important;" style="width: 500px !important; height: 281px !important; display: inline-block !important" allowfullscreen></iframe> </div> <p>Hackers spotted the massive amounts of money sloshing around in this game and decided to steal as much of it as they could. They broke into the game by sending an employee of the company a phishing message, pretending to recruit them for a really highly paid, fancy job. The employee of the company thinks, &ldquo;Well, that&rsquo;s great. I&rsquo;ll get more salary.&rdquo; They fall for the phishing attempt and download a document laced with the virus, which allowed the hackers access to the game and the game&rsquo;s servers.</p> <blockquote> <p><em>&ldquo;They broke into the game by sending an employee of the company a phishing message.&quot;</em></p> </blockquote> <p>After a bit of chicanery, they managed to pull out $625 million. I think that’s the largest amount of money stolen in one go from one victim.</p> <p>And this is certainly the fastest heist of all time, because stealing that cryptocurrency – which was in the form of crypto and could be transferred out digitally – took 1 minute and 55 seconds.</p> <p>You know that you can trace cryptocurrency transactions through this publicly available online ledger called the blockchain. 
So, the hackers can steal the money, but it&rsquo;s obvious where it&rsquo;s gone – it&rsquo;s gone into particular crypto wallets. So, what they did next was to take the currency and put it into what&rsquo;s called a mixer, a thing called Tornado Cash. As the name suggests, it mixes the incoming crypto with existing crypto and then spits it back out to a fresh wallet address. The idea is to sever the connection between the incoming money and the outgoing money.</p> <blockquote> <p><em>&quot;[Tornado Cash] mixes the incoming crypto with existing crypto and then spits it back out to a fresh wallet address.&quot;</em></p> </blockquote> <p>About half a billion dollars of the stolen <em>Axie Infinity</em> money goes through Tornado Cash, is mixed, and is now out there in the wild. We have no idea who&rsquo;s got it or where it went. You could think: &ldquo;Well, what a terrible thing Tornado Cash is, what a terrible thing they&rsquo;ve done to launder half a billion dollars for the North Koreans.&rdquo;</p> <p>But a lot of people in the crypto community and tech community have actually defended Tornado Cash and said, &ldquo;Well, look, that&rsquo;s not great, but we need services like Tornado Cash to preserve our privacy, to preserve basic freedoms and liberties when we&rsquo;re using cryptocurrency, which is, after all, all traceable.&rdquo;</p> <p>We now have this amazing freedom of speech, privacy-type debate at the heart of the U.S. government, stemming from this attempt to launder the money from the North Koreans, based on a video game involving salamanders. If you wrote it as a fiction, people probably wouldn&rsquo;t believe it happened, but it&rsquo;s all true.</p> <p><strong>MD: Do you think there&rsquo;s movie scripts for this in the process of being made into a movie? 
In <em><a href="https://en.wikipedia.org/wiki/The_Beekeeper_(2024_film)">The Beekeeper</a></em>, I enjoyed how they made the ransomware company almost like multi-level marketing, like sales-driven. They had bells and cheering and that type of thing. It was a good way to kind of visualize it.</strong></p> <p><strong>GW:</strong> It was. It was sort of like <em>The Wolf of Wall Street</em> meets cybercrime. That&rsquo;s actually based on reality. These scam organizations and ransomware organizations, they are professional Monday to Friday, 24-hour operations. They have workers who clock in and out. They have recruitment, they have payroll, they have, to a certain extent, marketing. That is how it works.</p> <p><strong>MD: Do you think we stop at some point using the term “cybercriminal” and instead just use “organized crime”? Because it does seem like both are very organized.</strong></p> <p><strong>GW:</strong> Yes, cybercrime is almost always a branch of organized crime. Here&rsquo;s something I&rsquo;ve started thinking about quite a lot recently: when you or I work for a legitimate organization, if something goes wrong, you can complain. You can maybe sue in the courts. You might go to the police or the government or whatever. If you&rsquo;re in an organized crime gang, you can&rsquo;t do that. If a drug gang stitches you up and doesn&rsquo;t pay you, you can&rsquo;t go to the police.</p> <p>Organized crime has to organize people together who are innately untrustworthy. They&rsquo;re all crooks. How do you trust people who are fundamentally not to be trusted? The answer to that, traditionally, has been violence. If you rip me off, I will break your legs.</p> <p>Increasingly, in organized cybercrime particularly, and also in a lot of organized financial crime, you don&rsquo;t have that. You&rsquo;re not working in the same country. You&rsquo;re not physically close enough to somebody to do violence to them. 
A lot of these cybercrimes, people are working under pseudonyms. You don&rsquo;t even know, even if you could work out where they are, whose legs to break.</p> <blockquote> <p><em>&ldquo;Organized crime gangs are starting to use intricate trust networks and trust systems.&quot;</em></p> </blockquote> <p>As organized crime becomes more distributed, as it becomes more digitized and more virtual and the money becomes more virtual, more of those organized crime gangs are starting to use intricate trust networks and trust systems. It&rsquo;s working: fraud rings are happening across the world. Clearly, they&rsquo;re prepared to cooperate together and there&rsquo;s a level of trust there that allows all this to happen that goes way beyond the trust you would get just from being able to inflict violence on people.</p> <p><strong>MD: Going back to Tornado Cash, wasn&rsquo;t the founding principle of Bitcoin supposed to be this kind of open ledger that everybody could track?</strong></p> <p><strong>GW:</strong> Yes, it&rsquo;s a good question. The issue that virtual currencies had prior to Bitcoin was what&rsquo;s called the double-spend problem. That means, if I&rsquo;m sending a virtual currency, I could send that to two people at the same time simultaneously. Both of them would apparently have received a transfer from me, and I&rsquo;ve effectively spent one of my virtual coins twice on two people.</p> <p>The way Bitcoin got around that was the blockchain, this open-source ledger where you could instantly see who&rsquo;d sent what money to whom. There were voluntary auditors who would check all those transactions, make sure nobody had pulled the fast one, and in return, be rewarded with virtual currency. That was the massive innovation of Bitcoin and the blockchain behind it.</p> <p>Now, obviously, you can see the transaction go from a wallet to a wallet, but you can&rsquo;t necessarily know who owns those wallets. There&rsquo;s no names attached to them. 
It was always meant to be pseudonymous. There were arguments about whether it&rsquo;s anonymous because your wallet address is kind of a pseudonym for you.</p> <p>Increasingly, the game is, can we link those wallet addresses to individuals? On the dark web, for example, if I set up shop and I say: &ldquo;Hey, if you want to pay me for stolen credit cards or whatever, pay me into this Bitcoin wallet address.&rdquo; Well, from then on, you know that my dark web identity is linked to that Bitcoin wallet address. If I get arrested and exposed, you can link my name to that Bitcoin wallet address. Deanonymizing this network&rsquo;s been part of the game.</p> <blockquote> <p><em>&ldquo;if you use it correctly, you can use Bitcoin anonymously.&quot;</em></p> </blockquote> <p>But if you use it correctly, you can use Bitcoin anonymously. It&rsquo;s just for a lot of people, that&rsquo;s not necessarily what they&rsquo;re after. And for some people, they try and be anonymous, but they get caught out.</p> <p>What&rsquo;s interesting now is the debate within the crypto community of people saying: &ldquo;Well, yeah, I understand all of that, but I want anonymity. I get that with cash. I can withdraw cash and no one can attach it to me. I want the same thing from cryptocurrency. I want privacy. I don&rsquo;t want to be tracked.&rdquo;</p> <p>Interestingly, we&rsquo;re seeing this around this thing called Central Bank Digital Currencies, CBDCs. This is the idea that, at a government level, these blockchain ledgers and these tracking systems will be used. There are some people who are very concerned about that in terms of government surveillance and privacy. 
That side of the debate is saying: &ldquo;We need privacy and we need these sort of mixers like Tornado Cash.&rdquo; So yeah, the debate is super fascinating and a lot wider, I think, than people would think at first blush.</p> <p><strong>MD: What are some of the other techniques and technologies that cybercriminals are using to launder money in today&rsquo;s digital age?</strong></p> <p><strong>GW:</strong> One of the cases I&rsquo;ve covered in the book is a crime group called <a href="https://www.bbc.co.uk/news/world-africa-59614595">The Black Axe</a>, which originated in Nigeria in the 1970s. It&rsquo;s become an international conglomerate. I think I describe it in the book that they have people everywhere. Wherever you want to launder money, there&rsquo;s usually a Black Axe operative who can help you out.</p> <p>What&rsquo;s fascinating is the ground operation that they&rsquo;ve got. People like you and me who, in exchange for a small fee, will hand over their bank details and allow their bank account to be used for money to be washed through.</p> <p>You might think: &ldquo;Well, that&rsquo;s street level, that&rsquo;s not particularly advanced or sophisticated.&rdquo; First, you need those street-level operatives, because changing it into cash is the ultimate step of obscuring the money trail and laundering the money.</p> <blockquote> <p><em>&ldquo;Changing it into cash is the ultimate step of obscuring the money trail.&quot;</em></p> </blockquote> <p>Second, there is a very high-tech aspect to this because social media is being used as the recruiting tool. If you go on Instagram and Snapchat and you follow the right hashtags and accounts, you&rsquo;ll see, I don&rsquo;t know what the figure would be, it&rsquo;s certainly in the hundreds or thousands worldwide, possibly even millions of accounts that are encouraging people into this. They say: &ldquo;Look, you can make big money. 
Here&rsquo;s the expensive watches you can buy if you take part in this exercise.&rdquo;</p> <p>There&rsquo;s this use of advanced social media recruitment tactics to pull people in. And of course, if your money mule gets caught weeks, months, or years later, who cares? You&rsquo;ve rinsed the money to their account, it&rsquo;s their problem, they&rsquo;re the ones getting taken to court. I find that super fascinating in terms of using high-tech means of social media for what is quite, in the end, a low-tech exercise.</p> <p><strong>MD: Fascinating that people do it, especially coming from social media. I think the inherent untrustworthiness of the number of scams, you&rsquo;d really avoid it. But I guess the watches and the cars really draw people in.</strong></p> <p><strong>GW:</strong> Gangs are extremely used to convincing people. One of the interesting things they will say is: &ldquo;Empty your bank account of money, then give us your bank account login, and there&rsquo;s no money there for us to steal. We&rsquo;re just going to push money through your account. By the way, once we&rsquo;re done, you&rsquo;ll be left with £500,&rdquo; or whatever it is.</p> <p><strong>MD: In terms of the authorities, what do you think is the biggest challenge they face when trying to crack down on these networks?</strong></p> <p><strong>GW:</strong> First, it&rsquo;s knowledge. There&rsquo;s this interesting cultural aspect, certainly in British policing, and it might be the case in other countries as well. I feel like people join the police because they want to jump in a fast car with blue lights and sirens flashing and put someone in handcuffs who&rsquo;s an evil wrongdoer. I think that&rsquo;s still a motivation for a lot of people signing up for the police.</p> <p>Increasingly, crime is being virtualized, it&rsquo;s becoming economic. We have epidemic rates, I believe, of fraud in the UK and worldwide at the moment. 
With those fraud gangs, you&rsquo;re not going to jump in a car, bash down a door and put that person in handcuffs because they&rsquo;re based in different jurisdictions. We talked earlier about that case, the 29 different countries. That&rsquo;s a deliberate tactic by the crime gangs. The more countries you base yourself in, the harder it&rsquo;s going to be for any one country&rsquo;s law enforcement team to track you down.</p> <blockquote> <p><em>&ldquo;The more countries you base yourself in, the harder it&rsquo;s going to be for any one country&rsquo;s law enforcement team to track you down.&quot;</em></p> </blockquote> <p>There are efforts to coordinate this. In the UK, we have the National Crime Agency that does international operations. They will work with the FBI. There&rsquo;s, of course, Interpol and Europol who do work around this. But so many of these scams are happening to individuals at a local level. From a lot of people&rsquo;s experiences that I hear about, going into your local police station to report this, you just don&rsquo;t feel you&rsquo;re getting anywhere.</p> <p>That&rsquo;s the other issue: if you report it to your local police station, they will log it, they will record the details. It could be years down the line – your case and your evidence helped with the prosecution of some massive case. But by that stage, your local police officer is not going to phone you up and say, &ldquo;Oh, by the way, you reported two years ago. It turns out we arrested the person &hellip; By the way, you&rsquo;re not going to get your money back, but thank you for your help.&rdquo; That just doesn&rsquo;t happen.</p> <p>I think the public for the most part thinks: &ldquo;What&rsquo;s the point of reporting? I&rsquo;m not going to get my money back. 
I&rsquo;m not going to be seeing my perpetrator in handcuffs.&rdquo; For all of these different reasons, cybercrime is a difficult one to crack for law enforcement.</p> <p><strong>MD: What is the best way that the average person or organization can prevent themselves from becoming targets of cyber attacks?</strong></p> <p><strong>GW:</strong> You may not be tempted in with the promise through social media of a few hundred pounds or dollars or euros or whatever to make your bank account available. But you will have younger friends, maybe sons or daughters who might be. It&rsquo;s worth alerting them and saying: &ldquo;Look, there&rsquo;s a scam going round where they try and get access to your bank account. You do realize that&rsquo;s a criminal offense, you&rsquo;ll go to jail for that.&rdquo;</p> <p>More generally, be wary of fraud and impersonation crimes. You’ll see phishing messages coming into your Facebook account, Instagram, Twitter direct messages, LinkedIn, and that kind of thing. It’s increasingly difficult to really know that a message actually came from the person who appeared to send it. Particularly, the scaling up of artificial intelligence and the use of deep fakes. Voice calls in the voice of the person that you think you know are increasingly doable. Next, you&rsquo;ll be able to get a video call from somebody who really does look like your friend on a video call.</p> <p>We all have to up our defenses. To start, if there&rsquo;s a message you receive that has anything to do with money, credit card details, bank account transfers, passwords, anything like that, the alarm bell should ring to say, &ldquo;I think this is my friend or my colleague or my son or daughter or whatever, but I need to check. I just need to put some extra thing in place to check.&rdquo;</p> <p>We&rsquo;re seeing cases all over the place. 
We&rsquo;re seeing elderly relatives getting calls apparently from their younger family members saying, &ldquo;I&rsquo;m trapped in this country. I&rsquo;ve lost my passport. Can you send me money?&rdquo;</p> <p>We&rsquo;re seeing it at a really high level as well. In Hong Kong, a big firm called Arup was caught out losing $25 million because there was a fake video of not just the chief executive, but senior members of the team that a senior finance person fell for and transferred $25 million. I think basically any conversation, any contact that you get that has anything to do with money, the alarm bell just immediately needs to ring for us, whether it&rsquo;s in our private life or professional life.</p> <p><strong>MD: Where can people go to learn more about you or purchase the book?</strong></p> <p><strong>GW:</strong> My website&rsquo;s <a href="https://geoffwhite.tech/">geoffwhite.tech</a>. And the book, <em>Rinsed</em>, is on <a href="https://www.amazon.co.uk/dp/0241624835">Amazon</a> and also <a href="https://uk.bookshop.org/p/books/rinsed-how-tech-is-revolutionizing-money-laundering-geoff-white/7618854?ean=9780241624838">bookshop.org</a>, for those in the UK.</p> <section class="c-call-to-action-box c-call-to-action-box--orange"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Subscribe to Random but Memorable</h3> <p class="c-call-to-action-box__text"> Listen to the latest news, tips and advice to level up your security game, as well as guest interviews with leaders from the security community. 
</p> <a href="https://randombutmemorable.simplecast.com/" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--orange" data-event-category="CTA" data-event-action="call-to-action-button"> Subscribe to our podcast </a> </div> </section></description></item><item><title>Top 11 cybersecurity podcasts we're listening to</title><link>https://blog.1password.com/top-11-cybersecurity-podcasts/</link><pubDate>Fri, 23 Aug 2024 00:00:00 +0000</pubDate><author>info@1password.com (Kenny Najarro)</author><guid>https://blog.1password.com/top-11-cybersecurity-podcasts/</guid><description> <img src='https://blog.1password.com/posts/2024/top-11-cybersecurity-podcasts/header.png' class='webfeedsFeaturedVisual' alt='Top 11 cybersecurity podcasts we're listening to' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">We are lucky enough to be living through the golden age of podcasts. Whatever subject you&rsquo;re into, you can bet there&rsquo;s someone out there talking into a microphone about it, and cybersecurity is no exception.</p> <p>In fact, when it comes to security, IT, and digital trends, there are so many choices that it can be tough to know where to start.</p> <p>Luckily, we did the work for you, and we&rsquo;ve come up with a list of podcast recommendations that has something for everyone. While we&rsquo;re particularly proud of our own podcast, <a href="https://randombutmemorable.simplecast.com/">Random but Memorable</a> (more on that later), we wanted to highlight some of our other favorite podcasts in the infosec space. 
Whether you&rsquo;re looking for a deep dive into new tech, a juicy data breach story, or just a laugh, you&rsquo;ll find something on this list worth checking out.</p> <p>And while reading blog articles from your favorite cybersecurity companies (ahem) will always be a good way to stay in the know, sometimes it&rsquo;s nice to give your eyes a break and listen to the news.</p> <p>So buckle in, grab some headphones, and have fun discovering what might be your new favorite podcast!</p> <p>In no particular order&hellip;</p> <h2 id="1-cyberwire-daily-securitys-six-oclock-news">1. CyberWire Daily: Security&rsquo;s Six O&rsquo;Clock News</h2> <ul> <li> <p>Hosted By: Dave Bittner</p> </li> <li> <p>Website: <a href="https://thecyberwire.com/podcasts/daily-podcast">https://thecyberwire.com/podcasts/daily-podcast</a></p> </li> <li> <p>X: <a href="https://twitter.com/thecyberwire">https://twitter.com/thecyberwire</a></p> </li> <li> <p>Episode Frequency: Every weekday</p> </li> <li> <p>Average Episode Length: 20 to 30 minutes</p> </li> </ul> <p>Through host Dave Bittner&rsquo;s Walter Cronkite-like delivery, you will find yourself immersed in the state of cybersecurity with daily breakdowns of the biggest news stories and interviews with a wide-ranging Rolodex of experts. Bittner&rsquo;s pace during the news portion of the podcast is steady but swift, while the interview portion slows down and focuses on fluid conversations. 
Although CyberWire produces many podcasts in the realm of cybersecurity, <em>CyberWire Daily</em> is the flagship podcast of the network for a reason – its format and host just work.</p> <div style="text-align: center !important;"> <iframe src="https://www.youtube-nocookie.com/embed/4ogk9GiVbOM" frameborder="0" allow="autoplay; encrypted-media" width="500px !important;" height="281px !important;" style="width: 500px !important; height: 281px !important; display: inline-block !important" allowfullscreen></iframe> </div> <h2 id="2-smashing-security-hot-takes-real-laughs">2. Smashing Security: hot takes, real laughs</h2> <ul> <li> <p>Hosted By: Graham Cluley and Carole Theriault</p> </li> <li> <p>Website: <a href="https://www.smashingsecurity.com/">https://www.smashingsecurity.com/</a></p> </li> <li> <p>X: <a href="https://twitter.com/SmashinSecurity">https://twitter.com/SmashinSecurity</a></p> </li> <li> <p>Episode Frequency: Every Wednesday</p> </li> <li> <p>Average Episode Length: 40 to 60 minutes</p> </li> </ul> <p>Cybersecurity podcasts aren&rsquo;t particularly well-known for being funny. However, hosts Graham Cluley and Carole Theriault say: away with your preconceived notions! They deliver weekly ribbings to the world of computer security by covering hacking, cybercrime, online privacy, and everything in between. Come for the latest cyber news stories and stay for the expert commentary wrapped in friendly banter.</p> <div style="text-align: center !important;"> <iframe src="https://www.youtube-nocookie.com/embed/VDtwD3ZcW5o" frameborder="0" allow="autoplay; encrypted-media" width="500px !important;" height="281px !important;" style="width: 500px !important; height: 281px !important; display: inline-block !important" allowfullscreen></iframe> </div> <h2 id="3-risky-business-gateway-to-the-world-of-cybersecurity">3. 
Risky Business: gateway to the world of cybersecurity</h2> <ul> <li> <p>Hosted By: Patrick Gray and Adam Boileau</p> </li> <li> <p>Website: <a href="https://risky.biz/">https://risky.biz/</a></p> </li> <li> <p>X: <a href="https://twitter.com/riskydotbiz">https://twitter.com/riskydotbiz</a></p> </li> <li> <p>Episode Frequency: Every Wednesday</p> </li> <li> <p>Average Episode Length: 50 to 60 minutes</p> </li> </ul> <p>Patrick Gray and Adam Boileau have been covering cybersecurity since 2007, and use their years of experience to discuss the latest news with authority and strong opinions. From their staunch stance against push-based 2FA to their belief in corporate responsibility regarding hacks, <em>Risky Business'</em> weekly download of news stories provides the ideal middle ground for everyone from security newcomers to the most seasoned security professionals.</p> <p>As Jason Meller put it: &ldquo;I like Risky Business because Patrick Gray (the host) is a journalist that understands the stories at a deep level and often has unique insights versus other coverage, which is just repeating basic facts.&rdquo;</p> <p><strong><a href="https://risky.biz/soapbox88/">Listen to an episode, here.</a></strong></p> <h2 id="4-darknet-diaries-the-serial-of-cybersecurity">4. Darknet Diaries: the &ldquo;Serial&rdquo; of cybersecurity</h2> <ul> <li> <p>Hosted By: Jack Rhysider</p> </li> <li> <p>Website: <a href="https://darknetdiaries.com/">https://darknetdiaries.com</a></p> </li> <li> <p>X: <a href="https://twitter.com/DarknetDiaries">https://twitter.com/DarknetDiaries</a></p> </li> <li> <p>Episode Frequency: 1 to 2 a month</p> </li> <li> <p>Average Episode Length: 40 to 70 minutes</p> </li> </ul> <p>&ldquo;Scams going on out there today are getting&hellip;wild.&rdquo; We couldn&rsquo;t have said it better ourselves. Host Jack Rhysider understands that the internet is as wide as it is deep and its underbelly doesn&rsquo;t get talked about enough. 
<em>Darknet Diaries'</em> mission is to uncover and explain these little-covered stories of cybercrime, but what DD does best is how it packages the information. The podcast does an incredible job in setting a noirish ambiance with a synthesizer-heavy score to turn dry stories into compelling narratives.</p> <p>1Password Rails engineer Caitlin Cabrera finds a lot of positive value in learning about these dark stories, saying: &ldquo;these concepts of preventing outside intrusion and mitigating threats relate directly to our mission of Honest Security. Specifically these stories show how when employees and customers trust security products and feel valued, it can reduce intrusion.&rdquo;</p> <div style="text-align: center !important;"> <iframe src="https://www.youtube-nocookie.com/embed/Tzu6dmWopE0" frameborder="0" allow="autoplay; encrypted-media" width="500px !important;" height="281px !important;" style="width: 500px !important; height: 281px !important; display: inline-block !important" allowfullscreen></iframe> </div> <h2 id="5-mac-power-users-an-apple-a-week-keeps-the-os-updated">5. Mac Power Users: an Apple a week keeps the OS updated</h2> <ul> <li> <p>Hosted By: David Sparks and Stephen Hackett</p> </li> <li> <p>Website: <a href="https://www.relay.fm/mpu">https://www.relay.fm/mpu</a></p> </li> <li> <p>X: <a href="https://twitter.com/macpowerusers">https://twitter.com/macpowerusers</a></p> </li> <li> <p>Episode Frequency: Every Sunday</p> </li> <li> <p>Average Episode Length: 90 to 120 minutes</p> </li> </ul> <p>Apple fans: look no further. <em>Mac Power Users</em> is a no-frills podcast that features the macro to the micro on all things Apple. 
Since 2009, hosts David Sparks and Stephen Hackett have been one of the biggest authorities discussing Apple – devices, updates, best practices – all while sprinkling in helpful anecdotes on how Apple has evolved over the years.</p> <p>Whether you&rsquo;re looking for a history lesson on the evolution of Apple Maps, or to understand the intricacies of data storage across Apple&rsquo;s fleet of devices, or simply what to expect in the next iOS/OS update, <em>Mac Power Users</em> is your one-stop-shop for all your Apple needs.</p> <div style="text-align: center !important;"> <iframe src="https://www.youtube-nocookie.com/embed/546lfTM-m8c" frameborder="0" allow="autoplay; encrypted-media" width="500px !important;" height="281px !important;" style="width: 500px !important; height: 281px !important; display: inline-block !important" allowfullscreen></iframe> </div> <h2 id="6-hacked-general-interest-genuinely-interesting">6. Hacked: General Interest, Genuinely Interesting</h2> <ul> <li> <p>Hosted By: Jordan Bloemen and Scott Francis Winder</p> </li> <li> <p>Website: <a href="https://www.patreon.com/hackedpodcast">https://www.patreon.com/hackedpodcast</a></p> </li> <li> <p>X: <a href="https://twitter.com/hackedpodcast?lang=en">https://twitter.com/hackedpodcast?lang=en</a></p> </li> <li> <p>Episode Frequency: Twice a month</p> </li> <li> <p>Average Episode Length: 30 to 60 minutes</p> </li> </ul> <p>Some podcasts focus on rigorous research and journalistic narratives. Others focus on two guys chatting. <em>Hacked</em> splits the difference. Every month, they release two episodes: one hour-ish-long deep dive into a tech topic (historical or contemporary, so long as it&rsquo;s &ldquo;weird&rdquo;), typically featuring an interview with a guest expert. 
The next episode, two weeks later, will be an informal chat in which the two hosts, Jordan Bloemen and Scott Francis Winder, explore the weirder tech and cybersecurity headlines of that month.</p> <p>Neither host is a security professional, so <em>Hacked</em> isn&rsquo;t the best fit for listeners looking for in-depth analysis. But the show thrives on its accessibility and sense of curiosity (you might even convince your luddite friends to listen). For anyone looking for well-told stories from the weird side of the industry, <em>Hacked</em> has your back.</p> <p><strong><a href="https://open.spotify.com/episode/7kMKq3Ag5DZMKsnk36jQoL?si=Wl1o1lEyRXy30DldabjNqA">Listen to an episode, here.</a></strong></p> <h2 id="7-cyber-security-headlines-news-for-those-in-a-hurry">7. Cyber Security Headlines: News For Those In A Hurry</h2> <ul> <li> <p>Hosted By: Various narrators</p> </li> <li> <p>Website: <a href="https://cisoseries.com/category/podcast/cyber-security-headlines/">https://cisoseries.com/category/podcast/cyber-security-headlines/</a></p> </li> <li> <p>X: <a href="https://twitter.com/cisoseries?lang=en">https://twitter.com/cisoseries?lang=en</a></p> </li> <li> <p>Episode Frequency: Every Weekday</p> </li> <li> <p>Average Episode Length: 5 to 10 minutes</p> </li> </ul> <p>So many cybersecurity stories, so little time. CISO Series' <em>Cybersecurity Headlines</em> podcast is perfect for the busy professional looking for a quick rundown of the day&rsquo;s news. Clocking in at less time than it takes to unload the dishwasher, episodes feature (admittedly dry) narrated versions of the day&rsquo;s noteworthy security stories. 
If you&rsquo;re on-the-go, prefer audio to writing, or want to accomplish the lofty goal of &ldquo;multi-tasking,&rdquo; this podcast provides the latest on cybersecurity in bite-sized portions.</p> <div style="text-align: center !important;"> <iframe src="https://www.youtube-nocookie.com/embed/r9hwMrjbNew?list=PLPu6_3GKMYa_OK6SKqb8A1cCoXymw4PPD&amp;index=7" frameborder="0" allow="autoplay; encrypted-media" width="500px !important;" height="281px !important;" style="width: 500px !important; height: 281px !important; display: inline-block !important" allowfullscreen></iframe> </div> <h2 id="8-digital-citizen-the-thinking-persons-security-podcast">8. Digital Citizen: The Thinking Person&rsquo;s Security Podcast</h2> <ul> <li> <p>Hosted By: Ricardo Signes and Haley Hnatuk</p> </li> <li> <p>Website: <a href="https://www.fastmail.com/digitalcitizen/">https://www.fastmail.com/digitalcitizen/</a></p> </li> <li> <p>X: <a href="https://x.com/fastmail">https://x.com/fastmail</a></p> </li> <li> <p>Episode Frequency: Every other Tuesday</p> </li> <li> <p>Average Episode Length: 20 to 60 minutes</p> </li> </ul> <p>We hope it&rsquo;s not too weird to plug another security company&rsquo;s podcast (it&rsquo;s worth saying – we have no affiliation with Fastmail), but this recommendation comes straight from 1Password&rsquo;s own podcast producer, Anna Eastick. And <em>Digital Citizen</em> is a podcast with a mission that we can all get behind: musing on the many ways that we can all be better to each other online.</p> <p>True to that mission, <em>Digital Citizen</em> finds strong but nuanced stances on complicated topics like productivity culture or accessibility in the tech world. 
Part of the trick lies in their guest experts, who come from a variety of sources both in and outside of the industry – everyone from linguistic scholars to sci-fi authors.</p> <p><strong><a href="https://open.spotify.com/episode/2sWEJNKJro74sIcj9HgHFG?si=acca56eba09f48bf">Listen to an episode, here.</a></strong></p> <h2 id="9-microsoft-security-insights-the-windows-stay-shut">9. Microsoft Security Insights: The Windows Stay Shut</h2> <ul> <li> <p>Hosted By: Edward Walton, Frank Grimberg, Rod Trent, and Brodie Cassell</p> </li> <li> <p>Website: <a href="https://microsoftsecurityinsights.com/">https://microsoftsecurityinsights.com</a></p> </li> <li> <p>X: <a href="https://twitter.com/Frank_Grimberg">https://twitter.com/Frank_Grimberg</a></p> </li> <li> <p>Episode Frequency: Every Monday</p> </li> <li> <p>Average Episode Length: 60 to 80 minutes</p> </li> </ul> <p>Remember briskly walking to the water cooler on Monday morning to discuss the latest episode of Game of Thrones with your work buddies? Mix that camaraderie with the latest news in the world of Microsoft security and you end up with The <em>Microsoft Security Insights</em> podcast. Filled with news, analysis, tips, and (most importantly) well-timed banter - security professionals who use Microsoft products can consider this a go-to podcast.</p> <div style="text-align: center !important;"> <iframe src="https://www.youtube-nocookie.com/embed/nYp5kAMkuXA" frameborder="0" allow="autoplay; encrypted-media" width="500px !important;" height="281px !important;" style="width: 500px !important; height: 281px !important; display: inline-block !important" allowfullscreen></iframe> </div> <h2 id="10-hacking-humans-learn-the-why">10. 
Hacking Humans: Learn The Why</h2> <ul> <li> <p>Hosted By: Dave Bittner, Joe Carrigan, and Maria Varmazis</p> </li> <li> <p>Website: <a href="https://thecyberwire.com/podcasts/hacking-humans">https://thecyberwire.com/podcasts/hacking-humans</a></p> </li> <li> <p>X: <a href="https://twitter.com/HackingHumansCW">https://twitter.com/HackingHumansCW</a></p> </li> <li> <p>Episode Frequency: Twice a week (Once a week for [Word Notes])</p> </li> <li> <p>Average Episode Length: 40 to 50 minutes (5 to 7 minutes for [Word Notes])</p> </li> </ul> <p>Cybercrime is about psychology as much as technology, and <em>Hacking Humans</em> sets out to shed light on <em>why</em> we fall for the scams we do. Hosts Dave Bittner and Joe Carrigan present stories from across the web along with listener submissions that dig into how sophisticated these dubious campaigns have become. What sets <em>Hacking Humans</em> apart from the crowd (aside from their social engineering angle) is the bonus series within their feed, titled [Word Notes]: concise episodes explaining new cybersecurity terms as they occur, along with real-world examples.</p> <div style="text-align: center !important;"> <iframe src="https://www.youtube-nocookie.com/embed/ldAnC6ClU9c?list=PL7JW9Q3mhniQWxd-8GE9Wr31gn2B9u6vY&amp;index=5" frameborder="0" allow="autoplay; encrypted-media" width="500px !important;" height="281px !important;" style="width: 500px !important; height: 281px !important; display: inline-block !important" allowfullscreen></iframe> </div> <h2 id="11-the-404-media-podcast-tech-journalism-that-dives-deep">11. 
The 404 Media Podcast: Tech Journalism That Dives Deep</h2> <ul> <li> <p>Hosted By: Jason Koebler, Joseph Cox, Emanuel Maiberg, and Sam Cole</p> </li> <li> <p>Website: <a href="https://www.404media.co/tag/podcast/">https://www.404media.co/tag/podcast/</a></p> </li> <li> <p>X: <a href="https://x.com/404mediaco">https://x.com/404mediaco</a></p> </li> <li> <p>Episode Frequency: Every Wednesday</p> </li> <li> <p>Average Episode Length: 40 to 60 minutes</p> </li> </ul> <p>In the year since their founding, 404 Media has earned an <a href="https://www.eff.org/press/releases/electronic-frontier-foundation-present-annual-eff-awards-carolina-botero-connecting">award-winning</a> reputation for quality journalism and breaking news stories around all things tech. That&rsquo;s no small feat for a digital media company that was independently founded by its journalists.</p> <p>In their weekly podcast, the 404 Media journalists discuss the pieces they published the previous week, laying out the facts and behind-the-scenes details of their stories. 
Whether the episode discusses AI-powered TikTok hustlers, or provides insight on how the Ticketmaster hack occurred, you&rsquo;ll walk away equally knowledgeable and skeptical of your own online habits.</p> <div style="text-align: center !important;"> <iframe src="https://www.youtube-nocookie.com/embed/WbdHukwbRPk?list=PLEqxQrBidl78UI_EI_icYESWITDMTdvji&amp;index=2" frameborder="0" allow="autoplay; encrypted-media" width="500px !important;" height="281px !important;" style="width: 500px !important; height: 281px !important; display: inline-block !important" allowfullscreen></iframe> </div> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div class="c-technical-aside-box__description"> <p>Bonus: Listen to one of their hosts, Joseph Cox, sit down with us to <a href="https://blog.1password.com/joseph-cox-crime-app-sting-interview/">discuss his new book</a>.</p> </div> </aside> <h2 id="bonus-random-but-memorable-our-shameless-but-sincere-plug">Bonus! Random But Memorable: Our Shameless (but Sincere) Plug</h2> <ul> <li> <p>Hosted By: Matt Davey, Sara Teare, Michael &ldquo;Roo&rdquo; Fey, and Anna Eastick</p> </li> <li> <p>Website: <a href="https://randombutmemorable.simplecast.com/">https://randombutmemorable.simplecast.com/</a></p> </li> <li> <p>X: <a href="https://twitter.com/1Password">https://twitter.com/1Password</a></p> </li> <li> <p>Episode Frequency: Every other week</p> </li> <li> <p>Average Episode Length: 50 to 65 minutes</p> </li> </ul> <p>Forgive us for a little self-promotion, but we&rsquo;re quite proud of our own in-house podcast. 
Every other week or so, a team of hosts from 1Password (guided by Anna, our intrepid producer) share advice, play some silly cybersecurity games, and interview industry experts about their work.</p> <p>We&rsquo;re biased, of course, but we like to think we strike a good balance between informal and informative while we chat about all the latest in the cybersecurity space.</p> <div style="text-align: center !important;"> <iframe src="https://www.youtube-nocookie.com/embed/7aXmBYH8Uvk?si=fGheSwZ1IAalCf0H" frameborder="0" allow="autoplay; encrypted-media" width="500px !important;" height="281px !important;" style="width: 500px !important; height: 281px !important; display: inline-block !important" allowfullscreen></iframe> </div> <p><em>Disclaimer: The following podcasts (Darknet Diaries, Risky Business, Mac Power Users, and Smashing Security) are or have been sponsored by 1Password and/or Kolide.</em></p> <hr> <p>Did we leave out your favorite security podcast? <a href="https://1password.com/kolidescope-newsletter">Subscribe to our bi-weekly newsletter to find out what else we&rsquo;re listening to!</a></p></description></item><item><title>New incentive: Higher rebates for 1Password partners</title><link>https://blog.1password.com/higher-rebates-1password-partners-2024/</link><pubDate>Thu, 22 Aug 2024 00:00:00 +0000</pubDate><author>info@1password.com (Monica Jain)</author><guid>https://blog.1password.com/higher-rebates-1password-partners-2024/</guid><description> <img src='https://blog.1password.com/posts/2024/higher-rebates-1password-partners-2024/header.png' class='webfeedsFeaturedVisual' alt='New incentive: Higher rebates for 1Password partners' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Earlier this year, we introduced our <a href="https://blog.1password.com/partner-rebate-program/">initial partner rebate</a> in conjunction with the launch of our <a href="https://1password.com/partnerships">partner 
program</a>. We understand the value of partnerships and are committed to creating opportunities that enhance the success and profitability of our partners.</p> <p>Now, 1Password partners can earn even more through our partner program. We’re adding extra incentives to our partner rebate for the remainder of 2024, giving you more opportunities to grow and strengthen your business.</p> <h2 id="update-to-our-competitive-displacement-incentive">Update to our competitive displacement incentive</h2> <p>As of August 14th, all eligible 1Password partners will receive an additional 10% backend rebate when they help a business switch to 1Password from another password management tool. You’ll receive this extra rebate for every opportunity submitted and closed-won, paid out monthly.</p> <h2 id="plus-stackable-incentives">Plus, stackable incentives</h2> <p>On top of the above 10% rebate, partners can qualify to stack other incentives. <a href="https://static.ziftsolutions.com/files/8a9997ed9175c43a0191760ba6521aef/Reseller_Incentive_Program_Addendum_v2.pdf">Read more about our incentives and how to get started here</a>.</p> <h2 id="what-does-this-mean-for-you">What does this mean for you?</h2> <p>In short, partner earning potential just got even bigger! With this new rebate offer, partners can unlock additional financial rewards for every sale they make. It allows you to maximize your earnings while continuing to provide your customers with the top-tier security solutions they need. The stackable incentives are cumulative, so the more you sell, the more you earn. And that’s on top of your current commissions.</p> <h3 id="how-it-works">How it works</h3> <ol> <li><strong>Automatic enrollment for eligible partners:</strong> All new and existing partners who meet the <a href="https://static.ziftsolutions.com/files/8a9997ed9175c43a0191760ba6521aef/Reseller_Incentive_Program_Addendum_v2.pdf">eligibility criteria</a> are automatically enrolled in our improved rebate program. 
We’ve also simplified the payout process!</li> <li><strong>Stackable earnings:</strong> Your incentives will stack as you continue to sell 1Password, increasing your overall compensation. This is in addition to any existing commissions or bonuses, providing a substantial boost to your revenue.</li> <li><strong>Seamless process for payments:</strong> The new rebate program is interwoven with our existing partner compensation structure. Your payments will reflect the added incentives, making it easy to track your increased earnings.</li> </ol> <h2 id="why-1password">Why 1Password</h2> <p>Partnering with 1Password means aligning with a leader in cybersecurity. Our solution is trusted by over 150,000 businesses and millions of customers. We’re committed to helping partners succeed by offering industry-leading products, comprehensive support, and now, even more lucrative financial rewards.</p> <h2 id="ready-to-boost-your-earnings">Ready to boost your earnings?</h2> <p>The additional rebate incentive is just one of the many ways we’re dedicated to supporting our trusted partners. We believe that when you succeed, we succeed — and this program is designed to help you achieve even greater success.</p> <p>If you’re not yet a 1Password partner, now is the perfect time to <a href="https://1password.com/partnerships">join us</a>. We encourage our current partners to take full advantage of these stackable incentives and start maximizing your revenue today.</p> <p>We’re excited to embark on this journey together and help your business reach new heights. 
Visit the <a href="https://1password.com/partnerships">1Password Partner Portal</a> for more details on our rebate offer and our partner program in general.</p></description></item><item><title>Malvertising on Google Ads: It's hiding in plain site</title><link>https://blog.1password.com/malvertising-on-google-ads/</link><pubDate>Tue, 20 Aug 2024 00:00:00 +0000</pubDate><author>info@1password.com (Kenny Najarro)</author><guid>https://blog.1password.com/malvertising-on-google-ads/</guid><description> <img src='https://blog.1password.com/posts/2024/malvertising-on-google-ads/header.png' class='webfeedsFeaturedVisual' alt="Malvertising on Google Ads: It's hiding in plain site" style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Look closer before clicking that link at the top of your search results.</p> <p>Let&rsquo;s start with a hypothetical: If I asked you to download a piece of open source software, what would you do? Chances are you&rsquo;d open your browser, go to Google, and type in the name of the software.</p> <p>Then you&rsquo;d proceed to click on the first official-looking link you saw, even if it&rsquo;s an ad. After all, it doesn&rsquo;t really make a difference if you click on an ad or an organic link as long as you wind up on the site you&rsquo;re looking for.</p> <p>You won&rsquo;t think too hard about clicking a Google ad because you have no reason to be suspicious of them – they&rsquo;re just part of the background noise of your digital life. It&rsquo;s the same reason you don&rsquo;t check to make sure that gas, and not water, is coming out of the pump when you fill up your car.</p> <p>But that assumption of safety is exactly what cybercriminals are counting on. It&rsquo;s at the heart of the latest form of malvertising, in which bad actors purchase Google ads that sit at the top of search results and masquerade as legitimate open source software. 
But when you click the download button, what you&rsquo;re getting is malware.</p> <p>Open source software seems like a curious choice as an attack vector until you understand how much the technology has permeated corporations. In <a href="https://www.openlogic.com/success/2023-state-open-source-report">OpenLogic&rsquo;s 2023 State of Open Source Report</a>, 80% of those surveyed reported that their organization increased the use of open source software over the last 12 months. Furthermore, their <a href="https://www.devopsdigest.com/state-of-open-source-software-2024">2024 report</a> showed 95% either increasing or maintaining their use of it.</p> <p>With little mainstream news coverage, malvertising has evolved to become an extremely worrisome attack vector. And as open source software becomes more common in the business world, the threat is shifting from individuals to organizations. To protect not only your end-users, but your corporate fleet, IT and security folks need to start figuring out how to guard against this threat.</p> <h2 id="what-is-malvertising">What is malvertising?</h2> <p>Malvertising is a broad term for when bad actors use digital advertisements to deliver malware. Malicious advertising has taken many forms over the years – display ads, <a href="https://www.malwarebytes.com/glossary/drive-by-download">drive-by downloads</a>, and forced redirects – with <a href="https://www.theguardian.com/technology/2016/mar/16/major-sites-new-york-times-bbc-ransomware-malvertising">headline-worthy results</a> affecting organizations from the New York Times to the NFL.</p> <p>The goal of these past malvertising campaigns was to get users to inadvertently download ransomware. Some malvertising required a click; some didn&rsquo;t; some took the form of urgent looking pop-ups; some looked like regular ads. 
Regardless, they all had the same effect: encrypting the user&rsquo;s device until the ransom was paid.</p> <p>However, all these variations can be seen as <em>traditional</em> malvertising, which peaked in the 2010s. In this article we&rsquo;re going to focus on malvertising&rsquo;s newest form, which has some unique characteristics. For one thing, in open source malvertising, users aren&rsquo;t unknowingly downloading a file; they&rsquo;re doing it on purpose. And paradoxically, that makes it more dangerous.</p> <h3 id="how-open-source-malvertising-works">How open source malvertising works</h3> <p>Victims of Google ad malware typically follow this flow:</p> <img src='https://blog.1password.com/posts/2024/malvertising-on-google-ads/malvertising-flow-chart.png' alt='A flowchart of how malvertising is executed.' title='A flowchart of how malvertising is executed.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>First, users see the promoted search result, which most likely features a <a href="https://www.csoonline.com/article/3600594/what-is-typosquatting-a-simple-but-effective-attack-technique.html">typosquatted URL</a> that’s easy to miss if you’re not paying close attention. (In the example below, “audacity” becomes “audacite.”) Next, they click on the URL that takes them to a web page that’s nearly identical to the real company’s homepage.</p> <img src='https://blog.1password.com/posts/2024/malvertising-on-google-ads/real-audacity-website.jpg' alt='A screenshot of the legitimate Audacity website.' title='A screenshot of the legitimate Audacity website.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <img src='https://blog.1password.com/posts/2024/malvertising-on-google-ads/audacity-malvertising-website.png' alt='A screenshot of the mimicked Audacity website.' title='A screenshot of the mimicked Audacity website.' 
style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p><a href="https://threatresearch.ext.hp.com/adverts-mimicking-popular-software-leads-to-malware/">Source</a></p> <p>And that&rsquo;s where the trouble begins. Once victims download the fake Audacity software they&rsquo;re met with <a href="https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar">Vidar Stealer</a> — an information-stealing malware capable of <a href="https://support.1password.com/watchtower/">gathering passwords</a> and information from two-factor authentication software.</p> <p>When the user opens the downloaded file, they find a malware file named &ldquo;update.zip&rdquo; that is wrapped in a bloated file – <a href="https://threatresearch.ext.hp.com/adverts-mimicking-popular-software-leads-to-malware/">343MB!</a> – which mimics the size of a real installer to avoid initial suspicion from users and malware detectors.</p> <h3 id="malvertising-examples">Malvertising Examples</h3> <p>Search engine malvertisements have proliferated to such an extent that the <a href="https://www.ic3.gov/Media/Y2022/PSA221221?=8324278624">FBI released a bulletin</a> about it (among other things, they recommend individuals protect themselves by using ad blockers).</p> <p>To become so notorious, Vidar Stealer can&rsquo;t be the only malware distributed in these targeted attacks. 
<a href="https://news.risky.biz/risky-biz-news-google-search-and-65c0ecb2a0e6da001a37e1fb/">Risky Business News</a> collected a comprehensive list of malware attached to Google Ad malvertising over 2022, including (get ready): <a href="https://www.trendmicro.com/en_us/research/22/l/icedid-botnet-distributors-abuse-google-ppc-to-distribute-malware.html">IcedID</a>, <a href="https://www.mandiant.com/resources/blog/seo-poisoning-batloader-atera">BatLoader</a>, <a href="https://intel471.com/blog/privateloader-malware">PrivateLoader</a>, <a href="https://securelist.com/nullmixer-oodles-of-trojans-in-a-single-dropper/107498/">NullMixer</a>, <a href="https://blog.avast.com/fakecrack-campaign">FakeCrack</a>, <a href="https://cyber-anubis.github.io/malware%20analysis/redline/">RedLine Stealer</a>, <a href="https://www.malware-traffic-analysis.net/2023/01/03/index.html">Rhadamanthys Stealer</a>, <a href="https://redcanary.com/threat-detection-report/threats/yellow-cockatoo/">Yellow Cockatoo</a>, <a href="https://www.cyfirma.com/outofband/vagusrat-a-new-entrant-in-the-external-threat-landscape/">VagusRAT</a>, and <a href="https://labs.guard.io/masquerads-googles-ad-words-massively-abused-by-threat-actors-targeting-organizations-gpus-42ae73ee8a1e">MasquerAds</a>.</p> <p>This generation of malware delivers many types of malicious code: credential stealing, remote access installation, ransomware, additional loaders, and even the ability to steal cryptocurrency.</p> <p>Audacity isn&rsquo;t the only open source tool being used in malvertisements. Bleeping Computer <a href="https://www.bleepingcomputer.com/news/security/hackers-push-malware-via-google-search-ads-for-vlc-7-zip-ccleaner/">reports</a> that tools such as Rufus, Notepad++, 7-Zip, Blender 3D, and others have been used as vehicles in this malware delivery method. 
<a href="https://www.techradar.com/pro/security/this-dangerous-new-mac-malware-is-being-spread-by-google-ads">Techradar</a> more recently shared a story about a particularly nasty Mac malware being marketed to users looking to download the Arc browser.</p> <p>If you&rsquo;re overwhelmed by all the possible permutations of this type of attack, I think I can speak for the threat actors: that&rsquo;s the point.</p> <h2 id="why-malvertising-is-a-threat-to-corporate-security">Why malvertising is a threat to corporate security</h2> <p>With the proliferation of search engine malvertising, end-users run the risk of their personal <em>and</em> work information being stolen any time they open up a browser. It&rsquo;s not because end-users are dumb. It&rsquo;s not because you&rsquo;re not doing your job as a security practitioner. And it&rsquo;s certainly not because these bad actors are geniuses.</p> <p>It&rsquo;s because these malvertisements combine unexpected and tried-and-true tactics that have morphed into a malware snowball rushing down exploit mountain. Let&rsquo;s break it down.</p> <h3 id="malvertising-is-a-surprisingly-popular-attack-vector">Malvertising is a surprisingly popular attack vector</h3> <p>Part of the reason malvertising is so effective as a delivery vector for malware is that it gets comparatively little attention compared to email.</p> <p>In HP Wolf Security&rsquo;s <a href="https://threatresearch.ext.hp.com/wp-content/uploads/2024/05/HP_Wolf_Security_Threat_Insights_Report_Q1_2024.pdf">Q1 2024 Threat Insights Report</a>, 53% of the malware campaigns they analyzed occurred through email, making it by far the most popular method.</p> <p>However, taking the silver medal are web browser downloads at 25%. 
&ldquo;In total, we found 92 typosquatted domains likely related to the IcedID campaign, indicating the growing popularity of this delivery mechanism among threat actors,&rdquo; said <a href="https://threatresearch.ext.hp.com/adverts-mimicking-popular-software-leads-to-malware/">HP malware analyst Patrick Schläpfer</a> when his team analyzed a recent malvertising campaign affecting established software.</p> <p>While email is efficient at targeting a specific business or individual, search engine malvertising has a broader scope that can affect many businesses in one deployment. As the Vidar Stealer malware exemplifies, hackers can steal information from users and find themselves with a treasure trove of both personal and business logins. They&rsquo;ll be able to quickly deduce what company a user works for, crack 2FAs nearly effortlessly, and access your systems.</p> <p>While not an example of malvertising, a major 2022 data breach was a case study in how consumer-facing software can be used for corporate cybercrime. In this attack, a hacker accessed a senior DevOps engineer&rsquo;s home computer through <a href="https://arstechnica.com/information-technology/2023/02/lastpass-hackers-infected-employees-home-computer-and-stole-corporate-vault/">media player Plex</a>, and used it to install a keylogging malware that was able to scrape the engineer&rsquo;s credentials. The hacker could then access their victim&rsquo;s customer database and make off with the sensitive information of their users.</p> <h3 id="malvertising-evades-traditional-detection-methods">Malvertising evades traditional detection methods</h3> <p>As we mentioned earlier, one reason open source malware has been so successful is artificial inflation of file size.</p> <blockquote> <p>&ldquo;First, a larger file size is more likely for a software installer. 
Secondly, and more importantly, extremely large file sizes can be used to bypass the automatic scanning of some antivirus software.&rdquo; - <a href="https://threatresearch.ext.hp.com/adverts-mimicking-popular-software-leads-to-malware/">HP Threat Research Blog</a></p> </blockquote> <p>So, not only are malware detection tools fooled, but most end-users won&rsquo;t notice the difference until it&rsquo;s too late. And even when the software they thought they were downloading fails to install, plenty of users will think it&rsquo;s a harmless glitch or a problem with their computer.</p> <h3 id="users-arent-trained-to-detect-malvertising">Users aren&rsquo;t trained to detect malvertising</h3> <p>To avoid falling for a malvertising scheme, users have to know what to look for. That requires being skeptical about websites, closely looking at URLs, and not simply trusting a link because it&rsquo;s the first result on Google.</p> <p>Users aren&rsquo;t taught this, especially not at work. Phishing emails and social engineering attacks are well covered in most corporate security trainings. But these courses usually skip over malvertising, since in the past it wasn&rsquo;t aimed at businesses.</p> <h3 id="malvertising-is-difficult-to-keep-up-with">Malvertising is difficult to keep up with</h3> <p>Since malvertising isn&rsquo;t new, you&rsquo;d think more end users would be aware of it. But we&rsquo;re talking about a constantly evolving threat that never looks the same way twice. IT teams and security practitioners would be hard-pressed to hunt down individual malicious ads, since the ads on search engine result pages (SERPs) change often. So getting ahead of this problem isn&rsquo;t even whack-a-mole; it&rsquo;s more like whack-a-ghost.</p> <p>Despite the difficulty of keeping track of all the search engine malvertisement campaigns, the cybersecurity community has taken it into their own hands to report on it. 
Security researchers such as <a href="https://twitter.com/wdormann">Will Dormann</a>, <a href="https://twitter.com/1ZRR4H">Germán Fernández</a>, and the <a href="https://twitter.com/malwrhunterteam">MalwareHunterTeam</a> have been especially diligent about sourcing and relaying Google ad malvertisements to the public. But as long as bad actors can buy a spot on Google, the security world will always be playing catch-up.</p> <h3 id="the-rising-popularity-of-free-and-open-source-software">The rising popularity of free and open source software</h3> <p>As we&rsquo;ve noted, more and more companies are adding open source software to their tech stacks.</p> <p>Companies know they are at a disadvantage, and <a href="https://www.openlogic.com/success/2023-state-open-source-report">41.97% of organizations</a> already admit that maintaining security policies or compliance for open source software is their biggest challenge; there&rsquo;s a chance that malvertising could make some companies conclude that it&rsquo;s just not worth the risk.</p> <h2 id="how-to-protect-your-users-from-malvertisements">How to protect your users from malvertisements</h2> <p>Most articles related to search engine malvertising are geared toward end-users, not admins, so they offer basic tips about adopting a think-before-you-click mentality. However, in a business setting, you may want stronger safeguards.</p> <p>To protect your endpoints from malvertisements, you must implement scalable, reliable, and secure practices. And that&rsquo;s easier said than done, since, as the saying goes: users be downloadin'.</p> <p>Nevertheless, here are some actionable steps you as an IT administrator and security practitioner can take to protect your end-users and business.</p> <h3 id="create-blocklists-for-commonly-used-malicious-tlds">Create blocklists for commonly used malicious TLDs</h3> <p>Preventing exposure to malicious websites is key to maintaining a safe fleet. 
Users have traditionally relied on ad blockers to avoid exposure to Google ads; however, Google has an <a href="https://blog.chromium.org/2024/05/manifest-v2-phase-out-begins.html">update to its extension manifest</a> that effectively makes Chrome ad blockers obsolete, since Chrome will now be able to severely limit extensions from modifying network requests. To prepare for that upcoming reality, the National Security Agency recommends using your existing network functions, such as your firewall, to allow DNS traffic through corporate servers only.</p> <p>The NSA also recommends utilizing DNS to block malicious ad domains. While it may be a daunting task to compile a blocklist of top-level domains (TLDs), the key is to just start. Fortunately, IT teams can use regularly updated, reputable, and <a href="https://blocklistproject.github.io/Lists/malware.txt">community-maintained blocklists</a> to catch malware. And for maximum coverage, make sure that TLDs that have featured in these malvertising attacks, such as .site, .tk, and, more recently, .top, are part of your growing blocklist as well. Create a weekly or even monthly task of updating the blocklist, and your team can stay ahead of the game.</p> <h3 id="implement-an-application-whitelisting-process">Implement an application whitelisting process</h3> <p>Installing new software is usually a pretty solitary activity: you pick the software you want, you download it, you use it. Pretty simple. However, as we&rsquo;ve learned, with malvertisements, that user flow needs a bit of an adjustment — a democratic one.</p> <p>Take <a href="https://github.com/google/santa#screenshots">Santa</a>, for example. A binary authorization system for macOS, Santa allows organizations to monitor binary executions and alerts users if a binary is malicious. 
If a user wants to install an unknown binary, they must apply for it to be whitelisted internally.</p> <p>However, tasking your IT team to look over each execution can be inefficient and arduous. That&rsquo;s part of why we built Application Insights, a tool to help businesses manage employee access to managed and unmanaged apps. It&rsquo;s <a href="https://blog.1password.com/extended-access-management-availability-updates/">currently in beta</a> as part of 1Password® Extended Access Management.</p> <p>Even so, the problems of malvertising are complex, and our solution would still be best used in tandem with a process like Santa, which can help teams prevent the installation of malicious files.</p> <h3 id="createupdate-end-user-security-training">Create/update end-user security training</h3> <p>Let&rsquo;s face it. Annual cybersecurity trainings are traditionally an hour-long chore that end-users only half pay attention to. They watch the videos, fill out three-question quizzes per module, and the course tells them they &ldquo;passed.&rdquo; And usually, these trainings are outdated or repeat the same tired phishing stories.</p> <p>To break out of this model and get your team&rsquo;s attention, find time during the next all-hands, team meeting, or catch-up call to talk about malvertising. 
Since malvertising affects all end users, it&rsquo;d behoove your organization to be proactive.</p> <p>Show your colleagues examples of what malvertising looks like, explain what steps the organization is taking to mitigate exposure, provide tips on what they can do to protect themselves on their personal devices and what they should do if they think they&rsquo;ve been infected, and of course, share this blog with them.</p> <h3 id="create-a-1password-extended-access-management-check">Create a 1Password Extended Access Management check</h3> <p>1Password Extended Access Management includes a device trust solution that checks end-user devices for <a href="https://www.kolide.com/docs/using-kolide/checks">a multitude</a> of vulnerabilities or security issues. It comes with over a hundred checks already included (for instance, checking whether each device&rsquo;s OS is updated). More than that, it makes it easy for security teams to write their own custom checks to find specific issues that they hope to solve.</p> <p>For example, you can write an <a href="https://github.com/chainguard-dev/osquery-defense-kit/blob/main/detection/initial_access/unexpected-diskimage-source-macos.sql">osquery query</a> that alerts you any time a .dmg, .iso, or .pkg file is downloaded from an unknown source. It&rsquo;ll provide an early warning of malicious downloads so you can catch them before the package is opened.</p> <h2 id="what-is-google-doing-about-it">What is Google doing about it?</h2> <p>We&rsquo;ve talked about how IT teams and end users can protect themselves from malvertising, but let&rsquo;s be real: a lot of responsibility for this epidemic belongs to Google. Google knows they have a problem and that their advertising network can be abused. 
Their <a href="https://blog.google/products/ads-commerce/ads-safety-report-2021/">2021 Ads Safety Report</a> says as much, as they:</p> <ul> <li> <p>Removed over 3.4 billion ads, restricted over 5.7 billion ads and suspended over 5.6 million advertiser accounts</p> </li> <li> <p>Blocked or restricted ads from serving on 1.7 billion publisher pages</p> </li> <li> <p>Took broader site-level enforcement action on approximately 63,000 publisher sites</p> </li> </ul> <p>Yet even with millions of advertiser accounts suspended, the problem isn&rsquo;t going away. And as bad as malvertising is for users, it&rsquo;s even more alarming to the businesses being mimicked, since they risk being branded as &ldquo;unsafe.&rdquo; We ourselves at <a href="https://archive.ph/xF1D9">1Password</a> had to alert followers that there were malicious impersonations of our product going around.</p> <p>Many other companies are actively pleading for Google to do something.</p> <p>Here are a few tweets about the issue:</p> <ul> <li> <p><a href="https://archive.is/cdlhz">Bitwarden</a> calling out search engines for being the location of malicious links.</p> </li> <li> <p>Open source broadcast software <a href="https://archive.is/DVZIj">OBS</a> relaying to users that they do not run Google ads and directing them to know what scams look like.</p> </li> <li> <p>Open source multimedia tool <a href="https://archive.is/H6DK5">VideoLAN</a> explicitly stating how much trouble they&rsquo;re having with Google taking down the malicious ads.</p> </li> </ul> <div class="tweet"> <img src="https://blog.1password.com/img/icons/twitter.svg" alt="@wdormann tweet" /> <p> This is probably crazy, but hear me out&hellip; What if, before Google pushes a paid advertisement link at customers, they checked with the Google-owned VirusTotal site to confirm that the site isn&rsquo;t distributing known malware? 
You know, to at least pretend that they care&hellip; 🤔 - <span>@wdormann</span> <a href="http://twitter.com/user/status/1614757300081655808" title="@wdormann" class="view-tweet" target="_blank" rel="noopener">View tweet</a> </p> </div> <p>You can certainly sense VideoLAN&rsquo;s frustration when they ask Google &ldquo;how are those things a grey area?!?&rdquo; The answer can be found in Google&rsquo;s <a href="https://support.google.com/adspolicy/answer/6020954?hl=en&amp;ref_topic=1626336#">advertising policies</a>, which seem to prioritize advertiser experience (and revenue) over user safety.</p> <p>Google classifies four things as &ldquo;abusing the ad network:&rdquo;</p> <ul> <li> <p>Malicious or unwanted software</p> </li> <li> <p>Unfair advantage</p> </li> <li> <p>Evasive ad content</p> </li> <li> <p>Circumventing systems</p> </li> </ul> <p>From the list, malvertising falls directly into two categories: malicious software and evasive ad content, which is described as &ldquo;manipulation of ad components (text, image, videos, domain, or subdomains) in an attempt to bypass detection and / or enforcement action.&rdquo; With those boxes ticked, malvertisers are in clear violation of Google policy. So what&rsquo;s the punishment? Per Google:</p> <blockquote> <p>Violations of this policy will not lead to immediate account suspension without prior warning. A warning will be issued, at least 7 days, prior to any suspension of your account.</p> </blockquote> <p>Sure, mistakes happen. Sure, your website could be hacked and injected with malicious content. But these threat actors are actively mimicking popular websites, exploiting the loopholes of the ad network, and reaping the reward, including a 7-day grace period. You&rsquo;d think to yourself: there has to be a safeguard for extreme violators, right? You&rsquo;d be correct – sort of. 
Per <a href="https://support.google.com/adspolicy/answer/7187501">Google</a>:</p> <blockquote> <p>If we detect an egregious violation your account will be suspended immediately and without prior warning. An egregious violation of the Google Ads policies is a violation so serious that it is unlawful or poses significant harm to our users or our digital advertising ecosystem. Egregious violations often reflect that the advertiser&rsquo;s overall business does not adhere to Google Ads policies or that one violation is so severe that we cannot risk future exposure to our users.</p> </blockquote> <p>Unfortunately, the search engine provides neither a definition nor examples of what falls under &ldquo;egregious violations.&rdquo; And given how easy it is for bad actors to simply make a new account when an existing one is shut down, this approach doesn&rsquo;t meet the requirements for reliability or scalability.</p> <p>Still, when you look at things from Google&rsquo;s perspective, these policies make sense. In Q4 of 2022, Google search advertising accounted for <a href="https://abc.xyz/investor/static/pdf/2022Q4_alphabet_earnings_release.pdf">$42.6 billion in revenue</a>. There&rsquo;s an understandable reluctance to put restrictive policies on a revenue stream as lucrative as ads are.</p> <p>That said, the attacks are starting to hit a little closer to home. In <a href="https://www.malwarebytes.com/blog/news/2024/07/threat-actor-impersonates-google-via-fake-ad-for-authenticator">July of 2024</a>, a false version of Google&rsquo;s own Authenticator app was pushed out through Google Ads. The false app instead downloaded malware that stole users' personal data.</p> <p>Just to reiterate – Google&rsquo;s <em>own site</em> was used to push a false, malware-ridden impersonator of their <em>own</em> security app. It&rsquo;s not a great look, and doesn&rsquo;t speak well to their oversight of their ad platform. 
Hopefully, as the problem gets more and more egregious, we&rsquo;ll see a big enough outcry to force Google to address the issue as a whole.</p> <h2 id="if-you-educate-them-they-will-avoid-it">If you educate them, they will avoid it</h2> <p>The war against malware is never-ending, and the solution is <em>not</em> to lock down every device so users can&rsquo;t download anything. (<a href="https://blog.1password.com/what-is-shadow-it/">That approach will just drive them to shadow IT.</a>)</p> <p>What you <em>can</em> do is guard against known malicious software, make sure every employee&rsquo;s malware blockers are up-to-date and running, and that employees aren&rsquo;t accessing company resources on vulnerable, personal devices. And conveniently, you can do all that with <a href="https://1password.com/product/xam">1Password Extended Access Management</a>! (You knew we had to plug the product at least one more time.)</p> <p>Finally, whether you use 1Password Extended Access Management or not, don&rsquo;t neglect the important role of end-user education. In the end, the easiest vulnerability to patch here might be ignorance. Because your end users will continue to use Google every day. It&rsquo;s about as inevitable as the search engine stating it has &ldquo;put in place new certification policies and advertiser verification policies to better detect malvertising scams.&rdquo;</p> <p>Education and detection can prevent one bad click from turning into a security nightmare. All you need is the right mindset and the right tools. (Just double-check you&rsquo;re downloading them from the right source.)</p> <p>Want to see how <a href="https://1password.com/product/xam">1Password Extended Access Management</a> can get your entire fleet updated, patched and compliant? 
<a href="https://1password.com/contact-sales/xam">Reach out for a demo</a>.</p></description></item><item><title>What's the deal with enterprise browsers?</title><link>https://blog.1password.com/what-is-the-deal-with-enterprise-browsers/</link><pubDate>Tue, 20 Aug 2024 00:00:00 +0000</pubDate><author>info@1password.com (Rachel Sudbeck)</author><guid>https://blog.1password.com/what-is-the-deal-with-enterprise-browsers/</guid><description> <img src='https://blog.1password.com/posts/2024/what-is-the-deal-with-enterprise-browsers/header.png' class='webfeedsFeaturedVisual' alt='What's the deal with enterprise browsers?' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Enterprise browsers are built on a sensible idea, but how they work in practice can be another story.</p> <p>In 1968, Robert Propst, research director for office furniture company Herman Miller, released an office design called the &ldquo;Action Office II.&rdquo; It was the culmination of almost a decade of studying the psychological core of the corporate workspace. The Action Office II would provide privacy while still fostering communication. It would encourage workers to move more freely and adapt their space to their needs. Its innovative movable walls would make workers happier, healthier, and more productive than ever!</p> <p>It was a daring, forward-looking plan, but below, we have a picture of what that plan looked like in the real world.</p> <img src='https://blog.1password.com/posts/2024/what-is-the-deal-with-enterprise-browsers/cubicle-farm.jpg' alt='A black and white photo of a cubicle farm.' title='A black and white photo of a cubicle farm.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p><a href="https://www.vintag.es/2019/04/cubicle-farm.html">Source</a></p> <p>Yup. The Action Office II is now best known for giving us the dreaded cubicle. The bane of the modern office worker. 
The rat maze of the rat race.</p> <blockquote> <p>The birth of the cubicle illustrates how workplace technologies often start as exciting ideas, but are then reshaped by managers, executives, and vendors who don&rsquo;t actually have to use the technology.</p> </blockquote> <p>In the infosec space, enterprise browsers recently arrived on the scene as an innovative way to protect company data by funneling it through a secure, corporate-managed internet browser. The idea behind enterprise browsers is solid: many employees work primarily via browsers, so those browsers should be kept secure. But in practice, they tend to make employees feel a bit &hellip; boxed in.</p> <p>Here, we&rsquo;ll get into what these browsers promise to do, how they work in practice, and which use cases they&rsquo;re best suited for.</p> <h2 id="what-are-enterprise-browsers">What are enterprise browsers?</h2> <p>Enterprise browsers are simply internet browsers that are centrally managed by an organization, as opposed to consumer browsers like Firefox, Safari, or Chrome, which are managed by individual users. Enterprise browsers give organizations a way of securing sensitive enterprise data, preventing unsafe or unapproved activity, and monitoring user activity.</p> <p>When it comes to managing remote workers, there are various chokepoints where a team might try to monitor and secure data. VPNs do it at the network level, device trust solutions do it at the device level, and enterprise browsers do it at the (you guessed it) browser level.</p> <p>The best argument in favor of enterprise browsers is security, given that the open internet is a pretty dangerous place these days. 
A user can inadvertently fall for <a href="https://thehackernews.com/2023/10/malvertisers-using-google-ads-to-target.html">malvertising</a>, download <a href="https://blog.1password.com/ai-browser-extension-nightmare/">shady browser extensions</a>, and access unapproved <a href="https://blog.1password.com/find-and-secure-shadow-it/">shadow IT</a> tools.</p> <p>Plus, we&rsquo;re in an era dominated by web apps. A lot of employees can access everything they need for a whole workday without once leaving their browser.</p> <p>With all of that in mind, it makes a lot of intuitive sense that IT and security teams want to exercise some control over this hugely important tool. But how?</p> <p>The idea of giving companies some authority over workers' browsers isn&rsquo;t new; browsers like Chrome and Edge have had some security and policy management options built in since <a href="https://www.windowscentral.com/how-disable-microsoft-edges-first-run-page-windows-10">at least 2017</a>.</p> <p>But it wasn&rsquo;t until <a href="https://medium.com/@VDIHacker/enterprise-browser-battle-v1-0-march-2023-961d89093c47">late 2021</a> that the Island and Talon startups first offered the &ldquo;enterprise browser,&rdquo; browsers built specifically to secure enterprise data. These are secure browsers that employees <em>must</em> use to access certain sensitive web apps. So, in theory, an admin can ensure that you can&rsquo;t access an app like Salesforce from an unsecured browser.</p> <p>After that, the enterprise browser market got really crowded, really fast. These products include browsers, as well as products designed to make regular internet browsers act more like enterprise browsers. 
Here are some of the popular enterprise browsers on the market today:</p> <ul> <li> <p><a href="https://docs.citrix.com/en-us/citrix-enterprise-browser.html">Citrix Enterprise Browser</a></p> </li> <li> <p><a href="https://www.microsoft.com/en-us/edge/business?form=MA13FJ">Microsoft Edge for Business</a></p> </li> <li> <p><a href="https://chromeenterprise.google/browser/download/#windows-tab">Chrome Enterprise Browser</a></p> </li> <li> <p>Surf Security&rsquo;s <a href="https://www.surf.security/">&ldquo;Zero Trust Enterprise Browser&rdquo;</a></p> </li> <li> <p>Mammoth Cyber&rsquo;s <a href="https://mammothcyber.com/use-cases">&ldquo;Enterprise Access Browser&rdquo;</a></p> </li> </ul> <p>There are also products that operate more like browser extensions, including:</p> <ul> <li> <p><a href="https://layerxsecurity.com/">LayerX Enterprise Browser Extension</a></p> </li> <li> <p><a href="https://seraphicsecurity.com/">Seraphic Security</a></p> </li> <li> <p><a href="https://redaccess.io/">Red Access</a></p> </li> </ul> <p>The number of enterprise browsers and related products that have sprung up in just a few years shows that there&rsquo;s clearly interest (and funding) in this space. And these vendors make big promises about the types of problems enterprise browsers can solve. Talon alone claims to &ldquo;secure third-party access, replace VDI and DaaS, secure BYOD, and more.&rdquo;</p> <p>If they can do all that (and we&rsquo;ll be digging more into the &ldquo;if&rdquo;) it explains why <a href="https://chromeenterprise.google/gartner-report-enterprise-browsers/#form-section">Gartner predicts</a> that &ldquo;by 2030, enterprise browsers will be the core platform for delivering workforce productivity and security software.&rdquo;</p> <p>That&rsquo;s a bold claim, but remember, Gartner made similar predictions <a href="https://www.gartner.com/en/newsroom/press-releases/2022-09-13-gartner-outlines-six-trends-driving-near-term-adoptio">about the metaverse</a>. 
So before you order all your users to uninstall Firefox, let&rsquo;s ask some follow-up questions.</p> <h2 id="how-do-enterprise-browsers-work">How do enterprise browsers work?</h2> <p>Different enterprise browsers have different capabilities and employ different mechanisms to function. But on the whole, enterprise browsers have three major tactics to improve security and productivity: restriction, monitoring, and isolation.</p> <h3 id="restrict">Restrict</h3> <p>Enterprise browsers allow a company&rsquo;s IT or security team to restrict what employees do in the browser. Some of the more common restrictions include:</p> <ul> <li> <p>Blocking employees from certain websites</p> </li> <li> <p>Preventing employees from downloading or uploading malicious files</p> </li> <li> <p>Preventing employees from installing any <a href="https://blog.1password.com/ai-browser-extension-nightmare/">unapproved extensions</a></p> </li> <li> <p>Requiring that the browser be updated</p> </li> <li> <p>Preventing employees from downloading, storing, screenshotting, screen sharing, printing, copy-pasting, emailing, or even <em>thinking</em> about sensitive documents</p> </li> </ul> <p>The reasoning behind these restrictions might be security or productivity. In other words, companies invest in enterprise browsers both to prevent the leakage of sensitive data, and to prevent employees from slacking off on social media.</p> <img src='https://blog.1password.com/posts/2024/what-is-the-deal-with-enterprise-browsers/meme.jpeg' alt='A meme of a disgruntled looking man holding his phone with his arms crossed.' title='A meme of a disgruntled looking man holding his phone with his arms crossed.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>Most enterprise browsers let admins apply different policies according to different groups (contractors have one set of rules, engineers have another). 
Depending on the browser, policies can get more granular, like allowing employees to <a href="https://talon-sec.com/wp-content/uploads/2023/04/VDISEC-Enterprise-Browser-Compare-March-2023.pdf">only download files</a> that match certain Azure Information Protection tags.</p> <h3 id="monitor">Monitor</h3> <p>To enforce these restrictions and detect unusual activities, enterprise browsers monitor user browser activity.</p> <ul> <li> <p><a href="https://talon-sec.com/blog/product/7-steps-for-crafting-a-robust-enterprise-browser-security-policy/">Talon</a>&rsquo;s tools &ldquo;observe web traffic in real-time.&rdquo;</p> </li> <li> <p>Island&rsquo;s <a href="https://www.island.io/blog/do-you-really-know-whats-going-on-inside-your-saas-apps">browser</a> reports &ldquo;rich details about the web activity, paired with contextual details like the user identity.&rdquo;</p> </li> </ul> <p>To be fair, there are other tools that give companies these abilities. Google&rsquo;s Workspace (including their browser) logs just about <a href="https://support.google.com/a/answer/9725452">all user activity</a> on their various apps, like Google Drive activity and Chrome <a href="https://support.google.com/a/answer/9142478?sjid=11143741107666226191-NC">chat conversations</a>. VPNs monitor <a href="https://vpn-services.bestreviews.net/faq/can-vpn-provider-see-traffic-history/">all network and browsing activity</a>, and VDIs see everything that happens on their virtual desktop. Keeper Privileged Access Management (PAM) also does <a href="https://blog.1password.com/1password-vs-keeper-security/">similar tracking</a> of privileged users (Island has also recently begun to promise <a href="https://www.island.io/solutions/privileged-user-account-management">PAM-esque</a> capabilities).</p> <p>But regardless of who is doing this kind of monitoring, it&rsquo;s important to recognize its potential for misuse and bad employee experiences. 
It&rsquo;s a thin line between security tools and <a href="https://www.nlrb.gov/news-outreach/news-story/nlrb-general-counsel-issues-memo-on-unlawful-electronic-surveillance-and">bossware</a>, and no one wants to work for a company that won&rsquo;t let them check their horoscope during their lunch break.</p> <p>Enterprise browser developers are hardly unaware of the privacy issues. Some, <a href="https://www.surf.security/use-cases?tab_id=employee-privacy">like SURF</a>, try to maintain privacy by &ldquo;reporting only violations against corporate policies, without recording any personal browsing activities.&rdquo;</p> <p>Still, depending on those policies, admins could get reports about an alarming chunk of browsing. And a lot of enterprise browsers are happy to give admins <a href="https://www.island.io/resource/using-your-browser-as-an-auditing-support-tool">the ability to</a>, &ldquo;capture clicks, keystrokes, screenshots, source and destination details including device and user data&hellip;&rdquo;</p> <p>Some browsers, like Island, recommend that users simply have <a href="https://www.island.io/blog/do-you-really-know-whats-going-on-inside-your-saas-apps">another browser</a> for their personal use. Use the work one for work stuff, and the personal one for personal stuff. It&rsquo;s simple! But that could cut into any promised productivity gains, since switching between two browsers is almost guaranteed to lead to &ldquo;Increased Cognitive Load and Context Switching&rdquo; and &ldquo;fragmented workflows,&rdquo; as <a href="https://kasm.medium.com/the-enterprise-web-browser-isolating-corporate-data-security-risks-1b58fb92091f">Kasm</a> puts it. 
One newer enterprise browser, Here, even makes <a href="https://venturebeat.com/virtual/here-launches-to-transform-the-enterprise-web-browser-into-a-full-workspace-and-eliminate-the-toggle-tax/">direct reference</a> to the &ldquo;toggle tax.&rdquo;</p> <p>Also, if employees can use multiple browsers at will, then what&rsquo;s the point in blocking non-work-related websites in the first place?</p> <h3 id="isolate">Isolate</h3> <p>The most powerful capability of enterprise browsers is <a href="https://www.zscaler.com/resources/security-terms-glossary/what-is-remote-browser-isolation#:~:text=Remote%20browser%20isolation%20(RBI)%20is,to%20reduce%20its%20attack%20surface.">Remote browser isolation</a> (RBI).</p> <p>David Strom calls RBI a &ldquo;sleight-of-hand trick.&rdquo; As he reported for <a href="https://siliconangle.com/2023/06/07/theres-lot-enterprise-grade-secure-browsers-ready-prime-time/">Silicon Angle</a>, &ldquo;When the browser is fired up, the user is transported to the vendor&rsquo;s data center and runs a virtual session, or a complete Linux virtual machine so that any phishing or malware attempt can&rsquo;t touch the endpoint.&rdquo;</p> <p>RBI is a doozy. If an employee tries to open a webpage, the page is first routed to a remote cloud server. That server then streams the webpage back to the employee&rsquo;s device. The <a href="https://www.checkpoint.com/cyber-hub/threat-prevention/what-is-remote-browser-isolation-rbi/">two options</a> for this are:</p> <ol> <li> <p>A filtered mirror of the page. This option filters out some of the more suspicious content on the page and sends the rest back to the user.</p> </li> <li> <p>A pixel-by-pixel reconstruction of the page that is rendered by the browser and streamed back to the user.</p> </li> </ol> <p>The goal here is that if an employee, say, clicks a link in a phishing email, then it doesn&rsquo;t really matter. 
What the employee clicked is just a copy of that webpage, or a filtered-out link that&rsquo;s being streamed to their computer in real(ish) time. Any malware gets downloaded to an isolated server that can&rsquo;t touch anything else at the company. Then, when the browser&rsquo;s closed, everything&rsquo;s gone.</p> <p>When employees open sensitive web-based apps on their enterprise browser, that app is never actually touching the endpoint. And even if they download malware via their personal browser, there&rsquo;s no way for that malware to infect company systems, at least not via the enterprise browser.</p> <p>RBI is a concept that&rsquo;s existed since at least 2017 (along with earlier versions that predate the cloud). It was initially used by government agencies like the <a href="https://web.archive.org/web/20180302225500/https://www.yahoo.com/news/tuCloud-and-Kaviza-Sign-Up-iw-1580315433.html">Nuclear Security Administration</a> and <a href="https://fedscoop.com/disa-internet-browser-isolation-pentagon-dod-rfi/">the Pentagon</a>. And RBI is kind of the nuclear option when it comes to access control. It&rsquo;s a very powerful addition to a <a href="https://blog.1password.com/history-of-zero-trust/">zero-trust architecture</a>, since it completely stops the browser from communicating with the endpoint.</p> <p>It&rsquo;s also &hellip; intense. Like a full suit of medieval armor, it makes it pretty hard to stab you, but it also slows you down. A lot.</p> <img src='https://blog.1password.com/posts/2024/what-is-the-deal-with-enterprise-browsers/Armor.jpeg' alt='A meme of a disgruntled looking man holding his phone with his arms crossed.' title='A meme of a disgruntled looking man holding his phone with his arms crossed.' 
style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p><a href="https://www.metmuseum.org/toah/hd/aams/hd_aams.htm">Source</a></p> <p>And historically, RBI options have been painfully <a href="https://perception-point.io/guides/endpoint-security/remote-browser-isolation-rbi-an-in-depth-look/#Challenges_of_RBI_Technology">slow, expensive, and resource-hungry</a>.</p> <p>But what many enterprise browsers now promise is a product that uses the <a href="https://www.youtube.com/watch?v=Zfds0TPJzJE">techniques of RBI</a> without its sacrifices to usability.</p> <p>Wow, &ldquo;nuclear launch code&rdquo; level security available for any old company without any drawbacks? Sounds pretty great. But wait…how does that make sense?</p> <p>According to <a href="https://www.island.io/resource/5-myths-of-the-enterprise-browser">Island</a>: &ldquo;The Enterprise Browser achieves the same outcomes as RBI&hellip;but does so from within the browser itself. This means no added latency for the user.&rdquo; But why or how would doing RBI from the browser remove the latency issue?</p> <h3 id="no-seriously-how-_do_-enterprise-browsers-work">No, seriously, how <em>do</em> enterprise browsers work?</h3> <p>I wish this were an easier question to answer, but very few enterprise browser developers are willing to provide much detail about their behind-the-scenes processes. And for a product that accesses a <em>lot</em> of sensitive company information, we might appreciate a little more transparency.</p> <p>When I reached out to David Strom, the writer of the <a href="https://siliconangle.com/2023/06/07/theres-lot-enterprise-grade-secure-browsers-ready-prime-time/">Silicon Angle piece</a>, about how he established that these browsers use RBI, he told me: &ldquo;You can track the originating packets from these browser environments and see that they come from a different TCP/IP network that is geographically distant from the user&rsquo;s own location. 
You can also do some browser canvas fingerprinting to get more details.&rdquo;</p> <p>What that means is that most enterprise browsers (at least the ones David tested) are using some version of the back-and-forth method of RBI. And RBI is a process that&rsquo;s <em>going</em> to involve latency. When you route browsing to another server, wait for it to generate a perfect pixel-by-pixel replica of each page, and then wait for it to stream <em>that</em> copy back to your computer, it&rsquo;s just not going to be that zippy.</p> <p>It&rsquo;s possible that enterprise browsers use the mirror rendering RBI option. That one&rsquo;s less secure, but also faster. It&rsquo;s also possible that they do some other twist on RBI. <a href="https://www.surf.security/">SURF&rsquo;s option</a>, for instance, doesn&rsquo;t work through the cloud, but provides an &ldquo;Isolated work environment&hellip;locally on the endpoint, by encrypting, sandboxing and rendering content.&rdquo; <a href="https://talon-sec.com/product/talon-enterprise-browser/">Talon&rsquo;s browser</a> does similar web encryption. But rerouting, encryption, sandboxing, rendering – all of these things, by definition, take more time and processing power than just opening a web page does.</p> <p>Now, let&rsquo;s acknowledge that every security tool creates <em>some</em> friction or leads to <em>some</em> loss in performance. In some ways, security <em>is</em> friction! It&rsquo;s just that there&rsquo;s a limit to how much a tool can inconvenience its users while still justifying its value to security.</p> <p>&ldquo;No added latency&rdquo; strikes us as an impossible promise. But if enterprise browsers can at least achieve &ldquo;manageable amounts of latency,&rdquo; it could still be enough for them to even the scales between RBI&rsquo;s security benefits and usability costs. 
Assuming, of course, that they are otherwise pretty user friendly.</p> <p>This means that the first question security professionals should ask when considering enterprise browsers is: what&rsquo;s it like to use them?</p> <h2 id="what-is-it-like-to-use-enterprise-browsers">What is it like to use enterprise browsers?</h2> <p>Unfortunately, this is a very difficult question to answer. Because when it comes to enterprise browsers, end-user reviews – positive or negative – are almost bizarrely hard to find.</p> <p>We can find <a href="https://www.gartner.com/reviews/market/data-loss-prevention/vendor/island/product/island-enterprise-browser">glowing reviews</a> from C-suite members, but no testimonials from employees.</p> <p>For instance, one CISO <a href="https://www.computerworld.com/article/3648597/start-up-emerges-with-an-enterprise-browser.html">testing Island said</a> &ldquo;users aren&rsquo;t pushing back on it at all.&rdquo; But that claim seems a little dubious given that his firm has &ldquo;purchased 4,000 seats, though just 100 employees have so far downloaded.&rdquo;</p> <p>Even on <em>Reddit</em>, very few people are talking about the user experience of enterprise browsers. Still, here are the most common complaints we could find:</p> <ul> <li> <p>Slow and Demanding on CPU: One <a href="https://www.reddit.com/r/workfromhome/comments/18lcksz/comment/ke6s8k4/?context=3">Reddit user says</a> that when their company required an enterprise browser, &ldquo;it required so much processing power that my 8gb ram laptop was completely unusable. 
Ended up getting a top of line Mac instead…the bottom line is it slows things down&hellip;&rdquo;</p> </li> <li> <p>Time-consuming to set up: &ldquo;talon and island would become a nightmare to manage 100s and thousands of users, cuz each dep/team has different reqs.&rdquo;</p> </li> </ul> <p>Still, Reddit being the unverified source that it is, we wanted to test these claims ourselves.</p> <p>The original title of this piece was going to be, &ldquo;What It&rsquo;s Like to Use Enterprise Browsers?&rdquo; If I couldn&rsquo;t find end-user reviews, I&rsquo;d make my own. I&rsquo;d get an enterprise browser demo, have our admin apply some policies and restrictions to my browsing, and then I&rsquo;d try it out for a week and see how it went.</p> <p>It did not go well.</p> <h3 id="demo-attempt-1-chrome-for-enterprise">Demo attempt 1: Chrome for Enterprise</h3> <p>By and large, enterprise browser vendors don&rsquo;t offer demos unless you&rsquo;re actively in the sales process, and they&rsquo;re (perhaps understandably) not inclined to do favors for blog writers. But, good news! Chrome for Enterprise has a free trial. Since we already used Google products, this seemed like the most low-lift, user-friendly option.</p> <p>I started getting that trial set up with Antigoni, our Google admin. For the experiment to work, she&rsquo;d have to play panopticop and start monitoring and restricting my Chrome browsing.</p> <p>&ldquo;I don&rsquo;t want to do that!&rdquo; she said.</p> <p>Like many normal people, she found the idea of monitoring someone&rsquo;s browsing to be weird and creepy. I, too, found the idea of having my browsing monitored to be weird and creepy.</p> <p>Nonetheless, we were willing to make that sacrifice. 
For you, the reader.</p> <p>When it comes to Chrome enterprise management, there are two options:</p> <ol> <li> <p>Chrome Browser Cloud management, which lets Chrome admins manage and monitor enrolled Chrome browsers.</p> </li> <li> <p>Chrome Enterprise Upgrade, which adds additional features to manage device posture on ChromeOS devices.</p> </li> </ol> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div class="c-technical-aside-box__description"> <p>Note: Since this experiment, Chrome has released another <a href="https://www.theregister.com/2024/06/26/google_chrome_enterprise/">enterprise browser</a> offering, &ldquo;Chrome Enterprise Premium,&rdquo; which was not factored into our original analysis.</p> </div> </aside> <p>We don&rsquo;t use ChromeOS on our team, so Antigoni and I started with Chrome Browser Cloud Management. This service is free for companies that already use Chrome browsers.</p> <p>I expected it to be fairly simple. Robert Shield, Director of Engineering, Chrome Enterprise, made things sound easy enough in this podcast, talking about how much admins could do with &ldquo;all with these built-in controls in the browser.&rdquo;</p> <p>It wasn&rsquo;t simple.</p> <p>Antigoni is no slouch at managing rollouts. But Chrome&rsquo;s cloud management instructions and documentation are labyrinthine, often outdated, and (in my professional opinion), poorly written and difficult to follow.</p> <p>We enrolled in the trial for Chrome&rsquo;s paid &ldquo;Enterprise Upgrade,&rdquo; thinking that even though it&rsquo;s geared toward Chromebooks, it might still offer simplified processes for enrolling browsers.</p> <p>Not really.</p> <p>The most significant challenge we came across, quite early on, was adding me to my own group. We very much did not want to roll out monitoring and restrictions to everyone at the company, especially without their knowledge. 
We tried creating a new Gmail address, re-registering my Chrome, creating a child organization within our company, and a host of other things to try to get <em>me, one little writer</em>, monitored.</p> <p>But in the end, this fundamental early step of the process stymied us. And looking through Chrome&rsquo;s documents for applying policies, it was clear that each individual policy would require its own fair share of busy-work; some are as easy as flicking a switch, some require some light coding, and some are just tedious. (They also let you stop users from <a href="https://support.google.com/chrome/a/answer/2657289#Learn&amp;zippy=%2Cincognito-mode%2Csafesearch-and-restricted-mode%2Cclipboard%2Cdinosaur-game">playing the dinosaur game when Chrome is offline</a>, which just feels cruel.)</p> <p>We gave it a good faith effort, but after a couple of hours of frustration, we gave up. It would be too much of a <em>trial</em> to get this trial going.</p> <h3 id="demo-attempt-2-red-access">Demo attempt 2: Red Access</h3> <p>Setting up Chrome for Enterprise was a bust (and we aren&rsquo;t <a href="https://support.google.com/chrome/a/thread/126324191/google-chrome-browser-cloud-management-my-never-ending-nightmare-of-adding-accounts?hl=en">the only ones who feel that way</a>). But Google&rsquo;s enterprise browser option probably isn&rsquo;t the top priority of a company with <a href="https://www.reuters.com/legal/us-judge-rules-google-broke-antitrust-law-search-case-2024-08-05/">so much else going on</a>.</p> <p>Next, I got a Zoom product demo from a vendor focused exclusively on browser security: Red Access.</p> <p>Naturally, no vendor is going to show off their flaws in their own demo, but deploying Red Access seemed much easier than what we saw with enterprise Chrome, with some pre-set policies, advised blocklists, and toggles for different SaaS apps.</p> <p>It&rsquo;s worth noting that, technically, Red Access <em>isn&rsquo;t</em> an enterprise browser. 
Their promise is to &ldquo;turn any browser into a secure enterprise browser&rdquo; through what the CEO called an &ldquo;<a href="https://docs.appdynamics.com/appd/23.x/latest/en/end-user-monitoring/browser-monitoring/browser-real-user-monitoring/inject-the-javascript-agent">injectable agent</a> that gets presence on the endpoint during the session.&rdquo;</p> <p>Essentially, their option is an agentless combination between the abilities of an <a href="https://www.paloaltonetworks.com/cyberpedia/what-is-security-service-edge-sse">SSE</a> and an enterprise browser. In practice, this means that browsing is only rerouted from within certain browser profiles.</p> <p>Your work Chrome profile will launch a virtual remote session even while your personal profile stays unmonitored (to the point that two Chrome windows, open on the same device, access data from different IP addresses). They also don&rsquo;t do RBI proper, instead rerouting browsing with something more akin to a lightweight corporate VPN.</p> <p>Red Access isn&rsquo;t necessarily representative of enterprise browsers as a whole, and they were eager to highlight some of their competitive advantages, such as:</p> <ul> <li> <p>Unimpacted streaming speeds.</p> </li> <li> <p>Lightweight CPU requirements.</p> </li> <li> <p>They don&rsquo;t see the security patch delays of other enterprise browsers (most of which are built on Chromium).</p> </li> </ul> <p>That final point is worth repeating. The majority of these browsers are built using Chromium. Unlike Chrome itself, Chromium often requires manual patching. 
As Gregg Keizer <a href="https://www.computerworld.com/article/3261009/googles-chromium-browser-explained.html">wrote for Computerworld</a>: &ldquo;The omission of an update service is the single greatest security threat to Chromium.&rdquo;</p> <h2 id="what-are-the-potential-use-cases-for-enterprise-browsers">What are the potential use cases for enterprise browsers?</h2> <p>From what we can tell, enterprise browsers have somewhat limited use cases. They&rsquo;re expensive (as opposed to consumer browsers, which are free), time-consuming to maintain, and, it&rsquo;s safe to assume, unpopular with end users.</p> <p>To even start considering enterprise browsers, you need to clear a couple of bars:</p> <ol> <li> <p>They make the most sense for workers who do most or all of their jobs via the browser. This means that they&rsquo;ll rarely work for a whole company&rsquo;s workforce, since many workers (like developers) have to use standalone programs with no web apps.</p> </li> <li> <p>They&rsquo;re much more useful for managing <a href="https://dzone.com/articles/the-enterprise-browser-a-security-hardened-product">remote employees</a> than on-prem. The problems they solve are typically already solved on the network level, or are just less of a concern, in an on-premises environment.</p> </li> </ol> <p>For companies with those needs, the question is: when is this option worth considering? And when is it still not worth it?</p> <h3 id="to-replace-vdi-daas-or-vpn">To replace VDI, DaaS, or VPN</h3> <p>Virtual desktop infrastructures (VDI), desktop as a service (DaaS), and virtual private networks (VPNs) all solve some of the same problems that enterprise browsers do. VDI (which you can read more about <a href="https://www.kolide.com/blog/can-vdi-secure-byod">here</a>) and DaaS work similarly to enterprise browsers in terms of creating a sandboxed work environment, but they apply to multiple applications, not just the browser. 
VPNs create secure tunnels through which data is encrypted and inspected. All three secure cloud data and make some provisions around how employees can access sensitive information.</p> <p>They also come with some of the same drawbacks; they monitor user activity and often <a href="https://www.cnet.com/tech/services-and-software/your-vpn-is-destroying-your-internet-speed-heres-how-to-fix-it/">slow down internet speed as well</a>.</p> <p>In terms of trading one of these for an enterprise browser, it will come down to your security needs, your end-users, and <a href="https://www.linkedin.com/pulse/enterprise-browser-vdi-question-patrick-coble">your budget</a> (it&rsquo;s hard to find consistent price estimates for enterprise browsers, but they are likely a cheaper option).</p> <h3 id="contractor-devices">Contractor devices</h3> <p>Evgeniy Kharam, a CISO, <a href="https://open.spotify.com/episode/34hqo2PFrbGx0mjZdBpuvQ">told the Adopting Zero Trust podcast</a>: &ldquo;Right now I feel the perfect use case [for enterprise browsers] is the part-time contractor.&rdquo;</p> <p>Imagine, for example, a company that outsources customer service to a call center. These call center workers only need to do a few, repetitive tasks, which they can accomplish via the browser alone. Issue a fleet of Chromebooks equipped with the Chrome enterprise browser, and you&rsquo;ve basically got security covered for those workers.</p> <p>They&rsquo;re similarly useful with <a href="https://open.spotify.com/episode/34hqo2PFrbGx0mjZdBpuvQ">third-party vendors</a> – assuming they agree to use them. This could prevent attacks like the one made against Boston hospitals, where hackers first hacked an HVAC vendor who had hospital blueprint copies floating around in their systems. 
An enterprise browser could have prevented the vendor from downloading that file in the first place &hellip; though they may have objected that they needed to download it in order to do their job.</p> <p>Of course, all these use cases only work if we assume you have a successful deployment and are able to ensure that workers <em>can only access company resources via the enterprise browser</em>. That shouldn&rsquo;t be a huge hurdle if you have Google as your identity provider, and Chrome as your browser <em>and</em> OS, since those products are designed to be integrated. But if you&rsquo;re using Okta for identity, Island as your browser, and macOS, you should make sure these disparate systems will play nicely together.</p> <h3 id="byod">BYOD</h3> <p>Most of these browsers (save obvious exceptions like Microsoft Edge for Business) are platform-agnostic. That means that they&rsquo;re genuinely useful for managing a <a href="https://blog.surf.security/byod-risk">varied BYOD</a> scenario, since you don&rsquo;t have to manage a whole fleet of devices, just the browser. In a couple of podcasts, hosts and experts discuss how these browsers could let employees hop onto their <a href="https://open.spotify.com/episode/1uMGUOTPFWBPMSPSeHNPuZ">kid&rsquo;s school Chromebook</a> to get a few things done in a pinch.</p> <p>However, just because you can use enterprise browsers this way, doesn&rsquo;t mean you should. Overly lax <a href="https://blog.1password.com/byod-policies/">BYOD policies can bring a lot of security</a> vulnerabilities, and you&rsquo;d be hard-pressed to find an enterprise browser saying they should be your <em>only</em> point of security. In the call with Red Access, for instance, they fully admit that their solution should be combined with other tools, like firewalls and <a href="https://blog.1password.com/what-is-device-trust/">device authentication</a>. 
&ldquo;Cybersecurity works in layers,&rdquo; as they put it.</p> <p>Generally, letting people access company systems on otherwise unsecured and unmanaged devices could make it a bit too easy for threat actors, especially if logging into the browser requires nothing but phishable, credential-based <a href="https://www.island.io/blog/a-closer-look-at-mfa-in-the-browser">authentication</a>.</p> <h3 id="productivity">Productivity</h3> <p>We highly doubt that these browsers will improve employee productivity. You&rsquo;ll be lucky if they don&rsquo;t hinder it.</p> <p>Employees (even contractors) are adults who know what they need to be productive. And it&rsquo;s pretty telling that Google&rsquo;s enterprise policies are <a href="https://support.google.com/chrome/a?sjid=14253643302500437044-NC#topic=7679105">the same ones</a> used to monitor school Chromebooks. Treating employees like <em>literal children</em> isn&rsquo;t likely to boost morale (<a href="https://www.ox.ac.uk/news/2019-10-24-happy-workers-are-13-more-productive">or productivity</a>).</p> <p>You can&rsquo;t justify invasive monitoring by expecting people to totally compartmentalize their personal and work activities on separate browsers; that&rsquo;s just not how people work. And monitoring employees <a href="https://hbr.org/2022/06/monitoring-employees-makes-them-more-likely-to-break-rules">damages productivity and general well-being</a> precisely <em>because</em> people resent a workplace that doesn&rsquo;t trust them.</p> <p>Bottom line: at some point you have to trust the people you hired to do their jobs. If you&rsquo;re concerned about productivity, there are other ways to measure it (like how much work they get done). 
And if you&rsquo;re concerned about unsafe behaviors on the browser, there are ways to detect malware and block <a href="https://blog.1password.com/ai-browser-extension-nightmare/">unsafe browser extensions</a> while letting users maintain more agency and privacy.</p> <h3 id="security-training">Security training</h3> <p>On the Security Weekly podcast, Robert Shield from Chrome Enterprise <a href="https://open.spotify.com/episode/4sqRPUYSC66WWLPK1y48qo">described a policy</a> to get around &ldquo;employee frustration.&rdquo; With this policy, certain actions like downloading or printing will be &ldquo;automatically approved&rdquo; once employees request permission and fill out a log.</p> <p>If actions are reaching the point of auto-approval, you&rsquo;re not worried about stopping malicious users. This kind of policy is clearly aimed more at reinforcing employees' best data practices and encouraging them to be thoughtful about what they download and print.</p> <p>Island claims to provide <a href="https://www.island.io/blog/embracing-generative-ai-in-the-workplace">security education</a> &ldquo;at the moment it&rsquo;s relevant,&rdquo; by providing &ldquo;a clear message explaining why the action was prevented. Showing this type of information in context&hellip;makes it more effective than alternatives like a company-wide email message.&rdquo;</p> <p>We agree with the spirit of this claim, but Island&rsquo;s example leaves much to be desired.</p> <img src='https://blog.1password.com/posts/2024/what-is-the-deal-with-enterprise-browsers/island-chat-gpt-terms-of-service.png' alt='A screenshot of Island&#39;s Chat GPT TOS.' title='A screenshot of Island&#39;s Chat GPT TOS.' 
style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p><a href="https://www.island.io/blog/embracing-generative-ai-in-the-workplace">Source</a></p> <p>This feels less like education on <em>why</em> AI is risky, and more like a reminder that &ldquo;we&rsquo;re watching you.&rdquo;</p> <blockquote> <p>In general, the restriction and monitoring aspects of enterprise browsers are more likely to annoy your good employees than to stop a truly determined bad actor.</p> </blockquote> <p>For instance, a policy against screenshots could remind a well-intentioned remote employee that they shouldn&rsquo;t have copies of sensitive docs floating around on their device. But a malicious insider can get around this by simply taking a picture of their computer screen with their phone.</p> <img src='https://blog.1password.com/posts/2024/what-is-the-deal-with-enterprise-browsers/Goofus-and-Gallant.jpg' alt='An image of two Goofus and Gallant comics drawn in the classic style.' title='An image of two Goofus and Gallant comics drawn in the classic style.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>Not to mention, it&rsquo;s not like education requires invasive monitoring. With 1Password® Extended Access Management, we&rsquo;re proud of our ability to <a href="https://blog.1password.com/introducing-extended-access-management/">educate employees</a> about security while still enforcing corporate <a href="https://www.kolide.com/docs/using-kolide/checks">data principles and posture checks</a>.</p> <p>And we do it without monitoring browsing history.</p> <h2 id="enterprise-browsers-arent-a-silver-bullet">Enterprise browsers aren&rsquo;t a silver bullet</h2> <p>Before the 1960s, offices were inspired by <a href="https://www.wired.com/2009/03/pl-design-5/">factory floors</a>. Regimented rows of desks were crammed so tightly together that employees bumped shoulders as they worked. 
Only managers had private offices, with large windows to let them peer out over their workers.</p> <p>This is the environment that inspired the &ldquo;movable privacy walls&rdquo; of Robert Propst&rsquo;s cubicles. And you could argue that cubicles were an improvement over what came before! But you&rsquo;d also have to agree that they came with their own problems.</p> <p>Enterprise browsers suit specific uses. RBI is a powerful tool for companies that <em>really</em> want to secure data that passes through web apps. And focusing security at the browser level is a simple and cost-effective approach for large teams of remote workers who only need the browser to do their jobs (like in the call center example).</p> <p>But for the average organization, the drawbacks of enterprise browsers are too extreme, the benefits are too few, and the products are too opaque and untested to justify tampering with such a vital tool.</p> <p>Want more original and curated stories about IT and security? Subscribe to our <a href="https://1password.com/kolidescope-newsletter">Kolidescope newsletter</a>.</p></description></item><item><title>1Password Extended Access Management's Okta integration</title><link>https://blog.1password.com/extended-access-management-okta-guide/</link><pubDate>Fri, 16 Aug 2024 00:00:00 +0000</pubDate><author>info@1password.com (Caitlin Cabrera)</author><guid>https://blog.1password.com/extended-access-management-okta-guide/</guid><description> <img src='https://blog.1password.com/posts/2024/extended-access-management-okta-guide/header.png' class='webfeedsFeaturedVisual' alt='1Password Extended Access Management's Okta integration' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">1Password® Extended Access Management includes (among other things) a device trust agent.</p> <p>This agent serves as part of a user&rsquo;s authentication process with their company&rsquo;s SSO – for instance, Okta.</p> <p>What that 
means is that, with 1Password Extended Access Management, when devices are out of compliance, users can&rsquo;t log into their Okta-protected cloud apps until they&rsquo;ve resolved the issue.</p> <p>This change has several implications for IT admins and end users:</p> <ul> <li> <p>End users can no longer ignore device security problems – they have to fix them in order to do their jobs.</p> </li> <li> <p>IT teams can ensure that their entire fleet gets compliant without manual intervention on their part, which is particularly important for urgent security issues like browser and OS patching.</p> </li> <li> <p>1Password Extended Access Management can help your team with its <a href="https://blog.1password.com/what-is-device-trust/">Zero Trust/device trust initiative</a> since we now restrict access to sensitive resources based on device health.</p> </li> </ul> <p>For now, 1Password Extended Access Management is compatible with Okta and Microsoft Entra, with more IdP integrations coming soon. We&rsquo;re going to spend the rest of this blog post digging into how our Okta integration works, and how the integration fits into the 1Password Extended Access Management product as a whole.</p> <h2 id="what-is-okta">What is Okta?</h2> <p>Okta is an Identity-as-a-Service (IDaaS) platform, which in turn is a subset of the Identity and Access Management (IAM) field. Okta provides organizations with a suite of powerful identity management features for their workforce.</p> <h2 id="why-we-integrated-with-okta">Why we integrated with Okta</h2> <p>For a device trust product to be effective, there have to be consequences for devices that are out of compliance. (<a href="https://honest.security/compliance/">Jason Meller wrote more about this idea in Honest Security</a>). Eventually, we realized that the best and least invasive way to ensure compliance is to make device security part of authentication. 
That, in turn, required us to work with SSO providers.</p> <p>We chose to start with Okta because we truly value how much they have invested in their platform, as well as their impact in the SSO community. Okta has an intentionally narrow focus and is easier to use compared to similar solutions, and many of our existing customers were already Okta users.</p> <h2 id="how-our-device-trust-agent-integrates-with-okta">How our device trust agent integrates with Okta</h2> <p>1Password Extended Access Management integrates with the newest version of Okta Identity Engine. What makes Okta Identity Engine different from traditional SSO providers is its ability to utilize custom authentication hooks at each step of the authentication and authorization process. Thus, it drives user behavior more effectively than traditional SSO methods.</p> <p>In Okta&rsquo;s authentication flow, 1Password Extended Access Management&rsquo;s agent functions as a possession factor. That is, the presence of the agent on a device is a precondition for authentication, so only devices that have the agent and pass our compliance checks can log into their Okta-protected apps.</p> <p>1Password Extended Access Management also ensures that only the registered device owner can authenticate. This means that phished credentials become a problem of the past. Without the physical work computer present, credentials alone won&rsquo;t satisfy authentication. And even if credentials <em>are</em> compromised, the device trust solution comes integrated with our powerful <a href="https://1password.com/product/enterprise-password-manager">Enterprise Password Manager</a>, which can alert users to stolen credentials, keep passwords safe, and even provide <a href="https://blog.1password.com/authentication-methods/">passwordless authentication</a>.</p> <h3 id="a-quick-guide-to-okta-products">A quick guide to Okta products</h3> <p>Okta has several applications and iterations, which can get a bit confusing. 
Here&rsquo;s a brief list of some other terms you may encounter.</p> <ul> <li> <p>Okta Identity Engine: Okta Identity Engine consists of a sequence of steps to authenticate and authorize users. Identity Engine is the updated version of Okta Classic and is supported by 1Password Extended Access Management.</p> </li> <li> <p>Okta Classic: Okta Classic is the first iteration of Okta SSO and the predecessor to Okta Identity Engine. 1Password Extended Access Management does not integrate with this version.</p> </li> <li> <p>Okta Verify: Okta Verify is an MFA (multi-factor authentication) mobile app that is compatible with both versions of Okta, although with significant improvements in Okta Identity Engine.</p> </li> <li> <p>Okta FastPass: Okta FastPass allows users to sign into Okta without using a password, and essentially adds FIDO2 auth to Okta Verify. With FastPass, users are generally authenticated through their device&rsquo;s biometrics. FastPass cannot be used without Okta Verify.</p> <ul> <li>For those using Okta FastPass, Okta offers some basic device-based conditional access abilities, but it&rsquo;s primarily concerned with verifying user identity. 
1Password Extended Access Management&rsquo;s role is to complement it by running a robust series of checks on every device.</li> </ul> </li> </ul> <h2 id="1password-extended-access-management-and-okta-factor-sequencing-options">1Password Extended Access Management and Okta factor sequencing options</h2> <p>There are several authentication methods available with Okta and 1Password Extended Access Management today, all of which employ our agent as a possession factor:</p> <ul> <li> <p>Classic 2FA - Okta Password + 1Password Extended Access Management</p> </li> <li> <p>Passwordless - FIDO2 + 1Password Extended Access Management</p> </li> <li> <p>3FA - Okta Password + 1Password Extended Access Management + Biometric/Possession Factor (Multiple options, including Okta Verify and YubiKey)</p> </li> </ul> <p><a href="https://www.kolide.com/docs/getting-started/connect-kolide-to-okta#overview">For a more detailed guide to factor sequencing, check out our documentation page.</a></p> <p>Regardless of the authentication methods used for Device Trust, the overall process flow works similarly.</p> <ol> <li> <p>When a user initiates the authentication process after signing into Okta, a signed SAML request is sent from Okta to the agent.</p> </li> <li> <p>After this request is sent, 1Password Extended Access Management validates it and checks in with the agent installed on the device.</p> </li> <li> <p>1Password Extended Access Management then runs its checks against the user&rsquo;s device to determine if there are currently any blocking issues.</p> </li> <li> <p>If blocking issues exist, the user is required to fix them before finishing the authentication process.</p> </li> <li> <p>After this process is complete, a signed SAML response is sent back to Okta from 1Password Extended Access Management. 
Okta then validates the response and authenticates the user.</p> </li> </ol> <img src='https://blog.1password.com/posts/2024/extended-access-management-okta-guide/flowchart.png' alt='A flowchart of how devices are granted access with device trust.' title='A flowchart of how devices are granted access with device trust.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <h2 id="how-this-works-for-end-users">How this works for end users</h2> <p>It&rsquo;s important to understand that while our SSO integration is central to our product, it&rsquo;s not the only way users interact with us. After all, we wanted to make 1Password Extended Access Management part of authentication and block non-compliant devices, but we didn&rsquo;t want to create any needless friction (or unpleasant surprises) for users.</p> <p>To that end, not all issues trigger an immediate block. IT can determine how long the grace period should be before users are blocked, depending on an issue&rsquo;s level of urgency.</p> <p>So, hand-in-hand with our Okta integration, we created an app that alerts users to blocking issues as soon as we detect them. That way, a user never learns that their device has an issue when they&rsquo;re trying to log in for an important meeting.</p> <img src='https://blog.1password.com/posts/2024/extended-access-management-okta-guide/menubar-anonymous.jpg' alt='A screenshot showing when the menubar alerts a device is blocked from access.' title='A screenshot showing when the menubar alerts a device is blocked from access.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>The menubar application directly integrates with the desktop agent. 
When there&rsquo;s an issue with a device, the menubar app gives users an alert, telling them:</p> <ul> <li> <p>What the problem is.</p> </li> <li> <p>How long they have to remediate it before their device will be blocked from authenticating.</p> </li> </ul> <p>From there, it lets users navigate to remediation instructions with just one click.</p> <p>We chose this method because it saves time and energy for IT admins and end users alike. For instance, browser updates need to get done, but it&rsquo;s typically fine if users get them done within a week or so, and pushing a forced update through an MDM might interrupt workflows. It also requires needless busywork from IT, since most users have the know-how needed to update Chrome.</p> <p>With our menubar app and Okta integration, users are told that if they fail to fix the problem within a certain amount of time, they&rsquo;ll be blocked from authenticating through Okta. But until then, they have the flexibility to remediate issues, on their own, according to their needs.</p> <h2 id="whats-next">What&rsquo;s next?</h2> <p>If you have Okta and are interested in 1Password Extended Access Management, <a href="https://1password.com/contact-sales/xam">reach out for a demo</a>!</p></description></item><item><title>How to write a new osquery table</title><link>https://blog.1password.com/write-new-osquery-table/</link><pubDate>Fri, 16 Aug 2024 00:00:00 +0000</pubDate><author>info@1password.com (Jason Meller)</author><guid>https://blog.1password.com/write-new-osquery-table/</guid><description> <img src='https://blog.1password.com/posts/2024/how-to-write-a-new-osquery-table/header.png' class='webfeedsFeaturedVisual' alt='How to write a new osquery table' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">One of my favorite features of osquery is the delightful user experience associated with developing new virtual tables.</p> <p>In this guide, we will work together to 
implement a new high-value table from scratch that, as of this writing, doesn&rsquo;t exist in osquery. Specifically, we will implement a <code>bluetooth</code> table that works on macOS.</p> <p>We&rsquo;ll first review table design theory, including what makes a good table great and how to balance user privacy concerns with the value needed by the security team. After a bit of theory, we&rsquo;ll set up an osquery development environment and code our table in Objective-C++. Finally, after some testing, we&rsquo;ll walk through preparing a pull request for submission to the osquery project.</p> <p>My goal is that after reading this guide, you will be inspired and empowered to contribute new tables to the osquery ecosystem. Barring that excellent outcome, you should at the very least walk away with a much greater appreciation for the process.</p> <h3 id="what-is-osquery">What is osquery?</h3> <p><a href="https://osquery.io/">Osquery</a> is a performant, open-source, multi-platform host agent created at Facebook. It allows you to query details about the systems in your fleet as if they were in a relational SQL database. Osquery comes bundled with <a href="https://osquery.io/schema/">hundreds of tables</a>, covering everything from running processes, to details on nearby WiFi networks, to loaded kernel extensions. While these included tables cover most use-cases, many important tables have yet to be written. 
Since osquery is 100% free and open-source software, instead of waiting for a commercial vendor to support a new operating system version or feature, anyone motivated can fill these gaps and contribute their own tables and features.</p> <h3 id="my-qualifications">My qualifications</h3> <p>Over the years, I have contributed many full tables to the osquery agent:</p> <ul> <li> <p><code>gatekeeper</code> &amp; <code>gatekeeper_approved_apps</code> (<a href="https://github.com/osquery/osquery/pull/3461">GitHub PR</a>)</p> </li> <li> <p><code>sharing_preferences</code> (<a href="https://github.com/osquery/osquery/pull/3509">GitHub PR</a>)</p> </li> <li> <p><code>shared_folders</code> (<a href="https://github.com/osquery/osquery/pull/3510">GitHub PR</a>)</p> </li> <li> <p><code>battery</code> (<a href="https://github.com/osquery/osquery/pull/4168">GitHub PR</a>)</p> </li> <li> <p><code>screenlock</code> (<a href="https://github.com/osquery/osquery/pull/6243">GitHub PR</a> | <a href="https://www.kolide.com/blog/how-kolide-built-its-macos-screenlock-check">Blog post</a>)</p> </li> <li> <p><code>windows_security_center</code> (<a href="https://github.com/osquery/osquery/pull/6256">GitHub PR</a>)</p> </li> <li> <p><code>location_services</code> (<a href="https://github.com/osquery/osquery/pull/6826">GitHub PR</a>)</p> </li> </ul> <p>In this guide, we will build a brand new table that doesn&rsquo;t currently exist in osquery. We will, however, stop short of actually contributing it to the project. 
This will ensure future folks who find this article can enjoy the feeling of adding something new to the project on their local machine.</p> <p>While the novelty of the code we are writing is a good lure to get you to try this out, even without that, I sincerely hope that this guide demystifies the process to help you feel that contributing a table is within your reach.</p> <h3 id="you-dont-have-to-be-a-c-expert">You don&rsquo;t have to be a C++ expert</h3> <p>C, C++, and Objective-C are the primary languages we use to write virtual tables in osquery. For many folks who are only familiar with more modern compiled languages like Golang, Swift, or Rust, this can feel like a non-starter.</p> <p>But I don&rsquo;t think it should be.</p> <p>Before my first contribution, I hadn&rsquo;t written a lick of production code in any of those languages. My only exposure was briefly in college, in an introduction to computer science class, and it was very superficial. Even today, if you pressed me to write an iPhone app in Objective-C, I would have to look up introductory courses online. It&rsquo;s not happening.</p> <p>Even with this limited skillset, I was shocked at how easy it was for me to get started. My first contribution took me less time than writing this guide!</p> <p>It turns out I got very lucky. Writing osquery tables is perhaps one of the best ways to be introduced to C, C++, Objective-C, and their associated build tooling. 
If these are languages you&rsquo;re interested in learning, you&rsquo;ll find the osquery project to be the perfect proving ground to hone your skills.</p> <p>Thanks to osquery&rsquo;s superb documentation and well-reasoned code organization, getting a productive working development environment up and running is a snap.</p> <h3 id="prerequisites">Prerequisites</h3> <p>While I tried to make this guide as accessible as possible, there are a few things you should know before we get started:</p> <ul> <li> <p>Some familiarity with osquery, relational databases, and SQL.</p> </li> <li> <p>You don&rsquo;t need a lot of C++ or Objective-C experience, but some brief exposure will help. Understanding data types and how to call classes and methods in Objective-C will make the example code a bit easier to read. Also, you should have a basic knowledge of coding (variables, loops, conditionals, etc.). I come from a Ruby/Python background, if that tells you anything.</p> </li> <li> <p>How to use <code>git</code> and the GitHub pull request process.</p> </li> <li> <p>Basic familiarity working with the terminal.</p> </li> <li> <p>A text editor suitable for writing code. I use <a href="https://code.visualstudio.com/">Microsoft&rsquo;s Visual Studio Code</a>.</p> </li> </ul> <p>Don&rsquo;t worry if you have only a tenuous grasp of some of the concepts above. I&rsquo;ll be going through the technical areas step-by-step.</p> <h2 id="why-you-should-write-an-osquery-table">Why you should write an osquery table</h2> <p>At this point in the post, you might be thinking to yourself: &ldquo;Even if it&rsquo;s as easy as you claim, why should I spend valuable time and effort writing my own osquery table?&rdquo;</p> <p>I don&rsquo;t blame anyone who has this perspective. 
One of the significant advantages of using osquery is enjoying the benefits of the hard work previous developers put into the tool and not having to suffer as you try to source the data yourself.</p> <p>Even though that is true, I have a pitch for you. And no, it&rsquo;s not an appeal to &ldquo;give back to the community.&rdquo; Forget the community. Write an osquery table for yourself. It may sound like a selfish attitude but even if you are building osquery tables to benefit your organization or individual needs, it likely won&rsquo;t be time wasted.</p> <p>In my experience, building an osquery table yourself has the following advantages:</p> <ol> <li> <p>Even when accounting for lack of experience, building a table yourself is the fastest way for your new table to ship in a stable release of osquery. While the development community members build requested tables all the time, it&rsquo;s unlikely they will do it on your preferred timeline.</p> </li> <li> <p>You will increase your understanding of that operating system concept by building a table. This will not only make you a more informed person about how operating systems work, but you will also be able to use your table (and likely other tables) with more precision and produce actionable results. For the tables I wrote, I definitely have a lot of tips and tricks for querying them effectively.</p> </li> <li> <p>When you build a table, you are likely building it to solve real use-cases for you or your organization. If someone else builds the table for you, they may exclude a critical column or piece of data you need to make the data actionable. The adage &ldquo;if you want something done right, do it yourself&rdquo; absolutely applies.</p> </li> <li> <p>Thousands of people will shower you with adoration. 
Your name will be forever etched in the slate of computing history as a titan of the security industry.</p> </li> </ol> <p>&hellip;well, maybe not that last one, but still, there is a lot in it for you and not a lot to lose except a few hours of your time. Even during the rare instances I was writing a table and bit off more than I could chew, I had enough of the leg-work done to motivate much more experienced engineers to help me complete it.</p> <p>Now that you are sufficiently convinced, it&rsquo;s time to get down to brass tacks and create our table. Before we write any code, we need to think about our new table, which leads us to our first step in this process.</p> <h2 id="step-1-choosing-the-table-to-write">Step 1: Choosing the table to write</h2> <p>The hardest part of contributing a new osquery table is picking a table that will be a net-positive addition to the project. Just because a new table returns correct data doesn&rsquo;t mean that it should be merged with the upstream osquery project.</p> <h3 id="myth-if-a-table-can-be-written-it-should-be-written">Myth: If a table can be written, it should be written</h3> <p>A common myth is that new tables are &ldquo;free&rdquo; since they introduce a brand-new concept without disrupting the existing osquery table ecosystem. Nothing could be further from the truth. New tables not only increase the size of the osquery binary itself, but they also increase osquery&rsquo;s complexity, compile-time, length of the documentation, attack surface, and the chances of memory leaks and instability.</p> <p>Even if a table is written perfectly, it must be aggressively maintained through every supported OS version once accepted. Deleting or changing the schema of a table is very challenging once users of osquery rely on its existence. 
We have to get as much as we can right on the first try.</p> <p>With these considerations in mind, tables should always solve a <em>real need</em>, not add to the cacophony of irrelevant data that many security, IT, and operations professionals must comb through daily.</p> <h3 id="where-to-talk-about-your-table-before-you-write-it">Where to talk about your table before you write it</h3> <p>If you want to talk through a table idea before you commit to writing it, one of these three options works best:</p> <ol> <li> <p>Solicit opinions from experts in the <a href="https://osquery.slack.com/join/shared_invite/zt-1wi6cdgf7-zR2wt7FZ0ClHj6tEym6KFQ#/shared-invite/email">official osquery Slack</a>. The people there are very welcoming and friendly. Each platform has its specific channel where IT and security admins often lurk who can provide input.</p> </li> <li> <p><a href="https://github.com/osquery/osquery/blob/master/CONTRIBUTING.md#blueprints">Open a Blueprint issue</a> in the repo, and folks will comment there.</p> </li> <li> <p>Come to osquery&rsquo;s office hours and discuss the idea directly with the technical steering committee. Office hours are held every other week and announced in the official osquery Slack within the <code>#officehours</code> channel.</p> </li> </ol> <h3 id="what-makes-a-good-table">What makes a good table?</h3> <p>Before writing a new table, I first pause and consider if the table will exhibit the following properties:</p> <ul> <li> <p><strong>High value.</strong> Can I think of at least one high-value use-case/query made possible by this table? Is that use-case only valuable to my organization, or will others benefit? 
(If it only helps you, <a href="https://osquery.readthedocs.io/en/stable/development/osquery-sdk/">consider making your new table an extension</a>).</p> </li> <li> <p><strong>Accurate.</strong> Do you expect the data to be accurate enough for a user to draw actionable insights and conclusions?</p> </li> <li> <p><strong>Future-proofed.</strong> Does this table represent an OS concept that will stay relevant for at least two years?</p> </li> <li> <p><strong>Considerate of privacy.</strong> If this table reduces user privacy, do these high-value use-cases offset the privacy concerns?</p> </li> </ul> <hr> <h3 id="a-quick-note-about-user-privacy">A quick note about user privacy</h3> <p>Facebook created the osquery agent to gain visibility and insight into their systems, not the people behind them. That&rsquo;s a crucial distinction.</p> <p>Newcomers to osquery often ask why <code>browser_history</code> isn&rsquo;t a table. The simple answer is that for most ethical organizations, the privacy implications of such a table vastly outweigh any benefits of having visibility. These people are often quick to point out several tables and features that allow, with some effort, access to personal data. This, to me, is a logical fallacy. There is a big difference between a generic utility table used with bad intentions and a purpose-built table like <code>browser_history</code>. The latter would guarantee a privacy violation and provide a de facto endorsement of this violation.</p> <p>Organizations who legitimately need features like these are welcome to implement this functionality in an osquery extension. But for the rest of us, they reduce osquery&rsquo;s credibility and add unnecessary political friction to the deployment process. 
Therefore, they do not belong in the default project.</p> <p>If you are curious about balancing end-user privacy with security, detection, and compliance goals, I recommend reading the <a href="https://honest.security/">Honest Security Guide</a>.</p> <hr> <h3 id="our-new-table--bluetooth-info">Our new table — Bluetooth info</h3> <p>In this tutorial, we will create a table related to gathering the details about the Bluetooth support on macOS. For this new table, our motivation is to provide a way for a Mac administrator to query the state of the Bluetooth radio.</p> <p>After doing a quick Google search and asking around, it seems most administrators query this information by running <code>system_profiler</code> <code>SPBluetoothDataType</code>, which produces the following (abridged) output:</p> <pre tabindex="0"><code>Bluetooth:

    Bluetooth Controller:

        Address: BC:D0:74:48:DD:2D
        State: On
        Chipset: BCM_4387
        Discoverable: Off
        Firmware Version: v424
        Product ID: 0x0001
        Supported services: 0x382039 &lt; HFP AVRCP A2DP HID Braille AACP GATT Serial &gt;
        Transport: PCIe
        Vendor ID: 0x004C (Apple)

    Paired Bluetooth Devices:

        HomePod:
            Address: D0:81:7A:E2:87:4C
        Living Room:
            Address: DC:56:E7:3F:21:F8
        iPad:
            Address: EC:2C:E2:BA:3A:07
</code></pre><p>So let&rsquo;s follow the first step: working through the checklist.</p> <h3 id="is-it-high-value">Is it high value?</h3> <p>Over the years, Bluetooth has developed a bad reputation for being a viable vector for remote attackers to gain unauthorized access to otherwise secured systems. The first time I went to Black Hat in 2010, several nasty attacks were circulating, and I was only allowed to go if I ensured my laptop and phone had Bluetooth fully disabled. Over a decade later, not much has changed.</p> <p>In specific secure working environments, ensuring the Bluetooth radio is off <em>unless it is absolutely needed</em> is a best practice. 
Having a high-confidence report that enumerates when the feature is off would be useful to security practitioners and Mac admins alike.</p> <p>On the opposite end, IT admins may want to know the status of Bluetooth to troubleshoot a user who is having trouble with AirDrop, their Magic Keyboard, or headphones. Enumeration of the connected devices might also be helpful for IT admins to get an accurate inventory of peripherals that the device utilizes, and potentially help with troubleshooting.</p> <h3 id="is-it-accurate">Is it accurate?</h3> <p>Unless we can entirely rely on the output of this data, the table is not worth writing. Luckily, as we saw earlier, there is already a command-line application that returns a set of seemingly accurate data. Further, searching on Apple&rsquo;s developer docs reveals two Apple Frameworks that we might be able to use to verify the data is accurate, specifically, <a href="https://developer.apple.com/documentation/corebluetooth?language=objc">CoreBluetooth</a> and <a href="https://developer.apple.com/documentation/iobluetooth?language=objc">IOBluetooth</a>.</p> <h3 id="is-it-considerate-of-privacy">Is it considerate of privacy?</h3> <p>Bluetooth is also now controversial <a href="https://www.indiatoday.in/technology/news/story/bluetooth-on-phone-can-reveal-the-location-of-a-user-a-new-study-finds-1874760-2021-11-09">for enabling apps to track users' location</a>. This has become such a problem that Apple and Google have agreed on a <a href="https://techcrunch.com/2024/05/13/apple-and-google-agree-on-standard-to-alert-people-when-unknown-bluetooth-devices-may-be-tracking-them/">standard to alert users</a> when unknown Bluetooth devices might be tracking them through their iPhone or Android devices.</p> <p>Unfortunately, the Mac doesn&rsquo;t have similar privacy protections. 
It&rsquo;s therefore helpful to detect if Bluetooth is enabled so users can be advised to turn it off through a product like <a href="https://1password.com/product/xam">1Password Extended Access Management</a>.</p> <p>In that same vein, we toyed earlier with the idea of enumerating the connected devices ourselves; for the same reasons, we should avoid doing so. The use case above around gathering device peripheral inventory is just not valuable enough to warrant the privacy violation. So we are only going to implement the Bluetooth status portion. If someone needs this feature, they should build an osquery extension.</p> <h3 id="is-it-future-proofed">Is it future proofed?</h3> <p>Apple relies on Bluetooth for its wireless products. It&rsquo;s likely to be a relevant technology for many years. It also seems logical to assume apps will always be able to enumerate the state of the Bluetooth radio at least, so they can present an alternative user experience if Bluetooth is not available.</p> <hr> <p>Based on the above, I think our table deserves to be made (though the maintainers will ultimately decide during the review process). We also decided on a major caveat that we will not enumerate connected devices for privacy reasons.</p> <p>Now that we feel confident this will add value, it&rsquo;s time to start thinking carefully about how to design and ultimately develop our table.</p> <h2 id="step-2-designing-your-table">Step 2: Designing your table</h2> <p>A lot of osquery tables are good, but some are great. What is the difference between good and great tables? While it&rsquo;s just my opinion, I think that a good table should try to achieve all of the following:</p> <ul> <li> <p><strong>A great name.</strong> The table&rsquo;s name should help facilitate user discovery. The primary way osquery users find tables is by <a href="https://osquery.io/schema/">perusing the schema</a>. 
Unless you plan on making the table multi-platform in the future, care should be taken to pick a name that best represents that concept on the targeted platform (ex: on macOS, &ldquo;apps&rdquo; is a better platform-specific term than &ldquo;programs&rdquo;).</p> </li> <li> <p><strong>A use-case-driven schema.</strong> A table&rsquo;s columns should be chosen to enable practical use-cases. Even when developing a platform-specific table, one should choose column names that are still valid if the table eventually works across platforms. If a table enumerates data that can be different per user, include a username or UID column for easier joining.</p> </li> <li> <p><strong>Accurate data.</strong> Data should be procured from accurate sources and normalized to standard units (ex: timestamps are always UNIX epoch). In non-privileged environments, a good table returns as much data as practically possible.</p> </li> <li> <p><strong>Complete documentation.</strong> Great table documentation should include relevant examples and descriptions that help users interpret numerical codes and other data that aren&rsquo;t obvious at face value. If a user can&rsquo;t understand the output of the table, then it doesn&rsquo;t do them much good.</p> </li> <li> <p><strong>Performant.</strong> When queried naively (ex: <code>SELECT * FROM table</code>), the table should return results with the lowest performance overhead possible. If specific columns are computationally expensive, they should be excluded by default unless the user queries explicitly for them.</p> </li> </ul> <hr> <h3 id="a-quick-word-about-table-names-that-end-in-events">A quick word about table names that end in &ldquo;events&rdquo;</h3> <p>Don&rsquo;t end your table name with the word events unless you know what you are doing. In osquery, tables like <code>process_events</code>, <code>disk_events</code> and <code>file_events</code> behave differently than standard tables. 
As their name implies, they produce logs of events that have happened since the last time the table was queried, not the system&rsquo;s current state. You can read more <a href="https://osquery.readthedocs.io/en/stable/development/pubsub-framework/">here</a>.</p> <hr> <h2 id="step-3-strategizing-development">Step 3: Strategizing development</h2> <p>The paradoxical secret of new table development is that it&rsquo;s all been done before. What I mean is, while the table itself may be new and innovative, the underlying strategies it uses to collect the data necessary to populate the table are likely not.</p> <p>For all of the macOS tables I&rsquo;ve developed, the data is sourced by implementing one of the following simple strategies:</p> <ul> <li> <p><strong>Reading a <code>.plist</code>.</strong> macOS stores and continuously updates a surprising amount of valuable data in <code>plists</code> (dictionaries of properties) littered throughout the operating system. I&rsquo;ve used this strategy in many of the macOS tables I wrote, including <code>gatekeeper</code>, portions of <code>sharing_preferences</code>, and some of the columns in the <code>apps</code> table.</p> </li> <li> <p><strong>Reading an SQLite database file.</strong> When plists aren&rsquo;t enough, macOS often uses SQLite database files to store logs and other structured data on the file system. I used this strategy when writing the <code>gatekeeper_approved_apps</code> table. If all the data you need is in an SQLite database, you may not need to write a full-fledged table and instead can do what&rsquo;s known as <a href="https://github.com/rotadsr/osquery-Custom-ATCs?tab=readme-ov-file">Automatic Table Construction (ATC)</a>.</p> </li> <li> <p><strong>Using a macOS API.</strong> Apple&rsquo;s APIs are surprisingly well documented, and many command-line utilities leverage these APIs to produce their output. 
For example, the <code>shared_folders</code> table leverages the public Directory Services API to output all files and folders that a computer has shared on the network. This is the best-case scenario because these public APIs come with some guarantees to developers, so our table will likely not break when new macOS versions are released. On the opposite end of the spectrum, sometimes Apple&rsquo;s tools will use private APIs that don&rsquo;t carry such a contract and should be used only as a last resort (I ran into this for several fields in the <code>sharing_preferences</code> table).</p> </li> </ul> <hr> <h3 id="what-about-shelling-out-to-a-binary">What about shelling out to a binary?</h3> <p>Sometimes when a user of osquery is advocating for a new table, they point to a command-line tool that produces the exact output they are looking for (in our case, <code>system_profiler</code> <code>SPBluetoothDataType</code> does the job). These users might expect the table to be easily developed by quickly asking the osquery process to execute the command-line tool, read its output, and produce a table.</p> <p>This practice, casually called &ldquo;shelling out,&rdquo; is an anti-pattern in the osquery codebase, and any contributions that shell out will not be accepted.</p> <p>While shelling out often results in a table that can be developed quickly, it comes with many undesirable side effects and disadvantages:</p> <ul> <li> <p>Performance can be poor and unreliable when shelling out to external tools; it&rsquo;s often orders of magnitude faster to use the API the tool uses to produce the same output.</p> </li> <li> <p>The table will stop working if the tool is renamed, removed from your <code>$PATH</code>, deleted, or changed.</p> </li> <li> <p>Command-line tools can change all the time (renamed command-line arguments, differences in output formatting), which can break a table unexpectedly. 
These can produce errors nearly impossible to debug.</p> </li> </ul> <p>While some of these disadvantages can be realized even when developing tables the right way, they occur less frequently, and the extra development time is well worth it to reduce the likelihood our table will be slow or break unexpectedly.</p> <p>Sometimes, shelling out is the only way to get the data you need in a modern world with protected APIs and entitlements. If this is the case, building an <a href="https://osquery.readthedocs.io/en/stable/development/osquery-sdk/">osquery extension</a> that shells out is a great option.</p> <hr> <p>Back to our Bluetooth information table. After doing some Googling, I found <a href="https://github.com/toy/blueutil">a command-line tool on GitHub</a> called <code>blueutil</code> that produces the information we want. It does this by interacting with a public API called <a href="https://developer.apple.com/documentation/iobluetooth?language=objc">IOBluetooth</a>. If we look <a href="https://github.com/toy/blueutil/blob/master/blueutil.m#L44-L51">at the source code</a>, we see something like the following:</p> <pre tabindex="0"><code class="language-objective_c" data-lang="objective_c">// private methods
int IOBluetoothPreferencesAvailable();
int IOBluetoothPreferenceGetControllerPowerState();
int IOBluetoothPreferenceGetDiscoverableState();
</code></pre><p>This implies that we need to use a few private functions that exist in the framework to get the data we want, but are not declared in its public headers, which is why the tool declares them itself.</p> <p>One thing that caught my eye here was this <code>IOBluetoothPreferenceGetDiscoverableState</code>. 
When we enumerated the Bluetooth information using <code>system_profiler</code> <code>SPBluetoothDataType</code>, it included: &ldquo;<code>Discoverable: On.</code>&rdquo; But running this third-party blueutil CLI app, I get a different set of data&hellip;</p> <pre tabindex="0"><code>$ blueutil
Power: 1
Discoverable: 0
</code></pre><p><a href="https://github.com/toy/blueutil/issues/3#issuecomment-372228473">There is an issue open for this</a> in the <code>blueutil</code> repo.</p> <blockquote> <p>Just tested the discoverability [&hellip;] To me, it seems that opening the pref pane always overrules the setting. And is not reported in the IOBluetoothPreferenceGetDiscoverableState however, the System Report does show the setting and is updated when opening the pref pane&hellip;</p> </blockquote> <p>This is not good. Even though this tool uses a private function for obtaining the status of the Bluetooth radio, it&rsquo;s not reporting an important piece of data accurately. It also calls into question the accuracy of other data in this API. This API already has one strike against it, and this isn&rsquo;t baseball.</p> <p>In fact, in my testing of the original CLI command, I found that <code>system_profiler</code> <code>SPBluetoothDataType</code> seems to be the <em>only</em> CLI tool that accurately reports on discoverability. We should do our best to emulate the method it&rsquo;s using.</p> <p>Remember, the goal is to become familiar with the data before writing our table. Suppose we, the table&rsquo;s authors, don&rsquo;t understand the underlying operating system concepts the table is trying to convey? 
In that case, we have little hope of producing a table that considers the nuances and variability in the data.</p> <hr> <aside class="c-technical-aside-box c-technical-aside-box--background" aria-labelledby="a-quick-note-on-using-objective-c"> <h2 class="c-technical-aside-box__title" id="a-quick-note-on-using-objective-c"> A quick note on using Objective-C </h2> <div class="c-technical-aside-box__description"> <p>You may have noticed we are quickly going down a rabbit hole that will require us to write Objective-C, not C++ (the language used to write most osquery tables). Fortunately for us, the osquery core team has created a build environment where you can intermingle both Objective-C and C++ code within the same file. We won&rsquo;t get into the dark compiler magic that makes it possible. Instead, we can appreciate all the hard work done for us to use as little Objective-C as possible to call these APIs, and we can use the much easier to understand (in my opinion) C++ syntax and libraries for everything else.</p> </div> </aside> <hr> <p>Now that we know what information we can obtain from this API, let&rsquo;s design our Bluetooth info table. 
After looking at various docs and the output of system_profiler, I think our table should look like the following:</p> <p><strong>Table name</strong> - <code>bluetooth_info</code></p> <ul> <li> <p><code>state</code> - One of the following: 1 (for &ldquo;On&rdquo;) or 0 (for &ldquo;Off&rdquo;)</p> </li> <li> <p><code>discoverable</code> - One of the following: 1 (for &ldquo;On&rdquo;) or 0 (for &ldquo;Off&rdquo;)</p> </li> <li> <p><code>address</code> - The MAC address of the Bluetooth radio (colon-delimited hexadecimal)</p> </li> <li> <p><code>vendor_id</code> - A hexadecimal number representing the <a href="http://domoticx.com/bluetooth-company-identifiers/">Bluetooth Radio vendors manufacturing ID</a></p> </li> <li> <p><code>chipset</code> - Text representing the underlying chipset used by the Bluetooth radio</p> </li> <li> <p><code>firmware_version</code> - Text representing the currently loaded firmware on the Bluetooth radio</p> </li> <li> <p><code>supported_services</code> - A comma-separated list of <a href="https://en.wikipedia.org/wiki/List_of_Bluetooth_profiles">Bluetooth Supported services and profiles</a></p> </li> </ul> <p>Notice I haven&rsquo;t written code. I am just writing notes to myself that I can use to start quickly developing my table. These notes will directly translate to our table specification.</p> <p>When designing the schema, it becomes apparent that this table should only produce a single row describing the internal Bluetooth radio that ships with a Mac. 
While we could design the table to enumerate all Bluetooth devices, in my mind, this would muddy our proposed use cases, and therefore makes our decision to limit the scope of this table relatively easy to accept.</p> <h3 id="starting-development-and-next-steps">Starting development and next steps</h3> <p>After all that discussion and design, we will finally move away from the conceptual and academic and get our hands dirty while facing the harsh (but sometimes enjoyable) realities of writing system software.</p> <h2 id="step-4-setting-up-our-osquery-development-environment">Step 4: Setting up our Osquery development environment</h2> <p>If you are like me and had the misfortune of spending hours or even days trying to set up poorly thought out C projects to contribute a small one-line fix, osquery will seem like a breath of fresh air.</p> <p>The team has put in a lot of effort to make this process ridiculously painless, with great automated tooling and concise yet accurate documentation.</p> <p>Instead of rehashing the already well-written docs, I encourage you to <a href="https://osquery.readthedocs.io/en/stable/development/building/">follow them</a> and come back when you are ready.</p> <p>If you just want the tl;dr and happen to be running macOS, here is the short version:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="c1"># Install Homebrew</span> /bin/bash -c <span class="s2">&#34;</span><span class="k">$(</span>curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh<span class="k">)</span><span class="s2">&#34;</span> <span class="c1"># Install prerequisites</span> xcode-select --install brew install ccache git git-lfs cmake python clang-format flex bison <span class="c1"># Optional: install python tests prerequisites</span> pip3 install --user setuptools <span class="nv">pexpect</span><span class="o">==</span>3.3 psutil timeout_decorator six <span 
class="nv">thrift</span><span class="o">==</span>0.11.0 osquery </code></pre></div><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="c1"># Download source</span> git clone https://github.com/osquery/osquery <span class="nb">cd</span> osquery </code></pre></div><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="c1"># Configure build to target earliest supported version of macOS</span> mkdir build<span class="p">;</span> <span class="nb">cd</span> build cmake -DCMAKE_OSX_DEPLOYMENT_TARGET<span class="o">=</span>10.15 -DOSQUERY_BUILD_TESTS<span class="o">=</span>ON .. </code></pre></div><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="c1"># Build</span> cmake --build . -j <span class="k">$(</span>sysctl -n hw.ncpu<span class="k">)</span> </code></pre></div><p>The first build process will take a while (for me, it takes almost 15 minutes on a 2021 Macbook Pro with an M1 Pro) and may produce many warnings that you can safely ignore. If all goes well in the end you&rsquo;ll see something like:</p> <pre tabindex="0"><code>[100%] Linking CXX static library libosquery_main.a [100%] Built target osquery_main [100%] Generating empty_osqueryd_target_source_file.cpp [100%] Building CXX object osquery/CMakeFiles/osqueryd.dir/empty_osqueryd_target_source_file.cpp.o [100%] Linking CXX executable osqueryd [100%] Built target osqueryd [100%] Generating osqueryi [100%] Built target create_osqueryi </code></pre><p>Once completed, we will want to verify that osquery works. Since <code>osqueryi</code> is easier for us to test, simply run <code>./osquery/osqueryi</code> and try running a query like <code>SELECT version FROM osquery_info;</code>. 
If it&rsquo;s working, you will see the version number and the most recent commit SHA1 hash that you compiled against.</p> <pre tabindex="0"><code>osquery&gt; select version from osquery_info; +---------------------+ | version | +---------------------+ | 5.2.2-23-gda909acb8 | +---------------------+ </code></pre><p>If things didn&rsquo;t work out after following the steps above, I suggest you <a href="https://osquery.readthedocs.io/en/stable/development/building/">read the official documentation</a> first. If you are still stuck, don&rsquo;t despair! You can <a href="https://osquery.slack.com/join/shared_invite/zt-1wi6cdgf7-zR2wt7FZ0ClHj6tEym6KFQ#/shared-invite/email">join the osquery slack</a> and get help right away.</p> <h2 id="step-5-create-a-table-specification">Step 5: Create a table specification</h2> <p>Now that we&rsquo;ve got our development environment up and running, it is time for us to take our first steps towards writing our table, the table specification. The table specification files are located in the <code>specs</code> folder. Platform-specific specs live in a child directory labeled with their respective platform. 
Here is an example of the spec for the nvram table.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-python" data-lang="python"><span class="n">table_name</span><span class="p">(</span><span class="s2">&#34;nvram&#34;</span><span class="p">)</span> <span class="n">description</span><span class="p">(</span><span class="s2">&#34;Apple NVRAM variable listing.&#34;</span><span class="p">)</span> <span class="n">schema</span><span class="p">([</span> <span class="n">Column</span><span class="p">(</span><span class="s2">&#34;name&#34;</span><span class="p">,</span> <span class="n">TEXT</span><span class="p">,</span> <span class="s2">&#34;Variable name&#34;</span><span class="p">),</span> <span class="n">Column</span><span class="p">(</span><span class="s2">&#34;type&#34;</span><span class="p">,</span> <span class="n">TEXT</span><span class="p">,</span> <span class="s2">&#34;Data type (CFData, CFString, etc)&#34;</span><span class="p">),</span> <span class="n">Column</span><span class="p">(</span><span class="s2">&#34;value&#34;</span><span class="p">,</span> <span class="n">TEXT</span><span class="p">,</span> <span class="s2">&#34;Raw variable data&#34;</span><span class="p">),</span> <span class="p">])</span> <span class="n">implementation</span><span class="p">(</span><span class="s2">&#34;nvram@genNVRAM&#34;</span><span class="p">)</span> </code></pre></div><p>While technically written in Python, these specification files are a custom DSL (<a href="https://en.wikipedia.org/wiki/Domain-specific_language">a domain-specific language</a>) that describes a table and its associated schema. These files are important not only because they contain the structure of your table, but they also tell the compiler where to find the code that produces the data for the table. 
Not only that, these files power the documentation on the <a href="https://osquery.io/">osquery.io</a> website!</p> <p>My recommendation when writing a spec is to copy an existing spec and replace the column names, data types, and descriptions with the correct information. Don&rsquo;t worry about getting it perfect on the first try. As we play with the actual data coming from real systems, we are likely to change the spec file as our understanding of the underlying Bluetooth information improves.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-python" data-lang="python"><span class="c1"># specs/darwin/bluetooth_info.table</span> <span class="n">table_name</span><span class="p">(</span><span class="s2">&#34;bluetooth_info&#34;</span><span class="p">)</span> <span class="n">description</span><span class="p">(</span><span class="s2">&#34;Provides information about the internal Bluetooth radio of a Mac.&#34;</span><span class="p">)</span> <span class="n">schema</span><span class="p">([</span> <span class="n">Column</span><span class="p">(</span><span class="s2">&#34;state&#34;</span><span class="p">,</span> <span class="n">INTEGER</span><span class="p">,</span> <span class="s2">&#34;1 if Bluetooth is enabled. Otherwise 0.&#34;</span><span class="p">),</span> <span class="n">Column</span><span class="p">(</span><span class="s2">&#34;discoverable&#34;</span><span class="p">,</span> <span class="n">INTEGER</span><span class="p">,</span> <span class="s2">&#34;1 if the Bluetooth radio is in discovery mode and advertising itself to other devices. 
Otherwise 0.&#34;</span><span class="p">),</span> <span class="n">Column</span><span class="p">(</span><span class="s2">&#34;address&#34;</span><span class="p">,</span> <span class="n">TEXT</span><span class="p">,</span> <span class="s2">&#34;The MAC address of the Bluetooth radio in colon delimited hexadecimal&#34;</span><span class="p">),</span> <span class="n">Column</span><span class="p">(</span><span class="s2">&#34;vendor_id&#34;</span><span class="p">,</span> <span class="n">TEXT</span><span class="p">,</span> <span class="s2">&#34;A hexadecimal number representing the Bluetooth Radio vendors&#39; manufacturing ID. Ref: http://domoticx.com/bluetooth-company-identifiers/&#34;</span><span class="p">),</span> <span class="n">Column</span><span class="p">(</span><span class="s2">&#34;chipset&#34;</span><span class="p">,</span> <span class="n">TEXT</span><span class="p">,</span> <span class="s2">&#34;Text representing the underlying chipset used by the Bluetooth radio.&#34;</span><span class="p">),</span> <span class="n">Column</span><span class="p">(</span><span class="s2">&#34;firmware_version&#34;</span><span class="p">,</span> <span class="n">TEXT</span><span class="p">,</span> <span class="s2">&#34;Text representing the currently loaded firmware on the Bluetooth radio.&#34;</span><span class="p">),</span> <span class="n">Column</span><span class="p">(</span><span class="s2">&#34;supported_services&#34;</span><span class="p">,</span> <span class="n">TEXT</span><span class="p">,</span> <span class="s2">&#34;A comma separated list of codes and strings representing supported Bluetooth services and profiles. 
Ref: https://en.wikipedia.org/wiki/List_of_Bluetooth_profiles&#34;</span><span class="p">),</span> <span class="p">])</span> <span class="n">implementation</span><span class="p">(</span><span class="s2">&#34;bluetooth_info@genBluetoothInfo&#34;</span><span class="p">)</span> </code></pre></div><p>There are a few things I want to call out in these specs.</p> <p>First, the concept of column data types (the things that say <code>TEXT</code>, <code>INTEGER</code>, <code>DOUBLE</code>, etc.). These types help users who will be querying this table know what type of data to expect (printed text, whole numbers, numbers with decimals, true or false values, etc.). SQLite, the engine osquery uses to make virtual tables, translates these types into affinities (the rules SQLite uses to decide how a value is stored). For most tables, you don&rsquo;t need to know more than the few basic types mentioned above, but if you are curious, you can read more about types and affinities <a href="https://www.sqlite.org/datatypes.html">in the SQLite documentation</a> and learn some interesting tidbits. For example, did you know SQLite has no concept of a boolean (true/false)? This is why we use <code>INTEGER</code> in our specs above, with additional documentation, to simulate that datatype.</p> <hr> <p>The second thing I want to discuss is the <code>implementation</code> statement. This statement tells the build which function produces the data that powers this table; the name after the <code>@</code> is the function the generated code will call. It&rsquo;s essential to name the functions as uniquely and descriptively as possible. These names must be unique across all table implementation source-code files, because they all end up linked into the same binary. Naming them generically could cause you or another developer in the future a <code>duplicate symbol for architecture</code> error.</p> <h2 id="step-6-write-a-placeholder-table-implementation">Step 6: Write a placeholder table implementation</h2> <p>Now that we&rsquo;ve written our specification, we need to write the implementation source file. 
Let&rsquo;s start by making a bare-bones implementation that will output <em>something</em> when we query our table.</p> <h3 id="the-implementation-file">The implementation file</h3> <p>First, let&rsquo;s create a blank file called <code>bluetooth_info.mm</code> in the <code>osquery/tables/system/darwin</code> folder. Earlier, we learned we need to query an Apple API to get this Bluetooth information, using a little Objective-C. By giving our file the extension <code>.mm</code>, we tell the compiler that some Objective-C++ code lives here. Objective-C++ is amazing because it allows us to write both native Objective-C (interfacing with Apple&rsquo;s APIs) <em>and</em> mix that with the much more developer-friendly C++.</p> <p>In our blank file, let&rsquo;s start with the following basic structure:</p> <pre tabindex="0"><code class="language-objective_c" data-lang="objective_c">// osquery/tables/system/darwin/bluetooth_info.mm /** * Copyright (c) 2014-present, The osquery authors * * This source code is licensed as defined by the LICENSE file found in the * root directory of this source tree. * * SPDX-License-Identifier: (Apache-2.0 OR GPL-2.0-only) */ #include &lt;osquery/core/tables.h&gt; namespace osquery { namespace tables { QueryData genBluetoothInfo(QueryContext &amp;context) { QueryData results; Row r; r[&quot;state&quot;] = INTEGER(1); r[&quot;discoverable&quot;] = INTEGER(0); r[&quot;chipset&quot;] = TEXT(&quot;THX-1138&quot;); results.push_back(r); return results; } } // namespace tables } // namespace osquery </code></pre><p>While you may not understand everything, there is a lot here that we <em>can</em> understand. Here are the most important things:</p> <ul> <li> <p>We&rsquo;ve defined a function that matches the implementation section in our tables' specification file. 
This function accepts a context argument and returns typed objects that osquery knows how to convert into SQL results.</p> </li> <li> <p>We can set a column&rsquo;s information using the following syntax <code>r[&quot;column_name&quot;] = TYPE(value);</code></p> </li> <li> <p>We are only returning one row of information in this table, so we can populate the row and push it into the results <code>QueryData</code> object all at once. If we wanted to return many rows, we would loop through a list of stuff and then push each row individually to the result set at the end of the loop.</p> </li> <li> <p>We didn&rsquo;t have to return all the columns (we are missing quite a few in this primitive implementation).</p> </li> <li> <p>Most importantly, look at all the code <em>we&rsquo;re not writing</em>! We don&rsquo;t need to know anything about the underlying SQL subsystem, essentially. Osquery just handles this for us!</p> </li> </ul> <h3 id="how-to-compile-our-new-table">How to compile our new table</h3> <p>Believe it or not, this code snippet will run with a bit of extra work. Don&rsquo;t believe me? 
Let&rsquo;s compile it!</p> <p>Before we can do that, we need to tell <code>cmake</code> (the tool we used to compile osquery earlier) where to find our new table spec and implementation.</p> <p>This is done in two files shown below:</p> <h3 id="osqueryspecscmakeliststxt">osquery/specs/CMakeLists.txt</h3> <pre tabindex="0"><code>&lt;snip...&gt; set(platform_dependent_spec_files &quot;arp_cache.table:linux,macos,windows&quot; &quot;atom_packages.table:linux,macos,windows&quot; &quot;darwin/account_policy_data.table:macos&quot; &quot;darwin/ad_config.table:macos&quot; &quot;darwin/alf.table:macos&quot; &lt;snip...&gt; &quot;darwin/authorizations.table:macos&quot; &quot;darwin/battery.table:macos&quot; &quot;darwin/bluetooth_info.table:macos&quot; &quot;darwin/browser_plugins.table:macos&quot; </code></pre><p>As you can see above, we have inserted the path to our table specification file, relative to the <code>specs</code> folder and in alphabetical order, under the <code>platform_dependent_spec_files</code> set.</p> <p>Each entry in this set contains:</p> <ul> <li> <p>The spec file path</p> </li> <li> <p>A colon as a delimiter</p> </li> <li> <p>A comma-separated list of platforms the table is built for.</p> </li> </ul> <h3 id="osquerytablessystemcmakeliststxt">osquery/tables/system/CMakeLists.txt</h3> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-txt" data-lang="txt">&lt;snip...&gt; elseif(DEFINED PLATFORM_MACOS) list(APPEND source_files darwin/account_policy_data.mm darwin/acpi_tables.cpp darwin/ad_config.cpp darwin/apps.mm &lt;snip...&gt; darwin/battery.mm darwin/block_devices.cpp darwin/bluetooth_info.mm darwin/certificates.mm </code></pre></div><p>Just like before, we have inserted the relative path to our implementation file, in alphabetical order, in the section under <code>DEFINED PLATFORM_MACOS</code>. 
This tells the compiler to include and link these source code files if the compilation target matches the <code>PLATFORM_MACOS</code> constant.</p> <p>With that part complete, all we need to do is rerun our cmake command from earlier&hellip;</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="c1"># Make sure you are still in the ./build folder</span> cmake --build . -j <span class="k">$(</span>sysctl -n hw.ncpu<span class="k">)</span> </code></pre></div><p>Once your compilation completes, execute <code>osqueryi</code> and try the following query:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-sql" data-lang="sql"><span class="k">SELECT</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="k">FROM</span><span class="w"> </span><span class="n">bluetooth_info</span><span class="p">;</span><span class="w"> </span></code></pre></div><pre tabindex="0"><code>+-------+--------------+---------+-----------+----------+------------------+--------------------+ | state | discoverable | address | vendor_id | chipset | firmware_version | supported_services | +-------+--------------+---------+-----------+----------+------------------+--------------------+ | 1 | 0 | | | THX-1138 | | | +-------+--------------+---------+-----------+----------+------------------+--------------------+ </code></pre><p>With minimal effort, we have just created a table that produces results. Sadly, the results are not real, but that&rsquo;s okay! Let&rsquo;s start working towards our goal of getting this table to produce real outputs.</p> <h2 id="step-7-explore-the-data-with-debug-statements">Step 7: Explore the data with debug statements</h2> <p>Now it&rsquo;s time to make the leap from fake data to starting to play with the actual OS internals that will get us what we need. 
This is the most challenging part of creating a new table, so we will want to get familiar with ways to quickly iterate through ideas without the ceremony of converting data types into the final forms osquery needs to display info in the table.</p> <h3 id="introducing-nslog">Introducing NSLog</h3> <p>One of those ways is writing debug statements you can read in the console. Since this is a macOS table, we will likely be dealing with <code>NS</code>-prefixed Foundation types (the prefix is a holdover from NeXTSTEP) and other Objective-C data types like <code>NSDictionary</code>, <code>NSArray</code>, <code>BOOL</code>, etc. The <code>NSLog</code> function allows us to quickly output these objects in human-readable form, to determine if we&rsquo;ve found a viable way of returning our data. We will use it liberally later on in this step.</p> <h3 id="how-do-we-get-data-out-of-system-profiler">How do we get data out of System Profiler?</h3> <p>Now for the key question. We know the data we want is in System Profiler, and we know we aren&rsquo;t allowed to shell out and get it. So how do we do this?</p> <p>My usual first step is to take the command-line tool and throw it into a disassembler like <a href="https://www.hopperapp.com/">Hopper</a>. I like Hopper a lot because – despite not knowing much about disassembling binaries or how to read raw ASM – I can generally grep around for strings that give me clues to help me come up with more targeted Google searches.</p> <p>But this time, there was no need for Hopper. With some simple Google searches, I discovered a <a href="https://eclecticlight.co/2020/12/10/controlling-processes-and-environments/">great article</a> by Dr. Howard Oakley of the Electric Light Company that breaks down how <code>system_profiler</code> works in great detail.</p> <blockquote> <p>system_profiler is surprisingly complex. The command tool in /usr/sbin/ turns out to be a small stub which relies on calling helper tools stored in the /System/Library/SystemProfiler folder as .spreporter bundles. 
Each of those contains another Mach-O executable complete with its own localised strings, and in some cases such as SPiBridgeReporter.spreporter there are also XPC services, which in turn have their localised strings</p> </blockquote> <p>Further down, he reproduces the following console logs:</p> <pre tabindex="0"><code>0.544816 com.apple.SPSupport Reporting system_profiler SPSupport -[SPDocument reportForDataType:] -- Dispatching helperTool request for dataType SPiBridgeDataType. </code></pre><p><code>[SPDocument reportForDataType]</code> looks like what we need. Let&rsquo;s see if we can get that working.</p> <p>In these cases, I like to get a simple single file program working before I start dealing with integrating it into the osquery source. I do this because it&rsquo;s usually faster, and I can further reduce my program to just the essential elements I need for testing.</p> <p>Here is the simple source file that I came up with that we can use as a playground to test our theory around <code>SPDocument</code>. Feel free to stick this file anywhere outside of the osquery codebase (we don&rsquo;t submit it later on accidentally).</p> <pre tabindex="0"><code class="language-objective_c" data-lang="objective_c">// bluetooth.mm #import &lt;Foundation/Foundation.h&gt; #import &lt;AppKit/NSDocument.h&gt; // Define a private method for NSDocument that is not included in the // header file. 
@interface SPDocument : NSDocument {} - (id)reportForDataType:(id)arg1; @end int main() { // Create a URL ref for the private framework we need CFURLRef bundle_url = CFURLCreateWithFileSystemPath( kCFAllocatorDefault, CFSTR(&quot;/System/Library/PrivateFrameworks/SPSupport.framework&quot;), kCFURLPOSIXPathStyle, true); // Load the framework CFBundleLoadExecutable(CFBundleCreate(kCFAllocatorDefault, bundle_url)); // A metaprogramming way of typing `id = [SPDocument new]` id cls = NSClassFromString(@&quot;SPDocument&quot;); SEL sel = @selector(new); id document = [cls performSelector:sel]; // My best guess on how to use this private method NSDictionary* data = [document reportForDataType:@&quot;SPBluetoothDataType&quot;]; // Let's see what we get NSLog(@&quot;%@&quot;, data); return 0; } </code></pre><p>And we can compile it by running <code>gcc</code> with the appropriate flags.</p> <pre tabindex="0"><code>gcc -framework Foundation -framework AppKit bluetooth.mm -o bluetooth </code></pre><p>Now let&rsquo;s run our newly compiled program and see what we get!</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="c1"># Don&#39;t forget to mark it executable</span> chmod +x bluetooth <span class="c1"># Run it!</span> ./bluetooth </code></pre></div><p>This is what happened when I ran it on my device&hellip;</p> <pre tabindex="0"><code>2022-03-23 14:02:47.181 bluetooth[21892:5171488] { &quot;_SPCommandLineArguments&quot; = ( &quot;/usr/sbin/system_profiler&quot;, &quot;-nospawn&quot;, &quot;-xml&quot;, SPBluetoothDataType, &quot;-detailLevel&quot;, full ); &quot;_SPCompletionInterval&quot; = &quot;0.02909505367279053&quot;; &quot;_SPResponseTime&quot; = &quot;0.04006195068359375&quot;; &quot;_dataType&quot; = SPBluetoothDataType; &quot;_detailLevel&quot; = &quot;-1&quot;; &quot;_items&quot; = ( { &quot;controller_properties&quot; = { &quot;controller_address&quot; = &quot;BC:D0:74:48:DD:2D&quot;; 
&quot;controller_chipset&quot; = &quot;BCM_4387&quot;; &quot;controller_discoverable&quot; = &quot;attrib_off&quot;; &quot;controller_firmwareVersion&quot; = v424; &quot;controller_productID&quot; = 0x0001; &quot;controller_state&quot; = &quot;attrib_on&quot;; &quot;controller_supportedServices&quot; = &quot;0x382039 &lt; HFP AVRCP A2DP HID Braille AACP GATT Serial &gt;&quot;; &quot;controller_transport&quot; = PCIe; &quot;controller_vendorID&quot; = &quot;0x004C (Apple)&quot;; }; &quot;devices_list&quot; = (&lt;REDACTED FOR PRIVACY&gt;); } ); &quot;_name&quot; = SPBluetoothDataType; &quot;_parentDataType&quot; = SPHardwareDataType; &quot;_properties&quot; = { &quot;_name&quot; = { &quot;_detailLevel&quot; = &quot;-1&quot;; &quot;_isColumn&quot; = YES; &quot;_isOutlineColumn&quot; = YES; &quot;_order&quot; = 0; }; &quot;controller_address&quot; = { &quot;_detailLevel&quot; = 0; &quot;_order&quot; = 2; }; &quot;controller_name&quot; = { &quot;_detailLevel&quot; = 1; &quot;_order&quot; = 1; }; &quot;controller_properties&quot; = { &quot;_detailLevel&quot; = &quot;-1&quot;; &quot;_order&quot; = 1; }; &quot;controller_state&quot; = { &quot;_detailLevel&quot; = &quot;-1&quot;; &quot;_order&quot; = 3; }; &quot;device_address&quot; = { &quot;_detailLevel&quot; = 0; &quot;_order&quot; = 1; }; &quot;device_connected&quot; = { &quot;_detailLevel&quot; = &quot;-1&quot;; &quot;_order&quot; = 2; }; &quot;device_productID&quot; = { &quot;_detailLevel&quot; = 0; &quot;_order&quot; = 4; }; &quot;device_vendorID&quot; = { &quot;_detailLevel&quot; = 0; &quot;_order&quot; = 3; }; &quot;devices_list&quot; = { &quot;_detailLevel&quot; = &quot;-1&quot;; &quot;_order&quot; = 100; }; volumes = { &quot;_detailLevel&quot; = 0; }; }; &quot;_timeStamp&quot; = &quot;2022-03-23 18:02:47 +0000&quot;; &quot;_versionInfo&quot; = { &quot;com.apple.SystemProfiler.SPBluetoothReporter&quot; = 1; }; } </code></pre><p>Wow! First shot out right out of the box, and we got the data we needed! 
That is extremely promising.</p> <p>Okay, I recognize we just went through a lot of new concepts here, but essentially, this code is just doing the following:</p> <ol> <li> <p>Initializing a new instance of a class called <code>SPDocument</code>.</p> </li> <li> <p>Calling the method <code>reportForDataType:</code> with an <code>NSString</code> argument of <code>SPBluetoothDataType</code>.</p> </li> <li> <p>Logging the resultant <code>NSDictionary</code> to the screen via <code>NSLog</code>.</p> </li> </ol> <p>Because this is a private framework, we are doing the above to allow us to call the class and method in the library without explicitly linking it at compile time (which I couldn&rsquo;t get to work). Because we aren&rsquo;t linking against a real library, the compiler has no header to consult, so we must write the declaration of <code>SPDocument</code> and its <code>reportForDataType:</code> method ourselves. We do that using Objective-C syntax at the very top of the file.</p> <p>Now that we know the structure of the data we are dealing with, we can alter the program to look only at the last entry in the <code>NSArray</code> that lives at the <code>_items</code> key. From there, we only want to grab the data in <code>controller_properties</code>. 
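<p>Before narrowing the report, it is worth pinning down how the values in the <code>controller_properties</code> dictionary above become the column values our spec promises: <code>attrib_on</code>/<code>attrib_off</code> become 1/0, <code>controller_vendorID</code> keeps only its hex token, and <code>controller_supportedServices</code> loses its leading bitmask and becomes a comma-separated list. The following is an added example, not code from this post or from osquery, written in plain C++17 so it compiles without Apple&rsquo;s frameworks. It assumes the keys and values look exactly like the dump above (the sample is copied from it, as a constructed input) and that the <code>Row</code> alias matches osquery&rsquo;s, which is a <code>std::map</code> of strings.</p>

```cpp
// Added example (not from the blog post or osquery): normalising the
// controller_properties values SPDocument hands back into the column values
// promised by the bluetooth_info spec. Plain C++17 so it compiles anywhere;
// in the real .mm table these strings come out of an NSDictionary, and Row
// has the same shape as osquery::Row (INTEGER() there just stringifies).
#include <cctype>
#include <iostream>
#include <map>
#include <optional>
#include <sstream>
#include <string>

using Report = std::map<std::string, std::string>;  // controller_properties
using Row = std::map<std::string, std::string>;     // same shape as osquery's Row

// Constructed sample input, copied from the NSLog dump shown above.
const Report kSample = {
    {"controller_address", "B8:E6:0C:2E:A4:BB"},
    {"controller_chipset", "BCM_4387"},
    {"controller_discoverable", "attrib_off"},
    {"controller_firmwareVersion", "19.5.432.4739"},
    {"controller_productID", "0x0001"},
    {"controller_state", "attrib_on"},
    {"controller_supportedServices",
     "0x382039 < HFP AVRCP A2DP HID Braille AACP GATT Serial >"},
    {"controller_transport", "PCIe"},
    {"controller_vendorID", "0x004C (Apple)"},
};

// "attrib_on" -> 1, "attrib_off" -> 0. Anything else (including a missing key)
// yields nullopt so the column stays unset instead of silently reading as 0.
std::optional<int> attribToInt(const Report& r, const std::string& key) {
  auto it = r.find(key);
  if (it == r.end()) return std::nullopt;
  if (it->second == "attrib_on") return 1;
  if (it->second == "attrib_off") return 0;
  return std::nullopt;
}

// "0x004C (Apple)" -> "0x004C": keep only the leading hex token.
std::string vendorHex(const std::string& v) {
  return v.substr(0, v.find(' '));
}

// "0x382039 < HFP AVRCP ... Serial >" -> "HFP,AVRCP,...,Serial". The leading
// bitmask is dropped and the names between the angle brackets are joined with
// commas; input without the brackets yields an empty string.
std::string servicesCsv(const std::string& s) {
  auto open = s.find('<');
  auto close = s.rfind('>');
  if (open == std::string::npos || close == std::string::npos || close < open)
    return "";
  std::istringstream names(s.substr(open + 1, close - open - 1));
  std::string out, name;
  while (names >> name) {
    if (!out.empty()) out += ',';
    out += name;
  }
  return out;
}

// Six two-digit hex groups separated by colons, e.g. "B8:E6:0C:2E:A4:BB".
bool isMacAddress(const std::string& a) {
  if (a.size() != 17) return false;
  for (size_t i = 0; i < a.size(); ++i) {
    if (i % 3 == 2) {
      if (a[i] != ':') return false;
    } else if (!std::isxdigit(static_cast<unsigned char>(a[i]))) {
      return false;
    }
  }
  return true;
}

// Build the single row the table returns. Columns whose source value is
// absent or malformed are simply not set, which osquery renders as empty.
Row buildRow(const Report& props) {
  Row r;
  if (auto st = attribToInt(props, "controller_state")) r["state"] = std::to_string(*st);
  if (auto d = attribToInt(props, "controller_discoverable")) r["discoverable"] = std::to_string(*d);
  if (auto it = props.find("controller_address"); it != props.end() && isMacAddress(it->second))
    r["address"] = it->second;
  if (auto it = props.find("controller_vendorID"); it != props.end())
    r["vendor_id"] = vendorHex(it->second);
  if (auto it = props.find("controller_chipset"); it != props.end())
    r["chipset"] = it->second;
  if (auto it = props.find("controller_firmwareVersion"); it != props.end())
    r["firmware_version"] = it->second;
  if (auto it = props.find("controller_supportedServices"); it != props.end())
    r["supported_services"] = servicesCsv(it->second);
  return r;
}

int main() {
  for (const auto& [column, value] : buildRow(kSample))
    std::cout << column << " = " << value << '\n';
  return 0;
}
```

<p>Note what happens on a missing or unrecognised value: the column is left unset rather than reported as 0, so a query cannot mistake &ldquo;unknown&rdquo; for &ldquo;off&rdquo;. That matters for <code>discoverable</code> in particular, given the disagreement between <code>blueutil</code> and <code>system_profiler</code> noted earlier. The next step is to pull just <code>controller_properties</code> out of the report.</p>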
We can accomplish this with the following code&hellip;</p> <pre tabindex="0"><code class="language-objective_c" data-lang="objective_c"> NSDictionary* report = [[document reportForDataType:@&quot;SPBluetoothDataType&quot;] objectForKey:@&quot;_items&quot;] lastObject]; NSDictionary* data = [report objectForKey:@&quot;controller_properties&quot;]; </code></pre><p>Rerun it, and we should get a smaller subset of the data as shown below&hellip;</p> <pre tabindex="0"><code>2022-03-24 09:48:45.007 bluetooth[71205:210836] { &quot;controller_address&quot; = &quot;B8:E6:0C:2E:A4:BB&quot;; &quot;controller_chipset&quot; = &quot;BCM_4387&quot;; &quot;controller_discoverable&quot; = &quot;attrib_off&quot;; &quot;controller_firmwareVersion&quot; = &quot;19.5.432.4739&quot;; &quot;controller_productID&quot; = 0x0001; &quot;controller_state&quot; = &quot;attrib_on&quot;; &quot;controller_supportedServices&quot; = &quot;0x382039 &lt; HFP AVRCP A2DP HID Braille AACP GATT Serial &gt;&quot;; &quot;controller_transport&quot; = PCIe; &quot;controller_vendorID&quot; = &quot;0x004C (Apple)&quot;; } </code></pre><h3 id="dynamically-calling-a-private-api-safely">Dynamically calling a private API safely</h3> <p>You may be thinking, &ldquo;if shelling out isn&rsquo;t allowed in osquery, are we allowed to use private frameworks and APIs?&rdquo;</p> <p>The answer is a resounding yes. Most information that is interesting to security and IT practitioners isn&rsquo;t info that most developers need, and thus never makes it into a public API. If we couldn&rsquo;t use private APIs, much of the functionality that makes osquery valuable would be missing.</p> <p>Even better, the way we called that private API earlier – by loading it in at run-time and calling it dynamically – is the preferred way to implement it in the osquery project. Why? It helps make osquery extremely portable.</p> <p>On just Macs alone, osquery must run on a diverse set of macOS versions and architectures. 
If we want to link to a library or framework at compile-time, we have to be sure it will be available on every version of macOS that osquery supports. If we don&rsquo;t, osquery won&rsquo;t even start up!</p> <p>But in our simple program above, because we are loading a library dynamically, osquery will still run even if that library doesn&rsquo;t exist or is substantially different. Only our specific table will fail to run if either is the case. That&rsquo;s a much better outcome!</p> <p>We still need to be careful: a null class, an unknown selector, or a null return value dereferenced inside our table crashes the whole osquery process, not just the query. To be cautious, we must sanity check every step of the dynamic calling process. We also need to clean up any memory we allocate, because ARC knows nothing about the Core Foundation objects we create (the bundle URL and the bundle) or about the object handed back through <code>performSelector:</code>, so nothing will release them for us.</p> <p>Given the above, let&rsquo;s modify our program further to include these sanity checks. Here is the final result, annotated with comments to help you understand each new change.</p> <pre tabindex="0"><code class="language-objective_c" data-lang="objective_c"> // bluetooth.mm #import &lt;Foundation/Foundation.h&gt; #import &lt;AppKit/NSDocument.h&gt; // Declare the private SPDocument class and the method we need, since no // public header provides them. @interface SPDocument : NSDocument {} - (id)reportForDataType:(id)arg1; @end int main() { // BEWARE: Because of the dynamic nature of the calls in this function, we // must be careful to properly clean up the memory. Any future modifications // to this function should attempt to ensure there are no leaks. CFURLRef bundle_url = CFURLCreateWithFileSystemPath( kCFAllocatorDefault, CFSTR(&quot;/System/Library/PrivateFrameworks/SPSupport.framework&quot;), kCFURLPOSIXPathStyle, true); // Is the bundle URL itself faulty? if (bundle_url == nullptr) { NSLog(@&quot;Error parsing SPSupport bundle URL&quot;); return 0; } // Is there actually a bundle at that bundle_url? 
CFBundleRef bundle = CFBundleCreate(kCFAllocatorDefault, bundle_url); CFRelease(bundle_url); if (bundle == nullptr) { NSLog(@&quot;Error opening SPSupport bundle&quot;); return 0; } // Ok it seems safe to load! CFBundleLoadExecutable(bundle); // The compiler will complain about memory leaks. Since we are being // careful we can suppress that warning with the `pragmas` below. #pragma clang diagnostic push #pragma clang diagnostic ignored &quot;-Warc-performSelector-leaks&quot; // // the rest of this is the safe equivalent of `document = [SPDocument new]` // // Does the `SPDocument` class exist? id cls = NSClassFromString(@&quot;SPDocument&quot;); if (cls == nullptr) { NSLog(@&quot;Could not load SPDocument class&quot;); CFBundleUnloadExecutable(bundle); CFRelease(bundle); return 0; } // Does the `SPDocument` does it respond to the `new` method? SEL sel = @selector(new); if (![cls respondsToSelector:sel]) { NSLog(@&quot;SPDocument does not respond to new selector&quot;); CFBundleUnloadExecutable(bundle); CFRelease(bundle); return 0; } // Did calling `new` actually result in something being returned? id document = [cls performSelector:sel]; if (document == nullptr) { NSLog(@&quot;[SPDocument new] returned null&quot;); CFBundleUnloadExecutable(bundle); CFRelease(bundle); return 0; } // Let's undo the change to the compiler state we did earlier #pragma clang diagnostic pop // Okay let's proceed with the program as before and to remember to unload // the bundle and release it from memory NSDictionary* report = [[[document reportForDataType:@&quot;SPBluetoothDataType&quot;] objectForKey:@&quot;_items&quot;] lastObject]; NSDictionary* data = [report objectForKey:@&quot;controller_properties&quot;]; NSLog(@&quot;%@&quot;, data); // Release all the objects we owned that ARC has no knowledge of so we don't // leak memory. 
CFRelease((__bridge CFTypeRef)document); CFBundleUnloadExecutable(bundle); CFRelease(bundle); return 0; } </code></pre><p>If you compile and rerun this, the output should not have changed, but now we have a much safer approach to loading this private framework and running the private API inside it.</p> <h2 id="step-8-wire-it-all-together">Step 8: Wire it all together</h2> <p>In step seven, we ended up with a simple program that gives us some output we want. Let&rsquo;s incorporate this code into our osquery implementation source code file and, in the process, clean it up.</p> <p>Merging this code with our earlier mock table implementation (and also removing the instructive comments) gives us the following:</p> <pre tabindex="0"><code class="language-objective_c" data-lang="objective_c">// osquery/tables/system/darwin/bluetooth_info.mm /** * Copyright (c) 2014-present, The osquery authors * * This source code is licensed as defined by the LICENSE file found in the * root directory of this source tree. * * SPDX-License-Identifier: (Apache-2.0 OR GPL-2.0-only) */ #import &lt;Foundation/Foundation.h&gt; #import &lt;AppKit/NSDocument.h&gt; #include &lt;osquery/core/tables.h&gt; @interface SPDocument : NSDocument {} - (id)reportForDataType:(id)arg1; @end namespace osquery { namespace tables { QueryData genBluetoothInfo(QueryContext &amp;context) { Row r; QueryData results; // BEWARE: Because of the dynamic nature of the calls in this function, we // must be careful to properly clean up the memory. Any future modifications // to this function should attempt to ensure there are no leaks. 
CFURLRef bundle_url = CFURLCreateWithFileSystemPath( kCFAllocatorDefault, CFSTR(&quot;/System/Library/PrivateFrameworks/SPSupport.framework&quot;), kCFURLPOSIXPathStyle, true); if (bundle_url == nullptr) { NSLog(@&quot;Error parsing SPSupport bundle URL&quot;); return results; } CFBundleRef bundle = CFBundleCreate(kCFAllocatorDefault, bundle_url); CFRelease(bundle_url); if (bundle == nullptr) { NSLog(@&quot;Error opening SPSupport bundle&quot;); return results; } CFBundleLoadExecutable(bundle); #pragma clang diagnostic push #pragma clang diagnostic ignored &quot;-Warc-performSelector-leaks&quot; id cls = NSClassFromString(@&quot;SPDocument&quot;); if (cls == nullptr) { NSLog(@&quot;Could not load SPDocument class&quot;); CFBundleUnloadExecutable(bundle); CFRelease(bundle); return results; } SEL sel = @selector(new); if (![cls respondsToSelector:sel]) { NSLog(@&quot;SPDocument does not respond to new selector&quot;); CFBundleUnloadExecutable(bundle); CFRelease(bundle); return results; } id document = [cls performSelector:sel]; if (document == nullptr) { NSLog(@&quot;[SPDocument new] returned null&quot;); CFBundleUnloadExecutable(bundle); CFRelease(bundle); return results; } NSDictionary* report = [[[document reportForDataType:@&quot;SPBluetoothDataType&quot;] objectForKey:@&quot;_items&quot;] lastObject]; NSDictionary* data = [report objectForKey:@&quot;controller_properties&quot;]; #pragma clang diagnostic pop NSLog(@&quot;%@&quot;, data); CFRelease((__bridge CFTypeRef)document); CFBundleUnloadExecutable(bundle); CFRelease(bundle); r[&quot;state&quot;] = INTEGER(1); r[&quot;discoverable&quot;] = INTEGER(0); r[&quot;chipset&quot;] = TEXT(&quot;THX-1138&quot;); results.push_back(r); return results; } } // namespace tables } // namespace osquery </code></pre><p>The most significant material change is that since we are now in a function that returns <code>QueryData</code>, we have to update our early returns to <code>return results</code> instead of <code>0</code>.</p> 
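<p>The three clean-up calls repeated at every early return above are the part of this code most likely to rot: the next person who adds a step in the middle can easily forget one of them. The following is an added example, not code from this post or from osquery, showing the same acquire-then-release sequence driven by a scope guard that runs the releases in reverse order on every exit path. The <code>CleanupStack</code> class, the <code>loadAndQuery</code>, <code>balanced</code>, <code>run</code>, <code>contains</code> and <code>last</code> functions and the event names are all made up for the example, and the Core Foundation and Objective-C calls are replaced by stand-ins that record what they would have done, so it compiles and runs on any platform; <code>fail_at</code> picks which step returns a null handle.</p>

```cpp
// Added example (not code from the post or from osquery): a scope guard that
// stacks cleanup steps and runs them in reverse order on every exit path, so
// the URL -> bundle -> load -> class -> [SPDocument new] sequence cannot leak
// a handle on an early return. The CF/ObjC calls are replaced by stand-ins
// that record events, so this compiles and runs on any platform.
#include <algorithm>
#include <functional>
#include <string>
#include <utility>
#include <vector>

using Events = std::vector<std::string>;

// Runs each registered step last-in first-out when it goes out of scope.
// Non-copyable, so a guard can never run its steps twice.
class CleanupStack {
 public:
  CleanupStack() = default;
  CleanupStack(const CleanupStack&) = delete;
  CleanupStack& operator=(const CleanupStack&) = delete;
  ~CleanupStack() {
    for (auto it = steps_.rbegin(); it != steps_.rend(); ++it) (*it)();
  }
  void push(std::function<void()> step) { steps_.push_back(std::move(step)); }

 private:
  std::vector<std::function<void()>> steps_;
};

// Simulated loading dance. `fail_at` selects which step returns a null handle
// (0 = none), mirroring the sanity checks in the table above. Every acquire
// and release is appended to `ev` so the caller can audit the order.
bool loadAndQuery(int fail_at, Events& ev) {
  CleanupStack cleanup;

  // Step 1: CFURLCreateWithFileSystemPath (nothing acquired yet on failure)
  if (fail_at == 1) { ev.push_back("url:null"); return false; }
  ev.push_back("url:create");

  // Step 2: CFBundleCreate. The URL is released straight afterwards whether
  // or not the bundle was created, exactly as the table does.
  const bool bundle_ok = (fail_at != 2);
  ev.push_back(bundle_ok ? "bundle:create" : "bundle:null");
  ev.push_back("url:release");
  if (!bundle_ok) return false;
  cleanup.push([&ev] { ev.push_back("bundle:release"); });   // CFRelease(bundle)

  // Step 3: CFBundleLoadExecutable. The table ignores its Boolean result; the
  // stand-in treats a failed load as an error like every other step.
  if (fail_at == 3) { ev.push_back("bundle:loadfail"); return false; }
  ev.push_back("bundle:load");
  cleanup.push([&ev] { ev.push_back("bundle:unload"); });    // CFBundleUnloadExecutable

  // Step 4: NSClassFromString + respondsToSelector (nothing to release)
  if (fail_at == 4) { ev.push_back("class:null"); return false; }
  ev.push_back("class:lookup");

  // Step 5: [SPDocument new] through performSelector returns a +1 object that
  // ARC does not track, so it needs an explicit release as well.
  if (fail_at == 5) { ev.push_back("document:null"); return false; }
  ev.push_back("document:new");
  cleanup.push([&ev] { ev.push_back("document:release"); }); // CFRelease(document)

  ev.push_back("query");  // reportForDataType: and the column extraction go here
  return true;            // guard unwinds: document, unload, bundle
}

// True when every acquire has exactly one matching release that occurs after
// it, which is the property the osquery leaks check verifies at run time.
bool balanced(const Events& ev) {
  const std::vector<std::pair<std::string, std::string>> pairs = {
      {"url:create", "url:release"},
      {"bundle:create", "bundle:release"},
      {"bundle:load", "bundle:unload"},
      {"document:new", "document:release"},
  };
  for (const auto& p : pairs) {
    const auto acquired = std::find(ev.begin(), ev.end(), p.first);
    const auto releases = std::count(ev.begin(), ev.end(), p.second);
    if (acquired == ev.end()) {
      if (releases != 0) return false;  // release without an acquire
      continue;
    }
    if (releases != 1) return false;    // leaked or double-released
    if (std::find(acquired, ev.end(), p.second) == ev.end()) return false;
  }
  return true;
}

// Helpers for exercising each failure path.
Events run(int fail_at) {
  Events ev;
  loadAndQuery(fail_at, ev);
  return ev;
}
bool contains(const Events& ev, const std::string& name) {
  return std::find(ev.begin(), ev.end(), name) != ev.end();
}
std::string last(const Events& ev) { return ev.empty() ? std::string() : ev.back(); }
```

<p>Calling <code>run()</code> with <code>fail_at</code> from 0 to 5 yields an event list for which <code>balanced()</code> is true on every path, and the successful path ends with <code>document:release</code>, <code>bundle:unload</code>, <code>bundle:release</code> in that order. In the real table the lambdas would hold <code>CFRelease(bundle)</code>, <code>CFBundleUnloadExecutable(bundle)</code> and <code>CFRelease((__bridge CFTypeRef)document)</code>; ARC-managed objects need no entry at all.</p>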
<p>To get our data out, we need to pull the fields we want from the dictionary and put them into the final result set. This block goes after we fetch <code>data</code> and before the release calls, since the <code>NSString</code> values must be copied into the row while <code>document</code> is still alive.</p> <pre tabindex="0"><code class="language-objective_c" data-lang="objective_c">// if the data we asked for is not populated, clean up and don't proceed further
if (data == nullptr) {
  CFRelease((__bridge CFTypeRef)document);
  CFBundleUnloadExecutable(bundle);
  CFRelease(bundle);
  return results;
}

NSString* state = [data objectForKey:@&quot;controller_state&quot;];
NSString* discoverable = [data objectForKey:@&quot;controller_discoverable&quot;];
NSString* address = [data objectForKey:@&quot;controller_address&quot;];
NSString* chipset = [data objectForKey:@&quot;controller_chipset&quot;];
NSString* vendorId = [data objectForKey:@&quot;controller_vendorID&quot;];
NSString* firmwareVersion = [data objectForKey:@&quot;controller_firmwareVersion&quot;];
NSString* supportedServices = [data objectForKey:@&quot;controller_supportedServices&quot;];

// attrib_on / attrib_off become the 1 / 0 our INTEGER columns promise
if (state) {
  if ([state isEqualToString:@&quot;attrib_on&quot;]) {
    r[&quot;state&quot;] = INTEGER(1);
  } else {
    r[&quot;state&quot;] = INTEGER(0);
  }
}
if (discoverable) {
  if ([discoverable isEqualToString:@&quot;attrib_on&quot;]) {
    r[&quot;discoverable&quot;] = INTEGER(1);
  } else {
    r[&quot;discoverable&quot;] = INTEGER(0);
  }
}

// string columns are copied out as UTF-8; missing keys leave the column empty
if (address) {
  r[&quot;address&quot;] = [address UTF8String];
}
if (chipset) {
  r[&quot;chipset&quot;] = [chipset UTF8String];
}
if (vendorId) {
  r[&quot;vendor_id&quot;] = [vendorId UTF8String];
}
if (firmwareVersion) {
  r[&quot;firmware_version&quot;] = [firmwareVersion UTF8String];
}
if (supportedServices) {
  r[&quot;supported_services&quot;] = [supportedServices UTF8String];
}
</code></pre><p>Here, we are simply pulling the values out of the dictionary and, if they exist, assigning them to the correct column. In the case of the integer-style columns we created, a simple <code>if</code> statement with a string comparison converts the API&rsquo;s <code>attrib_on</code>/<code>attrib_off</code> response into the desired <code>1</code> or <code>0</code> output.</p> <p>Adding this in and compiling again, I get the following output:</p> <pre tabindex="0"><code>osquery&gt; select * from bluetooth_info;
+-------+--------------+-------------------+----------------+----------+------------------+----------------------------------------------------------+
| state | discoverable | address           | vendor_id      | chipset  | firmware_version | supported_services                                       |
+-------+--------------+-------------------+----------------+----------+------------------+----------------------------------------------------------+
| 1     | 1            | BC:D0:74:48:DD:2D | 0x004C (Apple) | BCM_4387 | v424             | 0x382039 &lt; HFP AVRCP A2DP HID Braille AACP GATT Serial &gt; |
+-------+--------------+-------------------+----------------+----------+------------------+----------------------------------------------------------+
</code></pre><p>🎉🎉🎉 WE DID IT! OUR TABLE HAS REAL DATA IN IT! 🎉🎉🎉</p> <h3 id="cleaning-up">Cleaning up</h3> <p>Before we move on to testing, let&rsquo;s clean up the code slightly.</p> <p>First, instead of using <code>NSLog</code> to report run-time errors, let&rsquo;s use osquery&rsquo;s built-in logging facility so those messages land in the osquery logs. Simply replace <code>NSLog(@&quot;message&quot;)</code> with <code>LOG(INFO) &lt;&lt; &quot;message&quot;</code>. We also need to include the logger header, <code>osquery/logger/logger.h</code>, at the top of the file. Finally, we should remove the debug <code>NSLog</code> of the whole dictionary from earlier.</p> <p>Beyond the logging, there is one more change we can make. We are repeating the same two clean-up lines every time one of our dynamic-loading sanity checks fails. It would be nice to distill that down to a local <code>cleanup()</code> lambda. 
We can reassign it later, once the cleanup routine has more steps (that is, once we also own <code>document</code>).</p> <h3 id="the-final-source-code">The final source code</h3> <p>Considering all of our cleanup work, we have the following final file:</p> <pre tabindex="0"><code class="language-objective_c" data-lang="objective_c">// osquery/tables/system/darwin/bluetooth_info.mm
/**
 * Copyright (c) 2014-present, The osquery authors
 *
 * This source code is licensed as defined by the LICENSE file found in the
 * root directory of this source tree.
 *
 * SPDX-License-Identifier: (Apache-2.0 OR GPL-2.0-only)
 */

#import &lt;AppKit/NSDocument.h&gt;
#import &lt;Foundation/Foundation.h&gt;

#include &lt;functional&gt;

#include &lt;osquery/core/tables.h&gt;
#include &lt;osquery/logger/logger.h&gt;

@interface SPDocument : NSDocument {
}
- (id)reportForDataType:(id)arg1;
@end

namespace osquery {
namespace tables {

QueryData genBluetoothInfo(QueryContext&amp; context) {
  QueryData results;
  Row r;

  // BEWARE: Because of the dynamic nature of the calls in this function, we
  // must be careful to properly clean up the memory. Any future modifications
  // to this function should attempt to ensure there are no leaks.
  CFURLRef bundle_url = CFURLCreateWithFileSystemPath(
      kCFAllocatorDefault,
      CFSTR(&quot;/System/Library/PrivateFrameworks/SPSupport.framework&quot;),
      kCFURLPOSIXPathStyle,
      true);
  if (bundle_url == nullptr) {
    LOG(INFO) &lt;&lt; &quot;Error parsing SPSupport bundle URL&quot;;
    return results;
  }

  CFBundleRef bundle = CFBundleCreate(kCFAllocatorDefault, bundle_url);
  CFRelease(bundle_url);
  if (bundle == nullptr) {
    LOG(INFO) &lt;&lt; &quot;Error opening SPSupport bundle&quot;;
    return results;
  }
  CFBundleLoadExecutable(bundle);

  // Releases everything acquired so far; reassigned once we also own `document`.
  std::function&lt;void()&gt; cleanup = [&amp;]() {
    CFBundleUnloadExecutable(bundle);
    CFRelease(bundle);
  };

#pragma clang diagnostic push
#pragma clang diagnostic ignored &quot;-Warc-performSelector-leaks&quot;
  id cls = NSClassFromString(@&quot;SPDocument&quot;);
  if (cls == nullptr) {
    LOG(INFO) &lt;&lt; &quot;Could not load SPDocument class&quot;;
    cleanup();
    return results;
  }

  SEL sel = @selector(new);
  if (![cls respondsToSelector:sel]) {
    LOG(INFO) &lt;&lt; &quot;SPDocument does not respond to new selector&quot;;
    cleanup();
    return results;
  }

  id document = [cls performSelector:sel];
  if (document == nullptr) {
    LOG(INFO) &lt;&lt; &quot;[SPDocument new] returned null&quot;;
    cleanup();
    return results;
  }
#pragma clang diagnostic pop

  // From here on every exit must also release the +1 `document` object.
  cleanup = [&amp;]() {
    CFRelease((__bridge CFTypeRef)document);
    CFBundleUnloadExecutable(bundle);
    CFRelease(bundle);
  };

  NSDictionary* report = [[[document reportForDataType:@&quot;SPBluetoothDataType&quot;] objectForKey:@&quot;_items&quot;] lastObject];
  NSDictionary* data = [report objectForKey:@&quot;controller_properties&quot;];
  if (data == nullptr) {
    cleanup();
    return results;
  }

  NSString* state = [data objectForKey:@&quot;controller_state&quot;];
  NSString* discoverable = [data objectForKey:@&quot;controller_discoverable&quot;];
  NSString* address = [data objectForKey:@&quot;controller_address&quot;];
  NSString* chipset = [data objectForKey:@&quot;controller_chipset&quot;];
  NSString* vendorId = [data objectForKey:@&quot;controller_vendorID&quot;];
  NSString* firmwareVersion = [data objectForKey:@&quot;controller_firmwareVersion&quot;];
  NSString* supportedServices = [data objectForKey:@&quot;controller_supportedServices&quot;];

  if (state) {
    if ([state isEqualToString:@&quot;attrib_on&quot;]) {
      r[&quot;state&quot;] = INTEGER(1);
    } else {
      r[&quot;state&quot;] = INTEGER(0);
    }
  }
  if (discoverable) {
    if ([discoverable isEqualToString:@&quot;attrib_on&quot;]) {
      r[&quot;discoverable&quot;] = INTEGER(1);
    } else {
      r[&quot;discoverable&quot;] = INTEGER(0);
    }
  }
  if (address) {
    r[&quot;address&quot;] = [address UTF8String];
  }
  if (chipset) {
    r[&quot;chipset&quot;] = [chipset UTF8String];
  }
  if (vendorId) {
    r[&quot;vendor_id&quot;] = [vendorId UTF8String];
  }
  if (firmwareVersion) {
    r[&quot;firmware_version&quot;] = [firmwareVersion UTF8String];
  }
  if (supportedServices) {
    r[&quot;supported_services&quot;] = [supportedServices UTF8String];
  }

  cleanup();
  results.push_back(r);
  return results;
}

} // namespace tables
} // namespace osquery
</code></pre><h2 id="step-9-test-your-table">Step 9: Test your table</h2> <p>&ldquo;Well, it ran on my machine&rdquo; is not a phrase you want to be sheepishly uttering to the osquery core team when it becomes clear the table doesn&rsquo;t work across most of the millions of devices that run osquery.</p> <p>To gain confidence in our table, we must test it. My approach is to do two types of testing: automated integration testing and obsessive manual verification.</p> <h3 id="basic-integration-tests">Basic integration tests</h3> <p>Programmatically testing osquery tables is pretty tough. Most integration tests in the repo run a basic version of the query and validate that the data returned matches the data types you expect. 
The file below implements that basic testing strategy.</p> <p>You will also need to add the file to <code>tests/integration/tables/CMakeLists.txt</code> before compilation.</p> <pre tabindex="0"><code class="language-objective_c" data-lang="objective_c">// tests/integration/tables/bluetooth_info.cpp
/**
 * Copyright (c) 2014-present, The osquery authors
 *
 * This source code is licensed as defined by the LICENSE file found in the
 * root directory of this source tree.
 *
 * SPDX-License-Identifier: (Apache-2.0 OR GPL-2.0-only)
 */

// Sanity check integration test for bluetooth_info
// Spec file: specs/darwin/bluetooth_info.table

#include &lt;osquery/tests/integration/tables/helper.h&gt;

namespace osquery {
namespace table_tests {

class bluetoothInfo : public testing::Test {
 protected:
  void SetUp() override {
    setUpEnvironment();
  }
};

TEST_F(bluetoothInfo, test_sanity) {
  auto const data = execute_query(&quot;select * from bluetooth_info&quot;);
  ASSERT_EQ(data.size(), 1ul);
  ValidationMap row_map = {
      {&quot;state&quot;, IntType},
      {&quot;discoverable&quot;, IntType},
      {&quot;address&quot;, NormalType},
      {&quot;vendor_id&quot;, NormalType},
      {&quot;chipset&quot;, NormalType},
      {&quot;firmware_version&quot;, NormalType},
      {&quot;supported_services&quot;, NormalType},
  };
  validate_rows(data, row_map);
}

} // namespace table_tests
} // namespace osquery
</code></pre><p>Note that the test asserts on exactly one row, so it will fail on a machine where the table returns nothing (the <code>data == nullptr</code> path); expect that when running the suite in a VM without a Bluetooth controller.</p> <p>To run the tests (and all the other tests in the repo), run <code>cmake --build . --target test</code>. You should get output like the following.</p> <pre tabindex="0"><code>80/82 Test #80: tools_tests_testosqueryd .............................................. Passed 26.67 sec
      Start 81: tools_tests_testosqueryi
81/82 Test #81: tools_tests_testosqueryi .............................................. Passed 11.62 sec
      Start 82: tests_integration_tables-test
82/82 Test #82: tests_integration_tables-test ......................................... Passed 12.70 sec

100% tests passed, 0 tests failed out of 82

Total Test time (real) = 120.39 sec
</code></pre><h3 id="manual-verification">Manual verification</h3> <p>The key to ensuring your table works well is to compile it and run it on various Mac hardware and operating systems. Generally, I take the following approach when deciding what to look for:</p> <ol> <li> <p>What happens when I add a third-party Bluetooth radio to the Mac (like a USB dongle)?</p> </li> <li> <p>What happens when I run it on a macOS VM running the latest OS?</p> </li> <li> <p>What happens when I run it on Apple Silicon on macOS 11 - macOS 12?</p> </li> <li> <p>What happens when I run it on an Intel-based Mac running macOS 10.9 - 12?</p> </li> <li> <p>Any differences between a laptop vs. a desktop (like an iMac)?</p> </li> </ol> <p>In our case, I am leaving the above exercise to the reader. Still, the testing logistics are simply compiling the project for the correct architecture, zipping up the binary, sending it to the device, and running the same query there.</p> <p>I can&rsquo;t tell you how many times I&rsquo;ve had to go back to the drawing board after learning a crucial fact during this testing process. 
You should not skip it!</p> <h2 id="step-10-submit-a-pr-to-the-osquery-team">Step 10: Submit a PR to the osquery team</h2> <p>Okay, so while we may believe our table is the pinnacle of software engineering, it&rsquo;s time for the experts to weigh in.</p> <p>While we won&rsquo;t actually submit this table to the team, I&rsquo;ll walk you through the process I would typically go through.</p> <p>Much of what I am about to go through here can be found in the excellent <code>CONTRIBUTING.md</code> document <a href="https://github.com/osquery/osquery/blob/master/CONTRIBUTING.md">in the osquery GitHub repository</a>.</p> <h3 id="check-for-memory-leaks-code-errors-and-formatting">Check for memory leaks, code errors, and formatting</h3> <p>Before you submit your pull request (PR), you will want to run a bunch of automated tooling to verify you haven&rsquo;t introduced memory leaks and security issues into the codebase. Getting these done before you submit a PR is an excellent signal to the team that you&rsquo;ve read their contribution guide, and that you are going to be respectful of the overall process.</p> <h4 id="do-a-leaks-check">Do a leaks check</h4> <p>For our table, this will be the most important check. We can run the check just for our table directly out of the build folder, by typing:</p> <pre tabindex="0"><code>../tools/analysis/profile.py --leaks --shell ./osquery/osqueryi --query &quot;select * from bluetooth_info;&quot;
</code></pre><p>If you didn&rsquo;t make any changes to the source code above, you should get the following confirmation:</p> <pre tabindex="0"><code>Analyzing leaks in query: select * from bluetooth_info;
definitely: 0 leaks for 0 total leaked bytes.
</code></pre><p>Bear in mind that this only exercises the code path your machine actually takes. The early-return paths are exactly where leaks hide, which is why each of them releases everything acquired up to that point.</p> <h3 id="fix-your-code-formatting">Fix your code formatting</h3> <p>One other thing you should do is make sure your code is formatted the way the osquery team prefers. Luckily, we can do this automatically. To auto-format your code, first stage your changes with <code>git add ..</code> (that is, the parent directory, assuming you are in the <code>build/</code> folder). From there, you can run <code>cmake --build . --target format</code>. If there were some formatting changes, you&rsquo;d see something like the following:</p> <pre tabindex="0"><code>changed files:
    tests/integration/tables/bluetooth_info.cpp
</code></pre><p>Re-add any files the formatter touched, commit, and push the result to your public fork so you can submit your contribution as a GitHub pull request.</p> <h3 id="write-a-great-pull-request">Write a great pull request</h3> <p>Writing a great PR in GitHub could be a whole blog post. For osquery virtual table contributions specifically, I like to adhere to a structure that consists of three distinct sections:</p> <h3 id="section-1-what-is-this-change">Section 1: What is this change?</h3> <p>In this section, I like to cover the table&rsquo;s name, briefly describe what it does, and provide a sample output. For this PR, I might write something like:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-markdown" data-lang="markdown"> This PR implements a new Virtual Table called <span class="sb">`bluetooth_info`</span> which reports the state and discoverability of the Bluetooth radio built into a Mac, along with high-level information about it. Here is the example output of the table on my local machine, a MacBook Pro... </code></pre></div><p>Ensure you include relevant examples from at least your device and other devices you may have tested. The more detailed this is, the more confidence others will have in approving and merging your PR.</p> <h3 id="section-2-implementation-information">Section 2: Implementation information</h3> <p>Here, I like to call out at a high level how I gathered the information, so the context is available to the reviewer before they look at any code. 
If you ran the leaks test earlier, call that out here.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-markdown" data-lang="markdown"> To create this table, I disassembled the system_profiler binary. After analyzing the executable, it appeared that the binary simply includes <span class="sb">`&lt;SPSupport/SPDocument.h&gt;`</span> (a private macOS framework) and calls the reportForDataType method with SPBluetoothDataType as the sole argument. This PR dynamically loads the <span class="sb">`SPSupport`</span> private framework so that it can obtain the information the same way the <span class="sb">`system_profiler`</span> tool currently collects the data. I also checked for leaks and am happy to report this implementation appears to be leak-free. Before discovering the system_profiler approach, I also investigated the IOBluetooth framework. I found that while it had private APIs that could provide similar information, the data these APIs were returning seemed unreliable and the framework itself seemed heavily deprecated, so I quickly abandoned this approach. </code></pre></div><p>The goal here is to head off any &ldquo;what if you did this?&rdquo; style questions at the pass. You want to leave the team with the accurate impression that you thought about this from multiple angles and didn&rsquo;t just settle on the first viable thing that worked.</p> <h3 id="section-3-concernsconsiderations">Section 3: Concerns/considerations</h3> <p>This section will discuss anything you may be worried about in this PR that you didn&rsquo;t have a chance to test earlier. You may also want to talk about any privacy concerns.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-markdown" data-lang="markdown"> I could use some help verifying this consistently returns data from the correct Bluetooth device in situations where a user may also have a Bluetooth radio dongle plugged in via USB. 
If anyone has one of those lying around and wants to test my table, let me know, and I&#39;d be happy to send you a pre-compiled binary (or you can use the binaries compiled by the build process in this PR). While the SPSupport approach allowed me also to enumerate paired devices, I felt that this was not worth it. Listing devices could be a potential privacy issue for end-users. It reveals the name of personal objects in their vicinity and could be used to track a user&#39;s movements or precise geolocation. </code></pre></div><h3 id="how-to-be-a-great-reviewee">How to be a great reviewee</h3> <p>There are a couple of things to keep in mind while waiting for a review that will improve your chances:</p> <ol> <li> <p><strong>Be responsive.</strong> When folks come in with questions or suggestions, it&rsquo;s in your best interest to swiftly take action by responding and updating your code accordingly. The more responsive you are, the more likely your reviewer will be motivated to continue helping you get your PR across the finish line.</p> </li> <li> <p><strong>Be nice.</strong> It is easy to slip into a defensive mindset when something you worked hard on is being scrutinized critically by others. If someone doesn&rsquo;t like the approach, do your best to understand the path forward to getting your PR mergeable. The maintainers try very hard to create a great experience for new contributors.</p> </li> <li> <p><strong>Be patient.</strong> Sometimes people are busy, and you may not get your review right away. Pinging specific reviewers on GitHub or Slack isn&rsquo;t always a good idea. Instead, look for opportunities to get help testing your table so you can further improve it while you wait for a review. 
If there isn&rsquo;t any natural movement for several weeks, try bringing it up respectfully in the <code>#code-review</code> channel on the <a href="https://osquery.slack.com/join/shared_invite/zt-1wi6cdgf7-zR2wt7FZ0ClHj6tEym6KFQ#/shared-invite/email">osquery Slack</a>. Respectful pings there are encouraged.</p> </li> </ol> <p><strong>Sign the Contributor License Agreement (CLA).</strong> When you first submit a PR, a bot will automatically flag it if you haven&rsquo;t signed osquery&rsquo;s CLA. Take care of that right away so reviewers know their effort looking at the PR won&rsquo;t be wasted on a last-minute licensing concern.</p> <h2 id="additional-resources">Additional Resources</h2> <p>Check out the following helpful resources you can use to continue your osquery table development journey:</p> <ul> <li> <p>The <a href="https://osquery.readthedocs.io/en/stable/development/creating-tables/">osquery documentation</a> has an excellent write-up for new developers looking to contribute tables.</p> </li> <li> <p><a href="https://github.com/osquery/osquery">The osquery GitHub repo</a> contains everything you need to learn by example. Just find the .cpp file that implements your favorite table and work backward from there!</p> </li> <li> <p><a href="https://osquery.slack.com/join/shared_invite/zt-1wi6cdgf7-zR2wt7FZ0ClHj6tEym6KFQ#/shared-invite/email">The osquery community Slack</a> is chock full of people who can help you develop your next table. 
Don&rsquo;t be scared to reach out for help if you get stuck!</p> </li> </ul> <hr> <p><a href="https://1password.com/dev-subscribe/">If you&rsquo;d like to read more content like this, sign up for our developer newsletter!</a></p></description></item><item><title>How we augmented our design values with UX principles</title><link>https://blog.1password.com/design-values-ux-prinicples/</link><pubDate>Thu, 15 Aug 2024 00:00:00 +0000</pubDate><author>info@1password.com (Ryan Bigge)</author><guid>https://blog.1password.com/design-values-ux-prinicples/</guid><description> <img src='https://blog.1password.com/posts/2024/design-values-ux-principles/header.png' class='webfeedsFeaturedVisual' alt='How we augmented our design values with UX principles' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">If you work on a small team, designing by vibes (also known as intuition-based design) might feel like a natural and convenient way to get things done. The rules of design are understood, even if they’re often unspoken, and there’s no pesky documentation to get in the way.</p> <p>But as your design team grows it can be very difficult to design by intuition alone. The vibe starts to fracture, and people start to produce work that looks and feels quite different. When you don&rsquo;t have a shared language to pull from, your meetings get much longer or you create a very inconsistent product experience. In some cases, both. Which is frustrating for the design team and their customers.</p> <h2 id="vibes-dont-scale">Vibes don’t scale</h2> <p>To be clear, intuition is and can be a very useful tool. But when it comes to design, intuition alone isn’t enough to make good decisions. Gut feel should be a signal, but you also need to make sure you have a repeatable approach. 
Otherwise it’s hard to take the decisions you made in one project and apply it to other products and features.</p> <p>In other words, vibes don’t scale.</p> <p>Design by vibes can also make your team vulnerable to bias and stereotypes. It’s too easy to exclude entire groups of people who don’t appear in the sweep of your vibes radar.</p> <p>So what do you do instead? How about some good ol’ fashioned design principles?</p> <h2 id="the-principle-of-the-matter">The principle of the matter</h2> <p>I have anticipated your first objection: design principles are imperfect. A quick browse through Medium or LinkedIn will reveal that not everyone loves UX principles. The common complaint is they’re easy to ignore and hard to interpret.</p> <p>You can also find a similar set of articles explaining why personas are a bad idea. Yet principles and personas remain quite useful when deployed correctly. Every design thinking tool has limitations, but that doesn&rsquo;t mean you can’t use them. You just have to minimize their specific weaknesses.</p> <p>Speaking of which, the motivation to create new UX principles at 1Password was inspired, in part, by the need to augment our existing design values. We didn’t refer to those values as often as we should and they were open to multiple (and sometimes conflicting) interpretations.</p> <p>In her <a href="https://www.smashingmagazine.com/design-systems-book/">book about design systems</a>, Alla Kholmatova argues that: “Good principles don&rsquo;t try to be everything for everyone. 
They have a voice and actively encourage a designer to take a perspective.”</p> <p>She also believes that principles should be:</p> <ul> <li>Authentic</li> <li>Actionable</li> <li>Opinionated</li> <li>Memorable</li> </ul> <p>As you have probably figured out, this list was a great starting point for our design team’s new principles.</p> <h2 id="developing-new-principles">Developing new principles</h2> <p>Work began in September of last year at a team-wide offsite. In a workshop led by then-content design manager Kate Wilhelm, our design and research team were asked to apply design principles from other companies to a handful of 1Password mockups. This “gateway drug” approach allowed the team to discuss the value of UX principles and see what it felt like to apply them to our own work.</p> <p>After that, a UX principles working group was formed. The group brainstormed, frameworked, clustered digital sticky notes, and gathered feedback from design leads. There were debates about what the principles should and should not do. There were debates about aspirational versus realistic principles. There was even a late stage request for a fifth principle from Steve Won, our Chief Product Officer.</p> <img src="https://blog.1password.com/posts/2024/design-values-ux-principles/ux-principles-figjam.png" alt="A Figjam board a collection of digital sticky notes under the columns &#39;What we need to be successful&#39;, &#39;How we work&#39; and &#39;What we make&#39;." title="A Figjam board a collection of digital sticky notes under the columns &#39;What we need to be successful&#39;, &#39;How we work&#39; and &#39;What we make&#39;." class="c-featured-image"/> <p>Rapid prototyping with words was a critical part of the process. Boiling down complex ideas into three or four word “t-shirt slogans” wasn’t easy – I brainstormed at least 30 different options for our inclusive design and accessibility principle. 
But by early February 2024 the principles were complete.</p> <h2 id="the-final-five">The final five</h2> <p>And now, the moment you’ve been waiting for! Our new UX principles:</p> <ol> <li><strong>Embrace the problem.</strong> We clearly identify the user problem that needs to be solved and keep it close to our hearts.</li> <li><strong>Advocate for accessibility.</strong> Every day we learn a little bit more about accessibility and apply that knowledge to our product work, aiming for progress over perfection.</li> <li><strong>Build for beginners.</strong> We make it easy for people new to 1Password to reach their goals, which also improves the experience for power users.</li> <li><strong>Connect the dots.</strong> From onboarding to error messages and from desktop to mobile, we make sure users have a seamless experience.</li> <li><strong>Iterate until it&rsquo;s great.</strong> We explore multiple possible solutions and evaluate them together with cross-functional partners.</li> </ol> <p>These UX principles provide a shared language and rationale across the team to help us agree and focus on key UX priorities. They are our non-negotiables, and represent the floor but definitely not the ceiling for how we work. Finally, the new principles can be applied and assessed in a clear and unambiguous manner. And, as a fantastic bonus, our new principles look amazing, thanks to our all-star illustrator Joanna Nowak.</p> <img src="https://blog.1password.com/posts/2024/design-values-ux-principles/ux-principles-illustrations.png" alt="Five colorful characters that convey the following principles: Embrace the problem, advocate for accessibility, connect the dots, and iterate until it&#39;s great." title="Five colorful characters that convey the following principles: Embrace the problem, advocate for accessibility, connect the dots, and iterate until it&#39;s great." 
class="c-featured-image"/> <h2 id="launch-and-learn">Launch and learn</h2> <p>Our design and research team has grown a lot recently, so we’ve had to figure out new ways to stay connected and informed. For the past few months we’ve met every Monday for an hour. Sometimes we provide a quick update on our projects, speed dating style. Other times we learn a new skill. In mid-May, our Chief Experience Officer Matt Davey and I shared the new UX principles with the team.</p> <p>To let everyone know we meant business, I wore a homemade t-shirt with our five new UX mascots.</p> <p>After the big reveal we divided up into five groups. Each group was given one principle and a realistic scenario designed to put the new principle through its paces.</p> <img src="https://blog.1password.com/posts/2024/design-values-ux-principles/ux-principle-exercise.png" alt="A Figjam board explaining a group exercise around the principle &#39;Build for Beginners&#39;. Participants are asked to think about a scenario where Watchtower is expanded to include more categories." title="A Figjam board explaining a group exercise around the principle &#39;Build for Beginners&#39;. Participants are asked to think about a scenario where Watchtower is expanded to include more categories." class="c-featured-image"/> <p>The exercise generated some excellent discussion and ideas. It also encouraged our team to start using our new principle-specific Slack emojis, FigJam stickers, and Zoom wallpaper. To keep the discussions going, we also created digital summary cards for each principle for use in our weekly design critiques.</p> <p>We know that our mid-May launch wasn’t the end of the process, but just the beginning. That’s why we found five people to be principle ambassadors. Their job is to support the team by sharing relevant links about the principle they’re responsible for. 
For example:</p> <ul> <li>Embrace the problem with <a href="https://www.atlassian.com/team-playbook/plays/5-whys">the five whys exercise</a></li> <li>Advocate for accessibility <a href="https://stephaniewalter.design/blog/a-designers-guide-to-documenting-accessibility-user-interactions/">through Figma annotations</a></li> <li>Build for beginners with <a href="https://medium.com/curiosity-by-design/the-handy-list-of-human-words-a70f13dde55e">plain language</a></li> <li>Connect the dots by <a href="https://www.howtomakesenseofanymess.com/">making sense of any mess</a></li> <li>Iterate until it’s great by <a href="https://medium.com/google-design/3-ux-takeaways-from-redesigning-google-translate-3184038f43bf">managing change aversion</a></li> </ul> <p>And we didn’t stop there. Six weeks after launching the new principles, we awarded an embroidered UX principles baseball cap to Michael McKeever, a Senior Product Designer who best embodied the spirit of the new principles.</p> <p>If that sounds like a lot of moving parts, it is. But we know that without steady, gentle reminders and snazzy swag, it’s too easy to forget about UX principles. Of course, even if everyone memorizes the principles and/or puts them on a t-shirt, design utopia isn’t guaranteed. We have to continue to discuss, debate, and evolve our principles as we update existing features and build new ones. Our principles will also need to be interpreted in slightly different ways depending on our audience, what they’re trying to accomplish, and how long they’ve been using 1Password.</p> <p>Our plan is to assess the success of the principles in late November of this year. We fully anticipate that our principles will need to be tweaked. Perhaps one will be removed. Or heck, maybe we&rsquo;ll add a sixth principle. 
Because when we say “iterate until it’s great” we truly mean it.</p> <h3 id="resources">Resources</h3> <ul> <li><a href="https://indeed.design/article/indeeds-design-principles-and-how-we-made-them">https://indeed.design/article/indeeds-design-principles-and-how-we-made-them</a></li> <li><a href="https://jonlax.framer.ai/writing/design-principles">https://jonlax.framer.ai/writing/design-principles</a></li> <li><a href="https://principles.design/">https://principles.design/</a></li> <li><a href="https://spotify.design/article/introducing-spotifys-new-design-principles">https://spotify.design/article/introducing-spotifys-new-design-principles</a></li> </ul> <p><em>Huge thanks to everyone who helped develop the principles and create a rollout plan.</em></p></description></item><item><title>Improve developer security with 1Password® Extended Access Management</title><link>https://blog.1password.com/extended-access-management-developer-security/</link><pubDate>Wed, 14 Aug 2024 00:00:00 +0000</pubDate><author>info@1password.com (Jason Meller)</author><guid>https://blog.1password.com/extended-access-management-developer-security/</guid><description> <img src='https://blog.1password.com/posts/2024/extended-access-management-developer-security/header.png' class='webfeedsFeaturedVisual' alt='Improve developer security with 1Password® Extended Access Management' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">With 1Password Extended Access Management, customers can now require users to secure unencrypted SSH keys on their devices by importing them into 1Password before they can access sensitive company data.</p> <p>Like many, you might assume that software developers have an advantage over non-technical end users when securing their devices. After all, they understand how computers work at a deep level, and reasoning about security is a significant part of software engineering.</p> <p>Not exactly. 
Software engineers have access to organizations' most sensitive systems and intellectual property, but they are also the most likely group to successfully advocate to be an exception to the security and IT team’s normal practices. Additionally, they regularly encounter, handle, and even <em>generate</em> sensitive credentials, making them a prime target for bad actors. In fact, in <a href="https://www.verizon.com/business/resources/T9f5/reports/2024-dbir-data-breach-investigations-report.pdf">Verizon’s 2024 Data Breach Investigations Report</a>, the top “initial action” taken by attackers in the breaches analyzed was “stolen credentials.”</p> <p>The credentials developers encounter are everywhere. They live in the code they write, the terminal, and they are even the way most developers sign into remote servers. Once you have one of these credentials, that’s often all it takes to access the system or service it&rsquo;s associated with because, more often than not, it’s running right on the public Internet.</p> <p><a href="https://blog.1password.com/exposed-developer-secrets-gitguardian/">Developer secrets leaks are a pervasive problem</a>, but have been especially acute for the financial services industry recently. Among the top 200 financial services apps in the United States, United Kingdom, France, and Germany, <a href="https://www.businesswire.com/news/home/20230302005470/en/">92% of financial services apps contained easy-to-extract secrets</a> that could be used in scripts to steal data (<a href="https://info.approov.io/secret-report"><em>Mobile App Security Report</em>, Approov, 2023</a>).</p> <p>Existing approaches like privileged access management (PAM) only secure the systems and credentials you manage. What happens to credentials stored on local devices or unmanaged devices? 
<a href="https://1password.com/product/xam">1Password Extended Access Management</a> goes further by identifying and protecting systems outside your control, including BYOD devices your employees use for work.</p> <p>For example, with 1Password Extended Access Management, admins can check for insecure SSH keys on any devices their employees use for work before those employees sign in to sensitive apps. If unencrypted SSH keys are found, users are prompted to secure them by importing the keys into their 1Password vault. If they ignore the prompts, access to sensitive apps can be automatically blocked until end-users have complied with the request.</p> <img src="https://blog.1password.com/posts/2024/extended-access-management-developer-security/1password-xam-ssh-key-import.png" alt="1Password Extended Access Management warning that an unencrypted SSH key has been detected, and outlining steps to import that SSH key into 1Password" title="1Password Extended Access Management warning that an unencrypted SSH key has been detected, and outlining steps to import that SSH key into 1Password" class="c-featured-image"/> <p>This combination of detection, providing the end-user with tools to fix the problem, and finally, proportional consequences if they don’t take care of the problem, is a potent approach that results in a miracle: your developers meaningfully participated in your company’s remediation story, with near-perfect efficacy.</p> <h2 id="out-of-sight-out-of-mind">Out of sight, out of mind</h2> <p>SSH keys, or Secure Shell keys, are used by IT and engineering teams to securely authenticate and establish encrypted connections to remote servers and systems. Compromised keys can lead to unauthorized access, security incidents, and potential loss of sensitive information.</p> <p>SSH keys stored on devices can pose significant security risks when they are unencrypted or use outdated encryption formats. 
Unencrypted SSH keys are vulnerable to unauthorized access, as they can be easily exploited by attackers who gain access to a device. Similarly, SSH keys that use outdated encryption formats are susceptible to modern cryptographic attacks.</p> <p>Unfortunately, both security teams and developers usually lack visibility into the health of SSH keys on devices. Once developers create an SSH key, it gets added to the ~/.ssh directory on their device. They may use it daily, but will likely never check the encryption algorithm again.</p> <h2 id="better-security-better-productivity">Better security, better productivity</h2> <p>In January, we announced that <a href="https://blog.1password.com/watchtower-ssh-keys/">1Password Watchtower now provides SSH key security insights</a> for individual users. And now administrators can configure SSH security checks for every device in their fleet.</p> <p>When 1Password Extended Access Management performs a check, it will alert users to any unencrypted SSH keys on their devices. They will be prompted to import their unencrypted keys into their 1Password vault for safekeeping.</p> <p>Once saved in 1Password, SSH keys are end-to-end encrypted in vaults and available for use in developers’ day-to-day workflows via the <a href="https://1password.com/developers/ssh">built-in SSH agent</a>. 
They can authenticate SSH connections and <a href="https://blog.1password.com/git-commit-signing/">sign Git commits with biometrics</a>, reducing friction and improving security.</p> <div style="text-align: center !important;"> <iframe src="https://www.youtube-nocookie.com/embed/BMFvhl0WRFQ" frameborder="0" allow="autoplay; encrypted-media" width="500px !important;" height="281px !important;" style="width: 500px !important; height: 281px !important; display: inline-block !important" allowfullscreen></iframe> </div> <h2 id="getting-started">Getting started</h2> <p>Admins can easily configure a pre-built contextual access policy for unencrypted SSH keys by visiting the “Checks” tab within the <a href="https://blog.1password.com/what-is-device-trust/">Device Trust</a> component of 1Password Extended Access Management. From there, they can choose whether to warn users for a certain period when an unencrypted key is found or begin blocking access immediately.</p> <img src="https://blog.1password.com/posts/2024/extended-access-management-developer-security/ssh-check-config.png" alt="1Password Extended Access Management policy option to require SSH keys to be encrypted" title="1Password Extended Access Management policy option to require SSH keys to be encrypted" class="c-featured-image"/> <p>If devices fail this check when attempting to sign in, users will be provided with step-by-step instructions on how to move their unencrypted keys into 1Password. 
As soon as the problem is resolved, they will be able to recheck the device and continue signing in without any intervention from IT.</p> <h2 id="secure-developer-devices-code-and-infrastructure">Secure developer devices, code, and infrastructure</h2> <p>1Password Extended Access Management ensures the security of your devices, and works with 1Password <a href="https://1password.com/product/enterprise-password-manager">Enterprise Password Manager</a> to extend that protection to your code and infrastructure.</p> <p>With 1Password you can:</p> <ul> <li><strong>Secure developer devices:</strong> Protect your systems by identifying and fixing security risks from unencrypted SSH keys stored on employee and BYOD devices.</li> <li><strong>Keep secrets out of code:</strong> Help developers identify exposed secrets in code, import them into 1Password, and replace secrets with references.</li> <li><strong>Reduce secrets sprawl:</strong> Centralize and manage secrets across cloud environments in 1Password, and use CI/CD and infrastructure integrations to securely deploy your applications.</li> </ul> <p><a href="https://1password.com/developer-security">Developer security tools</a> are included in all 1Password plans. You can <a href="https://developer.1password.com/">explore the documentation</a> to learn more, and <a href="https://1password.com/contact-sales/xam/?utm_ref=blog">schedule a demo</a> to see 1Password Extended Access Management in action.</p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Secure every sign-in for every app on every device.</h3> <p class="c-call-to-action-box__text"> Modern security and IT teams need to make sure every identity, device, and application is secure. Only 1Password® Extended Access Management (XAM) checks every box. 
</p> <a href="https://1password.com/contact-sales/xam/?utm_ref=blog" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Request a demo </a> </div> </section></description></item><item><title>Back-to-school tips: A step-by-step guide to getting your family started with 1Password</title><link>https://blog.1password.com/back-to-school-onboarding-checklist/</link><pubDate>Tue, 13 Aug 2024 00:00:00 +0000</pubDate><author>info@1password.com (1Password)</author><guid>https://blog.1password.com/back-to-school-onboarding-checklist/</guid><description> <img src='https://blog.1password.com/posts/2024/back–to-school–onboarding-checklist/header.png' class='webfeedsFeaturedVisual' alt='Back-to-school tips: A step-by-step guide to getting your family started with 1Password' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">It’s that time of year. Back to school preparation is in full swing, from last minute shopping lists and school supplies to pick-up schedules and extracurricular activities.</p> 
<p>So far, we’ve shared <a href="https://blog.1password.com/getting-started-students-and-families/">tips to help you navigate back-to-school in the digital age</a>, along with <a href="https://blog.1password.com/password-checklist-students-parents/">all the ways you can use 1Password</a> to make the back-to-school season and your everyday family life a lot simpler.</p> <p>Now, we’re sharing a step-by-step guide to help get you and your loved ones onboarded and set up with 1Password Families so you can get a head start on the first day of school – and every other day, too.</p> <p>We’ve broken it down into a step-by-step process with written instructions as well as video walkthroughs. If you prefer to follow along entirely with a video, our <a href="https://www.youtube.com/watch?v=seMl5imFNCQ">How to get started with 1Password</a> video will show you exactly what the process looks like.</p> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div class="c-technical-aside-box__description"> <p>Already using 1Password and want to upgrade to 1Password Families? <a href="https://blog.1password.com/upgrade-to-1password-families/">Follow our step-by-step guide</a>.</p> </div> </aside> <h2 id="1-set-up-your-account-in-no-time">1. Set up your account in no time</h2> <div style="text-align: center !important;"> <iframe src="https://www.youtube-nocookie.com/embed/Bnb0JrHe8KM" frameborder="0" allow="autoplay; encrypted-media" width="500px !important;" height="281px !important;" style="width: 500px !important; height: 281px !important; display: inline-block !important" allowfullscreen></iframe> </div> <p>To get started, sign up for 1Password Families. When you create your account, you’ll be the <a href="https://support.1password.com/family-organizer/">family organizer</a>. 
As a family organizer, your role is to manage your family members and the items they have access to.</p> <p>You can also have more than one family organizer – for example, both you and your partner can manage things like billing, settings, and guests – but no need to worry about that until later.</p> <div class="download-feature"> <p>Sign up for 1Password Families</p> <p> <a href="https://start.1password.com/sign-up/family?l=en" class="call-to-action "> Sign up </a> </p> </div> <h2 id="2-add-family-members">2. Add family members</h2> <div style="text-align: center !important;"> <iframe src="https://www.youtube-nocookie.com/embed/JMwW5bF4x_Y" frameborder="0" allow="autoplay; encrypted-media" width="500px !important;" height="281px !important;" style="width: 500px !important; height: 281px !important; display: inline-block !important" allowfullscreen></iframe> </div> <p>After you sign up, it’s time to invite the rest of your loved ones. Each family member you invite will create their own account password to sign in to 1Password and receive their own <a href="https://support.1password.com/secret-key-security/">Secret Key</a> and <a href="https://support.1password.com/emergency-kit/">Emergency Kit</a>.</p> <p>When you get the email notification that says they’ve signed up, select the link to confirm their account.</p> <div class="download-feature"> <p>Find out how to invite loved ones</p> <p> <a href="https://support.1password.com/add-remove-family-members/" class="call-to-action "> Adding users </a> </p> </div> <h2 id="3-download-the-browser-extensions-mobile-and-desktop-apps">3. 
Download the browser extensions, mobile, and desktop apps</h2> <div style="text-align: center !important;"> <iframe src="https://www.youtube-nocookie.com/embed/Vugw_bbZqFw" frameborder="0" allow="autoplay; encrypted-media" width="500px !important;" height="281px !important;" style="width: 500px !important; height: 281px !important; display: inline-block !important" allowfullscreen></iframe> </div> <p>1Password will sync across all of your and your loved ones’ devices, including your phones, tablets, web browsers, and computers. You can access your data everywhere you need it and any changes you make on one device are immediately available everywhere else.</p> <p>There’s no limit to the number of devices where you can use 1Password. Install it on all your computers and mobile devices to always have your information with you. Plus, after everything is in sync, it’ll be available even if you need to go offline for a bit.</p> <p>For a seamless experience, download 1Password on your computer:</p> <ul> <li><a href="https://apps.microsoft.com/detail/xp99c9g0krdz27?hl=en-us&amp;gl=CA">Windows</a></li> <li><a href="https://1password.com/downloads/mac/">Mac</a></li> <li><a href="https://1password.com/downloads/linux/">Linux</a></li> </ul> <p>On your phone:</p> <ul> <li><a href="https://apps.apple.com/app/id1511601750?mt=8">iOS</a></li> <li><a href="https://play.google.com/store/apps/details?id=com.onepassword.android">Android</a></li> </ul> <p>And as an <a href="https://support.1password.com/getting-started-browser/">extension</a> for the web browser you use:</p> <ul> <li><a href="https://1password.com/downloads/browser-extension/">Edge</a></li> <li><a href="https://1password.com/downloads/browser-extension/">Chrome</a></li> <li><a href="https://1password.com/downloads/browser-extension/">Firefox</a></li> <li><a href="https://1password.com/downloads/browser-extension/">Safari</a></li> <li><a href="https://1password.com/downloads/browser-extension/">Brave</a></li> </ul> <p>If 
you want to begin with just one download first, the 1Password browser extension is the place to start.</p> <h2 id="4-import-from-another-password-manager">4. Import from another password manager</h2> <div style="text-align: center !important;"> <iframe src="https://www.youtube-nocookie.com/embed/smiMXKDt7RM" frameborder="0" allow="autoplay; encrypted-media" width="500px !important;" height="281px !important;" style="width: 500px !important; height: 281px !important; display: inline-block !important" allowfullscreen></iframe> </div> <p>Wherever you’ve been keeping your passwords up until now, you can easily import them over to 1Password.</p> <p>You can import data into 1Password from:</p> <ul> <li><a href="https://support.1password.com/import/#edge">Edge</a></li> <li><a href="https://support.1password.com/import/#chrome">Chrome</a></li> <li><a href="https://support.1password.com/import/#firefox">Firefox</a></li> <li><a href="https://support.1password.com/import/#brave">Brave</a></li> <li><a href="https://support.1password.com/import/#safari">Safari</a></li> <li><a href="https://support.1password.com/import/#dashlane">Dashlane</a></li> <li><a href="https://support.1password.com/import/#keepass">KeePass</a></li> <li><a href="https://support.1password.com/import/#keepassx">KeePassX</a></li> <li><a href="https://support.1password.com/import/#lastpass">LastPass</a></li> <li><a href="https://support.1password.com/import/#roboform">RoboForm</a></li> </ul> <p>You can also import data from other applications using the <a href="https://support.1password.com/import/#import-a-csv-file-from-another-app">comma-separated values (CSV) file format</a>.</p> <p>Even if you’ve just been keeping your passwords stored on paper or in your memory, <a href="https://support.1password.com/1password-com-items/#create-and-edit-items">you can manually add new items to 1Password, too</a>.</p> <h2 id="5-protect-and-organize-your-data-with-vaults">5. 
Protect and organize your data with vaults</h2> <div style="text-align: center !important;"> <iframe src="https://www.youtube-nocookie.com/embed/YYho5Qr5JQY" frameborder="0" allow="autoplay; encrypted-media" width="500px !important;" height="281px !important;" style="width: 500px !important; height: 281px !important; display: inline-block !important" allowfullscreen></iframe> </div> <p>Items in 1Password are stored in vaults. Your family account includes a Shared vault for items everyone in your family needs, like your Wi-Fi password or Netflix login.</p> <p>You can also have a Private vault for yourself, and you can create additional vaults to share information with specific people – for example, you can have a vault only you and your partner can access.</p> <p>Regardless of how you set up your vaults, thanks to 1Password’s <a href="https://support.1password.com/1password-security/">robust security model</a>, you can rest assured that your data will be kept private and secure, <a href="https://blog.1password.com/how-1password-protects-your-data/#:~:text=If%20you%20use%201Password%2C%20your%20information%20is%20safe.&amp;text=Our%20dual%2Dkey%20encryption%20ensures,information%20stored%20in%20your%20vaults.">even in the unlikely event of a data breach</a>.</p> <div class="download-feature"> <p>Find out how to create and share vaults</p> <p> <a href="https://support.1password.com/create-share-vaults/#:~:text=To%20create%20a%20vault%20in%201Password%20for%20Android%2C%20tap%20Items,Give%20your%20vault%20a%20name" class="call-to-action "> Use vaults </a> </p> </div> <p>Here are some examples of useful vault ideas our customers have shared with us that you might want to get started with to help you stay organized:</p> <ul> <li><strong>School vault</strong>: You can include school portals, contact information for your child’s teacher, school calendars and extracurricular calendars, and more.</li> <li><strong>Identity vault</strong>: Store everyone’s important 
identity-related documents like driver’s licenses, passports, health insurance cards, birth certificates, and social security or social insurance numbers.</li> <li><strong>Medical vault</strong>: Keep sensitive data like medical records, vaccines and immunizations, contact information for your pediatrician, allergy lists, and medication lists.</li> <li><strong>Guest vault</strong>: You can add guests to 1Password, like babysitters and dog walkers. In a guest vault, you can store things you know will come in handy for them, like your door alarm code, instructions for child care, and emergency contacts like the phone number for your child’s school or your work phone number.</li> <li><strong>Emergency vault</strong>: You can keep a vault ready for any emergencies, like storing any important phone numbers, or temporarily sharing your credit card if your child forgot their lunch box and you want them to buy a healthy meal in the cafeteria.</li> </ul> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div class="c-technical-aside-box__description"> <p><a href="https://blog.1password.com/password-checklist-students-parents/">Get more tips</a> on all the ways you can use 1Password to make going back to school – and every day – a much easier experience for you and your family.</p> </div> </aside> <h2 id="6-share-passwords-with-your-family">6. Share passwords with your family</h2> <div style="text-align: center !important;"> <iframe src="https://www.youtube-nocookie.com/embed/auLBJr4mcZY" frameborder="0" allow="autoplay; encrypted-media" width="500px !important;" height="281px !important;" style="width: 500px !important; height: 281px !important; display: inline-block !important" allowfullscreen></iframe> </div> <p>You can now start sharing passwords seamlessly across everyone’s devices regardless of what type they are. 
If you ever need to update a password the whole family uses, no need to let everyone know – the update will automatically sync to everyone who has access to it.</p> <div class="download-feature"> <p>Find out how to share passwords with your family</p> <p> <a href="https://support.1password.com/create-share-vaults/#:~:text=To%20create%20a%20vault%20in%201Password%20for%20Android%2C%20tap%20Items,Give%20your%20vault%20a%20name." class="call-to-action "> Start sharing </a> </p> </div> <p>Plus, you can also safely share items stored in 1Password with anyone outside your family – even if they don’t use 1Password.</p> <div class="download-feature"> <p>Share passwords with anyone outside of 1Password</p> <p> <a href="https://support.1password.com/create-share-vaults/#:~:text=To%20create%20a%20vault%20in%201Password%20for%20Android%2C%20tap%20Items,Give%20your%20vault%20a%20name." class="call-to-action "> Share items </a> </p> </div> <h2 id="7-save-and-autofill-everything">7. Save and autofill everything</h2> <div style="text-align: center !important;"> <iframe src="https://www.youtube-nocookie.com/embed/TssmP7nmrf8" frameborder="0" allow="autoplay; encrypted-media" width="500px !important;" height="281px !important;" style="width: 500px !important; height: 281px !important; display: inline-block !important" allowfullscreen></iframe> </div> <p>Now that you have your credentials saved in 1Password, you can start taking advantage of <a href="https://1password.com/features/autofill/">autofill</a>. 
Automatically enter your logins and personal information like addresses and credit cards rather than manually typing the details into each field.</p> <p>If you haven’t saved a credential yet or are signing up for a new account, you can easily save it to 1Password for a quick login next time.</p> <p>Plus, you can even choose default options, like a certain email address or payment card you always prefer to use, to automate things even further.</p> <div class="download-feature"> <p>Find out how to save and autofill your information</p> <p> <a href="https://support.1password.com/create-share-vaults/#:~:text=To%20create%20a%20vault%20in%201Password%20for%20Android%2C%20tap%20Items,Give%20your%20vault%20a%20name." class="call-to-action "> Start autofilling </a> </p> </div> <h2 id="7-create-a-recovery-plan">7. Create a recovery plan</h2> <ul> <li> <p><a href="https://support.1password.com/family-organizer/#add-or-remove-a-family-organizer">Assign any additional family organizers</a>: Family organizers can <a href="https://support.1password.com/recovery/">restore access</a> for family members who forget their 1Password account password or can’t find their Secret Key. Assigning at least one other family organizer is a great way to make sure no one is ever locked out of 1Password.</p> </li> <li> <p><a href="https://support.1password.com/emergency-kit/">Decide where to store your Emergency Kits</a>: Your Emergency Kit is a PDF document with your account details and a place to write your 1Password account password. There is no one right answer on where to store your kit, but options like a fire-resistant safe and an encrypted USB drive are good examples. 
We share more ideas in our blog, <a href="https://blog.1password.com/where-to-store-your-emergency-kit/">Where to store your 1Password Emergency Kit</a>.</p> </li> <li> <p><a href="https://support.1password.com/recovery-codes/">Have everyone create a recovery code</a>: If you forget your password and lose your Emergency Kit with your Secret Key, you can use the recovery code you created to get back into 1Password. Once you’ve created your recovery code, as long as you all have access to the email addresses associated with your 1Password accounts, you can use the recovery code on 1Password.com any time to regain access to your accounts and create new sign-in details.</p> </li> </ul> <div class="download-feature"> <p>Find out how to implement a recovery plan</p> <p> <a href="https://support.1password.com/create-share-vaults/#:~:text=To%20create%20a%20vault%20in%201Password%20for%20Android%2C%20tap%20Items,Give%20your%20vault%20a%20name" class="call-to-action "> Get started </a> </p> </div> <h2 id="8-get-to-know-1password">8. Get to know 1Password</h2> <p>If it’s your first time using 1Password, you can join our <a href="https://1password.community/">1Password Community</a> to share ideas, ask questions, and get answers. You can also check out our <a href="https://support.1password.com/">Support site</a>, where you can find step-by-step walkthroughs and guides on everything you can do with 1Password.</p> <p>Hang out with us on social media, where we share tips, best practices, breaking news, and lots of other fun stuff. 
Find us on <a href="https://www.instagram.com/1passwordofficial/">Instagram</a>, <a href="https://www.facebook.com/1Password">Facebook</a>, <a href="https://www.reddit.com/r/1Password">Reddit</a>, <a href="https://twitter.com/1Password">X (formerly Twitter)</a>, and <a href="https://1password.social/@1password">Mastodon</a>.</p> <h2 id="enjoy-a-simplified-life">Enjoy a simplified life</h2> <p>Whether it’s a new school year or you’re just trying to get your family and life admin organized, 1Password is the perfect way to help get you and your loved ones on track.</p> <p>When you&rsquo;re less worried about keeping track of all the little things you’re always trying to stay on top of, you can take more time to focus on what matters most – like quality time, special moments, and the well-being of your family.</p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Ready to protect yourself?</h3> <p class="c-call-to-action-box__text"> Keep all of your accounts secure with 1Password, the world’s most-trusted password manager. Get started today with a free 14-day trial. 
</p> <a href="https://1password.com/pricing/" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Try free for 14 days </a> </div> </section></description></item><item><title>The 1Password lock screen: A SwiftUI story</title><link>https://blog.1password.com/lock-screen-swiftui-ios-app/</link><pubDate>Tue, 13 Aug 2024 00:00:00 +0000</pubDate><author>info@1password.com (Adam Hou)</author><guid>https://blog.1password.com/lock-screen-swiftui-ios-app/</guid><description> <img src='https://blog.1password.com/posts/2024/lock-screen-swiftui-ios-app/header.png' class='webfeedsFeaturedVisual' alt='The 1Password lock screen: A SwiftUI story' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Five years ago, the SwiftUI framework <a href="https://developer.apple.com/videos/play/wwdc2019/204/">was revealed at WWDC19</a>, offering developers a new way to build apps on Apple platforms.</p> <p>Despite the framework’s infancy, its simplicity and clarity in developing user interfaces displayed incredible potential. That’s why when we started working on 1Password 8 in early 2020, we decided to go all-in on SwiftUI for our iOS app. After all, it was being touted as the future of UI development on Apple platforms.</p> <p>Since then, SwiftUI has served us really well. It’s helped our team <a href="https://blog.1password.com/1password-8-ios-android/">bring 1Password 8 for iOS to life</a> and move quicker than ever in delivering new, exciting features to users. We’re having a great time with SwiftUI today but it hasn’t always been smooth sailing for everything we’ve needed to build. One of those things was our lock screen.</p> <p>In this post, we’ll share our team’s experience of being early SwiftUI adopters through the lens of our lock screen. 
We’ll cover our initial struggles that led to an initial UIKit implementation, followed by our eventual SwiftUI reimplementation, which has made our lives much easier. It’s a peek behind the curtain at how we build 1Password and we hope it will help inform your own decisions about adopting SwiftUI.</p> <h2 id="the-lock-screen-how-it-started">The lock screen: How it started</h2> <img src='https://blog.1password.com/posts/2024/lock-screen-swiftui-ios-app/1password-ios-lock-screen.png' alt='A screenshot of the 1Password for iOS app lock screen. The screen includes the 1Password logo, an account image, and a password field.' title='A screenshot of the 1Password for iOS app lock screen. The screen includes the 1Password logo, an account image, and a password field.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>The 1Password lock screen is a deceptively complex piece of UI that has to adapt to a number of different sizes, orientations, locking modes, and account types. It’s also the first thing every user sees when they open the app, so it’s critical that we nail its implementation.</p> <p>By the time we started the initial development of the lock screen, we had bumped up our minimum deployment target to iOS 14. That choice meant SwiftUI had already received its first major update.</p> <p>However, the framework still had numerous limitations that we found difficult to overcome when it came to the lock screen portion of the app. The most notable roadblocks that we hit related to animations and layout.</p> <h3 id="animations">Animations</h3> <p>Animations were problematic because we needed to chain a few of them together alongside asynchronous procedures on the lock screen.
The unlock animation consists of the following steps that need to happen one after another:</p> <ol> <li>Partial rotation of the lock for the loading state</li> <li>Full rotation of the lock upon successful unlock</li> <li>The door opening effect</li> </ol> <img src='https://blog.1password.com/posts/2024/lock-screen-swiftui-ios-app/1password-ios-lock-screen-loop1.gif' alt='An animated GIF showing the 1Password lock screen and, after a successful Face ID unlock, the door opening effect that leads to the customer&#39;s vaults.' title='An animated GIF showing the 1Password lock screen and, after a successful Face ID unlock, the door opening effect that leads to the customer&#39;s vaults.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>Each animation has a different duration, with specific delays between them. We found these details messy to coordinate because SwiftUI, unlike UIKit, didn’t provide completion handlers for animation blocks.</p> <p>These limitations started us down a road of creating a fragile chain of events that had to be controlled by numerous magic numbers for delays and dispatching asynchronously to the main queue.</p> <p>Certainly not a tenable or maintainable situation.</p> <h3 id="layout">Layout</h3> <p>The other can of worms was the implementation of our lock screen layout on larger devices such as the iPad. The design called for the following specifications:</p> <ol> <li>The account password field needs to be placed vertically and horizontally centered within the available area.</li> <li>The account avatar row and status message should be placed a fixed vertical distance above/below the anchored account password field.</li> <li>The lock needs to be horizontally placed a fixed distance from the leading edge of the account avatar row.
Its center should be vertically aligned to the center of the account avatar row.</li> <li>The left door’s trailing edge needs to be aligned horizontally to the center of the lock.</li> <li>The right door’s leading edge should be aligned horizontally to the center of the lock.</li> </ol> <p>This set of layout requirements is a cakewalk to implement with UIKit’s Auto Layout constraints. But could we accomplish the same layout with SwiftUI? Our team was still in the process of pulling ourselves away from our UIKit brains and ramping up on SwiftUI. So we had a difficult time getting this right. The task went well beyond the simple use of vertical and horizontal stacks and although we knew of alignment guides, it wasn’t clear how to replicate the amount of control that Auto Layout had.</p> <p>Alongside these two roadblocks, we encountered other difficulties. For example, we couldn’t control text field focus, and there wasn’t a simple way to support a flow layout for the account avatars.</p> <p>Taking all of these challenges into consideration, we decided to fall back to UIKit for our lock screen experience and revisit SwiftUI when the framework was more mature. Although this meant some additional code to interface between the lock screen (UIKit) and the rest of the app (SwiftUI), it was the best way to keep moving forward.</p> <h2 id="the-uikit-lock-screen-in-2023">The UIKit lock screen in 2023</h2> <p>Let’s fast forward to 2023. 1Password 8 for iOS had been released and the UIKit-powered lock screen had been in service for a few years. How was it faring?</p> <p>The rest of the 1Password app had moved on to an almost exclusively SwiftUI-based implementation. New features, components, and utilities were all being built with SwiftUI in mind but these advancements would never make their way to the lock screen. 
In some cases, we even had to recreate some of our SwiftUI components in UIKit to get the consistency we needed between the lock screen and the rest of the app.</p> <p>As time marched on, our requirements slowly changed and new features were added to the lock screen as hosted SwiftUI views. We found ourselves doing quite a bit of extra work to get the UIKit implementation to behave nicely with the rest of the app. Slowly, the lock screen code ballooned into a fragile behemoth that was difficult to work with. Debugging became a nightmare and fixing one bug would often lead to another. The lock screen was being crushed under the weight of its own tech debt, which made it clear to us that it was time for a course correction.</p> <h2 id="the-move-to-swiftui">The move to SwiftUI</h2> <p>Clearly, we needed a large refactor to break out of this tech debt cycle and figure out how to implement the lock screen in a smarter, easier-to-maintain fashion. Ideally this refactor would be done entirely in SwiftUI to make the implementation more homogeneous with the rest of the app.</p> <p>So the questions we had to ask ourselves were: “Are we still bound by the same challenges we had with SwiftUI a few years ago? What has changed since then?” We had been following SwiftUI’s advancements and found ourselves in a promising position once we bumped up our minimum deployment target to iOS 16.</p> <h3 id="new-layout-apis">New layout APIs</h3> <p>Moving up our minimum deployment target was a huge help. Multiple versions of SwiftUI had gone by and the framework had made great strides since then.</p> <p>We got access to new layout tools such as <code>ViewThatFits</code> and the ability to create custom layout containers using the <code>Layout</code> protocol, which allowed us to easily replace the <code>UICollectionView</code> used for the flow layout in the account avatar row.
In the UIKit implementation we had to worry about a variety of implementation details such as recomputing view dimensions after device orientation changes, hooking up data sources and ensuring they are reloaded appropriately, and enabling/disabling horizontal scrolling when necessary. The declarative nature of SwiftUI meant we no longer had to worry about all that! We even had a <code>HorizontalFlowLayout</code> written for displaying the tags of an item that could be reused here.</p> <p>All of those concerns we had to worry about in the UIKit implementation were automatically addressed in SwiftUI by just declaring what we want on the screen – and without a Storyboard in sight!</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-swift" data-lang="swift">struct LockScreenAccountAvatarsView: View {
    // ...

    var body: some View {
        switch layoutMode {
        case .small:
            horizontalScroll
        case .medium, .large:
            horizontalFlow
        }
    }

    // Small layouts: show the avatars inline if they fit, otherwise fall back to a horizontal scroll view.
    @ViewBuilder
    private var horizontalScroll: some View {
        ViewThatFits(in: .horizontal) {
            content

            ScrollView(.horizontal, showsIndicators: false) {
                content
            }
        }
    }

    @ViewBuilder
    private var content: some View {
        HStack(spacing: Self.avatarSpacing) {
            ForEach(accounts) { account in
                LockScreenAccountAvatarsCellView(
                    account: account,
                    iconSize: iconSize
                )
            }
        }
    }

    // Medium and large layouts: wrap the avatars with the custom Layout container.
    @ViewBuilder
    private var horizontalFlow: some View {
        HorizontalFlowLayout(spacing: Self.avatarSpacing) {
            ForEach(accounts) { account in
                LockScreenAccountAvatarsCellView(
                    account: account,
                    iconSize: iconSize
                )
            }
        }
    }
}
</code></pre></div><h3 id="swift-evolution">Swift evolution</h3> <p>Not only has SwiftUI evolved over time, but the Swift language itself has as well. For example, the introduction of Swift Concurrency and async-await was an immense help in writing asynchronous procedures in a readable and easy-to-maintain way.
While we didn’t have access to completion handlers for SwiftUI animations in iOS 16, coordinating animation durations and delays became a breeze with async-await.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-swift" data-lang="swift">@MainActor
func animate(
    animationCurve: AnimationCurve,
    duration: CGFloat,
    delay: CGFloat = 0,
    _ body: @escaping () -&gt; Void
) async {
    // Suspend the caller until the animation has finished. The original excerpt
    // used `continuation` without showing where it came from; wrapping the body in
    // withCheckedContinuation is the standard way to obtain it.
    await withCheckedContinuation { continuation in
        if #available(iOS 17, *) {
            // iOS 17 added a completion handler to withAnimation.
            withAnimation(animationCurve.curve(duration: duration).delay(delay)) {
                body()
            } completion: {
                continuation.resume()
            }
        } else {
            // Earlier releases: run the animation, then resume once its duration (plus delay) has elapsed.
            withAnimation(animationCurve.curve(duration: duration).delay(delay)) {
                body()
            }
            DispatchQueue.main.asyncAfter(deadline: .now() + duration + delay) {
                continuation.resume()
            }
        }
    }
}
</code></pre></div><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-swift" data-lang="swift">func openDoors() async {
    // Each step waits for the previous animation to complete before starting.
    await rotateKeyhole(to: .full)
    await animate(
        animationCurve: Self.doorOpeningAnimationCurve,
        duration: Self.doorOpeningDuration,
        delay: Self.keyholeRotationToDoorOpeningDelay
    ) {
        self.areDoorsOpen = true
    }
}
</code></pre></div><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-swift" data-lang="swift">func rotateKeyhole(to keyholeRotation: LockScreenKeyholeRotation) async {
    await animate(
        animationCurve: Self.keyholeRotationAnimationCurve,
        duration: keyholeRotation.duration
    ) {
        self.keyholeRotation = keyholeRotation
    }
}
</code></pre></div><p>Considering the previous implementation involved numerous callbacks combined with <code>Combine</code> publishers, this was a major step up in making everything easier to understand.</p> <h3
id="growing-alongside-swiftui">Growing alongside SwiftUI</h3> <p>As SwiftUI evolved throughout the years, so did our familiarity with the framework and its new paradigms. The layout system was less of a mystery (especially since the introduction of the <code>Layout</code> protocol) and best practices became second nature.</p> <p>The previous layout constraints of the lock screen – which we could only imagine implementing in Auto Layout – started to have clear solutions in SwiftUI.</p> <p>Let’s see how we can implement the layout constraints in the section above with SwiftUI. To get started, we’ll just slap everything onto the screen:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-swift" data-lang="swift">var body: some View {
    ZStack {
        logo
        controls
    }
    .background {
        HStack(spacing: .zero) {
            leftDoor
            rightDoor
        }
    }
}

@ViewBuilder
private var controls: some View {
    VStack(alignment: .leading, spacing: Self.controlsSpacing) {
        avatarRow
        passwordField
        statusMessage
    }
    .frame(width: Self.controlsWidth)
}
</code></pre></div> <img src="https://blog.1password.com/posts/2024/lock-screen-swiftui-ios-app/app-lock-screen-1.png" alt="A screenshot of a work-in-progress lock screen for the 1Password for iOS app." title="A screenshot of a work-in-progress lock screen for the 1Password for iOS app." class="c-featured-image"/> <p>Well, unsurprisingly, that looks terrible. Everything is smack in the middle of the screen! We can start by fixing the 1Password logo, which should be:</p> <ul> <li>Vertically aligned to the center of the avatar row</li> <li>A fixed horizontal distance from the leading edge of the avatar row</li> </ul> <p>To accomplish this, we can make use of some simple alignment guides:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-diff" data-lang="diff">var body: some View { <span class="gd">- ZStack { </span><span class="gd"></span><span class="gi">+ ZStack(alignment: .logoToAccountAvatars) { </span><span class="gi"></span> logo <span class="gi">+ .alignmentGuide(Alignment.logoToAccountAvatars.vertical) { </span><span class="gi">+ $0[VerticalAlignment.center] </span><span class="gi">+ } </span><span class="gi">+ .alignmentGuide(Alignment.logoToAccountAvatars.horizontal) { </span><span class="gi">+ $0[HorizontalAlignment.center] </span><span class="gi">+ } </span><span class="gi"></span> controls } .background { ...
} } <span class="gu">@ViewBuilder private var controls: some View { </span><span class="gu"></span> VStack(alignment: .leading, spacing: Self.controlsSpacing) { avatarRow <span class="gi">+ .alignmentGuide(Alignment.logoToAccountAvatars.vertical) { </span><span class="gi">+ $0[VerticalAlignment.center] </span><span class="gi">+ } </span><span class="gi">+ .alignmentGuide(Alignment.logoToAccountAvatars.horizontal) { </span><span class="gi">+ $0[.leading] - logoCenterToControlsLeadingHorizontalSpacing </span><span class="gi">+ } </span></code></pre></div> <img src="https://blog.1password.com/posts/2024/lock-screen-swiftui-ios-app/app-lock-screen-2.png" alt="A screenshot of a work-in-progress lock screen for the 1Password for iOS app." title="A screenshot of a work-in-progress lock screen for the 1Password for iOS app." class="c-featured-image"/> <p>While the logo has moved to its correct position relative to the avatar row, the doors haven’t followed! We can leverage the alignment guide we’ve already created to get this right as well:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-diff" data-lang="diff"> controls } <span class="gd">- .background { </span><span class="gd"></span><span class="gi">+ .background( </span><span class="gi">+ alignment: Alignment( </span><span class="gi">+ horizontal: Alignment.logoToAccountAvatars.horizontal, </span><span class="gi">+ vertical: .center </span><span class="gi">+ ) </span><span class="gi">+ ) { </span><span class="gi"></span> HStack(spacing: .zero) { leftDoor rightDoor } <span class="gi">+ .alignmentGuide(Alignment.logoToAccountAvatars.horizontal) { </span><span class="gi">+ $0[HorizontalAlignment.center] </span><span class="gi">+ } </span><span class="gi"></span>} </code></pre></div> <img src="https://blog.1password.com/posts/2024/lock-screen-swiftui-ios-app/app-lock-screen-3.png" alt="A screenshot of a work-in-progress lock screen for the 1Password for iOS app." 
title="A screenshot of a work-in-progress lock screen for the 1Password for iOS app." class="c-featured-image"/> <p>The lock screen now looks pretty close to what we want. All that remains is to properly center the password field in the middle of the screen. We know that SwiftUI will center our content by default for us… so what’s the deal here? After moving the logo to its proper position, SwiftUI is now centering the combined boundary of both the logo and the vertical stack of controls (think <code>CGRectUnion</code>). This means the layout of the logo is affecting the controls even though the logo’s position should be solely dependent on the controls.</p> <p>We can remedy this by moving the logo into a <code>background</code> modifier so that SwiftUI naturally centers the controls, or by using different layout priorities.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-diff" data-lang="diff">var body: some View { <span class="gd">- ZStack(alignment: .logoToAccountAvatars) { </span><span class="gd">- logo </span><span class="gd">- .alignmentGuide(Alignment.logoToAccountAvatars.vertical) { </span><span class="gd">- $0[VerticalAlignment.center] </span><span class="gd">- } </span><span class="gd">- .alignmentGuide(Alignment.logoToAccountAvatars.horizontal) { </span><span class="gd">- $0[HorizontalAlignment.center] </span><span class="gd">- } </span><span class="gd">- </span><span class="gd">- controls </span><span class="gd">- } </span><span class="gd"></span><span class="gi">+ content </span><span class="gi"></span> .background(...) { ... 
} } <span class="gi">+@ViewBuilder private var content: some View { </span><span class="gi">+ controls </span><span class="gi">+ .background(alignment: .logoToAccountAvatars) { </span><span class="gi">+ logo </span><span class="gi">+ .alignmentGuide(Alignment.logoToAccountAvatars.vertical) { </span><span class="gi">+ $0[VerticalAlignment.center] </span><span class="gi">+ } </span><span class="gi">+ .alignmentGuide(Alignment.logoToAccountAvatars.horizontal) { </span><span class="gi">+ $0[HorizontalAlignment.center] </span><span class="gi">+ } </span><span class="gi">+ } </span><span class="gi">+} </span></code></pre></div> <img src="https://blog.1password.com/posts/2024/lock-screen-swiftui-ios-app/app-lock-screen-4.png" alt="A screenshot of a work-in-progress lock screen for the 1Password for iOS app." title="A screenshot of a work-in-progress lock screen for the 1Password for iOS app." class="c-featured-image"/> <p>It’s looking good! However, we&rsquo;re not done yet. Remember that one of the desired specifications is to have the password field centered in the screen, not the vertical stack of controls. 
We’re already fine on the horizontal axis since the width of the password field corresponds to the vertical stack, but not on the vertical axis.</p> <p>Let’s use one last alignment guide to get that working:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-diff" data-lang="diff">var body: some View { <span class="gd">- content </span><span class="gd"></span><span class="gi">+ ZStack(alignment: .passwordFieldToContainer) { </span><span class="gi">+ // Represents the container for alignment purposes </span><span class="gi">+ Color.clear </span><span class="gi">+ .alignmentGuide(Alignment.passwordFieldToContainer.vertical) { </span><span class="gi">+ $0[VerticalAlignment.center] </span><span class="gi">+ } </span><span class="gi">+ </span><span class="gi">+ content </span><span class="gi">+ } </span><span class="gi"></span> .background(...) { ... } } <span class="gu">@ViewBuilder private var controls: some View { </span><span class="gu"></span> VStack(alignment: .leading, spacing: Self.controlsSpacing) { avatarRow .alignmentGuide(Alignment.logoToAccountAvatars.vertical) { $0[VerticalAlignment.center] } .alignmentGuide(Alignment.logoToAccountAvatars.horizontal) { $0[.leading] - logoCenterToControlsLeadingHorizontalSpacing } passwordField <span class="gi">+ .alignmentGuide(Alignment.passwordFieldToContainer.vertical) { </span><span class="gi">+ $0[VerticalAlignment.center] </span><span class="gi">+ } </span></code></pre></div> <img src="https://blog.1password.com/posts/2024/lock-screen-swiftui-ios-app/app-lock-screen-5.png" alt="A screenshot of a work-in-progress lock screen for the 1Password for iOS app." title="A screenshot of a work-in-progress lock screen for the 1Password for iOS app." class="c-featured-image"/> <p>And there you have it! We’ve implemented all the required layout constraints fully in SwiftUI. There’s nothing mind-boggling about the techniques we’ve used here.
But the subtle decisions we had to make around how the layout system and alignment guides worked weren’t apparent when we first started out with SwiftUI. The fact it’s now so much easier to figure out and implement this layout in SwiftUI is a small testament to how far our team has grown in its understanding and usage. It also reflects our declining dependence on the UIKit crutch.</p> <p>These advancements in SwiftUI, Swift, and ourselves meant it was now the perfect time to refactor the lock screen and take advantage of the simplicity of SwiftUI. With its feasibility confirmed, we began carefully rebuilding the lock screen at the start of 2024. After several pull requests, we had wrapped it all up by early March. We now have ourselves a maintainable, well-oiled SwiftUI lock screen.</p> <h2 id="the-wins">The wins</h2> <p>From an internal perspective, this new lock screen is a huge win. It’s allowed us to replace the house-of-cards UIKit/SwiftUI hybrid implementation that we had across our app, and put us in a position where making future changes is simpler and safer to do.</p> <p>When you’re designing software, seeing the future – and what changes in requirements are coming – is a superpower that every developer strives for. This refactor was an opportunity for us to simulate that superpower and design the lock screen, along with its numerous unlock methods, into a nice cohesive system.</p> <p>While lines of code isn’t always the best measure, the refactored implementation reduced the amount of code we had by 973 lines. That’s a 39% decrease! And we weren’t exactly conservative with lines either! With this project, we’ve taken a major step forward in fully embracing the productivity multiplier that SwiftUI is and reducing our dependence on UIKit.</p> <p>The refactor also allowed us to clear out numerous long-standing UX paper cuts. Problems that were previously difficult to debug were addressed in one fell swoop.
This includes but is not limited to fixing:</p> <ul> <li>Improper keyboard avoidance</li> <li>Overlapping buttons/labels</li> <li>Excessive icon refreshes</li> </ul> <p>Another benefit of this project was that it opened the door for some polishing work that we had wanted for a long time. Specifically, a smooth launch screen transition.</p> <img src='https://blog.1password.com/posts/2024/lock-screen-swiftui-ios-app/1password-ios-lock-screen-loop2.gif' alt='An animated GIF showing the 1Password lock screen experience on an iPad.' title='An animated GIF showing the 1Password lock screen experience on an iPad.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>For any iOS app, the launch screen is a static screen that’s instantly displayed while it launches and quickly replaced by the first screen. For us, in order to accomplish a smooth transition, we’d need to have our launch screen match up with the initial state of the lock screen, followed by animating everything into position afterward.</p> <p>This issue had been on our team’s backlog for a long time but always lost out to more important work. Once we had a more robust SwiftUI implementation, it was easier than ever to accomplish this transition with a few lines of code!</p> <h2 id="conclusion">Conclusion</h2> <p>SwiftUI has come a long way since it was originally released in 2019. As the gaps between this new framework and UIKit slowly get filled in, it’s become easier to embrace for app development and reap the benefits of its simplicity.</p> <p>While we had some challenges with our lock screen – and were forced into a UIKit implementation for a couple years – we knew that SwiftUI would eventually come around. And boy did it deliver! 
The journey of the lock screen is a perfect example of all the great changes that have taken place with the framework – and it’s only going to keep getting better.</p> <p>WWDC24 gave us a glimpse into the future of SwiftUI, and we’re excited to figure out all the neat ways we can continue leveraging it to continue building everyone’s favorite password manager.</p></description></item><item><title>How Extended Access Management helps with patch management</title><link>https://blog.1password.com/extended-access-management-patch-management/</link><pubDate>Mon, 12 Aug 2024 00:00:00 +0000</pubDate><author>info@1password.com (Elaine Atwell)</author><guid>https://blog.1password.com/extended-access-management-patch-management/</guid><description> <img src='https://blog.1password.com/posts/2024/extended-access-management-patch-management/header.png' class='webfeedsFeaturedVisual' alt='How Extended Access Management helps with patch management' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">In theory, patch management should be trivially easy for a company to manage.</p> <p>An IT team – potentially helped by an MDM, a dedicated patch management tool or an MSP – tests and deploys patches, every endpoint gets updated at roughly the same time, and users are barely aware it&rsquo;s happening at all.</p> <p>Most articles about patch and vulnerability management describe this idealized flow as if it represents the real world.</p> <img src='https://blog.1password.com/posts/2024/extended-access-management-patch-management/orchestra.gif' alt='A gif of an orchestra playing a symphony.' title='A gif of an orchestra playing a symphony.' 
style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p><a href="https://giphy.com/gifs/borusansanat-borusan-sanat-bifo-S5QverBEuePVBMwmeP">Source</a></p> <p>But the situation looks a little different on the ground.</p> <img src='https://blog.1password.com/posts/2024/extended-access-management-patch-management/community-fire.gif' alt='A gif of Donald Glover walking into a room on fire.' title='A gif of Donald Glover walking into a room on fire.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p><a href="https://giphy.com/gifs/community-troy-chaos-137TKgM3d2XQjK">Source</a></p> <p>In reality, IT teams are constantly battling a never-ending torrent of updates and constantly falling behind; <a href="https://www.orangecyberdefense.com/global/security-navigator">Security Navigator&rsquo;s research</a> shows that businesses still take an average of 215 days to patch a known vulnerability.</p> <p>In <a href="https://blog.1password.com/vulnerability-management-goes-much-deeper-than-patching/">vulnerability management</a>, the stakes for just a single error can be monumental. In a <a href="https://www.ibm.com/downloads/cas/YLQPAJZV">Ponemon Institute study</a>, 42% of organizations that suffered a data breach reported it &ldquo;occurred because a patch was available for a known vulnerability but not applied.&rdquo;</p> <p>Clearly, patch management is harder than it looks. 
It&rsquo;s a messy process in which there are often as many exceptions and edge cases as there are rules, and any workflow must balance competing pressures from IT, Security, management, and end users.</p> <p>Furthermore, &ldquo;patch management&rdquo; encompasses a huge range of issues, including:</p> <ul> <li> <p>OS updates</p> </li> <li> <p>OS <em>upgrades</em> (which turns out to be a pretty big distinction, especially for Macs)</p> </li> <li> <p>Browsers</p> </li> <li> <p>Other third-party software</p> </li> </ul> <p>There are different tactics for dealing with each of these, and they also vary depending on whether you&rsquo;re talking about macOS, Windows, <a href="https://blog.1password.com/no-mdm-for-linux/">Linux</a>, mobile devices, servers, etc.</p> <p>We&rsquo;ll tackle each of those topics in detail in other blog posts, but here, we&rsquo;re going to take a high-level look at why the patch management process on end user devices is so painful, the limits of automation, and what&rsquo;s missing from the accepted list of patch management best practices.</p> <h2 id="what-is-patch-management">What is patch management?</h2> <p>Patch management refers to the practice of updating software to fix bugs, address security issues, and add new features. The term is sometimes used interchangeably with &ldquo;vulnerability management,&rdquo; but is really a subset of it, and only makes up one part of a comprehensive risk mitigation strategy.</p> <p>From an IT perspective, the security angle of patch management is by far the most important, since any time a vendor announces they&rsquo;re plugging a vulnerability, hackers race to exploit it on any machine that hasn&rsquo;t downloaded the patch yet.</p> <p>The term &ldquo;patch management&rdquo; applies to a device&rsquo;s operating system and firmware as well as third-party applications, though IT professionals often use it to only mean one or the other. 
(That&rsquo;s why when someone tells you they&rsquo;ve got patch management under control, it&rsquo;s a good idea to ask what they mean, because they&rsquo;re usually not including third-party apps in their definition.)</p> <p>Most companies use <a href="https://blog.1password.com/pros-and-cons-of-mdms/">mobile device management (MDM) solutions</a> to automatically deploy patches to their fleet, but this is an imperfect solution. Updates often fail due to errors or bugs, and patching via forced restarts is so disruptive that many teams try to avoid it.</p> <h3 id="the-role-of-auto-updating-apps">The role of auto-updating apps</h3> <p>Over the years, many vendors have tried to make patching as frictionless as possible for users. &ldquo;Evergreen apps&rdquo; manage their own updates with little or no user interaction. <em>However</em>, the difference between &ldquo;little&rdquo; and &ldquo;no&rdquo; user interaction turns out to be extremely problematic.</p> <p>For example, Google Chrome – the app I&rsquo;m using to write this blog – will update automatically the next time I restart it. But truthfully, I <em>don&rsquo;t</em> restart Chrome (or my laptop) nearly as often as I should. Left to my own devices, I&rsquo;ll click &ldquo;remind me later&rdquo; until I literally have no other choice.</p> <img src='https://blog.1password.com/posts/2024/extended-access-management-patch-management/update-min.png' alt='A screenshot of Google Chrome needing an update.' title='A screenshot of Google Chrome needing an update.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>And since I&rsquo;m on a Mac, IT has a very limited ability to force me to update, other than sending me increasingly annoying &ldquo;nudges&rdquo; via MDM. 
(There is actually a better way to enforce updates on your Mac fleet, but we&rsquo;ll get to that later.)</p> <h2 id="why-enterprise-patch-management-is-so-hard">Why enterprise patch management is so hard</h2> <p>Patch management in a business setting presents a whole array of challenges, even beyond the technical challenges of deploying multiple types of updates to multiple types of devices. Organizations face more pressure than individuals to keep up with patching because they&rsquo;re bigger targets for hackers, and they may be required to have an updated fleet to meet their legal and compliance obligations.</p> <p>Yet, IT teams must balance urgency with caution because patching can introduce new problems. For one thing, updates can be incompatible with existing software and/or hardware. In 2020, Apple disabled kernel extensions in macOS Big Sur which effectively disabled VPNs and some other security tools. In situations like that, an enterprise needs to defer the upgrade until either Apple or their VPN can adapt. But to complete the catch-22, critical security patches might be gated behind these major upgrades, so enterprises can&rsquo;t put them off indefinitely.</p> <p>All this to say that even if there were a magic button that could deploy every update as soon as it&rsquo;s released (and there emphatically isn&rsquo;t), managing patches while minimizing disruption would still take significant human oversight.</p> <p>And it just gets more complicated from there.</p> <h3 id="employee-disruption-leads-to-exceptions">Employee disruption leads to exceptions</h3> <p>One dirty little secret of IT is that the devices with the most unpatched vulnerabilities often belong to people near the top of the org chart. 
The reason for that is simple: those are the people with enough clout to demand that they be exempt from automated reboots.</p> <p>To be fair, there are valid reasons why workers ask for exceptions from automated reboots aside from &ldquo;they&rsquo;re annoying,&rdquo; but the fact remains that every machine that isn&rsquo;t included in the patch management process is an open door for hackers.</p> <p>This problem is endemic; according to <a href="https://www.ivanti.com/company/press-releases/2021/71-of-it-security-pros-find-patching-to-be-overly-complex-and-time-consuming-ivanti-study-confirms">an Ivanti survey</a>, &ldquo;61% of IT and security professionals said that line of business owners ask for exceptions or push back maintenance windows once a quarter because their systems cannot be brought down.&rdquo;</p> <h3 id="work-from-home-byod-policies">Work from home/BYOD policies</h3> <p>The shift to remote work has created or exacerbated several problems with patch management. In particular, WFH has increased the Shadow IT problem, since you can&rsquo;t patch what you can&rsquo;t see.</p> <p>When the COVID lockdowns started, many employees started working on their personal (meaning unmanaged) computers, which IT teams have no way to remotely patch. These unmanaged devices can carry all kinds of vulnerabilities, and companies don&rsquo;t have the visibility or authority to fix them.</p> <h3 id="lack-of-it-bandwidth">Lack of IT bandwidth</h3> <p>The average IT team simply can&rsquo;t keep up with the volume of patches that come from vendors every month. 
The <a href="https://nvd.nist.gov/general/visualizations/vulnerability-visualizations/cvss-severity-distribution-over-time">NIST reported</a> that over 20,000 new vulnerabilities were discovered in 2021 alone, and prioritizing, testing, and deploying even a fraction of that number is a Herculean (or perhaps Sisyphean) task.</p> <img src='https://blog.1password.com/posts/2024/extended-access-management-patch-management/chrome-update-comic.jpg' alt='A comic of never-ending Google Chrome updates.' title='A comic of never-ending Google Chrome updates.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p><a href="https://1password.com/kolidescope-newsletter">We even made a newsletter comic about it!</a></p> <p>Some companies augment their in-house IT with Managed Service Providers (MSPs) or Managed Security Service Providers (MSSPs), but even then it&rsquo;s hard to keep up. In fact, a recent argument in patch management discourse (yes, it&rsquo;s a thing), is that companies should stop <a href="https://www.orangecyberdefense.com/global/blog/threat/stop-trying-to-patch-everything-and-focus-on-the-real-organizational-risk">trying to patch <em>everything</em></a> and focus on triaging the most critical patches on the most important apps.</p> <h3 id="so-how-should-you-prioritize-patches">So how should you prioritize patches?</h3> <p>For what it&rsquo;s worth, there are effective ways of prioritizing patches so you get to the most dangerous issues without fatiguing end users or IT. 
<a href="https://1password.com/xam/extended-access-management">1Password Extended Access Management</a> creates and deploys <a href="https://www.kolide.com/features/checks">checks</a> that detect vulnerable software and block devices from authenticating to their company&rsquo;s cloud apps until they&rsquo;ve installed the patch.</p> <p>Our system is based on end users remediating problems themselves (instead of relying on forcing changes), and it&rsquo;s very effective at enforcing patches, but we don&rsquo;t write a new check every time we hear about a new vulnerability. Instead, we assess it based on the following questions:</p> <img src='https://blog.1password.com/posts/2024/extended-access-management-patch-management/question-flow-chart.png' alt='A chart showing when end-user remediation should be used.' title='A chart showing when end-user remediation should be used.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>This isn&rsquo;t a universal method, but it&rsquo;s a good approach for triaging the vulnerabilities best suited for end users to deal with. This methodology also helps with the boy-who-cried-wolf problem – <a href="https://www.bleepingcomputer.com/news/security/dev-rejects-cve-severity-makes-his-github-repo-read-only/">or rather, when people claim bogus vulnerabilities</a> – which complicates the CVE landscape and leaves you parsing out what&rsquo;s urgent and what isn&rsquo;t. (Also, it should be noted that it doesn&rsquo;t apply to browsers, which are so critical that they are worth bypassing these questions and pinging end users about.)</p> <h3 id="no-consequences-for-unpatched-devices">No consequences for unpatched devices</h3> <p>The chief danger of an unpatched endpoint is that it is infectious. 
In a typical cyberattack, the bad actor will use a single vulnerability to gain a toehold on a device, then leverage it to move laterally between systems, deploying keyloggers and the like to steal credentials and gain access to more resources. A central tenet of Zero Trust security is to assume that a hacker has already infiltrated your network and act accordingly, by limiting their lateral movements.</p> <p><strong>There&rsquo;s an obvious solution here: prohibit devices with critical vulnerabilities from accessing sensitive resources.</strong> Yet most patch management solutions don&rsquo;t have the ability to enforce their policies, so users who (for whatever reason) weren&rsquo;t included in the automated update can continue to work without interruption. In SMBs, IT can individually reach out to these users, but once we&rsquo;re talking about companies with thousands of devices, that approach becomes untenable.</p> <h3 id="inadequate-patch-management-tools">Inadequate patch management tools</h3> <p>None of the issues we&rsquo;ve just gone through would be serious problems if there were an automated solution that could consistently search for and deploy new patches across an organization&rsquo;s fleet. But while there are plenty of vendors who claim to do precisely that, they all fall short in some way.</p> <p><a href="https://blog.1password.com/pros-and-cons-of-mdms/">MDMs are the go-to patch deployment solution for most IT teams</a>, but they come with all the problems mentioned above. Disruptive restarts? Check. Long lists of exemptions? That&rsquo;s them. MDMs are frequently rigid and offer little flexibility in patch management policy for IT or security teams, much less users. 
While first-party MDMs like Microsoft Intune and Apple Business Essentials do a pretty good job managing those endpoints, you then have to have separate solutions for a cross-platform fleet (which makes it extremely difficult to have a single source of truth).</p> <p>Oh, and <a href="https://blog.1password.com/no-mdm-for-linux/">none of them work on Linux endpoints</a>. Just full stop.</p> <p>There are also a host of dedicated patch management tools, some of which offer a great deal of flexibility in how IT teams design workflows, such as writing custom scripts and accounting for time zones in their deployment schedule. Still, even the best of them struggle to keep up with the constant deluge of new patches. (It doesn&rsquo;t help their credibility that many of them claim to support thousands of applications, but the bulk of them are just separate versions of a single application.) Also, none of them provide consequences for unpatched devices, so the work of enforcement gets passed back to IT.</p> <h2 id="a-user-first-approach-to-patch-management">A user-first approach to patch management</h2> <p>The problem at the heart of patch management is that these tools want to cut users out of the equation. Go to the website of any patch management tool and you&rsquo;ll see them promise to work &ldquo;invisibly,&rdquo; &ldquo;silently,&rdquo; or &ldquo;without any need for user interaction.&rdquo;</p> <p>But if the patch management problem could be automated out of existence, it would have been already. Instead, it&rsquo;s led to devices that are so over-managed they&rsquo;re difficult to use, while non-managed devices are invisible and out of scope.</p> <p><a href="https://1password.com/xam/extended-access-management">1Password Extended Access Management</a> works with users to keep their devices compliant, and ensures noncompliant devices can&rsquo;t access sensitive resources. 
Patch management isn&rsquo;t the only thing our product does, but it is one of our most popular use cases for device trust.</p> <p>This is how 1Password Extended Access Management solves patch management:</p> <ol> <li> <p><strong>Preserve user agency.</strong> No user likes it when their device is suddenly out of their control. So instead of relying on forced reboots, 1Password Extended Access Management reaches out to users with remediation instructions, so they can solve problems themselves, at a time that works for them. This approach lets us solve issues that can&rsquo;t be solved with automation alone, <a href="https://www.kolide.com/features/checks/ubuntu-unattended-upgrades">including patch management on Linux endpoints</a>.</p> </li> <li> <p><strong>Ensure unpatched devices can&rsquo;t access company apps.</strong> As we mentioned earlier, a key idea of Zero Trust security is that if a device isn&rsquo;t healthy, it isn&rsquo;t permitted to access company resources. So devices that fail 1Password Extended Access Management&rsquo;s checks can&rsquo;t log into their company&rsquo;s apps. That doesn&rsquo;t mean users are immediately locked out; IT decides how much of a grace period to give. But if a device is missing critical patches (like for an operating system or browser), you can implement blocking quickly, and get a fully patched fleet in hours.</p> </li> <li> <p><strong>Educate users. (Really.)</strong> Every time 1Password Extended Access Management notifies users about an issue – whether it&rsquo;s from our library of checks or one that IT writes with our custom check editor – the notification gives context for why this issue matters, and its potential impact on both security and privacy.</p> </li> </ol> <p>As we can see, patch management isn&rsquo;t something any piece of software can fully achieve for you – it takes a combination of automation, IT decision-making, and user cooperation. 
However, if you leverage tools and adopt a mentality that puts your users first while teaching them how and why to patch their devices and apps, you&rsquo;re well on your way to achieving that lauded &ldquo;100% compliance&rdquo; you&rsquo;re searching for.</p> <img src='https://blog.1password.com/posts/2024/extended-access-management-patch-management/chrome-browser-fix-instructions-min.png' alt='A screenshot showing XAM&#39;s chrome browser fix instructions.' title='A screenshot showing XAM&#39;s chrome browser fix instructions.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p><em>Want more info on how 1Password Extended Access Management works? <a href="https://1password.com/xam/contact-us">Request a demo</a>.</em></p></description></item><item><title>What everyone got wrong about the MGM hack</title><link>https://blog.1password.com/mgm-hack/</link><pubDate>Mon, 12 Aug 2024 00:00:00 +0000</pubDate><author>info@1password.com (Rachel Sudbeck)</author><guid>https://blog.1password.com/mgm-hack/</guid><description> <img src='https://blog.1password.com/posts/2024/mgm-hack/header.png' class='webfeedsFeaturedVisual' alt='What everyone got wrong about the MGM hack' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">It was a scene straight out of a casino heist movie, but without George Clooney&rsquo;s suavity to soften the chaos.</p> <p>Various systems at MGM Casinos – ranging from slot machines, to hotel key cards, to escalators – had been shut down. Guests were locked out of their rooms while hotel staff scrambled to compensate, taking food orders with pen and paper and cashing out gambling winnings from a fanny pack. 
One customer said, &ldquo;I asked them how long this was gonna be, and they said it could be one day, it could be three weeks.&rdquo;</p> <img src='https://blog.1password.com/posts/2024/mgm-hack/mgm_hack_notice-min.jpg' alt='A photo of a notice in a casino after the hack happened.' title='A photo of a notice in a casino after the hack happened.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p><a href="https://www.reviewjournal.com/business/casinos-gaming/russian-hackers-claim-mgm-resorts-breach-irritating-visitors-2903998/">Source</a></p> <p>MGM Resorts, proprietors of some of the most famous hotels and casinos on the Vegas strip, had been hacked. And what happens in Vegas certainly didn&rsquo;t <em>stay</em> there this time; <a href="https://www.usatoday.com/story/tech/news/2023/09/11/mgm-cyber-attack-impact-resorts-hotels-us/70828503007/">all of MGM</a> Grand&rsquo;s Hotels and Casino properties saw outages. Systems as far-flung as New York, Ohio, and Michigan were affected by one breach.</p> <p>An attack that hinged on a simple <a href="https://www.techtarget.com/searchunifiedcommunications/definition/vishing">vishing</a> call (that&rsquo;s phishing over the phone) to MGM&rsquo;s IT desk had snowballed into one of the most notorious ransomware attacks of 2023. Cybersecurity journalists immediately started predicting that the MGM hack would be spoken of in the same breath as the disastrous Uber and Marriott data breaches before it.</p> <p>In a story this bombastic, in which both the hackers and victims pulled some headline-worthy shenanigans, it can be genuinely hard to know where to focus our attention. But when we look past the sequins and neon, we see that the MGM hack isn&rsquo;t unique; in fact, it sits at the nexus of several emerging trends.</p> <p>For one thing, hackers are increasingly gaining access to corporate networks through calls to the help desk, and they&rsquo;re getting better at it all the time. 
But we shouldn&rsquo;t be too quick to blame IT workers. Instead, we need to look at the security gaps that set them up to fail. (And when it comes to MGM&rsquo;s security, we&rsquo;re about to find a <em>lot of gaps</em>.)</p> <h2 id="how-the-mgm-hack-happened">How the MGM hack happened</h2> <p>As with almost every hack, the full details of what happened to MGM will likely never be known – the company has a vested interest in, <em>ahem</em>, keeping its cards close to the chest (to the point of <a href="https://www.reuters.com/legal/casino-operator-mgm-sues-ftc-block-probe-into-2023-hack-2024-04-15/">suing the FTC</a> in order to block a probe into the incident).</p> <p>Even the reporting we do have contains conflicting reports on the incident and the groups and methods involved. Adding to the confusion is the fact that Caesars, another famous casino, suffered a very similar attack at almost the same time, though not necessarily by the same hackers.</p> <p>As such, we&rsquo;ll explore both the knowns and unknowns of the MGM attack in order to piece together what seems like a <em>likely</em> – albeit uncertain – timeline of events.</p> <p>We&rsquo;ll begin with a behind-the-scenes look at the hack itself. We&rsquo;ll be drawing from <a href="https://www.wsj.com/tech/cybersecurity/mgm-hack-casino-hackers-group-0366c641">timelines made</a> by news sources like The Wall Street Journal. Much of the specifics are also drawn from <a href="https://databreaches.net/2023/09/15/alphv-responds-to-mgm-incident-and-sloppy-reporting/">a statement</a> published by alleged members of notorious ransomware group ALPHV (also known as BlackCat), in which they take credit for the hack, explain their actions, and take several potshots at MGM&rsquo;s security team and corporate leadership.</p> <p>Of course, we have to take any report claiming to be from a group of cybercriminals with several grains of salt. 
For one thing, there&rsquo;s no confirmation that this statement is actually from ALPHV – this was a high profile crime, and <a href="https://www.ft.com/content/a25d2897-b0ce-4ba7-92ed-ff5df09d1b47">more than one</a> statement has tried to take credit. For another thing, these groups are, you know, criminals who lie for a living, and who likely want to protect their trade secrets. (It&rsquo;s worth saying that we&rsquo;ll also be treating statements from MGM with a healthy dose of skepticism).</p> <p>However, the statement is at least realistic in terms of how it describes the process of hacking MGM. Regardless of veracity, then, it can still provide some useful insight to help fill in the gaps in the official version of events.</p> <aside class="c-technical-aside-box c-technical-aside-box--background" aria-labelledby="who-exactly-hacked-mgm"> <h2 class="c-technical-aside-box__title" id="who-exactly-hacked-mgm"> Who exactly hacked MGM? </h2> <div class="c-technical-aside-box__description"> <p>This is a surprisingly difficult question to answer, partly because there&rsquo;s no standardized naming system for hacking groups. The MGM attack has <a href="https://thehustle.co/scattered-spider-alphv-and-the-mgm-hack-explained/"><strong>commonly been attributed</strong></a> to the hacker groups Scattered Spider (which sometimes goes by UNC3944, Muddled Libra, and StarFraud) and ALPHV (which is sometimes known as BlackCat and Noberus).</p> <p>To complicate things further, it&rsquo;s not clear if the two groups collaborated on this hack, if Scattered Spider merely used ALPHV&rsquo;s ransomware, or if one group attacked MGM while the other hacked Caesars. 
We&rsquo;ll go into a little more detail on them later, but for now, in this timeline, we&rsquo;re citing a report attributed to ALPHV specifically; when we&rsquo;re referencing that source, we&rsquo;ll be referring to them as such.</p> </div> </aside> <h3 id="part-one-the-vishing-call">Part one: The vishing call</h3> <p>The MGM attack began when <a href="https://www.vox.com/technology/2023/9/15/23875113/mgm-hack-casino-vishing-cybersecurity-ransomware">social engineers called MGM&rsquo;s help desk</a>.</p> <p>The Wall Street Journal <a href="https://www.wsj.com/tech/cybersecurity/mgm-hack-casino-hackers-group-0366c641">reported that</a>, &ldquo;The person on the line said they were an employee, but had forgotten their password&hellip;They gave some personal information over the phone. It all checked out.&rdquo;</p> <p>As for what &ldquo;some personal information&rdquo; entails, according to Bloomberg, MGM <a href="https://www.bloomberg.com/news/articles/2023-09-16/mgm-resorts-hackers-broke-in-after-tricking-it-service-desk">was basically using the honor system</a>:</p> <blockquote> <p>&ldquo;&lsquo;A former MGM employee who was familiar with the company&rsquo;s cybersecurity policies&hellip;said that to obtain a password reset, employees would only have to disclose basic information about themselves – their name, employee identification number and date of birth – details that would be trivial to obtain for a criminal hacking gang.&rsquo;&rdquo; - Andrew Martin, Ryan Gallagher, and Katrina Manson – Bloomberg, Sep 15, 2023</p> </blockquote> <p>The Wall Street Journal went on to report that, &ldquo;A few minutes later, the real MGM employee received a notification that his password had been reset and reported this to the IT department. By then, it was too late.&rdquo;</p> <h3 id="part-two-mgm-tries-to-shut-out-the-hackers">Part two: MGM tries to shut out the hackers</h3> <p>The initial call happened on Friday. 
Reports vary in terms of when MGM truly noticed that something was amiss (Saturday evening, at the earliest).</p> <p>But regardless, MGM didn&rsquo;t take action until that Sunday. Their initial response was to shut down their Okta sync servers, which connected their Okta and Azure systems. But it was too late, and ALPHV&rsquo;s statement said that they &ldquo;continued having super administrator privileges to their Okta, along with Global Administrator privileges to their Azure tenant.&rdquo;</p> <p>In an effort to evict the hackers, MGM next began taking down its own infrastructure, causing chaos for its guests.</p> <h3 id="the-hackers-deploy-ransomware">The hackers deploy ransomware</h3> <p>The ALPHV statement claims that &ldquo;No ransomware was deployed prior to the initial take down of [MGM&rsquo;s] infrastructure by their internal teams.&rdquo; When MGM failed to communicate with the hackers, they used ransomware to encrypt &ldquo;more than 100 ESXi hypervisors in [MGM&rsquo;s] environment.&rdquo;</p> <p>Whether or not that sequence of events is perfectly accurate, what&rsquo;s not disputed is that MGM refused to pay the ransom. Their competitor <a href="https://www.cpomagazine.com/cyber-security/caesars-entertainment-discloses-cyber-attack-ransom-payment-made-weeks-before-mgm-heist/">Caesars</a> made the opposite choice when they were attacked a week or so earlier, and reported paying $15 million to bad actors to ensure that their customer data wasn&rsquo;t leaked.</p> <p>ALPHV&rsquo;s statement claims that MGM refused to pay not out of a principled stance, but because of &ldquo;insider trading&rdquo; that ensured no one at the top would lose money. 
We&rsquo;ll let the <a href="https://simplywall.st/stocks/us/consumer-services/nyse-mgm/mgm-resorts-international/news/dont-ignore-the-insider-selling-in-mgm-resorts-international">financial press</a> assess that particular claim, but regardless, the MGM and Caesars hacks have certainly stoked the ongoing debate over whether it&rsquo;s ethical to pay up in a ransomware attack.</p> <h2 id="public-fallout-and-mgms-losses">Public fallout and MGM&rsquo;s losses</h2> <p><a href="https://techcrunch.com/2023/10/06/mgm-resorts-admits-hackers-stole-customers-personal-data-cyberattack/">After ten days</a> of consistent outages, MGM announced that &ldquo;all of our hotels and casinos are operating normally.&rdquo; This is contradicted by a <a href="https://www.sec.gov/ix?doc=/Archives/edgar/data/789570/000119312523251667/d461062d8k.htm">regulatory filing</a> they made <em>25 days</em> after the initial breach, in which they admitted they were still restoring client-facing systems.</p> <p>And after 3 weeks, MGM Resorts International CEO Bill Hornbuckle <a href="https://www.cnbc.com/video/2023/10/10/mgm-resorts-ceo-bill-hornbuckle-cyberattack-is-behind-us-and-were-looking-forward.html">reported</a> that the whole incident was &ldquo;totally behind us.&rdquo;</p> <p>Unfortunately, the same couldn&rsquo;t be said for their customers. MGM <a href="https://www.mgmresorts.com/en/notice-of-data-breach.html">confirmed</a> that breached customer data included: names, driver&rsquo;s license numbers, dates of birth, and for a &ldquo;limited number of customers,&rdquo; social security numbers and passport numbers. The company offered credit monitoring and identity protection to the people impacted.</p> <p>It seems MGM&rsquo;s employees may also have been victimized by this attack. 
A <a href="https://cybernews.com/news/mgm-touts-cyber-attack-recovery-on-track-employees-tell-different-story/">Nevada-based blogger</a> reported an MGM employee telling him that the hackers had gotten all of their employment records, from social security numbers to bank info.</p> <p>Without yet accounting for the many lawsuits being levied against them (fifteen consumer class-actions, at their <a href="https://fingfx.thomsonreuters.com/gfx/legaldocs/lgvdnbrwyvo/MGM%20v%20FTC%20-%2020240415.pdf">last count</a>), MGM anticipates around $100 million in revenue loss from this incident, but expects cybersecurity insurance to cover most of that. &ldquo;I can only imagine what next year&rsquo;s bill will be,&rdquo; Hornbuckle quipped in a panel at G2E.</p> <p>(He <a href="https://www.businessinsurance.com/article/20231109/NEWS06/912360957/MGM-Resorts-reports-cybersecurity-commitment,-profit-turn-">later complained</a> about the &ldquo;staggering&rdquo; rise in <a href="https://blog.1password.com/fluctuating-cyber-liability-insurance/">cybersecurity insurance costs</a>).</p> <p>There has been a significant backlash in the press for MGM&rsquo;s handling of this attack. 
<a href="https://www.vox.com/technology/2023/9/15/23875113/mgm-hack-casino-vishing-cybersecurity-ransomware">Sara Morrison at Vox</a> asked, &ldquo;Did prominent casino chain MGM Resorts gamble with its customers&rsquo; data?&rdquo; But the bigger question is whether this hack will have a long-term impact on MGM&rsquo;s – or other companies&rsquo; – behavior.</p> <h2 id="scattered-spider-and-alphv-the-hackers-behind-the-mgm-attack">Scattered Spider and ALPHV: The hackers behind the MGM attack</h2> <p>It&rsquo;s worth taking a slight detour to talk about the bad actors behind the MGM and Caesars hacks, since these groups bear a lot of responsibility for the current wave of help desk attacks.</p> <p>While various reports say it &ldquo;<a href="https://www.engadget.com/hackers-claim-it-only-took-a-10-minute-phone-call-to-shutdown-mgm-resorts-143147493.html?guccounter=1">only took a 10-minute phone call to shut down MGM Resort</a>,&rdquo; that&rsquo;s seriously underselling the sophistication of this attack, which combined social engineering and ransomware into a scarily effective combo.</p> <p>The threat actors known as &ldquo;Scattered Spider&rdquo; (also known by, or associated with: Scattered Swine, Oktapus, Octo Tempest, and a variety of other monikers) have been <a href="https://www.reuters.com/technology/moodys-says-breach-mgm-is-credit-negative-disruption-lingers-2023-09-13/">widely blamed</a> for the MGM hack. They&rsquo;re a versatile and prolific English-speaking group known for their skill in social engineering and SIM-swapping attacks.</p> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div class="c-technical-aside-box__description"> <p>Side note: hacker groups don&rsquo;t name themselves. Instead, they get their names from security vendors who study them, much like viruses or distant stars. The question is, why give your enemies cool nicknames? 
Aren&rsquo;t they intimidating enough without adding sunglasses and a leather jacket?</p> </div> </aside> <p>As we already said, ALPHV/BlackCat have also been linked to the attack. They&rsquo;re a notorious Eastern European ransomware group that have targeted hundreds of organizations worldwide (including <a href="https://www.theverge.com/2023/6/19/23765895/reddit-hack-phishing-leak-api-pricing-steve-huffman">Reddit</a>). Their RaaS (ransomware as a service) software is one of the <a href="https://securityintelligence.com/x-force/blackcat-ransomware-levels-up-stealth-speed-exfiltration/">most used</a> ransomware families observed by IBM.</p> <p>Scattered Spider and ALPHV bring rather disparate skillsets to the table, so the idea that they might be collaborating is concerning to security experts.</p> <p>In 2023, <a href="https://www.microsoft.com/en-us/security/blog/2023/10/25/octo-tempest-crosses-boundaries-to-facilitate-extortion-encryption-and-destruction/?ref=404media.co">Microsoft reported</a> on a spate of attacks in which hackers use sophisticated social engineering techniques to get a foothold in a network, then use subtle techniques to establish persistence, and finally use their targets' own EDR and MDM tools to deploy devastating ransomware.</p> <p>Microsoft theorized that this new combo attack is the result of some type of partnership between members of Scattered Spider and ALPHV. 
<a href="https://www.reuters.com/technology/cybersecurity/fbi-struggled-disrupt-dangerous-casino-hacking-gang-cyber-responders-say-2023-11-14/">Reuters reported</a> that the specific members involved in the casino jobs call their team &ldquo;Star Fraud&rdquo; (the result we get when hacker groups do name themselves).</p> <p>Even with the <a href="https://www.theverge.com/2024/7/19/24202142/uk-teen-mgm-hack-arrested-fbi">recent arrest</a> of a British teenager connected to the hack, not much has been confirmed about the group&rsquo;s formation, and they continue to <a href="https://www.insurancejournal.com/news/national/2024/05/13/773885.htm">target new victims</a>. Regardless of the exact nature of their partnership, as Joseph Cox of <a href="https://www.404media.co/sim-swappers-are-working-directly-with-ransomware-gangs-now/">404 Media</a> puts it, &ldquo;The unlikely bedfellows make powerful partners in crime.&rdquo;</p> <h2 id="the-growing-pattern-of-help-desk-attacks">The growing pattern of help desk attacks</h2> <p>One of the most damning aspects of the casino attacks is that the victims were warned ahead of time. Shortly before the MGM attack, <a href="https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection">Okta reported</a> on &ldquo;a consistent pattern of social engineering attacks against IT service desk personnel&hellip;&rdquo;</p> <p>And indeed, this type of attack has been behind a lot of recent high-profile breaches:</p> <ul> <li> <p>Caesars <a href="https://www.cybersecuritydive.com/news/caesars-social-engineering-breach/695995/">confirmed</a> that their attack started with their third-party IT desk. 
It then escalated to ransomware, and their payout of $15 million.</p> </li> <li> <p>The 2021 <a href="https://therecord.media/hackers-leak-full-ea-data-after-failed-extortion-attempt">source code leak at Electronic Arts</a> took place when attackers &ldquo;mimicked an already-logged-in EA employee&rsquo;s account&hellip;and then tricked an EA IT support staffer into granting them access to the company&rsquo;s internal network.&rdquo;</p> </li> <li> <p>It&rsquo;s <a href="https://www.fastcompany.com/90967250/how-old-fashioned-hacking-may-have-taken-clorox-off-store-shelves-for-months">suspected</a> that the recent Clorox hack (a mess even bleach couldn&rsquo;t clean up) also began with social engineering – and may have been the work of the same group that hit MGM.</p> </li> </ul> <p>IT service desks make a lot of sense as a target for social engineering attacks. The very nature of their job means that they have incredible access and power.</p> <p>Most importantly, they hold the keys to authentication – <a href="https://www.gartner.com/smarterwithgartner/embrace-a-passwordless-approach-to-improve-security">over 40%</a> of all help desk tickets are related to password resets. And while <a href="https://www.youtube.com/watch?v=IOxpPJYUTDM">passwords</a> are widely acknowledged as insecure (all the more reason to use an <a href="https://1password.com/product/enterprise-password-manager">Enterprise Password Manager</a>), IT can get hackers past tougher authentication methods as well. Okta observed that attackers would ask IT to &ldquo;reset all Multi-factor Authentication (MFA) factors&rdquo; for the accounts they wanted to breach.</p> <p>It&rsquo;s easy to hear these stories and ask why IT workers weren&rsquo;t more suspicious. But vishing attackers can be extremely convincing, and in a massive company, it&rsquo;s not as though the person on help desk duty knows everyone else on a first-name basis. 
On top of that, IT desks are often <a href="https://www.nbcnews.com/tech/security/mgm-las-vegas-hackers-scattered-spider-rcna105238">under pressure</a> to solve problems quickly; they aren&rsquo;t always afforded the luxury of taking things slow when someone calls for help.</p> <p>The actual problem goes much deeper than IT help desk workers trying to do their jobs, since the judgment of a single person simply shouldn&rsquo;t be the only failsafe. And, when it comes to preventing these types of attacks, companies are securing the wrong vulnerabilities entirely.</p> <h2 id="the-conventional-wisdom-on-preventing-phishing-attacks">The conventional wisdom on preventing phishing attacks</h2> <p>A lot of observers have laid the blame for the MGM hack on poor identity verification methods. In the case of MGM, that&rsquo;s a fair critique, since it seems like their only verification came in the form of easily-phished information. To learn what a more secure flow looks like, we reached out to an engineer for a third party IT help desk service.</p> <blockquote> <p>&ldquo;For anything like password resets, permission changes, or access to sensitive data, we require verification. I wrote an integration with DUO so that we can use Duo push verification if the user has that. If not, we go to SMS (all of our users have contacts that include their cell phone numbers). If neither of those options are available, we generally reach out to the point of contact and have them contact the user and reach back out to us. We document how we verified the user&rsquo;s identity in the ticket.&rdquo; - Ryan W, Security Automation Engineer</p> </blockquote> <p>This is certainly better, but it&rsquo;s still far from perfect. It defaults back to SMS (&ldquo;we still can&rsquo;t get away from that,&rdquo; Ryan laments), which is vulnerable to SIM-swaps and other man-in-the-middle (MITM) attacks. 
These are both <a href="https://therecord.media/cisa-fbi-warn-of-scattered-spider-cybercrime-group">known tactics</a> of the threat actors that hit MGM.</p> <p><a href="https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection">Okta</a> and <a href="https://www.microsoft.com/en-us/security/blog/2023/10/25/octo-tempest-crosses-boundaries-to-facilitate-extortion-encryption-and-destruction/?ref=404media.co">Microsoft</a> both recommend a long list of methods to better verify employee IDs. Among others, they suggest:</p> <ol> <li> <p>Implement multi-factor authentication. This is good advice, even if it&rsquo;s just table stakes for a secure organization. If possible, <a href="https://help.okta.com/en-us/content/topics/security/healthinsight/strong-factors.htm"><em>don&rsquo;t</em></a> enable weak factors like security questions or SMS.</p> </li> <li> <p>Explore <a href="https://1password.com/product/passkeys?utm_source=google&amp;utm_medium=cpc&amp;utm_campaign=19853587186&amp;utm_content=651757510707&amp;utm_term=1password%20passwordless&amp;gad_source=1&amp;gclid=Cj0KCQjw8MG1BhCoARIsAHxSiQmwSZ6Odz-8bgmDwG_kfD2pAR87xcrvyrxQqSoQDpicYEsCJWb57ZQaArl1EALw_wcB&amp;gclsrc=aw.ds">passwordless</a> authentication options. Passwords are one of the <a href="https://blog.1password.com/authentication-methods/">least secure</a> authentication methods, and are due for <a href="https://www.okta.com/resources/whitepaper-passwordless-future/">retirement</a>. Even if you can&rsquo;t get rid of them for your entire company, require that super administrators use more secure methods like biometrics or a YubiKey.</p> </li> <li> <p>Limit the number of super administrators. 
Microsoft also suggests &ldquo;Reducing the number of users with permanently assigned critical roles.&rdquo; Continually updating permissions to practice the principle of least access isn&rsquo;t easy, but it is a <a href="https://blog.1password.com/history-of-zero-trust/">core requirement for Zero Trust</a> security.</p> </li> <li> <p>Use tougher authentication for highly sensitive data. Okta recommends that &ldquo;privileged applications&rdquo; should require re-authentication at every sign in.</p> </li> </ol> <p>It&rsquo;s unsurprising that a lot of these recommendations concern user identification and authentication. Accessing super admin accounts should certainly require more verification than knowing the person&rsquo;s <em>birthday</em>.</p> <p>However, these attacks have breached a lot of companies, many of whom <em>did</em> have more strenuous security, like MFA.</p> <p>As <a href="https://www.darkreading.com/operations/identity-alone-wont-save-us-tsa-paradigm-mgm-hack">Paul Martini put it</a> on DarkReading:</p> <blockquote> <p>&ldquo;Many analysts have become fixated on the idea that MGM could have prevented the incident if only it had been using better identity solutions or stronger methods of verifying user identities…the reality is that identity products alone would not have prevented this attack.&rdquo; - Paul Martini - DarkReading, Nov 07, 2023</p> </blockquote> <p>Our own solution, <a href="https://1password.com/product/xam">1Password Extended Access Management</a>, works in part through securing user identities, like offering passwordless authentication and app insights. 
But the conversation around the MGM hack is part of a <a href="https://blog.1password.com/what-is-device-trust/">long tradition of security pros</a> focusing on user <em>identity</em> and missing another crucial angle: the user&rsquo;s <em>device</em>.</p> <h2 id="how-device-trust-prevents-phishing">How device trust prevents phishing</h2> <p>It&rsquo;s clear that bad actors are very good at impersonating employees, using their names, their personal information, and even their <a href="https://www.wsj.com/articles/fraudsters-use-ai-to-mimic-ceos-voice-in-unusual-cybercrime-case-11567157402">voices</a>. But they&rsquo;re still stuck using their own devices. That&rsquo;s where device trust comes in.</p> <p><a href="https://blog.1password.com/what-is-device-trust/">Device trust is the idea that a user&rsquo;s device has to be known and in a secure state before it can access a company&rsquo;s sensitive resources.</a></p> <p>Let&rsquo;s break down that definition. Device trust is also a core aspect of 1Password Extended Access Management, so we&rsquo;ll use ourselves as an example:</p> <ul> <li> <p>&ldquo;Known&rdquo; means that when you install the 1Password Extended Access Management agent, you register your device with it. When you do that, the agent sets up a secret and unique way to identify the device whenever you log in. Crucially, this identifier is unspoofable, so hackers can&rsquo;t phish it or fake it. (For a more technical explanation of how this works, check out <a href="https://www.kolide.com/docs/about-kolide/device-trust-architecture#architecture-goals">our docs</a>.)</p> </li> <li> <p>&ldquo;In a secure state,&rdquo; means that the device meets an organization&rsquo;s security requirements. This could include being enrolled in the company&rsquo;s MDM, having EDR installed, and a host of other things that are difficult for a hacker to fake. 
1Password Extended Access Management&rsquo;s device trust solution lets admins choose from a library of over 100 policy checks that determine whether or not a device is considered secure.</p> </li> <li> <p>&ldquo;Access to a company&rsquo;s sensitive resources&rdquo; is controlled by making 1Password Extended Access Management part of user authentication. If their device doesn&rsquo;t have the agent or can&rsquo;t pass its posture checks, it can&rsquo;t authenticate.</p> </li> </ul> <p>Thus, if MGM had 1Password Extended Access Management, the attack would have happened something like this:</p> <ol> <li> <p>The bad actors call the IT help desk. They get a password reset or an MFA reset. (So far, so bad.)</p> </li> <li> <p>When they try to log into the vished account, though, they&rsquo;re stopped. Their device doesn&rsquo;t have 1Password Extended Access Management installed, so it can&rsquo;t authenticate.</p> </li> <li> <p>They try to install the agent, but their device can&rsquo;t register without approval from IT.</p> </li> <li> <p>Even assuming the hacker is able to install our agent on their device, they then have to pass the various compliance checks. This will be a time-consuming process, in which every minute increases the chance that someone (likely the end user being impersonated) notices this suspicious activity.</p> </li> </ol> <p>Both Microsoft and Okta briefly mention device trust in their list of suggestions on preventing MGM-style attacks. 
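</p> <p>The four-step flow above, turned into a runnable authentication gate. This is an added illustration, not 1Password Extended Access Management&rsquo;s code: the device registry, the HMAC challenge-response that stands in for the agent&rsquo;s device identifier, and the four posture checks are all assumptions made for the example.</p>

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class DeviceRegistry:
    """Server-side record of enrolled devices (an assumption for this example)."""
    secrets_by_device: dict[str, bytes] = field(default_factory=dict)
    used_challenges: set[bytes] = field(default_factory=set)

    def register(self, device_id: str, approved_by_it: bool) -> bytes | None:
        """Enrol a device. Without IT approval nothing is issued (step 3 above)."""
        if not approved_by_it:
            return None
        # The device secret lives only in the agent; it is never typed, read
        # aloud or reset by a help desk, so it cannot be vished like a password.
        device_secret = secrets.token_bytes(32)
        self.secrets_by_device[device_id] = device_secret
        return device_secret

    def issue_challenge(self) -> bytes:
        """Fresh per-login nonce; accepted at most once (see authenticate)."""
        return secrets.token_bytes(16)


def sign_challenge(device_secret: bytes, challenge: bytes) -> str:
    """What the agent sends back: an HMAC over the server's nonce."""
    return hmac.new(device_secret, challenge, hashlib.sha256).hexdigest()


# Assumed posture checks, standing in for the policy library mentioned above.
POLICY_CHECKS = {
    "mdm_enrolled": lambda p: p.get("mdm_enrolled") is True,
    "edr_running": lambda p: p.get("edr_running") is True,
    "disk_encrypted": lambda p: p.get("disk_encrypted") is True,
    "os_patched": lambda p: p.get("os_patch_age_days", 10**6) <= 30,
}


def posture_failures(posture: dict) -> list[str]:
    """Names of the checks the reported device state does not satisfy."""
    return [name for name, check in POLICY_CHECKS.items() if not check(posture)]


@dataclass
class Decision:
    allowed: bool
    reason: str


def authenticate(registry: DeviceRegistry, credentials_ok: bool, device_id: str,
                 challenge: bytes, response: str, posture: dict) -> Decision:
    """Gate a sign-in on three things: credentials, known device, secure state."""
    # Factor 1: password/MFA. This is the factor a help-desk reset hands over.
    if not credentials_ok:
        return Decision(False, "credentials rejected")
    # Factor 2: the device must be enrolled and prove possession of its secret.
    device_secret = registry.secrets_by_device.get(device_id)
    if device_secret is None:
        return Decision(False, "unknown device: no registered agent")
    if challenge in registry.used_challenges:
        return Decision(False, "replayed challenge")
    registry.used_challenges.add(challenge)
    if not hmac.compare_digest(sign_challenge(device_secret, challenge), response):
        return Decision(False, "device identity proof failed")
    # Factor 3: the device must currently satisfy every posture check.
    failures = posture_failures(posture)
    if failures:
        return Decision(False, "posture checks failed: " + ", ".join(failures))
    return Decision(True, "credentials, device identity and posture all verified")


def walk_through() -> list[Decision]:
    """Replays the four-step scenario above against the gate."""
    registry = DeviceRegistry()
    laptop_secret = registry.register("laptop-A1", approved_by_it=True)
    healthy = {"mdm_enrolled": True, "edr_running": True,
               "disk_encrypted": True, "os_patch_age_days": 7}
    results: list[Decision] = []
    # Steps 1-2: the reset worked (credentials_ok=True) but the caller's own
    # machine has no enrolled agent, so it cannot produce a valid proof.
    ch = registry.issue_challenge()
    results.append(authenticate(registry, True, "attacker-box", ch,
                                sign_challenge(b"not the real secret", ch), healthy))
    # Step 3: enrolling the machine needs IT approval, which it does not have.
    if registry.register("attacker-box", approved_by_it=False) is None:
        results.append(Decision(False, "registration refused: no IT approval"))
    # Step 4: suppose approval slipped through; posture checks still block it.
    box_secret = registry.register("attacker-box", approved_by_it=True)
    ch = registry.issue_challenge()
    results.append(authenticate(registry, True, "attacker-box", ch,
                                sign_challenge(box_secret, ch), {"disk_encrypted": True}))
    # Control: the employee's enrolled, healthy laptop signs in normally,
    # and a captured copy of that exchange is useless a second time.
    ch = registry.issue_challenge()
    resp = sign_challenge(laptop_secret, ch)
    results.append(authenticate(registry, True, "laptop-A1", ch, resp, healthy))
    results.append(authenticate(registry, True, "laptop-A1", ch, resp, healthy))
    return results


if __name__ == "__main__":
    for d in walk_through():
        print("ALLOW" if d.allowed else "DENY ", "-", d.reason)
```

<p>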
Microsoft makes two device-related suggestions:</p> <ul> <li> <p>&ldquo;Enforce MFA registration from trusted locations from a device that also meets organizational requirements.&rdquo;</p> </li> <li> <p>&ldquo;Review recently registered device identities.&rdquo;</p> </li> </ul> <p>Okta, meanwhile, devotes one sentence:</p> <ul> <li>&ldquo;Turn on and test New Device and Suspicious Activity end-user notifications.&rdquo;</li> </ul> <p>These are both steps in the right direction, but they don&rsquo;t go far enough toward <em>preventing</em> intrusions, as opposed to merely <em>responding</em> to them.</p> <p>For one thing, maintaining a list of &ldquo;trusted locations&rdquo; can be hard for a sprawling remote organization, and it&rsquo;s especially flawed when bad actors <a href="https://www.lumificyber.com/threat-content/scattered-spider-oktapus-unc3944-scatter-swine-mgm-resorts-compromise/">are known to use VPNs</a> to mask their location.</p> <p>End-user notifications for things like new devices or <a href="https://watchtower.1password.com/">breached passwords</a> are worth having. But by the time someone checks their email, it might be too late. If you&rsquo;re reviewing already registered devices, then it&rsquo;s <em>definitely</em> too late.</p> <p>To put it in the simplest terms possible: an unknown device shouldn&rsquo;t be able to authenticate in the first place.</p> <img src='https://blog.1password.com/posts/2024/mgm-hack/You_Shall_Not_Pass-min.jpg' alt='A photo of Gandalf.' title='A photo of Gandalf.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p><a href="https://i.kym-cdn.com/entries/icons/facebook/000/002/144/You_Shall_Not_Pass!_0-1_screenshot.jpg">Source</a></p> <p>Microsoft and Okta&rsquo;s offhand mentions of device trust among a sea of user verification suggestions indicate how badly overlooked this aspect of security is. 
Device trust is way more than a helpful asterisk or something that&rsquo;s &ldquo;worth a mention.&rdquo; It&rsquo;s a crucial factor in a multi-factor authentication flow.</p> <p>And it&rsquo;s the missing key that could have prevented many of the attacks we&rsquo;ve mentioned, including MGM&rsquo;s.</p> <h2 id="place-your-bets-on-extended-access-management">Place your bets on extended access management</h2> <p>Stage magicians and social engineers share one key tactic: misdirection.</p> <p>They want audiences and victims to look at the fluffy white rabbit or the &ldquo;urgent phone call&rdquo; from a high-ranking employee – anything except their own sleight of hand.</p> <p>In the case of the MGM hack, the attention has focused on the phone call and the hapless help desk worker. But the deeper story is about a company that didn&rsquo;t give its own IT department the tools to identify a hacker, or to limit the damage once one was inside.</p> <p>Lackluster ID verification isn&rsquo;t at the core of every social engineering attack. If you refocus your vision away from the headlines, you can notice that they&rsquo;re missing something obvious – the very device you&rsquo;re reading them on.</p> <p>Want to know more about how device trust can keep your team safe from phishing attacks? 
<a href="https://1password.com/contact-sales/xam">Reach out for a demo</a>!</p></description></item><item><title>August 2024 security update</title><link>https://blog.1password.com/august-2024-security-update/</link><pubDate>Sat, 10 Aug 2024 00:00:00 +0000</pubDate><author>info@1password.com (Pedro Canahuati)</author><guid>https://blog.1password.com/august-2024-security-update/</guid><description> <img src='https://blog.1password.com/posts/2024/august-2024-security-update/header.png' class='webfeedsFeaturedVisual' alt='August 2024 security update' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">At 1Password, we’re committed to transparency about our security practices and keeping our customers safe.</p> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div class="c-technical-aside-box__description"> <p>1Password has not been breached or compromised. This blog details vulnerabilities that have been addressed in the latest version of 1Password. These vulnerabilities can only occur when a device has been compromised, by malware for example, and a malicious actor has control over the device as a result.</p> </div> </aside> <p>At DEF CON 2024, <a href="https://robinhood.com/us/en/">Robinhood</a>, a 1Password customer, presented on vulnerabilities discovered by their Red Team in a prior version of 1Password. We appreciate that Robinhood’s Red Team disclosed and collaborated closely with us to address these vulnerabilities ahead of their talk.</p> <p>Strong security requires a collective effort from the entire technology ecosystem, and we believe that through active collaboration, the cybersecurity industry can create a more secure digital landscape for everyone.</p> <p>We addressed the vulnerabilities within our control with the latest updates rolled out in the 8.10.38 client app release. 
As per industry standard practice, we also submitted the appropriate common vulnerabilities and exposures (CVEs) to the MITRE corporation.</p> <p>Robinhood’s Red Team found vulnerabilities that can occur only when a device is compromised, by malware for example, and a malicious actor has control over the device as a result. Further, when malware or a malicious user gains control over a user’s device, little can be done to guarantee its security. Resolving these issues has been a top priority, and we will continue to do everything we can to protect our users.</p> <h2 id="technical-background">Technical background</h2> <p>Security researchers from <a href="https://robinhood.com/us/en/">Robinhood’s</a> Red Team disclosed that they had discovered six vulnerabilities in 1Password for Mac. All the vulnerabilities are local and require a device to be compromised, by malware for example, and controlled by a bad actor.</p> <p><strong>We have addressed the issues within our control with the latest updates rolled out in the 8.10.38 client app release, and have not seen any evidence of them occurring in real life.</strong></p> <p>The one unresolved issue involves how Chromium-based browsers (for example, but not limited to: Chrome, Edge, Brave, etc.) and Firefox manage communication between all browser extensions and all desktop apps. This isn&rsquo;t an issue unique to 1Password. 
When malware or a malicious user gains full control of a device, they can essentially take over communication between an app and the browser.</p> <p>Please see <em><strong>“NMH Binary manipulation through browser process impersonation”</strong></em> in the next section for more information.</p> <p>For security professionals who would like additional details, we have published two CVEs to provide additional transparency and an overview of the issues below.</p> <h2 id="vulnerability-details">Vulnerability details</h2> <p><strong>Biometric enforcement flag missing (<a href="https://support.1password.com/kb/202408/">CVE-2024-42218</a>)</strong></p> <p><strong>Issue:</strong> There is an issue that affects 1Password’s platform security protections in 1Password 8 for Mac. This issue enables attackers to use out-of-date versions of the 1Password 8 for Mac app to bypass platform-specific security mechanisms applied on macOS. This could be used to steal secrets from the app.</p> <p><strong>Resolution:</strong> This issue was resolved in 1Password for Mac version 8.10.38 (August 2024). If you’re using an affected version of 1Password 8 for Mac, <a href="https://support.1password.com/update-1password/">update to the latest version</a>.</p> <p><strong>Browser Help XPC Bypass (<a href="https://support.1password.com/kb/202408a/">CVE-2024-42219</a>)</strong></p> <p><strong>Issue:</strong> There is an issue that affects 1Password’s platform security protections in 1Password 8 for Mac. This issue enables a malicious process running locally on a machine to bypass inter-process communication protections.</p> <p>This issue is the root cause for two additional issues that were reported by Robinhood:</p> <ul> <li>XPC authorized CLI session riding</li> <li>XPC session type manipulation</li> </ul> <p><strong>Resolution:</strong> This issue was resolved in 1Password for Mac version 8.10.36 (July 2024). 
If you’re using an affected version of 1Password 8 for Mac, <a href="https://support.1password.com/update-1password/">update to the latest version</a>.</p> <p><strong>NMH Binary manipulation through browser process impersonation (originally reported as: Browser Support getppid bypass)</strong></p> <p><strong>Issue:</strong> “Connect with 1Password in the browser” is a feature of 1Password that allows for communication between the 1Password desktop application and browser extensions. The channel between the application and browser extension is subject to spoofing, which could allow a local attacker to pretend to be the browser and communicate with 1Password to obtain user secrets.</p> <p><strong>Resolution:</strong> This issue stems from browser limitations with Chromium-based browsers (for example, but not limited to: Chrome, Edge, Brave, etc.) and the Firefox browser. It can’t be resolved because third-party desktop applications communicating with browsers, including 1Password, are unable to detect if a browser is being controlled by malware, and thus verify the browser authenticity. There is no alternative or more secure technology provided.</p> <p>For more information about options, please see <a href="https://support.1password.com/kb/202408b/">this support article</a>. The 1Password app and browser extension connection security details can be found in <a href="https://support.1password.com/1password-browser-connection-security/">this support article</a>.</p> <p><strong>Setting file unprotected from unauthorized changes</strong></p> <p><strong>Issue:</strong> 1Password Settings are stored in a JSON file on disk. Lack of protections allowed settings to be changed by updating the JSON file, which required standard user access to the computer. No authentication to 1Password was required to change these settings. 
As a result, it was possible for 1Password settings to be modified by malicious actors.</p> <p><strong>Resolution:</strong> This issue was fixed in 1Password version 8.10.38 (August 2024) by enforcing additional integrity protections. For more information, see <a href="https://support.1password.com/kb/202408c/">this support article</a>.</p> <p>We would like to extend our sincere thanks to Robinhood’s Red Team and the company’s cybersecurity team for identifying these issues and partnering with us to address them before their presentation at DEF CON 2024. Please contact us at <a href="mailto:security@1password.com">security@1password.com</a> if you have any questions.</p></description></item><item><title>Can VDI secure BYOD?</title><link>https://blog.1password.com/can-vdi-secure-byod/</link><pubDate>Fri, 09 Aug 2024 00:00:00 +0000</pubDate><author>info@1password.com (Rachel Sudbeck)</author><guid>https://blog.1password.com/can-vdi-secure-byod/</guid><description> <img src='https://blog.1password.com/posts/2024/can-vdi-secure-byod/header.png' class='webfeedsFeaturedVisual' alt='Can VDI secure BYOD?' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">In 2006, Joanna Rutkowska stepped on stage at the Black Hat Conference and demonstrated a hack she called the &lsquo;Blue Pill.&rsquo;</p> <p>In 2006, <a href="https://www.computerworld.com/article/2546441/black-hat--microsoft-hopes-to-swallow-blue-pill.html">Joanna Rutkowska</a> stepped on stage at the Black Hat Conference and demonstrated a hack she called the &ldquo;Blue Pill.&rdquo; She gave it this Matrix-themed name because this attack made it almost impossible for victims to realize that they were trapped in a false virtual world – or in this case, a false virtual desktop.</p> <img src='https://blog.1password.com/posts/2024/can-vdi-secure-byod/matrix-keanu.jpg' alt='A photo of Keanu Reeves in the Matrix.' title='A photo of Keanu Reeves in the Matrix.' 
style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p><a href="https://medium.com/@mattszwec/i-know-kung-fu-6b632e09c8cb">Source</a></p> <p>Rutkowska&rsquo;s attack worked by taking control of Windows Vista hypervisors, which let her command the server&rsquo;s entire VDI ecosystem and access the data it protected. Still, this was just a demonstration.</p> <p>It wouldn&rsquo;t be until 2022 that bad actors managed to pull off a &ldquo;hyperjacking&rdquo; attack in real life, and show exactly how devastating it can be.</p> <p>In the years since this demonstration, virtual desktop infrastructure (VDI) has become a popular tool, and is often recommended for large enterprises managing Bring Your Own Device (BYOD) scenarios and a remote workforce. But, just like the virtual world of The Matrix, VDI solutions are not free from vulnerabilities and <del>require human batteries to function</del> come with significant operational costs.</p> <p>VDI can solve problems for some teams, while for others, it creates unmanageable technical complexity. Let&rsquo;s figure out which camp you fall in.</p> <h2 id="what-is-vdi">What is VDI?</h2> <p>VDI is a technology that lets end-users access remote desktops on their devices. To the employee, using VDI <em>feels</em> as though a desktop and all its applications are running on their machine, but it&rsquo;s all hosted on a distant server that potentially provides virtual desktops to many machines.</p> <p>VDI has been around since the mid-2000s, but it saw a <a href="https://www.marketresearchfuture.com/reports/virtual-desktop-infrastructure-market-7673">sharp uptick</a> during the COVID-19 pandemic. When stay-at-home orders hit, companies had very little time to shift to remote work and employees were abruptly stuck at home, often with no way to work except on their personal devices. 
VDI appeared as an option to let all of those varied endpoints access company systems remotely and securely.</p> <p>Even without a global pandemic, this is how VDI tends to be used: to manage distributed workforces and as an alternative to other forms of device management.</p> <p>There are a lot of VDI options out there – Citrix, Microsoft, and VMware are a few of the major players. They have various differences in terms of things like privacy policies and software requirements, but we&rsquo;re not going to delve into those specifics in detail. Instead, consider this a broad overview of how VDI works.</p> <p>As an example: we mentioned that VDI is mainly used by larger enterprises. That doesn&rsquo;t mean that there aren&rsquo;t <em>any</em> VDI <a href="https://v2cloud.com/solutions/vdi-for-small-business">options</a> looking to serve smaller businesses. But it&rsquo;s fair to say that broadly speaking, VDI is <a href="https://www.parallels.com/blogs/ras/4-major-reasons-why-vdi-doesnt-appeal-to-small-and-medium-enterprises-smes/">much better suited</a> to large enterprises who can afford to host and maintain its complex infrastructure.</p> <h3 id="how-vdi-works">How VDI works</h3> <p>VDI works in three stages:</p> <ol> <li> <p>Data is hosted on <a href="https://www.techtarget.com/searchvirtualdesktop/definition/virtual-desktop-infrastructure-VDI">physical servers in a data center</a>.</p> </li> <li> <p>On top of the physical server is a hypervisor. 
The hypervisor is a software layer that cuts up the <a href="https://youtu.be/LMAEbB2a50M">server&rsquo;s hardware</a> capacity, then allocates and virtualizes those physical resources into separate virtual desktops.</p> </li> <li> <p>Once a user installs the virtual machine software, they can open the remote simulated computer <a href="https://nordvpn.com/blog/virtual-machines/#:~:text=After%20the%20setup%2C%20you%20can,firmware%20components%20called%20a%20hypervisor.">just like any other application</a> on their device. The OS feels like a typical Windows or Linux desktop, but it&rsquo;s being run and managed on the server and is sandboxed from all other applications on the host device.</p> </li> </ol> <aside class="c-technical-aside-box c-technical-aside-box--background" aria-labelledby="vdi-vs-daas"> <h2 class="c-technical-aside-box__title" id="vdi-vs-daas"> VDI vs DaaS </h2> <div class="c-technical-aside-box__description"> These two terms are sometimes used interchangeably. But the essential difference between VDI and DaaS (desktop as a service) is that VDI, <a href="https://www.techtarget.com/searchvirtualdesktop/definition/virtual-desktop-infrastructure-VDI"><strong>by definition, requires that</strong></a> &ldquo;the business itself owns and operates the VDI servers.&rdquo; With DaaS, you use servers owned and rented out by the DaaS provider. There&rsquo;s plenty of overlap in how they work, but for the purpose of this article, we&rsquo;re focusing on VDI and its various bugaboos. </div> </aside> <h2 id="persistent-vs-non-persistent-virtual-desktops">Persistent vs non-persistent virtual desktops</h2> <p>Virtual desktops come in two flavors, with marked differences to security and user experience:</p> <ul> <li> <p><strong>Persistent VDI</strong>: a user has one virtual desktop assigned to them. They can save changes, download software, and customize it to their needs. It works like an apartment. 
The company owns it, but the user chooses the furniture.</p> </li> <li> <p><strong>Non-persistent VDI</strong>: a user is assigned a temporary virtual desktop every time they log in. When they log out, everything is reset to the &ldquo;golden image,&rdquo; or the default desktop designed by their company. It works like a hotel room. Workers check in and use whatever&rsquo;s there. When they leave, anything left behind gets wiped down and remade back to the uniform standard.</p> </li> </ul> <p>Non-persistent VDI makes the most sense for employees like call center workers who just need to log in, use certain pre-selected apps, and then leave. It&rsquo;s also commonly considered <a href="https://www.parallels.com/blogs/ras/persistent-vdi-vs-non-persistent/">more secure</a>, since the desktop and files get rebooted and wiped clean after every session.</p> <h2 id="the-benefits-of-vdi">The benefits of VDI</h2> <p>For large enterprises that can afford the maintenance and IT costs, VDI can be a viable and even cost-saving technology. When rolled out at scale, and to workers who can tolerate its limitations, VDI offers security and compliance benefits.</p> <h3 id="data-governance">Data governance</h3> <p>With so many people working from home, data leakage has become a more pressing concern. Employees might <a href="https://www.securitymagazine.com/articles/94495-remote-workers-are-printing-confidential-documents-at-home">print out sensitive files</a> (a particular concern in healthcare and law) or download sensitive data to endpoints that are vulnerable to theft, malware, or shadow IT. Keeping data on remote servers, far away from the endpoint, helps protect it from bad actors or general data leakage. 
As Erica Mixon puts it for <a href="https://www.techtarget.com/searchvirtualdesktop/definition/virtual-desktop-infrastructure-VDI">TechTarget</a>: &ldquo;A thief who steals a laptop from a VDI user can&rsquo;t take any data from the endpoint device because no data is stored on it.&rdquo;</p> <p>VDI also lets IT teams exert a lot of control over user behaviors, and these capabilities can be customized <a href="https://www.vmware.com/topics/glossary/content/virtual-desktop-infrastructure-security.html">pretty thoroughly</a> through a lot of <a href="https://kb.vmware.com/s/article/2003626">granular policies</a>. For instance, IT can stop certain users – depending on role or need – from downloading records onto their physical computer, printing, copy-pasting from the virtual desktop, or using USB devices at all. Teams could even go so far as to <a href="https://www.makeuseof.com/what-is-virtual-desktop-infrastructure/">encrypt</a> any data that passes across the network, including by layering it with a VPN.</p> <p>However, none of these features are foolproof, and none of them come without tradeoffs. Malicious insiders can still find workarounds for some of these safeguards (like taking photos of their computer screen). These features can also harm productivity and employee morale, since losing the ability to copy-paste has a significant impact on usability and is likely to make workers feel like they&rsquo;re under suspicion.</p> <p>Still, security requires friction, and VDI may create the friction that your team needs to protect sensitive data.</p> <h3 id="regulatory-compliance">Regulatory compliance</h3> <p>Sectors like <a href="https://uit.stanford.edu/service/vdi">higher education</a>, finance, and healthcare all have strict regulations around keeping client data safe. 
VDI can help prove compliance with those standards, so organizations can pass internal and external audits.</p> <p>For instance, IT consultants IP Pathways published a <a href="https://www.ippathways.com/wp-content/uploads/2022/03/Brodstone_CaseStudy-Final.pdf">case study</a> describing their rollout of VDI at Brodstone Memorial Hospital. The small hospital wanted a way to access electronic patient records across different facilities. However, &ldquo;Because of the stringent requirements of HIPAA HITECH, disaster recovery and continuity of patient records was imperative.&rdquo; In this case, VDI suited their needs and provided an &ldquo;attestable&rdquo; way of proving that they were meeting the various requirements around sensitive patient records. <a href="https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/partners/vmw-metro-health-university-of-michigan-case-study-hpe.pdf">Other case studies</a> show VDI being used to let &ldquo;clinicians use BYOD&rdquo; to provide virtual healthcare while maintaining HIPAA compliance.</p> <h3 id="device-flexibility">Device flexibility</h3> <p>In fact, if your company needs to maintain compliance on a variety of devices, VDI is a very flexible option.</p> <p>With VDI, the server hosts almost all of the processing for each employee&rsquo;s desktop. While those servers need to be powerful, not that much <a href="https://www.zeetim.com/advantages-disadvantages-of-virtual-desktop-infrastructure/">actual computing happens</a> on the endpoint itself. This means that you can run a cutting-edge OS on a device that would normally not be powerful enough to support it. (Think of it as putting a Ferrari engine in a Toyota Corolla.) It also means that companies can keep older devices in circulation longer, instead of paying to upgrade them every few years.</p> <p>With VDI, companies can have employees use older or lower-spec devices – like Chromebooks – without as much cost to usability. 
That cost-effective Chromebook is essentially just serving as a monitor and keyboard to interface with a much more powerful virtual machine.</p> <p>Companies can also install VDI on <a href="https://www.dell.com/en-us/shop/sfc/sf/thin-clients">specialized endpoints</a> like zero clients (which have no OS of their own, just enough firmware to access the server) or thin clients (which have a very limited OS). These are devices that are basically only designed to access the server. To give an idea – the average Chromebook has historically been considered <a href="https://www.techtarget.com/searchvirtualdesktop/opinion/Is-it-time-for-a-new-name-for-thin-clients">too powerful</a> to count as a <em>true</em> thin client.</p> <p>Both of these options are cheap, or even free if you convert your company&rsquo;s <a href="https://www.techtarget.com/searchvirtualdesktop/tip/The-right-way-to-do-old-PC-to-thin-client-conversions">older computers</a> into thin clients. That reduces costs <em>and</em> <a href="https://www.cloudwards.net/e-waste-statistics/">e-waste</a>, which is definitely a plus.</p> <img src='https://blog.1password.com/posts/2024/can-vdi-secure-byod/captain-planet.jpg' alt='A promotional image of Captain Planet.' title='A promotional image of Captain Planet.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p><a href="https://m.imdb.com/title/tt0098763/plotsummary/">Source</a></p> <p>Companies can also use &ldquo;thick clients,&rdquo; or &hellip; regular computers (or tablets or phones) to access the virtual desktop. 
The point is, VDI is basically device-agnostic, and that&rsquo;s one reason that it&rsquo;s so <a href="https://www.esecurityplanet.com/endpoint/secure-access-for-remote-workers-rdp-vpn-vdi/">often recommended</a> for managing contractor devices or other common BYOD scenarios where traditional device management tools <a href="https://blog.1password.com/pros-and-cons-of-mdms/">like MDM</a> won&rsquo;t work.</p> <h3 id="user-privacy">User privacy</h3> <p>BYOD security often comes up against the issue of employee and contractor privacy. Employees wonder if the data on their personal devices is safe from their company&rsquo;s monitoring, and often resist IT&rsquo;s attempts to manage those devices via MDM and other tools.</p> <p>VDI isn&rsquo;t the worst option on that front. It doesn&rsquo;t have to be invasive because, in theory, it doesn&rsquo;t ever interact with the data on a device. The only data accessed is the data needed for the employee to do their job – all of which is hosted on the virtual desktop.</p> <p>Certainly there are options that give managers more visibility into user activity. But generally speaking, the monitoring VDI does is more geared toward diagnostics and monitoring network issues.</p> <p>Overall, of the options available for use on personal devices, VDI is fairly non-invasive. But VDI still brings its share of usability issues.</p> <h2 id="the-drawbacks-of-vdi">The drawbacks of VDI</h2> <p>Plenty of companies would love a solution that enables BYOD, solves their compliance headaches, and keeps their data secure. But there are good reasons VDI hasn&rsquo;t caught on outside large enterprises. It&rsquo;s not a particularly realistic option if you don&rsquo;t have a lot of resources to support it. And even if you do have the budget and the IT staff to roll out VDI, the juice still may not be worth the squeeze.</p> <h3 id="theres-no-apple-vdi">There&rsquo;s no Apple VDI</h3> <p>As a rule, VDI comes in two flavors: Windows or Linux. 
Apple&rsquo;s licensing agreement forbids using or hosting macOS &ldquo;virtualized copies&rdquo; for the purpose of &ldquo;terminal sharing&rdquo; or similar uses. Virtualized Macs exist, but the structure and scale of that virtualization operates differently than VDI and is usually intended for macOS developers.</p> <p>This might not be an issue if your workforce is already on Windows, but if you try to roll out VDI on knowledge workers who prefer Mac, there&rsquo;s going to be a fair amount of frustration. Anyone who&rsquo;s ever switched OSes knows that there&rsquo;s a learning curve, and you&rsquo;ll have to expect a productivity dip from users who keep forgetting where the downloads folder is.</p> <p>And of course, for users who need access to Apple-specific software – like Final Cut Pro for film editing – you&rsquo;ll have a bigger issue.</p> <h3 id="speeddevice-performance">Speed/device performance</h3> <p>VDI requires that users access a desktop that&rsquo;s hosted somewhere else. That creates some unavoidable issues, for the same reason that sending a letter across the country is more complicated than handing one to your roommate.</p> <p>There are ways to mitigate VDI&rsquo;s latency problems, but as David Linthicum reported for <a href="https://www.infoworld.com/article/3651451/the-truth-about-vdi-and-cloud-computing.html">Infoworld</a>, &ldquo;&hellip;even if you pay for the faster stuff, a few days of detailed monitoring will show that latency and speed are pretty bursty overall.&rdquo;</p> <p>On top of that, the way VDI works means that multiple employees are sharing the resources of one server. Companies obviously want to get the maximum sustainable number of virtual machines out of each server, but finding that number is pretty complicated.</p> <img src='https://blog.1password.com/posts/2024/can-vdi-secure-byod/virtualization-calculator.png' alt='A screenshot from the virtualization calculator.' 
title='A screenshot from the virtualization calculator.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p><a href="https://wintelguy.com/vmcalc.pl">Source</a></p> <p>It&rsquo;s very easy for IT to <a href="https://www.techtarget.com/searchvirtualdesktop/tip/How-to-avoid-VDI-overprovisioning">overprovision a server</a> and promise too much of its power to too many devices (especially when the CFO is pushing them to err on the side of &ldquo;lots&rdquo;).</p> <p>We previously established VDI&rsquo;s use in healthcare, where urgency and security <a href="https://www.cs.dartmouth.edu/~sws/pubs/ksbk15-draft.pdf">often conflict</a>. Other case studies indicate the problems that VDI can cause in that kind of setting. <a href="https://www.dell.com/en-us/dt/apex/compute-hci/private-cloud.htm#accordion0">One from Dell</a> mentions that &ldquo;VDI latency issues were decreasing productivity and threatening to impact care levels.&rdquo;</p> <p>Finally, just in case it doesn&rsquo;t go without saying, VDI as a rule won&rsquo;t work at all without an internet connection. That might not be a dealbreaker for some employees, who already rely on the internet to do their jobs. But it&rsquo;s worth considering whether you can afford work grinding to a halt every time there&rsquo;s an internet outage.</p> <h3 id="deployment-and-maintenance-expenses">Deployment and maintenance expenses</h3> <p>Perhaps the biggest hurdle of VDI is that it&rsquo;s <em>expensive</em>.</p> <p>For starters, buying, housing, and maintaining servers represents a lot of cost. 
IT services vendor Intelligent Technical Solutions <a href="https://www.itsasap.com/blog/server-cost">reported that</a>, &ldquo;a server that 20-25 people will use will cost around $15,000-$20,000 per server.&rdquo; Depending on company size and the number of employees you need to cover, the costs of running a <a href="https://www.streamdatacenters.com/glossary/data-center-cost/#:~:text=The%20average%20yearly%20cost%20to,maintenance%20of%20applications%20and%20infrastructure.">large enough data center</a> can get into the <em>millions</em> pretty quickly.</p> <p>Still, that&rsquo;s far from the only cost of VDI. As <a href="https://www.techtarget.com/searchvirtualdesktop/feature/How-to-keep-VDI-costs-to-a-minimum">Robert Sheldon</a> put it for TechTarget: &ldquo;The total cost of software can be one of the most expensive parts of implementing VDI. At the top of the list is the VDI software itself.&rdquo;</p> <p>VDI licensing costs are hard to predict, and involve <a href="https://www.appsanywhere.com/resource-centre/vdi/exploring-the-hidden-license-costs-in-application-delivery-and-vdi-solutions">various et ceteras</a>. To manage your server&rsquo;s virtualization, you might need <a href="https://www.heroix.com/blog/virtualization-licensing/">any number</a> of licenses or <a href="https://docs.vmware.com/allproducts.html">management tools</a> for your hypervisors. You might also need to pay for a Windows license to run their OS. It all varies, again, depending on what you&rsquo;re doing with each machine, like whether you&rsquo;re going to operate on a <a href="https://www.parallels.com/blogs/ras/vdi-cost/">per-user or per-device</a> basis.</p> <p>A lot of VDI&rsquo;s costs come down to the specific needs of your company, meaning it&rsquo;s hard to get estimates ahead of time. 
But Tatiana S., writing for the <a href="https://systemadminspro.com/vdi-cost-comparison-local-vs-public-cloud/">SystemAdminsPro</a> Blog, shared her figures from helping the Evaluator Group figure out their infrastructure needs.</p> <p>Her estimate had VDI software costs for 5,000 knowledge workers coming out to $2,061,430 – <em>easily</em> the most expensive part of their rollout.</p> <p>That blog is from 2020. In recent years, VDI hasn&rsquo;t been immune to the price hikes and corporate squeezing that seem to be impacting every product in every industry. Since VMware was purchased by Broadcom in November of 2023, they&rsquo;ve stopped <a href="https://arstechnica.com/information-technology/2023/12/broadcom-ends-vmware-perpetual-license-sales-testing-customers-and-partners/">selling or supporting</a> perpetual licenses that they previously offered for many of their VDI management software tools. They now operate on an <a href="https://redresscompliance.com/broadcom-vmware-licensing-and-subscription-changes-explained/">exclusively subscription</a> model.</p> <h2 id="the-security-vulnerabilities-of-vdi">The security vulnerabilities of VDI</h2> <p>Overall, VDI has earned a reputation for security – and that reputation might be its biggest vulnerability. <a href="https://www.vmware.com/topics/glossary/content/virtual-desktop-infrastructure-security.html#:~:text=VDI%20security%20risks,-Although%20known%20for%20its%20intrinsic">VMware themselves fully admit</a>: &ldquo;Although known for its intrinsic security capabilities, VDI can present unique security risks.&rdquo; As specific points of vulnerability, they list: hypervisors, networks, employees, and unpatched virtual machines.</p> <h3 id="vulnerable-endpoints">Vulnerable endpoints</h3> <p>There seems to be a misconception that if a device uses VDI, then you don&rsquo;t have to worry about that device, since it&rsquo;s isolated from your systems. 
But all of this software still <em>connects</em>, and bad actors can use those connections.</p> <p>There&rsquo;s a good reason that <a href="https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-endpoints-vdi?view=o365-worldwide">Microsoft</a> recommends endpoint protection even for non-persistent VDI, saying &ldquo;Like any other system in an IT environment, [VDI Devices] too should have an Endpoint Detection and Response (EDR) and Antivirus solution to protect against advanced threats and attacks.&rdquo;</p> <p><a href="https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmwcb-whitepaper-best-practices-for-securing-horizon-vdi-with-vmware-carbon-black-cloud.pdf">VMware</a> explicitly recommends using <a href="https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/products/vmw-horizon-security.pdf">endpoint protection</a> as part of a Zero Trust model, saying, &ldquo;Continuous verification of device and desktop state &hellip; can help determine and put into effect the level of access that a user should have in any given situation.&rdquo;</p> <h3 id="malware-and-unpatched-vulnerabilities">Malware and unpatched vulnerabilities</h3> <p>An end user on VDI can still let malware onto a virtual machine, where it can lurk like a parasite and potentially move upstream into other systems.</p> <p>Even malware downloaded to a <a href="https://www.kaspersky.com/blog/vdi-protection/37703/">non-persistent VDI</a> might have time to move from the virtual desktop into company networks before everything gets wiped. 
<a href="https://its.ny.gov/system/files/documents/2023/07/skipper-sinc-keynote-exposing-adversarial-conversations-v4.pdf">Remote Access Trojans</a> (RAT) are one example of how a device that&rsquo;s already infected with malware can be used by bad actors to force infections into a company&rsquo;s VDI system.</p> <p>Similarly, unpatched devices (<a href="https://i.dell.com/sites/csdocuments/Shared-Content_data-Sheets_Documents/en/Dell_Threat_Defense_for_Thin_Clients_whitepaper.pdf">even thin clients</a>) can still leave VDI and servers vulnerable. Tenable described one path in which the Log4Shell vulnerability could let an unpatched Linux device connect to Microsoft&rsquo;s Active Directory and then &ldquo;escalate its local privilege and move laterally to all Tier-1 machines.&rdquo;</p> <h3 id="hypervisor-attacks">Hypervisor attacks</h3> <p>Hypervisors still haven&rsquo;t been hacked as subtly as Joanna Rutkowska&rsquo;s Blue Pill attack. But when the hypervisor gets attacked, things still get scary pretty quickly. The <a href="https://arstechnica.com/information-technology/2022/09/mystery-hackers-are-hyperjacking-targets-for-insidious-spying/">2022 hyperjacking attack</a> let bad actors push files to companies' hypervisors, controlling and accessing every virtual desktop on that server.</p> <p>Ransomware gangs have also targeted hypervisors more and more in recent years. 
During the <a href="https://www.wsj.com/tech/cybersecurity/mgm-hack-casino-hackers-group-0366c641">MGM hack</a>, ALPHV <a href="https://www.bleepingcomputer.com/news/security/mgm-casinos-esxi-servers-allegedly-encrypted-in-ransomware-attack/">claimed to have</a> &ldquo;encrypted more than 100 ESXi hypervisors.&rdquo; Similar hypervisor ransomware attacks <a href="https://www.techtarget.com/searchsecurity/news/366537519/CrowdStrike-warns-of-rise-in-VMWare-ESXi-hypervisor-attacks">had compromised</a> &ldquo;more than 3200 servers&rdquo; by February of 2023, locking companies out of vital systems.</p> <p>These cases of compromised hypervisors tend to start with credential-based attacks. You can&rsquo;t pull this off with any old employee credentials, of course, but if bad actors get the credentials of superadmins, they can use them to access a company&rsquo;s hypervisors. As Mandiant consultant <a href="https://www.wired.com/story/hyperjacking-vmware-mandiant/">Alex Marvi put it</a>, &ldquo;&hellip;you can compromise one machine and from there have the ability to control virtual machines en masse&hellip;&rdquo;</p> <p>The hypervisor touches <em>everything</em> on your server, from virtual machines to private data. And that goes both ways – everything else leads back to the hypervisor. One superadmin&rsquo;s compromised credentials can let bad actors work their way laterally across your systems. (The moral of this story is that your superadmins' authentication factors should be airtight.)</p> <h2 id="vdi-isnt-secure-enough-to-secure-byod-on-its-own">VDI isn&rsquo;t secure enough to secure BYOD (on its own)</h2> <p>Say you&rsquo;re a beekeeper who&rsquo;s deathly allergic to bees (hey, we&rsquo;re not here to question your life choices). 
You&rsquo;re going to wear your beekeeper&rsquo;s outfit when you visit the hives – but you&rsquo;ll also still carry your EpiPen.</p> <p>VDI&rsquo;s reputation has a lot of companies treating it like an impenetrable force-field strong enough to let them neglect other forms of security.</p> <p>That&rsquo;s despite the fact that the VDI companies <em>themselves</em> advise using their products with additional protections. VDI is still vulnerable, and the endpoint very much still matters. A lot of those vulnerabilities can be nullified if you make sure that only known and secure devices can access your servers. That&rsquo;s the principle of device trust, which you can read more about <a href="https://blog.1password.com/what-is-device-trust/">here</a>.</p> <p>Bottom line: VDI is a powerful solution, but it&rsquo;s not designed to work on its own, and it&rsquo;ll take careful consideration to figure out if it&rsquo;ll work for your company.</p> <p>Want more original and curated insights into IT and security? 
<a href="https://1password.com/kolidescope-newsletter">Subscribe to our newsletter</a>!</p></description></item><item><title>Mac patch management is an urgent, unsolved problem</title><link>https://blog.1password.com/mac-patch-management/</link><pubDate>Fri, 09 Aug 2024 00:00:00 +0000</pubDate><author>info@1password.com (Elaine Atwell & Nick Moore)</author><guid>https://blog.1password.com/mac-patch-management/</guid><description> <img src='https://blog.1password.com/posts/2024/mac-patch-management/header.png' class='webfeedsFeaturedVisual' alt='Mac patch management is an urgent, unsolved problem' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Few ad campaigns have ever had such a long-lasting impact as the iconic &lsquo;I&rsquo;m a Mac/I&rsquo;m a PC&rsquo; commercials that ran in the mid-aughts.</p> <p>In those commercials, John Hodgman&rsquo;s PC was the stuffy, corporate computing option – not good for anything more exciting than a spreadsheet. By contrast, Justin Long&rsquo;s Mac was the laidback computer you used at home – Mac was your buddy, not your manager.</p> <p>The ad campaign was a smash hit for Apple, but nearly 20 years later, IT admins are still living with the fallout. Because in the years since these commercials aired, something unexpected happened. That friendly, casual Friday computer entered the workforce and loosened Microsoft&rsquo;s stranglehold on the corporate network.</p> <p>By 2021, <a href="https://www.computerworld.com/article/3604601/macs-reach-23-share-in-us-enterprises-idc-confirms.html">Macs made up roughly a quarter</a> of all US enterprise fleets (and we can assume it&rsquo;s grown significantly, since the most recent data is from before the release of the M1 Macs). 
This remarkable rise has meant that IT pros and sysadmins have had to learn how to manage Macs.</p> <p>In particular, admins consistently struggle with Mac patch management, which in this case means updates to macOS and first-party Mac apps. These updates are critical to security, but unfortunately, Apple spent years convincing its users that they were immune from security threats. (Remember <a href="https://www.youtube.com/watch?v=sdF5IsyOxU4">&ldquo;Macs don&rsquo;t get PC viruses?&rdquo;</a>) As a result, it&rsquo;s difficult to persuade users to install updates in a timely manner, IT resorts to working around (or even against) them, and it takes weeks to get the entire fleet updated.</p> <h2 id="why-patching-macs-cant-wait">Why patching Macs can&rsquo;t wait</h2> <p>A three-week lag time for patch installation is no longer acceptable in a world where zero-day exploits for Mac are more and more common. (MacBookProSlow.com has a <a href="https://www.macbookproslow.com/apple-data-breaches/#Does_Apple_Disclose_the_Number_of_Users_Impacted_by_Data_Breaches">good timeline of the greatest hits</a>, most of which led to Apple issuing emergency patches.) 
One example came in August 2022, when Apple released an update to patch two vulnerabilities – one in the kernel, the other in WebKit – which Apple acknowledged &ldquo;may have been actively exploited.&rdquo;</p> <p>While that cagey language is typical for Apple, it&rsquo;s no secret that black and gray hat organizations <a href="https://www.nytimes.com/2021/09/13/technology/apple-software-update-spyware-nso-group.html">such as NSO Group</a> constantly search for weaknesses in Apple&rsquo;s armor, which they sell for top dollar to both state and private actors.</p> <p>The recent <a href="https://www.forbes.com/sites/gordonkelly/2023/05/06/apple-ios-16-4-1-a-rapid-security-response-release-new-iphone-ipad-update/?sh=257787e7249d">introduction of Rapid Security Response updates (RSRs)</a> is a tacit acknowledgement by Apple that its security issues have become more urgent – otherwise, why develop a new delivery mechanism for them? The issue is that you only benefit from RSRs if you install them immediately.</p> <p><a href="https://support.apple.com/en-us/HT213758">Apple&rsquo;s security notes</a> for its release of the Ventura 13.4 macOS version revealed that the May 1st RSR had patched two serious WebKit vulnerabilities, including one that enabled remote code execution. These aren&rsquo;t the kinds of patches you can afford to wait several weeks to get installed.</p> <p>Here, we&rsquo;ll talk about the existing options for Mac patch management, why they&rsquo;re both bad, and how to solve the problem while still letting Macs and Mac users be themselves.</p> <h2 id="the-state-of-mac-patch-management">The state of Mac patch management</h2> <p>Let&rsquo;s walk through a common situation. Apple has just released a macOS update, and immediately the clock to get it installed across the fleet starts ticking. 
Every hour that passes is a chance for a breach to happen, and yet, the average company takes weeks to months to patch a critical vulnerability.</p> <p>The reason for this disconnect is that IT admins only have two options for Mac patch management, and neither of them can get you to 100% compliance in a reasonable amount of time.</p> <h2 id="option-1-the-big-red-button-mdm">Option 1: The big red button (MDM)</h2> <p><a href="https://blog.1password.com/pros-and-cons-of-mdms/">Mobile device management solutions (MDMs)</a> are a virtually foolproof way to enforce updates for every Mac in your fleet. IT can use MDM to deploy patches that install automatically and restart devices with no input from users whatsoever. But if patch management were that simple, this would be the last sentence of this article. (And it&rsquo;s not.)</p> <p>In reality, managing Apple updates via MDM is so disruptive that many IT teams are reluctant to go that route.</p> <p>Here&rsquo;s the problem: significant OS updates and upgrades require a Mac to restart, and forcing restarts without a user&rsquo;s permission risks that they&rsquo;ll lose whatever they&rsquo;re working on. Even Apple&rsquo;s documentation <a href="https://support.apple.com/guide/deployment/use-mdm-to-deploy-software-updates-depafd2fad80/web">cites this risk</a>, warning that &ldquo;InstallForceRestart may result in data loss.&rdquo;</p> <p>IT admins do their best to minimize disruption by scheduling deployments for the middle of the night and warning users ahead of time to save their work, but even so, someone always gets upset.</p> <p>We&rsquo;ve been over some of this before in our piece on <a href="https://blog.1password.com/pros-and-cons-of-mdms/">the pros and cons of MDMs</a>. 
But broadly, many employees (especially executives) simply won&rsquo;t tolerate forced restarts, so you wind up with a long list of exempt users, and you&rsquo;re left right back where you started: with wildly vulnerable devices.</p> <p>In fairness, Apple has gotten better at helping Mac admins manage updates and patches as part of their larger push to make Macs more enterprise-friendly. They&rsquo;ve released a first-party MDM (Apple Business Essentials) and created a web portal (<a href="https://support.apple.com/guide/apple-business-manager/intro-to-apple-business-manager-axmd344cdd9d/web">Apple Business Manager</a>) that enables easier integration with third-party MDMs like Jamf and Kandji – though the features are primarily limited to automatic device enrollment and centralized management for Apple IDs.</p> <p>Apple has also made it easier to remotely install updates and upgrades without a local admin. Their <a href="https://support.apple.com/guide/deployment/about-software-updates-depc4c80847a/web">documentation</a> explains that, prior to macOS 12.3, only local administrators could perform software upgrades, but after macOS 12.3, Apple gave any user the ability to upgrade.</p> <p>For Macs with Apple silicon, a user must be a volume owner to upgrade or update, and admins can act as volume owners via a bootstrap token. The <a href="https://support.apple.com/guide/deployment/use-secure-and-bootstrap-tokens-dep24dbdcf9e/web">introduction of volume owners</a> as a class of user also enables enterprises to give end users some ability to maintain their devices without granting them full administrator privileges. (Though we&rsquo;d still generally argue against that.)</p> <p>Companies go to all sorts of elaborate lengths to control their endpoints, but at a certain point, the medicine becomes worse than the disease. 
Taking agency from users makes their devices nearly unusable; a Mac user without admin abilities can&rsquo;t change their own time zone without help from IT. Meanwhile, feature-heavy endpoint management tools take a measurable bite out of CPU performance; and then what good are those fancy new silicon chips?</p> <p>At the end of the day, the core problem remains: deploying patches without user consent leads to data loss events, so it&rsquo;s an untenable option to deploy at scale.</p> <h2 id="option-2-the-nudge">Option 2: The nudge</h2> <p>Since we&rsquo;ve established that brute force automation is so disruptive that it can&rsquo;t get your Mac fleet updated, how about asking users nicely?</p> <p>This, in essence, is the philosophy behind Nudge, a UI tool that admins can deploy via MDM to remind users to update. These reminders get more frequent and more intense until, eventually, users no longer have the option to &ldquo;defer.&rdquo;</p> <img src='https://blog.1password.com/posts/2024/mac-patch-management/nudge-2.png' alt='A screenshot of the Nudge tool on a Mac.' title='A screenshot of the Nudge tool on a Mac.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p><a href="https://almenscorner.io/implement-nudge-in-microsoft-endpoint-manager-for-macos/">Source</a></p> <p>Nudge (and some other tools like it) somewhat streamline the patching process by downloading updates in the background and only bothering users once it&rsquo;s time to install them. And they do represent a step in the right direction; MacAdmins Slack is full of IT pros who swear by nudge tools and found that they&rsquo;ve significantly improved patching time.</p> <p>Even so, this is a clearly imperfect system because – surprise! – nagging people often makes them less eager to do what you want. 
At best, users ignore reminders for as long as possible (Nudge deferment periods are typically around 30 days), and at worst, <a href="https://blog.1password.com/unmanaged-devices-run-rampant/">they escape them altogether by turning to shadow IT</a> (which is also a risk with heavily locked down devices).</p> <h2 id="is-patch-management-really-harder-for-macs-than-pcs">Is patch management really harder for Macs than PCs?</h2> <p>Most of the issues we&rsquo;ve described so far aren&rsquo;t unique to Macs. On a technical level, the only real advantages PCs have are Nudge-style tools built into Windows and an MDM ecosystem built primarily around their needs.</p> <p>So if, on a technical level, patching Macs isn&rsquo;t more difficult than Windows, why does it give admins so much more trouble?</p> <p>Part of the problem – though difficult to quantify – goes back to those famous Mac vs PC commercials. Macs <em>feel</em> more like personal computers, even when they&rsquo;re technically work devices, and that feeling makes Mac users more resistant to intrusive measures. One IT admin we work with said, &ldquo;We have no problem using MDM to manage updates on our PC fleet, but our Mac and Linux users want more independence, so we have to have a lighter touch.&rdquo;</p> <p>On a psychological level, Apple&rsquo;s reputation for security could contribute to why users don&rsquo;t take patching seriously. If you&rsquo;ve had Macs as your personal computers for years and never had any problems with malware, you may not understand that you&rsquo;re at much greater risk in a corporate environment or be aware that threats to Macs are generally on the rise.</p> <p>And we haven&rsquo;t even addressed the threat posed when end users use their personal Mac devices to access work resources. Both solutions we just went over assume that you&rsquo;re managing a Mac via MDM. 
If a device is unmanaged (whether because of a <a href="https://blog.1password.com/byod-policies/">BYOD policy</a> or because it belongs to a third-party contractor), then you <em>really</em> don&rsquo;t have a way to enforce updates.</p> <h2 id="mac-patch-management-takes-both-technical-and-people-skills">Mac patch management takes both technical and people skills</h2> <p>Technologists tend to assume that for any problem, technology has to be the solution. And when there isn&rsquo;t an obvious technical improvement to be made, it&rsquo;s easy to flip to the other extreme and assume that the problem lies between the chair and the keyboard. Unfortunately, once you&rsquo;ve classified something as a user behavior problem, a lot of IT people just throw up their hands and give up. (Not that we blame them; their ability to reach out to users and fix behaviors is limited, especially for large organizations and distributed teams.) That&rsquo;s how we got to the current status quo of devices running an outdated OS for weeks or months.</p> <p>But the status quo won&rsquo;t cut it anymore. Getting to 70 or 80% compliance won&rsquo;t satisfy auditors, regulators, or executives. We have to get to 100% patching, and to do that, we need users.</p> <p>Specifically, we need solutions that force people to change their habits.</p> <p>For an idea of how to accomplish this, let&rsquo;s look at a different example: seatbelt laws.</p> <p>Nowadays, most of us put on a seatbelt as soon as we get in the car, likely without thinking about it. But that wasn&rsquo;t always the case – in fact, <a href="https://twitter.com/StrictlyChristo/status/1624144076542193665?s=20">a lot of people were very resistant to seatbelt laws</a>. 
Normalizing this behavior required a full-court press effort involving:</p> <ul> <li> <p>Technical solutions: Laws mandating that all new cars had to have seatbelts.</p> </li> <li> <p>Education: Public relations campaigns explaining the value of seatbelts.</p> </li> <li> <p>Consequences: Fines for driving without a seatbelt.</p> </li> </ul> <p>It was a significant effort, but once the lesson was learned, it stuck; these days, the biggest factor reinforcing the seatbelt behavior is probably just habit.</p> <p>Helping users build the habit of immediately installing updates will be harder because updates are infrequent, but we can still apply the same tactics.</p> <h2 id="how-to-get-end-users-to-update-their-macs">How to get end users to update their Macs</h2> <p>We&rsquo;ve established that taking away user agency can&rsquo;t solve patch management. But relying exclusively on users won&rsquo;t work either, because they don&rsquo;t understand the seriousness of the threat, and there are no immediate consequences for breaking the rules.</p> <p>A new approach has to address all these issues, like so:</p> <ol> <li> <p>Technical Solutions: Automation absolutely has a role to play in patch management. You don&rsquo;t have to abandon your MDM to get updates deployed – the goal is to do as much work as possible before users have to get involved. Once you&rsquo;re there, provide clear, non-technical instructions so users can install updates themselves at a time that works for them.</p> </li> <li> <p>Education: Do not assume that your end users know that an unpatched OS is among your company&rsquo;s most serious security threats. 
Most security training programs do not emphasize this, which means that any solution has to educate users about why timely updates are so important, so they&rsquo;ll be willing to accept the inconvenience.</p> </li> <li> <p>Consequences: The distant, unlikely chance that a user&rsquo;s inaction will cause a security incident is too abstract; a new approach has to create clear and proportionate consequences, so users can&rsquo;t just click &ldquo;remind me later&rdquo; indefinitely.</p> </li> </ol> <p>This approach is how <a href="https://blog.1password.com/introducing-extended-access-management/">1Password Extended Access Management</a> handles <a href="https://blog.1password.com/what-is-device-trust/">device trust</a> – for which one of our most popular use cases is Mac patch management.</p> <ol> <li> <p>Technical Solution: Our lightweight agent detects when a device is missing a critical update and reaches out with remediation instructions.</p> </li> <li> <p>Education: Along with fix instructions, 1Password Extended Access Management explains why an issue is a serious security risk.</p> </li> <li> <p>Consequences: If a user doesn&rsquo;t update their device within a set time limit, they cannot authenticate to their SSO-protected work apps until they&rsquo;ve fixed the issue. Stopping potentially compromised devices from accessing company resources is a fundamental tenet of zero trust, so the blocking function is reasonable and proportionate.</p> </li> </ol> <img src='https://blog.1password.com/posts/2024/mac-patch-management/kolide_blocking_notification-min.png' alt='A screenshot of a XAM blocking notification.' title='A screenshot of a XAM blocking notification.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>With 1Password Extended Access Management, users can install updates and upgrades at a time that works for them, but they can&rsquo;t delay it forever. 
And while our solution is compatible with MDMs and other endpoint security tools, it doesn&rsquo;t require them, so you can deploy it even on unmanaged devices.</p> <p>We (unsurprisingly) believe we have the best product for managing a Mac fleet. But whether or not you buy our solution, the more urgent issue is to acknowledge that as of now, Mac patch management has not kept up with the threat landscape. Fixing it will require both new tools and a new mindset. As somebody smart once said, think different.</p> <p><a href="https://1password.com/contact-sales/xam">Want to see more of how 1Password Extended Access Management handles patch management? Reach out for a demo!</a></p></description></item><item><title>1Password SDKs are now out of beta</title><link>https://blog.1password.com/sdks-version-0/</link><pubDate>Thu, 08 Aug 2024 00:00:00 +0000</pubDate><author>info@1password.com (Andrew Stiefel)</author><guid>https://blog.1password.com/sdks-version-0/</guid><description> <img src='https://blog.1password.com/posts/2024/sdks-version-0/header.png' class='webfeedsFeaturedVisual' alt='1Password SDKs are now out of beta' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">In May, we <a href="https://blog.1password.com/sdk-beta/">announced</a> the availability of 1Password software development kits (SDKs) in beta. Those SDKs – available as open-source libraries for <a href="https://github.com/1Password/onepassword-sdk-js">Javascript</a>, <a href="https://github.com/1Password/onepassword-sdk-python">Python</a>, and <a href="https://github.com/1Password/onepassword-sdk-go">Go</a> – are now production-ready.</p> <p>1Password SDKs provide the easiest way to integrate 1Password into your app. They support a variety of secrets management use cases, and we’ve already seen hundreds of fantastic integrations built by the community. 
This includes partner integrations by <a href="https://learning.postman.com/docs/sending-requests/postman-vault/1password/">Postman</a> and <a href="https://www.pulumi.com/docs/esc/providers/1password-secrets/">Pulumi</a>, as well as open source projects like <a href="https://github.com/twpayne/chezmoi">Chezmoi</a> and <a href="https://github.com/helmfile/vals">Helmfile</a>.</p> <p>We built the SDKs with minimal abstraction and extendable interfaces to give you the most flexibility in how you build integrations with 1Password. We also took care to <a href="https://blog.1password.com/sdk-beta/#why-1password-sdks">preserve 1Password’s unique security and privacy model</a> by maintaining end-to-end encryption until the moment a secret is needed in your application.</p> <p><strong>With the version 0.1.0 release, 1Password SDKs are ready to meet the scalability and stability requirements of production- and mission-critical workflows.</strong></p> <h2 id="support-for-secrets-management-use-cases">Support for secrets management use cases</h2> <p>Version 0.1.0 adds features for item and secrets management use cases. You can now list items in a vault and perform create, read, update, and delete (CRUD) operations on items stored in your vaults.</p> <p>Here’s a small taste of the supported use cases:</p> <ul> <li>Retrieving an API key</li> <li>Rotating passwords or API keys on an automatic schedule</li> <li>Syncing secrets from 1Password to other systems and secrets stores</li> <li>Injecting secrets into CI/CD pipelines</li> <li>Managing secrets alongside your infrastructure as code (IaC) tools</li> <li>Migrating passwords and credentials</li> <li>…and more!</li> </ul> <p>If you’d like to learn more about how to get started with 1Password SDKs, <a href="https://1password.com/webinars/introducing-1password-sdks/?utm_ref=blog">sign up now for the live webinar on August 28</a>, 2024 with Simon Barendse, Engineering Team Lead for the 1Password SDKs project. 
You will learn how to use 1Password SDKs for common secrets management use cases like retrieving secrets and rotating credentials, and we’ll end with a Q&amp;A session to field your questions about working with the SDKs.</p> <h2 id="what-does-version-0-mean-for-1password-sdks">What does version 0 mean for 1Password SDKs?</h2> <p>With the launch of version 0.1.0, 1Password SDKs are officially out of beta and can meet the stability and scalability requirements of production use cases. We’ll continuously expand 1Password SDKs in the coming months with support for additional functionalities and programming languages. And as always, we’d love to hear your feedback on the functionality you’d like to see next.</p> <p>We expect to have much more frequent releases during version 0 as we add significant new support for additional features and languages to the SDKs. These releases could require us to introduce breaking changes to function structures and signatures to improve the overall experience of working with 1Password SDKs.</p> <p>Here is what you can expect with version 0 releases:</p> <ul> <li>There is a possibility for breaking changes when upgrading from one release to another, for example, 0.1.X to 0.2.0. Minor releases (0.1.X to 0.1.Y) will not have breaking changes.</li> <li>Integration authors may need to update their code when updating the SDK version. <strong>Running code and integrations won’t be affected, as these will have the SDK pinned at a specific version</strong> via package.json (JS), requirements.txt (Python), go.mod (Go).</li> <li>When we do make breaking changes, we’ll provide clear instructions on how to update your code, and we’ll offer support if needed. 
You can find information about the latest releases and upgrade instructions on the <a href="http://releases.1password.com">releases website</a> and the <a href="https://developer.1password.com/docs/sdks">documentation website</a>.</li> <li>We will provide three months of support and security patches for v0 SDKs so you can upgrade when it makes sense for your workflows and teams.</li> </ul> <p>Once we reach version 1, you can expect far fewer changes. Breaking changes would only be introduced in major version changes, if at all (for example, going from version 1.X to version 2.0), and would be clearly documented with instructions. We will also provide support and security patches for one year for all v1 releases of the SDKs.</p> <h2 id="get-started">Get started</h2> <p>Visit the <a href="https://developer.1password.com/docs/sdks">1Password Developers portal</a> for additional documentation and resources for 1Password SDKs, or explore the GitHub repos for the <a href="https://github.com/1Password/onepassword-sdk-js">Javascript</a>, <a href="https://github.com/1Password/onepassword-sdk-python">Python</a>, and <a href="https://github.com/1Password/onepassword-sdk-go">Go</a> SDKs.</p> <p>If you’d like to learn more, <a href="https://1password.com/webinars/introducing-1password-sdks/?utm_ref=blog">sign up for the live webinar</a> on August 28 for an in-depth introduction to 1Password SDKs. You’ll learn how to use the SDKs to retrieve secrets, rotate credentials, and more from Simon Barendse, Engineering Team Lead for the 1Password SDKs project.</p> <p>We can’t wait to see what you build with 1Password SDKs!</p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Start building with 1Password SDKs</h3> <p class="c-call-to-action-box__text"> Leverage open-source 1Password SDKs for Javascript, Python, and Go to easily and securely integrate your application with 1Password. 
</p> <a href="https://developer.1password.com/docs/sdks/?utm_ref=blog" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Explore the documentation </a> </div> </section></description></item><item><title>1Password®️ Extended Access Management now available for Microsoft Entra and in private beta for Google Workspace customers</title><link>https://blog.1password.com/extended-access-management-availability-updates/</link><pubDate>Wed, 07 Aug 2024 00:00:00 +0000</pubDate><author>info@1password.com (Steve Won)</author><guid>https://blog.1password.com/extended-access-management-availability-updates/</guid><description> <img src='https://blog.1password.com/posts/2024/extended-access-management-availability-updates/header.png' class='webfeedsFeaturedVisual' alt='1Password®️ Extended Access Management now available for Microsoft Entra and in private beta for Google Workspace customers' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">With remote work, bring-your-own-device, and shadow IT apps becoming commonplace, the number of unsanctioned apps and untrusted devices is rapidly climbing. And cybersecurity and IT leaders have been stuck with tools that only secured access to some applications, some devices, and some people, creating an <a href="https://blog.1password.com/explaining-the-access-trust-gap/">Access-Trust Gap</a>.</p> <p>That’s why we pioneered a new software cybersecurity category: Extended Access Management (XAM). Extended Access Management solves the <a href="https://1password.com/extended-access-management">Access-Trust Gap</a> by securing every sign-in, for every app, from every device. It’s also why we launched <a href="https://1password.com/product/xam">1Password®️ Extended Access Management</a> in May 2024. 
It’s the only product on the market that solves the Access-Trust Gap.</p> <p>1Password Extended Access Management has been available to Okta customers since its release. Due to the demand we’ve seen from companies of all sizes, including those who use identity providers like Microsoft Entra and Google Workspace, we’ve accelerated our product roadmap. As a result, 1Password Extended Access Management is now available to Microsoft Entra customers and in private beta for Google Workspace customers.</p> <p>Today’s advancements accelerate key capabilities of 1Password Extended Access Management:</p> <ul> <li><strong>Device Trust</strong> support for Microsoft Entra is now generally available, and support for Google Workspace is now in private beta testing. Device Trust keeps unknown and unhealthy devices away from sensitive data by checking the health of every device, and providing step-by-step guidance for end users to bring those devices into compliance before granting access.</li> <li><strong>Application Insights</strong> is now in private beta testing. Application Insights gives businesses visibility into the applications their employees are actually using, so they can guide users toward company-approved applications, or manage access to unmanaged apps.</li> <li><strong>User Identity</strong> is now in private beta testing. User Identity gives businesses who don’t currently have an identity security solution an easy way to manage end-user identities throughout their entire lifecycle. 
It provides an access gateway to both managed and unmanaged apps.</li> <li><strong>Universal Sign-On</strong> provides a unified login experience across managed and unmanaged apps, whether accessed through passwords, passkeys, MFA, or third-party identity security solutions.</li> </ul> <h2 id="whats-new-in-1password-extended-access-management">What’s new in 1Password Extended Access Management</h2> <h3 id="device-trust-support-for-microsoft-entra-and-google-workspace">Device Trust support for Microsoft Entra and Google Workspace</h3> <p>Device Trust is now compatible with Microsoft Entra ID (now generally available) and Google Workspace (now available to select customers in private beta).</p> <p>This means that in addition to Okta customers, Microsoft Entra customers can now implement the Device Trust component of 1Password Extended Access Management. A limited number of Google Workspace customers will also be able to begin testing the integration, with more users being invited to participate in the beta over time. With Device Trust implemented, device compliance becomes a requirement for accessing company resources.</p> <p>It also saves precious IT time by giving end users step-by-step instructions to bring their device into compliance. 
And that holds true not just for employees, but third parties like contractors, too.</p> <p><strong>Extend single sign-on to every application with User Identity</strong></p> <p>User Identity fills the gaps for 1Password customers who don’t have an identity security solution in their stack, positioning 1Password as an access gateway to both managed and unmanaged apps.</p> <p>Extending single sign-on to every application secures access to every website and app to mitigate vulnerabilities, and gives admins the ability to manage identity lifecycles from provisioning access to offboarding.</p> <p><strong>Take control of shadow IT with Application Insights</strong></p> <p>Application Insights gives admins visibility into the applications employees are actually using. From there, they can:</p> <ul> <li>Secure access to unmanaged apps</li> <li>Consolidate unused licenses to reduce spend</li> </ul> <p>Instead of trying to stamp out every instance of shadow IT that pops up, admins can manage access to those applications, or guide employees toward company-approved apps.</p> <h3 id="secure-every-authentication-method-no-matter-how-employees-sign-in-with-universal-sign-on">Secure every authentication method, no matter how employees sign in, with Universal Sign-On</h3> <p>1Password Extended Access Management now offers comprehensive Universal Sign-On.</p> <p>This means that your employees can use any authentication method to create an account for a particular site or service. They could use a traditional username and password, MFA, or a passkey. They could sign in with their Google or Microsoft credentials. Or they could use the new User Identity functionality (which, again, uses 1Password as an access gateway to managed and unmanaged apps).</p> <p>No matter the underlying authentication method, employees don’t need to think about <em>how</em> they sign in. 
All they have to do is click, and 1Password will sign in for them.</p> <h2 id="device-trust-in-action-microsoft-entra-edition">Device Trust in action: Microsoft Entra edition</h2> <p>Let’s look at how end users will encounter Device Trust in their day-to-day work, and how it protects your business.</p> <ul> <li>Imagine an employee is signing in to a service – Microsoft 365, for example – in a web browser.</li> <li>Prior to completing the sign-in process, that user will be asked to verify the health of the device they’re using to sign in.</li> <li>A simple click starts the Device Trust verification process. The Device Trust agent then checks the health of the device against parameters determined by the 1Password account admin.</li> <li>Once device health is verified, the sign-in process continues, and the user is signed in.</li> <li>If a device fails a health check (if the web browser they’re signing in with isn’t up-to-date, for example), the user is given instructions on how to fix the issue, and they can run the check again once that’s done.</li> </ul> <img src="https://blog.1password.com/posts/2024/extended-access-management-availability-updates/microsoft-sign-in.png" alt="The Microsoft sign-in page, with 1Password offering to autofill credentials" title="The Microsoft sign-in page, with 1Password offering to autofill credentials" class="c-featured-image"/> <img src="https://blog.1password.com/posts/2024/extended-access-management-availability-updates/approve-with-kolide.png" alt="Microsoft sign-in flow, with 1Password Extended Access Management asking to verify the identity of the user signing in." title="Microsoft sign-in flow, with 1Password Extended Access Management asking to verify the identity of the user signing in." class="c-featured-image"/> <p>We’ll be demoing Device Trust and other 1Password Extended Access Management functionality at BlackHat on August 7–9th. 
If you’re in the neighborhood, stop by Booth 968 to see it in action.</p> <p>In the meantime, you can also <a href="https://1password.com/contact-sales/xam">schedule a demo</a> to see it all in action.</p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Request a demo</h3> <p class="c-call-to-action-box__text"> Schedule a demo of 1Password Extended Access Management to learn how to secure every sign-in, to every app, from every device. </p> <a href="https://1password.com/contact-sales/xam/?utm_ref=blog" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Schedule a demo </a> </div> </section></description></item><item><title>The risks of end of life software and how to address them</title><link>https://blog.1password.com/end-of-life-software/</link><pubDate>Tue, 06 Aug 2024 00:00:00 +0000</pubDate><author>info@1password.com (Kenny Najarro)</author><guid>https://blog.1password.com/end-of-life-software/</guid><description> <img src='https://blog.1password.com/posts/2024/end-of-life-software/header.png' class='webfeedsFeaturedVisual' alt='The risks of end of life software and how to address them' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">The thing about nostalgia is that it conveniently omits all the past&rsquo;s imperfections.</p> <p>Regardless of what car dads will tell you, older isn&rsquo;t always better. 
American muscle cars are beloved for their admittedly cool looks, but we&rsquo;d rather not think about their safety features (spoiler: <a href="https://driversed.com/trending/timeline-car-safety-through-years">there weren&rsquo;t many</a>).</p> <img src='https://blog.1password.com/posts/2024/end-of-life-software/old-versus-new-car-crash.jpg' alt='A still of a test car crash between older and newer car models.' title='A still of a test car crash between older and newer car models.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p><a href="https://youtu.be/fPF4fBGNK0U?si=-8MPlGDe5789ziVR">Source: 2009 Chevy Malibu vs 1959 Bel Air Crash Test | Consumer Reports</a></p> <p>Though we may be fond of our classic cars, the cold, hard truth is that nothing is built to last, including software.</p> <p>Regardless of your attachment to a piece of software — for sentimental, technical, or (most likely) monetary reasons — every app, plugin, and OS you use will one day be put out to pasture. And that may put you and your company in a precarious position because it&rsquo;s <em>dangerously easy</em> to keep using software past its EOL date.</p> <p>Many organizations struggle to muster the will or the budget to get rid of EOL software, and take an &ldquo;if it ain&rsquo;t broke, don&rsquo;t fix it&rdquo; attitude. 
But keeping software around when it&rsquo;s no longer getting security patches is extremely risky – on par with driving one of those pre-seatbelt muscle cars down the highway.</p> <blockquote> <p>Updating or replacing any part of your tech stack is expensive, difficult, and frustrating, but between that and a data breach, we know what outcome most would prefer.</p> </blockquote> <p>So let&rsquo;s explore what it means for software to be at its end of life, why organizations continue to use software past its expiration date, and how you can best manage the risks associated with it.</p> <h2 id="what-is-end-of-life-eol-software">What is end of life (EOL) software?</h2> <p>End of Life (EOL) software describes the moment a developer or vendor decides to no longer provide technical support, security patches, or updates to their software.</p> <p>Software has a pretty simple and predictable life cycle. After it&rsquo;s released to the general public, a piece of software is available until its creator decides to stop selling it. (If the software is free, then you can skip to the next step.) Then, for a variable amount of time, the no-longer-for-sale software will continue to receive security patches and updates until the vendor stops supporting it.</p> <img src='https://blog.1password.com/posts/2024/end-of-life-software/EOL-CYCLE.jpg' alt='An infographic displaying the lifecycle of software from the first version of a product to its end of sales to its end of life/support while the subsequent product version follows.' title='An infographic displaying the lifecycle of software from the first version of a product to its end of sales to its end of life/support while the subsequent product version follows.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>Once a piece of software is no longer supported, it is effectively sunsetted, and using it becomes very dangerous. 
There are a few reasons for that, but the main one is that if any vulnerabilities are discovered in the software, there&rsquo;s no one to fix them, so they will remain exposed.</p> <h2 id="how-do-you-know-when-software-has-reached-its-end-of-life">How do you know when software has reached its end of life?</h2> <p>Unfortunately, it&rsquo;s difficult to keep track of which software in your tech stack will be next to get a vendor&rsquo;s ax. Sometimes you&rsquo;ll get an email from the vendor letting you know about a sunsetting date; sometimes you won&rsquo;t. (Especially if that vendor is no longer in business.)</p> <p>If the software is popular enough, it may get a blog post or two on your favorite cybersecurity publication; it also may not. So you&rsquo;ll have to find other avenues like this <a href="https://endoflife.date/">aggregator</a> that keeps track of over 200 products' most recent updates, EOL dates, and technical and security support dates.</p> <p>One of the more important distinctions to understand about EOL software is that more often than not, it&rsquo;s a <em>version</em> of a software that is no longer being supported rather than the software as a whole. Firefox, Microsoft Office, and many other applications have kept the same names for years or even decades, but have gone through numerous versions that are no longer supported. To understand how to keep track of these changes, let&rsquo;s look at the example of macOS.</p> <p>When Apple releases a new OS – especially one like Ventura, which introduced Rapid Security Responses – admins need to update the OS across their fleet to take advantage of security upgrades. However, upgrading your entire fleet to a new OS may be a tall order and take weeks or months to accomplish.</p> <p>That&rsquo;s not the end of the world, as long as the versions across your fleet are still being supported and patched. 
Yet, as we can see, the same day Apple debuted macOS 14 Sonoma it stopped supporting macOS 11 Big Sur, so anyone still hanging onto that OS needed to update ASAP. Unfortunately, those Big Sur users may not be aware that they can&rsquo;t put off updating anymore.</p> <img src='https://blog.1password.com/posts/2024/end-of-life-software/macOS-EOL-table.jpg' alt='A screenshot from endoflife.date showing the end of life dates of past macOS versions as well as active ones.' title='A screenshot from endoflife.date showing the end of life dates of past macOS versions as well as active ones.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p><a href="https://endoflife.date/macos">Source: macOS End of Life Table</a></p> <p>You&rsquo;d think a company like Apple would keep an official accounting of EOL dates for its operating systems — they don&rsquo;t, leading it to be a community effort to keep track of it. (However, they do provide <a href="https://support.apple.com/en-us/HT201624">a list of obsolete hardware products</a>, if you were wondering.)</p> <p>Operating systems have increasingly frequent updates, but they pale in comparison to web browsers. <a href="https://endoflife.date/firefox">Firefox</a> updates <em>once a month</em> and the support windows for each previous update are a month long as well.</p> <h2 id="end-of-life-software-risks">End of life software risks</h2> <p>Tick, tick, tick. 
That&rsquo;s the sound a piece of software starts making once it reaches EOL.</p> <p>The risks of using EOL software include increasing the likelihood of a data breach, the data breach becoming more costly, and <a href="https://gdpr.eu/compliance-checklist-us-companies/">increasing your legal liability</a> if you knew about the risk and failed to update.</p> <p>Once a piece of software reaches its End of Life, it will no longer receive security patches or updates, leaving it to be feverishly picked apart by bad actors looking for vulnerabilities.</p> <p>For example, <a href="https://www.sonicwall.com/support/product-notification/urgent-security-notice-critical-risk-to-unpatched-end-of-life-sra-sma-8-x-remote-access-devices/210713105333210/">SonicWall&rsquo;s customers</a> were hit by ransomware attacks when its end-of-life VPN appliances were exploited. SonicWall provided its customers an <a href="https://www.sonicwall.com/support/product-lifecycle-tables/sonicwall-secure-mobile-access-100-series/hardware/">official product life table</a> and warned its customers to update their firmware when they became aware of the threat, but not everyone listened.</p> <p>In <a href="https://www.bleepingcomputer.com/news/security/sonicwall-warns-of-critical-ransomware-risk-to-eol-sma-100-vpn-appliances/">a statement</a> to BleepingComputer, SonicWall took an urgent tone, saying: &ldquo;The continued use of unpatched firmware or end-of-life devices, regardless of vendor, is an active security risk.&rdquo;</p> <p>Using EOL software doesn&rsquo;t just increase your likelihood of a data breach, it makes a breach more costly. According to a <a href="https://www.kaspersky.com/blog/it-security-economics-2020-part-2/">Kaspersky report</a>, data breaches cost 47% (about $389,000) more in organizations that use outdated software. 
&ldquo;The cost of a data breach rises by 47% to an estimated $1.225m in enterprises that still deploy outdated technology, compared to $836k where all software and hardware are up-to-date,&rdquo; states the report. And it&rsquo;s even worse for SMBs, where outdated technology makes breaches 54% more costly.</p> <p>These higher costs can be attributed to two factors. For one thing, you have to immediately pay for upgrades to the compromised software. For another, it often takes longer for companies to discover a breach in EOL software, and the longer one goes on, the more costly it becomes.</p> <h2 id="why-do-organizations-keep-eol-software">Why do organizations keep EOL software?</h2> <p>Resisting change seems like a fool&rsquo;s errand, unless you&rsquo;re a <a href="https://www.smithsonianmag.com/history/what-the-luddites-really-fought-against-264412/">proud Luddite</a>. So why do so many companies still have old, rickety, and dangerous software still kicking around?</p> <p>The reasons why companies don&rsquo;t replace their EOL software are multifaceted, but as you can (always) assume: money is at the top of the list.</p> <h3 id="money">Money</h3> <p>One of the industries with a pervasive EOL software problem is healthcare. A 2022 <a href="https://www.watchguard.com/wgrd-resource-center/infographic/cybersecurity-healthcare-industry">Gartner Peer Insight survey</a> of IT and security professionals working in healthcare found that nearly half had suffered a breach in the last two years, and named end-of-life systems as a &ldquo;root cause.&rdquo;</p> <p>A <a href="https://www.kaspersky.com/about/press-releases/2021_73-of-healthcare-providers-use-medical-equipment-with-a-legacy-os">2021 Kaspersky report</a> reveals that more than 73% of healthcare providers use medical equipment that runs on a legacy OS, which creates frightening risks. 
In 2022, the FBI released a <a href="https://www.ic3.gov/Media/News/2022/220912.pdf">bulletin</a> that unpatched and outdated medical devices were primed for cyberattacks that could force insulin pumps and pacemakers to provide inaccurate readings and drug overdoses. Clearly, the stakes could not be higher. So what could possibly be standing in the way? Sadly, it comes down to cost.</p> <p>The healthcare sector relies on specialized software and hardware that&rsquo;s extremely difficult and expensive to replace. Ordr CEO Jim Hyman <a href="https://healthitsecurity.com/features/outdated-operating-systems-remain-key-medical-device-security-challenge">laid out the problem in an interview with <em>HealthITSecurity</em></a>: &ldquo;For an industry that is already under pressure from a budgetary perspective, the thought of replacing a ton of devices that are running outdated systems without patches, unfortunately is just not an option for a lot of these organizations.&rdquo; Instead, Hyman advocated practicing better security through zero trust and network segmentation.</p> <h3 id="vendors-havent-informed-them">Vendors haven&rsquo;t informed them</h3> <p>Sometimes it&rsquo;s a breakdown in communication between your vendors and <em>their vendors</em> that leaves your organization vulnerable.</p> <p>Accellion&rsquo;s legacy file transfer application (FTA) was <a href="https://www.mandiant.com/resources/blog/accellion-fta-exploited-for-data-theft-and-extortion">breached in 2021</a>. TechRepublic <a href="https://www.techrepublic.com/article/kroger-data-breach-highlights-urgent-need-to-replace-legacy-end-of-life-tools/">reported</a> that Accellion&rsquo;s software ran on the <a href="https://cloud.google.com/compute/docs/eol/centos6">CentOS 6</a> operating system, which reached its EOL date on November 30, 2020, just weeks before the attacks started. 
While Accellion encouraged its customers to migrate to a new product that didn&rsquo;t run on CentOS, it&rsquo;s not clear that it conveyed that migration was an urgent security matter.</p> <p>And with that lapse in communication, large corporations like <a href="https://www.kroger.com/i/accellion-incident">Kroger</a> and <a href="https://techcrunch.com/2021/07/08/the-accellion-data-breach-continues-to-get-messier/">Morgan Stanley</a> fell victim to the outdated product, resulting in sensitive data being exposed. As Karen Walsh, CEO at Allegro Solutions explained, &ldquo;As CentOS 6 moved to end-of-life, Accellion needed to move their customers to a new platform. In the meantime, these malicious actors used a traditional SQL injection methodology to gain access.&rdquo;</p> <p>Oliver Tavakoli, CTO of Vectra, told TechRepublic that the lesson here is to keep a close eye on products approaching legacy status, since they may not be getting adequate vulnerability testing. Furthermore, take requests to migrate to a new product seriously, even if security isn&rsquo;t explicitly mentioned as a driver. &ldquo;When the vendor&hellip;spends 3 years trying to coax you to their new product, you may want to consider the subtext of that communication,&rdquo; Tavakoli said.</p> <h3 id="eol-software-can-be-shadow-it">EOL software can be Shadow IT</h3> <p>So far, we&rsquo;ve assumed that we&rsquo;re talking about company-managed software sanctioned by the IT and Security teams. But if we&rsquo;re being realistic, that&rsquo;s not always the case. There is an epidemic of <a href="https://blog.1password.com/shadow-it-employee-productivity/">shadow IT</a> in the workforce, which certainly includes EOL software. 
In fact, <a href="https://blog.1password.com/unmanaged-devices-run-rampant/">our Shadow IT Report</a> found that 47% of companies allow unmanaged devices – which are functionally invisible to security and IT teams – to access their company resources.</p> <p>That&rsquo;s why any strategy for ridding yourself of EOL software must include a <a href="https://blog.1password.com/what-is-device-trust/">device trust solution</a> that can detect these vulnerable programs on employee devices, and stop them from accessing sensitive data until the program is updated or uninstalled.</p> <h2 id="how-to-manage-the-risks-of-eol-software">How to manage the risks of EOL software</h2> <p>If you were hoping for tips on how to keep using your EOL software, we sadly can&rsquo;t give them to you. The only truly safe strategy is to identify and eliminate software once it&rsquo;s no longer supported, but we can give you some concrete advice on how to do that.</p> <h3 id="monitor-eol-status">Monitor EOL status</h3> <p>As we mentioned earlier, it can be quite arduous to keep up with EOL dates and announcements manually. For a more programmatic approach, the wonderful people at the endoflife.date aggregator have <a href="https://endoflife.date/docs/api">created an API</a> that lets you be alerted whenever a piece of software reaches EOL.</p> <p>While it&rsquo;s by no means foolproof, if your software is listed on the site, it may be one of your best bets to keep as up-to-date as possible.</p> <h3 id="remove-eol-software-from-your-system">Remove EOL software from your system</h3> <p>Once you know a piece of software is approaching its EOL date, start planning your migration to a new version – or potentially, a new application altogether. Depending on how disruptive the changeover will be, you may want to stagger the transition over multiple weeks or even months, but the important thing is to <em>start</em>. 
Don&rsquo;t wait until a program is no longer supported to transition off it!</p> <p>For employee-facing applications, particularly those that require end user input to update, focus on direct communication. Let users know about the coming change, the reasons for it, and set a firm deadline, after which the old software will no longer be permitted.</p> <p>Ideally, you can get end users to take action themselves, rather than forcibly uninstalling software via <a href="https://blog.1password.com/pros-and-cons-of-mdms/">MDM</a>, since that can lead to data loss events and general frustration.</p> <h3 id="identify-and-block-eol-software-on-end-user-devices">Identify and block EOL software on end user devices</h3> <p>Rooting out legacy software on servers or IoT devices isn&rsquo;t easy, but can still be accomplished with centralized control. It&rsquo;s much more complex to phase out EOL software when it lives on employee devices. For one thing, updating software via MDM often requires forced restarts, which are unpopular to the point of nonviability. On top of that, as we mentioned, IT has no ability to enforce policy on unmanaged devices.</p> <p>What&rsquo;s needed is a programmatic solution that identifies and blocks EOL software without causing havoc for end users and IT. And that calls for device trust.</p> <p><a href="https://www.kolide.com/blog/kolide-announces-okta-device-trust-integration">Device trust</a> is the idea that a device must meet an organization&rsquo;s minimum security requirements before it can access sensitive data. 1Password Extended Access Management, our device trust solution – which we promise we&rsquo;re only mentioning because it&rsquo;s the best – lets you write custom checks that can stop users from authenticating if they are running an unsupported version of a given piece of software. 
(It will also instruct users on how to update or uninstall the application so they can authenticate successfully.)</p> <img src='https://blog.1password.com/posts/2024/end-of-life-software/macOS-out-of-date-check.jpg' alt='A screenshot of Kolide&#39;s macOS out of date Check blocking an end user.' title='A screenshot of Kolide&#39;s macOS out of date Check blocking an end user.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>Let&rsquo;s take <a href="https://learn.microsoft.com/en-us/lifecycle/announcements/update-adobe-flash-support">Adobe Flash</a> as an example. Since it sunsetted in 2020 – pour one out for Flash, those <a href="https://gamerant.com/best-classic-flash-games/#clear-vision">games</a> will live in internet history – it should be long gone from any corporate devices. But just in case it&rsquo;s not, you can enter a SQL query in 1Password Extended Access Management&rsquo;s Custom Check editor to create a Check that effectively prohibits its presence, alerts your end users to uninstall it, and provides fix instructions (written by you – but we make it easy!) so your end users know what to do and why this issue is important.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-sql" data-lang="sql">WITH forbidden_program_names (forbidden_program_name) AS (
  -- Supply forbidden program names wrapped in parentheses and comma-separated
  -- below. For example: (&#39;Microsoft Teams&#39;),(&#39;Zoom&#39;)...
  -- Wildcard % characters are supported for partial matches
  VALUES (&#39;Adobe Flash%&#39;)
),
-- This section looks for matches of your provided program identifiers or names
-- with those installed on your device.
-- Note: the query runs as osquery SQL; the programs table is the Windows
-- installed-programs table (other platforms expose installed software through
-- different tables, such as apps on macOS).
forbidden_programs AS (
  SELECT
    p.name,
    p.version,
    p.identifying_number,
    p.install_location
  FROM forbidden_program_names fpn
  LEFT JOIN programs p ON p.name LIKE fpn.forbidden_program_name
  -- Drop the pattern rows that matched nothing (NOT NULL is SQLite&#39;s postfix IS NOT NULL)
  WHERE name NOT NULL
),
matching_forbidden_programs AS (
  SELECT
    COUNT(*) AS matching_programs_count
  FROM forbidden_programs
),
-- Using LEFT JOINS against the &#39;time&#39; table (which always returns exactly
-- one row) we return attestable output even when no matches are found
merge_data AS (
  SELECT
    matching_programs_count,
    fp.*
  FROM time
  LEFT JOIN matching_forbidden_programs
  LEFT JOIN forbidden_programs fp
),
failure_logic AS (
  SELECT *,
  CASE
    WHEN (
      matching_programs_count = 0
    ) THEN &#39;PASS&#39;
    WHEN (
      matching_programs_count &gt; 0
    ) THEN &#39;FAIL&#39;
    ELSE &#39;UNKNOWN&#39;
  END AS KOLIDE_CHECK_STATUS,
  -- One row per matching install, keyed by name and version
  CONCAT(name, &#39; - (&#39;, version, &#39;)&#39;) AS primary_key
  FROM merge_data
)
SELECT * FROM failure_logic;
</code></pre></div><h2 id="the-final-countdown">The final countdown</h2> <p>Although outdated software may be technically functional, that doesn&rsquo;t mean it&rsquo;s safe for your organization. Each passing day that End of Life software remains across your fleet is another roll of the dice. 
And hopefully, this article can help you convince your company&rsquo;s leadership that this isn&rsquo;t a gamble worth making.</p> <p>Want more security and IT insights like this? <a href="https://1password.com/kolidescope-newsletter">Subscribe to the Kolidescope newsletter!</a></p></description></item><item><title>What's driving the fluctuating costs of cyber liability insurance?</title><link>https://blog.1password.com/fluctuating-cyber-liability-insurance/</link><pubDate>Tue, 06 Aug 2024 00:00:00 +0000</pubDate><author>info@1password.com (Elaine Atwell and Aida Knežević)</author><guid>https://blog.1password.com/fluctuating-cyber-liability-insurance/</guid><description> <img src='https://blog.1password.com/posts/2024/fluctuating-cyber-liability-insurance/header.png' class='webfeedsFeaturedVisual' alt='What's driving the fluctuating costs of cyber liability insurance?' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">When you tell people you&rsquo;re writing a piece on cybersecurity insurance, they tend to look at you with a mix of confusion and pity.</p> <p>Even when you interview cyber insurance professionals, they preemptively apologize for boring you.</p> <p>The truth is, cyber liability insurance – like any other kind of insurance – is pretty boring, right up until the point that the people who need it can&rsquo;t get it. Then it becomes not only interesting, but vital. And that&rsquo;s the point we&rsquo;re approaching now.</p> <p>In the past three years, the cost of cyber liability premiums hasn&rsquo;t so much skyrocketed as it has teleported. In 2021, the cost of cyber insurance <a href="https://www.ciab.com/download/31507/">increased 25.5% year-over-year</a>, making it the fastest growing premiums of all lines of insurance. 
2022 was even worse, with <a href="https://fortune.com/2023/02/15/cost-cybersecurity-insurance-soaring-state-backed-attacks-cover-shmulik-yehezkel/">rates doubling in the first quarter</a> and increasing a further <a href="https://www.marsh.com/uk/about/media/global-commercial-insurance-rates-continue-moderate-trend-q2-2022.html">79% in Q2</a>.</p> <p>As of 2024, these massive price jumps have <a href="https://www.cybersecuritydive.com/news/cyber-insurance-prices-moderate-q1/648807/">stabilized somewhat</a>, with increased competition in the market even leading to <a href="https://www.darkreading.com/cyber-risk/cyber-insurance-prices-decline-market-competition-grows">a decline</a> in average premium costs – though prices still remain far higher than they were in 2021.</p> <blockquote> <p>(A note on data: sources differ in the exact percentages of price changes depending on whether they&rsquo;re studying U.S. or global markets, or new versus renewed policies, but they all tell the same basic story.)</p> </blockquote> <p>If you&rsquo;re looking at your own cyber insurance policy and scratching your head (or pulling out your hair), you likely have three questions:</p> <ol> <li> <p>What is causing cybersecurity insurance costs to fluctuate so dramatically?</p> </li> <li> <p>Do I really need cyber insurance or can I go without it?</p> </li> <li> <p>What can I do to reduce my cyber liability premiums?</p> </li> </ol> <p>Let&rsquo;s try to answer all three.</p> <h2 id="why-is-cybersecurity-insurance-so-expensive-now">Why is cybersecurity insurance so expensive now?</h2> <p>There&rsquo;s a simple and a complicated answer to this question.</p> <p>As far as why premiums rose so sharply in recent years, you could probably figure out the simple answer on your own: cyber insurance costs more now because of the huge rise in data breaches and hacks in the post-COVID world. 
When the pandemic hit and employees started working remotely en masse, it created a <a href="https://blog.1password.com/unmanaged-devices-run-rampant/#the-origins-of-the-unmanaged-device-problem">cybersecurity crisis</a>. Workers accessed sensitive data on their personal, unmanaged devices and outside the protection of the company VPN, and bad actors seized on the chance to launch a campaign of phishing, ransomware, and other cybercrime attacks that targeted vulnerable employees on vulnerable devices.</p> <p>All these breaches created a tidal wave of insurance claims that threatened the profitability of the entire field. <a href="https://www.theinformation.com/articles/companies-are-ditching-cybersecurity-insurance-as-premiums-rise-coverage-shrinks?rc=xw1brz"><em>The Information</em></a> reported that &ldquo;collectively, insurers' payouts to customers nearly exceeded the amount they collect via premiums.&rdquo; In response, insurers not only jacked up prices, they instituted much tougher underwriting requirements (more on that later), and trimmed what their policies would cover.</p> <p>In general, it&rsquo;s not hard to understand why <a href="https://www.cnbc.com/2024/07/24/crowdstrike-biggest-test-yet-for-cyber-insurance-buffett-warned-about.html">Warren Buffett warned</a> against cyber insurance as an investment option, given the field&rsquo;s continuous change and potential for loss at a major scale. The <a href="https://www.msspalert.com/news/what-questions-should-you-be-asking-your-cyber-insurance-provider">massive outages</a> of summer 2024 are just one example of the kind of unprecedented events that cyber insurance companies have to contend with.</p> <p>The more complicated answer to our original question is that companies themselves helped create this crisis by investing more in insurance than they did in actual security. 
As far back as 2017, <a href="https://www.business.att.com/content/dam/attbusiness/reports/cybersecurity-report-v6.pdf">AT&amp;T named</a> &ldquo;overreliance on cyber insurance&rdquo; as one of its three chief cybersecurity concerns. According to their report: &ldquo;Nearly 3 in 10 survey respondents (28%) plan to allocate all or most of their cybersecurity budget to insurance in anticipation of future incidents.&rdquo;</p> <p>That&rsquo;s not to say that every company is to blame for its own misfortunes. In insurance, a few irresponsible actors and careless underwriters can drive premiums up for everyone.</p> <p>Finally, some of these premium increases over the last few years are probably just normal price corrections, since the concept of cyber insurance is still quite new (some <a href="https://slate.com/technology/2022/08/cyberinsurance-history-regulation.html">date the first policy to 1997</a>). &ldquo;When cyber liability insurance entered the marketplace, it was kind of an unknown,&rdquo; says <a href="https://amplifiedinsurance.com/staff/andrew-bucci/">Andrew Bucci</a>, VP of Sales at Amplified Insurance Partners. &ldquo;It was a new product and I don&rsquo;t think the underwriters really knew how to price it.&rdquo;</p> <h2 id="do-i-need-cyber-liability-insurance">Do I need cyber liability insurance?</h2> <p>The question everyone asks when insurance gets too expensive is: can I go without it? 
Unfortunately, if you digitally store sensitive customer data and/or payment information (so if you run anything more complicated than a lemonade stand) then you probably need a policy.</p> <p>We&rsquo;re not here to sell you cyber insurance, and plenty of small businesses still go without it, but hackers are <a href="https://www.forbes.com/sites/edwardsegal/2022/03/30/cyber-criminals/?sh=5d0eeaa752ae">increasingly targeting SMBs</a>, so you can&rsquo;t automatically assume you&rsquo;re too small to be a target.</p> <p>These days, a data breach costs businesses an average of <a href="https://www.ibm.com/reports/data-breach">$4.88 million</a> (a 10% increase from the year before). That could put a small company out of business if they lacked insurance. And beyond a simple payout, cyber insurance providers often help companies hire forensic experts to recover data, negotiate with ransomware attackers, and inform customers of a breach.</p> <p>Still, you can tailor your cyber insurance coverage to your budget and risk level. Standalone policies typically provide more coverage and assistance in the aftermath of a breach, but if you&rsquo;re not in a particularly vulnerable industry (such as healthcare), you can likely buy insurance as part of a larger business policy. This is common even in large organizations. According to <a href="https://www.forrester.com/blogs/the-state-of-cyber-insurance-2023/">Forrester&rsquo;s report</a>, The State of Cyber Insurance, 2023, 84% of enterprise decision-makers have cyber insurance, but only 26% report having a standalone cyber insurance policy.</p> <p>Furthermore, according to <a href="https://www.theinformation.com/articles/companies-are-ditching-cybersecurity-insurance-as-premiums-rise-coverage-shrinks?rc=xw1brz"><em>The Information</em></a>, some major enterprises with expensive policies are exploring alternative forms of insurance. 
&ldquo;In some cases, companies set up a captive insurer, an arrangement in which a company uses its capital to create an insurer whose only customer is the company.&rdquo;</p> <p>Small businesses, on the other hand, don&rsquo;t have such exotic options for going without traditional cyber insurance. Bucci acknowledges the tough position businesses are in when insurance becomes truly unaffordable: &ldquo;It&rsquo;s going to come to a point where some people may have to self-insure, which means that they don&rsquo;t take a cyber policy out and they just cross their fingers they don&rsquo;t have some sort of breach.&rdquo; In fact, as of late 2023, <a href="https://www.infosecurity-magazine.com/news-features/cyber-insurance-better-for-business/">only 17%</a> of small businesses were found to have cyber insurance at all.</p> <h2 id="how-much-does-cybersecurity-cost">How much does cybersecurity cost?</h2> <p>Beyond the broader shifts in cyber insurance costs, premiums will also depend on several variables, so it&rsquo;s tough to come up with an &ldquo;average cost.&rdquo; But there are a few factors that can drive the cost of a policy up or down.</p> <h3 id="your-industry">Your industry</h3> <p>Certain industries are subject to higher premiums because they are more susceptible to threats. Hospitals, for example, are a major target of ransomware attacks because they store sensitive patient data and will often choose to pay ransoms rather than risk their patients' lives by going offline.</p> <p>&ldquo;Healthcare businesses see substantial premiums. Because if they get hacked and one HIPAA-protected record gets into the wrong hands, that&rsquo;s going to be detrimental,&rdquo; Bucci explains. &ldquo;So you need a standalone cyber policy that&rsquo;s going to include coverage for social engineering and ransomware.&rdquo;</p> <p>On top of that, if you file a claim, &ldquo;You&rsquo;re going to need an experienced resource to come in and do forensics. 
And you will also need a policy that&rsquo;s going to pay to alert the individuals whose records have been breached, which typically costs $150 to $200 per notification.&rdquo;</p> <p>Some industries are considered so vulnerable that carriers may refuse to cover them at all. Dan Garcia-Diaz, managing director of the U.S. Government Accounting Office (GAO), <a href="https://www.cnbc.com/2022/10/11/companies-are-finding-it-harder-to-get-cyber-insurance-.html">told CNBC</a> that &ldquo;one insurer reported that it opted not to insure the energy sector because of its vulnerability to attacks and because of concerns that energy operators do not follow robust cyber security protocols.&rdquo;</p> <h3 id="revenue">Revenue</h3> <p>Your revenue plays a key role in how much you end up paying for your premium because insurance providers use <a href="https://foundershield.com/blog/understanding-insurance-costs-company-grows/">revenue for the rating basis</a>. If the provider&rsquo;s rate is $15 per $1000 in revenue, and your projected revenue is $900K, then your premium will be $13.5K.</p> <p>&ldquo;When you have $500K in revenue, you can get a $1 million or $2 million policy for much cheaper versus when you have $5 million in revenue,&rdquo; explains <a href="https://www.linkedin.com/in/joe-morrison-87525460/">Joe Morrison of Collard Advisory Group</a>.</p> <h3 id="history-of-breaches">History of breaches</h3> <p>Unsurprisingly, insurance carriers tend to charge more if you&rsquo;ve been breached in the past. But the correlation isn&rsquo;t necessarily as strong as you might think, depending on how your company responded to the breach.</p> <p>Says Bucci: &ldquo;It&rsquo;s always going to be a question on your application, but it&rsquo;s not the end-all, be-all. Maybe you were breached, but the claim was never paid out because you got the breach under control. 
What it&rsquo;s really going to come down to is what protections you have in place to keep a breach from happening again.&rdquo;</p> <p>That brings us to the next factor.</p> <h3 id="cybersecurity-assessment">Cybersecurity assessment</h3> <p>The evaluation of your security system and protocols is a critical step in the underwriting process.</p> <p>Typically, the insurance provider will require you to fill out a lengthy questionnaire that asks security-related questions. For example, you might need to provide information on your backup and recovery procedures.</p> <p>Most of the questions will be familiar to anyone who has gone through <a href="https://www.techtarget.com/searchsecurity/definition/Soc-2-Service-Organization-Control-2">SOC 2 certification</a>.</p> <p>Here&rsquo;s a (non-exhaustive) sampler from a questionnaire we reviewed:</p> <ul> <li> <p>Do you have third party software to protect your network such as antivirus and firewalls?</p> </li> <li> <p>Do you have an incident response plan in the event of a breach?</p> </li> <li> <p>Do you conduct an annual review and test of all your system backup and recovery procedures?</p> </li> <li> <p>Do you store health information?</p> </li> <li> <p>Do you store payment information?</p> </li> <li> <p>Do you use any software or hardware past its end of life date?</p> </li> <li> <p>Do you implement all required software updates for known vulnerabilities?</p> </li> </ul> <p>When going through the cybersecurity assessment, it&rsquo;s important to be honest, or you risk shooting yourself in the foot later on. &ldquo;Let&rsquo;s say that a company states it has a security measure in place and then a claim happens. When the insurance provider comes to investigate, and if the company said it had multifactor authentication but didn&rsquo;t, the insurer can deny the claim,&rdquo; says Bucci.</p> <p>Also, it&rsquo;s important to recognize the limits of your policy. 
<a href="https://www.fortinet.com/resources/cyberglossary/cyber-insurance#:~:text=A%20cyber%20insurance%20policy%20helps,services%2C%20and%20refunds%20to%20customers.">Fortinet explains</a> that cyber insurance policies &ldquo;often exclude issues that were preventable or caused by human error or negligence.&rdquo; They name poor security, insider attacks, and breaches arising from previously known vulnerabilities as examples of issues that can get your claim denied.</p> <h2 id="how-can-you-reduce-cyber-liability-insurance-costs">How can you reduce cyber liability insurance costs?</h2> <p>It&rsquo;s easy to feel helpless in the face of rising insurance costs, but there are ways to negotiate for a better rate.</p> <p>If you&rsquo;re shopping for a new cyber liability insurance policy or renewing an existing one, the following tips can help you pay less.</p> <h3 id="shop-around">Shop around</h3> <p>The insurance marketplace changes, so if you&rsquo;ve been renewing your policy with the same company and their prices keep increasing, your broker can help you re-negotiate a more favorable rate. Bucci recommends brokers shop rates out every three years to multiple companies, which will help you pay less for similar coverage.</p> <h3 id="bolster-your-cybersecurity-measures">Bolster your cybersecurity measures</h3> <p>Improving your company&rsquo;s security is the best way to ensure that coverage remains accessible and affordable for everyone, and that your claim is actually approved in the event of a breach. In fact, the average fall in costs through 2024 has been at least <a href="https://www.reuters.com/technology/cybersecurity/cyber-insurance-rates-fall-businesses-improve-security-report-says-2024-06-30/">partially attributed</a> to the many businesses that improved their security practices.</p> <p>According to Bucci, some insurance providers now require customers to have multifactor authentication (MFA) to protect against phishing and other credential-based attacks. 
That&rsquo;s just one in the <a href="https://www.infosecurity-magazine.com/news/growing-disparity-cyber-insurance/">growing number</a> of requirements and exemptions to insurance policies, which have left many companies not receiving the coverage they were relying on.</p> <p>The cyber insurance company <a href="https://info.coalitioninc.com/download-2022-cyber-claims-report.html">Coalition</a> recommends creating backups of critical data that you can use to avoid paying the ransom in a ransomware attack. Likewise, they advise keeping up-to-date on patching of both servers and employee devices, to protect against known vulnerabilities.</p> <p>Investing in security for your insurance provider is time-consuming and expensive, but it may actually protect you from a breach. According to Forrester, companies with standalone cyber insurance policies were the least likely to report a breach in the last 12 months. Granted, this is a small dataset, but it speaks to the larger value of taking security seriously.</p> <img src='https://blog.1password.com/posts/2024/fluctuating-cyber-liability-insurance/graph-min.png' alt='A graph from Forrester that asks how many times do you estimate that your organization&#39;s sensitive data was potentially compromised or breached in the last 12 months.' title='A graph from Forrester that asks how many times do you estimate that your organization&#39;s sensitive data was potentially compromised or breached in the last 12 months.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <h2 id="about-1password">About 1Password</h2> <p>At 1Password, we&rsquo;re a security company, not an insurance company, so we can only talk about rising premiums as observers (and customers). But we have observed that insurance costs seem to be one of the factors driving interest in our product and in security more broadly. 
The same circumstances that drove up cyber attacks and insurance premiums are also driving interest in Zero Trust security, and in our subset of it: extended access management.</p> <p>1Password Extended Access Management&rsquo;s <a href="https://blog.1password.com/what-is-device-trust/">device trust</a> solution reduces the likelihood of a breach by ensuring that only secure devices access company resources. And since <a href="https://blog.1password.com/unmanaged-devices-run-rampant/#:~:text=1Password%20Extended%20Access%20Management%20comes,accessing%20your%20company's%20cloud%20apps.">nearly half of companies</a> still allow unmanaged devices to access their apps, we have a rather large hole to fill.</p> <img src='https://blog.1password.com/posts/2024/fluctuating-cyber-liability-insurance/managed-devices-shadow-it-report-question-min.jpg' alt='A graph from our Shadow IT report asking about managed devices.' title='A graph from our Shadow IT report asking about managed devices.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>In addition, our enterprise password manager (EPM) helps guard against credential-based attacks, which are the leading cause of breaches, year after year.</p> <p>If you&rsquo;re looking for more peace of mind in a world full of cyber risks, <a href="https://1password.com/product/xam">read more here</a> about our security solutions.</p></description></item><item><title>Explaining the Access-Trust Gap</title><link>https://blog.1password.com/explaining-the-access-trust-gap/</link><pubDate>Mon, 05 Aug 2024 00:00:00 +0000</pubDate><author>info@1password.com (Elaine Atwell)</author><guid>https://blog.1password.com/explaining-the-access-trust-gap/</guid><description> <img src='https://blog.1password.com/posts/2024/explaining-the-access-trust-gap/header.png' class='webfeedsFeaturedVisual' alt='Explaining the Access-Trust Gap' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p 
class="introduction">In life, we’ve all encountered the gaps between the idealized world and the world as it is.</p> <p>You’d love your favorite sports team to have a perfect season, but you’re prepared for them to lose a few games.</p> <p>Retailers want to sell their entire inventory, but they plan for a certain percentage of their goods to be damaged or stolen.</p> <p>IT and security professionals try to ensure that only the right people can access their company’s resources, but acknowledge that some data will inevitably slip through the cracks.</p> <p>These gaps are acceptable, until they are not.</p> <p>When your favorite team loses <em>all</em> its games, it might be time for a new coach (or to stop being a <a href="https://www.theringer.com/nfl/2018/1/8/16861824/cleveland-browns-perfect-season-parade">Browns fan</a>). If a store’s merchandise keeps getting shoplifted, they need a security guard. And if a company’s sensitive data keeps being accessed by unapproved users, devices, and apps, then their security stack might not be up for the job.</p> <p>As you’ve probably guessed, we’re here to talk about that third example, which we call “The Access-Trust Gap.”</p> <h2 id="what-is-the-access-trust-gap">What is the Access-Trust Gap?</h2> <p>The Access-Trust Gap refers to the difference between the users, applications, and devices that a business <em>trusts</em> to access sensitive data, and those that can access it <em>in practice</em>.</p> <p>Put another way: every company agrees that access to its resources should be restricted to the people who need it, and that even those people need to treat it carefully. 
These are the most basic tenets of security, and you can see them every day in the physical world; you don’t let some random person waltz into your bank vault, and you don’t let a bank teller take a duffel bag full of cash to the nearest bar.</p> <p>In cybersecurity, however, determining trust and restricting access is much more complex, and that leads to a lot of unsanctioned access to sensitive data.</p> <p>In the inner circle of our Access-Trust graphic, you can see the types of access that are generally considered trustworthy because they are managed by a company’s IT team.</p> <img src="https://blog.1password.com/posts/2024/explaining-the-access-trust-gap/access-trust-gap.png" alt="An illustration of the Access-Trust Gap with managed users, devices, and apps at the center, and BYOD and unmanaged apps falling outside of the traditional security stack" title="An illustration of the Access-Trust Gap with managed users, devices, and apps at the center, and BYOD and unmanaged apps falling outside of the traditional security stack" class="c-featured-image"/> <ul> <li>In the case of devices, “trusted” means company-owned computers and phones that are usually <a href="https://blog.1password.com/pros-and-cons-of-mdms/">managed via MDM</a>, which can enforce certain security settings and remotely lock and wipe devices if needed.</li> <li>When we’re talking about users, trusted means employees whose access is centrally managed via an identity provider such as Okta, Microsoft, or Google.</li> <li>Trusted applications are those that are approved of and managed by the IT team, who can provision and deprovision users as needed.</li> </ul> <p>Unfortunately for security, a lot of business takes place outside this trusted inner circle. Users often do work on their personal, unmanaged devices. Not all end users are employees at all – some are guests and contractors. 
And teams increasingly rely on “shadow IT” applications that IT doesn’t even know about.</p> <p>To understand how this plays out in real life, imagine a chain of events in which:</p> <ol> <li>A third party contractor</li> <li>Uses their personal device to log into</li> <li>An unapproved file-sharing application</li> </ol> <p>Every element of this path presents risk. The contractor isn’t enrolled in Okta, so they can’t take advantage of its MFA for a secure sign-in. The contractor’s device isn’t managed by MDM and doesn’t have EDR installed, so it could be infected with malware. The file sharing application is known to be prone to breaches, so the sensitive data stored there isn’t really secure. Every issue snowballs on the next to create, well, a really big snowball of risk.</p> <h3 id="how-big-is-the-access-trust-gap">How big is the access-trust gap?</h3> <p>Research indicates that “untrusted” access is rampant in businesses across industries. 1Password’s <a href="https://1password.com/state-of-enterprise-security-report?utm_medium=social&amp;utm_source=blog&amp;utm_campaign=annual-report-2024">State of Enterprise Security report</a> found that over a third of workers use unapproved applications or tools for work, with tech workers leading the pack.</p> <img src="https://blog.1password.com/posts/2024/explaining-the-access-trust-gap/shadow-it.png" alt="Chart highlighting that one in three workers use shadow IT, with a breakdown of shadow IT usage in common industries" title="Chart highlighting that one in three workers use shadow IT, with a breakdown of shadow IT usage in common industries" class="c-featured-image"/> <p>Meanwhile, a <a href="https://blog.1password.com/unmanaged-devices-run-rampant/">2023 survey by Kolide</a> found that 47% of companies allow their workers to access company resources on unmanaged devices.</p> <p>So a little unscientific, back-of-the-napkin math tells us that something like half of companies have these vulnerabilities. 
(In reality, the number is probably bigger, because these problems are inherently invisible until something goes wrong.)</p> <h3 id="this-seems-bad-how-did-we-get-here">This seems bad. How did we get here?</h3> <p>There are two big factors that have widened the Access-Trust Gap in the past few years:</p> <ol> <li>The proliferation of SaaS apps</li> <li>The growth of hybrid work.</li> </ol> <p>In the first case, the number of apps used by the average organization has exploded since the 2010s. <a href="https://www.statista.com/statistics/1233538/average-number-saas-apps-yearly/">One study found</a> that in 2015, the average company used 8 SaaS apps, by 2020 it had grown to 80, and by 2022 it was a whopping 130 apps. Moreover, workers increasingly seek out and purchase these apps without IT’s knowledge or approval. (That doesn’t mean your company isn’t <em>paying for those apps</em>, by the way, it just means that workers make a budget instead of an IT request.)</p> <p>Ideally, you would want all these apps protected by SSO, so authentication is more secure and IT can manage identities from a central dashboard. Unfortunately, that’s extremely difficult to achieve even for the apps you <em>do</em> know about, given the <a href="https://blog.1password.com/explaining-the-backlash-to-the-sso-tax/">dreaded SSO tax</a> that frequently makes this feature unaffordable.</p> <p>The other factor at play here is the growth of a “work-from-anywhere” culture, which had been building for a while, but got a major pandemic boost. When workers left the office, many companies adopted BYOD policies, or simply accepted that they couldn’t stop users from working on their preferred, personal devices. And why couldn’t they stop them? 
Because of all those SaaS apps that you can log into from any device, without needing to be on a corporate network or VPN.</p> <p>Thus, you can see that these three seemingly disparate problems: unsecured identities, apps, and devices, are really all part of the same phenomenon. Three sides of the same extremely wonky coin, if you like – or maybe, three heads of the <a href="https://en.wikipedia.org/wiki/Cerberus">same fearsome dog</a>.</p> <h2 id="closing-the-access-trust-gap">Closing the Access-Trust Gap</h2> <p>Let’s be clear: there is more than one way to address the problems we’ve just gone over.</p> <p>For example, you could:</p> <ul> <li>Eliminate BYOD by buying everyone a company-owned phone and laptop</li> <li>Roll out VDI or similar software for third-party contractors to control their access</li> <li>Put every application behind SSO</li> <li>Manage employee devices to the degree that they are <em>unable</em> to access any application or website not approved by IT.</li> </ul> <p>The problem with those tactics is that they are extremely expensive, labor intensive, and damaging to productivity and worker experience.</p> <img src='https://blog.1password.com/posts/2024/explaining-the-access-trust-gap/compliance-comic.png' alt='Comic showing two compliance officers on a boat monitoring a worker tapping away on a laptop underwater. One of the officers remarks to the other that they&#39;ve successfully reduced the risk of fire.' title='Comic showing two compliance officers on a boat monitoring a worker tapping away on a laptop underwater. One of the officers remarks to the other that they&#39;ve successfully reduced the risk of fire.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>So, for the remainder of this section, we’re going to talk about how 1Password solves the Access-Trust Gap through 1Password®️ Extended Access Management (XAM). 
As you might guess from the name, our approach is based not on <em>eliminating</em> all the forms of access that fall outside traditional solutions, but <em>extending</em> protection to them.</p> <h3 id="devices">Devices</h3> <p>Your goal here is to ensure that only devices that are known (associated with an employee) and secure (in a compliant state) can access your company’s resources. This basic concept is known as <a href="https://blog.1password.com/what-is-device-trust/">device trust</a>.</p> <p>To accomplish this, you have basically two options:</p> <ol> <li><strong>Ban BYOD.</strong> Prohibit any unmanaged device from authenticating to your systems.</li> <li><strong>Secure BYOD.</strong> Allow unmanaged devices to authenticate, but only if they meet your security requirements (updated software, firewall turned on, etc.).</li> </ol> <p>Regardless of which route you take, 1Password Extended Access Management can help you get there. Our device trust solution makes the device itself into an authentication factor, so if a device doesn’t have the agent installed, it can’t log into the company’s apps. That means a bad actor with stolen employee credentials is out of luck unless they <em>also</em> have that employee’s device.</p> <p>If you want to eliminate BYOD, you could make a device being enrolled in MDM a requirement for authentication, and lock out personal devices.</p> <p>Alternatively, you can use device trust to manage devices outside the scope of MDM. Unlike MDM, XAM device trust can go onto personal and contractor devices, because it allows the user to maintain much more agency over their device, and (deliberately) does not have the ability to remotely wipe devices.</p> <p>That being said, device trust has a lot to offer for endpoints that <em>are</em> enrolled in MDM. It provides admins with much more comprehensive and customizable abilities to check for various device properties. 
1Password Extended Access Management includes a library of over 100 pre-built checks, plus the ability to write custom checks. By contrast, <a href="https://blog.1password.com/pros-and-cons-of-mdms/">MDM solutions can only manage a few types of issues</a>.</p> <p>An end user&rsquo;s laptop can be enrolled in MDM and still be running an unpatched browser, using unsecured software, and have plaintext credentials sitting on its hard drive. Device trust, on the other hand, would not permit a user to authenticate until they have fixed these issues.</p> <p>There’s also a bigger argument to be had as to whether those managed devices in the inner circle of the access-trust graphic should really be considered “trusted” at all, but for now, let’s move on to the other elements of 1Password Extended Access Management.</p> <h3 id="user-identities">User identities</h3> <p>Here the goals are threefold:</p> <ol> <li>Ensure with a high degree of confidence that a user is who they claim to be – let’s call that <strong>secure authentication.</strong></li> <li>Easily grant and revoke access so workers have the resources they need, but avoid excessive permissions, AKA <strong>role-based access control (RBAC)</strong>.</li> <li>Quickly and easily grant and remove access when someone joins or leaves the company, AKA <strong>onboarding/offboarding.</strong></li> </ol> <p>In all three cases, your most useful tool is single sign-on (SSO), but as we’ve discussed, managing those integrations can be difficult and cost-prohibitive.</p> <p>1Password Extended Access Management approaches this problem from multiple angles. User identity allows you to apply SSO to your apps and enable Universal Sign-On for your end users. 
This is ideal for small or new companies who haven’t signed onto an IAM solution like Okta or Microsoft Entra, and need a more streamlined and affordable way to manage access.</p> <p>You can also use user identity to centrally manage access for third-party contractors – assign them to a group and only grant that group access to specific apps.</p> <p>User identity also integrates with other IdPs so, for example, if you remove someone from your Google instance, that will automatically revoke their permissions via 1Password Extended Access Management, as well.</p> <p>Another key way of securing access is through the 1Password Enterprise Password Manager (EPM), the product we’re best known for. An EPM shores up authentication, especially on apps for which SSO is incompatible or unaffordable. It ensures workers are using secure, unique passwords, as well as enabling more secure forms of authentication, such as passkeys.</p> <h3 id="applications">Applications</h3> <p>Finally, you need to get visibility into the applications end users employ for work. That in itself is a huge challenge, because you have to collect relevant data without accidentally scooping up information about an employee’s personal apps. But your overall goal, much like with devices, is to ensure that only apps that are known and secure can access your company’s resources.</p> <p>Once you’ve identified the apps employees use for work, you can do three things:</p> <ol> <li>Ban unsanctioned shadow IT that you have determined to be a security risk or a financial burden.</li> <li>For Shadow IT apps you don’t object to, implement SSO to make them more secure.</li> <li>For both managed and unmanaged apps, eliminate unnecessary access for licenses that are going unused.</li> </ol> <p>The first two goals here are primarily about security, while the third is more about budget. 
That said, users who maintain access to resources after they no longer need it can lead to data breaches, most notably in the <a href="https://www.akingump.com/en/insights/blogs/ag-data-dive/ftc-takes-rare-step-in-bringing-an-enforcement-action-against-drizly-and-its-ceo">Drizly hack</a>.</p> <p>1Password Extended Access Management enables administrators to accomplish all three goals by flagging work-based apps being used and surfacing that list to admins, indicating whether those apps are being managed by SSO, who is using them, and how often they’re actually being used.</p> <h2 id="conclusion-mind-the-gap">Conclusion: Mind the gap</h2> <p>As we said in the introduction, gaps are acceptable until they’re not. Once a gap becomes so wide that it’s more of a canyon than a crack, people start getting worried and writing blog posts.</p> <p>We’ve now lived through <em>years</em> of preventable data breaches stemming from weak credentials, unsecured devices, and shadow IT – so much so that even the annual Verizon Data Breach Investigation Report is <a href="https://blog.1password.com/verizon-data-breach-report-2024-analysis/">starting to sound a little fed up</a>.</p> <p>Clearly, the Access-Trust Gap is something we can no longer live with. 
Thankfully, with 1Password Extended Access Management, we don’t have to.</p> <p><em>To learn more about how 1Password Extended Access Management can help close the gaps in your security stack, <a href="https://1password.com/contact-sales/xam">reach out to us here</a>.</em></p></description></item><item><title>Journalist Joseph Cox reveals how an ‘encrypted’ app sting took down organized crime</title><link>https://blog.1password.com/joseph-cox-crime-app-sting-interview/</link><pubDate>Mon, 05 Aug 2024 00:00:00 +0000</pubDate><author>info@1password.com (Jenn Marshall)</author><guid>https://blog.1password.com/joseph-cox-crime-app-sting-interview/</guid><description> <img src='https://blog.1password.com/posts/2024/joseph-cox-crime-app-sting-interview/header.png' class='webfeedsFeaturedVisual' alt='Journalist Joseph Cox reveals how an ‘encrypted’ app sting took down organized crime' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">What happens when the FBI gets a backdoor into an encrypted platform?</p> <p>Journalist and <em>404 Media</em> podcaster Joseph Cox tells the weirder-than-fiction true story about how the FBI ran its own tech company for organized crime in his book, <em><a href="https://www.amazon.com/Dark-Wire-Incredible-Largest-Operation/dp/1541702697">Dark Wire: The Incredible True Story of the Largest Sting Operation Ever</a></em>.</p> <p>Cox joined Michael “Roo” Fey, Head of User Lifecycle &amp; Growth at 1Password, on the Random But Memorable podcast to explain all of the cloak-and-dagger action and dig into the larger question of privacy versus security.</p> <p>Read highlights from the interview below or <a href="https://randombutmemorable.simplecast.com/episodes/doughnut-panic-sting-operation">listen to the full podcast episode</a> for more fascinating tidbits like just how global organized crime is today and how a reporter goes about contacting sources in the underworld.</p> <div 
style="text-align: center !important;"> <iframe src="https://www.youtube-nocookie.com/embed/NoJlHSaHpY4?si=QuxuZSgVSZgdRs4R" frameborder="0" allow="autoplay; encrypted-media" width="500" height="281" style="width: 500px !important; height: 281px !important; display: inline-block !important" allowfullscreen></iframe> </div> <p><em>Editor’s note: This interview has been lightly edited for clarity and brevity. The views and opinions expressed by the interviewee don’t represent the opinions of 1Password.</em></p> <p><strong>Michael Fey: How have things been going since the book launch? Do you want to start by giving listeners a brief overview?</strong></p> <p><strong>Joseph Cox:</strong> Let me speed-run the plot. In 2018, there was an encrypted messaging app that started to get popular among organized criminals. We&rsquo;re talking drug traffickers, hit men, money launderers, and smugglers. It starts in Australia and then gets popular in Europe. They’re using this app because it says it sends end-to-end encrypted messages; explicitly: &ldquo;We are going to keep your communications out of the hands of law enforcement.&rdquo;</p> <p>But some weird stuff happens. Some drug shipments get seized, some drug labs get raided, and eventually it turns out that ANOM, the app, was run by the FBI. It was an audacious and brazen operation in which the FBI ran its own tech company for organized crime.</p> <p><strong>MF: That’s unreal. First of all, there&rsquo;s a movie plot here for sure! But also, it&rsquo;s just wicked fun to hear that the FBI went outside of the bounds of normal law enforcement to do something like this.</strong></p> <p><strong>JC:</strong> It&rsquo;s a crazy story. There are, of course, many cybersecurity and encryption implications but you can&rsquo;t ignore that it&rsquo;s a true crime thriller on a global scale. 
We&rsquo;re talking more than a hundred countries with thousands upon thousands of devices, and thousands upon thousands of criminals.</p> <blockquote> <p><em>&ldquo;It&rsquo;s a true crime thriller on a global scale.&rdquo;</em></p> </blockquote> <p><strong>MF: How did the FBI go from nothing to an app that had effectively infiltrated a criminal underworld?</strong></p> <p><strong>JC:</strong> To step back a little bit, there’s what I call a shadow industry of encrypted phone firms. Most of us get our phones from Apple, Google, Samsung or some other kind of Android hardware. Back in the day, maybe we got Blackberries.</p> <p>Around that time, companies started taking that hardware, especially Blackberries, and adding encrypted email software onto them so you could send messages that would not be susceptible to a normal wiretap. They also took out the microphone, the camera, the GPS, and radically modified the device.</p> <p>Fast-forward a bit and these phones are very annoying to law enforcement, and the FBI shuts down a company called Phantom Secure that was used by the Sinaloa drug cartel. It was used by biker gangs in Australia. It was a real heavy-hitter in this industry. The FBI shuts the company down thinking: &ldquo;Oh, there was a gold rush of selling phones to organized criminals. But maybe this is the end of it. Or maybe this is the start of the end of this industry.&rdquo;</p> <p>In the wake of that, a person who calls himself Afgoo – who was selling phones for Phantom Secure and another company called Sky – had been making what they called the &ldquo;next generation of encrypted phone.&rdquo; That was ANOM. They offered it to the FBI so they wouldn&rsquo;t face prosecution for charges because of their involvement in the industry. That&rsquo;s how ANOM fell into the FBI&rsquo;s lap. The FBI didn&rsquo;t go out and say, &ldquo;Let&rsquo;s make an encrypted phone company&rdquo;. 
At least initially.</p> <blockquote> <p><em>&ldquo;ANOM fell into the FBI&rsquo;s lap. The FBI didn&rsquo;t go out and say, &lsquo;Let&rsquo;s make an encrypted phone company.&rsquo;&rdquo;</em></p> </blockquote> <p>Afgoo was offering to provide the technical infrastructure and a very, very large slice of organized crime, rather than just one criminal organization. That’s what eventually happened. But it wasn’t clear when the organization first started that anybody would actually buy the phones.</p> <p><strong>MF: Was ANOM already used by criminal organizations at this point, or was that a step that the FBI then had to get to?</strong></p> <p><strong>JC:</strong> It was exceptionally small at the start. It was more of a brainchild of Afgoo. I believe people had the devices but it was on absolutely no sort of scale.</p> <p>Afgoo provided five phones, literally just a handful, to a seller in Australia, Domenico Catanzariti. Australian authorities alleged he was connected to the Italian mafia in Australia. The mafia is really big in Australia when it comes to money laundering and drug trafficking, and everything you would expect. Very quickly the Australians see that: &ldquo;Everybody on this platform is using it a hundred percent for crimes.&rdquo; Word of mouth spreads and the phones become more popular.</p> <blockquote> <p><em>&ldquo;The FBI let it develop on its own.&rdquo;</em></p> </blockquote> <p>The FBI said they never got hands-on with the actual selling of ANOM because they didn’t want to be called out for entrapment. It&rsquo;s one thing to have ANOM organically spread among criminals and then you piggyback on the back door, and you just listen to communications. It&rsquo;s another to deliberately approach somebody and be like: &ldquo;Hey, do your crimes on this platform.&rdquo; That could be very dicey. 
That&rsquo;s why the FBI let it develop on its own.</p> <p><strong>MF: It really revealed some interconnectedness and efficiency of the criminal networks that the FBI wouldn&rsquo;t have had visibility into otherwise.</strong></p> <p><strong>JC:</strong> A key thing about organized crime nowadays is that it’s more globalized than ever. It no longer makes sense to talk about organized crime groups, which just operate on their own turf. You now have to talk about organized crime networks.</p> <p>What that meant for the encrypted phone industry is that when the phones started to get a bit more popular in Australia, Afgoo and ANOM would get these requests asking: &ldquo;Hey, can you ship phones overseas? Because I have people there who also need these phones.&rdquo;</p> <p>That especially happened, at least at first, in Europe. Europe is not just a massive consumer of drugs – I think it&rsquo;s actually overtaken the U.S. for the consumption of cocaine – it&rsquo;s now becoming a massive producer of drugs, including amphetamine and methamphetamine.</p> <p>It has completely flipped from being a passive, or a transit hub, to being an epicenter of drug production. You can see why people on ANOM wanted to get phones over there, and that was the next step in ANOM&rsquo;s growth.</p> <p><strong>MF: I&rsquo;m assuming there was some intense investigative work that you had to do for this book. How do you even go about researching something like this?</strong></p> <p><strong>JC:</strong> I&rsquo;m not going to sugarcoat it. This was the hardest journalistic investigation I&rsquo;ve ever done.</p> <p>I spoke to people from every part of the operation. That included FBI agents, Australian law enforcement, European police officers. And then the criminal side. 
I spoke to drug traffickers who used the phones, who have used other encrypted phone devices, and people who sold ANOM phones to organized criminals.</p> <p>I also spoke to some of the people who coded the ANOM app, who did not know they were working on a surveillance tool.</p> <p><strong>MF: What were some of the key ethical boundaries and dilemmas that law enforcement faced during the sting operation? You mentioned earlier not actually selling the phones, but I have to imagine that those boundaries were razor-thin throughout this.</strong></p> <p><strong>JC:</strong> There&rsquo;s a constant tension throughout the book and the operation. When the FBI starts to get intelligence from the ANOM platform – in addition to a ton of European partners who get involved and the Australians – there’s this constant question of: &ldquo;Well, what do we do with this intelligence? Do we act on it? Do we go and seize this massive cocaine shipment? Do we raid this drug lab? Do we potentially arrest this person?&rdquo;</p> <p>Ordinarily those would be pretty straightforward considerations. &ldquo;We&rsquo;re police officers, we go and grab the cocaine.&rdquo; But, if you do too much the criminals may start to suspect the phones and ditch the platform altogether.</p> <blockquote> <p><em>&ldquo;If you do too much the criminals may start to suspect the phones and ditch the platform altogether.&rdquo;</em></p> </blockquote> <p>That was an ethical dilemma that these agents faced every single day. It&rsquo;s like: &ldquo;Well, if we let that cocaine walk, that&rsquo;s tons of coke getting into Europe, or Australia, or wherever.&rdquo;</p> <p>Another major ethical consideration connected to that is that it&rsquo;s one thing to decide whether to &ldquo;let the drugs walk,&rdquo; as they say, but it&rsquo;s another when there are threats to life transmitted across the platform. 
This is when somebody is going to be planning an assassination on ANOM, which is a very common occurrence in the world of organized crime. Maybe they&rsquo;re going to torture somebody, maybe they&rsquo;re going to kidnap somebody.</p> <p>The agents saw this constantly, and in order to get approval, they had to promise higher-ups at the DOJ: &ldquo;Whenever we detect a threat to life, we’re going to act to warn the relevant authorities. We&rsquo;re going to try to do something.&rdquo;</p> <p>They said they did this in around 150 cases. Which is a great success. I reveal in the book that at least one person did die because of an assassination that was fully planned on ANOM.</p> <p><strong>MF: Can you walk through how it all came to an end for both law enforcement and the criminal world?</strong></p> <p><strong>JC:</strong> In early 2021, the FBI had a bit of a problem. ANOM was too successful. They started to lose control of the platform. The FBI would push back against that statement. They would say: &ldquo;We could turn it off whenever we wanted.&rdquo;</p> <p>But distribution of the phones was actually now under the control of a gangster and another very top-tier drug trafficker. They were making the phones whenever they wished and giving them to whomever they wanted.</p> <p>Then, the court order that legalized the operation was going to expire in around June 2021. That&rsquo;s when they decide to wrap it all up. June 7th, 2021 is going to be the big day, and the way they do that is by following the sun.</p> <blockquote> <p><em>&ldquo;The court order that legalized the operation was going to expire in around June 2021. That&rsquo;s when they decide to wrap it all up.&rdquo;</em></p> </blockquote> <p>It starts in Australia, and the Australian authorities, the AFP Federal Police, and the state agencies, they do a bunch of raids. They kick off the first dominoes in that line, which is then stretching across to Europe. 
As the day continues and the sun moves over there, European officials start arresting people as well.</p> <p>Until eventually the sun moves to the West Coast in the U.S.</p> <p>The prosecutors and the FBI in San Diego, they come forward and they clarify: &ldquo;We&rsquo;ve been running ANOM the entire time. This was not an ordinary phone company. We&rsquo;ve been managing it and we&rsquo;ve been getting all of the messages.&rdquo; That drops a grenade among the organized criminal community – not just ANOM users themselves, who are now in really big trouble, but the wider underground.</p> <p>The FBI, as was its goal, has now shattered the trust in the encrypted phone industry. They didn&rsquo;t just want to arrest people, they wanted criminals to doubt whether they could trust these encrypted phones in the first place, so then maybe they would go back to more old school techniques that perhaps the FBI could surveil better. I don&rsquo;t know, social media, ordinary phones, even face-to-face meetings, but not the end-to-end encryption. And in general, the FBI has been pretty successful at that.</p> <blockquote> <p><em>&ldquo;They didn&rsquo;t just want to arrest people, they wanted criminals to doubt whether they could trust these encrypted phones in the first place.&rdquo;</em></p> </blockquote> <p><strong>MF: That&rsquo;s a fascinating outcome. The FBI was able to sow fear, uncertainty, and doubt, and have probably capitalized on that since then.</strong></p> <p><strong>JC:</strong> And even if they don&rsquo;t feed it, the paranoia is still going to be there. After the FBI came clean, I was speaking to an encrypted phone seller from Europe, and they said it is basically impossible to build a customer base now. All of the users are thinking, &ldquo;Well, what&rsquo;s to say the FBI isn&rsquo;t behind this one as well? Or maybe it&rsquo;s the Australians this time, or maybe it&rsquo;s the Dutch? 
Who knows?&rdquo;</p> <p>More and more criminals, at least the ones I&rsquo;ve spoken to or the ones I&rsquo;ve heard about, are moving to consumer platforms, like Signal, that we all use. And that brings up, obviously, a very key question, which I deliberately do not answer in the book, because I don&rsquo;t think it&rsquo;s my place.</p> <blockquote> <p><em>&ldquo;More and more criminals are moving to consumer platforms.&rdquo;</em></p> </blockquote> <p>I think this is for people in InfoSec, cybersecurity, privacy, lawmakers, whoever, to discuss now. It’s: What happens in terms of privacy when more criminals move to a platform that&rsquo;s used by all of us? Will the FBI then do some operation on that as well?</p> <p><strong>MF: Did completing the book change your perspective on the cybersecurity landscape?</strong></p> <p><strong>JC:</strong> I&rsquo;ve been covering surveillance and privacy for a long time. I&rsquo;ve been covering how the FBI will use hacking tools or network investigative techniques in either a targeted fashion or in a very broad fashion, where they hack all of the users of a single site.</p> <p>I see three different ways forward when it comes to encryption, data access, and cybersecurity of these platforms.</p> <p>The first is the front door. That&rsquo;s companies giving data to the authorities under a legal order. Discord does this all the time. It could be Twitter, Facebook, or whatever. The very normal: &ldquo;We send you a subpoena or a search warrant depending on what the data is.&rdquo;</p> <p>For encrypted communications platforms, that would introduce a vulnerability. If Signal just provided a copy of the messages, I don&rsquo;t think people would like that and it would have ramifications.</p> <p>The second way is – if you&rsquo;re not using the front door, then maybe the FBI is going to do these large-scale operations where they secretly run a tech company for organized crime. 
Maybe people are okay with that or maybe people aren’t, but we haven&rsquo;t had that discussion yet.</p> <p>To be clear, I think the ANOM operation is a consequence of companies not providing data to law enforcement. I&rsquo;m not saying whether that&rsquo;s good or bad, but that is the chronology of what happened. In this case, it was these sketchy encrypted phone companies who work for organized crime, but it could easily be a Telegram or a Signal next.</p> <p>Then the third option, and the one which I probably lean towards, is targeted hacking. You get a warrant or a narrow legal order to collect a narrow piece of information about a specific user, from a specific device.</p> <p>If those are the three options, that <em>seems</em> like the worst out of all of them. I think some people in cybersecurity, InfoSec, or privacy will just tell the cops: &ldquo;Well, police harder.&rdquo; When they do that, the consequence is ANOM.</p> <p>I don&rsquo;t think the status quo is sustainable, and we need to, collectively, at least discuss what we&rsquo;re going to do. Otherwise, the FBI and partners are going to launch these massive operations.</p> <p><strong>MF: Where can folks go to learn more about you, the 404 Media Podcast, or to buy the book?</strong></p> <p><strong>JC:</strong> If you enjoy listening to my rambling and you want to hear more from my co-founders of 404 Media, you can search for the <a href="https://www.404media.co/the-404-media-podcast/">404 Media podcast</a>. It&rsquo;s everywhere you might expect. We talk about three stories that we published that week. They&rsquo;re always original reporting. 
We don&rsquo;t talk about other people&rsquo;s stories, so you literally cannot get what we talk about anywhere else.</p> <div style="text-align: center !important;"> <iframe src="https://www.youtube-nocookie.com/embed/NMRT5re_ixU?si=kRX2E43OlrMdg4Af" frameborder="0" allow="autoplay; encrypted-media" width="500px !important;" height="281px !important;" style="width: 500px !important; height: 281px !important; display: inline-block !important" allowfullscreen></iframe> </div> <p>For the articles themselves, go to <a href="https://www.404media.co/">404media.co</a>.</p> <p>For the book, just search for <em><a href="https://www.goodreads.com/book/show/59644256-dark-wire">Dark Wire</a></em>. It&rsquo;s on Amazon and wherever books are sold. And I really, really hope more people get to read the story because I do genuinely think it&rsquo;s an important case study for InfoSec. I&rsquo;m not just saying that. I think this is a real chance for us to have a new debate about privacy, cybersecurity, encryption, and all of that.</p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Subscribe to Random but Memorable</h3> <p class="c-call-to-action-box__text"> Listen to the latest news, tips and advice to level up your security game, as well as guest interviews with leaders from the security community. 
</p> <a href="https://randombutmemorable.simplecast.com/" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Subscribe to our podcast </a> </div> </section></description></item><item><title>2024's least and most secure authentication methods</title><link>https://blog.1password.com/authentication-methods/</link><pubDate>Fri, 02 Aug 2024 00:00:00 +0000</pubDate><author>info@1password.com (Rob Glover)</author><guid>https://blog.1password.com/authentication-methods/</guid><description> <img src='https://blog.1password.com/posts/2024/authentication-methods/header.png' class='webfeedsFeaturedVisual' alt='2024&#39;s least and most secure authentication methods' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Any security professional will tell you there&rsquo;s a simple way to keep data secure: encase it in concrete and toss it in the ocean.</p> <p>Unfortunately, while that approach will keep hackers out, it&rsquo;ll also lock out legitimate users. The next best thing is to set up authentication protocols that don&rsquo;t make access too easy for hackers or too tough for end users.</p> <p>Broadly, there are three best practices that play into that decision. You need to:</p> <ol> <li> <p><strong>Reflect current opportunities and threats.</strong> Companies have to choose authentication methods that balance (sometimes competing) needs for security and usability, which is challenging, since the right choice might be different in 2024 than it was a year ago. 
The state of the art constantly shifts in response to breakthroughs by both vendors and hackers - like this guy who <a href="https://www.vice.com/en/article/dy7axa/how-i-broke-into-a-bank-account-with-an-ai-generated-voice">beat a bank&rsquo;s &ldquo;secure&rdquo; voice recognition software</a> with a free AI tool.</p> </li> <li> <p><strong>Choose the appropriate level of security for the user and resource.</strong> The &ldquo;right&rdquo; approach to authentication has to be tailored to the resources it&rsquo;s designed to protect and the users trying to access them. The same company might use different forms of authentication for its customers, workers, and contractors. And even within the category of workers – which we&rsquo;ll be primarily focusing on in this blog – you might use tougher authentication for senior engineers who access your source code than, say, a marketer who just writes about it.</p> </li> <li> <p><strong>Don&rsquo;t rely on a single form of authentication.</strong> None of the authentication methods we&rsquo;re about to go over should be considered in isolation but as part of a holistic approach to verifying user and device identity and security.</p> </li> </ol> <p><em>Tl;dr</em>: No matter your mix of users and resources, choosing authentication methods isn&rsquo;t about picking the single, infallible option. It&rsquo;s about building a multi-layered approach that makes hacking more trouble than it&rsquo;s worth, and gives access to the right people at the right time.</p> <h2 id="the-three-types-of-authentication-factors">The three types of authentication factors</h2> <p>Most security practitioners sort authentication methods into three categories, called factors. 
(As we&rsquo;ll see, they don&rsquo;t all fit neatly into a single bucket, nor does the number of factors have to be capped at three, but it&rsquo;s still a good starting place.)</p> <ol> <li> <p><strong>A knowledge factor is something you know.</strong> Passwords, PINs, and security questions are all knowledge factors.</p> </li> <li> <p><strong>A possession factor is something you have.</strong> Security cards, external hardware dongles, and even devices themselves fall into the possession factor bucket.</p> </li> <li> <p><strong>An inherence factor is something you are.</strong> These are biometrics, like fingerprint readers, facial scanners, etc.</p> </li> </ol> <p>A security best practice is to combine multiple forms of user authentication into a multi-factor authentication (MFA) protocol.</p> <p>The goal of MFA is to pull from two or more factors so a threat actor can&rsquo;t gain access using a single attack vector. For example, a hacker can swipe your password and security question answers (knowledge) in a single spear-phishing attack. With phishing-resistant MFA, the thief would also need your fingerprint (inherence) or hardware fob (possession) to breach your system.</p> <p>Lastly, not all methods within a factor are equally secure. For instance, a one-time code from an authenticator app is considered safer than an easily stealable SMS-delivered password. 
That&rsquo;s what we&rsquo;ll break down next.</p> <h2 id="least-secure-passwords">Least secure: passwords</h2> <aside class="c-technical-aside-box c-technical-aside-box--background" aria-labelledby="passwords"> <h2 class="c-technical-aside-box__title" id="passwords"> Passwords </h2> <div class="c-technical-aside-box__description"> <p>Pros: Familiar to users; simple UX; easy to deploy</p> <p>Cons: Vulnerable to many types of attacks; attractive to threat actors</p> <p>Best suited for: Primary authentication for non-sensitive assets; securing internal docs protected externally by other methods; customer accounts with strong secondary authentication factors</p> </div> </aside> <p>In 1961, <a href="https://www.wired.com/2012/01/computer-password/">the first computer passwords</a> protected private files and logged user time on MIT&rsquo;s Compatible Time-Sharing System (CTSS). Late one Friday night in 1962, MIT researcher Allan Scherr entered a punch card into CTSS, asking the machine to print all the passwords. The system complied, and the first password theft was a success.</p> <p>Scherr may have been the first to break into a computer via stolen passwords, but he&rsquo;s certainly not the last. Compromised credentials consistently rank <a href="https://www.verizon.com/business/resources/reports/dbir/">as the most common way hackers breach organizations</a>.</p> <p>Despite their inherent vulnerabilities, passwords are the most popular authentication factor. That&rsquo;s mostly down to their simple deployment (no hardware needed) and lack of a learning curve for users. 
But <a href="https://www.healthcareitnews.com/news/tech-giants-expand-support-passwordless-world">tech giants</a>, <a href="https://www.okta.com/resources/whitepaper-passwordless-future/">authentication providers</a>, and <a href="https://www.hstoday.us/subject-matter-areas/cybersecurity/what-a-passwordless-future-looks-like-for-federal-agencies/">government agencies</a>, (<a href="https://1password.com/product/passkeys">plus, of course, us</a>) are creating a path to a passwordless future.</p> <h3 id="the-vulnerabilities-of-passwords">The vulnerabilities of passwords</h3> <p>In fairness to passwords, they really aren&rsquo;t the problem here–we are. Users fall for phishing attacks and practice poor password hygiene, while companies often fail to protect their databases of passwords or block credential-based attacks. And hackers are only too happy to exploit these human failures.</p> <p>Here are a few examples:</p> <ul> <li> <p><strong>Social engineering attacks</strong>: This is really a weakness of all knowledge factors: if something can be known, it can be phished. Bad actors use phishing emails, create <a href="https://www.theguardian.com/technology/2016/mar/16/major-sites-new-york-times-bbc-ransomware-malvertising">fake websites</a>, and pretend to be tech support to trick users into exposing their credentials. Even though users get regular reminders to guard against these attacks, we still fall for them. In 2021, <a href="https://umbrella.cisco.com/info/2021-cyber-security-threat-trends-phishing-crypto-top-the-list">86% of organizations</a> knew at least one person on their team had clicked a phishing email.</p> </li> <li> <p><strong>Brute force credential-based attacks</strong>: Thieves use a variety of methods to either guess user credentials (password spraying) or apply known credentials to multiple websites (credential stuffing). 
Brute force attacks, made possible by weak passwords, are the <a href="https://www.darkreading.com/threat-intelligence/rdp-attacks-persist-near-record-levels-in-2021">number one threat to remote access protocols</a> like Microsoft&rsquo;s RDP.</p> </li> <li> <p><strong>Password storage breaches</strong>: Like Allan Scherr&rsquo;s credential caper in the 1960s, threat actors continue to swipe vast numbers of credentials (usually to sell on the dark web). This wouldn&rsquo;t be an issue if organizations that maintain passwords <a href="https://blog.1password.com/what-is-hashed-password/">properly hashed</a> and salted them, and yet here we are.</p> </li> <li> <p><strong>Man-in-the-middle attacks</strong>: Hackers sometimes steal passwords by hijacking communication channels using DNS spoofing or WiFi eavesdropping. While not as common as they once were with the advent of stronger cryptography, MitM attacks are evolving with new technology, like <a href="https://www.techspot.com/news/96321-drones-helped-hackers-penetrate-financial-firm-network-remotely.html">drones equipped with proximity penetration kits</a>. (But hey, at least the hackers have to work harder now.)</p> </li> </ul> <h2 id="passwords-as-part-of-mfa">Passwords as part of MFA</h2> <p>While it&rsquo;s not feasible for every company to give up passwords cold turkey, you should at least avoid pairing them with another knowledge factor. For example, companies sometimes use security questions as a password recovery method, but these are even less secure than passwords. Not only are they vulnerable to the attacks listed above, they&rsquo;re based on information — like your favorite pet&rsquo;s name — that hackers can find after 10 minutes of social media sleuthing.</p> <h3 id="single-sign-on-and-password-managers-are-just-the-start">Single Sign-On and password managers are just the start</h3> <p>At this point, it&rsquo;s widely accepted that passwords are inherently insecure and should be phased out. 
Even Apple, Google, Microsoft, and we here at 1Password can agree on that, and we&rsquo;re helping usher in a passwordless future with the <a href="https://support.1password.com/save-use-passkeys/">introduction of passkeys</a>. Still, it will take years before we rid ourselves of passwords, and in the meantime, password managers and Single Sign-On (SSO) can help mitigate some of their risks.</p> <p>Password managers like ours at 1Password give users strong passwords and a safe place to store them – and <a href="https://1password.com/product/enterprise-password-manager">Enterprise Password Managers</a> provide a way to secure your whole team&rsquo;s passwords at once. Meanwhile, SSO reduces password fatigue by allowing users to enter one set of credentials to access multiple resources.</p> <p>Unfortunately, neither SSO nor password managers are as widely adopted as they should be, given their importance. SSO, in particular, is frequently <a href="https://blog.1password.com/closing-the-sso-security-gap/">cost-prohibitive and technically difficult</a> to implement.</p> <h2 id="more-secure-one-time-passwords">More secure: one-time passwords</h2> <aside class="c-technical-aside-box c-technical-aside-box--background" aria-labelledby="one-time-passwords"> <h2 class="c-technical-aside-box__title" id="one-time-passwords"> One-time Passwords </h2> <div class="c-technical-aside-box__description"> <p>Pros: Some versions are secure secondary authentication factors; they&rsquo;re inexpensive to deploy</p> <p>Cons: SMS OTPs are vulnerable to attack; users need to keep up with an extra device</p> <p>Best suited for: Simple secondary authentication; customer users (SMS OTPs), or remote professional users (authenticator apps and security fobs)</p> </div> </aside> <p>One-time passwords (also called one-time codes or dynamic passwords) are unique, algorithmically generated codes. 
They&rsquo;re usually used as a step-up authentication method if a user takes a certain action (like initiating a transaction) or if there&rsquo;s something fishy about a login attempt (like if it&rsquo;s from an unrecognized device).</p> <p>OTPs can be delivered in a variety of ways, some of which require a secondary device and are more like possession factors than knowledge factors.</p> <ul> <li> <p>Email</p> </li> <li> <p>SMS</p> </li> <li> <p>Authenticator apps</p> </li> <li> <p>Hardware security tokens (smart cards and fobs)</p> </li> </ul> <p>More secure OTPs require a second device or piece of hardware, which is less vulnerable to interception. But once a user has the code, it becomes a knowledge factor that can be phished, just like a password. Ideally, they should be paired with a biometric factor for true MFA.</p> <h3 id="sms-and-email-otps-are-weaker">SMS and email OTPs are weaker</h3> <p>It&rsquo;s understandable why OTPs delivered via SMS or email are popular. Anyone with an email account or a cell phone can use them without downloading yet another app.</p> <p>On-demand OTPs are also popular with threat actors. Hackers can intercept OTPs through weaknesses in SMS or email delivery methods.</p> <p>For example, in SIM swapping attacks, thieves convince a cell service provider to switch their victim&rsquo;s number to a different SIM. Then there&rsquo;s the MitM-style tactic where hackers eavesdrop on their victim&rsquo;s texts via a weakness in the SS7 protocol — the one that connects mobile carriers.</p> <p>OTPs sent by email are exposed to a broad attack surface. Email service providers, wireless networks, and internet protocols are all points of ingress for industrious hackers. Then think about the multiple devices you use to read emails. The same OTP could be sent to your cell phone, a work laptop, a home computer, and a smartwatch.</p> <p>The codes themselves aren&rsquo;t very secure either. Both SMS and email OTPs are plain text. 
Once a hacker has them, they can go right to resetting the user&rsquo;s password.</p> <p>Like passwords, these OTPs may be on their way out. In 2020 <a href="https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/it-s-time-to-hang-up-on-phone-transports-for-authentication/ba-p/1751752">Microsoft published an article</a> calling for the move away from text as an authentication method. <a href="https://techcrunch.com/2016/07/25/nist-declares-the-age-of-sms-based-2-factor-authentication-over/">NIST deprecated SMS OTPs</a> in 2016. And the <a href="https://www.zdnet.com/article/fbi-warns-about-attacks-that-bypass-multi-factor-authentication-mfa/">FBI warns against using them</a> for MFA.</p> <h3 id="authenticator-tokens-are-a-better-otp-option">Authenticator tokens are a better OTP option</h3> <p>Authenticator tokens generate time-based OTPs (TOTPs) locally via an app or a device. They&rsquo;re not delivered over a network, so SIM swapping, SS7, or internet eavesdropping attacks are useless. However, they are still vulnerable to phishing or the physical theft of the device itself.</p> <p>Hard tokens are external devices, like a fob or dongle with a small screen. The token generates a fresh TOTP for each login and displays it to the user.</p> <p>Soft tokens are apps, like <a href="https://www.microsoft.com/en-us/security/mobile-authenticator-app">Microsoft Authenticator</a>, that exist only as software. Like hard tokens, authenticator apps produce unique TOTP codes for each authentication request.</p> <p><a href="https://help.okta.com/en-us/Content/Topics/Mobile/okta-verify-overview.htm#:~:text=Okta%20Verify%20is%20a%20multifactor,gain%20access%20to%20the%20account.">Okta Verify</a> also functions as an authenticator app built into Okta&rsquo;s larger MFA function. 
Users first log in to their Okta account with a password or biometric, then confirm that they possess their device by entering the app-generated code.</p> <p>In rare cases, hackers have breached authentication app providers. Authy, for example, <a href="https://www.twilio.com/blog/august-2022-social-engineering-attack">was hacked</a> via its parent company Twilio in 2022. The &ldquo;sophisticated social engineering attack&rdquo; allowed hackers to add new devices to 93 different Authy accounts.</p> <h2 id="more-secure-biometrics">More secure: biometrics</h2> <aside class="c-technical-aside-box c-technical-aside-box--background" aria-labelledby="biometrics"> <h2 class="c-technical-aside-box__title" id="biometrics"> Biometrics </h2> <div class="c-technical-aside-box__description"> <p>Pros: Secure method of primary authentication; user convenience; available on many devices</p> <p>Cons: Can&rsquo;t be reset if compromised; privacy concerns; low-tech versions can be spoofed</p> <p>Best suited for: Employee and customer authentication, particularly for sensitive resources</p> </div> </aside> <img src='https://blog.1password.com/posts/2024/authentication-methods/fingerprint-reader.jpg' alt='An image of a finger scanner.' title='An image of a finger scanner.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p><a href="https://commons.wikimedia.org/wiki/File:161129-Dulles-OFO-Ops-GF-010_(30519292054).jpg">Source</a></p> <p>Biometric authentication methods rely on something you are. That makes them hard to steal, difficult to misplace or share, and impossible to forget. Users are <a href="https://www.iproov.com/press/consumers-prefer-biometric-face-verification">comfortable with them</a>, and they increasingly come built-in on our devices. For all these reasons, biometrics are the heir apparent to passwords to become the default authentication method.</p> <p>But the immutable and personal nature of biometrics is their biggest Achilles&rsquo; heel. 
Once someone gets ahold of your biometric data, you can&rsquo;t just reset it like a password. Gathering and storing personally identifiable information raises all sorts of <a href="https://www.marketwatch.com/story/facial-recognition-technology-is-one-of-the-biggest-threats-to-our-privacy-11640623526">privacy concerns</a>, and the racial and gender-based shortcomings of these tools introduce a <a href="https://hbr.org/2019/05/voice-recognition-still-has-significant-race-and-gender-biases">potential for bias</a>. Also, some forms of biometrics are much more secure than others. For instance, most security experts are wary of voice recognition, <a href="https://www.vice.com/en/article/dy7axa/how-i-broke-into-a-bank-account-with-an-ai-generated-voice">which can be tricked by a free AI tool</a>.</p> <p>All this to say: biometrics can be a formidable part of your MFA system, but they&rsquo;re not foolproof, and they should be handled with care.</p> <h3 id="fingerprint-scans-are-secure-when-data-is-stored-properly">Fingerprint scans are secure when data is stored properly</h3> <p>The unique ridges on our fingertips provide a convenient way to verify user identity. That&rsquo;s why so many devices let us tap to log in.</p> <p>Still, it&rsquo;s possible to spoof these scanners. One way to hack a fingerprint scan is to lift a physical print (à la CSI) and create a mold. It&rsquo;s how a German computer club <a href="https://www.theguardian.com/technology/2013/sep/22/apple-iphone-fingerprint-scanner-hacked">beat the iPhone&rsquo;s first fingerprint sensor</a> two days after it launched. That could put a single device at risk if stolen. 
But in practice, <a href="https://www.lookout.com/blog/why-i-hacked-apples-touchid-and-still-think-it-is-awesome">it&rsquo;s difficult to recreate a fingerprint</a>, especially with newer <a href="https://www.vice.com/en/article/pgavwy/with-ultrasonic-fingerprint-sensing-googles-security-could-beat-apples">ultrasonic scanners</a>.</p> <p>Like passwords, fingerprints need to be stored securely. A breach in 2019 exposed over one million prints, showing why you shouldn&rsquo;t create a trove of unencrypted biometric data. Most devices don&rsquo;t. The iPhone, for example, stores fingerprint data locally. Also, most biometric data is, or should be, stored as numeric data, not images. So even if a hacker gets ahold of it, they&rsquo;d need to reconstruct the mathematical representation to make it work.</p> <aside class="c-technical-aside-box c-technical-aside-box--background" aria-labelledby="fingers-offer-more-than-prints-for-authentication"> <h2 class="c-technical-aside-box__title" id="fingers-offer-more-than-prints-for-authentication"> Fingers offer more than prints for authentication </h2> <div class="c-technical-aside-box__description"> <p>The arrangement of veins just below our skin&rsquo;s surface is as unique as fingerprints. Near-infrared (IR) imaging sensors can map out these distinctive patterns, creating a new option for authentication called vascular biometrics. Unlike prints, we don&rsquo;t leave our vascular map behind every time we tap a phone screen. And a loss of skin integrity doesn&rsquo;t make vascular scans unusable. The real barrier to a wider rollout is the high cost of vascular biometric scanners. If the technology is made more affordable, it would be a great option for user authentication.</p> </div> </aside> <h3 id="facial-recognition-continues-to-improve">Facial recognition continues to improve</h3> <p>Facial recognition is a popular authentication option for MFA. However, early face scanners weren&rsquo;t hard to fool. 
But, as with all forms of authentication (except maybe security questions), as attacks get more sophisticated, so does the technology to thwart them.</p> <p>At first, smartphone facial recognition scanners relied on the 2D, front-facing cameras already available on the device. Hackers quickly proved that a photograph — even one as <a href="https://www.biometricupdate.com/202210/stolen-passport-photos-fraudsters-and-facial-fusion-technology-pose-a-threat-to-national-security">low-tech as a passport photo</a> — could spoof that technology.</p> <p>Apple&rsquo;s FaceID uses three infrared technologies to make a topographical map of your mug. 3D facial recreation is much harder to fool than its 2D predecessor. Vietnamese researchers <a href="https://www.vice.com/en/article/qv3n77/iphone-x-face-id-mask-spoof">did it with a 3D-printed mask</a>. And you could get a false positive <a href="https://www.brusselstimes.com/347829/improved-facial-recognition-on-phones-still-not-100-secure-say-experts">from someone who looks a lot like you</a>.</p> <p>More recently, most facial recognition tech has added &ldquo;liveness&rdquo; tests, which make it harder to bypass them with a 2D photo. Like a visual Turing test, the software attempts to prove it&rsquo;s encountering a physically present human being. A smile or blink may be all it takes to prove you&rsquo;re not just a printed Facebook pic.</p> <p>Let&rsquo;s face it, the odds of your evil identical twin breaking into your device are slim, and most hackers won&rsquo;t go through the trouble of printing a &ldquo;you&rdquo; mask. 
That&rsquo;s why 3D facial scans are secure for most applications, especially if they&rsquo;re backed up by another authentication factor.</p> <h3 id="behavioral-biometrics-add-ongoing-security-but-at-a-cost-to-privacy">Behavioral biometrics add ongoing security, but at a cost to privacy</h3> <p>Behavioral biometric software builds unique profiles of users based on measurable behavior patterns, like how you type. Your keystroke rhythm, mouse usage, typing speed, and length of time holding keys down form a recognizable pattern that&rsquo;s unique to you and hard to replicate.</p> <p>Behavioral biometrics are generally used as continuous authentication measures. That is, they assess your behavior after you&rsquo;ve logged in and flag any deviations from your norm. It&rsquo;s a way to verify that someone — or more likely, a non-human program — hasn&rsquo;t hijacked your device. But there&rsquo;s a troubling potential for this type of surveillance to <a href="https://www.skadden.com/insights/publications/2022/09/quarterly-insights/every-move-you-make">cross the line into bossware</a> or <a href="https://www.nytimes.com/2022/12/22/nyregion/madison-square-garden-facial-recognition.html">public surveillance</a>.</p> <p>Lawmakers and privacy advocates are scrutinizing biometrics. Some <a href="https://pro.bloomberglaw.com/brief/biometric-data-privacy-laws-and-lawsuits/">laws prevent companies</a> from profiting off of collected biometric information. Several <a href="https://news.bloomberglaw.com/tech-and-telecom-law/analysis-7th-circuits-bipa-rulings-provide-state-court-roadmap">lawsuits have accused companies</a> of abusing this data. 
As Jennifer Lynch, a senior lawyer for the Electronic Frontier Foundation, <a href="https://www.nytimes.com/2018/08/13/business/behavioral-biometrics-banks-security.html">told The New Yorker</a>: &ldquo;It&rsquo;s a very small leap from using this to detect fraud to using this to learn very private information about you.&rdquo;</p> <h2 id="most-secure-hardware-keys">Most secure: hardware keys</h2> <aside class="c-technical-aside-box c-technical-aside-box--background" aria-labelledby="hardware-keys"> <h2 class="c-technical-aside-box__title" id="hardware-keys"> Hardware Keys </h2> <div class="c-technical-aside-box__description"> <p>Pros: Immune to MiiM, phishing and keylogging attacks</p> <p>Cons: Inconvenience of carrying an external device; a physical key that can be stolen</p> <p>Best suited for: Workforce authentication, especially for highly sensitive data; remote and in-office employees</p> </div> </aside> <img src='https://blog.1password.com/posts/2024/authentication-methods/hardware-authentication-security-keys.jpg' alt='An image of a finger scanner.' title='An image of a finger scanner.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p><a href="https://commons.wikimedia.org/wiki/File:U2F_Hardware_Authentication_Security_Keys_(Yubico_Yubikey_4_and_Feitian_MultiPass_FIDO)_(42286852310).jpg">Source</a></p> <p>External <a href="https://blog.1password.com/hardware-security-keys-explained/">hardware keys</a>, like <a href="https://www.yubico.com/">Yubikeys</a>, are among the strongest authentication factors available. Also called FIDO keys, they generate a cryptographically secure MFA authentication code at the push of a button. FIDO keys differ from OTP hardware because they send codes directly to the device via a USB port or NFC connection. That gives hackers no chance to phish the code or steal it in a MiiM or keylogging attack.</p> <p>FIDO keys are very secure devices. 
They don’t hold any personal information, and cracking them is beyond the skill of most hackers. So they’re an excellent method to bundle with an identity provider (like Okta or Microsoft Entra) and a device trust solution, like <a href="https://1password.com/product/xam">1Password Extended Access Management</a>. With all three in place, a hacker would need the user’s laptop or phone, a fingerprint, and the FIDO key to pass authentication.</p> <p>The trade-off for hardware keys is the inconvenience of toting around a physical object. Some users leave their key plugged in all the time, which renders it useless if a thief snatches both the device and the key. Losing your key can also be a pain, and replacing keys is expensive for companies at scale. That’s why most organizations reserve these keys for users who access particularly sensitive resources.</p> <h2 id="most-secure-device-authentication-and-trust-factors">Most secure: device authentication and trust factors</h2> <aside class="c-technical-aside-box c-technical-aside-box--background" aria-labelledby="device-authentication-factors"> <h2 class="c-technical-aside-box__title" id="device-authentication-factors"> Device Authentication Factors </h2> <div class="c-technical-aside-box__description"> <p>Pros: Proves that the device is known and secure</p> <p>Cons: Must be used in conjunction with user authentication</p> <p>Best suited for: Employee and contractor authentication</p> </div> </aside> <p>So far, we&rsquo;ve talked about methods to verify a user&rsquo;s identity. But it&rsquo;s also important to verify that you recognize (and trust) the device they&rsquo;re using. Otherwise, a well-meaning employee could unknowingly access your network with a malware-infected laptop. Or a threat actor could use a set of stolen credentials to impersonate an employee from the other side of the world.</p> <p>Device authentication factors ensure that only approved devices can log in. 
Some versions operate in a go/no-go state, meaning it&rsquo;s enough to prove that the device is known. Others add another layer of protection: checking not only that a device is familiar, but that it&rsquo;s in a secure state.</p> <h3 id="certificate-based-authentication">Certificate-based authentication</h3> <p>In certificate-based authentication (CBA), a device presents a digital certificate to a server for verification. Many identity providers, such as Okta and Azure, enable CBA as part of their MFA product.</p> <p>CBA is considered very secure because it&rsquo;s based on public/private key cryptography, where the private key acts as a combination that never leaves the device.</p> <p>CBA offers some distinct advantages:</p> <ul> <li> <p>It&rsquo;s usable for all endpoint connections, including IoT devices without a direct user</p> </li> <li> <p>It allows mutual authentication of both the server and device</p> </li> <li> <p>It&rsquo;s infinitely extensible because contractors, vendors, and partners can all be issued certificates</p> </li> </ul> <p>Still, CBA isn&rsquo;t infallible. Hackers have breached certificate authorities, giving them free rein to create phony certificates. Thieves have also swiped existing certificates.</p> <h3 id="on-device-agents-that-verify-device-health">On-device agents that verify device health</h3> <p>Certificates tell your network that a device is known, but that&rsquo;s only half the battle. What if that &ldquo;trusted&rdquo; laptop is missing a critical security update or is running a non-genuine version of Windows? Ensuring that a device is secure is a crucial part of <a href="https://blog.1password.com/history-of-zero-trust/">Zero Trust Architecture (ZTA), and one that often gets neglected</a>.</p> <p>But software like <a href="https://1password.com/product/xam">1Password Extended Access Management</a> makes device health part of the authentication process. 
Like a CBA, the presence of 1Password&rsquo;s agent on a device works as a possession factor (if a device doesn&rsquo;t have the app installed, it can&rsquo;t log in).</p> <img src='https://blog.1password.com/posts/2024/authentication-methods/kolide_blocking_notification-min.png' alt='A screenshot of XAM&#39;s blocking notification.' title='A screenshot of XAM&#39;s blocking notification.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>But 1Password Extended Access Management goes further, because it also scans for compliance issues before letting a user log in, so it can also be understood as a &ldquo;posture factor.&rdquo;</p> <h2 id="when-designing-mfa-dont-forget-the-human-factor">When designing MFA, don&rsquo;t forget the human factor</h2> <p>Here&rsquo;s the note we&rsquo;ll leave on: a good approach to MFA doesn&rsquo;t just consider the hackers it&rsquo;s designed to keep out. It accounts for people who need to be let in. Humans make mistakes. They have work to get done. And by and large, they want to do the right thing. What often goes wrong in MFA (and security more broadly) is that it treats users as enemies rather than allies.</p> <p>Keep these three points in mind to help users become the hidden factor in your MFA.</p> <ol> <li> <p><strong>Make authentication simple.</strong> Low-lift MFA leads to better security habits. If you ask a user to create, remember, and frequently update credentials, they&rsquo;ll find shortcuts that put your company at risk.</p> </li> <li> <p><strong>Protect privacy.</strong> Even with the best intentions, security initiatives can erode user privacy. To earn and keep employees' trust, collect the minimum amount of information, be transparent about how it&rsquo;s used, and safeguard it against outside threats. 
That&rsquo;s all part of our belief driving 1Password Extended Access Management&rsquo;s <a href="https://blog.1password.com/improve-productivity-minimize-cost-distributed-teams/">commitment to privacy</a>.</p> </li> <li> <p><strong>Create a security culture.</strong> When properly equipped with tools and knowledge, users will behave more securely. So it&rsquo;s worth investing the time to educate them about security, instead of implementing changes without their knowledge or consent.</p> </li> </ol> <p>So stop fantasizing about a user-free authentication solution, and start building one that puts them front and center.</p> <p>Want to see how 1Password Extended Access Management can help secure authentication at your organization? <a href="https://1password.com/contact-sales/xam">Reach out for a demo</a>!</p></description></item><item><title>The history, evolution, and controversies of zero trust</title><link>https://blog.1password.com/history-of-zero-trust/</link><pubDate>Fri, 02 Aug 2024 00:00:00 +0000</pubDate><author>info@1password.com (Elaine Atwell)</author><guid>https://blog.1password.com/history-of-zero-trust/</guid><description> <img src='https://blog.1password.com/posts/2024/history-of-zero-trust/header.png' class='webfeedsFeaturedVisual' alt='The history, evolution, and controversies of zero trust' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Zero Trust is having a bit of a moment.</p> <p>Okta&rsquo;s 2023 <a href="https://www.okta.com/resources/whitepaper-the-state-of-zero-trust-security-2023/thankyou/">State of Zero Trust</a> report found that 61% of organizations globally have a defined Zero Trust initiative in place. 
(That&rsquo;s up from only 16% of companies in 2018).</p> <p>Yet even as Zero Trust security reaches new heights of popularity (including via <a href="https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/">executive order</a>), a backlash is brewing among professionals, who feel the term is being diluted past all usefulness.</p> <p>At security conferences, endless lines of vendors hawk products, all dubiously labeled &ldquo;ZTA.&rdquo; Companies crow about their Zero Trust initiatives while privately making as many exceptions as there are rules. Charlie Winckless, senior director analyst for Gartner, <a href="https://venturebeat.com/security/how-zero-trust-methods-thwart-malicious-hackers/">puts it this way</a>: &ldquo;It&rsquo;s important that organizations look at the capability and not the buzzword that&rsquo;s wrapped around it.&rdquo;</p> <p>So which is it – is Zero Trust our best hope against a lawless security landscape, or is it just another disposable tech buzzword?</p> <p>The answer is: a little bit of both. And that begs another question: how did one term come to mean so many things to so many different people?</p> <p>In this article, we&rsquo;ll trace this idea&rsquo;s 20-year history and show how it has changed along the way.</p> <img src='https://blog.1password.com/posts/2024/history-of-zero-trust/green.jpg' alt='The green panel from the blog cover.' title='The green panel from the blog cover.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <h2 id="what-is-zero-trust">What is Zero Trust?</h2> <p>Before we get into Zero Trust&rsquo;s origin story back in the 2000s, let&rsquo;s get on the same page about what Zero Trust means in the 2020s. 
In a nutshell, Zero Trust is an approach to security that is designed to operate without a clear network perimeter (such as today&rsquo;s SaaS-based, hybrid work model), and that continuously seeks to verify the identity and trustworthiness of all actions, and restrict access to sensitive resources.</p> <h2 id="the-2000s-de-perimeterization-and-black-core">The 2000s: de-perimeterization and black core</h2> <p>The beginnings of the Zero Trust paradigm – starting before it found its now-familiar name – didn&rsquo;t occur in a purely linear fashion, where one idea was neatly built upon another. Instead, multiple security professionals came up with similar ideas at roughly the same time. That confluence isn&rsquo;t surprising, since everyone in the security world was responding to the same trends, which were rendering traditional, network-based security obsolete.</p> <p>Prior to the 2000s, the standard security model relied on a hardened perimeter around a corporate intranet. Access to the network was protected by firewalls and a single log-in; but once someone was inside, they were essentially treated as trusted. This approach – sometimes called castle-and-moat or M&amp;M (like the candies) – made sense when work was contained by a physical office building and on-prem servers.</p> <p>But in the 2000s, all that changed. Reliable home internet and public Wi-Fi eroded the physical perimeters around work. Employees, contractors, and partners needed a way to access company data from anywhere. To be clear, this didn&rsquo;t immediately give rise to Zero Trust; instead, many organizations relied on corporate VPNs, which allowed for secure tunnels into their networks.</p> <p>VPNs helped companies keep their employees' sessions from being hijacked every time they went to a Starbucks. Still, if a VPN was compromised, so was the entire network. Gradually, the idea of a &ldquo;hardened perimeter&rdquo; started to look less and less feasible. 
In 2005, the Department of Defense proposed transitioning to a <a href="https://www.semanticscholar.org/paper/Defining-the-GIG-Core-Tarr-Desimone/23fca2c21439eacc77f0787b664b150f7195bfd8">&ldquo;black core&rdquo;</a> architecture that focused on securing individual transactions via end-to-end encryption.</p> <p>It&rsquo;s unsurprising that an organization as vast as the military came up with black core (later called colorless core) since they were racing to create a Global Information Grid (GIG) in order to &ldquo;integrate virtually all of the information systems, services, and applications in the US Department of Defense (DoD) into one seamless, reliable, and secure network.&rdquo; A network that large could not depend on a single perimeter and needed an approach to security that allowed for mobility and interoperability.</p> <p>Another major mid-aughts development was a wave of devastating viruses like <a href="https://www.infoworld.com/article/2677291/blaster-worm-spreading--experts-warn-of-attack.html">Blaster</a> and SoBig hitting organizations from the University of Florida to Lockheed Martin. These worms evaded firewalls and proliferated wildly within networks.</p> <p>As Paul Simmonds said in his seminal <a href="https://www.blackhat.com/presentations/bh-usa-04/bh-us-04-simmonds.pdf">2004 presentation</a>: &ldquo;We are losing the war on good security.&rdquo;</p> <p>Simmonds proposed a framework called &ldquo;de-perimeterization,&rdquo; which he also called &ldquo;defense in depth.&rdquo; De-perimeterization was an early forebear of Zero Trust (and still a better name for it, IMO). Some of the things Simmonds called for – such as cross-enterprise trust and authentication and better standards for data classification – are still part of ZT today. 
However, in 2004, Simmonds still couldn&rsquo;t imagine a non-VPN approach to creating secure connections, much less the dominance of individually-gated cloud apps.</p> <img src='https://blog.1password.com/posts/2024/history-of-zero-trust/blue.jpg' alt='The blue panel from the blog cover.' title='The blue panel from the blog cover.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <h2 id="forrester-and-the-birth-of-the-zero-trust-model">Forrester and the birth of the Zero Trust model</h2> <p>The term &ldquo;Zero Trust Model&rdquo; didn&rsquo;t appear on the scene until 2009, when it was coined by Forrester&rsquo;s John Kindervag. Kindervag&rsquo;s landmark report introduces three core concepts of the Zero Trust Model:</p> <ol> <li> <p>Ensure all resources are accessed securely regardless of location. This demands the same level of encryption and protection for data moving within a network as for external data.</p> </li> <li> <p>Adopt a least privilege strategy and strictly enforce access control. The idea of &ldquo;least privilege&rdquo; – that people can access only the data they need to do their jobs – predates Zero Trust, but is nevertheless part of its foundation. Role-based access control – people being given access to resources based on their role – is one way to put least privilege into action, though Kindervag doesn&rsquo;t claim it&rsquo;s the only solution.</p> </li> <li> <p>Inspect and log all traffic. In Zero Trust architecture, it&rsquo;s not enough to establish trust once a user has verified their identity. 
Instead, Kindervag argues, &ldquo;By continuously inspecting network traffic, security pros can identify anomalous user behavior or suspicious user activity (e.g., a user performing large downloads or frequently accessing systems or records he normally doesn&rsquo;t need to for his day-to-day responsibilities).&rdquo;</p> </li> </ol> <p>Each of these concepts has survived in some form in our current understanding of Zero Trust principles, although each has evolved. For instance, the concept of &ldquo;continuous authentication,&rdquo; or even multi-factor authentication, is missing here – in fact, the word &ldquo;authentication&rdquo; only appears once, in a footnote.</p> <aside class="c-technical-aside-box c-technical-aside-box--background" aria-labelledby="why-is-it-called-zero-trust"> <h2 class="c-technical-aside-box__title" id="why-is-it-called-zero-trust"> Why is it called Zero Trust? </h2> <div class="c-technical-aside-box__description"> <p>John Kindervag coined the term Zero Trust as a bit of a dig at his security colleagues. It comes from the Russian proverb &ldquo;trust but verify.&rdquo; &ldquo;However,&rdquo; he writes, &ldquo;Forrester has found that most security professionals trust a lot but verify very little.&rdquo; Most Americans first heard the expression uttered by Ronald Reagan to Mikhail Gorbachev, but Kindervag points out that it was intended as a joke, since neither the US nor the Soviets trusted each other in the slightest. His challenge to the security world was to never trust and always verify.</p> </div> </aside> <h3 id="microperimeters-and-the-role-of-the-insider-threat">&ldquo;Microperimeters&rdquo; and the role of the insider threat</h3> <p>The 2010 Forrester report was a landmark document, but it introduced two ideas that continue to cause tension and confusion in the Zero Trust world to this day.</p> <p>The first issue is how Kindervag&rsquo;s ideal Zero Trust Model relates to the corporate network and its perimeter. 
For all that Kindervag embraces de-perimeterization and states that &ldquo;the perimeter no longer exists,&rdquo; this report can&rsquo;t quite abandon the network model and continually refers to threats being either &ldquo;internal&rdquo; or &ldquo;external.&rdquo;</p> <p>Kindervag also recommends that security teams &ldquo;segment your networks into microperimeters where you can granularly restrict access, apply additional security controls, and closely monitor network traffic…&rdquo; This reintroduction of the perimeter opens the door for vendors to chip away at one of the core ideas of Zero Trust. While using microperimeters/microsegmentation is one model for ZTA, firewalls and VPNs are explicitly not a part of the paradigm, yet many vendors attempt to use this idea to jump on the bandwagon.</p> <p>The Forrester report also establishes another defining Zero Trust trait: (over)emphasizing the danger of malicious insiders. The report opens with a long anecdote about Russian spies and goes on to cite Chelsea Manning and Edward Snowden as evidence that bad actors within an organization are your single biggest concern.</p> <p>But while internal threats are indeed serious, this report glibly conflates three extremely different types of breaches:</p> <ol> <li> <p>Third parties impersonating insiders via stolen credentials or hardware</p> </li> <li> <p>Employee error, whether through carelessness or ignorance</p> </li> <li> <p>Deliberate employee malfeasance</p> </li> </ol> <p>In the quote below, you can see that conflation in action where &ldquo;internal incident&rdquo; is transformed into the much darker &ldquo;malicious activities.&rdquo;</p> <blockquote> <p>&ldquo;How serious is the threat? 
Well, according to Forrester&rsquo;s Global Business Technographics® Security Survey, 2015, 52% of network security decision-makers who had experienced a breach reported that it was a result of an internal incident, whether it was within the organization or the organization of a business partner or third-party supplier. (<a href="https://www.forrester.com/report/No-More-Chewy-Centers-The-Zero-Trust-Model-Of-Information-Security/RES56682#endnote15">see endnote 15</a>) Insiders have much easier access to critical systems and can often go about their malicious activities without raising any red flags.&rdquo;</p> </blockquote> <p>This focus on malicious insiders is responsible for some of the worst excesses of so-called Zero Trust security technology, which could be better described as <a href="https://www.spiceworks.com/hr/hr-compliance/guest-article/bossware-legal-and-practical-implications-of-tracking-employees/">bossware</a>.</p> <img src='https://blog.1password.com/posts/2024/history-of-zero-trust/purple.jpg' alt='The purple panel from the blog cover.' title='The purple panel from the blog cover.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <h2 id="googles-beyondcorp-makes-zero-trust-mainstream">Google&rsquo;s BeyondCorp makes Zero Trust mainstream</h2> <p>In 2014, Google introduced its <a href="https://storage.googleapis.com/pub-tools-public-publication-data/pdf/43231.pdf">BeyondCorp initiative</a>, which is widely credited with transforming Zero Trust from &ldquo;a neat but impractical idea&rdquo; to &ldquo;an urgent mandate.&rdquo; Though the words &ldquo;Zero Trust&rdquo; never appear in Google&rsquo;s announcement – it&rsquo;s not clear if they were trying to replace the term or had simply never heard of it – BeyondCorp clearly marked an evolution of ZTA.</p> <p>By 2014, the business world was embracing the cloud revolution, and cloud-based SaaS apps were taking over. 
Because of that, BeyondCorp was the first version of Zero Trust that could imagine a truly perimeterless world. Its authors announced that &ldquo;We are removing the requirement for a privileged intranet and moving our corporate applications to the Internet.&rdquo;</p> <blockquote> <p>&ldquo;All access to enterprise resources is fully authenticated, fully authorized, and fully encrypted based upon device state and user credentials. We can enforce fine-grained access to different parts of enterprise resources. As a result, all Google employees can work successfully from any network, and without the need for a traditional VPN connection into the privileged network.&rdquo;</p> </blockquote> <p>BeyondCorp had an undeniable influence on security writ large, but not all of its ideas survived in later versions of Zero Trust.</p> <h2 id="device-trust-and-byod">Device trust and BYOD</h2> <p>Nearly every report on ZTA mentions that, in order for the entire concept to work, devices must be in a secure state. In other words, strong authentication, RBAC, and encryption won&rsquo;t protect your resources from a device that&rsquo;s infected with malware.</p> <p>Despite the consensus that device trust is crucial to Zero Trust, few writers include suggestions for how to actually ensure devices are in a secure state. In fact, many writers and vendors <a href="https://www.gartner.com/document/3912802">claim that Zero Trust can facilitate BYOD</a> policies and reduce the need for endpoint management.</p> <p>In this report, Google explicitly rejects the idea that BYOD can be compatible with BeyondCorp. 
Instead, they emphasize that &ldquo;only managed devices can access corporate applications.&rdquo; Google issues unique certificates identifying the device and &ldquo;only a device deemed sufficiently secure can be classed as a managed device.&rdquo; That&rsquo;s obviously a little light on details, but still goes farther than many other, more recent, Zero Trust guides in sketching out an actual process for ensuring device trust.</p> <p>To be clear, Zero Trust solutions <em>can</em> help enforce a strict enough BYOD policy — but they won&rsquo;t solve for completely unmanaged devices being allowed into systems.</p> <img src='https://blog.1password.com/posts/2024/history-of-zero-trust/red.jpg' alt='The red panel from the blog cover.' title='The red panel from the blog cover.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <h2 id="nist-provides-a-zero-trust-how-to">NIST provides a Zero Trust how-to</h2> <p>At present, the most comprehensive guide to the current Zero Trust security model comes to us from the National Institute of Standards and Technology (NIST).</p> <p>Rather than proposing a single &ldquo;right way&rdquo; to practice Zero Trust, the <a href="https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-207.pdf">2020 report</a> encompasses the breadth of its possibilities, including variations in the underlying architecture, deployments, trust algorithms, and use cases. The report also offers detailed guidance on managing a ZTA transition, from creating an asset inventory to evaluating vendors.</p> <p>The NIST&rsquo;s description of Zero Trust as an approach to security, rather than a rigid set of policies or technologies, has contributed to this report&rsquo;s longevity. Even so, parts of the report have already become dated. For instance, the report &ldquo;attempts to be technology agnostic&rdquo; when choosing between authentication methods such as username/password, one-time code, and device certificates. 
From today&rsquo;s vantage point, it&rsquo;s easy to see that not all authentication methods are created equal. Passwords, for instance, are particularly weak (though it helps if you use an Enterprise Password Manager), and strong authentication is necessary for effective Zero Trust.</p> <p>The NIST&rsquo;s report includes a list of potential threats to ZTA, including stolen credentials, a compromised policy administrator (such as an identity provider), and a lack of interoperability between vendors. It also names an underrecognized risk to the integrity of ZTA: &ldquo;subversion of ZTA decision process.&rdquo; In the real world, these policies are vulnerable to abuse by admins and executives who make exceptions to security policies – such as by allowing themselves access to resources on personal devices.</p> <h2 id="the-history-of-zero-trust-is-just-beginning">The history of Zero Trust is just beginning</h2> <p>While you may be sick of the name &ldquo;Zero Trust&rdquo; (especially after reading this article), the ideas at its core aren&rsquo;t going anywhere. The more the world is dominated by SaaS apps, the less the idea of a network perimeter makes sense. And in a perimeterless world, strong authentication, encryption, and access control are necessities. Still, that&rsquo;s just the start of how you reduce attack surface and protect systems.</p> <p>Part of the reason Zero Trust is so popular (and profitable) is that it&rsquo;s malleable; for better and for worse, there is no single right way to accomplish it. In fact, part of the point of Zero Trust is that you can&rsquo;t &ldquo;accomplish&rdquo; it at all; you can only practice it. 
And the interaction between Zero Trust theory and the real-world practice of security will continue to push its evolution for years to come.</p> <p>If you&rsquo;d like to hear more data privacy and security stories like this, and hear about how to implement Zero Trust, <a href="https://www.youtube.com/watch?v=_jP5mtoGexg">check out our podcast</a>.</p></description></item><item><title>Introducing Unlock with Google for 1Password Business</title><link>https://blog.1password.com/unlock-1password-google-identity-platform/</link><pubDate>Thu, 01 Aug 2024 00:00:00 +0000</pubDate><author>info@1password.com (Chisom Ezeh)</author><guid>https://blog.1password.com/unlock-1password-google-identity-platform/</guid><description> <img src='https://blog.1password.com/posts/2024/unlock-1password-google-identity-platform/header.png' class='webfeedsFeaturedVisual' alt='Introducing Unlock with Google for 1Password Business' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">1Password Business customers can now integrate with Google Identity Platform using OpenID Connect (OIDC). Doing so brings all the benefits of <a href="https://support.1password.com/sso/">integrating 1Password with your IdP</a>: streamlined access, unified security policies, and improved auditing, compliance, and reporting workflows.</p> <h2 id="why-google-sso">Why Google SSO?</h2> <p>In short, you asked (thank you to the many 1Password Business customers who provided their input!). Single sign-on (SSO) has become a critical requirement for businesses to simplify access management for both admins and employees. When you integrate 1Password with Google Identity Platform, you make it easier for teams to securely access their passwords, payment info, and all the other business secrets they store in 1Password.</p> <p>Like all identity provider integrations, zero-knowledge architecture and end-to-end encryption are preserved, and decryption happens on-device. 
And the <a href="https://support.1password.com/sso-trusted-device/">trusted device model</a> ensures that if your identity provider credentials are ever compromised, attackers still wouldn’t be able to access your 1Password data.</p> <p><strong>Key Benefits of Google SSO Integration:</strong></p> <ul> <li><strong>Seamless integration:</strong> Easily integrate 1Password with Google Identity Platform using OIDC. This allows your team to use single sign-on for 1Password using existing Google credentials.</li> <li><strong>Enhanced security:</strong> Extend Google’s authentication policies to every 1Password account unlock to strengthen access controls and improve security.</li> <li><strong>Simplified access:</strong> Your employees can access their passwords and sensitive information with ease, all while maintaining robust security standards.</li> <li><strong>Comprehensive protection:</strong> Integrate with Google to access 1Password using single sign-on with zero-knowledge and end-to-end encryption preserved. 
Give your employees a simpler, more secure way to access their passwords and other digital secrets – like documents, Secure Notes, and SSH keys – that aren’t covered by Google.</li> <li><strong>Guided setup:</strong> Use our existing SSO wizard to set up the integration, scope users, set a grace period, and manage biometrics.</li> </ul> <h2 id="how-it-works">How It Works</h2> <div style="text-align: center !important;"> <iframe src="https://www.youtube-nocookie.com/embed/AGOUusF161A" frameborder="0" allow="autoplay; encrypted-media" width="500px !important;" height="281px !important;" style="width: 500px !important; height: 281px !important; display: inline-block !important" allowfullscreen></iframe> </div> <p>Setting up Google SSO with 1Password is similar to the process for <a href="https://support.1password.com/sso-configure-okta/">Okta</a> or <a href="https://support.1password.com/sso-configure-entra/">Entra ID</a>. Check out the walkthrough video to see how it’s done, or <a href="http://support.1password.com/sso-configure-google">visit 1Password Support for detailed setup instructions</a>.</p> <p>For more details on unlocking 1Password with SSO, download the <a href="https://1passwordstatic.com/files/resources/unlock-1Password-with-sso-adoption-kit.pdf">adoption kit</a>. It includes everything you need to enable and roll out Unlock 1Password with SSO.</p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Secure your employees at scale with 1Password and Google SSO</h3> <p class="c-call-to-action-box__text"> Try 1Password Business free for 14 days to unlock 1Password with Google. 
</p> <a href="https://start.1password.com/sign-up/business?l=en%5C&amp;source=blog%5C&amp;campaign=UnlockGoogle" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Get started </a> </div> </section></description></item><item><title>Adamaka Ajaelo explains how cybersecurity can make space for BIPOC women</title><link>https://blog.1password.com/cybersecurity-bipoc-women-interview/</link><pubDate>Wed, 31 Jul 2024 00:00:00 +0000</pubDate><author>info@1password.com (Jenn Marshall)</author><guid>https://blog.1password.com/cybersecurity-bipoc-women-interview/</guid><description> <img src='https://blog.1password.com/posts/2024/cybersecurity-bipoc-women-interview/header.png' class='webfeedsFeaturedVisual' alt='Adamaka Ajaelo explains how cybersecurity can make space for BIPOC women' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Diversity brings innovation. At a time when every tech company is looking for an edge, having a workforce that mirrors their heterogeneous customer base is a smart move. But how can tech and cybersecurity companies build new talent pipelines?</p> <p><a href="https://selfestem.org/">Self-eSTEM</a>, a non-profit that supports BIPOC (Black, Indigenous, and people of color) women and girls learning and working in STEM fields, is helping to diversify the talent pool. But, as Sara Teare, one of 1Password’s founders, discussed with Adamaka Ajaelo, founder and executive director of Self-eSTEM, on the <a href="https://randombutmemorable.simplecast.com/">Random but Memorable</a> podcast, they can’t do it alone. 
Tech companies need to become intentional about recruiting and developing BIPOC talent.</p> <p>Read the interview highlights below or listen to the <a href="https://randombutmemorable.simplecast.com/episodes/lift-as-you-climb">full podcast episode</a> to learn more about Self-eSTEM and strategies for BIPOC women and girls interested in cybersecurity and tech careers.</p> <div style="text-align: center !important;"> <iframe src="https://www.youtube-nocookie.com/embed/Mnhnehwru3g?si=DMdr9g8FhIKC_gBU" frameborder="0" allow="autoplay; encrypted-media" width="500px !important;" height="281px !important;" style="width: 500px !important; height: 281px !important; display: inline-block !important" allowfullscreen></iframe> </div> <p>It was such an interesting conversation we actually created a complete <a href="https://randombutmemorable.simplecast.com/episodes/founder-to-founder-fireside-chat">bonus episode with Adamaka Ajaelo</a> to keep the conversation going! And Self-eSTEM is hosting their <a href="https://www.linkedin.com/posts/self-estem_selfestem-vipaffair-stemeducation-activity-7210061629009330176-KNVe?utm_source=share&amp;utm_medium=member_desktop">10th annual fundraiser</a> if you want to find out how you can get more involved with their efforts to make space in tech for BIPOC women.</p> <p><em>Editor’s note: This interview has been lightly edited for clarity and brevity. The views and opinions expressed by the interviewee don’t represent the opinions of 1Password.</em></p> <p><strong>Sara Teare: What&rsquo;s the mission of Self-eSTEM and how is it supporting women in BIPOC communities and STEM?</strong></p> <p><strong>Adamaka Ajaelo:</strong> Our mission is pretty simple. It&rsquo;s really just to ignite pride, purpose, and possibility among BIPOC girls and women through STEM. 
We do this by providing culturally relevant education, education that aligns to their interests, training, mentorship, and access to a supporting network to fuel their personal and professional development.</p> <p>Specifically in cybersecurity and technology, we have a series called Digital and Generative AI Bootcamp, which introduces our innovators – the participants in our program – to online safety through entrepreneurship and project-based training. So that&rsquo;s some of the ways we’re getting girls into cybersecurity and into the technology field.</p> <p><strong>ST: I love “pride, purpose, and possibility” as an overarching mission statement because it&rsquo;s about enjoying what you do and giving the people that have been successful an opportunity to show off and be proud of what they&rsquo;re accomplishing.</strong></p> <p><strong>I think that&rsquo;s a really great opportunity for everyone to be able to celebrate bringing awesome into their field and giving other people that opportunity to learn from them.</strong></p> <p><strong>AA:</strong> Thank you. You&rsquo;re spot on. That&rsquo;s really the essence of our mission.</p> <p><strong>ST: What are some of the unique challenges for women and girls of color when they&rsquo;re trying to enter into the cybersecurity and technology centers?</strong></p> <p><strong>AA:</strong> There are several unique challenges that BIPOC women and girls face, including limited access to resources, lack of mentorship, and some systemic biases that hinder their entry and advancement in cybersecurity and technology sectors.</p> <p>At Self-eSTEM, we’re addressing these challenges by offering comprehensive programs that include technical training, mentorship, and networking opportunities. Our Early STEM Immersion Program, which provides hands-on experience for young people aged 7 to 17, connects our participants with industry professionals who can guide them through their journey. 
This is designed to address what we call some of the systemic root cause issues that keep them out and push them out of the talent pipeline.</p> <p>By doing this, we&rsquo;re really focusing on building their STEM career identities, building their confidence, and fostering educational readiness so that they can have thriving careers.</p> <p><strong>ST: It&rsquo;s a challenge for kids to figure out how they can take the knowledge they have and apply it in a business sense. Then they can put it on their resume and get a foot in the door at a technology firm. They just need the mentorship to be able to put those pieces together.</strong></p> <p><strong>AA:</strong> Exactly. That really gets to the heart of it. It&rsquo;s a route. We need to open up their world to new possibility, believing in their gifts and abilities. It’s really just guiding them and encouraging them on their journey.</p> <p><strong>ST: From your perspective, what are some of the key areas where the current cybersecurity industry is lacking diversity? Where do you think we can be taking steps to address those gaps?</strong></p> <p><strong>AA:</strong> I would say that the cybersecurity industry has opportunity for diversity at all levels, particularly in leadership. To address these gaps, it&rsquo;s really important for organizations to make commitments to being intentional about recruiting, retention and development, as well as promotional strategies that really prioritize diversity, equity, and inclusion.</p> <p>Some of the things that companies can do include creating what I call supportive environments: creating a safe space for people to speak up and share their ideas. Offering professional development opportunities is always a bonus. 
Another key thing is to actively work to remove biases in some of your critical touch points and systems, primarily around hiring, as well as with promotion and investment processes that are internal to the company.</p> <blockquote> <p><em>&ldquo;Make commitments to being intentional about recruiting, retention and development.&quot;</em></p> </blockquote> <p>When organizations take a step back and absorb their ecosystem and listen to employees, that&rsquo;s really the foundational step for them to start addressing some of the diversity challenges at all levels.</p> <p><strong>ST: Let’s talk about the importance of feedback. For example, as an employer, being able to ask your employees: &ldquo;What could we be doing to support you as a professional? How do we make sure our interview processes are fair, and how do we look at our talent pipelines to make sure we&rsquo;re being inclusive?”</strong></p> <p><strong>For example, at a company like 1Password, the diversity of our employees should be reflective of who uses our product – which is everyone.</strong></p> <p><strong>AA:</strong> That&rsquo;s where innovation can take flight. When you&rsquo;re saying you have a product in which you have diversity in the users, and if you&rsquo;re thinking about those groups as being key personas or your target market, and you&rsquo;re looking to innovate for them, it&rsquo;s always great to have people who have that same frame of reference and can really empathize with the needs of your customers.</p> <p><strong>ST: What could we do better as an industry to make sure we&rsquo;re supporting diverse talent pipelines? 
Is there a particular area that would have a big impact?</strong></p> <p><strong>AA:</strong> I&rsquo;ve often heard from companies that: &ldquo;Hey, we don&rsquo;t know where the talent exists.&rdquo; I would say one of the things that can make a big impact, thinking about it from an organizational level, is to go out into the community and do sort of an environmental scan of what&rsquo;s happening. What are some of the emerging trends from a talent perspective?</p> <p>For an organization to drive this change, it starts with doing research. Where are the areas I’m looking to increase diversity in my organization – is it gender representation, ethnicity, disabilities, other different categories and touch points?</p> <blockquote> <p><em>&ldquo;Go out into the community and do an environmental scan of what’s happening.&quot;</em></p> </blockquote> <p>Diversity does exist in the market – these diverse talent pools do in fact exist. Once you do the research and identify those talent pools, then start to build those pipelines and build those connectors with those targeted populations or institutions that have that diverse talent. I think that that will be really, really critical.</p> <p><strong>ST: It’s important for youth to learn how to network. But it&rsquo;s not just the youth that have work to do, it&rsquo;s the companies as well. Get out there, network, figure out where the world is. It&rsquo;s not just a one-stop-shop, internet world of resumes. There&rsquo;s a whole world of talent out there.</strong></p> <p><strong>AA:</strong> Yes, I love the way you summarized that and re-framed it. That is perfectly spot on.</p> <p><strong>ST: What advice would you give to women, especially those folks in our BIPOC communities who are interested in entering into cybersecurity and technology?</strong></p> <p><strong>AA:</strong> My number one piece of advice is “find your tribe”. By that I mean finding supportive networks and mentorship opportunities that fit you. 
It doesn&rsquo;t necessarily mean that in your tribe everyone will look exactly like you. It’s more about finding people who are there to support you no matter what they look like, no matter what their background is.</p> <p>Second, leveraging resources. We are in this big information age and there&rsquo;s so many online courses and community programs. But you can start by going on the internet and doing some research about things that you can self-teach – I like to say it&rsquo;s about generating “self-believe”. I think it&rsquo;s really important for you to believe in your potential and to continuously advocate for yourself and others.</p> <p>So, stay connected and look for programs like ours and also look for resources online. I always like to look for free tools. Tools can be in the form of online training. Tools can be in the form of digital community groups. I know that LinkedIn has different groups and associations that you can join for free, as well as social media platforms like Facebook. I think that those are the things that will really help those who are interested in entering the cybersecurity field and may face some of the systemic barriers.</p> <blockquote> <p><em>&ldquo;Find your tribe.&quot;</em></p> </blockquote> <p>But finding your tribe is really the key thing that I like to tell a lot of my young mentees or just anybody within my peer group. I just want to remind everyone to be resilient and to continue to push forward. 
It does yield positive results.</p> <p><strong>ST: Do you find impostor syndrome to be common for women in STEM careers and do you have any advice for trying to overcome that?</strong></p> <p><strong>AA:</strong> Yes, I do find this to be common for women in the STEM fields and also for women in the business or corporate world, especially if they’re in leadership.</p> <p>One of the things I like to tell people within my peer group – I also mentor young professionals – is to remind yourself that you are there because you belong there. You&rsquo;re not there to say: &ldquo;Oh, I&rsquo;m just a diversity hire.” It&rsquo;s okay for you to take up space. I also tell them to give themselves grace. There&rsquo;s no one in the company that knows everything. Many people have had help.</p> <p>I keep that in the back of my mind and share it because it’s okay to acknowledge that you have those feelings. But what I encourage people to do is think: “I have this imposter syndrome feeling but what am I going to do about it?&rdquo;</p> <p>You&rsquo;ll find out that other people whom you think have it all together actually don&rsquo;t have it all together. Even the CEO has had to learn and depend on other people to provide them information or to help them with decision-making. That really helps me along my journey to humanize that experience.</p> <p><strong>ST: Could you share some success stories of BIPOC women who have been supported by Self-eSTEM and gone on to pursue successful careers in technology?</strong></p> <p><strong>AA:</strong> I’d love to tell you one of our amazing stories. Ten years ago, we had an innovator participate in our Early STEM Immersion Program. She was interested in the STEM fields but lacked what we call the 21st century skills of collaboration and some of the social skills.</p> <p>With our organization and mentorship, she was able to build her collaboration skills and confidence to communicate effectively. 
We did this through putting her in project-based activities and team environments.</p> <p>Today she&rsquo;s a sophomore at UC Davis with a full scholarship, and she&rsquo;s double majoring in computer science and neuroscience. She&rsquo;s now an advocate for diversity in tech and has been inspiring other BIPOC girls to pursue careers in the STEM fields. It’s amazing to have that full circle moment – to see someone’s growth and development and then see them come back to become an advocate. To reach back and lift as she climbs. That’s very, very important within our organization.</p> <div style="text-align: center !important;"> <iframe src="https://www.youtube-nocookie.com/embed/8yPn7IPte_o?si=HXscz6BkmbwGyfsV" frameborder="0" allow="autoplay; encrypted-media" width="500px !important;" height="281px !important;" style="width: 500px !important; height: 281px !important; display: inline-block !important" allowfullscreen></iframe> </div> <p><strong>ST: Where could folks go to learn more about you, Self-eSTEM, and the incredible work that you&rsquo;re doing?</strong></p> <p><strong>AA:</strong> To learn more about Self-eSTEM and our program, go to our website at <a href="http://www.selfestem.org">selfestem.org</a>. You also can follow us on our social media platforms for updates and upcoming events, including our <a href="https://www.linkedin.com/posts/self-estem_selfestem-vipaffair-stemeducation-activity-7210061629009330176-KNVe?utm_source=share&amp;utm_medium=member_desktop">10th annual fundraiser</a>. We’re encouraging everyone to support our mission by donating, volunteering, or simply spreading the word about our organization.</p> <p>I really do believe in the collective and the community and believe that together we can drive meaningful change. 
I really empower girls and women to become leaders, not just for today, but also for tomorrow.</p> <section class="c-call-to-action-box c-call-to-action-box--yellow"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Subscribe to Random but Memorable</h3> <p class="c-call-to-action-box__text"> Listen to the latest news, tips and advice to level up your security game, as well as guest interviews with leaders from the security community. </p> <a href="https://randombutmemorable.simplecast.com/" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--yellow" data-event-category="CTA" data-event-action="call-to-action-button"> Subscribe to our podcast </a> </div> </section></description></item><item><title>The complete guide to digital estate planning</title><link>https://blog.1password.com/get-started-digital-estate-planning/</link><pubDate>Wed, 31 Jul 2024 00:00:00 +0000</pubDate><author>info@1password.com (Sara Teare)</author><guid>https://blog.1password.com/get-started-digital-estate-planning/</guid><description> <img src='https://blog.1password.com/posts/2024/get-started-digital-estate-planning/header.png' class='webfeedsFeaturedVisual' alt='The complete guide to digital estate planning' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">It’s not something we want to think about, but the reality is that we all have to face it at some point: Death. 
It’s an inevitable human experience that no one really wants to talk about.</p> <p>With so many folks finding conversations like this uncomfortable, planning is often left undone, and loved ones are left to struggle with putting the puzzle pieces together, while dealing with the emotions that come with loss.</p> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div class="c-technical-aside-box__description"> <p>💡 Download our free guide, <a href="https://1passwordstatic.com/files/resources/digital-estate-planning-guide.pdf">How to get started with digital estate planning</a>, and prepare for your family&rsquo;s future today.</p> </div> </aside> <p>I grew up knowing only one grandparent, who passed away when I was 19. My father had health issues and passed away when I was 30. Prior to my life here at 1Password, I worked in long-term care, where I was witness to families dealing with the challenges of loss.</p> <p>All of this led to an odd conversation starter – “Box or Pot?” When the time comes, do you want to be buried or cremated? Kick starting those conversations reminds us that there are decisions to be made, and if we can be prepared in advance, then we’re able to allow ourselves and our loved ones the grace to handle emotions and the unexpected, without additional stress.</p> <p>When you’re going through grief, dealing with confusing paperwork, estates, accounts, and passwords is the last thing you want to do. When you’ve already taken care of these “chores” that come along with death, it’s one less thing your loved ones have to worry about.</p> <h2 id="be-prepared">Be prepared</h2> <p>Part of proper preparation is estate planning – having a will is important, along with making sure your executor has the information they need to handle your affairs. 
With so much of the world having a digital presence, it’s important that you’re thinking about how to pass that account information on, so that the task of identifying and accessing accounts is made simple.</p> <p>For folks who are new to 1Password, I recommend our <a href="https://www.youtube.com/watch?v=seMl5imFNCQ">Getting Started video</a> to kick things off easily.</p> <div style="text-align: center !important;"> <iframe src="https://www.youtube-nocookie.com/embed/seMl5imFNCQ" frameborder="0" allow="autoplay; encrypted-media" width="500px !important;" height="281px !important;" style="width: 500px !important; height: 281px !important; display: inline-block !important" allowfullscreen></iframe> </div> <p>Within 1Password, there is an <a href="https://support.1password.com/emergency-kit/">Emergency Kit</a> – you can print this out and store it with your will. It’s the only time you should write your account password down, so I caution that this document should be <a href="https://blog.1password.com/where-to-store-your-emergency-kit/">well stored and safely stowed</a> with instructions for your executor, only to be used when needed.</p> <p>This kit will specify where your account is located (either our .ca, .com or .eu site), the email address used, and your <a href="https://support.1password.com/secret-key-security/">Secret Key</a>. There is a QR code to download 1Password and a way to <a href="mailto:support@1password.com">connect with the 1Password support team</a>. We’ve also recently <a href="https://blog.1password.com/introducing-1password-recovery-codes/">introduced recovery codes</a>, and while these aren’t designed specifically for digital estate planning, they are another option you can consider to make passing on your accounts easier.</p> <p>We truly understand the value of estate management and our team is always considering ways to enhance our features to support this need we all have. 
We&rsquo;re committed to helping you be well-prepared for the future.</p> <p>In the meantime, we’ve also created a guide, <a href="https://1passwordstatic.com/files/resources/digital-estate-planning-guide.pdf">How to get started with digital estate planning</a>, to help you navigate through the online side of estate planning. You’ll learn how to get started on your own plan, what to do if you’ve inherited a digital estate plan from someone else, and even how to transfer crypto after you’ve passed.</p> <h2 id="you-can-do-this">You can do this</h2> <p>At 1Password, we&rsquo;re always telling you to keep your passwords as safe as possible – they&rsquo;re the keys to your life, from crucial documents to irreplaceable family photos. Keeping your passwords to yourself is the right thing to do. But ironically, once we&rsquo;ve moved on, those passwords become the keys your loved ones will use to access what you&rsquo;ve left behind for them. This will be the one time you want to make access to those keys as easy as possible.</p> <p>Thinking about death and what happens when the time comes isn’t on the top of the to-do list and isn’t the most exciting topic, but it is important to have these conversations and make preparations. If all else fails and you’re looking for a conversation starter, you can always go with “Box or Pot?” and see where things lead. 🙂</p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">How to get started with digital estate planning</h3> <p class="c-call-to-action-box__text"> Get the free guide for step-by-step tips on getting started with your digital estate planning. 
</p> <a href="https://1passwordstatic.com/files/resources/digital-estate-planning-guide.pdf" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Download now </a> </div> </section></description></item><item><title>New 1Password SIEM integration with Microsoft Sentinel now generally available</title><link>https://blog.1password.com/1password-microsoft-sentinel-siem/</link><pubDate>Tue, 30 Jul 2024 00:00:00 +0000</pubDate><author>info@1password.com (Scott Lougheed)</author><guid>https://blog.1password.com/1password-microsoft-sentinel-siem/</guid><description> <img src='https://blog.1password.com/posts/2024/1password-microsoft-sentinel-siem/header.png' class='webfeedsFeaturedVisual' alt='New 1Password SIEM integration with Microsoft Sentinel now generally available' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Microsoft Sentinel customers, get ready to streamline your security monitoring and investigation workflows with the official 1Password integration for Microsoft Sentinel.</p> <p>1Password for Microsoft Sentinel is an end-to-end solution allowing you to ingest <a href="https://developer.1password.com/docs/events-api/reference/">1Password Events API</a> data directly to Microsoft Sentinel. This brings visibility to 1Password audit events, sign-in activity, and shared item usage, with the full power of Microsoft Sentinel. 
You can get started right away with alerts and a dynamic, customizable dashboard thanks to out-of-the-box analytics rules and workbooks.</p> <p>Here are the highlights:</p> <ul> <li><strong>Track security events:</strong> Stay in the know with real-time alerts for successful and failed login attempts as well as account and billing changes.</li> <li><strong>Monitor shared item usage:</strong> Gain insights into user adoption and usage, file uploads, and item modifications for accountability and transparency.</li> <li><strong>Threat intel notifications:</strong> Proactively identify potential security threats and attacks, equipped with actionable suggestions with 18 analytics rule templates.</li> <li><strong>Streamline reporting:</strong> Consolidate 1Password logs into Microsoft Sentinel, allowing for a single pane of glass and reducing the time spent toggling between different apps and services.</li> </ul> <h2 id="using-the-1password-events-api"><strong>Using the 1Password Events API</strong></h2> <p>The new integration makes it easier for security admins and analysts to monitor and manage their organization&rsquo;s credentials and secrets, better assess security risks, and quickly detect, investigate, and mitigate threats.</p> <p>For example, admins can set up custom alerts for:</p> <ul> <li>Privilege escalation within 1Password</li> <li>Privileged vault and group access control changes</li> <li>Impossible travel</li> <li>Changes to a user’s MFA settings</li> <li>1Password tenant-level changes (e.g., firewall rules or authentication policies)</li> </ul> <p>Admins can also create dashboards and custom graphs to illustrate event activity, and cross-reference 1Password events with data from other services.</p> <p>Together, 1Password and Microsoft Sentinel eliminate the hassle of juggling multiple security platforms. 
Just connect your <a href="https://1password.com/business/">1Password Business</a> account to Microsoft Sentinel to track your 1Password security events in one place and illuminate your overall secrets landscape.</p> <blockquote> <p>“We all know how crucial visibility is for security teams. This collaboration helps bridge that visibility gap, surfacing and visualizing 1Password events directly in Microsoft Sentinel, allowing businesses to take a more proactive approach to reducing risk.” – <strong>Natee Pretikul, Principal Product Management Lead, Microsoft Security</strong></p> </blockquote> <h3 id="special-thanks-to-our-open-source-contributors"><em>Special thanks to our open source contributors</em></h3> <p>We&rsquo;d like to give a special shout-out to our community for making this integration possible. In particular, we&rsquo;d like to thank <a href="https://www.linkedin.com/in/rogierdijkman/">Rogier Dijkman</a> (<a href="https://github.com/azurekid">azurekid</a>) and <a href="https://nl.linkedin.com/in/stefan-alexander-smit">Stefan Alexander Smit</a>, among many other contributors to the Microsoft Sentinel and 1Password integration!</p> <h2 id="getting-started"><strong>Getting started</strong></h2> <p>The new Microsoft Sentinel integration is available to anyone with a 1Password Business account and a Microsoft Sentinel account via the <a href="https://azuremarketplace.microsoft.com/en-us/marketplace/apps/1password1617200969773.azure-sentinel-solution-1password">Microsoft Azure Marketplace</a>. Get started by <a href="https://support.1password.com/events-reporting/">connecting your account</a> from the integrations directory in 1Password Business. 
Once the accounts are connected, you can start enabling features.</p> <p>Microsoft Sentinel is the newest in a long line of <a href="https://support.1password.com/events-reporting/">1Password Business security information and event management (SIEM) integrations</a> that includes Datadog, Elastic, Panther, Splunk, and Sumo Logic. (You can <a href="https://developer.1password.com/docs/events-api/reference/">build your own</a>, too, with the 1Password Events API.)</p> <p>Interested in partnering with 1Password as an integrated service? We’d love to hear from you. Reach out to <a href="mailto:tech-partnerships@1password.com">tech-partnerships@1password.com</a> to start a conversation.</p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Secure your business with 1Password</h3> <p class="c-call-to-action-box__text"> Give your admins the visibility they need to protect your business. Send 1Password account activity to Microsoft Sentinel using the 1Password Events API with 1Password Business. Try it free for 14 days. 
</p> <a href="https://1password.com/business-pricing/?utm_ref=blog" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Try free for 14 days </a> </div> </section></description></item><item><title>AI browser extensions are a security nightmare</title><link>https://blog.1password.com/ai-browser-extension-nightmare/</link><pubDate>Mon, 29 Jul 2024 00:00:00 +0000</pubDate><author>info@1password.com (Elaine Atwell)</author><guid>https://blog.1password.com/ai-browser-extension-nightmare/</guid><description> <img src='https://blog.1password.com/posts/2024/ai-browser-extension-nightmare/header.png' class='webfeedsFeaturedVisual' alt='AI browser extensions are a security nightmare' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Since the public release of OpenAI&rsquo;s ChatGPT, AI-powered browser extensions have proliferated wildly.</p> <p>There are hundreds of them – search for &ldquo;AI&rdquo; in the Chrome Web Store and you&rsquo;ll get tired of scrolling long before you reach the end of the list.</p> <p>These browser extensions run the gamut in terms of what they promise to do: some will summarize web pages and email for you, some will help you write an essay or a product description, and still others promise to turn plaintext into functional code.</p> <p>The security risks posed by these AI browser extensions also run the gamut: some are straightforward malware just waiting to siphon your data, some are fly-by-night operations with copy + pasted privacy policies, and others are the AI experiments of respected and recognizable brands.</p> <p>We&rsquo;d argue that no AI-powered browser extension is free from security risk (<a href="https://www.intego.com/mac-security-blog/chrome-extensions-are-a-security-nightmare-heres-why-you-should-avoid-them/">browser extensions in general are notoriously dangerous</a>) but right 
now, most companies don&rsquo;t even have policies in place to assess the types and levels of risk posed by different extensions. And in the absence of clear guidance, people all over the world are installing these little helpers and feeding them sensitive data.</p> <p>The risks of AI browser extensions are alarming in any context, but here we&rsquo;re going to focus on how workers employ AI and how companies govern that use. We&rsquo;ll go over three general categories of security risks, and best practices for assessing the value and restricting the use of various extensions.</p> <h2 id="malware-posing-as-ai-browser-extensions">Malware posing as AI browser extensions</h2> <p>The most straightforward security risk of AI browser extensions is that some of them are simply malware.</p> <p>On March 8th, 2023, <a href="https://labs.guard.io/fakegpt-new-variant-of-fake-chatgpt-chrome-extension-stealing-facebook-ad-accounts-with-4c9996a8f282">Guardio reported</a> that a Chrome browser extension called &ldquo;Quick access to Chat GPT&rdquo; was hijacking users' Facebook accounts and stealing a list of &ldquo;ALL (emphasis theirs) cookies stored on your browser–including security and session tokens…&rdquo; Worse, even though the extension had only been in the Google Chrome store for a week, it had been downloaded by over 2,000 users per day.</p> <p>In response to this reporting, Google removed this particular extension, <a href="https://www.pcmag.com/news/beware-ai-scams-meta-blocks-1000-plus-links-tied-to-chatgpt-themed-malware">but more keep cropping up</a>. As we mentioned earlier, security problems are a perennial issue in the browser extension space, and we&rsquo;ve yet to see meaningful action taken to stamp them out.</p> <p>This situation would likely shock the millions of users who download browser extensions, who assume that a product available on Chrome&rsquo;s store and advertised on Facebook had passed some sort of quality control. 
To quote the Guardio article, this is part of a &ldquo;troublesome hit on the trust we used to give blindly to the companies and big names that are responsible for the majority of our online presence and activity.&rdquo;</p> <p>What&rsquo;s particularly troubling is that malicious AI-based extensions (including the one we just mentioned) can behave like legitimate products, since it&rsquo;s not difficult to hook them up to ChatGPT&rsquo;s API. In other forms of malware – like the open source scams poisoning Google search results – someone will quickly realize they&rsquo;ve been tricked once the tool they&rsquo;ve downloaded doesn&rsquo;t work. But in this case, there are no warning signs for users, as the browsing experience stays the same. The malware can live in their browser (and potentially elsewhere) as a comfortable parasite.</p> <h2 id="the-security-risks-of-legitimate-ai-powered-browser-extensions">The security risks of legitimate AI-powered browser extensions</h2> <p>Even the most die-hard AI evangelist would agree that malicious browser extensions are bad, and we should do everything in our power to keep people from downloading them.</p> <p>Where things get tricky is when we talk about the security risks of legitimate AI browser extensions.</p> <p>Here are a few of the potential security issues:</p> <ol> <li> <p><strong>Sensitive data you share with a generative AI tool could be incorporated into its training data and viewed by other users.</strong> For a simplified version of how this could play out, imagine you&rsquo;re an executive looking to add a little pizazz to your strategy report, so you use an AI-powered browser extension to punch up your writing. 
The next day, an executive at your biggest competitor asks the AI chatbot what it thinks your company&rsquo;s strategy will be, and it provides a surprisingly detailed and illuminating answer!</p> <p>Fears of this type of leak have driven some companies – including Verizon, Amazon, and Apple – to ban or severely restrict the use of generative AI. As <a href="https://www.theverge.com/2023/5/19/23729619/apple-bans-chatgpt-openai-fears-data-leak">The Verge&rsquo;s article</a> on Apple&rsquo;s ban explains: &ldquo;Given the utility of ChatGPT for tasks like improving code and brainstorming ideas, Apple may be rightly worried its employees will enter information on confidential projects into the system.&rdquo;</p> </li> <li> <p><strong>The extensions or AI companies themselves could have a data breach.</strong> In fairness, this is a security risk that comes with any vendor you work with, but it bears mentioning because it&rsquo;s already happened to one of the industry&rsquo;s major players. In March 2023, <a href="https://openai.com/blog/march-20-chatgpt-outage">OpenAI announced</a> that they&rsquo;d recently had a bug &ldquo;which allowed some users to see titles from another active user&rsquo;s chat history&rdquo; and &ldquo;for some users to see another active user&rsquo;s first and last name, email address, payment address&rdquo; as well as some other payment information. Microsoft saw a <a href="https://www.pcmag.com/news/microsoft-ai-employee-accidentally-leaks-38tb-of-data">similar incident</a>, in which their AI data was left vulnerable to attack or manipulation from bad actors.</p> <p>How vulnerable browser extensions are to breaches depends on how much user data they retain, and that is a subject on which many &ldquo;respectable&rdquo; extensions are frustratingly vague.</p> </li> <li> <p><strong>The whole copyright + plagiarism + legal mess.</strong> LLMs frequently generate pictures, text, and code that have a clear resemblance to a distinct human source. 
As of now, it&rsquo;s an open legal question as to whether this constitutes copyright infringement, but it&rsquo;s a huge roll of the dice. And that&rsquo;s not even getting into the quality of the output itself – LLM-generated code is notoriously buggy and often replicates well-known security flaws.</p> </li> </ol> <p>AI developers are making good faith efforts to mitigate all these risks, but unfortunately, in a field this new, it&rsquo;s challenging to separate the good actors from the bad.</p> <p>Their efforts to mitigate risks are also far from airtight. OpenAI, for instance, <a href="https://openai.com/index/introducing-chatgpt-enterprise/">released</a> &ldquo;ChatGPT Enterprise.&rdquo; OpenAI promises that, with the enterprise version of their product, &ldquo;we do not train on your business data or conversations, and our models don&rsquo;t learn from your usage.&rdquo; This could provide a more secure way for teams to use ChatGPT.</p> <p>However, there&rsquo;s still the risk that employees – particularly those who work on personal devices – may switch between their personal and work accounts on ChatGPT, which could <a href="https://help.openai.com/en/articles/8265430-what-is-a-chatgpt-enterprise-workspace-how-can-i-switch-workspaces">all too easily</a> result in business data being fed to training models.</p> <p>Even a widely-used extension like fireflies (which transcribes meetings and videos) has <a href="https://fireflies.ai/terms-of-service.pdf">terms of service</a> that amount to &ldquo;buyer beware.&rdquo; Among other things, they hold users responsible for ensuring that their content doesn&rsquo;t violate any rules, and promise only to take &ldquo;reasonable means to preserve the privacy and security of such data.&rdquo; Does that language point to a concerning lack of accountability or is it just boilerplate legalese? 
Unfortunately, you have to decide that for yourself.</p> <h2 id="ais-unsolvable-threat-prompt-injection-attacks">AI&rsquo;s &ldquo;unsolvable&rdquo; threat: prompt injection attacks</h2> <p>Finally, let&rsquo;s talk about an emerging threat that might be the scariest of them all: websites stealing data via linked AI tools.</p> <p>The first evidence of this emerged on X (formerly Twitter) on May 19th, 2023.</p> <div class="tweet"> <img src="https://blog.1password.com/img/icons/twitter.svg" alt="@simonw tweet" /> <p> <p>This looks like it might be the first proof of concept of multiple plugins - in this case WebPilot and Zapier - being combined together to exfiltrate private data via a prompt injection attack</p> <p>I wrote about this class of attack here: <a href="https://simonwillison.net/2023/Apr/14/worst-that-can-happen/#data-exfiltration">https://simonwillison.net/2023/Apr/14/worst-that-can-happen/#data-exfiltration</a></p> - <span>@simonw</span> <a href="http://twitter.com/user/status/1659457043617701888" title="@simonw" class="view-tweet" target="_blank" rel="noopener">View tweet</a> </p> </div> <p>If that explanation makes you scratch your head, here&rsquo;s how Willison explains it in his social media posts, using &ldquo;pizza terms.&rdquo;</p> <div class="tweet"> <img src="https://blog.1password.com/img/icons/twitter.svg" alt="@simonw tweet" /> <p> If I ask ChatGPT to summarize a web page and it turns out that web page has hidden text that tells it to steal my latest emails via the Zapier plugin then I&rsquo;m in trouble - <span>@simonw</span> <a href="http://twitter.com/user/status/1660436551401377792" title="@simonw" class="view-tweet" target="_blank" rel="noopener">View tweet</a> </p> </div> <p>These prompt injection attacks are considered unsolvable given the inherent nature of LLMs. In a nutshell: the LLM needs to be able to make automated next-step decisions based on what it discovers from inputs. 
But if those inputs are evil, then the LLM can be tricked into doing anything, even things it was explicitly told it should never do.</p> <p>It&rsquo;s too soon to gauge the full repercussions of this threat for data governance and security, but at present, it appears that the threat would exist regardless of how responsible or secure an individual LLM, extension, or plugin is.</p> <p><a href="https://www.ibm.com/blog/prevent-prompt-injection/">As IBM put it</a> in April 2024: &ldquo;The only way to prevent prompt injections is to avoid LLMs entirely. However, organizations can significantly mitigate the risk of prompt injection attacks by validating inputs, closely monitoring LLM activity, keeping human users in the loop, and more.&rdquo;</p> <p>Defining what data and applications are too sensitive to be shared and communicating these policies with employees should be your first AI project.</p> <h2 id="what-ai-policies-should-i-have-for-employees">What AI policies should I have for employees?</h2> <p>The AI revolution happened overnight, and we&rsquo;re all still adjusting to this brave new world. Every day, we learn more about this technology&rsquo;s applications: <a href="https://www.scientificamerican.com/article/one-of-the-biggest-problems-in-biology-has-finally-been-solved/">the good</a>, <a href="https://www.vice.com/en/article/qjvk97/eating-disorder-helpline-disables-chatbot-for-harmful-responses-after-firing-human-staff">the bad</a>, and <a href="https://twitter.com/heykody/status/1662168390352666624?s=20">the cringe</a>. Companies in every industry are under a lot of pressure to share how they&rsquo;ll incorporate AI functionalities into their business, and it&rsquo;s okay if you don&rsquo;t have the answers today.</p> <p>However, if you&rsquo;re in charge of dictating your company&rsquo;s AI policies, you can&rsquo;t afford to wait any longer to set clear guidelines about how employees can use these tools. 
(If you need a starting point, <a href="https://www.shrm.org/resourcesandtools/hr-topics/technology/pages/how-to-create-the-best-chatgpt-policies-.aspx">here&rsquo;s a resource</a> with a sample policy at the end.)</p> <p>There are multiple routes you can take to govern employee AI usage. You could forbid it altogether, but an all-out ban is too extreme for many companies, who want to encourage their employees to experiment with AI workflows. Still, it&rsquo;s going to be tricky to embrace innovation while practicing good security. That&rsquo;s particularly true of browser extensions, which are inherently outward-facing and usually on by default. So if you&rsquo;re going to allow their use, here are a few best practices:</p> <p><strong>Education:</strong> Most employees are not aware of the security risks posed by these tools, so they don&rsquo;t know to exercise caution about which ones to download and what kinds of data to share. Educate your workforce about these risks and teach them how to assess malicious versus legitimate products.</p> <p><strong>Allowlisting:</strong> Even with education, it&rsquo;s not reasonable to expect every employee to do a deep dive into an extension&rsquo;s privacy policy before hitting download. With that in mind, the safest option here is to allowlist extensions on a case-by-case basis. When possible, you should offer safer alternatives to dangerous tools, since an outright ban can hurt employees' productivity and drive them to Shadow IT. In this case, look for products that explicitly pledge not to feed your data into their models.</p> <p><strong>Visibility and Zero Trust Access:</strong> You can&rsquo;t do anything to protect your company from the security risks of AI-based extensions if you don&rsquo;t know which ones employees are using. In order to learn that, the IT team needs to be able to query the entire company&rsquo;s fleet to detect extensions. 
From there, the next step is to automatically block devices with dangerous extensions from accessing company resources.</p> <p>That&rsquo;s what we did with 1Password <a href="https://blog.1password.com/introducing-extended-access-management/">Extended Access Management</a>, which allows admins to detect and block malicious apps and extensions.</p> <p>But again, simple blocking shouldn&rsquo;t be the final step in your policy. Rather, it should open up conversations about why employees feel they need these tools, and how the company can provide them with safer alternatives.</p> <p>Those conversations can be awkward, especially if you&rsquo;re detecting and blocking extensions your users already have installed. 1Password&rsquo;s <a href="https://www.darkreading.com/application-security/malware-exploits-security-teams-greatest-weakness-poor-relationships-with-employees">Jason Meller wrote for Dark Reading</a> about the cultural difficulties in stamping out malicious extensions: &ldquo;For many teams, the benefits of helping end users are not worth the risk of toppling over the already wobbly apple cart.&rdquo; But the reluctance to talk to end users creates a breeding ground for malware: &ldquo;Because too few security teams have solid relationships built on trust with end users, malware authors can exploit this reticence, become entrenched, and do some real damage.&rdquo;</p> <p>If you&rsquo;d like to learn more about how 1Password Extended Access Management can help manage and communicate the risks of AI for your team, <a href="https://1password.com/contact-sales/xam">reach out for a demo</a>!</p> <p><a href="https://1password.com/kolidescope-newsletter">And if you&rsquo;d like to keep up with our work on AI and security, subscribe to our newsletter!</a></p></description></item><item><title>Can BYOD policies be compatible with good security?</title><link>https://blog.1password.com/byod-policies/</link><pubDate>Mon, 29 Jul 2024 00:00:00 
+0000</pubDate><author>info@1password.com (Elaine Atwell)</author><guid>https://blog.1password.com/byod-policies/</guid><description> <img src='https://blog.1password.com/posts/2024/byod-policies/header.png' class='webfeedsFeaturedVisual' alt='Can BYOD policies be compatible with good security?' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">When workers bring their own equipment on the job, it opens the door to all kinds of trouble – just ask the NFL.</p> <p>In 2006, <a href="https://web.archive.org/web/20150515041558/http://articles.sun-sentinel.com/2006-11-28/sports/0611270475_1_new-football-new-england-quarterback-competition-committee">the National Football League instituted a rule change</a> that allowed each team&rsquo;s offense to use their own footballs during games, as long as those footballs met the league&rsquo;s requirements. This change was made at the request of the league&rsquo;s quarterbacks, who wanted more control over the equipment they use to throw touchdowns.</p> <p>But in 2015, the NFL&rsquo;s BYOD policy led to disaster. The New England Patriots and their quarterback Tom Brady were accused of deliberately underinflating footballs below NFL standards, <a href="https://www.cbssports.com/nfl/news/new-deflategate-revelations-paint-the-nfl-in-a-bad-light-during-infamous-saga-with-tom-brady-and-patriots/#:~:text=In%20the%20aftermath%20of%20that,made%20in%20the%20initial%20report.">in a scandal known as Deflategate</a>.</p> <p>Whatever you believe about the Patriots' guilt or innocence (please don&rsquo;t email us), Deflategate illustrates the pitfalls that come with BYOD - how a well-meaning policy can create a culture of mistrust and end up putting the most sensitive devices in your organization at risk.</p> <img src='https://blog.1password.com/posts/2024/byod-policies/football_in_grass_final.jpg' alt='A photo of a football on the ground.' title='A photo of a football on the ground.' 
style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>In this piece, we&rsquo;ll talk about whether or not BYOD policies can be compatible with good cybersecurity (spoiler alert: the answer is &ldquo;it depends&rdquo;), and how to differentiate between BYOD solutions that look good on paper and those that work in the real world.</p> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div class="c-technical-aside-box__description"> To understand the issues surrounding managed versus unmanaged devices, it&rsquo;s helpful to have a working knowledge of mobile device management solutions (MDMs). If you&rsquo;d like a starter/refresher, <strong><a href="https://blog.1password.com/pros-and-cons-of-mdms/">check out our blog on the subject</a></strong>. </div> </aside> <h2 id="what-is-byod">What is BYOD?</h2> <p>Bring your own device (BYOD) refers to organizations allowing their employees and contractors to use their own computers, phones, and other devices for work. BYOD has been popular since the 2010s, and many businesses believe in its cost effectiveness and positive impact on employee experience. But BYOD has also been consistently dogged by concerns about its effects on employee privacy, productivity, and – in particular – security.</p> <h2 id="the-risks-of-byod">The risks of BYOD</h2> <p>Generally speaking, employee-owned devices are at far greater risk than company-owned devices of letting sensitive data out and bad actors in. 
That&rsquo;s because in most cases, IT does not have the ability to enforce security policies on these devices.</p> <p>This can lead to:</p> <ul> <li> <p>Malware, since security tools are less likely to be installed and properly configured, and personal devices may be running vulnerable, unpatched software</p> </li> <li> <p>Data leakage, since IT cannot monitor downloads or transfers of data onto these devices' hard drives and applications</p> </li> <li> <p>Lost/stolen devices, since IT may lack the ability to remotely wipe an employee-owned device</p> </li> <li> <p>Credential-based attacks, since bad actors can steal or phish employee credentials and impersonate them</p> </li> </ul> <h2 id="the-types-of-byod">The types of BYOD</h2> <p>There are valid cases to be made for and against BYOD. However, it&rsquo;s difficult to make universal statements about BYOD as a concept, since the risks and benefits vary so much depending on what types of devices we&rsquo;re talking about, as well as the specifics of an organization&rsquo;s BYOD policy (or lack thereof).</p> <p>Some employee-owned devices get much the same level of management as employer-owned devices, and some get no oversight from the company at all. Likewise, not all devices are equally risky, because not all devices or users have the same level of access to sensitive data. In other words, a marketer who checks Slack on their MDM-enrolled iPhone poses a very different set of risks from a developer who accesses the company&rsquo;s source code on an unmanaged laptop.</p> <p>For that reason, we need to spend some time differentiating between the different types of BYOD before we can assess how they can (or cannot) be compatible with good corporate security.</p> <h3 id="mobile-devices">Mobile Devices</h3> <p>When a lot of people say &ldquo;BYOD,&rdquo; what they&rsquo;re really talking about is mobile phones. 
Employees using their personal cell phones for work tasks is most likely the largest BYOD use case, especially among knowledge workers in Western countries. A <a href="https://www.securitymagazine.com/articles/99142-71-of-employees-store-sensitive-work-passwords-on-personal-phones">2023 study found</a> that 85% of employers require employees to install work-related apps on their personal phones, and 71% of employees store work passwords on their personal phones.</p> <p>There are a few reasons that phones represent the biggest tranche of BYO-devices, including:</p> <ul> <li> <p>Many workers want or need to be available for workplace communication when they&rsquo;re away from their computer, and most don&rsquo;t want to carry around two cell phones.</p> </li> <li> <p>The kinds of work that most people do on their phones – messaging and email – are considered low-risk from a security perspective, so businesses are less concerned about the potential for data leakage, loss, or theft. (It&rsquo;s worth pointing out that a lot of sensitive data gets passed around on messaging apps, so they&rsquo;re far from harmless, but the perception remains.)</p> </li> <li> <p>Money, of course! Smartphones and tablets are expensive, and companies would prefer not to pay for them, especially if workers don&rsquo;t really <em>need them</em> to do their jobs. So unless a worker does the majority of their work on a mobile device – like a service technician who works off a phone or tablet – companies would rather avoid paying for service and upkeep on a mobile fleet.</p> </li> </ul> <h3 id="third-party-contractor-devices">Third-party contractor devices</h3> <p>Plenty of organizations purchase devices for their <em>employees</em>, but let outside contractors use their own computers. 
Even within this category of BYOD, there are subcategories that present different risk levels.</p> <ul> <li> <p><strong>Specialized individuals/freelancers:</strong> Specialists like web designers or consultants may work independently or for small agencies and be brought on for a specific project. Depending on the nature of that project, their access to company resources may be very limited, or they could be deeply embedded in the organization, with access equal to high-level employees.</p> </li> <li> <p><strong>Larger contractor teams:</strong> Large corporations often subcontract work to other businesses that specialize in providing services, such as content moderation or customer service. The contractor&rsquo;s employees may be working on their personal devices, or they may be working on devices provided to them by the contractor. And again, their access to sensitive data may be heavily restricted or relatively unsupervised, depending on the nature of their work and the contractor&rsquo;s own security policies.</p> </li> <li> <p><strong>Vendors and service providers:</strong> This category encompasses anyone performing work that is not directly tied to your business operations but that must access its systems–anyone from your building&rsquo;s security to your HVAC company.</p> </li> </ul> <p>As you can likely guess, BYOD presents more risk in some of these circumstances than others.</p> <p>For instance, if you outsource your <a href="https://www.techtarget.com/searchitchannel/definition/managed-service-provider">IT help desk to an MSP</a>, those contractors can operate as highly-privileged superadministrators, and are often targeted by bad actors. But even seemingly inconsequential vendors can be an entryway for attackers if they have sufficient access to your network. 
In the infamous <a href="https://krebsonsecurity.com/2014/02/target-hackers-broke-in-via-hvac-company/">2014 Target hack</a>, credentials stolen from an HVAC company led to an attack that cost Target over <a href="https://slate.com/technology/2022/04/breached-excerpt-hartzog-solove-target.html">$200 million</a>.</p> <h3 id="employee-personal-computers">Employee personal computers</h3> <p>Some companies allow or require their employees to work on their own devices. The most obvious reason for this is budgetary (although <a href="https://www.wired.com/brandlab/2018/12/byod-whats-roi/">experts debate</a> whether BYOD actually saves money once you factor in all its associated costs).</p> <p>In other cases, BYOD may be a matter of employee preference or need. For instance, some developers come equipped with their own Linux laptops, and reject working on a standard-issue employee PC.</p> <p>In still other cases, employees may be allowed to work on a combination of their work-issued and personal devices. For example, an employee may typically work on their company-issued laptop, but use their personal machine if they&rsquo;re on vacation.</p> <p>Often, BYOD operates in a gray area between an actual policy and benign neglect. In one common situation, an employee has to use their work-issued device to log into their company&rsquo;s VPN and access certain resources. 
But other apps don&rsquo;t go through the VPN at all, so the employee can log in using their credentials on their personal computer.</p> <p>In our <a href="https://blog.1password.com/unmanaged-devices-run-rampant/">Shadow IT report</a>, we found that 47% of companies allow employees to access their company resources on unmanaged devices, and 43% of workers reported using their personal device because they preferred it to their company-issued one.</p> <img src='https://blog.1password.com/posts/2024/byod-policies/shadow_it_unmanaged_devices_stat-min.jpg' alt='A screenshot from Kolide&#39;s Shadow IT report showcasing that 47% of companies surveyed allow unmanaged devices to access their company resources.' title='A screenshot from Kolide&#39;s Shadow IT report showcasing that 47% of companies surveyed allow unmanaged devices to access their company resources.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>Regardless of the situation, the main question we should ask about this type of BYOD is: is it governed by an actual, enforceable policy, or is it merely tolerated?</p> <p>The answers here run the gamut. On one end of the spectrum, you&rsquo;ll find personal devices that are nonetheless enrolled in the company&rsquo;s MDM and subjected to much the same policies as a company-owned device. On the other end of the spectrum, you&rsquo;ll find employees working on devices that IT has no visibility or control over. 
In that case, BYOD is effectively shadow IT, and it presents some of the most serious risks to a company&rsquo;s security.</p> <h2 id="how-to-assess-byod-solutions">How to assess BYOD solutions</h2> <p>There are ways to maintain a BYOD policy while minimizing security risk, but any solution you consider needs to pass a very simple test: would this work in the real world?</p> <p>Much of the advice you&rsquo;ll find on BYOD security boils down to: &ldquo;Treat employee-owned devices exactly like company-owned devices.&rdquo; That means installing whatever MDM, VPN, and EDR tools you&rsquo;d use on your company-owned fleet, so IT can monitor and manage them. But it&rsquo;s not reasonable to expect employees to relinquish all control and privacy on the same devices where they keep their family photos and half-finished novels.</p> <p>There is also a slew of solutions that claim to enable BYOD by partitioning work tasks on a device, so there is minimal contact between those activities and the rest of the device, and users are prohibited from downloading or even screenshotting their work tasks. Those solutions include things like <a href="https://www.techtarget.com/searchvirtualdesktop/definition/virtual-desktop-infrastructure-VDI">virtual desktop infrastructure (VDI), web application isolation (WAI)</a>, or enterprise browsers. There are genuine use cases where those tools can be helpful, but their drawbacks – technical complexity, high costs, and negative employee experiences – often outweigh their benefits.</p> <p>We can&rsquo;t get into every permutation of security tool and BYOD use-case, but we can go in-depth on MDM, since it&rsquo;s the most commonly-suggested solution and illustrates the complexities at play.</p> <h2 id="can-you-use-mdm-for-byod">Can you use MDM for BYOD?</h2> <p>MDMs are to endpoint security what over-the-top guitar solos were to 80s rock music: so ubiquitous, they&rsquo;re almost synonymous. 
MDM solutions let IT do a lot of important things: force updates onto a device, set its default security settings, and remotely wipe it if it&rsquo;s lost or an employee leaves the company.</p> <p>However, MDM is <a href="https://blog.1password.com/pros-and-cons-of-mdms/">not well-suited, or even possible</a>, for many BYOD scenarios.</p> <h3 id="mobile-devices-yes">Mobile devices: yes</h3> <p>Until a few years ago, asking employees to install MDM on their personal phones was a dicey proposition, partly due to <a href="https://www.newsweek.com/google-digital-dystopia-wipe-phone-rebecca-rivers-ice-1473747">stories of employers wiping</a> all the data from an employee&rsquo;s device in a careless or retaliatory manner.</p> <p>But these days, both iOS and Android offer less invasive ways to segregate work and personal applications, so the MDM cannot view or erase personal data.</p> <p>For iOS, this type of management comes in the form of Apple User Enrollment and managed Apple IDs, while Android offers work profiles that clearly delineate work from personal apps and data. (For a detailed guide to each, check out <a href="https://www.techtarget.com/searchmobilecomputing/tip/Comparing-iPhone-vs-Android-privacy-for-employee-devices">TechTarget&rsquo;s excellent comparison piece.</a>)</p> <p>With these safeguards in place, it is reasonable to expect that if employees want to access company data on their phones, they need to enroll in MDM.</p> <p>Still, putting MDM on employee phones isn&rsquo;t widely practiced. A <a href="https://image-us.samsung.com/SamsungUS/samsungbusiness/short-form/maximizing-mobile-value-2022/Maximizing_Mobile_Value_2022-Final.pdf">2022 study</a> from Samsung found that, &ldquo;&hellip;93% of companies which provide mobile devices to employees have an MDM solution in place. 
For BYOD companies, this falls to just 40%, leaving smartphones and corporate data unmanaged…&rdquo; Employees may still <em>perceive</em> MDM as invasive, and the <a href="https://www.wakeforestlawreview.com/2021/03/is-workplace-privacy-dead-the-effects-of-bring-your-own-device-policies-on-employee-privacy/">legal consensus seems to be</a> that companies cannot force management tools on personal devices.</p> <p>In the event that an employee rejects this measure, you will need to either purchase them a separate, managed mobile device, or prohibit them from doing work on their personal phone. (And that might be a blessing in disguise, since the world would keep turning if we all checked Slack a little less.)</p> <h3 id="contractor-devices-no">Contractor devices: no</h3> <p>We can cover this one quickly: there are very few situations in which you have the right to install MDMs and similar management tools on the computers of people who are not your employees.</p> <p>For one thing, a contractor may already be enrolled in MDM via their actual employer, and it&rsquo;s not possible to be enrolled in multiple MDMs simultaneously. But even if it were possible, contractors have much less incentive than employees to accept the loss of agency and privacy that comes with MDMs.</p> <p><em>However</em>, given that contractor devices can introduce significant risk, it&rsquo;s clear that companies need some way of enforcing baseline security policies on them. It&rsquo;s just that a successful approach must take a lighter touch than MDMs, which rely on forced restarts and grayed-out System Settings options. 
(Don&rsquo;t worry, we&rsquo;ll get into what lighter device management entails in a moment.)</p> <h3 id="employee-personal-computers-mixed-bag">Employee personal computers: mixed bag</h3> <p>Rolling out MDM on your employees' personal computers can go a number of different ways, ranging from painless, to disruptive, to simply impossible.</p> <p>In the best case scenario, end users have a strong, trusting relationship with leadership and IT, no reason to suspect that an MDM will be used against them, and they use the device in question primarily for work. Think of a video editor who joins the company with a specialized workhorse of a PC; this person doesn&rsquo;t expect the company to buy them a new desktop, and is basically comfortable with their existing computer being treated like any other member of the fleet.</p> <p>On the other hand, if you suddenly require MDM for workers who were used to an unmanaged BYOD policy, you may incite a backlash. This is especially likely if you fail to adequately communicate to end users about how MDM will impact their privacy, or if you implement it in a heavy-handed way. In a 2014 article for CIO.com, <a href="https://www.cio.com/article/288367/mobile-device-management-attack-of-the-byod-killing-mdm-software.html">Tom Kaneshige bemoaned</a> &ldquo;companies taking advantage of advanced MDM capabilities, thus threatening to ruin the user experience.&rdquo; He warned that &ldquo;poor usability and privacy violations can derail the BYOD movement.&rdquo;</p> <p>Though MDMs have evolved in the subsequent decade to (at least theoretically) allow for a more surgical and less invasive user experience, in practice, end users rarely respond well to their freedoms being taken away. 
Imagine a developer, for instance, who needs to occasionally turn off their firewall in order to run tests, but now finds that option grayed out by the MDM&rsquo;s settings.</p> <p>Finally, making MDM a part of your BYOD policy may not be possible, for two reasons. In the first case, as we&rsquo;ve written before, <a href="https://blog.1password.com/no-mdm-for-linux/">there is no such thing as MDM for Linux</a> operating systems. So those machines – which typically make up a tiny but highly-privileged fraction of your fleet – are automatically out of consideration.</p> <p>But moreover, requiring MDM on personal devices is impossible if you have no way to enforce that requirement, and many companies don&rsquo;t. (As we discussed earlier, 47% let users authenticate on any device as long as they have the right credentials.)</p> <p>To make MDM a true <em>requirement</em>, you must be able to block devices from accessing company resources unless the MDM is present.</p> <h2 id="how-to-manage-byod-risks">How to manage BYOD risks</h2> <p>Whether you love or hate BYOD, at this point it&rsquo;s so firmly entrenched in our work lives that it feels permanent. Some form of it – whether through mobile phones, contractor devices, or employee work stations – tends to creep into all but the most security-obsessed organizations.</p> <blockquote> <p>In designing BYOD policies, organizations have both the right and obligation to secure their data by ensuring that every device meets minimal security standards. However, end users also have the right to reject unreasonable intrusions on the devices they bought and paid for.</p> </blockquote> <p>So how to reconcile these two truths? In some cases, as we&rsquo;ve shown, MDM solutions work well at striking this balance. But in situations where MDM is either unfeasible or impossible, companies need a lighter form of management. 
And in either case, BYOD policies must have an enforcement mechanism that ensures that only known and trusted users and devices are able to authenticate into systems.</p> <p>While there are multiple ways to achieve these goals, let&rsquo;s focus on the one we&rsquo;re most excited about at 1Password: <a href="https://1password.com/product/xam">Extended Access Management</a>.</p> <h2 id="device-trust-and-byod">Device trust and BYOD</h2> <p><a href="https://blog.1password.com/introducing-extended-access-management/">1Password Extended Access Management</a> provides solutions that work to extend security onto devices and applications that fall outside the reach of traditional security tools, like MDM. 1Password Extended Access Management achieves this, in part, by combining an enterprise password manager (EPM) and device trust solution.</p> <p>With 1Password Extended Access Management, our EPM encourages employees to use strong and unique passwords to access company systems, and securely stores them. Since so many employees keep company passwords on their phones, keeping those passwords secure is a vital BYOD security measure.</p> <p>But even more importantly, 1Password Extended Access Management uses device trust. <a href="https://blog.1password.com/what-is-device-trust/">Device trust</a> is a subset of Zero Trust security, and it requires that any device trying to access company resources meet the following criteria:</p> <ol> <li> <p>A device must be known (its identity must be recognized based on more than user credentials)</p> </li> <li> <p>A device must be in a secure state, and prevented from accessing company resources unless it meets security requirements</p> </li> </ol> <p>Device trust solutions like 1Password Extended Access Management&rsquo;s allow organizations to enforce BYOD policies with minimal impact on user experience and privacy.</p> <p>This approach works well in situations where MDM would be unpopular or impossible. 
That&rsquo;s because, unlike MDM, 1Password Extended Access Management has no ability to remotely wipe a user&rsquo;s device or forcibly install updates, so users maintain agency over their devices. However, it still prevents a device from authenticating to the organization&rsquo;s apps unless it&rsquo;s secure.</p> <p>The crucial difference between 1Password Extended Access Management and MDM is that our device trust agent shows users how to fix these problems themselves, instead of trying to do it for them. That way, the developer who needs to turn off their firewall for an hour can do so, then simply turn it back on when it&rsquo;s time to authenticate.</p> <img src='https://blog.1password.com/posts/2024/byod-policies/kolide_blocking_notification-min.png' alt='A screenshot showing Kolide&#39;s blocking screen for macOS updates and macOS firewall checks failing.' title='A screenshot showing Kolide&#39;s blocking screen for macOS updates and macOS firewall checks failing.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>1Password Extended Access Management also works well in situations where MDM <em>is</em> required, since admins can design a policy that only allows devices enrolled in MDM to authenticate.</p> <p>You could write a similar policy that checks for the presence of EDR tools like CrowdStrike, or virtually any other requirement – our osquery-based agent can run checks based on hundreds of device properties. Plus, 1Password Extended Access Management is platform-agnostic, so you can use a single solution to manage all your devices: macOS, Windows, iOS, Android, and even Linux.</p> <h2 id="closing-thoughts">Closing thoughts</h2> <p>In the aftermath of Deflategate, the NFL implemented its own device trust solution. 
The <a href="https://operations.nfl.com/updates/the-game/preparing-the-footballs-for-nfl-games/">current rules for ball preparation</a> require both teams &ldquo;to bring 24 footballs (12 primary and 12 back-up) to the Officials' Locker Room for inspection.&rdquo;</p> <p>In the end, it might have been simpler for football to avoid BYOD altogether, but it&rsquo;s difficult to claw back a policy that end users enjoy. So whether you&rsquo;re trying to open up your organization to BYOD, or lock it down, start with end users in mind. Anticipate how your BYOD approach will impact users – if it&rsquo;s too onerous or too laissez-faire they will find ways to go around it. And that can really take the air out of your company&rsquo;s security.</p> <p>To learn more about how 1Password&rsquo;s approach to device trust protects both managed and unmanaged devices, <a href="https://1password.com/contact-sales/xam">request a demo</a>!</p></description></item><item><title>Unmanaged devices run rampant in 47% of companies</title><link>https://blog.1password.com/unmanaged-devices-run-rampant/</link><pubDate>Fri, 26 Jul 2024 00:00:00 +0000</pubDate><author>info@1password.com (Elaine Atwell)</author><guid>https://blog.1password.com/unmanaged-devices-run-rampant/</guid><description> <img src='https://blog.1password.com/posts/2024/unmanaged-devices-run-rampant/header.png' class='webfeedsFeaturedVisual' alt='Unmanaged devices run rampant in 47% of companies' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Tl;dr: <a href="https://blog.1password.com/files/unmanaged-devices-run-rampant/the_shadowIT_report.pdf">The Shadow IT report</a>, conducted in late 2023, shows that 47% of companies allow employees to access their resources on unmanaged devices, authenticating via credentials alone.</p> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div class="c-technical-aside-box__description"> <p>Some context about this 
blog: This article pulls heavily from a <a href="https://blog.1password.com/files/unmanaged-devices-run-rampant/the_shadowIT_report.pdf">Shadow IT Report</a>, which was originally conducted by Kolide, and as such, uses Kolide&rsquo;s name and branding. Now that the team at Kolide has happily <a href="https://blog.1password.com/1password-acquires-kolide/">joined our team at 1Password</a>, we wanted to share the insights and information from this survey with our audience. Rather than edit the report after the fact, we&rsquo;ve left it as-is, in order to preserve the integrity of the information as it was originally gathered.</p> </div> </aside> <p>Corporate cybersecurity is at something of a turning point. Companies are very concerned about hacks and data breaches, and are <a href="https://securityintelligence.com/articles/it-budget-cuts-cant-touch-cybersecurity/">throwing resources at their security teams</a>.</p> <p>In particular, companies are investing in <a href="https://www.cisa.gov/zero-trust-maturity-model">Zero Trust</a>, a security framework that restricts access to sensitive resources based on a user&rsquo;s identity and security posture. According to Okta&rsquo;s 2023 <a href="https://www.okta.com/resources/whitepaper-the-state-of-zero-trust-security-2023/thankyou/">State of Zero Trust</a> report, 61% of organizations globally have a defined Zero Trust initiative in place. That&rsquo;s up from the 16% who were launching initiatives in 2019.</p> <p>So, what exactly is driving this urgency? The answer lies in employee devices, human psychology, and of course, a global pandemic.</p> <h2 id="the-origins-of-the-unmanaged-device-problem">The origins of the unmanaged device problem</h2> <p>Let&rsquo;s say you&rsquo;re an engineer. Before COVID, you went to work in an office, and you used the laptop the company assigned to you–the one equipped with management software that ensured your OS was up-to-date and your firewall stayed on. 
If you&rsquo;d brought your personal, unmanaged laptop into work, that would have felt like a deliberate breach of the rules.</p> <p>Then COVID happened. Fast-forward to 2023, and you&rsquo;re working from home, where you can keep your personal laptop right there on the desk next to your corporate computer. One day, there&rsquo;s a data visualization app you want to try out, but you can&rsquo;t do it on your managed device, so you just switch to the personal one. It&rsquo;s right there! Then you need to feed the app some real data from your company, so you email or airdrop it to yourself. (You promise yourself to delete it later.)</p> <p>Suddenly you realize that you can log into most of your company apps on your (cooler, faster) personal laptop. And since you&rsquo;re not getting any angry emails from IT, you figure it must be okay. Soon, what started as a one-time bending of the rules becomes a full-time habit.</p> <p>Meanwhile, more and more SaaS apps are accessible outside your company&rsquo;s VPN (assuming it has one). You&rsquo;re a responsible engineer, so you wouldn&rsquo;t install the corporate VPN on your personal device; that would clearly be a rule violation. But if you just happen to forget which device you&rsquo;re using, and you log into a SaaS app like you normally do, that doesn&rsquo;t feel like deliberate malfeasance. Plus, you&rsquo;re allowed to log in on your personal phone anyway, so what&rsquo;s the problem?</p> <p>These choices feel harmless on an individual level, but they have played out in countless home offices across the world. 
And so now we have a problem where one previously did not exist: the proliferation of unmanaged devices accessing sensitive resources.</p> <p>Our research shows that, despite investing in security tools that promise total visibility, 47% of companies still permit access to unmanaged devices outside the reach of those tools.</p> <img src='https://blog.1password.com/posts/2024/unmanaged-devices-run-rampant/managed-devices-question.jpg' alt='A screenshot from the shadow IT report.' title='A screenshot from the shadow IT report.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>This single data point should be extremely alarming to anyone interested in security, since unmanaged and personal devices introduce a host of security concerns:</p> <ul> <li> <p>Attackers can use their own devices to impersonate employees using phished credentials.</p> </li> <li> <p>Unmanaged devices can be compromised by malware—that&rsquo;s what happened in the recent <a href="https://www.bleepingcomputer.com/news/security/cisa-warns-of-actively-exploited-plex-bug-after-lastpass-breach/">LastPass data breach</a>.</p> </li> <li> <p>Employees on unmanaged devices can use unapproved tools that would be detected and blocked on a managed device–for example, AI-powered browser extensions that siphon up sensitive data.</p> </li> </ul> <p>All these vulnerabilities fall under the umbrella term of shadow IT: hardware and software that is not visible to or capable of being managed by an organization.</p> <p>Let&rsquo;s make it clear: Unmanaged devices are shadow IT, and shadow IT is incompatible with a successful Zero Trust architecture.</p> <p>Google&rsquo;s famous BeyondCorp initiative—widely credited with kickstarting Zero Trust security—<a href="https://storage.googleapis.com/pub-tools-public-publication-data/pdf/43231.pdf">plainly states</a> that &ldquo;only managed devices can access corporate applications.&rdquo; Yet this research reveals that unmanaged and 
potentially unsecure devices access sensitive resources on a massive scale.</p> <h2 id="what-are-unmanaged-devices">What are unmanaged devices?</h2> <p>First, let&rsquo;s establish what an &ldquo;unmanaged&rdquo; device is. <a href="https://csrc.nist.gov/glossary/term/unmanaged_device#:~:text=Definitions%3A,to%20a%20person%20to%20administer.">NIST defines</a> the term as: &ldquo;A device inside the assessment boundary that is either unauthorized or, if authorized, not assigned to a person to administer.&rdquo; In simpler terms, an unmanaged device is not subject to centralized control from an IT or security team.</p> <p>Managed devices, by contrast, are equipped with software — <a href="https://blog.1password.com/pros-and-cons-of-mdms/">typically a mobile device management (MDM) solution</a> — that allows administrators to dictate what a user can do, mandate what software can and can&rsquo;t be installed, and remotely wipe devices.</p> <p>So why are unmanaged devices able to access company resources? 
There are a few general situations in which admins either allow this type of access or are unable to stop it:</p> <ul> <li> <p>Employees working on their personal computers used as part of a BYOD policy</p> </li> <li> <p>Employees accessing company applications–often email, Slack, and other messaging tools–on their personal mobile devices</p> </li> <li> <p>Devices outside the scope of existing management solutions, such as <a href="https://blog.1password.com/no-mdm-for-linux/">Linux endpoints, which are incompatible with MDMs</a></p> </li> <li> <p>Third-party contractors and vendors not subject to centralized management</p> </li> <li> <p>Unknown devices, which could be an employee logging in on a friend&rsquo;s computer or in a public library, or a threat actor logging in with stolen employee credentials</p> </li> </ul> <aside class="c-technical-aside-box c-technical-aside-box--background" aria-labelledby="unmanaged-vs-personal-devices"> <h2 class="c-technical-aside-box__title" id="unmanaged-vs-personal-devices"> Unmanaged vs Personal Devices </h2> <div class="c-technical-aside-box__description"> <p>In our survey, we mostly asked respondents about &ldquo;personal devices,&rdquo; since some non-technical users weren&rsquo;t familiar with the term &ldquo;managed devices.&rdquo; Many people use these terms interchangeably, but while there&rsquo;s a lot of overlap in the unmanaged/personal Venn diagram, some companies do install management software on their employees' personal devices. For instance, a graphic designer may work on their own, purpose-built PC, but still consent to installing MDM when they join a company. 
In general, though, companies do not exert the same level of control over devices they do not own.</p> </div> </aside> <p>Security-minded organizations try to minimize the risks of unmanaged devices by assigning company-issued laptops to employees instead of going the BYOD route and by implementing MFA to make it harder for attackers to log in on unknown devices.</p> <p>Despite that, unmanaged devices creep in, whether through Linux users, contractors, mobile devices, or executives who opt out of centralized management. That last problem is more prevalent than you might assume. Our data shows that the higher you go in the org chart, the more likely you are to find people working on their personal devices.</p> <img src='https://blog.1password.com/posts/2024/unmanaged-devices-run-rampant/personal-devices-question.jpg' alt='A screenshot from the shadow IT report.' title='A screenshot from the shadow IT report.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>In fact, one consistent thread in this research was that executives and security practitioners engage in some of the riskiest behaviors of everyone we surveyed.</p> <h2 id="the-security-risks-of-unmanaged-devices">The security risks of unmanaged devices</h2> <p>When we asked what types of work people were doing on their personal devices, the most common answers were &ldquo;email&rdquo; and &ldquo;collaboration tools.&rdquo; That&rsquo;s not surprising, since those are the applications most likely to be on mobile devices, and companies are understandably reluctant to install invasive security software on their workers' personal phones.</p> <p>That being said, it&rsquo;s a mistake to assume that these applications are &ldquo;low-risk&rdquo; just because the behavior is commonplace. 
There&rsquo;s plenty of sensitive information in email and Slack, and they can give an attacker a foothold into a network.</p> <img src='https://blog.1password.com/posts/2024/unmanaged-devices-run-rampant/work-tasks-question.jpg' alt='A screenshot from the shadow IT report.' title='A screenshot from the shadow IT report.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>But employees aren&rsquo;t just checking their email on their cell phones; they&rsquo;re doing real work on real computers.</p> <p>That becomes clear when we separate this data by role. 49% of developers report doing software development on personal devices, and 35% of security professionals use personal devices to manage cloud infrastructure. It&rsquo;s safe to assume that this type of work isn&rsquo;t happening on phones.</p> <p>To quote the report:</p> <blockquote> <p>&ldquo;This is where security risks start to skyrocket. A bad actor can use a security flaw in an unmanaged device to break into the production environment, as in the LastPass breach. Even a simple smash-and-grab of a laptop can turn into a nightmare if that laptop is full of PII, and IT has no way to remotely wipe it.&rdquo;</p> </blockquote> <p>Lest we forget, a compromised device has a wealth of information right on its hard drive. We already know from our <a href="https://lp.kolide.co/hubfs/Content/Dimensional_Research_Report_Kolide.pdf?">Sensitive Data report</a> that employees download sensitive data onto their devices at 83% of companies, and only 38% have a policy prohibiting employees from storing plain-text access credentials on their devices.</p> <h2 id="why-employees-use-personal-devices">Why employees use personal devices</h2> <p>We&rsquo;ve established that unmanaged devices are inherently risky, so we wanted to understand why workers chose to use their non-company-issued devices anyway. 
The answers ran the gamut, but three of the top six reasons related to avoiding security requirements. (That&rsquo;s another data point that shows the overlap between personal and unmanaged devices, since getting around security wouldn&rsquo;t be possible on a managed device.)</p> <img src='https://blog.1password.com/posts/2024/unmanaged-devices-run-rampant/why-question.jpg' alt='A screenshot from the shadow IT report.' title='A screenshot from the shadow IT report.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>Ironically, security professionals were the most likely to report that they used their own devices to get around security. 28% said that &ldquo;Getting through all the work-related security requirements (usernames/passwords, VPN, etc.) is frustrating,&rdquo; compared to just 15% of respondents in IT and 21% in business roles.</p> <p>(Also, in a fun fact that didn&rsquo;t make the final report, 38% of executives reported that they forgot their device in the office, compared to 28% of managers and just 15% of frontline employees.)</p> <h2 id="download-the-shadow-it-report">Download the Shadow IT Report</h2> <p>All the data above comes from Kolide&rsquo;s Shadow IT Report.</p> <p>This report examines several facets of the shadow IT problem, as well as the cultural conditions that allow it to flourish. Our findings reveal that executives, security teams, and frontline workers suffer from a lack of communication and transparency, and often make incorrect assumptions about each other&rsquo;s behavior.</p> <p>To read the full report, <a href="https://blog.1password.com/files/unmanaged-devices-run-rampant/the_shadowIT_report.pdf">click here</a>.</p> <h2 id="about-1password-extended-access-management">About 1Password Extended Access Management</h2> <p>As you&rsquo;ve probably guessed, we didn&rsquo;t create this report just because shadow IT is an interesting topic. 
It&rsquo;s also a problem we&rsquo;re actively trying to solve.</p> <p>1Password <a href="https://1password.com/product/xam">Extended Access Management</a> comes built with our <a href="https://1password.com/product/enterprise-password-manager">Enterprise Password Manager</a> (EPM), along with our device trust solution. That allows it to stop unmanaged and unsecure devices from accessing your company&rsquo;s cloud apps. Our device trust offering fixes many of the shortcomings with existing device authentication solutions.</p> <ul> <li> <p>It works on Linux (and Windows and Macs and Android and iOS).</p> </li> <li> <p>It doesn&rsquo;t create the kinds of productivity disruptions (like forced restarts) that lead executives to opt out of device management.</p> </li> <li> <p>It provides a lightweight, non-intrusive form of management that end-users are comfortable putting on their mobile devices and third-party contractors are willing to install on their computers. Unlike MDM, 1Password Extended Access Management can&rsquo;t remotely wipe a device, and we have a privacy center for users that explicitly lists all the data we collect and who can see it.</p> </li> </ul> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div class="c-technical-aside-box__description"> <p>Disclaimer: one more disclaimer before we go – the original PDF of this report makes reference to Kolide, but all of Kolide&rsquo;s Device Trust principles are present in 1Password Extended Access Management, where they&rsquo;re backed by even more new and improved features, as well as the support of a world-class EPM.</p> </div> </aside> <p>To learn more about 1Password Extended Access Management, keep exploring the website or <a href="https://1password.com/contact-sales/xam">reach out for a demo</a>!</p></description></item><item><title>1Password is ISO 27001 certified — and more</title><link>https://blog.1password.com/1password-iso-27001-certified/</link><pubDate>Thu, 25 Jul 2024 
00:00:00 +0000</pubDate><author>info@1password.com (Megan Barker)</author><guid>https://blog.1password.com/1password-iso-27001-certified/</guid><description> <img src='https://blog.1password.com/posts/2024/1password-iso-27001-certified/header.png' class='webfeedsFeaturedVisual' alt='1Password is ISO 27001 certified — and more' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">We’re incredibly proud to announce that 1Password has achieved ISO 27001, 27017, 27018, and 27701 certifications.</p> <p>While the building blocks for ISO certifications have been embedded in 1Password DNA for years, we’ll share the reason we pursued them now, what the certifications mean for us, and most importantly, what they mean for you and your organization.</p> <h2 id="what-are-isoiec-certifications">What are ISO/IEC certifications?</h2> <p>The International Organization for Standardization (ISO) is a non-governmental organization that develops international standards for establishing, implementing, and maintaining services, systems, and processes.</p> <p><a href="https://www.iso.org/standard/27001">ISO/IEC 27001:2022</a> is the <strong>world’s</strong> most recognized standard for information security management systems, and defines requirements for certification. 
Certified organizations – like 1Password – have proven they have designed controls that follow ISO best practices and principles, and can manage risks related to the security and privacy of information entrusted to them.</p> <p>There are additional ISO standards and extensions to ISO 27001 that, when achieved, further reinforce a company’s ability to adhere to strict information security and privacy standards:</p> <ul> <li> <p><a href="https://www.iso.org/standard/43757.html">ISO/IEC 27017:2015</a> provides information security controls and implementation guidance for both cloud service providers and cloud service customers.</p> </li> <li> <p><a href="https://www.iso.org/standard/76559.html">ISO/IEC 27018:2019</a> outlines controls related to protecting Personally Identifiable Information (PII) in those public cloud computing environments.</p> </li> <li> <p><a href="https://www.iso.org/standard/71670.html">ISO/IEC 27701:2019</a> specifies requirements and provides guidance for establishing, implementing, maintaining, and continually improving a Privacy Information Management System (PIMS).</p> </li> </ul> <p>1Password has been certified to each one. And these certifications speak volumes. They confirm <em><strong>1Password meets the highest international standards for information security and privacy.</strong></em> Today 1Password is the only enterprise password manager that has achieved ISO 27001, 27017, 27018, and 27701.</p> <h2 id="why-iso-27001-and-why-now">Why ISO 27001 and why now?</h2> <p>ISO sets <em>the</em> international standards for information security management, cloud security, and privacy. ISO 27001, specifically, is requested by prospective customers every single day. 
Many companies actually <em>require</em> their password manager to be ISO 27001 certified for compliance purposes.</p> <p>1Password has been a trusted security, privacy, and compliance partner of the international business community for a long time, and we’re grateful for their loyalty. But it became clear ISO certification is something our community relies on, something it values.</p> <p>As more customers, prospects, and partners asked us to pursue certification, we decided to listen. And so we embarked on the path to ISO 27001, 27017, 27018, and 27701 – toward the <em>best</em> version of 1Password.</p> <h2 id="what-iso-27001-certification-means-for-1password">What ISO 27001 certification means for 1Password</h2> <p>Secure by design and private by default, 1Password has a long history of meeting and exceeding your expectations and the standards set by various authorities. Our secure policies and practices have allowed us to obtain unqualified opinions during our <a href="https://blog.1password.com/a-1password-journey-through-soc2/">SOC 2 Type 2 evaluations</a> since 2018, indicating that our controls related to security and availability are designed and operating effectively. But this ISO certification journey gave us another reason to come together again to analyze 1Password at a holistic level.</p> <p>Our path to certification involved numerous internal stakeholders – executive leadership, management, and subject matter experts from across the organization – who worked in tandem with third-party auditors to review our compliance with ISO-specific standards.</p> <p>The review included an audit of our information security and privacy policies and processes. It further confirmed that 1Password is well positioned to protect against malicious activity by quickly and accurately detecting and addressing that activity. 
Overall, the audit confirmed that we’re clearly and consistently documenting and executing the best practices we established many years ago.</p> <p>This certification is the result of many months of hard work by individuals and teams across our organization, demonstrating an intense dedication to the ISO standards and everything the certification represents for 1Password. That is to say, certification to ISO 27001, 27017, 27018, and 27701 means a great deal <em><strong>to</strong></em> 1Password, as well.</p> <h2 id="what-iso-27001-certification-means-for-your-organization">What ISO 27001 certification means for your organization</h2> <p>Our certifications mean you can continue (or <a href="https://1password.com/enterprise">start!</a>) using 1Password knowing you’ll meet compliance requirements with an ISO-certified password manager and access management solution. And they say so much more.</p> <p>The 1Password ISO certification is a sign of organizational and security maturity, and serves as evidence that we take the safety and privacy of your data incredibly seriously. It illustrates our ability to protect your company’s most valuable information.</p> <p>1Password has always promised a security-first approach and the addition of these ISO certifications to our third-party assurance portfolio means it’s more than just a promise. An independent third-party auditor has observed our practices, policies, and processes and certified they’re up to or beyond industry standards. Whether it’s access control, confidentiality of information, or employee training, we have it covered.</p> <p>Finally, our certifications represent our commitment to you and your business. 
It’s our investment in continuous improvement so we <em>remain</em> ISO certified and continue to demonstrate that your highest level of trust is well placed in 1Password.</p> <p>And regardless of your geographic location and compliance requirements, that peace of mind is priceless.</p></description></item><item><title>What is device trust?</title><link>https://blog.1password.com/what-is-device-trust/</link><pubDate>Thu, 25 Jul 2024 00:00:00 +0000</pubDate><author>info@1password.com (Elaine Atwell)</author><guid>https://blog.1password.com/what-is-device-trust/</guid><description> <img src='https://blog.1password.com/posts/2024/what-is-device-trust/header.png' class='webfeedsFeaturedVisual' alt='What is device trust?' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">The first known security incident involving a compromised device occurred during the Bronze Age, in present-day Turkey.</p> <p>In that case, the Trojan guards were good men, not malicious bad actors. But they made a fatal mistake when they failed to inspect the large, horse-shaped device they dragged inside the city gates.</p> <img src='https://blog.1password.com/posts/2024/what-is-device-trust/trojan-horse.jpg' alt='A drawing of a classic trojan horse.' title='A drawing of a classic trojan horse.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>You&rsquo;d think that after 3000 years, we would&rsquo;ve learned. And yet today, compromised devices are one of the greatest threats to cybersecurity. Employees routinely log into their work accounts with <a href="https://thehackernews.com/2023/03/lastpass-hack-engineers-failure-to.html">malware-infected devices</a>. 
Even more commonly, bad actors use their own devices to access sensitive data, with the help of stolen employee credentials.</p> <p>These debilitating hacks and data breaches are driving up cybersecurity insurance premiums and driving interest in potential solutions to secure end user devices. One such class of solutions is device trust.</p> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div class="c-technical-aside-box__description"> <p>Device trust can also be called device health, device posture, device context, or device assurance. But &ldquo;trust&rdquo; is particularly useful because it indicates the idea&rsquo;s relationship to the larger framework of Zero Trust.</p> </div> </aside> <h2 id="what-does-device-trust-mean">What does device trust mean?</h2> <p>Device trust is the idea that a user&rsquo;s device must be secure before accessing an organization&rsquo;s sensitive resources (such as networks, cloud apps, and data). In this context, &ldquo;users&rdquo; generally means an organization&rsquo;s employees, contractors, or vendors, and &ldquo;devices&rdquo; refers to the endpoints they use for work: laptops, desktops, and mobile devices. We&rsquo;ll go into the finer details of what makes a device trustworthy in a bit, but for now, let&rsquo;s boil it down to two points.</p> <h3 id="1-a-device-must-be-known">1. <strong>A device must be known</strong></h3> <p>You can&rsquo;t let just any device access sensitive resources, even if its user has valid credentials. 
Stolen and phished employee credentials are responsible for <a href="https://blog.1password.com/verizon-data-breach-report-2024-analysis/">huge numbers of hacks</a> each year, so you need a more reliable way than passwords to associate a device with a specific user.</p> <p>Making sure devices are known isn&rsquo;t too difficult if you only allow access via managed devices – generally, those that are enrolled in the company&rsquo;s mobile device management solution (MDM).</p> <p>But many organizations also <a href="https://www.kolide.com/blog/unmanaged-devices-run-rampant-in-47-of-companies">permit some degree of access</a> on personal devices. Some companies have BYOD policies, others let third-party contractors use their own devices, some have <a href="https://blog.1password.com/no-mdm-for-linux/">Linux users outside the scope of MDM</a>, and many have exceptions for workers using their personal mobile devices. In all these cases, management via MDM is either not technically possible or is considered too invasive.</p> <p><strong>Device trust solutions need to verify a device&rsquo;s identity, even for unmanaged devices.</strong></p> <h3 id="2-a-device-must-be-in-a-secure-state">2. <strong>A device must be in a secure state</strong></h3> <p>Once you&rsquo;ve established that a device is known, the other half of the battle is ensuring that it meets an organization&rsquo;s security requirements. 
These requirements include things like:</p> <ul> <li> <p>Operating system is up-to-date</p> </li> <li> <p>OS security controls (such as disk encryption, firewall, screenlock, and remote access) are configured correctly</p> </li> <li> <p>Additional security agents (such as antivirus) are <a href="https://www.kolide.com/blog/how-to-tell-if-crowdstrike-falcon-sensor-is-running">installed and functional</a></p> </li> <li> <p>No malicious or prohibited software is installed</p> </li> </ul> <p>If a device is determined to be insecure, it must be blocked from accessing sensitive resources. That&rsquo;s why many device trust solutions are linked to user authentication; it&rsquo;s the natural moment to allow or deny access.</p> <p><strong>Device trust solutions need to detect whether a device is in a secure state and restrict access to resources based on the device&rsquo;s security posture.</strong></p> <h3 id="device-trust-vs-zero-trust">Device trust vs zero trust</h3> <p>Many of the theorists who originally helped <a href="https://www.kolide.com/blog/the-history-evolution-and-controversies-of-zero-trust">define the term &ldquo;Zero Trust&rdquo;</a> thought that secure devices were an integral part of the paradigm. If their advice had been taken more seriously, we wouldn&rsquo;t need to talk about device trust as a separate category or even sub-category of Zero Trust. But when Zero Trust architecture (ZTA) gained popularity in recent years, most companies focused on verifying user identity and practicing role-based access control (RBAC), and devices were left out of the conversation.</p> <p>Why did that happen? One reason is that device health is hard to define and even harder to enforce.</p> <h2 id="challenges-of-device-trust">Challenges of device trust</h2> <p>Establishing device health is considerably more complex than verifying a user&rsquo;s identity. In the latter case, the question is basically a binary: either someone is who they claim to be or they are not. 
(It gets trickier when we think about what resources they should be permitted to access based on their identity, but that&rsquo;s the realm of authorization, not authentication.)</p> <p>By contrast, to decide that a device is &ldquo;healthy,&rdquo; we have to look at a range of factors. And there&rsquo;s no universally agreed-upon set of properties to determine device trust – some companies will consider you compliant if you&rsquo;ve got the latest OS installed and firewall on, while others put every part of a device under the microscope.</p> <p>On a political level, some companies struggle to implement device trust policies because it doesn&rsquo;t neatly belong to either the IT or security team. It touches on device management (IT&rsquo;s domain) but also reflects the security team&rsquo;s access policies for the organization.</p> <p>Another thing that differentiates device trust from traditional identity and access management (IAM) is that it requires constant updates to reflect threats that arise internally (ex: a laptop hasn&rsquo;t been restarted in weeks) and externally (ex: a critical security patch needs to be installed). While a person&rsquo;s identity is (more or less) stable, a device can go from compliant to noncompliant multiple times per week.</p> <p>To quote <a href="https://www.twingate.com/blog/device-trust-in-a-zero-trust-world">Twingate&rsquo;s blog</a>:</p> <blockquote> <p>&ldquo;Device state changes constantly. To name just a few examples, a new OS security patch may be made available, a user may connect to an unsecured network, or a device may move to a new geography. 
Any of these events are triggers to re-evaluate device trust.&rdquo;</p> </blockquote> <h2 id="what-are-device-trust-solutions">What are device trust solutions?</h2> <p>For a solution to qualify as &ldquo;device trust,&rdquo; it&rsquo;s not enough to simply detect problems: a solution must have some mechanism for restricting access to devices that don&rsquo;t meet the organization&rsquo;s security standards. By that definition, device trust solutions can operate as either standalone products or as part of holistic security solutions.</p> <p>Some IAM vendors check device properties in addition to handling user authentication. For instance, Okta has <a href="https://help.okta.com/en-us/Content/Topics/device-trust/device-trust-landing.htm">Okta Device Trust</a>, a suite of client-based and SAML-based solutions for managed devices, and they also offer <a href="https://www.okta.com/blog/2022/09/secure-access-from-unmanaged-devices-with-okta-device-assurance/">&ldquo;device assurance&rdquo;</a> as part of their Okta Verify product for unmanaged (or lightly managed) devices. However, these features offer limited telemetry, and are only available when bundled with other feature sets.</p> <p>Other companies make device trust more of a core pillar of their solutions. 1Password, for instance, recently entered the device trust space with <a href="https://1password.com/product/xam">1Password Extended Access Management</a>. 
Our example can be useful in defining device trust.</p> <p>1Password Extended Access Management has the ability to detect problems on employee devices by looking at hundreds of device properties, like whether the OS is updated, or whether certain <a href="https://blog.1password.com/two-checks-chatgpt-macos-app/">unauthorized apps are installed</a>.</p> <p>However, none of that would be enough to qualify it as a &ldquo;device trust&rdquo; solution, if we didn&rsquo;t also have an enforcement mechanism: stopping users from authenticating via SSO unless the device is secure.</p> <img src='https://blog.1password.com/posts/2024/what-is-device-trust/device-consequences.png' alt='A screenshot of device trust consequences.' title='A screenshot of device trust consequences.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>This enforcement mechanism also ensures that only known devices can authenticate, because the 1Password Extended Access Management agent acts as an additional authentication factor.</p> <p>What that means is that an unknown device, or a device without the agent installed, will not be able to authenticate – even if it has a user&rsquo;s password, YubiKey, or fingerprint.</p> <h2 id="what-makes-a-device-healthy">What makes a device healthy?</h2> <p>As we&rsquo;ve said, there&rsquo;s no universal standard for device trust. Some device trust/device health solutions only look at a handful of properties, while others analyze device posture based on hundreds of factors.</p> <p>Let&rsquo;s start with the most widely agreed-upon issues, then work our way down to those that get less attention.</p> <h3 id="tier-1-updated-os">Tier 1: Updated OS</h3> <p>An up-to-date OS is considered table stakes for device trust since updates often contain <a href="https://www.macworld.com/article/1963573/macos-ventura-13-4-1-update-security-updates-kernel-webkit.html">critical security patches</a>. 
This isn&rsquo;t much of a technical challenge, since any device trust product can compare the device&rsquo;s state to a single, simple source of truth (Apple, Microsoft, etc.).</p> <p>OS updates are also a particularly potent use case for device trust solutions since organizations struggle to get them deployed via MDM. (We&rsquo;ve written about this in much more detail elsewhere, but basically: updates require users to restart their devices, which is disruptive and challenging to automate with 100% success.)</p> <h3 id="tier-2-baseline-device-security-settings">Tier 2: Baseline device security settings</h3> <p>Most device posture checks look for at least some of the following:</p> <ul> <li> <p>Firewall is on</p> </li> <li> <p>Screen lock is on</p> </li> <li> <p>Disk is encrypted</p> </li> <li> <p>Device has been restarted recently</p> </li> <li> <p>System Integrity Protection is configured correctly (for Macs)</p> </li> <li> <p>Remote access is turned off</p> </li> </ul> <p>These all relate to the device&rsquo;s settings and first-party software.</p> <h3 id="advanced-device-trust-properties">Advanced device trust properties</h3> <p>This is where we start to see real differentiation between device trust products. Many device trust solutions don&rsquo;t look at the following properties at all:</p> <ul> <li> <p>Browser is up-to-date</p> </li> <li> <p>Antivirus and malware blockers are running</p> </li> <li> <p>Device is enrolled in MDM</p> </li> <li> <p>Malicious browser extensions are blocked</p> </li> <li> <p>No unencrypted credentials (like SSH keys or MFA backup codes) are present</p> </li> <li> <p>No sensitive files are present</p> </li> <li> <p>Ubuntu Unattended Upgrades are on (for Linux)</p> </li> </ul> <p>These are not standardized properties where we can rely on a single source of first-party data. Getting visibility into this data requires a high degree of customizability and the ability to query not just the device, but individual applications. 
Looking for sensitive files on a hard drive, for example, means you have to know what files or file types you&rsquo;re looking for, and the answer will be different at every organization.</p> <h2 id="how-1password-does-device-trust">How 1Password does device trust</h2> <p>Since you&rsquo;re reading an article about device trust, and 1Password Extended Access Management includes a device trust product, we&rsquo;d be remiss if we didn&rsquo;t conclude by talking about ourselves a little.</p> <p>Specifically, let&rsquo;s touch on three things that form the core of our device trust solution.</p> <h3 id="1password-extended-access-management-monitors-a-huge-range-of-device-properties">1Password Extended Access Management monitors a huge range of device properties</h3> <p>1Password Extended Access Management looks at all the properties mentioned above, plus many more. We have a library of over 100 checks and we also offer IT and security teams the ability to write their own custom checks. That&rsquo;s a crucial feature since every organization has a unique tech stack and set of priorities.</p> <p>1Password Extended Access Management can provide a more granular look at devices than many other &ldquo;device health&rdquo; features thanks to our osquery-based agent, which can draw on various data sources, instead of just the settings you&rsquo;d find in System Preferences.</p> <h3 id="1password-extended-access-management-works-on-all-major-platforms">1Password Extended Access Management works on all major platforms</h3> <p>The vast majority of device trust solutions focus on a single platform, but – again, thanks to osquery&rsquo;s versatility – 1Password Extended Access Management works on macOS, Windows, and Linux. 
(We also have a non-osquery version of our product for iOS and Android devices.)</p> <h3 id="1password-extended-access-management-works-with-end-users">1Password Extended Access Management works with end users</h3> <p>As you might have guessed, any product that locks users out of their company&rsquo;s resources has the potential to be unpopular and disruptive. But at 1Password, we make it a point to give users maximal agency and transparency.</p> <p>We&rsquo;ve established that all device trust products need some blocking mechanism that keeps users from accessing resources if their device isn&rsquo;t secure. Some products stop at the blocking stage; they tell the user they&rsquo;re blocked (but not why) and send them off to IT. That&rsquo;s not a great outcome for users (who can&rsquo;t do their jobs) or IT (who will face an avalanche of support tickets).</p> <p>1Password Extended Access Management, by contrast, gives users simple, non-technical instructions so they can unblock themselves.</p> <img src='https://blog.1password.com/posts/2024/what-is-device-trust/macos-firewall-check.png' alt='A screenshot of macOS firewall is disabled remediation instructions.' title='A screenshot of macOS firewall is disabled remediation instructions.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>Also, our agent doesn&rsquo;t wait until users are authenticating to inform them of blocking issues – we inform them ahead of time, so they can get ahead of the problem. (And if they forget to fix an issue but urgently need to log in, we have a <a href="https://www.kolide.com/blog/device-auth-snooze-and-exemption-requests">snooze button</a> that can give them temporary access.)</p> <p>There&rsquo;s an insidious idea that any improvement to security must come with a corresponding cost to user privacy or quality of life. 
Still, 1Password Extended Access Management shows that it is possible to practice device trust without making users feel untrusted.</p> <p>Want to see what our device trust solution looks like in action? <a href="https://1password.com/contact-sales/xam">Reach out for a demo!</a></p></description></item><item><title>How we improved search results in 1Password</title><link>https://blog.1password.com/improved-search-results-1password/</link><pubDate>Wed, 24 Jul 2024 00:00:00 +0000</pubDate><author>info@1password.com (Megan Barker)</author><guid>https://blog.1password.com/improved-search-results-1password/</guid><description> <img src='https://blog.1password.com/posts/2024/improved-search-results-1password/header.png' class='webfeedsFeaturedVisual' alt='How we improved search results in 1Password' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Accuracy is important in just about everything we do, so it’s difficult to think of a situation in which one can be too exact. But it’s not impossible.</p> <p>There’s good ol’ 1Password search, for instance, which is perfectly functional. It’s also overly precise and highly inflexible. When I search the term <em>bank</em>, my bank login is never returned because my financial institution doesn’t have the word <em>bank</em> in its name, and I lacked the foresight to tag every banking-related credential with the appropriate tag. Because I, like you, expected 1Password to just… <em>know</em>.</p> <p>Now it does.</p> <p>With the latest version of 1Password, we&rsquo;ve introduced a better search experience. Now your item searches are useful and much more helpful thanks to large language models (LLM).</p> <p>Yep, that says LLM. 
And, yes, an LLM is a type of artificial intelligence (AI).</p> <p>What follows is a deep dive into how we use it <em><strong>securely</strong></em>.</p> <h2 id="out-with-the-old">Out with the old</h2> <p>Before we get into how incredible the <em>new</em> is, I think it’s important to understand where we started.</p> <p>In the original 1Password search, a <em>token</em> was assigned to each word or term and the algorithm looked for exact matches in those tokens. For example, 1Password saw <code>this text</code> as two tokens; <code>snake_case</code> would be two tokens, as well.</p> <p>1Password turned item data into a list of tokens, then checked your search input to see if it matched tokens in the list. The more matches found, the higher the item ranked in the search results. That’s essentially it.</p> <p>There are ways for power users to amp up their results. We haven’t made much noise about filtering in the past but the older 1Password search algorithm supported filters so you were able to customize (and narrow) your results.</p> <p>A search of <code>=untagged bank</code> queries the term <code>bank</code> in all items without tags, for example. Similarly, <code>=vault:Private bank</code> searches the term <code>bank</code> only in your private vault.</p> <p>Filters helped (if you knew how to use them) but there was a lot of work to be done.</p> <h2 id="in-with-the-new">In with the new</h2> <p>After dropping those two specific and often controversial vowels in the introduction, here we are: The new 1Password LLM-supported search.</p> <p>You may notice I used the word “supported.” Very intentionally. Because <strong>there’s no LLM technology <em>in</em> 1Password itself</strong>. That means the LLM interacts with precisely <strong>zero</strong> user data.</p> <p>We only rely on the LLM to derive keywords from popular website metadata and compile the words into a list indexed by website domain. We then make the list accessible to the 1Password clients. 
After the keyword list is downloaded, searching works <strong>entirely offline</strong>.</p> <p>There’s also a multi-step process to make your searches smart and keep them safe.</p> <img src="https://blog.1password.com/posts/2024/improved-search-results-1password/better-search-results.jpg" alt="A screenshot of 1Password showing a number of search results for &#39;social&#39; that don&#39;t include the word &#39;social&#39;, like Facebook, Instagram, and Reddit." title="A screenshot of 1Password showing a number of search results for &#39;social&#39; that don&#39;t include the word &#39;social&#39;, like Facebook, Instagram, and Reddit." class="c-featured-image"/> <p>When you perform a search, 1Password compares your query to the keyword cache, finds websites that match your search term, then locates items in your vault that match <em>those</em> websites. And that keyword cache is secured the very same way <a href="https://support.1password.com/1password-security/">all vault items are secured</a>. That means if a theoretical attacker were to gain physical access to your device, no part of the new search design could help them determine what’s in your vault — a privacy-preserving implementation similar to that of <a href="https://support.1password.com/rich-icons-privacy/">rich icons</a>.</p> <p>All this is to say (reiterate) AI is <em>part</em> of the process but doesn’t interact with your information. Ever.</p> <h2 id="what-once-was-old-is-new-again">What once was old is new again</h2> <p>While the original 1Password search was rigid, we had a few things right. So, we retained it — the original search and its exact matches work right alongside the new search. 
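A reduced model of the two search paths just described, as an added example that is not 1Password's code: exact token matching as in the original search, the <code>=untagged</code> and <code>=vault:Name</code> filter prefixes, and the new keyword layer that maps a term to website domains through a locally cached list and then to the vault items that point at those sites. The keyword list, the vault items, the tokenizer rule and the scoring weights are constructed assumptions, not the client's actual rules.

```python
"""Two-layer item search: exact token matching plus offline keyword expansion.

Added example, not 1Password's own code. Items are tokenised (whitespace and
punctuation such as '_' split tokens, so 'snake_case' is two tokens), a query
may carry a leading filter, and each remaining term is matched both literally
against item tokens and, via a cached domain -> keywords list, against the
site an item points to. KEYWORDS and ITEMS are constructed sample data; in a
real client the list is downloaded once and then used entirely offline.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit

TOKEN = re.compile(r"[a-z0-9]+")


def tokens(text: str) -> set[str]:
    """Assumed tokenizer: lowercase runs of letters/digits."""
    return set(TOKEN.findall(text.lower()))


@dataclass
class Item:
    title: str
    url: str
    vault: str
    tags: list[str] = field(default_factory=list)

    @property
    def host(self) -> str:
        host = urlsplit(self.url).hostname or ""
        return host[4:] if host.startswith("www.") else host


# Constructed stand-in for the downloaded keyword cache: domain -> keywords
# derived from public site metadata, never from anything in a vault.
KEYWORDS = {
    "royalbank.example": {"bank", "banking", "finance"},
    "facebook.com": {"social", "friends", "messenger"},
    "reddit.com": {"social", "forum", "news"},
}


def parse_query(query: str) -> tuple[dict, set[str]]:
    """Split off '=untagged' / '=vault:Name' filters; return (filters, terms)."""
    filters, words = {}, []
    for word in query.split():
        if word == "=untagged":
            filters["untagged"] = True
        elif word.startswith("=vault:"):
            filters["vault"] = word[len("=vault:"):]
        else:
            words.append(word)
    return filters, tokens(" ".join(words))


def search(query: str, items: list[Item]) -> list[str]:
    """Return item titles, best match first. Weights (2 exact, 1 keyword) are assumed."""
    filters, terms = parse_query(query)
    if not terms:
        return []
    # New layer: which cached domains does each term describe?
    expanded = {t: {d for d, kws in KEYWORDS.items() if t in kws} for t in terms}
    scored = []
    for item in items:
        if filters.get("untagged") and item.tags:
            continue
        if "vault" in filters and item.vault != filters["vault"]:
            continue
        item_tokens = tokens(f"{item.title} {item.url} {' '.join(item.tags)}")
        score = 0
        for t in terms:
            if t in item_tokens:            # original behaviour: exact token match
                score += 2
            elif item.host in expanded[t]:  # new behaviour: term describes the item's site
                score += 1
        if score:
            scored.append((-score, item.title))
    return [title for _, title in sorted(scored)]


ITEMS = [  # constructed sample vault; 'RBC' has no 'bank' token anywhere
    Item("RBC", "https://www.royalbank.example/signin", "Private"),
    Item("Facebook", "https://www.facebook.com", "Private"),
    Item("Reddit", "https://reddit.com", "Employee"),
    Item("Bank of Nowhere", "https://nowhere.example", "Employee", ["bank"]),
]

if __name__ == "__main__":
    print(search("bank", ITEMS))
    print(search("=vault:Employee social", ITEMS))
```

The case from the introduction is the first item: a search for <code>bank</code> finds RBC only through the keyword layer, because neither its title nor its URL contains that token. Note what that layer consults: the cached domain list and the item's own URL host, so nothing derived from vault contents ever leaves the device.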
We also kept great features like <a href="https://support.1password.com/quick-access/">Quick Access</a> and those handy filters that help you narrow your search results.</p> <img src="https://blog.1password.com/posts/2024/improved-search-results-1password/vault-filtering.jpg" alt="A screenshot of 1Password showing the following search query: =vault:Employee social" title="A screenshot of 1Password showing the following search query: =vault:Employee social" class="c-featured-image"/> <p>It’s worth calling out the <em>other</em> long-time 1Password feature we brought to the new search capabilities: security.</p> <p>There’s no question AI use can <a href="https://tech.co/news/list-ai-failures-mistakes-errors">go badly</a>. But when the technology is implemented thoughtfully by people who care, its power can be harnessed for amazing things.</p> <p>With our improved search results, the innovation you’ve come to expect from 1Password enhances usability, and our secure design remains intact. When we restrict LLM to tasks outside 1Password, we use AI to make your search results more accurate <strong>without</strong> sacrificing your privacy.</p> <p>And that’s a pretty amazing thing.</p> <p><em>With thanks to the following contributors:</em></p> <ul> <li><em>Sean Aye, Sr Developer</em></li> <li><em>Tiemoko Ballo, Sr Security Developer</em></li> </ul></description></item><item><title>[Checklist] How to make back-to-school (and family life) easier with a password manager</title><link>https://blog.1password.com/password-checklist-students-parents/</link><pubDate>Tue, 23 Jul 2024 00:00:00 +0000</pubDate><author>info@1password.com (1Password)</author><guid>https://blog.1password.com/password-checklist-students-parents/</guid><description> <img src='https://blog.1password.com/posts/2024/password-checklist-students-parents/header.png' class='webfeedsFeaturedVisual' alt='[Checklist] How to make back-to-school (and family life) easier with a password manager' style='max-width: 
600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">The back-to-school season is a hectic and overwhelming time for both students and parents alike.</p> <p>Along with the usual stress of pick-ups and drop-offs, schedules, extra-curriculars, and report cards, now you also have to worry about cybersecurity, school portals, hackers, and social media, too! Not to mention all the other life administration you take on, like bills, doctor’s appointments, pet care, family vacations, and more.</p> <p>It’s exhausting just thinking about it.</p> <p>Back in the day, it was just pencil cases and Trapper Keepers, but now it’s apps, online assessments, and even a bit of ChatGPT. It’s certainly a new era, and while we can’t go back to the past, it may help to start thinking about password managers like the new Trapper Keepers of the digital world.</p> <p>To lend a helping hand, we’ve put together a checklist of all the ways you can use a password manager like 1Password to make going back to school – and every day – a much easier and more convenient experience for you and your family.</p> <h2 id="1-create-strong-passwords-and-passphrases-to-stay-secure">1. Create strong passwords and passphrases to stay secure</h2> <p>Believe it or not, compromised passwords are still involved in most data breaches. In fact, <a href="https://services.google.com/fh/files/blogs/gcat_threathorizons_full_jul2023.pdf">Google Cloud’s 2023 Threat Horizons Report</a> found that 86% of breaches used stolen credentials. You don’t have to live in fear, but for all that the internet adds to our everyday lives, there are also innumerable threats in the shape of cybercriminals, hackers, and con artists who want access to your identity, data, and finances. 
Stealing passwords and logins is fundamental to their work.</p> <p>The answer to these threats starts with encouraging everyone to use truly unique passwords for every account and website they use.</p> <p>You can begin building better security habits for you and your family instantly by leveraging a password manager like 1Password and its built-in password generator feature that creates strong passwords according to each website&rsquo;s requirements.</p> <img src='https://blog.1password.com/posts/2024/password-checklist-students-parents/generator-min.png' alt='1Password interface showing a generated password, settings for password type, character count, and toggles for numbers and symbols.' title='1Password interface showing a generated password, settings for password type, character count, and toggles for numbers and symbols.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>These unique passwords can be synced across everyone in the family’s devices, making it simple to instantly share any password updates, log in to shared online accounts, like school portals or online banking, and avoid having to keep the Wi-Fi password on the fridge.</p> <p>Plus, <a href="https://1password.com/features/autofill/">1Password’s autofill</a> feature gives you the option to automatically enter your logins and personal information like addresses and credit cards in trusted apps and web pages rather than manually typing your information into each field. You can even choose default options like a certain email address or payment card to automate things even further.</p> <img src='https://blog.1password.com/posts/2024/password-checklist-students-parents/autofill-min.png' alt='Registration form with fields for username, password, and confirm password. A suggested password from 1Password is displayed in the password field.' title='Registration form with fields for username, password, and confirm password. 
A suggested password from 1Password is displayed in the password field.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>While 1Password is usually there to easily autofill your passwords for you, sometimes you do still have to manually type them in, like when setting up a gaming console, or signing in to a streaming service on your TV. In these cases, 1Password’s option for memorable passwords (also known as passphrases) is perfect for making this usually annoying task much more convenient.</p> <p>A completely random passphrase like <strong>brisling-expiate-tattle-juniper</strong>, for instance, can be just as difficult for cybercriminals to crack as a complex password that contains special characters, uppercase letters, lowercase letters, and numbers.</p> <img src='https://blog.1password.com/posts/2024/password-checklist-students-parents/memorablepassword-min.png' alt='1Password app interface with account categories and an editing section for a Fortnite account showing customization options for a generated memorable password.' title='1Password app interface with account categories and an editing section for a Fortnite account showing customization options for a generated memorable password.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>Because online security is so crucial, <a href="https://support.1password.com/1password-security/">1Password’s security model</a> is robust, audited and verified by third-party experts. 1Password uses Advanced Encryption Standard (AES) 256-bit encryption to encrypt your vaults. 1Password also uses a zero-knowledge approach, which means what you save in your 1Password vaults is only accessible to you — the person with the keys to the vault. 
It’s never visible nor accessible to 1Password.</p> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div class="c-technical-aside-box__description"> <p>Syncing seamlessly across all your devices, 1Password is available on <a href="https://apps.microsoft.com/detail/xp99c9g0krdz27?hl=en-us&amp;gl=CA">Windows</a>, <a href="https://1password.com/downloads/mac/">Mac</a>, <a href="https://1password.com/downloads/linux/">Linux</a>, <a href="https://apps.apple.com/app/id1511601750?mt=8">iOS</a>, <a href="https://play.google.com/store/apps/details?id=com.onepassword.android">Android</a>, and 1Password browser extensions (<a href="https://1password.com/downloads/browser-extension/">Microsoft Edge, Chrome, Firefox, Safari, and Brave</a>).</p> </div> </aside> <h2 id="2-securely-share-passwords">2. Securely share passwords</h2> <p>A password manager like 1Password doesn’t just make it safe to share passwords, it also makes it simple. No more text messages, copying and pasting from the notes app, sticky notes, or even reading a password aloud. You can share passwords seamlessly across everyone’s devices regardless of what kind they are, and if you ever need to update a password, no need to let everyone know – the update will automatically sync to everyone who has access to it.</p> <img src='https://blog.1password.com/posts/2024/password-checklist-students-parents/sharedvault-min.png' alt='Pop-up window for managing &#39;Banking&#39; access permissions in 1Password app, showing two users with full access.' title='Pop-up window for managing &#39;Banking&#39; access permissions in 1Password app, showing two users with full access.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>Plus, every item you save in 1Password is stored in a vault, so you can use vaults to organize your items and then share with others. 
For example, you could:</p> <ul> <li>Create a school and extracurriculars vault to store any school-related logins.</li> <li>Create a streaming vault to store all the passwords for your streaming services.</li> <li>Create a gaming vault to store logins for things like Steam, consoles, Roblox, and Fortnite.</li> </ul> <p>The possibilities are endless.</p> <p>You can also create more vaults to share with only certain people in the family. For example, you may want to share specific credit cards, bank accounts, and other sensitive information between you and your partner, but not with your children, so you can create a vault that only you and your partner have access to.</p> <p>For shorter-term needs, there’s also item sharing. <a href="https://support.1password.com/share-items/">Item sharing</a> lets you generate a link, customize the length of time the link is valid, and choose who can view the item.</p> <img src='https://blog.1password.com/posts/2024/password-checklist-students-parents/shareitem-min.png' alt='1Password app interface with a pop-up for sharing a Wi-Fi network item named Home Wi-Fi - Casa Martinez.' title='1Password app interface with a pop-up for sharing a Wi-Fi network item named Home Wi-Fi - Casa Martinez.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>1Password lets you share anything in your account with anyone – even people who don’t use 1Password!</p> <h2 id="3-store-sensitive-information-and-documents">3. Store sensitive information and documents</h2> <p>1Password can store and secure a lot more than just strong passwords. You can use 1Password like a digital safe, not only as a way to keep all of your sensitive information secure, but also as an easy way to keep all of your documents organized, accessible, and searchable. 
For example:</p> <ul> <li>Store all of your children’s school-related items you may need to reference often, like report cards, school schedules, logins for school portals, uniform shops, or lunch plans.</li> <li>Store your family’s identity information, like Social Insurance and Social Security cards, health insurance cards, driver’s licenses, passports, and birth certificates.</li> <li>Store medical records or notes, like lists of allergies, medications, or family histories for easy sharing when visiting the doctor or informing schools.</li> <li>Store items your kids might still be forgetful about, like locker combinations, school and personal device PINs, and bike lock combinations.</li> </ul> <img src='https://blog.1password.com/posts/2024/password-checklist-students-parents/schoolvault-min.png' alt='1Password app interface of a vault with school-related items, with the file &#39;Jamie report card 2022&#39; selected.' title='1Password app interface of a vault with school-related items, with the file &#39;Jamie report card 2022&#39; selected.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>As your children get older, they can continue to add items to the vault along with you.</p> <p><strong>Plus, keep track of miscellaneous life administration</strong></p> <p>Along with all of your sensitive information, you can also use 1Password to help you with any life administration tasks:</p> <ul> <li><strong>Car details</strong>: You can’t be the family chauffeur if your car isn’t up to snuff! Store things like insurance information, license plate numbers, VINs, and your favorite mechanic’s contact information.</li> <li><strong>Gift cards</strong>: Do you have a pile of gift cards you always mean to take with you so you can finally spend them but you forget every single time? Store them in 1Password so they’re always with you without taking up space in your wallet. 
Use them in-person or online whenever you’re ready, or easily share them with your loved ones.</li> <li><strong>Memberships and subscriptions</strong>: Library cards, music streaming, magazines, gym memberships – keep track of everything you’re using and what may need to be canceled.</li> <li><strong>Serial numbers</strong>: They can come in handy a lot more than you think – serial numbers for school instruments, school, work, and personal devices, bikes, and tools can be very valuable if something gets lost or goes missing.</li> <li><strong>Traveling</strong>: If you’re traveling with family or friends, a shared vault is a great way to store personal information for easy access, like travel insurance, itineraries, and medication histories. When traveling alone, a shared vault lets you share all that important information with family or guests back home in case there’s an emergency. Plus, share instructions with whoever is feeding your pets, watering your plants, or collecting your mail.</li> <li><strong>Taxes</strong>: Donations, receipts, tuition – store all of these crucial documents in 1Password to keep them safe and then easily share them with your accountant when tax season arrives.</li> </ul> <img src='https://blog.1password.com/posts/2024/password-checklist-students-parents/vaultlist-min.png' alt='1Password app interface showing list of vaults including Private, Banking, Cars, Family, and Gift Cards.' title='1Password app interface showing list of vaults including Private, Banking, Cars, Family, and Gift Cards.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>Keeping everything in one searchable place, especially in a shared household, can keep you organized, far less stressed, and prepared for anything.</p> <h2 id="4-create-guest-accounts-to-keep-things-safe-and-simple">4. 
Create guest accounts to keep things safe and simple</h2> <p>1Password lets you create <a href="https://support.1password.com/guests/">guest accounts</a>, which are perfect for sharing limited information for a limited time, such as your Wi-Fi password. You can also use guest accounts for things like:</p> <ul> <li>Sharing instructions for your babysitter, including emergency phone numbers, allergy and medication lists, school pick-up codes and instructions, extra-curricular activity schedules, and your home alarm code.</li> <li>Sharing instructions for the dog walker or pet sitter, including veterinarian contact information, feeding or medication instructions, and where to find their favorite ball.</li> <li>Sharing any need-to-know information with a guest staying at your home, like your home alarm code, where to find the spare key, the Wi-Fi password, and how to lock that wonky doorknob you’ve been meaning to fix.</li> <li>Sharing information with contractors or builders like schedules, parking information, alarms, and spare key locations.</li> </ul> <img src='https://blog.1password.com/posts/2024/password-checklist-students-parents/guest-min.png' alt='A guest vault in 1Password showing items including a wifi password, alarm code, and allergies list.' title='A guest vault in 1Password showing items including a wifi password, alarm code, and allergies list.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>Guests can have access to a single vault at a time. They won’t have their own Private vault or access to your family’s Shared vault, so you don’t have to worry about sharing any information you’re not intending to.</p> <h2 id="5-share-financial-information-regularly-or-in-emergencies">5.
Share financial information regularly or in emergencies</h2> <p>Sharing financial information with family members and friends you trust can make things very easy or even come in very handy during emergencies big and small, like if your child needs to buy lunch, a textbook, or bus fare to get home.</p> <img src='https://blog.1password.com/posts/2024/password-checklist-students-parents/creditcard-min.png' alt='1Password app interface with a pop-up for sharing an Emergency Credit Card link, showing link expiration and access options.' title='1Password app interface with a pop-up for sharing an Emergency Credit Card link, showing link expiration and access options.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>Since text and email are not secure channels for sending a photo of your credit card or other personal data, use a <a href="https://1password.com/features/secure-password-sharing/">shared vault</a> in 1Password to securely pass sensitive information to family members, or item sharing to pass it to friends who you may not want to have indefinite access to your financial details.</p> <h2 id="6-stay-informed-about-data-breaches-weak-passwords-and-more">6. Stay informed about data breaches, weak passwords, and more</h2> <p>Staying up to date on the latest breaches and other security issues is important, but who has the time to stay on top of it all? 1Password takes it off your plate with Watchtower, a built-in system that checks for security problems.</p> <img src='https://blog.1password.com/posts/2024/password-checklist-students-parents/watchtower-min.png' alt='1Password Watchtower interface displaying password strength score of 1159 labeled fantastic, and security issues such as vulnerable, reused, weak passwords, duplicates, available passkeys, and two-factor authentication.'
title='1Password Watchtower interface displaying password strength score of 1159 labeled fantastic, and security issues such as vulnerable, reused, weak passwords, duplicates, available passkeys, and two-factor authentication.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>Think of 1Password’s <a href="https://watchtower.1password.com/">Watchtower</a> dashboard as your online security command center where you can review and resolve potential vulnerabilities you’re notified about.</p> <ul> <li><strong>Change weak and reused passwords</strong>: Watchtower will flag and bring any weak or reused passwords to your attention on the dashboard.</li> <li><strong>Change passwords that have appeared in a data breach</strong>: Watchtower integrates with <a href="https://haveibeenpwned.com/">Have I Been Pwned</a> to alert you if any of your different accounts are involved in a data breach.</li> <li><strong>Enable 2FA where it’s offered</strong>: The two-factor authentication (2FA) notification will appear on login items that support 2FA but haven’t had it enabled yet.</li> <li><strong>Update HTTP sites to HTTPS</strong>: Websites will be marked as “Unsecured” when the URL saved in 1Password starts with HTTP. Any time you enter passwords (or other sensitive information) on an unsecured website, they are transmitted unencrypted and are vulnerable to interception. HTTPS is the encrypted version of the HTTP protocol, and you can resolve these alerts by clicking “Use HTTPS” in the Watchtower banner.</li> <li><strong>Take action on expiring items</strong>: 1Password can help you keep your credit cards, memberships, licenses, and passports up to date. The “Expiring Soon” alert will appear for items that are, of course, about to expire.</li> </ul> <h2 id="7-store-items-for-extended-family-members">7.
Store items for extended family members</h2> <p>We all have at least one family member or loved one that isn’t tech savvy, and convincing them to use a password manager just isn’t happening yet. While you work on getting them to see the light, 1Password can make things much easier for you.</p> <img src='https://blog.1password.com/posts/2024/password-checklist-students-parents/famvault-min.png' alt='A 1Password vault for an extended family member showing items like instructions to sign in to Netflix and wifi reset steps.' title='A 1Password vault for an extended family member showing items like instructions to sign in to Netflix and wifi reset steps.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>If you’re often helping someone with logins, password recall, or even just instructions for doing certain things online, you can create a vault for things like their logins, PINs, and notes containing steps or how-tos. Even without them using 1Password, you can share these items using item sharing, or open up the vault whenever you’re with them for easy access. If your spouse or kids are also helpers, the vault can also be shared so there’s always someone available when needed.</p> <h2 id="security-at-the-speed-of-life">Security at the speed of life</h2> <p>Get creative! Whatever life throws at you, you can probably throw it in 1Password.</p> <p>A password manager like 1Password can take your and your family’s to-do list from an endless chore to a well-oiled machine. 
When everyone knows where to go to find or store all the most important family data, you can rest easier knowing you and your loved ones are ready for anything – back to school and beyond.</p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Ready to protect yourself?</h3> <p class="c-call-to-action-box__text"> Keep all of your accounts secure with 1Password, the world’s most-trusted password manager. Get started today with a free 14-day trial. </p> <a href="https://1password.com/pricing/" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Try free for 14 days </a> </div> </section></description></item><item><title>Credential-based data breaches: Five ways to shore up defenses and prevent unauthorized access</title><link>https://blog.1password.com/credential-based-data-breaches/</link><pubDate>Tue, 23 Jul 2024 00:00:00 +0000</pubDate><author>info@1password.com (1Password)</author><guid>https://blog.1password.com/credential-based-data-breaches/</guid><description> <img src='https://blog.1password.com/posts/2024/credential-based-data-breaches/header.png' class='webfeedsFeaturedVisual' alt='Credential-based data breaches: Five ways to shore up defenses and prevent unauthorized access' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Note: 1Password has <em>not</em> been compromised. 
This blog post provides practical tips to protect your organization from a recent string of credential-based breaches.</p> <p>Over the last few months, there have been a number of credential-based breaches, including the attacks on <a href="https://www.theverge.com/2024/5/31/24168984/ticketmaster-santander-data-breach-snowflake-cloud-storage">Ticketmaster, Santander Bank, and others</a>.</p> <p>As details regarding this string of attacks continue to be uncovered, it is critical that organizations take precautionary measures in order to protect themselves and their customers from potentially being compromised by cybercriminals. While the details may be murky, it’s likely that cybercriminals are successfully “stuffing” stolen credentials into numerous systems and databases to see what they can unlock. This underscores the consequences of a risky behavior common among employees: reusing the same email and password on multiple sites.</p> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div class="c-technical-aside-box__description"> <p><strong>What happened?</strong> Recently, there has been a <a href="https://www.darkreading.com/cloud-security/nieman-marcus-customers-impacted-snowflake-data-breach">string of high-profile attacks</a> on large organizations. These attacks have been primarily credential-based and focused on cloud-based data platforms, resulting in the theft of sensitive information. Organizations that are not using multi-factor authentication (MFA) have been particularly at risk.</p> <p><strong>Who’s impacted?</strong> Currently, more than 165 organizations have been impacted, and it is unclear how widespread these attacks will become. If your organization is using credentials in any manner, it may be at risk from this attack.</p> <p><strong>How can I tell if I’ve been breached?</strong> It’s imperative to begin monitoring security data and logs for anomalous behavior that can indicate a security incident.
This includes analyzing access logs for context that may indicate a breach, such as access from uncommon locations or at odd times. You can also use <a href="https://haveibeenpwned.com/DomainSearch">Have I Been Pwned</a> to see if a specific email address has been impacted by recent breaches.</p> <p>If your company is a 1Password customer, you can also check <a href="https://watchtower.1password.com/">Business WatchTower</a> to see if any employee email addresses have been impacted.</p> </div> </aside> <h2 id="what-to-do-about-credential-based-data-breaches">What to do about credential-based data breaches</h2> <p>Given that this breach may be using credentials from large collections of compromised data, like the <a href="https://blog.1password.com/what-to-do-mother-of-all-breaches/">Mother of All Breaches</a> or <a href="https://cybernews.com/security/rockyou2024-largest-password-compilation-leak/">rockyou2024</a>, there is risk for every organization and individual reusing credentials in multiple places. This is especially true for applications or websites that may contain sensitive data, such as cloud databases like Snowflake.</p> <p>The main action organizations should take is to require employees to change any passwords that are reused in multiple places and replace them with strong and unique passwords. Given the scope and sheer number of credentials involved, organizations should use an enterprise password manager to manage this process.</p> <p>Below are five ways organizations can shore up defenses from these types of cyberattacks and prevent unauthorized access:</p> <ol> <li><strong>Use contextual access management</strong> to review access requests against defined policies, such as location, device health, and configuration.</li> <li><strong>Use multi-factor authentication</strong> to ensure that users require more than just a username/password to access tools with sensitive data. 
This extra layer of security can go a long way to slowing or preventing attacks like credential stuffing.</li> <li><strong>Implement and enforce strong password policies</strong> including having strong, unique passwords for every account and system. This is the only way to ensure that if a single account’s credentials are stolen, no other systems will be at risk. In terms of requirements, <a href="https://www.cisa.gov/secure-our-world/use-strong-passwords">CISA has published guidelines</a> for strong passwords that can be used in developing policies.</li> <li><strong>Use <a href="https://passage.1password.com/post/why-passkeys-are-better">passkeys</a> wherever possible</strong> to bypass having to use passwords. 1Password has the ability to provide an alert if a service is eligible for passkeys, or you can visit <a href="https://passkeys.directory/">passkeys.directory</a> to view eligible services.</li> <li><strong>Discover and secure unmanaged applications</strong> in order to minimize the number of credentials that may be weak or reused in your organization.</li> </ol> <h2 id="how-1password-can-help">How 1Password can help</h2> <p>The biggest challenge with breaches of this magnitude is that virtually any and every company is at risk. 1Password helps organizations secure credentials across your entire organization and across tools you may not have visibility into. With 1Password, you can:</p> <ul> <li>Secure web accounts and unmanaged tools, including shadow IT, that your employees bring in from the edge, which may unknowingly contain customer data.</li> <li>Enforce password and device health policies and provide employees with an easy-to-use interface that makes access easier for them in the process.</li> <li>Implement passkeys across your organization for a stronger method of authentication.
<a href="https://passage.1password.com/">1Password</a> has a free tool, <a href="https://passage.1password.com/product/passkey-ready">Passkey Ready</a>, that can help users gauge passkey readiness.</li> <li>Integrate with SIEM tools to monitor events that occur on credentials stored in 1Password, providing a better view into anomalous behavior.</li> </ul> <p>The key takeaway: if you require that every employee use a unique password for every business site and data store, a stolen password in one place won&rsquo;t lead to a data breach in another.</p> <p>If you need help or support addressing this breach, <a href="https://1password.com/contact-sales">contact us today</a>.</p> <p>See below for additional resources regarding implementing MFA and strong password policies.</p> <ul> <li><a href="https://www.nsa.gov/Press-Room/News-Highlights/Article/Article/2356020/nsa-releases-cybersecurity-guidance-selecting-and-safely-using-multifactor-auth/">NSA releases cybersecurity guidance for selecting and safely using MFA</a></li> <li><a href="https://www.enisa.europa.eu/topics/incident-response/glossary/authentication-methods">ENISA guidance for authentication methods, including password and MFA</a></li> <li><a href="https://www.cisa.gov/secure-our-world/use-strong-passwords">CISA strong password guidance</a></li> </ul></description></item><item><title>1Password vs. Keeper Security: A comparison</title><link>https://blog.1password.com/1password-vs-keeper-security/</link><pubDate>Fri, 19 Jul 2024 00:00:00 +0000</pubDate><author>info@1password.com (Rachel Sudbeck)</author><guid>https://blog.1password.com/1password-vs-keeper-security/</guid><description> <img src='https://blog.1password.com/posts/2024/1password-vs-keeper-security/header.png' class='webfeedsFeaturedVisual' alt='1Password vs.
Keeper Security: A comparison' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">The differences between 1Password and Keeper go a lot deeper than passwords.</p> <p>If you’re comparing 1Password and Keeper (and it seems like you are, since you’re reading this article) then it pays to be well-informed before you make a purchase.</p> <p>Keeper and 1Password both provide <strong>Enterprise Password Managers (EPMs)</strong>, which are the foundational products of both companies. So if you’re here to compare password managers, we’ve got you covered.</p> <p>But, while EPMs do a lot to keep systems secure, they work better with the help of a more holistic security suite that goes beyond credential management. Fortunately, this is something that both our companies <em>also</em> offer. Keeper provides a lightweight <strong>Privileged Access Management (PAM)</strong> solution, while we provide <strong>1Password Extended Access Management (XAM)</strong>.</p> <p>So, in the interest of giving you a complete comparison of our products, we’ll use this article to contrast Keeper and 1Password in three areas: credential management, device trust, and the impacts they have on your business and users.</p> <p>We’ll start with an overview of the security solutions offered by our two companies.</p> <h2 id="what-is-privileged-access-management-pam">What is Privileged Access Management (PAM)?</h2> <p>PAM is a type of security solution that’s all about securing and monitoring privileged accounts – administrators and others with access to highly sensitive information.</p> <p>Keeper is just one vendor in the PAM category, and there are some variations between PAM products, but the critical capabilities of PAM include:</p> <ul> <li> <p><strong>Privileged credential management:</strong> PAM solutions scan for privileged credentials, and then take steps to secure their access.
That might mean rotating credentials, using an EPM to manage those logins, or other methods.</p> </li> <li> <p><strong>Session management:</strong> When a user begins a privileged access session, PAM solutions include the ability to monitor and record their actions during that session.</p> </li> </ul> <p><strong>Keeper PAM:</strong> Keeper PAM is a more lightweight take on the PAM product category. Part of what differentiates it from more traditional PAM solutions is that it’s completely cloud-based. In their words, Keeper PAM consolidates three “disparate PAM tools into a unified platform.” Those tools are: the Keeper EPM, the Keeper Connection Manager (KCM), and the Keeper Secrets Manager (KSM).</p> <p>All of these tools together can meet some of the critical PAM requirements, but it’s still a less robust solution than traditional PAM, which is part of why Keeper PAM isn’t recognized as a fully-fledged PAM solution by companies like <a href="https://www.gartner.com/reviews/market/privileged-access-management">Gartner</a> and <a href="https://www.cyberark.com/resources/analyst-reports/the-forrester-waveprivileged-identity-management-q4-2023">Forrester</a>.</p> <p>Regardless, the real question, if you’re comparing 1Password vs Keeper, should be: which company meets the specific security needs of <em>your</em> team?</p> <h2 id="what-is-extended-access-management-xam">What is Extended Access Management (XAM)?</h2> <p>Extended Access Management (XAM) is a new product category, distinct from PAM, Identity Access Management (IAM), and Mobile Device Management (MDM), though with elements of all three.</p> <p>The goal of XAM is to take a more holistic approach to access management, in order to account for vulnerabilities outside the scope of other solutions.</p> <p>In a nutshell, the reality of doing business today – with hybrid work, the proliferation of SaaS apps, and BYO-devices – has created several security weaknesses.
There’s a gap between the users, applications, and devices that businesses actually <em>trust</em> (the ones they manage and know are secure), versus all the logins, devices, and apps that can access sensitive data in <em>practice</em>.</p> <img src='https://blog.1password.com/posts/2024/1password-vs-keeper-security/access-trust-gap-3.png' alt='A diagram of the Access-Trust Gap with an inner circle labeled &#39;Managed users, devices, apps&#39; followed by a middle circle labeled &#39;Bring your own device&#39; and an outer circle labeled &#39;Unmanaged apps&#39;.' title='A diagram of the Access-Trust Gap with an inner circle labeled &#39;Managed users, devices, apps&#39; followed by a middle circle labeled &#39;Bring your own device&#39; and an outer circle labeled &#39;Unmanaged apps&#39;.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>XAM seeks to bridge this “access-trust gap.” To do so, it needs to bring visibility and enforcement to things like employee personal devices, shadow IT apps, and third party contractor identities.</p> <p>Here are a few critical components of XAM:</p> <ul> <li><strong>Device trust:</strong> ensure that a device is both known and in a secure state before it accesses company resources.</li> <li><strong>Application insights:</strong> visibility and oversight over the applications that employees use for work, not just the ones approved by IT.</li> <li><strong>User identity:</strong> the ability to verify the identity of users before they’re allowed to access sensitive data (think SSO and MFA).</li> <li><strong>Enterprise credential management:</strong> tools to manage and secure end-user access to shared credentials.</li> </ul> <p><strong>1Password Extended Access Management:</strong> our XAM solution achieves these goals through our 1Password EPM and Device Trust solutions, combined with Application Insights and User Identity (coming soon). 
By combining the abilities of each, we’ve made a solution that can secure every sign-on, from every app, on every device.</p> <p>As you can see, while there is overlap between XAM and PAM, these two solutions use different methods to achieve different goals. PAM is an intensive security solution appropriate for a small subset of users. XAM is a more user-friendly solution designed for your entire workforce.</p> <p>To understand the consequences of these differences, we’re going to dig into three areas of our business: Credential management, device trust, and business impacts.</p> <p>We’ll start with a direct comparison of the component that we have in common: our EPMs.</p> <h2 id="credential-management">Credential management</h2> <p>You likely came here because you’d heard of our EPM. But just in case you need a refresher &hellip; what <em>is</em> an EPM?</p> <p>Enterprise password managers store and encrypt users’ login credentials in order to discourage users from re-using the same password or, for example, putting them on a sticky note next to their desk. EPMs typically come with a password generator to ensure that users are using unique passwords, and they also allow you to share login information with other authenticated employees.</p> <p>All of the above is true for both 1Password and Keeper. But there are also important differences between our products, starting with the features that come standard, versus the ones you have to pay extra for. As you can see in the table below, 1Password EPM includes many critical features as part of our standard product, while Keeper treats them as add-ons.</p> <img src='https://blog.1password.com/posts/2024/1password-vs-keeper-security/1password-vs-keeper-whats-included.png' alt='A table summarizing the features that are available in 1Password and Keeper. Many features, including Secure File Storage and Secrets Management, are included in 1Password but an added cost in Keeper.' 
title='A table summarizing the features that are available in 1Password and Keeper. Many features, including Secure File Storage and Secrets Management, are included in 1Password but an added cost in Keeper.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>Let’s dig a little deeper into the factors that set our EPMs apart.</p> <h3 id="encryption">Encryption</h3> <p>Both Keeper and 1Password EPM use AES-256 encryption. When you use either service, all of the decryption is done locally on your device. We both also operate using a zero-knowledge architecture, which means that nobody at either company can see your passwords.</p> <p>The reason 1Password EPM <a href="https://www.passwordmanager.com/keeper-vs-1password/">consistently wins</a> over Keeper in security comparisons is that we go one step further, with a 128-bit secret key for account access. This key is next to impossible to crack, and keeps accounts safer from attack than a master password alone, which is what Keeper has.</p> <p>1Password also uses a password-authenticated key exchange (PAKE) to protect the user&rsquo;s password and <a href="https://support.1password.com/secure-remote-password/">adds an additional layer of security</a> to authentication.</p> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div class="c-technical-aside-box__description"> <p>A quick vocab lesson: Keeper claims that 1Password doesn’t encrypt at the “record level.” But that’s only because 1Password doesn’t refer to individual vault items as “records.” That’s Keeper’s term. But rest assured – each vault item is encrypted individually.</p> </div> </aside> <h3 id="breach-monitoring">Breach monitoring</h3> <p>Both Keeper and 1Password have the ability to alert users when a password for their account has been compromised and leaked on the dark web. 
1Password’s service is called Watchtower, while Keeper’s is BreachWatch.</p> <p>With 1Password, Watchtower alerts are included in your company plan, whereas Keeper’s BreachWatch costs extra.</p> <h3 id="secrets-management">Secrets management</h3> <p>Keeper describes their secrets manager as a <a href="https://www.keepersecurity.com/secrets-manager.html">core element of their PAM solution</a>. But they also <a href="https://www.keepersecurity.com/pricing/business-and-enterprise.html">sell it as an add-on that doesn’t come standard</a> on even the enterprise tier of their password manager. On top of that, it’s less robust than 1Password’s secrets manager, and its integrations are more difficult to deploy. Let us explain what we mean by that.</p> <p>Keeper’s secrets manager has an installable SSH agent, but that requires their CLI to run – and Keeper CLI is only available for their Enterprise plan. They also charge an extra fee for SDKs and CI/CD integrations.</p> <p>And, while their offering is integrated with a number of services, it doesn’t have a REST API available for non-native platforms to use the service.</p> <p>1Password, however, provides a built-in SSH agent and full CLI. Access to SDKs and CI/CD integrations is also part of the core product – at no extra cost.</p> <p>1Password&rsquo;s Secrets Automation also supports several plugins/SDKs, as well as a REST API to be used on any other platform.</p> <h3 id="third-party-audits">Third-party audits</h3> <p>Keeper and 1Password both conduct regular third-party security audits.
Keeper, however, maxes out their bug bounty at <a href="https://bugcrowd.com/keepersecurity">$10,000</a> (or they’ll ask <em>you</em> to pay, if you happen to be <a href="https://boingboing.net/2017/12/21/keeper-v-goodin-et-al.html">a reporter</a> who wrote an article about a Keeper bug).</p> <p>1Password proudly has the highest bug bounty program of any password manager (hack us, and you could get <a href="https://bugcrowd.com/agilebits">1 million dollars</a>).</p> <h3 id="secure-travel-mode">Secure travel mode</h3> <p>1Password includes a secure travel mode, which allows you to limit the amount of information that’s stored on your individual device during travel. This way, in cases where border or customs officials ask a user to unlock their phone, or where devices are stolen or confiscated, they can ensure that highly sensitive data still isn’t seen. Only the vaults marked “safe to travel” will stay on the device.</p> <p>Keeper does not have a secure travel mode.</p> <h3 id="onboarding-and-customer-support">Onboarding and customer support</h3> <p>Keeper <a href="https://www.keepersecurity.com/en_GB/professional-services-business.html">charges for support</a>, with prices increasing depending on the size or needs of your company.</p> <p>1Password EPM, however, includes onboarding and customer support for any account over 75 seats; admins get the help of a dedicated team as they roll out the solution.</p> <h2 id="device-trust">Device trust</h2> <p>Once you’ve secured your workforce’s credentials via an EPM, your next step should be to secure their devices. But, because Keeper PAM works through <a href="https://www.keepersecurity.com/en_GB/solutions/remote-browser-isolation/">a remote browser add-on</a>, it has little oversight beyond the work that gets done in the browser.</p> <p>A lot of vulnerabilities can lurk on devices, including malware that can slip upstream via the browser.
It’s critical that the devices that access sensitive systems are patched, healthy, and free from vulnerabilities. Moreover, it’s critical that employees only use devices that are associated with their identities–otherwise bad actors using stolen credentials can log into your systems.</p> <p>IAM and PAM tools can’t limit access from unhealthy devices. Indeed, most security solutions, even if they offer some limited information about devices, can only work to secure company-owned and managed devices. That leaves you with no way to ensure the safety of personal and contractor devices.</p> <h3 id="how-xam-solves-for-device-trust">How XAM solves for device trust</h3> <p>Device trust is a subset of zero trust security that only allows trusted and healthy devices to access company systems.</p> <p>1Password Extended Access Management comes with a sophisticated, industry-leading device trust solution that integrates with your identity provider’s authentication flow. If a user’s device is found to be compromised, the user will not be allowed to authenticate until they have fixed the problem.</p> <p>It also provides a complete inventory of all of the endpoints able to access company systems, and works on macOS, Windows, Linux, iOS, and Android.</p> <h3 id="device-health">Device health</h3> <p>1Password Extended Access Management offers a rich and comprehensive look at a device’s health that far exceeds the capability of MDM solutions.</p> <p>That includes over 100 pre-built policy checks that do things like ensuring the browser and OS are updated, ensuring the firewall is on and security software is properly configured, and that sensitive data is not sitting around on the hard drive.</p> <p>In addition to this library of checks, 1Password Extended Access Management also includes the ability to write custom checks around specific vulnerabilities you’re concerned with.</p> <p>And if users don’t fix those vulnerabilities in a timely manner, then they’re blocked from 
authentication.</p> <h3 id="self-serve-remediation">Self-serve remediation</h3> <p>Sorry, what was that? If <em>users</em> don’t fix their device vulnerabilities?</p> <p>You heard us.</p> <p>Self-serve remediation is one of the signature features of 1Password Extended Access Management, and it&rsquo;s a big part of what makes our solution so effective and user-friendly.</p> <p>If a device fails a posture check, 1Password Extended Access Management will alert the user immediately, tell them how to fix it via easy-to-follow instructions, and let them know how long they have to fix it before they’ll be blocked from authentication. This minimizes disruptions to productivity, educates end-users, and reduces IT support tickets.</p> <h2 id="1password-vs-keeper-which-is-right-for-your-needs">1Password vs Keeper: which is right for your needs?</h2> <p>PAM and XAM have some overlap in their use cases, particularly in how they each help with credential management via the EPM. However, these solutions are ultimately suited for different purposes, so in many ways it’s an apples-to-oranges comparison between the two. In fact, you could choose to use both PAM and XAM alongside one another! What’s important is understanding which tool is right for the problems you’re trying to solve.</p> <h3 id="keeper-pam">Keeper PAM</h3> <p>Keeper PAM provides insight into privileged account credentials, and who has access to them. That can help teams follow principles of least privilege, keep highly sensitive data secure, and even guard <a href="https://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=10486311">against insider threats</a>, to a degree. 
It makes sense that <a href="https://www.globenewswire.com/en/news-release/2024/02/21/2832437/0/en/Privileged-Access-Management-Market-Surges-to-USD-21-8-Billion-by-2033-at-19-21-CAGR-Marketresearch-biz.html">market research</a> shows PAM solutions as being popular in industries known for handling highly secure data–like banking, government sectors, and healthcare.</p> <p>Still, PAM solutions are typically best suited to larger companies, with enough IT support to dedicate to their implementation and rollout. PAM has long been infamous for being <a href="https://www.infosecurity-magazine.com/magazine-features/pam-in-the-enterprise-pros-versus/">quite complex</a> to roll out. Keeper PAM is cloud-based, which <a href="https://www.keepersecurity.com/blog/2023/12/05/keeper-security-report-organizations-seek-cloud-advantages-in-pam-solutions/">reduces some complexities</a>, but also robs it of some of the power and cohesion of traditional PAM solutions.</p> <p>Keeper PAM secures privileged access through an <a href="https://www.keepersecurity.com/en_GB/connection-manager.html">agentless browser add-on</a>, which means that any privileged browsing session can be recorded. However, its focus on the cloud and the browser does mean that it will work best for companies whose most privileged admin work can be done primarily through web-based apps.</p> <p>Keeper PAM, like their EPM, also comes with many hidden costs and complexities, starting with the initial price tag and extending to the <a href="https://docs.keeper.io/en/v/enterprise-guide/keeper-msp/consumption-based-billing/secure-add-ons">additional costs</a> your team incurs depending on the add-ons and support you need to implement and maintain the solution. 
Those add-ons include things like: secure file storage, customer support, and their reporting and alerts module.</p> <p>With that in mind, Keeper PAM isn’t likely to provide much ROI for smaller companies, those who don’t have the complex administration structure that it’s designed to serve, or those that host a lot of work or data off of SaaS apps.</p> <h3 id="1password-extended-access-management">1Password Extended Access Management</h3> <p>1Password Extended Access Management uses device trust, which looks for security issues beyond the browser. It protects the credentials and devices of every user, as opposed to focusing only on your most privileged accounts. And this is important, since most users have access to some form of sensitive data, and even the lowliest account can be a launchpad for a privilege escalation attack.</p> <p>Its flexibility in the ability to share or store secrets is also ideal for companies that need to work with third parties.</p> <p>1Password is also a good choice for organizations that want to prioritize user experience and privacy. Our solutions are proudly transparent about the data we collect on user activity, which is why users are willing to install us on their unmanaged, personal devices.</p> <h2 id="conclusion">Conclusion</h2> <p>While Keeper and 1Password are competitors in the EPM business, in many ways, PAM and XAM are quite complementary; one protects highly privileged access, and the other fills in the access-trust gap.</p> <p>But even on its own, 1Password Extended Access Management provides a flexible and user-friendly way of protecting against credential-based attacks, ensuring the health of the endpoints in your fleet, and giving you visibility into shadow IT.</p> <p>We would love to have an honest discussion with your team about how XAM can help you meet your security goals–whether you’re currently using PAM, IAM, or something else. 
Let us help you make the right choice for your company.</p> <p><em>If you want an honest discussion with a supportive team, please <a href="https://1password.com/xam/contact-us">reach out</a> to us.</em></p></description></item><item><title>1Password can now encrypt data using your saved passkeys</title><link>https://blog.1password.com/encrypt-data-saved-passkeys/</link><pubDate>Thu, 18 Jul 2024 00:00:00 +0000</pubDate><author>info@1password.com (Rene Leveille & Max Crone)</author><guid>https://blog.1password.com/encrypt-data-saved-passkeys/</guid><description> <img src='https://blog.1password.com/posts/2024/encrypt-data-saved-passkeys/header.png' class='webfeedsFeaturedVisual' alt='1Password can now encrypt data using your saved passkeys' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Passkeys are a great technology that can replace passwords and any number of multi-factor authentication mechanisms. However, they have one major limitation holding them back from fully replacing passwords.</p> <p>While <a href="https://blog.1password.com/passkeys-vs-passwords-differences/">passkeys are a great sign-in method</a>, they can’t be used to encrypt the data associated with your account. Until now, services have been stuck with passwords and other <a href="https://support.1password.com/passkey-security/#device-keys">clever key handling methods</a> to encrypt customer data.</p> <p>That’s no longer the case for services that you’ve chosen to protect with a passkey saved in 1Password. Starting with the latest beta versions of our browser extension and 1Password for Android, any service you log in to with a passkey – provided it’s stored in 1Password – can use that same passkey for end-to-end encryption.</p> <h2 id="what-does-this-mean">What does this mean?</h2> <p>Let&rsquo;s say you use an app that protects all of your notes with end-to-end encryption. 
That means only you have the key required to decrypt and read your notes. Historically this key would be a password. It would be used to verify who you are and decrypt your data.</p> <p>Passkeys in their base form can only be used to verify who you are. They’re excellent at this but can’t traditionally be used to scramble the data associated with your account – in this case, your private notes.</p> <p>That changes with the Pseudo-Random Function (PRF) extension. Now, passkeys stored in 1Password can also be used for encryption. That means the note-taking app can fully ditch passwords and use passkeys for the sign-in process and encrypting your notes.</p> <h2 id="what-is-prf">What is PRF?</h2> <p>Pseudo-Random Function, or PRF, is an extension for <a href="https://blog.1password.com/what-is-webauthn/">WebAuthn</a>, the protocol behind passkeys. Along with the basic functionality for passkeys, the WebAuthn specification includes optional extensions that add useful features.</p> <p>You might already know that behind every passkey is a pair of keys, one public and one private. PRF creates an additional key, which doesn’t encrypt your data directly. Instead, the extension combines this third key with a salt which is generated by the service (e.g. the note-taking app). Mixing these two ingredients in a secure way produces a shared secret in addition to the usual passkey authentication result. The service can then use this shared secret as an encryption key.</p> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div class="c-technical-aside-box__description"> <p>A salt is a value that is randomly generated by the web service. A salt is not considered secret, because its goal is to add extra randomness to the output. 
<a href="https://blog.1password.com/a-salt-free-diet-is-bad-for-your-security/">It&rsquo;s the same concept that’s used when hashing passwords</a>.</p> </div> </aside> <p>This shared secret has two important properties:</p> <ol> <li><strong>Its value is deterministic.</strong> The same input from the web service will always give the same respective output.</li> <li><strong>Its value is unpredictable.</strong> It is virtually impossible for an attacker to guess the shared secret or the passkey’s secret even if they know many of the possible salt and shared secret combinations.</li> </ol> <p>In symmetric encryption, a deterministic value is crucial since the key that was used to encrypt is also used for decryption. If the process creates a different result or key every time, your data can&rsquo;t be decrypted anymore and you’ll essentially be locked out forever.</p> <p>A deterministic output doesn&rsquo;t mean it&rsquo;s predictable. The salt on its own doesn&rsquo;t tell an attacker anything about the shared secret. If the attacker knows both the salt and the final shared secret, they still can&rsquo;t infer anything about the secret key or any future shared secrets should the salt change. This allows a service to easily change the encryption key by changing the salt without ever exposing your data.</p> <h2 id="why-is-prf-important">Why is PRF important?</h2> <p><a href="https://blog.1password.com/what-are-passkeys/">Passkeys are great at proving who you are</a> in a secure and un-phishable way. The private and public key behind every passkey always stay the same but the output changes every time you sign in to the associated account. This is great for authentication because if an attacker somehow obtained the output, they couldn’t re-use it to impersonate you later.</p> <p>However, this characteristic breaks the first important property we outlined for encryption: determinism. 
Since the output changes every time, using this process for encryption means we would never be able to retrieve the same encryption key.</p> <p>Historically, all of your online accounts would use a strong password as an encryption key, similar to how vaults in 1Password are protected by your account password and secret key.</p> <p>We&rsquo;re running a public beta at the moment that lets you unlock 1Password with a passkey instead of an account password and a secret key. When you unlock 1Password this way, we currently generate and store a separate <a href="https://support.1password.com/passkey-security/#device-keys">device key</a> that is used to decrypt and encrypt your account data.</p> <p>When other websites or apps implement end-to-end encryption, they now need to carefully think about where and how they should store the encryption keys. Every platform requires a different implementation and in the browser it&rsquo;s currently not possible to store these keys in a secure manner.</p> <p><strong>By supporting the PRF extension for passkeys, encryption keys are now protected by the same mechanisms that already secure millions of passkeys. This finally allows passkeys to truly replace passwords for any operation.</strong></p> <h2 id="our-angle">Our angle</h2> <p>In an ideal world, every passkey manager would support PRF. It would allow other companies to make their services more secure by implementing end-to-end encryption, knowing that the key is securely protected.</p> <p>As an end-to-end encrypted product, 1Password would also greatly benefit. If you unlock 1Password with a passkey, this would give you the option to let 1Password handle the encryption key or to store the encryption key in another passkey manager. It’s a win-win for everyone!</p> <p>Unfortunately, this is not the world we live in today. We want to see every passkey manager adopt the PRF extension. 
This will allow applications and web services to encrypt their users’ data when they adopt passkeys. Therefore, we are leading the charge by providing our PRF implementation in our <a href="https://blog.1password.com/passkey-crates/">open-source passkey library</a>. This makes it easier for other passkey managers to provide PRF for their users.</p> <h2 id="what-does-this-mean-for-you">What does this mean for you?</h2> <p>PRF support is available now in the latest 1Password for Android beta (8.10.38) and browser extension beta (2.26.1). Our PRF support will also be available on iOS 18.</p> <p>If you’re a 1Password customer, you won’t notice any differences while using your passkeys. This change is all behind the scenes. While invisible, it increases your online security so it’s important that you’re aware of it. There&rsquo;s nothing you need to do other than update your 1Password apps.</p> <p>If you’re developing a product that could benefit from end-to-end encryption, it’s the perfect time to look into adopting passkeys along with the PRF extension. You can learn more about PRF and how our passkey unlock solution works by checking out these resources:</p> <ul> <li><a href="https://blog.1password.com/passkey-secret-key-account-security/">Unlocking 1Password with a passkey vs. 
password and Secret Key</a></li> <li><a href="https://blog.1password.com/unlock-1password-individual-passkey-beta/">Unlock 1Password with a Passkey: Now in beta</a></li> <li><a href="https://support.1password.com/passkey-security/">About the security of unlocking 1Password with a passkey</a></li> <li><a href="https://blog.millerti.me/2023/01/22/encrypting-data-in-the-browser-using-webauthn/">Encrypting data in the browser using WebAuthn</a></li> </ul></description></item><item><title>Getting to yes: How to enforce a security policy</title><link>https://blog.1password.com/how-enforce-security-policies/</link><pubDate>Wed, 17 Jul 2024 00:00:00 +0000</pubDate><author>info@1password.com (Stacey Harris)</author><guid>https://blog.1password.com/how-enforce-security-policies/</guid><description> <img src='https://blog.1password.com/posts/2024/how-enforce-security-policies/header.png' class='webfeedsFeaturedVisual' alt='Getting to yes: How to enforce a security policy' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Security and IT professionals know that keeping a business secure is no easy task.</p> <p>Finding and implementing the best solutions and keeping them up-to-date can feel like a never-ending cat-and-mouse game with unseen adversaries. But it’s no secret that one of the biggest cybersecurity risks is the employees themselves. According to <a href="https://www.verizon.com/business/resources/reports/dbir/">Verizon&rsquo;s 2024 Data Breach Investigations Report</a>, 68% of breaches involved a human element.</p> <p>People are one of the main vulnerabilities that have proven challenging to secure. 
After all, no matter how many policies you put in place, if you can’t get your team to follow the rules, it might all be for nought.</p> <img src='https://blog.1password.com/posts/2024/how-enforce-security-policies/employees-lax-security-policies.png' alt='A dial with the following statistic underneath: More than half of employees admit to being lax on their company&#39;s security policies.' title='A dial with the following statistic underneath: More than half of employees admit to being lax on their company&#39;s security policies.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>Unless noted otherwise, all the stats included in this blog post are from the <a href="https://1password.com/state-of-enterprise-security-report">2024 1Password State of Enterprise Security Report</a>.</p> <h2 id="the-human-challenge-of-cybersecurity">The human challenge of cybersecurity</h2> <p>Visibility has proven to be one of the biggest challenges to IT professionals in recent years. Where once employees were tied to a physical office where the devices and apps used were under the IT team’s purview, now work happens from any device in any location. As hybrid work and bring your own device (BYOD) became the norm for many, so did employees bringing in SaaS apps that enhance collaboration and improve productivity. Suddenly, keeping track of and protecting against potential entry points can start to feel impossible.</p> <p>More than 90% of security pros say their company security policy requires IT approval to download and use software and apps for work. But, despite having rules in place, 34% of employees are still choosing to use shadow IT – unapproved SaaS apps.</p> <p>There’s also the challenge of device management. Similar to IT security policies around app usage, organizations have also implemented security requirements asking employees to exclusively use work provided devices. 
But our research confirms that workers are still working from their own personal devices, or, even more worrying, from computers belonging to friends or family, or from public computers.</p> <img src='https://blog.1password.com/posts/2024/how-enforce-security-policies/bring-your-own-device-statistics.png' alt='Four statistics that illustrate how more employees are using personal devices at work, even when companies ask that employees only use work-provided devices.' title='Four statistics that illustrate how more employees are using personal devices at work, even when companies ask that employees only use work-provided devices.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <h2 id="the-risks">The risks</h2> <p>The risks of employees dodging these policies can’t be overstated. Workers using apps outside of the IT team&rsquo;s sight could be exposing sensitive data for both the company and customers. And, in the event of a data breach on those apps, all that information is not only exposed, but your business’ incident response plan won’t matter because you likely don’t even know the breach affects you.</p> <p>Many companies have worked hard to educate employees on why cybersecurity is important in an effort to encourage employees to make safer security choices. But with more than half of employees admitting to being lax on their company’s security policies, it might be falling on deaf ears.</p> <h2 id="why-employees-circumvent-it-security-policies">Why employees circumvent IT security policies</h2> <p>So if the risks are so high – and employees know the rules they’re meant to be following – why do they still choose to circumvent the IT security policy? 
If businesses want to improve compliance and reduce security incidents, they need to first understand why employees are finding workarounds.</p> <p>According to the <a href="https://1password.com/state-of-enterprise-security-report">2024 1Password State of Enterprise Security Report</a>, 24% of employees say they’re just trying to get things done quickly and be productive. Other reasons workers are dodging security policies include those policies being inconvenient, too stringent, or unreasonable.</p> <p>Employees clearly see information security regulations as barriers keeping them from getting their best work done. This lack of data security awareness isn’t deliberate on the employees' part – after all, they’re just trying to focus on the work they were hired for.</p> <h2 id="how-to-enforce-an-it-security-policy">How to enforce an IT security policy</h2> <p>Now that we know what’s stopping employees from following security policies, it’ll be easier to make sure your business is employing security controls that improve visibility for IT teams while also making it easier for employees to make smart security choices.</p> <p>One of the best available security measures for protecting against shadow IT is a password manager. With 61% of employees exhibiting weak password practices, it&rsquo;s a tool that can have a large impact on the overall security of your business while also improving employee productivity.</p> <img src='https://blog.1password.com/posts/2024/how-enforce-security-policies/poor-password-practices-statistic.png' alt='A visualization of the statistic: 61% of employees have poor password practices.' title='A visualization of the statistic: 61% of employees have poor password practices.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>For employees, a password manager makes signing in across apps and devices faster – letting them get to the task at hand sooner. 
It also makes sharing passwords and sensitive information with co-workers and contractors easier – helping improve collaboration across teams.</p> <p>A password management tool also encourages strong security for all apps employees use – not just the ones approved by IT teams. And it keeps all employee logins in one place – so, if an employee needs to be deprovisioned, account ownership remains with the business.</p> <p>Some password managers, like 1Password, also have reporting features that allow administrators to track actions performed by team members. For example, <a href="https://support.1password.com/activity-log/">the Activity Log in 1Password Business</a> allows administrators to see when team members view reports, set up new devices, invite guests to view items, and more.</p> <p>1Password administrators are also able to enforce an information security policy, including requiring two-factor authentication (2FA) on accounts that have that option, and having rules around password strength and complexity on employees’ 1Password accounts. Employees get to work faster, and IT teams get to make sure work is being completed in a secure environment – it’s a win-win solution.</p> <h2 id="enforcing-an-access-management-policy">Enforcing an access management policy</h2> <p>But there’s more to identity and access management (IAM) than just protecting application sign-ins. Running a risk assessment will show that device trust and access control are becoming increasingly important as more employees choose to work from personal devices.</p> <img src='https://blog.1password.com/posts/2024/how-enforce-security-policies/personal-devices-visibility-statistic.png' alt='A visualization of the statistic: 65% of security pros say that personal devices have made complete visibility into employee security habits much more elusive.' 
title='A visualization of the statistic: 65% of security pros say that personal devices have made complete visibility into employee security habits much more elusive.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p><a href="https://1passwordstatic.com/files/resources/extending-access-management-beyond-iam.pdf">Extended access management</a> moves beyond traditional IAM security tools and helps secure every sign-in, on any device, from any location – all in one place.</p> <p>Security teams looking for a solution that makes it easier to secure unmanaged applications and devices need to look no further than extended access management. It’s a non-intrusive solution that empowers employees to work in whatever way is most convenient for them, without putting the business’s security at risk.</p> <p><a href="https://1password.com/xam/extended-access-management">1Password Extended Access Management</a> – the most complete solution available – allows administrator teams to manage access permissions for all types of identities, applications, devices, and users. With comprehensive visibility, administrators can protect against most threats, including data breaches – all from a single reporting center. By making sure only trusted users on secure devices have access, and by enforcing policy and implementing identity safeguards, the risk is significantly lowered.</p> <p>We’re entering a new era of enforcing security policies – one where getting employees to say “yes” to good cybersecurity is no longer a question, but instead, it’s a given.</p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Balancing act: Security and productivity in the age of AI</h3> <p class="c-call-to-action-box__text"> Productivity and security are often in tension. 
Learn how today’s shifting landscape of hybrid work and AI has affected that tension, and how security professionals and workers are coping. </p> <a href="https://1password.com/state-of-enterprise-security-report?utm_medium=social&amp;utm_source=blog&amp;utm_campaign=annual-report-2024" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Download now </a> </div> </section></description></item><item><title>1Password product enhancements [Summer edition]: Recovery codes, auto-save, and more</title><link>https://blog.1password.com/product-update-features-and-security/</link><pubDate>Tue, 16 Jul 2024 00:00:00 +0000</pubDate><author>info@1password.com (Matt Grimes)</author><guid>https://blog.1password.com/product-update-features-and-security/</guid><description> <img src='https://blog.1password.com/posts/2024/product-update-features-and-security/header.png' class='webfeedsFeaturedVisual' alt='1Password product enhancements [Summer edition]: Recovery codes, auto-save, and more' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Since the beginning of the year, we’ve committed to enhancing your experience in ways that will help you easily accomplish whatever you set out to do when you open 1Password – especially saving, finding, and accessing your sensitive data across any of the devices you’re using.</p> <p>We’ve been listening to all of your feedback and working non-stop to address the experiences you told us could be faster, easier, or just simply better. 
This round, we’ve added improvements and new features that include finding and sharing items faster, seamless sign-in flows for 1Password, quicker logins to your online accounts, and a way to make sure you’ll never be locked out of 1Password and your data.</p> <p>Across all the latest versions of our 1Password apps and extensions, you can now expect a more streamlined experience that will not only save you time, but give you the peace of mind you need to manage the digital life you want.</p> <p>Let’s take a look at all the details of what’s new.</p> <h2 id="more-peace-of-mind">More peace of mind</h2> <p><strong>Recovery codes</strong></p> <p>Before, if you were using either 1Password Individual or 1Password Families, there was no self-recovery method to regain access to your account if you forgot your account password or lost your Secret Key. This could mean permanent loss of access to your 1Password account and any critical information you’ve stored there. Oh dear.</p> <p> <video class="round shadow" style="display: block; margin: auto; padding: 0;" autoplay="true" loop="loop" playsinline="" width="100%" alt="" controls> <source src="https://blog.1password.com/posts/2024/product-update-features-and-security/Recovery%20Codes1.mp4" type="video/mp4" /> </video> </p> <p>Now, we’ve introduced recovery codes so you will always have a streamlined and secure self-recovery method. You can easily create, replace, or delete a recovery code at any time through 1Password.com or the 1Password mobile and desktop apps. 
Not only does this put you in complete control of your account and data, but you can rest assured that even in a worst case scenario, you can still regain access to your 1Password account.</p> <h2 id="more-time-saved">More time saved</h2> <p><strong>Logins and credit cards are now autosaved</strong></p> <p><strong>Logins</strong>: When signing up for a new account or logging into an account you hadn’t yet stored in 1Password, you used to be prompted to save the login credentials before you successfully authenticated. If anything went wrong, like entering the wrong password or not meeting the password requirements, you couldn’t easily update the new password for the online account while also successfully updating and saving it in 1Password. Frustrating!</p> <p>Now, if you haven’t stored a username and password in 1Password, the next time you enter those credentials and successfully sign into the account, you’ll enjoy a much smoother experience. Once you log in, 1Password will now automatically show you a prompt asking if you’d like to save the credentials in 1Password. Plus, you can also choose your preferred vault to store the login, customize the details before saving, and even update existing logins.</p> <p> <video class="round shadow" style="display: block; margin: auto; padding: 0;" autoplay="true" loop="loop" playsinline="" width="100%" alt="" controls> <source src="https://blog.1password.com/posts/2024/product-update-features-and-security/Autosave1.mp4" type="video/mp4" /> </video> </p> <p><strong>Credit cards</strong>: There was also a similar situation when it came to credit cards. If you wanted to use a credit card that wasn’t yet stored in 1Password, after you typed in the information, 1Password didn’t automatically offer to save it. You’d either have to manually save it yourself, or just type in the credit card details every time you wanted to use it. 
This might be a good thing if you’re trying to curb your online shopping, but it’s certainly not convenient!</p> <p>Now, just like logins, after you successfully submit a form, 1Password will ask if you’d like to save your credit card details if they aren’t already stored, and you’ll have the option to edit the new item or an existing one, like an expired credit card you had saved. Let the online shopping begin.</p> <p><strong>Streamlined sign-in to 1Password on the mobile and desktop apps</strong></p> <p>Previously, when you visited the sign-in page of the 1Password mobile and desktop apps, you had six different sign-in options to choose from. You had to pick the right sign-in method from options like password, passkey, or SSO (Single Sign-On) before you could log in. Talk about decision fatigue.</p> <img src='https://blog.1password.com/posts/2024/product-update-features-and-security/signin.png' alt='A prompt to sign in to 1Password with your email address.' title='A prompt to sign in to 1Password with your email address.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>Now, we’ve streamlined the sign-in experience to avoid any confusion, so you won’t be overwhelmed with the options or have to deal with accidentally choosing the wrong sign-in method. From now on, you’ll be asked to enter your email address. Based on your email, 1Password will automatically identify the right sign-in method (password, passkey, or SSO) for you and guide you to the next screen.</p> <p><strong>Improved 1Password icon in form fields</strong></p> <p>Sometimes, it wasn’t obvious you could click the 1Password icon to autofill form fields, or it got obstructed behind a popup, dropdown, or another icon. 
It was starting to feel like a video game where you had to beat the form field boss to get to the next level.</p> <img src='https://blog.1password.com/posts/2024/product-update-features-and-security/icon.png' alt='A sign-in screen highlighting the 1Password icon in the username form field.' title='A sign-in screen highlighting the 1Password icon in the username form field.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>Now, we’ve introduced some sleek animations to give you valuable cues about the status of 1Password, and it’s easier to identify clickable elements of the icon. Plus, instead of seeing a dropdown blocking the form fields when 1Password had no items stored for a specific site, you’ll instead get new handy and helpful popups that won’t get in your way. Now you can seamlessly log in without jumping through hoops!</p> <p><strong>Automatically progress through sign-in flows with autosubmit</strong></p> <p>In the past, when you went to a website and selected the option to autofill login credentials in the username and password fields, you were often required to hit “Enter” afterwards – meaning you had to manually submit the credentials that 1Password just autofilled. On some sites, you even had to manually progress through multi-page authentication steps, like having to enter a two-factor authentication code or one-time password. Let’s face it; sometimes, you’re just tired of moving your hands.</p> <p> <video class="round shadow" style="display: block; margin: auto; padding: 0;" autoplay="true" loop="loop" playsinline="" width="100%" alt="" controls> <source src="https://blog.1password.com/posts/2024/product-update-features-and-security/Autosubmit1.mp4" type="video/mp4" /> </video> </p> <p>Now, when you autofill one of your logins, 1Password will automatically hit submit for you and progress you through the sign-in experience, no matter how many pesky steps there are in the process. 
No hands!</p> <p><strong>Scan a QR code to set up 1Password on a new device (Beta)</strong></p> <p>Currently, when setting up 1Password on a new device, you have to enter your credentials manually, including your very secure and very long Secret Key that looks something like this: <strong>A3F8J-K2L5Q-7X9ZT-V5B1P-N6Y4D</strong>. Ahh! Alternatively, you can scan a QR code that only pre-fills the Secret Key, meaning you escape all that typing, but you still need to manually enter your account password. This is an error-prone and tedious process, especially with how many devices we tend to have these days.</p> <p> <video class="round shadow" style="display: block; margin: auto; padding: 0;" autoplay="true" loop="loop" playsinline="" width="100%" alt="" controls> <source src="https://blog.1password.com/posts/2024/product-update-features-and-security/QR%20Codes1.mp4" type="video/mp4" /> </video> </p> <p>Now in beta, you can sign in to 1Password on a new device with a single scan of a QR code. No more passwords, email addresses, or Secret Key – and this scan works bidirectionally, meaning either the already-signed-in device or the new device can initiate the process. Even better? This new functionality isn’t just convenient, it’s incredibly secure. When you scan the QR code, 1Password sets up an encrypted channel between your devices. It uses this channel to sign you in without asking for your credentials. The code itself is temporary and does not contain any secrets, so it’s resistant to screenshots and over-the-shoulder scans.</p> <h2 id="quicker-results">Quicker results</h2> <p><strong>Search for terms in your secure notes</strong></p> <p>Previously, there was no functionality to search your secure notes for specific terms. For those who rely heavily on secure notes for storing important information, having to look through lengthy notes in search of one or two terms was time consuming and frustrating. 
Nobody wants to spend all their time scrolling.</p> <p> <video class="round shadow" style="display: block; margin: auto; padding: 0;" autoplay="true" loop="loop" playsinline="" width="100%" alt="" controls> <source src="https://blog.1password.com/posts/2024/product-update-features-and-security/Secure%20Notes1.mp4" type="video/mp4" /> </video> </p> <p>Now, when you enter a search term into the search bar, 1Password will highlight those terms found in secure notes within the search results, so you can see where your search terms appear more clearly. No more endless scrolling or using insecure workarounds that could put your data at risk.</p> <p><strong>Get helpful suggestions on who to share items with</strong></p> <p>Before, if you wanted to share an item in 1Password with someone, you had to manually enter their email address. This was time consuming, and could also lead to errors if you got the email wrong. Plus, you also had to navigate through to another screen to generate the secure sharing link, and it wasn&rsquo;t automatically added to the clipboard. That’s too much work to simply share the Wi-Fi password!</p> <p>Now, when you select the option to share an item, the next step is simple: just copy the secure sharing link, and it will be instantly accessible and saved to your clipboard. On top of that, we&rsquo;ve introduced a new feature – when you start typing the name or email of the intended recipient, 1Password intuitively identifies and suggests relevant options from your recent contacts or other people in your 1Password account.</p> <p> <video class="round shadow" style="display: block; margin: auto; padding: 0;" autoplay="true" loop="loop" playsinline="" width="100%" alt="" controls> <source src="https://blog.1password.com/posts/2024/product-update-features-and-security/Sharing1.mp4" type="video/mp4" /> </video> </p> <p>This means sharing items in 1Password with as many people as you&rsquo;d like can be done twice as fast. 
Since these enhancements went live, our customers are sharing more than ever before! Quickly and effortlessly sharing items, but also never compromising your security by sending a password via text? You&rsquo;re going to be a speedy security superstar.</p> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div class="c-technical-aside-box__description"> <p>All features are available on the latest versions of 1Password for <a href="https://apps.microsoft.com/detail/xp99c9g0krdz27?hl=en-us&amp;gl=CA">Windows</a>, <a href="https://1password.com/downloads/mac/">Mac</a>, <a href="https://1password.com/downloads/linux/">Linux</a>, <a href="https://apps.apple.com/app/id1511601750?mt=8">iOS</a>, <a href="https://play.google.com/store/apps/details?id=com.onepassword.android">Android</a>, and 1Password browser extensions (<a href="https://1password.com/downloads/browser-extension/">Microsoft Edge, Chrome, Firefox, Safari, and Brave</a>) unless otherwise specified. If you’d like to learn even more about what’s new with the updates we’ve made, <a href="https://releases.1password.com/">check out our release notes for all the details</a>.</p> </div> </aside> <h2 id="you-help-shape-1password">You help shape 1Password</h2> <p>Your feedback means the world to us. It&rsquo;s thanks to you that we&rsquo;ve been able to make so many enhancements, and we&rsquo;re excited for the ones yet to come. Keep sharing your thoughts with us – <a href="https://1password.community/">we’re always listening</a>.</p> <p>We&rsquo;ll never stop striving to make 1Password a tool that simplifies your digital life while making security easy. 
With flexible <a href="https://1password.com/business-pricing">subscriptions</a> tailored to your needs, you can protect <a href="https://1password.com/personal">yourself</a>, your <a href="https://1password.com/business">business</a>, or even an entire <a href="https://1password.com/enterprise">enterprise</a> with the most reliable password manager out there.</p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Ready to protect yourself?</h3> <p class="c-call-to-action-box__text"> Keep all of your accounts secure with 1Password, the world’s most-trusted password manager. Get started today with a free 14-day trial. </p> <a href="https://1password.com/pricing/" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Try free for 14 days </a> </div> </section></description></item><item><title>1Password’s back-to-school tips for parents in a digital world</title><link>https://blog.1password.com/getting-started-students-and-families/</link><pubDate>Thu, 11 Jul 2024 00:00:00 +0000</pubDate><author>info@1password.com (1Password)</author><guid>https://blog.1password.com/getting-started-students-and-families/</guid><description> <img src='https://blog.1password.com/posts/2024/getting-started-students-and-families/header.png' class='webfeedsFeaturedVisual' alt='1Password’s back-to-school tips for parents in a digital world' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">We’ve all been there. Summer starts to fly by and before you know it, it’s new supplies, textbooks, school portals, class schedules, extra-curriculars, and more. 
The horror!</p> <p>Whether you’re a parent getting the kids ready to go or you’re a kid dreading the end of the break, heading back to school (and making it through the year) can be a stressful time. Fortunately, when it comes to giving you a leg up, 1Password is in a class of its own.</p> <p>We’re sharing our favorite back-to-school online security tips for parents, beginners and pros alike, that will help keep your family safe, while you stay stress-free.</p> <p>When you take on these tips, you’ll set up both you and your kids for a simpler and easier back-to-school season every year – all while creating habits that will keep your family safer in the long term.</p> <h2 id="talk-to-your-kids-about-online-security">Talk to your kids about online security</h2> <p>Your kids are probably pretty tech-savvy, but that doesn’t mean they’re security savvy.</p> <p>Around <a href="https://1password.com/resources/the-family-password-paradigm/">40 percent of parents</a> talk about online security with their preschool children (ages 3-4), so you don’t have to worry if it&rsquo;s too early for a chat. If they’re already going to school, using computers, or watching things on your iPad or another tablet, they’re <a href="https://blog.1password.com/talking-to-kids-online-safety/">ready to learn about online safety</a>.</p> <p>For this talk, start by educating yourself on the <a href="https://blog.1password.com/talking-to-kids-online-safety/">best cybersecurity practices</a> and stay informed about the latest online trends that interest young people – these trends are constantly evolving along with their associated risks. You don’t have to scare them away from technology but rather set them up for success with knowledge and preparation.</p> <p>Remember, it’s also important to lead by example. 
When you follow your own advice, your kids are more likely to do the same.</p> <h2 id="make-strong-passwords-a-habit-now">Make strong passwords a habit now</h2> <p>If you use a password manager with a family account option like <a href="https://support.1password.com/explore/personal/">1Password Families</a>, your kids can use the built-in <a href="https://1password.com/password-generator/">password generator</a> to easily create strong passwords for accounts that you can keep an eye on. Plus, you won’t have to worry about them struggling to type out any complex passwords.</p> <img src='https://blog.1password.com/posts/2024/getting-started-students-and-families/passwordhabit.png' alt='The 1Password app showing the option to generate a strong, unique password.' title='The 1Password app showing the option to generate a strong, unique password.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>To make logging in even easier, they can also use the autofill functionality to automatically fill passwords on any of their devices, including iPhones, iPads, and Androids, as well as with 1Password’s browser extension on web browsers like Microsoft Edge, Chrome, Firefox, and Safari.</p> <h2 id="start-encouraging-other-online-security-habits">Start encouraging other online security habits</h2> <p>Along with strong passwords, you can also start encouraging some other new habits, like:</p> <ul> <li><strong>New device setup</strong>: Whenever your family gets a new device, they should immediately install their password manager so they can not only stay safe, but easily login to any of their apps and accounts. 
With a password manager like 1Password, all of their important data will sync seamlessly onto their new device regardless of operating system or browser so they can get started right away.</li> <li><strong>Two-factor authentication</strong>: The use of <a href="https://blog.1password.com/password-manager/#what-is-two-factor-authentication">two-factor authentication (2FA)</a> for a second layer of security will protect accounts from criminals if they have somehow managed to find or guess one of your passwords. Many password managers like 1Password will notify you of which sites offer 2FA.</li> <li><strong>Locked devices</strong>: Show your kids how to lock their devices, whether via PIN or biometrics, and remind them that they should never leave a device unattended – especially if it’s unlocked. You can store their PIN or password in a password manager like 1Password in case they forget it.</li> <li><strong>Trusted users</strong>: Go over who, if anyone, should have access to their accounts, like parents, siblings, or teachers. Remind them to never share their passwords or accounts with anyone, even friends, unless they’ve checked with you first.</li> </ul> <p>Helping your kids learn these kinds of online habits until they’ve become second nature will keep them safe in a very digital world. Using a password manager is a great way to start instilling these habits and making them easier to stick with. <a href="https://support.1password.com/explore/personal/">1Password Families</a> lets anyone, even kids, create and remember strong, unique passwords for all their accounts – both personal and shared.</p> <p>With 1Password, you can <a href="https://blog.1password.com/family-organizer-tips/">oversee your family’s shared passwords</a> and manage who has access to them. 
You can also help recover accounts if your kids are ever locked out, and quickly update any passwords that have appeared in data breaches.</p> <p>You can also share important items like emergency credit cards, secure notes, important phone numbers, and anything else you can think of that would be great to have in one place, easily accessible by the whole family.</p> <img src='https://blog.1password.com/posts/2024/getting-started-students-and-families/gate.png' alt='A secure note in the 1Password app sharing the gate code for a home.' title='A secure note in the 1Password app sharing the gate code for a home.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div class="c-technical-aside-box__description"> <p>💡 Syncing seamlessly across all your devices, 1Password is available on <a href="https://apps.microsoft.com/detail/xp99c9g0krdz27?hl=en-us&amp;gl=CA">Windows</a>, <a href="https://1password.com/downloads/mac/">Mac</a>, <a href="https://1password.com/downloads/linux/">Linux</a>, <a href="https://apps.apple.com/app/id1511601750?mt=8">iOS</a>, and <a href="https://play.google.com/store/apps/details?id=com.onepassword.android">Android</a>, and on web browsers through the 1Password browser extensions (<a href="https://1password.com/downloads/browser-extension/">Microsoft Edge, Chrome, Firefox, Safari, and Brave</a>).</p> </div> </aside> <h2 id="keep-an-eye-out-for-back-to-school-scams">Keep an eye out for back-to-school scams</h2> <p>Scams can happen any time, but the back-to-school season in particular offers cybercriminals a chance to take advantage of back-to-school shopping needs, overwhelmed parents, and unsuspecting kids. 
Some examples include:</p> <ul> <li> <p><strong>Phishing</strong>: Criminals may send emails posing as an educational institution asking you to log in to a fake site to steal credentials, or they can use social media to promote fake school shopping deals leading you to fraudulent websites. Avoid clicking any suspicious links and stay away from any unsolicited deals and offers unless you are certain of their legitimacy.</p> </li> <li> <p><strong>Shopping scams</strong>: Scammers can create fake websites full of enticing deals for school supplies, uniforms, devices, and more, all in an effort to get you to pay for an item that doesn’t exist, or to collect your sensitive data. If you were sent a link to click, instead visit the website yourself to confirm you’re on the real version before signing in or buying anything.</p> </li> <li> <p><strong>Loan scams</strong>: Criminals may pose as loan providers or government agencies offering loan forgiveness, grants, or even scholarships that do not exist. They may try to pressure you into making immediate payments over the phone or try to get your personal information online. If you are interested in an offer, pause to research the institution and reach out yourself via phone or email to confirm what your options are.</p> </li> </ul> <p>Ultimately, try to stay skeptical – if something sounds too good to be true, it probably is. If it is real, a little bit of extra work to confirm that is worth it.</p> <h2 id="consider-the-schools-role-in-your-childs-online-security">Consider the school’s role in your child’s online security</h2> <p>Every school is different, so it’s worth putting in the time to find out what policies or processes your child’s school has in place when it comes to online security. Here are some questions to consider:</p> <ul> <li>Is the school providing a device? Who has access to it? Is it kept at the school exclusively or can they bring it home? Can you change the password to unlock it? 
Can you add your own apps, like a password manager?</li> <li>Can you change the passwords provided by the school for any online accounts, like school or parent portals? If not, why? Who else has access to the accounts?</li> <li>Do they provide tools for special education needs? How are additional tools secured?</li> </ul> <img src='https://blog.1password.com/posts/2024/getting-started-students-and-families/portal.png' alt='The 1Password app showing a saved item to log in to a school portal website.' title='The 1Password app showing a saved item to log in to a school portal website.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>Do your best to create a partnership with your child’s school when it comes to the online aspect of their education.</p> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div class="c-technical-aside-box__description"> <p>💡 Are you a teacher looking for ways to keep your students safer? Read <a href="https://blog.1password.com/schools-colleges-password-manager/">Why schools and colleges should invest in a password manager</a> to help get you started.</p> </div> </aside> <h2 id="have-the-social-media-talk">Have the social media talk</h2> <p>However you personally feel about social media, or even if you’re not planning on letting your children use it, it’s worth having this chat.</p> <p>You can start off by explaining what a digital footprint is – let your kids know that they shouldn’t share something if they aren’t comfortable with everyone they know, along with everyone in the world, being able to see it. 
Tell them to always take a moment before posting to consider the consequences – are they posting something embarrassing, unintentionally offensive, or too personal?</p> <p>It doesn’t have to be about <em>never</em> posting, but instead about <em>thinking</em> before posting.</p> <p>For much younger children, keep an eye on their usage and limit their posts to “friends only.” Adding something like “Monitored by a parent” to the account bio can help ward off anyone looking for easy prey.</p> <p>It’s okay to give them some autonomy, so go over what they should consider when they accept friends and followers, like if they know them in person, if it’s someone they want to see their personal details, or if it makes sense that the person behind the account reaching out would want to befriend a child. You can also show them how to block and report users who send suspicious or inappropriate messages and remind them that they can always come to you for help on what to do.</p> <img src='https://blog.1password.com/posts/2024/getting-started-students-and-families/social.png' alt='The 1Password app showing the login for a TikTok account.' title='The 1Password app showing the login for a TikTok account.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>Currently, the reality is that social media is just a part of life.</p> <p>Your kids will want to be a part of that, and they will use social media for fun, entertainment, and even a form of expression – whether you know about it or not. Think back to your younger days. Is there something you got away with that your parents <em>still</em> don’t know about? Kids will be kids, and they’ll find a way, so equip them to use it safely, ideally with your guidance and support.</p> <h2 id="do-future-you-a-favor-and-make-regular-backups">Do future-you a favor and make regular backups</h2> <p>Make regular backups of anything school-related, including homework, projects, report cards, or even class photos. 
When they’re old enough, they can start making these backups themselves and turn this into a habit. There’s no rule on how frequent backups should be, but consider how often the device is used, what’s stored on it, and the consequences should that data be lost. Of course, the more important the data, the more often you should back up.</p> <p>One day, when all of your kid’s data is gone because of a hardware problem or a corrupted file, you won’t be too worried. You’ve been making regular backups for a long time, so future-you will just be thanking present-you for being so prepared and saving the day.</p> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div class="c-technical-aside-box__description"> <p>💡 Is your child heading to college or university? Check out our blog, <a href="https://blog.1password.com/why-students-1password-university/">Why you should start using 1Password at university</a>, and get tips from students using 1Password themselves.</p> </div> </aside> <h2 id="always-keep-apps-software-and-operating-systems-up-to-date">Always keep apps, software, and operating systems up to date</h2> <p>Hackers look for easy ways to access sensitive information. Not updating software is like leaving your front door open for anyone to wander in.</p> <p>Why? Because software developers are always fixing security issues and releasing these fixes in updates, so if you don&rsquo;t keep your software updated, your family is at risk of new threats. Regular updates help close these security gaps, making it harder for hackers to get any data. To make these updates convenient, many systems have automatic updates. Turn this feature on wherever you can so you can easily keep your kids protected without any extra effort.</p> <h2 id="give-them-tips-on-staying-digitally-organized">Give them tips on staying digitally organized</h2> <p>Showing your kids how to keep their digital lives organized doesn’t just make things simpler, but it also keeps them safer. 
A digital declutter can make it easier to spot phishing emails and help you delete old accounts that can get caught up in breaches. Here are a couple of tips to get started with:</p> <ul> <li>Delete apps and uninstall programs you don’t use anymore.</li> <li>Delete old emails and unsubscribe from mailing lists you no longer care about. If you enjoy subscribing to your favorite brands or newsletters but don’t want your inbox getting messy, create rules or filters to send those emails to separate folders.</li> <li>Delete accounts you no longer use.</li> <li>Set a reminder to clear your cookies and browsing history on a regular basis.</li> <li>Create folders to save and organize different file types.</li> <li>Name your files clearly for simple searching.</li> <li>Empty the trash folder.</li> </ul> <p>For more tips, read <strong><a href="https://blog.1password.com/secure-yourself-digital-declutter-checklist/">Secure yourself with our digital declutter checklist.</a></strong></p> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div class="c-technical-aside-box__description"> <p>💡 Is your child studying to become a developer one day? Students can now get a free year of 1Password with the <a href="https://blog.1password.com/github-student-developer-pack/">GitHub Student Developer Pack</a> to jump-start their careers in software development.</p> </div> </aside> <h2 id="a-kids-with-a-parents">A+ kids with A+ parents</h2> <p>Back-to-school season has always been hectic, but also throwing in the need to guide your kids through digital security at home and at school can feel like a tall order.</p> <p>You already know you have to keep your kids safe online, and that need grows more and more with each return to school. You have to juggle different devices and different accounts, passwords, codes, notes, and more. It’s exhausting! 
So how do you tackle this part of the problem?</p> <p>By streamlining how you manage your and your family&rsquo;s digital identities with 1Password. Taking this approach lets you start preparing your kids for both the new school year and the online world – all while taking control of your household’s security.</p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Ready to protect yourself?</h3> <p class="c-call-to-action-box__text"> Keep all of your accounts secure with 1Password, the world’s most-trusted password manager. Get started today with a free 14-day trial. </p> <a href="https://1password.com/pricing/" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Try free for 14 days </a> </div> </section></description></item><item><title>1Password sponsors the 2024 Presidents Cup</title><link>https://blog.1password.com/1password-sponsors-presidents-cup/</link><pubDate>Tue, 09 Jul 2024 00:00:00 +0000</pubDate><author>info@1password.com (Melton Littlepage)</author><guid>https://blog.1password.com/1password-sponsors-presidents-cup/</guid><description> <img src='https://blog.1password.com/posts/2024/1password-sponsors-presidents-cup/header.png' class='webfeedsFeaturedVisual' alt='1Password sponsors the 2024 Presidents Cup' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">There are moments when stars seem to align, and incredible opportunities present themselves.</p> <p>This is one such moment. Today, we’re proud to announce that 1Password is a global partner of the 2024 Presidents Cup in Montreal, Quebec, Canada.</p> <h2 id="why-sponsor-the-presidents-cup">Why sponsor the Presidents Cup?</h2> <p>Since our founding, a major cultural value of 1Password is putting people first. 
When the opportunity presented itself to work with the PGA Tour and sponsor the Presidents Cup, it was evident that we had shared values. Like 1Password, the PGA Tour focuses on giving back and supporting the local communities that host each professional golf tournament. The PGA Tour has donated more than $3.93B to local charities where events take place.</p> <img src="https://blog.1password.com/posts/2024/1password-sponsors-presidents-cup/presidents_cup.png" alt="The Presidents Cup trophy" title="The Presidents Cup trophy" class="c-featured-image"/> <p>That brings us to the Presidents Cup. The Presidents Cup is a global team competition between elite golfers from the United States and internationally (minus Europe). The 2024 Presidents Cup takes place in Montreal, presenting 1Password with a rare opportunity as we are a Canadian-founded company. When considering the combination of shared values, sponsoring an event in our backyard, and the unique structure of the Presidents Cup – there is no prize or purse, and participants play for charity – clearly the stars had aligned.</p> <h2 id="golf-security-and-the-pursuit-of-excellence">Golf, security, and the pursuit of excellence</h2> <p>As we explored the partnership, it became increasingly apparent that golf and cybersecurity are disciplines that require shared traits: developing good habits, excellence with ease, and risk management. These traits are necessary to play golf at an elite level, and the same goes for cybersecurity.</p> <ul> <li><strong>Develop good habits</strong> – In golf, you must develop the right habits in order to succeed – things like ensuring proper posture, having the right grip, and following through. 
Cybersecurity is similar in that you must develop the right habits to be secure, such as using strong passwords, embracing multi-factor authentication (MFA), or enabling employees to securely use the tools they need.</li> <li><strong>Excellence with ease</strong> – Playing golf at an elite level requires consistent practice, determination, and resilience to be productive – and make every swing look easy. Cybersecurity also requires determination, resilience, and a commitment to security – luckily, the best tools provide that excellence for you while making security easier in the process.</li> <li><strong>Risk management</strong> – Professional golfers need to think strategically and calculate the risk and rewards of every shot while assessing distance, trajectory, and shape of their shot. And in the case that things don’t go well, they must adapt accordingly. Similarly, people and businesses must decide how to balance productivity and security in the modern ways we work.</li> </ul> <h2 id="welcome-mackenzie-hughes-to-the-1password-family">Welcome Mackenzie Hughes to the 1Password family</h2> <p>In addition to sponsoring the Presidents Cup, we’re excited about our partnership agreement with professional golfer and PGA Tour member <a href="https://www.pgatour.com/player/35506/mackenzie-hughes">Mackenzie Hughes</a>. Mac is a native Canadian and has played on the PGA Tour since 2016, having won the 2016 RSM Classic and the 2022 Sanderson Farms Championship. As you’re watching future tournaments, you’ll notice Mac sporting the 1Password logo displayed proudly on his shirt.</p> <img src='https://blog.1password.com/posts/2024/1password-sponsors-presidents-cup/mackenzie_hughes.jpg' alt='Professional golfer Mackenzie Hughes (left) and Blake Brandon of 1Password (right).' title='Professional golfer Mackenzie Hughes (left) and Blake Brandon of 1Password (right).' 
style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <blockquote> <p>“As a Canadian athlete, it’s an honour to be sponsored by an industry-leading Canadian brand that’s committed to putting people first and giving back to its community. Excelling in golf requires strategic thinking, adaptability, and resilience, and 1Password has done the same in cybersecurity – giving me peace of mind that my sensitive information is kept secure, whether on the course or at home.” – <strong>Mackenzie Hughes, professional golfer</strong></p> </blockquote> <h2 id="shining-a-global-spotlight-on-the-importance-of-good-cybersecurity-practices">Shining a global spotlight on the importance of good cybersecurity practices</h2> <p>With the sponsorship, 1Password joins the ranks of some of the best and most valuable global brands, such as Accenture, BMW, Coca-Cola, FedEx, and Mastercard, who are also proud sponsors of PGA Tour events. In addition to being in such esteemed company sponsoring golf, the Presidents Cup also provides a unique opportunity to bring broader awareness to cybersecurity challenges that businesses, individuals, and families face every day. We’re excited to partner with the Presidents Cup as a platform for helping every internet user gain an upper hand over bad actors.</p> <p>As you can see, we’re thrilled to be a global partner of the Presidents Cup along with Rolex and Cognizant. Be sure to tune into the 15th Presidents Cup on September 24th through the 29th. You know we will be. 
⛳</p></description></item><item><title>Why there's no such thing as MDM for Linux, and what to do about it</title><link>https://blog.1password.com/no-mdm-for-linux/</link><pubDate>Mon, 08 Jul 2024 00:00:00 +0000</pubDate><author>info@1password.com (Elaine Atwell)</author><guid>https://blog.1password.com/no-mdm-for-linux/</guid><description> <img src='https://blog.1password.com/posts/2024/no-mdm-for-linux/header.png' class='webfeedsFeaturedVisual' alt='Why there's no such thing as MDM for Linux, and what to do about it' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">If you want to make Google tongue-tied, search for &lsquo;MDM for Linux.&rsquo;</p> <p>At first glance, you&rsquo;ll find a few vendors who claim to offer device management software for Linux devices (usually as an afterthought to round out their solutions for Mac and Windows). But look closer and you&rsquo;ll quickly realize that none of these solutions are really MDMs, and none of them will let an IT admin provide endpoint security in the way they&rsquo;re used to.</p> <p>The absence of an MDM for Linux is a real problem if you&rsquo;re trying to get your entire fleet of devices aligned to the same standard–for instance, if you&rsquo;re trying to pass a third-party compliance audit. It&rsquo;s also just a black eye on your security program when you have no visibility or way to enforce policy on some of your highest-risk devices.</p> <p>So why isn&rsquo;t there a Linux MDM? And what are you supposed to do now?</p> <p>Let us explain.</p> <h2 id="why-linux-mdms-dont-exist">Why Linux MDMs don&rsquo;t exist</h2> <p><a href="https://blog.1password.com/pros-and-cons-of-mdms/">MDM (Mobile Device Management) solutions</a> are the most common–and the most aggressive–form of device management. 
(It&rsquo;s also important to note that &ldquo;MDM&rdquo; and &ldquo;device management&rdquo; are not synonymous, but we&rsquo;ll get into that more later.)</p> <p>MDMs give IT teams nearly total control over Android and iOS mobile devices and Mac and Windows PCs, and allow admins to apply policies that the user cannot alter. The MDM approach is about graying out check boxes, installing and uninstalling apps, and being able to remotely read, update, lock, or wipe a device.</p> <p>But that approach is antithetical both to Linux as a technology, and Linux users as individuals. We&rsquo;ll talk about the technology side first.</p> <h3 id="mdms-are-incompatible-with-linux-design">MDMs are incompatible with Linux design</h3> <p>If you&rsquo;ve ever dabbled with Linux, you know it isn&rsquo;t a single, standardized operating system, like the ones produced by Microsoft or Apple. The only thing all Linux devices have in common is the Linux kernel, on top of which Linux users can run anything they want.</p> <img src='https://blog.1password.com/posts/2024/no-mdm-for-linux/slot-machine.png' alt='A slot machine graphic of Linux distros.' title='A slot machine graphic of Linux distros.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>Linux distros have default choices for things like the desktop environment or the firewall, but that doesn&rsquo;t mean the user will keep those choices. This makes MDM-style device management incompatible with Linux.</p> <p>Even within the two primary flavors of Debian-based Linux (which includes Ubuntu) and RPM-based Linux (which includes Red Hat and CentOS)–there&rsquo;s nearly infinite variation from one user to the next.</p> <p>No MDM solution can account for this level of customization. And since end user control is baked into Linux at every level, the user can reject any outside interference. 
For example, you can write a shell script for Linux demanding that the firewall is turned on; but unlike with the other operating systems, the user can uninstall it as they please.</p> <p>As we mentioned earlier, there are tools that claim to provide Linux device management, but they only work on a very finite subset of systems. So what claims to be a tool for Linux turns out to only work if the system runs on Ubuntu, is using the Gnome window manager, etc.</p> <p>And if you try to enforce that level of conformity on devices so they&rsquo;re compatible with these tools, then you have misunderstood the Linux user.</p> <h3 id="mdms-are-incompatible-with-linux-users">MDMs are incompatible with Linux users</h3> <p>You can&rsquo;t solve the problem of endpoint security for Linux devices until you understand the psyche of the Linux community.</p> <p>Linux users have long had an aura of mystique–kind of a mix of punk rockers and warrior monks. That&rsquo;s because, even for developers, using Linux is hard. A user has to have a lot of technical skill for Linux&rsquo;s value to offset its inconvenience.</p> <p>Non-Linux users often assume that people gravitate to this challenging operating system simply to be contrarian or avoid oversight. But they&rsquo;re wrong. Linux users are driven by the belief that <a href="http://fringe.davesource.com/Fringe/Computers/Linux/Manifesto.txt">free software</a> is important, and that it&rsquo;s crucial for individuals to have a say over what their computers do. That&rsquo;s an important perspective that shouldn&rsquo;t be lost in a world where devices are locked down by the vendors who sell them and by the organizations who provision them to their employees.</p> <p>Linux users are hackers in the original sense of the term; they value the freedom to control their experience. 
If you force MDM enrollment on them they may just quit, and your company will likely lose some of its brightest and most original thinkers.</p> <p>The other option is that a Linux user <em>pretends</em> to accept MDM enrollment on their company-issued Mac or Windows laptop, but actually does all their work on their personal Linux computer. And that scenario is very risky, because Linux users may be highly capable, but <a href="https://www.kolide.com/features/checks/ubuntu-unattended-upgrades">they&rsquo;re not infallible</a>, and you still need visibility into their devices to maintain security.</p> <h2 id="linux-device-management-options">Linux device management options</h2> <p>We&rsquo;ve established that you&rsquo;ll never have the same inexpensive, easy-to-deploy MDM for Linux endpoints as you do for the rest of your fleet. We&rsquo;ve also explained the problems with trying to standardize Linux devices, or forcing Linux users onto another operating system.</p> <p>Once you&rsquo;ve eliminated those choices, only three real options remain.</p> <h3 id="option-one-do-nothing">Option one: Do nothing</h3> <p>This might seem like a joke, but for a long time, doing nothing was the dominant strategy for Linux device management. IT teams basically trusted that Linux users were technically sophisticated enough to protect their own devices, and allowed them to work without oversight or observation.</p> <p>And here&rsquo;s the thing: they weren&rsquo;t entirely wrong. Linux isn&rsquo;t free from vulnerabilities, but Linux endpoints are much less vulnerable to commodity malware or ransomware attacks than Mac or Windows devices, or even Android or iOS. The same customizability that throws off MDMs also makes Linux laptops an unappealing target for hackers, who usually seek the path of least resistance.</p> <p>Unfortunately, while you may have been able to get away with this approach in the past, &ldquo;do nothing and hope for the best&rdquo; is no longer a viable option. 
For one thing, visibility into all devices is now mandatory in order to pass third-party audits like SOC 2.</p> <p>Likewise, your customers, investors, and leaders simply won&rsquo;t accept that some of the most high-risk devices in your fleet are functionally invisible. And they&rsquo;re right to object, because if a Linux device is compromised, it can be disastrous.</p> <blockquote> <p>Linux users deal with the most valuable data in your fleet, but ironically, they have the least amount of scrutiny applied to their devices.</p> </blockquote> <p>Linux users often hold the <a href="https://www.kolide.com/features/checks/unencrypted-ssh-keys">keys to the kingdom</a> on their laptops: intellectual property, production environments, and access to other servers.</p> <p>For a hacker looking to exfiltrate IP or customer data, Linux users are an appealing target. And just like any user, they sometimes need to be reminded to do the things that will keep their device secure, like enabling the firewall and turning on screen lock.</p> <h3 id="option-two-do-it-yourself">Option two: Do it yourself</h3> <p>While the concept of a Linux MDM solution is fundamentally impossible, achieving visibility is not. There are a couple of options for admins and IT teams to achieve this in-house.</p> <p>The first general approach is to treat Linux device management like Linux server management, which is relatively straightforward. But, as many IT admins have learned the hard way, you can&rsquo;t manage Linux laptops like servers, because there&rsquo;s a human user there.</p> <p>On servers, products like <a href="https://www.ansible.com/">Ansible</a> or <a href="https://puppet.com/">Puppet</a> are good choices because most of the servers you interact with remotely are standardized and in an expected state when you run scripts/commands on them. By contrast, end user devices are anything but standard, by design. 
It&rsquo;s impractical (maybe even impossible) to build robust script automations that don&rsquo;t risk creating unintended consequences due to a modification a user made to their device.</p> <p>You can theoretically use the same products you use for servers to run commands across multiple Linux laptops, but it&rsquo;s up to you to write the scripts and code to suit your use case.</p> <p>The second option for getting visibility is a tool like <a href="https://www.kolide.com/blog/osquery-under-the-hood">osquery</a>, an open source project that lets you run queries across your entire fleet. Osquery can surface a lot of useful data about Linux devices, but it stops at visibility. When it comes to troubleshooting or remediating issues, you&rsquo;re on your own.</p> <p>The overarching problem with any DIY approach is that <a href="https://www.kolide.com/blog/buying-kolide-vs-building-your-own-osquery-solution">it isn&rsquo;t economical</a>. Linux users typically make up a tiny fraction of a workforce, so it doesn&rsquo;t make financial sense to spend significant time and effort just to allow a handful of people to keep using the computer they want to use.</p> <h3 id="option-three-make-linux-users-your-allies">Option three: Make Linux users your allies</h3> <p>Every solution we&rsquo;ve covered so far has shared the same basic philosophy: that device management is something you do <em>to</em> users. But what if it were something you did <em>with</em> them?</p> <p>That&rsquo;s the question we asked at 1Password. (Yes, we&rsquo;re going to talk about our own product now, but we promise it&rsquo;s not a bait-and-switch; it&rsquo;s a genuinely new way of approaching this problem.)</p> <p>1Password Extended Access Management&rsquo;s agent is built on osquery, so it can run posture checks across your Linux devices, whether they&rsquo;re Debian-based or RPM-based. 
But our solution goes beyond visibility and actually helps achieve compliance.</p> <p>1Password Extended Access Management&rsquo;s agent notifies Linux users when it detects an issue, and instructs them on how to resolve it. And if a device isn&rsquo;t secure, its user can&rsquo;t authenticate via your IdP until they&rsquo;ve resolved the issue.</p> <p>This approach–device trust authentication combined with self-remediation–gives Linux users the freedom they value without compromising the organization&rsquo;s security. For instance, a developer might have a valid reason to briefly turn off their firewall (which an MDM would never allow them to do), and 1Password Extended Access Management won&rsquo;t stop them. However, it will ensure that they turn it back on before accessing sensitive resources.</p> <p>To be clear, we&rsquo;re not claiming we can detect or solve <em>every</em> issue on <em>every</em> version of Linux, but we are the fastest and easiest way to deploy osquery across your fleet. And osquery&rsquo;s power as a tool goes far beyond the capabilities of MDM. MDM solutions can look at a handful of device properties; osquery can look at <a href="https://www.kolide.com/use-cases/fleet-visibility">hundreds</a>.</p> <p>You may start out looking for a Linux device management solution on par with MDM, but wind up realizing that MDM was never providing meaningful device management in the first place. And that&rsquo;s a lesson that applies to your entire fleet, not just Linux devices.</p> <img src='https://blog.1password.com/posts/2024/no-mdm-for-linux/gnome-screenlock-check.png' alt='A screenshot of Kolide&#39;s Gnome screenlock check that Linux users will see if they&#39;re failing the check.' title='A screenshot of Kolide&#39;s Gnome screenlock check that Linux users will see if they&#39;re failing the check.' 
style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>&ldquo;Ask users to fix their own problems&rdquo; might seem simplistic, but it&rsquo;s a quietly revolutionary way of collaborating with employees who value transparency and autonomy. And in our experience, it works. When you approach Linux users this way, they&rsquo;re happy to cooperate, and are even grateful for the reminder.</p> <h2 id="managing-linux-devices-means-working-with-linux-users">Managing Linux devices means working with Linux users</h2> <p>For all their stubbornness, Linux users aren&rsquo;t ridiculous. They understand that for business to transact, their devices need to be secure. But they&rsquo;re unwilling to accept an approach where that is done on their behalf.</p> <p>You can&rsquo;t solve endpoint security for Linux without involving end users. But this approach doesn&rsquo;t have to stop there; your Mac and Windows users will also appreciate having more agency over their devices. Once you have a solution that teaches users how to solve problems themselves, you may not want to lean so hard on MDM, <a href="https://blog.1password.com/pros-and-cons-of-mdms/">which comes with its own problems</a>.</p> <hr> <p>Want to hear more on how 1Password Extended Access Management&rsquo;s Device Trust solution (finally) solves Linux endpoint security? 
<a href="https://1password.com/xam/contact-us">Request a demo</a>.</p></description></item><item><title>How MFA is falling short</title><link>https://blog.1password.com/how-mfa-is-falling-short/</link><pubDate>Fri, 28 Jun 2024 00:00:00 +0000</pubDate><author>info@1password.com (Kenny Najarro)</author><guid>https://blog.1password.com/how-mfa-is-falling-short/</guid><description> <img src='https://blog.1password.com/posts/2024/how-mfa-is-falling-short/header.png' class='webfeedsFeaturedVisual' alt='How MFA is falling short' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">In baseball, it&rsquo;s tempting to think that once you&rsquo;re on a base, the hard part is over.</p> <p>But then, just when you think you&rsquo;re safe (you are literally &ldquo;safe&rdquo;) the baseman hits you with the <a href="https://en.wikipedia.org/wiki/Hidden_ball_trick#:~:text=A%20hidden%20ball%20trick%20is,to%20tag%20out%20the%20runner.">hidden ball trick</a>. Your opponent <em>appears</em> to throw the ball away, but merely hides it and tags you in the moment you&rsquo;re most vulnerable.</p> <p>A similar thing is happening to companies with multi-factor authentication (MFA). The goal of MFA, much like baseball, is to safely get users where they need to go (in this case, authenticated into their apps). For years, MFA has been considered the gold standard of enterprise cybersecurity. However, even when you&rsquo;re doing everything right, you can be lured into a false sense of security that your opponent is happy to take advantage of.</p> <img src='https://blog.1password.com/posts/2024/how-mfa-is-falling-short/hidden-baseball-trick.gif' alt='A gif of Rockies&#39; Todd Helton doing the hidden ball trick on a Cardinals player.' title='A gif of Rockies&#39; Todd Helton doing the hidden ball trick on a Cardinals player.' 
style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p><a href="https://youtu.be/I5wGxsxjmy0?si=HZC6EB8ilC8-F6pH">Image Source</a></p> <p>Take Retool, for example. They <a href="https://www.bleepingcomputer.com/news/security/retool-blames-breach-on-google-authenticator-mfa-cloud-sync-feature/">experienced a data breach</a> in August 2023 because a threat actor bypassed not one but three(!) forms of security – VPN, SSO, and Google Authenticator.</p> <p>By deploying phishing, vishing, and Man-In-The-Middle (MITM) tactics, the bad actors were able to convince an employee to give them a One-Time Password (OTP). And that&rsquo;s all they needed; by compromising the MFA factor, they were able to gain access to the Retool employee&rsquo;s Okta account and access <em>all</em> of the MFA codes on Retool&rsquo;s Google Authenticator.</p> <p>In a blog post about the breach, Retool <a href="https://retool.com/blog/mfa-isnt-mfa">named</a> Google&rsquo;s authenticator as one of the primary culprits for the breach. They wrote: &ldquo;Google recently released the <a href="https://security.googleblog.com/2023/04/google-authenticator-now-supports.html?ref=retool-blog.ghost.io">Google Authenticator synchronization feature</a> that syncs MFA codes to the cloud. As <a href="https://news.ycombinator.com/item?id=35690398&amp;ref=retool-blog.ghost.io">Hacker News noted</a>, this is highly insecure, since if your Google account is compromised, so now are your MFA codes.&rdquo; Furthermore, they explained that this feature was turned on by default, without Retool&rsquo;s knowledge.</p> <p>This cyberattack shows what can happen when an organization relies too heavily on phishable authentication factors – like passwords and SMS OTPs – in their MFA. 
It also previews one of the main themes of this blog: not all MFA factors are created equal.</p> <p>Even President Obama knew that back in 2016, when he was <a href="https://www.wsj.com/articles/protecting-u-s-innovation-from-cyberthreats-1455012003">urging Americans to move past passwords</a>. Yet organizations are still struggling with MFA, and bad actors are thriving because of it.</p> <p>MFA&rsquo;s promise was to secure all our logins while providing a relatively frictionless experience to users. But while any MFA is certainly better than nothing, the user experience is about as frictionless as sandpaper, and attackers keep finding new ways to poke holes in it. So let&rsquo;s talk about what happened to MFA, and how we can help it fulfill its original promise.</p> <h2 id="mfas-promise">MFA&rsquo;s promise</h2> <p>Before we start analyzing where MFA is falling short, let&rsquo;s briefly make clear what we&rsquo;re talking <em>about</em>. As a refresher, MFA is an approach to authentication that relies on multiple factors to prove a user&rsquo;s identity. 
Here&rsquo;s <a href="https://cheatsheetseries.owasp.org/cheatsheets/Multifactor_Authentication_Cheat_Sheet.html">a nonexhaustive list of factors</a> that can be leveraged, courtesy of OWASP:</p> <ul> <li> <p><strong>Something You Know:</strong> Passwords, PINs, Security Questions</p> </li> <li> <p><strong>Something You Have:</strong> OTP Tokens, Certificates, Smart Cards, Email, SMS and Phone Calls</p> </li> <li> <p><strong>Something You Are:</strong> Fingerprints, Facial Recognition, Iris Scans</p> </li> </ul> <p>There are also less traditional forms of MFA, which are usually used in addition to the factors above, and sometimes when assessing particularly sensitive or unusual logins.</p> <ul> <li> <p><strong>Somewhere You Are:</strong> Source IP Address, Geolocation, Geofencing</p> </li> <li> <p><strong>Something You Do:</strong> Behavioral Profiling, Keystroke &amp; Mouse Dynamics</p> </li> </ul> <p>You might notice that passwords are included as a potential &ldquo;something you know&rdquo; factor, despite being notoriously insecure–especially if your company (like <a href="https://1passwordstatic.com/files/resources/2022-state-of-access-report.pdf">too many others</a>) doesn&rsquo;t use a password manager.</p> <p>Indeed, MFA was supposed to solve many of the problems created by shoddy password practices. When it comes to password-related attacks, Microsoft stated in 2019 that MFA <a href="https://techcommunity.microsoft.com/t5/microsoft-entra-blog/your-pa-word-doesn-t-matter/ba-p/731984">would have stopped 99.9% of account compromises</a>. Still, passwords stubbornly remain part of the mix, and that&rsquo;s particularly dangerous when you pair them with another phishable factor, like an OTP.</p> <h2 id="mfa-risk-1-social-engineering">MFA risk #1: social engineering</h2> <p>What&rsquo;s the easiest way to steal a user&rsquo;s authentication factors? Just ask them nicely. 
In social engineering MFA attacks, a threat actor tricks an employee into handing over an MFA factor – login credentials, OTPs, MFA codes – by acting as a trusted source.</p> <p>That&rsquo;s how Rockstar Games was <a href="https://www.forbes.com/sites/siladityaray/2022/09/20/social-engineering-how-a-teen-hacker-allegedly-managed-to-breach-both-uber-and-rockstar-games/">compromised in September 2022</a>. A bad actor masqueraded as an IT employee at Rockstar and was able to capture credentials from an unsuspecting employee. They were then able to use the compromised account to breach Rockstar&rsquo;s Slack channel to leak videos of unreleased gameplay.</p> <p>&ldquo;Attackers will often use the information they&rsquo;ve already compromised as part of the social engineering attack to lull users into a false sense of security,&rdquo; Jordan LaRose, Practice Director for infrastructure security at NCC Group, <a href="https://www.darkreading.com/threat-intelligence/cyberattackers-double-down-bypassing-mfa">tells DarkReading</a>. And that information can be trivially easy to find.</p> <p>This was the case in <a href="https://www.kolide.com/blog/what-everyone-got-wrong-about-the-mgm-hack">2023&rsquo;s MGM hack</a>, when threat actors called MGM&rsquo;s help desk, impersonated an employee, were likely provided a password or MFA reset, and gained access to the account of a super administrator with advanced privileges. Allegedly <a href="https://www.bloomberg.com/news/articles/2023-09-16/mgm-resorts-hackers-broke-in-after-tricking-it-service-desk">operating on the &ldquo;honor system,&rdquo;</a> the MGM help desk only required very basic information that can be scraped from social media and sources that only require a quick Google.</p> <p>Bad actors fooling tech support (and sometimes pretending to be tech support) is emerging as one of the more tried-and-true methods specifically designed to thwart MFA. 
And that&rsquo;s why any factor that can be phished should be considered inherently vulnerable.</p> <h2 id="mfa-risk-2-session-hijacking">MFA risk #2: session hijacking</h2> <p>Even when you take away the human element from MFA&rsquo;s list of weaknesses, you&rsquo;re still left with things like vulnerable browsers.</p> <p>Cookies have long been the way the internet has saved our browsing information and preferences; however, they also risk allowing threat actors to steal your credentials <em>after</em> login.</p> <p>This attack method famously happened in August 2022, when ransomware gang Yanluowang <a href="https://www.bleepingcomputer.com/news/security/cisco-hacked-by-yanluowang-ransomware-gang-28gb-allegedly-stolen/">compromised the personal Google account of a Cisco employee</a> who unfortunately synced their Cisco credentials to their browser. This enabled the threat actors to deploy an MFA fatigue attack – which we&rsquo;ll cover in greater detail later – allowing them to have MFA codes and login credentials in hand before eventually getting access to Cisco&rsquo;s servers.</p> <p><a href="https://www.kolide.com/blog/ai-browser-extensions-are-a-security-nightmare">Malicious browser extensions</a> provide another variant of this attack. If installed, they can also allow bad actors to take control of a user&rsquo;s session once past any MFA prompts without any interference from the user.</p> <p>Companies like Google are trying their hardest to make cookie theft and session hijacking a thing of the past. 
They&rsquo;ve recently introduced <a href="https://blog.chromium.org/2024/04/fighting-cookie-theft-using-device.html">Device Bound Session Credentials</a>, where Chromium browsers will abandon browser cookies, forcing bad actors to act locally on devices, thus lessening the attack surface.</p> <h2 id="mfa-risk-3-man-in-the-middle-mitm-attacks">MFA risk #3: man-in-the-middle (MITM) attacks</h2> <p>In MITM attacks, hackers create a fake network/server/webpage that intercepts user credentials when a user <em>thinks</em> they&rsquo;re entering them into the legitimate destination.</p> <p>&ldquo;This allows the attackers to bypass most available methods of MFA, since the user is providing the site, and the hacker, with both the username and password and additional authentication,&rdquo; <a href="https://its.unc.edu/2022/10/20/mfa-bypass/">says</a> Drew Trumbull, incident response team lead with the Information Security Office at the University of North Carolina.</p> <p>In the past, for a MITM attack to be successful, a previous server or network needed to be compromised to gain initial access for the bad actor to then install a keylogger or present a fake login page. Yet that&rsquo;s no longer the case with the advancement in phishing kits. While these kits have been available for some years, a <a href="https://www.proofpoint.com/us/blog/threat-insight/mfa-psa-oh-my">2022 report by Proofpoint</a> unveiled just how much they had evolved.</p> <p>Bad actors have abandoned recreating target websites in favor of a transparent reverse proxy (or attacker server) method, which actually presents the real websites victims intend to visit. This not only allows the bad actors to capture credentials entered during the login attempt, but also the session cookie. 
This gives them unfettered access to the user&rsquo;s systems while capturing any credentials or MFA prompts.</p> <p>And now, to everyone&rsquo;s dismay, these phishing kits have evolved again.</p> <h3 id="the-expansion-of-mfa-phishing-kits">The expansion of MFA phishing kits</h3> <p>In March 2024, Sekoia published a <a href="https://blog.sekoia.io/tycoon-2fa-an-in-depth-analysis-of-the-latest-version-of-the-aitm-phishing-kit/">report</a> highlighting a new variant of MITM attacks (or Adversary-In-The-Middle, as they are increasingly called) with their discovery of a phishing-as-a-service (PhaaS) platform named &ldquo;Tycoon 2FA.&rdquo;</p> <p>With prices starting at $120 for a 10-day subscription, there&rsquo;s plenty of opportunity for threat actors to make a hearty return on investment when their initial purchase costs less than a nice dinner.</p> <p>By building upon previously established methods, like the reverse proxy method, threat actors were able to target Microsoft 365 and Gmail accounts and bypass two-factor authentication (2FA) protection. Here&rsquo;s a visual, courtesy of Sekoia.</p> <img src='https://blog.1password.com/posts/2024/how-mfa-is-falling-short/tycoon-phishing-kit.jpg' alt='An infographic from Sekoia that lays out the Tycoon 2FA phishing kit operation.' title='An infographic from Sekoia that lays out the Tycoon 2FA phishing kit operation.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p><a href="https://blog.sekoia.io/tycoon-2fa-an-in-depth-analysis-of-the-latest-version-of-the-aitm-phishing-kit/">Image Source</a></p> <p>If you find that diagram a bit overwhelming, I don&rsquo;t blame you. 
For some help, <a href="https://www.bleepingcomputer.com/news/security/new-mfa-bypassing-phishing-kit-targets-microsoft-365-gmail-accounts/">BleepingComputer gave a simplified description</a> of the phishing kit, which we&rsquo;ll now quote at length:</p> <ul> <li> <p><em>Stage 0: Attackers distribute malicious links via emails with embedded URLs or QR codes, tricking victims into accessing phishing pages.</em></p> </li> <li> <p><em>Stage 1: A security challenge (Cloudflare Turnstile) filters out bots, allowing only human interactions to proceed to the deceptive phishing site.</em></p> </li> <li> <p><em>Stage 2: Background scripts extract the victim&rsquo;s email from the URL to customize the phishing attack.</em></p> </li> <li> <p><em>Stage 3: Users are quietly redirected to another part of the phishing site, moving them closer to the fake login page.</em></p> </li> <li> <p><em>Stage 4: This stage presents a fake Microsoft login page to steal credentials, using WebSockets for data exfiltration.</em></p> </li> <li> <p><em>Stage 5: The kit mimics a 2FA challenge, intercepting the 2FA token or response to bypass security measures.</em></p> </li> <li> <p><em>Stage 6: Finally, victims are directed to a legitimate-looking page, obscuring the phishing attack&rsquo;s success.</em></p> </li> </ul> <p>For those keeping count at home, this phishing kit involves session hijacking, plain ol&rsquo; phishing, and MITM tactics. But the really scary part of Tycoon 2FA is how good it is at covering its tracks.</p> <p>As Sekoia <a href="https://blog.sekoia.io/tycoon-2fa-an-in-depth-analysis-of-the-latest-version-of-the-aitm-phishing-kit/">points out</a>,</p> <blockquote> <p>&ldquo;&hellip;it appears that the phishing kit developer extended the kit&rsquo;s capabilities to identify and evade more traffic patterns associated with analysis or scan environments. 
This includes IP addresses hosted in datacenters or associated with the Tor network, as well as specific User-Agent strings of bots and some versions of Linux web browsers.&rdquo;</p> </blockquote> <h2 id="mfa-risk-4-sim-swapping">MFA risk #4: SIM swapping</h2> <p>Compared to other methods we&rsquo;ve gone over, SIM swapping attacks require a bit more effort to succeed. Bad actors select a target and conduct an extensive social engineering campaign to collect as much information as they can on their victim, most importantly their phone number.</p> <p>They then contact the target&rsquo;s phone carrier and impersonate them to receive a new SIM card. This allows the attacker to insert the SIM card into the mobile device of their choosing and effectively take over the target&rsquo;s number.</p> <p>We&rsquo;ve seen the tactic pay off when it was done to a <a href="https://www.bleepingcomputer.com/news/microsoft/microsoft-confirms-they-were-hacked-by-lapsus-extortion-group/">Microsoft employee in March 2022</a> in the infamous Lapsus$ attack. Once the bad actor performed the SIM swap, they were able to access any MFA codes coming through SMS texts to the employee and escalated their access throughout Microsoft&rsquo;s systems.</p> <p>There&rsquo;s only so much an end user, or MFA for that matter, can do to prevent a SIM swapping attack. The sage wisdom here is to abandon SMS OTPs in favor of stronger authentication methods. 
And that still may not be enough because if your mobile account credentials are leaked — we&rsquo;re looking at you, <a href="https://www.cnet.com/tech/mobile/at-t-data-breach-what-at-t-is-doing-for-the-73-million-accounts-breached/">AT&amp;T</a> — threat actors can now deploy <a href="https://www.bleepingcomputer.com/news/security/sim-swappers-hijacking-phone-numbers-in-esim-attacks/">eSIM attacks</a> where little to no social engineering is involved.</p> <p>As we&rsquo;re learning, for MFA attack methods to be successful, they increasingly need to be done together.</p> <h2 id="mfa-risk-5-mfa-fatiguebombingflooding">MFA risk #5: MFA fatigue/bombing/flooding</h2> <p>Whatever you call these attacks – MFA fatigue, MFA bombing, or MFA flooding – they all fittingly convey a sense of despair.</p> <p>And that&rsquo;s the feeling you&rsquo;d experience when your device is hammered with push notifications about password resets that you never triggered. Attackers usually spam you with an onslaught of MFA requests in the middle of the night, when your brain is foggy and you&rsquo;re most likely to hit &ldquo;approve&rdquo; by mistake.</p> <img src='https://blog.1password.com/posts/2024/how-mfa-is-falling-short/stu-pickles-making-pudding.jpg' alt='Stu Pickles from Rugrats making pudding at four in the morning.' title='Stu Pickles from Rugrats making pudding at four in the morning.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p><a href="https://www.pinterest.com/pin/370913719308221278/">Image Source</a></p> <p>The goal of an MFA bombing attack is to coerce the victim into confirming their identity via notification, which is almost always the second factor.</p> <p>And that&rsquo;s key when discussing MFA&rsquo;s viability. Our first line of defense, most likely a password, has failed, so we have a second factor to save the day. 
That is <em>if</em> the victim is prepared and trained to handle an onslaught of authentication requests; if not, down goes our second line of defense.</p> <p>Now, MFA fatigue attacks <a href="https://www.bleepingcomputer.com/news/security/mfa-fatigue-hackers-new-favorite-tactic-in-high-profile-breaches/">aren&rsquo;t new</a>. They&rsquo;ve been in the news for some years, none more so than the <a href="https://www.bleepingcomputer.com/news/security/uber-hacked-internal-systems-breached-and-vulnerability-reports-stolen/">September 2022 Uber hack</a>, which was a textbook MFA fatigue attack.</p> <p>However, the Uber employee didn&rsquo;t accept the MFA push notification out of annoyance or lack of training; they accepted it because a cybercriminal posed as IT support and convinced them they needed to accept.</p> <h3 id="no-password-no-problem">No password, no problem</h3> <p>In March 2024, <a href="https://krebsonsecurity.com/2024/03/recent-mfa-bombing-attacks-targeting-apple-users/">KrebsonSecurity</a> reported on MFA fatigue attacks specifically targeting executives who are Apple users. There&rsquo;s nothing novel on the surface, but when you look into the details, it&rsquo;s far more troublesome than previous attacks of this nature. That&rsquo;s because it&rsquo;s being pulled off without compromised credentials — just the victim&rsquo;s phone number.</p> <p>When a bad actor obtains an Apple user&rsquo;s phone number, they&rsquo;re able to continually bombard the user&rsquo;s iPhone with password reset notifications, even if the device or iCloud account is new. 
If that doesn&rsquo;t trick the user, then the bad actor has the ability to spoof a call from Apple&rsquo;s legitimate support phone number.</p> <p>And if you thought advanced security features like Apple&rsquo;s <a href="https://support.apple.com/en-us/109345">recovery key</a> would help, it does little to mitigate the password reset prompts.</p> <p>KrebsonSecurity posits that bad actors are taking advantage of Apple&rsquo;s flawed &ldquo;forgot password&rdquo; flow. Just like SIM swapping, this is tough to protect against, since our phone numbers aren&rsquo;t exactly closely-guarded secrets. Until a fix of some sort — perhaps a rate limit — is implemented by Apple, MFA and the &ldquo;deny&rdquo; button will have to brace for impact.</p> <h2 id="the-future-of-mfa">The future of MFA</h2> <p>If you&rsquo;ve read this far, you can agree that MFA has taken quite a beating. And like a prize fighter on the comeback trail, a change in defense is much needed to prevent getting knocked out again. But let&rsquo;s run back the tape so we can find what to improve on—namely what we pick as second factors.</p> <p>According to <a href="https://oort.io/hubfs/Reports/State-of-Identity-Security-2023.pdf">Oort&rsquo;s &ldquo;2023 State of Identity Security&rdquo; report</a>, &ldquo;the average company has 40.26% of accounts with either no MFA or weak MFA. In contrast, phishing-resistant second factors account for only 1.82% of all logins.&rdquo; And there you have it, folks.</p> <p>Less secure methods, almost by default, reign supreme for our most sensitive accounts. But if we want MFA that actually holds off attackers, this is a trend that cannot continue.</p> <h3 id="if-not-passwords-then-what">If not passwords, then what?</h3> <p>If you take one thing away from this blog, let it be this: we <em>need</em> to get rid of passwords. The security industry has been saying it for years, but it&rsquo;s been a slow drip for that mindset to turn into action. 
Luckily, we have the resources now with FIDO2.</p> <p><a href="https://www.microsoft.com/en-us/security/business/security-101/what-is-fido2">FIDO2</a> (Fast IDentity Online 2 – ignore the tortured acronym) is an open standard for user authentication that strengthens security and protects users by using phishing-resistant and passwordless cryptographic credentials to validate user identities.</p> <p>Developed by the <a href="https://fidoalliance.org/">FIDO Alliance</a>, FIDO2 authentication can be performed with two types of FIDO authenticators: roaming authenticators and platform authenticators. Roaming authenticators are portable hardware devices like YubiKeys that plug into devices across platforms. Platform authenticators are built into users&rsquo; devices and generally require biometrics like Apple&rsquo;s Touch ID or Face ID.</p> <p>However, these are traditionally the second factor in a passwordless MFA experience. The first is <a href="https://1password.com/product/passkeys">passkeys</a>. Passkeys, in their simplest form, are FIDO2 sign-in credentials that generate a private and public key pair, providing passwordless authentication. 
That means a bunch of random numbers that aren&rsquo;t phishable!</p> <p>Aside from being phish-proof, 1Password <a href="https://blog.1password.com/what-are-passkeys/">describes</a> some of passkeys' benefits:</p> <ul> <li> <p>You don&rsquo;t have to remember or type out your passkeys.</p> </li> <li> <p>Your private key is never shared with the website you want to sign into.</p> </li> <li> <p>Your public key can&rsquo;t be used to figure out your private key.</p> </li> <li> <p>Passkeys offer an improved user experience over other forms of authentication.</p> </li> </ul> <p>Passkeys can also be bound to a single device or synced across multiple devices, whatever the user prefers.</p> <p>Still, it&rsquo;s one thing for a solution to be available, and a totally different thing for that solution to be leveraged — even when leaders in the space are pleading for organizations to take advantage of it.</p> <p>&ldquo;To business leaders: I urge every CEO to ensure that FIDO authentication is on their organization&rsquo;s MFA implementation roadmap. FIDO is the gold standard. Go for the gold,&rdquo; said Jen Easterly, Director, CISA in a <a href="https://www.cisa.gov/news-events/news/next-level-mfa-fido-authentication">2022 bulletin</a>.</p> <p>Look, passkeys aren&rsquo;t perfect; they&rsquo;re still developing, being adopted, and <a href="https://proton.me/blog/big-tech-passkey">fighting against corporate interests</a>, but there&rsquo;s hope that won&rsquo;t be the case for too long. And at the very least, while you make the transition, your company <em>needs</em> to be using an <a href="https://1password.com/enterprise">enterprise password manager</a> to ensure that your team is using strong passwords. 
And tools like 1Password&rsquo;s <a href="https://watchtower.1password.com/">Watchtower</a> can even monitor the dark web for stolen credentials, and help you know when passwords have been leaked and need to be updated.</p> <h3 id="dont-forget-about-devices">Don&rsquo;t forget about devices</h3> <p>While we&rsquo;ve focused on the user identity portion of MFA, an unpatched or compromised device can do just as much damage as a weak password.</p> <p>1Password Extended Access Management uses device trust. The presence of a device trust tool works as a possession factor; basically, if a device doesn&rsquo;t have 1Password Extended Access Management installed, it can&rsquo;t log in. So compromised credentials won&rsquo;t work, and employees can&rsquo;t be tricked into giving this factor away to a bad actor. But beyond that, 1Password Extended Access Management looks for compliance issues before letting a user log in, like an out-of-date browser. Making sure devices are in a secure state before they authenticate goes a long way to keeping out bad actors trying to piggyback into your systems.</p> <h2 id="how-to-improve-your-mfa-strategy-today">How to improve your MFA strategy today</h2> <p>Let&rsquo;s be realistic: the average company doesn&rsquo;t have the budget or the technological ability to implement truly bulletproof MFA in 2024. You&rsquo;re not going to buy everyone in your organization Yubikeys, and you can&rsquo;t force all your vendors to roll out passkey support, much as you&rsquo;d like to.</p> <p>But you can still strengthen your MFA strategy today, using tools you already have. In particular, the most underused asset in security: humans.</p> <h3 id="user-education">User education</h3> <p>End users are often referred to as the weakest link in security. 
But let&rsquo;s explore an incident where users limited potential damage from an MFA attack.</p> <p>In January 2023, <a href="https://www.darkreading.com/cyber-risk/reddit-hack-shows-limits-mfa-strengths-security-training">Reddit experienced a MITM attack</a> when an employee clicked on a malicious link in an email. This phishing incident could have been devastating to Reddit. However, the employee&rsquo;s security training tingled their spidey senses.</p> <p>As Reddit CTO Chris Slowe <a href="https://www.reddit.com/r/reddit/comments/10y427y/comment/j7w961a/?utm_source=share&amp;utm_medium=web2x&amp;context=3">explained</a>, &ldquo;[s]oon after being phished, the affected employee self-reported, and the Security team responded quickly, removing the infiltrator&rsquo;s access and commencing an internal investigation.&rdquo; There&rsquo;s something to be said for that quick response.</p> <p>Humans aren&rsquo;t infallible, but they are capable of righting wrongs. If your organization doesn&rsquo;t already, invest in <a href="https://www.kolide.com/blog/is-your-security-awareness-program-a-total-snoozefest">making your security awareness program better</a>. Creating a security program that actively engages employees will pay dividends if they&rsquo;re ever faced with a threat.</p> <h3 id="password-manager">Password manager</h3> <p>We&rsquo;ve already explained that compromised (phished, breached, weak, or reused) passwords are at the root of many MFA attacks. So, at this point, an organization without a <a href="https://blog.1password.com/local-threats-device-protections/">password manager</a> is like a car without airbags.</p> <p>Password managers can secure credentials today, while helping transition to a passwordless future, as most of them <a href="https://1password.com/product/passkeys">support passkeys</a>. 
And since password managers are relatively inexpensive (especially compared to hardware tokens) you can roll them out to your entire workforce, not just highly-privileged admins.</p> <h3 id="device-trust">Device trust</h3> <p>As Megan Barker succinctly <a href="https://blog.1password.com/local-threats-device-protections/">explains</a>, &ldquo;[t]here&rsquo;s no password manager or other mainstream tool with the ability to guard your secrets on a fully compromised device.&rdquo;</p> <p>It&rsquo;s true. Password managers (even 1Password&rsquo;s amazing one) can&rsquo;t do everything. You&rsquo;ll need help from a different set of tools to protect against unknown and unsecured devices.</p> <p>As we mentioned earlier, that&rsquo;s possible with <a href="https://www.kolide.com/blog/what-is-device-trust">device trust</a> solutions. By making device posture checks part of authentication, you&rsquo;re able to establish a security baseline for user devices and have an unphishable factor right there on the device itself.</p> <p>And since <a href="https://1password.com/xam/extended-access-management">1Password Extended Access Management</a> comes packaged with both Kolide Device Trust <em>and</em> the 1Password Enterprise Password Manager, you&rsquo;re already monitoring security health at two points of authentication – the password, and the device.</p> <h2 id="the-less-you-know-the-better">The less you know, the better</h2> <p>MFA is some of the best security we have, but to fulfill its promise of protecting us from bad actors, MFA and passwordless methods of authentication need to become synonymous. Not only will they keep us more secure, they&rsquo;ll save us from the exhaustion of today&rsquo;s authentication.</p> <p>Anything an organization does to phase out passwords is a great first step. 
Although you&rsquo;ll need to educate and convince your higher ups on the effort and cost, as well as educating your employees how to use these new methods, it&rsquo;s worth it.</p> <p>Because I don&rsquo;t know about you, but I think the world will be a better place if you don&rsquo;t need to feel guilty when authenticating a fast food rewards account. That&rsquo;s the world I want to live in.</p> <img src='https://blog.1password.com/posts/2024/how-mfa-is-falling-short/arbys-mfa-tweet.jpeg' alt='A person tweeted about getting an Arby&#39;s authentication text early in the morning.' title='A person tweeted about getting an Arby&#39;s authentication text early in the morning.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p><a href="https://x.com/BigTucsonDad/status/1781328497182388414">Image Source</a></p> <p>Want to learn more about how 1Password Extended Access Management keeps systems safe? <a href="https://1password.com/xam/contact-us">Request a demo</a>.</p></description></item><item><title>Explaining the backlash to the SSO tax</title><link>https://blog.1password.com/explaining-the-backlash-to-the-sso-tax/</link><pubDate>Thu, 27 Jun 2024 00:00:00 +0000</pubDate><author>info@1password.com (Nick Moore)</author><guid>https://blog.1password.com/explaining-the-backlash-to-the-sso-tax/</guid><description> <img src='https://blog.1password.com/posts/2024/explaining-the-backlash-to-the-sso-tax/header.png' class='webfeedsFeaturedVisual' alt='Explaining the backlash to the SSO tax' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">The SSO tax is the unofficial name for the practice of software vendors significantly upcharging their customers for Single Sign-On, usually by making it part of an enterprise tier.</p> <p>Opponents of this practice say that charging for SSO is like buying a car and having to pay extra for the seatbelts. 
Meanwhile, vendors argue that SSO is more like a sunroof: a luxury feature that belongs on their high-end model.</p> <p>In reality, SSO is probably most analogous to a rearview camera; it initially seemed like a fancy add-on, but it&rsquo;s now recognized as a security requirement that keeps everyone safer.</p> <p>Charging extra for a safety feature strikes plenty of people – like the creators of the <a href="https://ssotax.org/">SSO Wall of Shame</a> – as unfair and irresponsible, and there&rsquo;s a backlash against the SSO tax rising in tandem with credential-based hacks that SSO could have helped prevent.</p> <p>Still, even in the face of criticism, the practice of upcharging thousands of dollars for SSO shows no signs of slowing down. Why?</p> <p>That&rsquo;s the question we&rsquo;re here to explore.</p> <h2 id="three-reasons-companies-need-sso">Three reasons companies need SSO</h2> <p>Let&rsquo;s start with a quick refresher on why Single Sign-On is so important in the first place. SSO puts a single authentication experience – handled by an identity provider (IdP) such as Okta, Microsoft, or Google – in front of multiple applications. So instead of a worker having unique passwords for, say, GitHub, Slack, and Asana, they use the same Okta authentication process for each one.</p> <p>In theory, a company can get by without SSO. 
But in practice, having individual employee passwords for every application quickly becomes unwieldy and security becomes lax – especially for ransomware attacks that often target vulnerable employee login credentials.</p> <p>So at the very least, companies want SSO (backed up by strong authentication like MFA) in front of every application that poses a significant security risk.</p> <p>There are three main reasons companies want SSO for any apps that touch sensitive data:</p> <ul> <li> <p>SSO creates one strong access point rather than many weak ones, meaning the surface area of attack for the company is reduced.</p> </li> <li> <p>SSO makes it easier for companies to onboard and offboard employees and to implement Role-Based Access Control (RBAC), giving IT a single tool with which to manage access to applications.</p> </li> <li> <p>SSO eliminates the need for employees to use (and forget) multiple passwords, which can improve employee experience and productivity, and reduce help desk tickets for lost passwords.</p> </li> </ul> <p>The advantages above have been true for a long time, but the <a href="https://www.itworldcanada.com/article/increase-in-ransomware-attacks-number-of-variants-and-the-attack-surface-itself-this-week-in-ransomware-as-of-sunday-august-21-2022/499014">stunning increase in ransomware attacks</a> in the past few years has made these issues more urgent, and has changed SSO from a luxury to a necessity.</p> <h2 id="how-the-sso-tax-works">How the SSO tax works</h2> <p>Now that we&rsquo;ve made the case for SSO, let&rsquo;s go shopping and see how the SSO tax might affect a hypothetical company.</p> <p>Let&rsquo;s say we&rsquo;re selling a productivity app that insults you when your GitHub contribution squares are empty (free billion dollar idea for anyone who wants it).</p> <p>For starters, we need a website and a CRM. Our head of marketing wants to go with HubSpot – a well-known company with a reputable product. 
We <a href="https://www.hubspot.com/pricing/content/enterprise?hubs_content=www.hubspot.com%2F&amp;hubs_content-cta=nav-pricing&amp;term=annual">look at the pricing</a> and a &ldquo;Starter&rdquo; plan costs $15/month. Perfect! We are just starting, after all.</p> <p>But SSO isn&rsquo;t included in the Starter plan or the Professional plan. It&rsquo;s exclusive to the Enterprise plan, which comes in at a whopping $1,500/month. So we&rsquo;ve jumped from $15 to $1,500. And that&rsquo;s the SSO tax in action. To be clear, the Enterprise tier comes with a lot of other bells and whistles besides SSO – but many of them are &ldquo;nice to haves,&rdquo; while SSO is a &ldquo;need to have.&rdquo;</p> <p>The pattern repeats with other mission-critical tools. GitHub, Docker, and plenty of other services charge the SSO tax, and it quickly eats into our imaginary company&rsquo;s budget.</p> <img src='https://blog.1password.com/posts/2024/explaining-the-backlash-to-the-sso-tax/sso-tax-infographic.jpg' alt='A graphic comparing the cost of GitHub, Docker, and HubSpot with and without SSO. In each case, the SSO tier costs more than double.' title='A graphic comparing the cost of GitHub, Docker, and HubSpot with and without SSO. In each case, the SSO tier costs more than double.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>You can imagine how difficult and expensive it would be for an SMB to get and maintain SSO functionality across all or even most of its apps.</p> <p>To be clear, charging <em>some</em> extra for features isn&rsquo;t inherently problematic. The problem is the proportion. HubSpot, for instance, charges more than a 5,000% increase to access SSO.</p> <h3 id="the-impact-of-the-sso-tax">The impact of the SSO tax</h3> <p>When we&rsquo;re talking 5,000% price increases, the results are predictable. 
As of now, many applications are not within many companies' SSO portals, making these companies vulnerable to attack.</p> <p>Grip, a SaaS security company, <a href="https://www.grip.security/blog/why-sso-doesnt-protect-80-of-your-saas">polled over one hundred CISOs</a> to prove this. They found that 80% of the SaaS applications employees use are not in their companies' SSO portals. Grip laid out several reasons why – including SSO not being supported and third party owned – but the top reason was SSO licensing cost.</p> <h2 id="why-vendors-upcharge-for-sso">Why vendors upcharge for SSO</h2> <p>Money. Really, that&rsquo;s the main reason. But if we want to know more about the staying power of the SSO tax, it&rsquo;s worth digging a little deeper into why the financial incentives outweigh the costs.</p> <p>There are three primary reasons vendors charge an SSO tax (or at least justify doing so).</p> <h3 id="building-and-maintenance-costs">Building and maintenance costs</h3> <p>Many vendors argue that SSO is hard to build and worth charging for. Gergely Orosz, for example, writer of the popular newsletter The Pragmatic Engineer, <a href="https://twitter.com/GergelyOrosz/status/1562354776188272640?s=20&amp;t=cJu9J0kHPOGdJHLi4dTNBw">writes that</a> &ldquo;Every company should absolutely charge more for non-standard SSO (which is most SAML-based, enterprise SSO).&rdquo; For Orosz, it&rsquo;s simple: &ldquo;It&rsquo;s additional work for the vendor. Of course customers would love to get all that for free, but it&rsquo;s not how it works.&rdquo;</p> <p>Klaas Pieter Annema, engineering manager at Sketch, <a href="https://twitter.com/klaaspieter/status/1562353404143435776">largely agrees</a>. 
Based on his experience running the team maintaining SSO at Sketch, he argues that though supporting Google and Microsoft SSO is easy, &ldquo;Supporting whatever wonky homebuilt some large enterprises use is a huge time [sink].&rdquo; Sketch, according to Annema, had to go so far as to build a rotating support role to provide SSO.</p> <p>But others disagree, or at least maintain that the cost is out of step with the work required.</p> <p>When Rob Chahin announced The SSO Wall of Shame, he explained his reasoning (in a now-deleted tweet) from the perspective of an experienced developer. &ldquo;Having shipped SSO,&rdquo; Chahin writes, &ldquo;I have no qualms about considering it a service that needs to be paid for.&rdquo; The qualms come from proportion, he says. &ldquo;The enormous markups I see for these vendors cannot be feasibly attributed to the SSO cost.&rdquo;</p> <p>For Chahin, the math doesn&rsquo;t work: &ldquo;If your SSO pricing is 3x your base pricing, are you telling me that 2/3 of the cost of your product is just keeping the SAML going? Doesn&rsquo;t seem reasonable to me.&rdquo;</p> <h3 id="profit">Profit</h3> <p>The SSO tax makes vendors money - that much is obvious. But vendors aren&rsquo;t going to come out and say that&rsquo;s why they keep it around. Well, most of them won&rsquo;t.</p> <p>In a <a href="https://tuple.app/blog/sso-should-be-table-stakes">shockingly transparent post</a>, Ben Orenstein, co-founder and CEO of remote pair programming app Tuple, reveals that it really is mostly about profit.</p> <p>&ldquo;If you&rsquo;re a new SaaS founder and you want to maximize your revenue,&rdquo; Orenstein writes, &ldquo;I recommend you create an enterprise tier, put SSO in it, and charge 2-5x your normal pricing. Even with no other benefits, some customers will be <em>forced</em> to choose this option&rdquo; (emphasis ours).</p> <p>But what about those setup and maintenance costs? 
Orenstein covers this aspect, too, writing that &ldquo;SSO costs close to nothing after a little automation, so this price increase is all profit.&rdquo; He goes on to admit that doing this &ldquo;always felt a little gray hat,&rdquo; which is one reason why Tuple stopped charging the SSO tax.</p> <h3 id="upselling">Upselling</h3> <p>This reason is related to but distinct from pure profit. When vendors lock SSO access into an enterprise pricing tier, they can better segment their customers and drive potential enterprise customers into actual enterprise plans.</p> <p>Patrick McKenzie, of &ldquo;charge more&rdquo; and Stripe fame, <a href="https://twitter.com/patio11/status/1481293496506253321?s=20&amp;t=GSqe0KHLuJaY7TYPS-p4_w">explains</a> that &ldquo;SSO is a segmentation lever, and a particularly powerful one because everybody in the sophisticated-and-well-monied segment is increasingly <em>forced</em> to purchase it.&rdquo; He compares it to HIPAA-compliant services, saying &ldquo;Yes, enjoy 2X on the invoice.&rdquo;</p> <p>Orenstein goes into this too, writing that: &ldquo;On its face, SAML-based Single Sign-On (SSO) is the perfect feature to push your bigger customers into your enterprise tier.&rdquo;</p> <p>Picture the typical pricing page again. The standard plans list a specific cost in dollars, but the enterprise plan often simply advises you to &ldquo;contact sales.&rdquo; So not only is the SSO tax profitable, but vendors use it to put companies into the position of having to negotiate.</p> <h2 id="the-case-for-not-upcharging-for-sso">The case for not upcharging for SSO</h2> <p>While the argument for charging the SSO tax is clearly persuasive, there <em>are</em> counterarguments that have persuaded some vendors to turn down the easy money. 
The benefits of not upcharging for SSO might be less tangible than the alternative, but they&rsquo;re still worth considering if we ever hope to change the status quo.</p> <h3 id="pr-aka-the-right-thing-to-do">PR (AKA: &ldquo;The right thing to do&rdquo;)</h3> <p>Unsurprisingly, most software buyers don&rsquo;t like the SSO tax. So naturally, some vendors have harnessed that resentment for marketing purposes, either by announcing they&rsquo;re getting rid of the SSO tax or making a big deal about never charging for it.</p> <p>The Tuple post we got into earlier, for instance, is titled &ldquo;SSO Should Be Table Stakes,&rdquo; and it explains why Tuple would no longer charge an SSO tax. Similarly, Scalr, a company providing a Terraform cloud alternative, <a href="https://www.scalr.com/blog/sso-tax">published a post</a> titled &ldquo;SSO Tax: Why Scalr Is Not Charging Extra For Security.&rdquo;</p> <p>Even if a vendor doesn&rsquo;t make their lack of an SSO tax an explicit part of their messaging, they can still benefit from not being on the Wall of Shame and from establishing a positive reputation with users.</p> <h3 id="industry-security">Industry security</h3> <p>Richard Hartmann, Director of Community at Grafana, has tweeted that there&rsquo;s an industry-level or even ethical reason to <a href="https://twitter.com/TwitchiH/status/1562354142265450496?s=20&amp;t=cJu9J0kHPOGdJHLi4dTNBw">dispose of the SSO tax</a>.</p> <div class="tweet"> <img src="https://blog.1password.com/img/icons/twitter.svg" alt="@TwitchiH tweet" /> <p> The argument written out in plain English above the list is that by making baseline security a feature with significant markup, internet infrastructure as a whole is less secure. Infrastructure security is <em>the</em> classic example of tragedy of the commons, and externalizing costs. 
- <span>@TwitchiH</span> <a href="http://twitter.com/user/status/1562354142265450496" title="@TwitchiH" class="view-tweet" target="_blank" rel="noopener">View tweet</a> </p> </div> <p>Hartmann gets at the heart of why people find the SSO tax so infuriating, and he&rsquo;s not the only one who feels this way. Ed Contreras, Chief Information Security Officer at Frost Bank, for example, <a href="https://cisoseries.com/we-shame-others-because-were-so-right-about-everything/">called the SSO tax</a> &ldquo;an atrocity.&rdquo;</p> <p>His reasoning is that security infrastructure is too important to be priced as a luxury. &ldquo;With single sign-on,&rdquo; he explains, &ldquo;We&rsquo;re protecting both of our companies, and I would even say indemnification clauses should get changed if I don&rsquo;t get my security requirements.&rdquo;</p> <h3 id="product-led-growth">Product-led growth</h3> <p>Another argument against the SSO tax is that it&rsquo;s antithetical to the idea of product-led growth. While a tiered pricing structure is central to PLG, the standard or freemium version of a product still needs to include the capabilities that customers depend on and fall in love with.</p> <p>Locking away SSO – especially if it&rsquo;s gated behind a &ldquo;Contact sales&rdquo; button – introduces friction and withholds a core feature from users. If the goal of your company is to design a product-led marketing engine and a self-serve buying process, an SSO tax can strangle deal flow.</p> <p>Kyle Poyar, Operating Partner at OpenView, <a href="https://kylepoyar.substack.com/p/why-you-should-give-away-your-features">argues that</a> companies are &ldquo;missing out by not making SSO more accessible.&rdquo; He writes that, as more customers demand SSO as part of baseline security, they might not even consider a vendor who locks it away. 
On top of that, he writes that customers with SSO also &ldquo;tend to be stickier with better retention rates.&rdquo;</p> <h2 id="what-to-do-if-you-cant-afford-the-sso-tax">What to do if you can&rsquo;t afford the SSO tax</h2> <p>Hopefully, all the SaaS vendors who read this article will see the error of their ways and stop charging extra for SSO. But until that day comes, a lot of companies will simply have to make do. If that sounds like you, here&rsquo;s some advice on practicing good security without breaking the bank.</p> <h3 id="negotiate-for-sso-during-purchase">Negotiate for SSO during purchase</h3> <p>Sure, a SaaS vendor&rsquo;s pricing page might say that you only get SSO through the enterprise tier, but they might be willing to throw it in on a starter tier if it means they get your business. Some vendors will offer this option if you, in turn, offer to sign a multiyear contract. Others will simply offer it if you threaten to take your business elsewhere. Regardless, it&rsquo;s not guaranteed to work, but you won&rsquo;t know until you try.</p> <h3 id="use-an-enterprise-password-manager-to-secure-logins">Use an enterprise password manager to secure logins</h3> <p>The whole reason SSO is important to security is that unmanaged passwords are so vulnerable to being hacked, phished, reused, guessed, and forgotten. And an enterprise password manager (EPM) is the <a href="https://blog.1password.com/closing-the-sso-security-gap/">best way to secure passwords</a> for apps that aren&rsquo;t protected by SSO.</p> <p>An EPM like 1Password will automatically create strong, unique passwords for employees and even notify them (via the <a href="https://watchtower.1password.com/">Watchtower</a> feature) if any passwords are weak, duplicated, or have appeared in a data breach.</p> <p>You can also go even further by combining SSO (on the apps you can afford) with an EPM. 
To quote <a href="https://blog.1password.com/closing-the-sso-security-gap/">our blog on the subject</a>:</p> <blockquote> <p>&ldquo;And with <a href="https://support.1password.com/sso/">Unlock 1Password with SSO</a> enabled, admins can extend their existing security policies to everything stored in 1Password. Now those policies apply both to SSO-enabled logins and those that SSO doesn&rsquo;t cover, so things like two-factor authentication requirements can also be applied to unmanaged services.&rdquo;</p> </blockquote> <h2 id="the-sso-tax-isnt-going-anywhere-unless-we-make-it">The SSO tax isn&rsquo;t going anywhere (unless we make it)</h2> <p>So here&rsquo;s where we are: Vendors feel &ldquo;gray hat&rdquo; about charging an SSO tax. Customers feel frustrated about paying it. Onlookers shame vendors for charging it. And still, the SSO tax remains.</p> <p>The SSO tax is one of those interesting quirks of capitalism that show that markets do not always work in everyone&rsquo;s interest. As Orenstein explains, even as his company took the rare stance of not charging the SSO tax: &ldquo;Even with no other benefits, some customers will be forced to choose this option. People will get a little mad at you, but not much, because just about everyone does this.&rdquo;</p> <p>But remember: it wasn&rsquo;t too long ago that &ldquo;just about everyone&rdquo; smoked on airplanes and drove around without seatbelts. That seems crazy now, but it&rsquo;s also important to remember that those things didn&rsquo;t change by themselves. It took a concerted effort to raise awareness and public pressure, and that&rsquo;s what it will take to finally abolish the SSO tax.</p> <p>To see for yourself how 1Password can bolster your security, get started with a <a href="https://start.1password.com/sign-up/business">free 14-day trial of 1Password Business</a>. 
Or, reach out to <a href="https://1password.com/xam/contact-us">request a demo of 1Password Extended Access Management</a>.</p></description></item><item><title>The top three cybersecurity threats facing businesses today</title><link>https://blog.1password.com/top-3-cybersecurity-threats-businesses/</link><pubDate>Wed, 26 Jun 2024 00:00:00 +0000</pubDate><author>info@1password.com (Stacey Harris)</author><guid>https://blog.1password.com/top-3-cybersecurity-threats-businesses/</guid><description> <img src='https://blog.1password.com/posts/2024/top-3-cybersecurity-threats-businesses/header.png' class='webfeedsFeaturedVisual' alt='The top three cybersecurity threats facing businesses today' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">With the global average cost of a data breach being <a href="https://newsroom.ibm.com/2023-07-24-IBM-Report-Half-of-Breached-Organizations-Unwilling-to-Increase-Security-Spend-Despite-Soaring-Breach-Costs">4.45 million USD in 2023</a>, businesses can’t afford to ignore the biggest cybersecurity risks.</p> <p>1Password surveyed 1,500 North American white-collar employees – including 500 IT security professionals – to better understand today’s security landscape. The survey found that security pros are most worried about external threats like phishing or ransomware (36%) and internal threats like shadow IT (36%).</p> <img src='https://blog.1password.com/posts/2024/top-3-cybersecurity-threats-businesses/security-pros-protections-adequate.png' alt='Four out of five figures highlighted in purple, with the caption &#39;Four in five security pros don&#39;t feel their security protections are adequate&#39;.' title='Four out of five figures highlighted in purple, with the caption &#39;Four in five security pros don&#39;t feel their security protections are adequate&#39;.' 
style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>In this post, we dive into the top three cybersecurity threats, how they manifest in a company, and what security professionals can do to combat these common but manageable threats. After all, what is cybersecurity for business if not the ongoing pursuit of staying one step ahead of an ever evolving security landscape?</p> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div class="c-technical-aside-box__description"> <p>Unless noted otherwise, all the stats included in this post are from the <a href="https://1password.com/state-of-enterprise-security-report">2024 1Password State of Enterprise Security Report</a>.</p> </div> </aside> <h2 id="phishing">Phishing</h2> <p><a href="https://blog.1password.com/what-is-phishing-and-how-can-you-protect-your-business/">Phishing</a> is a scam that tries to trick people into giving away sensitive information. Often appearing as a message from a trustworthy source, the sender attempts to fool the receiver into thinking they are sharing credentials, credit cards, or other information with a legitimate source.</p> <p>In our 2024 State of Enterprise Security Report, we found that <strong>61% of employees have been – or have seen a colleague be – the target of a phishing attack from someone posing as a CEO, manager, colleague, vendor, client, or other work associate</strong>. We also found that 18% of employees clicked a link in a suspicious email, showing that not all employees are capable of identifying suspicious emails.</p> <p>With 23% of employees using passwords that follow a similar pattern or are identical, and 19% of employees using the same passwords across multiple work accounts, a single exposed password in a phishing scam can expose the business beyond a single account breach.</p> <p>And those are the stats for the state of phishing right now. 
Phishing scams aren’t anything new, and in fact, they’ve been around since the early nineties. As AI continues to advance, phishing scams are taking on a new level of sophistication, making them harder to spot, even for those who are adept at security. And the speed at which AI can be deployed makes it cost-effective for criminals to target companies of every size, not just enterprise businesses.</p> <img src='https://blog.1password.com/posts/2024/top-3-cybersecurity-threats-businesses/security-pros-concerns%20ai.png' alt='A blue circle with the following statistic in the center: 92% of security pros have security concerns around AI.' title='A blue circle with the following statistic in the center: 92% of security pros have security concerns around AI.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>Implementing multi-factor authentication and increasing employee education about spotting suspicious emails are two of the best ways that businesses can help reduce the risk of phishing scams.</p> <h2 id="ransomware">Ransomware</h2> <p>Ransomware has been around since the late eighties but took the spotlight in 2021 with a <a href="https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-040a">significant uptick in incidents</a>. According to Malwarebytes' new <a href="https://www.prnewswire.com/news-releases/ransomware-attacks-increased-by-68-in-2023-according-to-malwarebytes-new-2024-threatdown-state-of-malware-report-302054116.html">2024 ThreatDown State of Malware Report</a>, ransomware attacks increased by 68% in 2023.</p> <p>If you haven’t already come across it, ransomware is a form of malware that infects a digital system (servers, computers, phones, etc.) and encrypts its data, effectively locking the owner out. 
The criminal will then request a ransom in exchange for the key to decrypt the files and return access.</p> <p>There are many ways ransomware can make it into an organization, including phishing (<a href="https://www.ibm.com/resources/guides/cyber-resilient-organization-study/">45% of ransomware attacks involved phishing</a>), compromised credentials, and criminals hacking into the business through software vulnerabilities.</p> <p>Security professionals admit that they’re struggling to stay on top of the latest patch/update cycles, and often don’t have a way of monitoring if employees are following through with required updates. 1Password found that more than 45% of employees don’t update software immediately upon receiving an alert that they should. These unpatched vulnerabilities can leave companies exposed to a ransomware attack.</p> <img src='https://blog.1password.com/posts/2024/top-3-cybersecurity-threats-businesses/employees-update-software-habits-work.png' alt='A blue circle with the following statistic in the center: 92% of security pros have security concerns around AI.' title='A blue circle with the following statistic in the center: 92% of security pros have security concerns around AI.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>The best defense against ransomware is employing an <a href="https://1password.com/xam/extended-access-management">access management solution</a> that makes sure every identity, device, and application is secure.</p> <h2 id="shadow-it">Shadow IT</h2> <p>Employees are always looking for new tools to help them get the job done. Unfortunately, not all these tools are company approved. 
<a href="https://blog.1password.com/what-is-shadow-it/">Shadow IT</a> refers to the tools, technologies, and devices that are unmanaged by the company.</p> <p>While 92% of security pros say their company policy requires IT approval to download and use software and apps for work, our survey found that one in three employees still chose to use unapproved apps – it’s no wonder shadow IT is in the top three risks worrying IT and security teams.</p> <img src='https://blog.1password.com/posts/2024/top-3-cybersecurity-threats-businesses/employees-lax-security-policies.png' alt='A dial with the following statistic underneath: More than half of employees admit to being lax on their company&#39;s security policies.' title='A dial with the following statistic underneath: More than half of employees admit to being lax on their company&#39;s security policies.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>And part of that worry comes from knowing that they’re limited in what they can do about employees using shadow IT. More than 50% of security pros say they don’t control whether employees follow these policies. Whether the problem is not knowing what shadow IT is in use, or the IT team lacking the ability to enforce policy, the reality is that each new shadow IT app or tool is a potential new threat vector.</p> <p>With each worker using an average of five shadow IT apps, that’s a lot of unmanaged risk. Implementing a password manager helps mitigate the shadow IT risk as it promotes strong password use across accounts that may fall out of the security team&rsquo;s purview. 
It also means that employees will likely lose access to those shadow IT accounts when they’re deprovisioned.</p> <p>To learn more about the security landscape and threats facing businesses, check out 1Password’s <a href="https://1password.com/state-of-enterprise-security-report">State of Access Report 2024</a>.</p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Balancing act: Security and productivity in the age of AI</h3> <p class="c-call-to-action-box__text"> Productivity and security are often in tension. Learn how today’s shifting landscape of hybrid work and AI has affected that tension, and how security professionals and workers are coping. </p> <a href="https://1password.com/state-of-enterprise-security-report?utm_medium=social&amp;utm_source=blog&amp;utm_campaign=annual-report-2024" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Download now </a> </div> </section></description></item><item><title>CISA: Enforcing a password manager protects your business</title><link>https://blog.1password.com/cisa-strong-passwords/</link><pubDate>Tue, 25 Jun 2024 00:00:00 +0000</pubDate><author>info@1password.com (Dominic Garcia)</author><guid>https://blog.1password.com/cisa-strong-passwords/</guid><description> <img src='https://blog.1password.com/posts/2024/cisa-strong-passwords/header.png' class='webfeedsFeaturedVisual' alt='CISA: Enforcing a password manager protects your business' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">The Cybersecurity &amp; Infrastructure Security Agency (CISA) has issued new guidance: <a href="https://www.cisa.gov/secure-our-world/require-strong-passwords">require strong passwords</a>. 
The new guidance highlights the critical role that strong, unique passwords play in preventing breaches – whether personally or professionally.</p> <p>According to CISA:</p> <ul> <li>Small and medium businesses are a regular target for malicious hackers, and a common entry point is stolen or weak passwords.</li> <li>The use of a password manager can keep your business safe.</li> <li>Strong, long, random passwords should be used across all of your personal and business accounts.</li> </ul> <p>While this guidance may seem like common sense, recent research has indicated that weak passwords represent a perpetual risk for organizations and individuals:</p> <ul> <li>61% of employees have poor password practices, like reusing passwords or neglecting to reset the IT-selected defaults (<a href="https://blog.1password.com/productivity-ai-cybersecurity-report/">1Password State of Enterprise Security, 2024</a>)</li> <li>Use of stolen credentials remained the most common ‘action’ in breaches last year (24%), representing 38% of all breaches recorded in 2023 (Verizon Data Breach Report, 2024)</li> <li>More than two-thirds of security pros (69%) say single sign-on (SSO) tools are not a complete solution for securing employees’ identity – highlighting the need for a way to secure logins that exist outside of SSO (<a href="https://blog.1password.com/productivity-ai-cybersecurity-report/">1Password State of Enterprise Security, 2024</a>)</li> </ul> <h2 id="what-does-this-mean-for-businesses">What does this mean for businesses?</h2> <p>In the near term, organizations should review their IT and security guidelines to ensure that secure password best practices are met. 
CISA provides clear guidelines for strong, unique passwords, including:</p> <ul> <li><strong>Length</strong> - Passwords should be at least 16 characters, with longer being better.</li> <li><strong>Random</strong> - Passwords should include a mix of upper and lowercase letters, numbers, and symbols.</li> <li><strong>Unique</strong> - Every account should have a unique password.</li> </ul> <p>Long term, CISA recommends implementing an enterprise password manager that includes a password generator, can store passwords, and can autofill credentials for all of your accounts. This is because password managers play a critical role in enabling employees to create, manage, and use custom, unique, and strong passwords across every application and web sign-in used. The impact is tangible across SMBs and the enterprise:</p> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div class="c-technical-aside-box__description"> <p><strong>For SMBs:</strong> Password managers enable small and medium-sized businesses to secure passwords across all employees, without the need for a dedicated security team or significant investment. Furthermore, password managers can help SMBs meet compliance mandates, such as SOC 2, that are required for selling to many large organizations.</p> <p><strong>For large enterprises:</strong> Enterprise password managers fill a gap that is not covered by SSO or traditional identity and access management (IAM) tools. Where these traditional approaches to IAM help to secure tools that are actively managed by IT and security, tools that are not managed by these teams (due to cost or being shadow IT, for example) are left unsecured. Enterprise password managers provide a path for IT and security teams to secure these unmanaged applications and web logins. 
This Access-Trust Gap is a major part of why we are championing <a href="https://blog.1password.com/introducing-extended-access-management/">extending access management</a>.</p> </div> </aside> <p>Finally, CISA also recommends changing default credentials on all software and hardware products.</p> <h2 id="what-does-this-mean-for-individuals-and-families">What does this mean for individuals and families?</h2> <p>CISA’s guidance goes beyond strong password requirements for businesses, and also recommends the use of strong passwords and a password management solution for personal use. After all, if you use good password practices in one aspect of life, you are more likely to apply it to every aspect of life.</p> <p>Using a personal password manager can help make sure that employees aren’t reusing personal passwords for business purposes, or vice versa. This helps to reduce the risk of a business being compromised in the event that an employee is personally compromised.</p> <h2 id="password-security-additional-considerations">Password security: additional considerations</h2> <p>Going beyond creating and storing passwords, password managers can also provide additional functionality that benefits organizations and consumers. 
The best password managers combine ease of use with streamlined creation and management of passwords.</p> <p>Additional benefits may include:</p> <ul> <li>Protecting additional sensitive information beyond passwords (such as credit card numbers)</li> <li>Syncing of passwords across all devices, major browsers (including Chrome, Firefox, and Safari), and major operating systems (such as Microsoft Windows, iOS, and Android)</li> <li>Secure password sharing with family members or other employees</li> <li>Simplified onboarding and offboarding of employees</li> </ul> <h2 id="how-1password-can-help">How 1Password can help</h2> <p>1Password Password Manager is trusted by over 150,000 businesses and millions of consumers globally to secure and manage their credentials. 1Password Password Manager can help organizations of every size meet the guidelines set forth by CISA:</p> <h3 id="easily-create-and-manage-strong-passwords">Easily create and manage strong passwords</h3> <p>1Password Password Manager can create strong, secure, and random passwords for every sign-in. These passwords can be accessed and autofilled from any device or web browser (typically via browser extensions).</p> <h3 id="set-password-security-policies--including-the-use-of-multi-factor-authentication-mfa-and-passkeys">Set password security policies – including the use of multi-factor authentication (MFA) and passkeys</h3> <p>Organizations can set specific password security policies – such as those set forth by CISA above – to govern how passwords are created and used. 1Password Password Manager also helps with two-factor authentication (2FA) and enables the use of passkeys and biometrics. 
In addition to securing sensitive data, strong password security policies can also help support security audits.</p> <h3 id="prevent-breaches-with-proactive-monitoring">Prevent breaches with proactive monitoring</h3> <p>With Watchtower, 1Password Password Manager enables organizations and individuals to identify if any passwords, emails, or company domains have been compromised.</p> <h3 id="family-account-with-business-account">Family account with business account</h3> <p>Every business license comes with a free family plan for every employee, so every team member can practice strong password management personally and professionally.</p> <p>You can get started addressing CISA’s password guidelines by <a href="https://1password.com/pricing/?utm_ref=blog">signing up for a free 1Password trial</a> or <a href="https://1password.com/contact-us">contacting us</a>.</p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Protect yourself, your family, or your business</h3> <p class="c-call-to-action-box__text"> Keep all of your accounts secure with 1Password, the world’s most trusted password manager. Get started today with a free 14-day trial. </p> <a href="https://1password.com/pricing/?utm_ref=blog" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Try free for 14 days </a> </div> </section></description></item><item><title>Progress on 2SLGBTQIA+ rights isn't always linear. But it's still progress.</title><link>https://blog.1password.com/pride-2024/</link><pubDate>Tue, 25 Jun 2024 00:00:00 +0000</pubDate><author>info@1password.com (Ronan Lyver)</author><guid>https://blog.1password.com/pride-2024/</guid><description> <img src='https://blog.1password.com/posts/2024/pride-2024/header.png' class='webfeedsFeaturedVisual' alt='Progress on 2SLGBTQIA+ rights isn't always linear. 
But it's still progress.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">The month of June is Pride Month, which celebrates 2SLGBTQ+ folks (two-spirit, lesbian, gay, bisexual, transgender, queer plus all the other people that fall under this umbrella). It also honors the <a href="https://www.history.com/topics/gay-rights/the-stonewall-riots">Stonewall Riots</a> and the queer liberation protests of 1969. This year in particular marks the 55th anniversary of the Stonewall Uprising.</p> <p>2SLGBTQ+ issues have never been more important or talked about in North American society. So it&rsquo;s important to take a moment to listen to queer voices. <strong>It’s an opportunity to recognize that while we still have room to grow, we’ve made significant progress since June 28th, 1969.</strong></p> <h2 id="a-brief-timeline-of-progress">A brief timeline of progress</h2> <p>Many people consider Stonewall to have kicked off the 2SLGBTQ+ movement in the United States, though it was preceded by a decade of similar riots. However, Stonewall is considered a major turning point, with Marsha P. Johnson, Sylvia Rivera, and Stormé DeLarverie all playing major roles. June 1970 marked the first Pride Week, remembering the actions of everyone involved in Stonewall and celebrating the culture that grew out of it.</p> <p>There have been some major milestones since then. In May 1990, the World Health Assembly (WHA) stopped classifying homosexuality as a mental illness. Then, in May 2019, the WHA announced gender incongruence, the organization’s preferred term for transgender people, is no longer considered a mental illness.</p> <p>The Canadian Human Rights Act, which handles discrimination in the workplace, was amended twice to include people in the 2SLGBTQ+ community. The first time was in June 1996, when sexual orientation became a protected category. 
The second was in June 2017, when it was expanded to include gender identity and gender expression.</p> <p>In December 2003, the Employment Equality (Sexual Orientation) Regulations went into effect in the UK, making it illegal for employers to discriminate against lesbian, gay, and bi people. It was followed by The Equality Act 2010 in October 2010, which included limited protections for transgender employees. Moving back across the pond, June 15th, 2020 marked the US Supreme Court ruling in favor of employment protections for LGBTQ+ employees.</p> <p>These milestones are significant; however, they were hard-won and are still being challenged to this day. In the US, many laws regarding 2SLGBTQ+ people are created and managed by the state. This means from state to state, laws change greatly. Gay and trans panic defense is still legal in many states, and over 500 anti-trans bills have been proposed in 2024 alone, with 43 of them having been passed. Many of them concern bathroom usage, insurance and medical care as well as prohibition in schools.</p> <p>Similar policy changes have occurred in Canada and the UK. For example, the UK government blocked Scotland from passing gender reform laws last year. These developments show that while progress is being made, there are plenty of challenges and setbacks. Outside of politics, accessing healthcare for 2SLGBTQ+ people in all three countries is significantly difficult, with a lack of providers willing to provide the care and wait times of years to access it.</p> <h2 id="stories-from-1password">Stories from 1Password</h2> <p>1Password prides itself on being able to hear stories from people directly from the community. Through our Pride ERG (Employee Resource Group), we&rsquo;ve learned that while society has made great strides, there&rsquo;s still a long way to go. We also asked people two questions on this topic:</p> <p>What are some of the positive changes you’ve seen in your lifetime/career? 
Are there things you once thought impossible that have come to fruition?</p> <p>Here’s what we heard:</p> <h3 id="kaitlyn-vinson--product-operations">Kaitlyn Vinson – Product Operations</h3> <p>I remember being in my Women &amp; Gender Studies class when gay marriage became legal in the United States and it was electric. While not everyone in the class was part of the LGBTQIA+ community, you could feel the joy and happiness seeping from every corner of the room. It was a really unique experience to be able to celebrate in a space like that.</p> <p>[Another positive change I’ve seen is] WLW<sup id="fnref:1"><a href="#fn:1" class="footnote-ref" role="doc-noteref">1</a></sup> representation in pop culture. Recently, we&rsquo;ve had so many WLW artists come out and release songs that really encompass the sapphic experience. Seeing artists like Chappell Roan, Billie Eilish, and Renee Rapp have such huge successes with their music is so inspiring. It&rsquo;s so nice to listen to a song and really feel what they&rsquo;re singing. (Shoutout to the artists who have been singing about WLW experiences for years like Tegan &amp; Sara)</p> <p>I&rsquo;d love to see a world where we can all just exist and not live in fear. While we&rsquo;ve come a long way as a society, there is still so much hate, misunderstanding, and outright lies being spread about our community. We are just people who want to be able to live our lives authentically and love who we want to love.</p> <h3 id="anonymous-1password-employee">Anonymous 1Password employee</h3> <p>I&rsquo;m ace<sup id="fnref:2"><a href="#fn:2" class="footnote-ref" role="doc-noteref">2</a></sup> and one of the biggest changes I&rsquo;ve seen in my lifetime is LGBTQIA+ visibility. I know a ton of ace people who didn&rsquo;t really realize it was even a thing when they were younger and just felt odd. Even now, there aren&rsquo;t a ton of ace references in pop culture. 
I hope to see an increase in people across the rainbow spectrum being represented in movies, TV, and books. Growing up in the 1990s, if I saw queer people on TV, they were often the punchline and not the leading character. Seeing that change and noticing Hallmark movies get queer leads makes me happier than I can even express. But it can still get better!</p> <h3 id="kelly-calheiros--senior-hr-business-partner">Kelly Calheiros – Senior HR Business Partner</h3> <p>Every day I am reminded of my privilege to live in a country and work for a company where I feel safe bringing my full self to work, which means a great deal to me. However, I recognize that many people in our community, both globally and locally, do not share this experience.</p> <p>Looking ahead to future generations, I hope to see a world where being true to oneself is not just accepted but celebrated, where everyone can live without fear of prejudice or persecution.</p> <h3 id="erin-figueroa---vp-office-of-the-ceo-and-executive-sponsor-of-the-pride-erg">Erin Figueroa - VP, Office of the CEO and Executive Sponsor of the Pride ERG</h3> <p>Leadership comes with great privilege and access, and I strive to use my position to support the continued inclusion and advancement of our 2SLGBTQIA+ ‘Bits. As someone who has benefited from transparency and openness, I bring those values to work every day and ensure every voice around the table is heard and valued.</p> <h2 id="powerful-pride">Powerful Pride</h2> <p>With the 55th anniversary of the Stonewall Uprising, we picked the theme of “Powerful Pride” to celebrate this year at 1Password. Despite the challenges that have been recently surfacing for the 2SLGBTQ+ community, significant progress has been made since June 28th, 1969.</p> <p>Here at 1Password, we stand together in strength and authenticity, celebrating the joy and freedom of living our inner truth. 
This month is about celebration, empowerment, and the power of representation.</p> <p>Let&rsquo;s push for and champion progress, even when it&rsquo;s not always linear.</p> <section class="footnotes" role="doc-endnotes"> <hr> <ol> <li id="fn:1" role="doc-endnote"> <p>WLW is an acronym for woman-loving-woman also known as women who love women.&#160;<a href="#fnref:1" class="footnote-backref" role="doc-backlink">&#x21a9;&#xfe0e;</a></p> </li> <li id="fn:2" role="doc-endnote"> <p>Ace refers to asexual, someone who does not experience sexual attraction to any gender.&#160;<a href="#fnref:2" class="footnote-backref" role="doc-backlink">&#x21a9;&#xfe0e;</a></p> </li> </ol> </section></description></item><item><title>Vulnerability management goes much deeper than patching</title><link>https://blog.1password.com/vulnerability-management-goes-much-deeper-than-patching/</link><pubDate>Mon, 24 Jun 2024 00:00:00 +0000</pubDate><author>info@1password.com (Rachel Sudbeck)</author><guid>https://blog.1password.com/vulnerability-management-goes-much-deeper-than-patching/</guid><description> <img src='https://blog.1password.com/posts/2024/vulnerability-management-goes-much-deeper-than-patching/header.png' class='webfeedsFeaturedVisual' alt='Vulnerability management goes much deeper than patching' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">In 2016, the Large Hadron Collider in Switzerland fell prey to a vicious and devastating attack.</p> <p>The bad actor exploited a vulnerability that researchers at CERN had never considered – small furry animals.</p> <p>Yes, the Large Hadron Collider, the pinnacle of scientific achievement, was shut down by a weasel. The cunning critter infiltrated their systems (crawled into one of their tubes) and executed a targeted attack (chewed up a power cord). 
Research into the Higgs boson was delayed for weeks while they got systems back online.</p> <img src='https://blog.1password.com/posts/2024/vulnerability-management-goes-much-deeper-than-patching/weasel.jpg' alt='A photograph of a &#39;least weasel,&#39; a type of Swiss weasel, crouching on a rock with an alert expression.' title='A photograph of a &#39;least weasel,&#39; a type of Swiss weasel, crouching on a rock with an alert expression.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p><a href="https://wiesel-gesucht.citizenscience.ch/en/mustelids/">Image Source</a></p> <p>Now, in 2024, CERN is more concerned about an increasingly common (and far less adorable) style of attack: ransomware. In a <a href="https://home.cern/news/news/computing/computer-security-hits-are-coming-closer">January blog post</a>, their computer security team wrote that &ldquo;the base question is not &lsquo;if&rsquo; but &lsquo;when&rsquo; CERN will be subject to a ransomware attack.&rdquo;</p> <p>While CERN knows (better than most) that it&rsquo;s impossible to protect against every threat that weasels its way into your systems, their plan to guard against ransomware gangs hinges on good old-fashioned vulnerability management tactics.</p> <p>And they&rsquo;re not alone. The concept of vulnerability management has been around for a while, but in the last few years it&rsquo;s been steadily gaining momentum and interest, in part due to tougher laws and compliance standards.</p> <p>But for this wave of investment in vulnerability management to actually translate to better security, it has to go deeper than check-box compliance. 
And that starts with establishing a shared definition of what vulnerability management actually means.</p> <h2 id="what-is-vulnerability-management">What is vulnerability management?</h2> <p>Vulnerability management is the continuous process of analyzing systems for flaws that might make them vulnerable to attack, and then managing those vulnerabilities.</p> <h3 id="vulnerability-management-vs-risk-management">Vulnerability management vs risk management</h3> <p>Vulnerability management is a segment of <a href="https://www.techtarget.com/searchsecurity/tip/Vulnerability-management-vs-risk-management-compared"><strong>risk management</strong></a> (to the point that many of our sources use the terms interchangeably). But the general agreement is that vulnerability management is more specifically focused on the IT and cybersecurity risks posed to an organization, while risk management includes physical and other categories of threat.</p> <p>But forgive us while we open a taxonomical can of worms. Because the word &ldquo;vulnerability&rdquo; is used to mean a few things when it comes to computing.</p> <img src='https://blog.1password.com/posts/2024/vulnerability-management-goes-much-deeper-than-patching/compliance-definitions.png' alt='A screenshot of the wikipedia page listing different definitions of &#39;vulnerability&#39; in the computing sense.' title='A screenshot of the wikipedia page listing different definitions of &#39;vulnerability&#39; in the computing sense.' 
style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>The National Institute of Standards and Technology <a href="https://csrc.nist.gov/glossary/term/vulnerability">(NIST) defines</a> vulnerability as: &ldquo;Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source.&rdquo;</p> <p>&ldquo;Vulnerability,&rdquo; by this definition, would encompass an intimidating number of weaknesses that attackers could exploit. Unmanaged devices, <a href="https://blog.1password.com/how-to-protect-yourself-from-password-reuse-attacks/">reused passwords</a>, employees' <a href="https://www.pcgamer.com/minecraft-exploit-makes-it-completely-dangerous-to-play-with-unpatched-mods-right-now/">unpatched Minecraft mods</a>, shadow IT &hellip; you get the idea. All of these things, and more, could let bad actors compromise your systems.</p> <p>But when people use the word in the context of a &ldquo;vulnerability database,&rdquo; like the &ldquo;Common Vulnerabilities and Exposures&rdquo; (CVE) program, they&rsquo;re talking about something very specific.</p> <p>In their case, they&rsquo;re referring to what <a href="https://csrc.nist.gov/glossary/term/software_vulnerability">NIST would instead define as</a> a Software Vulnerability: &ldquo;A security flaw, glitch, or weakness found in software code that could be exploited by an attacker (threat source).&rdquo;</p> <p><em>Software</em> vulnerabilities generally fall under the umbrella of <a href="https://www.kolide.com/blog/the-real-world-challenges-of-patch-management">patch management</a>.</p> <aside class="c-technical-aside-box c-technical-aside-box--background" aria-labelledby="patch-management-vs-vulnerability-management"> <h2 class="c-technical-aside-box__title" id="patch-management-vs-vulnerability-management"> Patch management vs vulnerability management </h2> <div class="c-technical-aside-box__description"> 
<p>Patch management is the process of applying updates that vendors release to close up code flaws that they&rsquo;ve found in their software. It&rsquo;s <a href="https://www.ibm.com/topics/patch-management">sometimes considered</a> to be a subset (note, not the entirety) of vulnerability management.</p> </div> </aside> <p>For the purposes of this article, when we&rsquo;re referring to the patchable style of vulnerability, we&rsquo;ll use the term &ldquo;software vulnerability.&rdquo; But when we talk about vulnerability on the whole, we&rsquo;ll be taking a broader view on the wide range of issues that can let bad actors breach systems.</p> <p>It&rsquo;s important to make this distinction; the CVE program, and with it the practice of vulnerability management as we know it, started <a href="https://www.cve.org/About/History">in 1999</a>. Back then, there weren&rsquo;t nearly as many remote workers to account for, and &ldquo;cloud&rdquo; was just a word for those puffy things in the sky. IT teams could <a href="https://vulcan.io/resources/new-vulnerability-management-then-and-now-a-brief-history/">manually patch</a> most vulnerabilities as they trickled in.</p> <p>But since then, the number of software vulnerabilities that the CVE program lists per year has increased <a href="https://www.redhat.com/en/blog/patch-management-needs-a-revolution-part-2">by 3,100%</a>. Meanwhile, bad actors have tons of new avenues (like phishing, SIM swapping, etc.) to compromise systems. 
When you&rsquo;re looking at a modern business with hundreds or even thousands of applications and endpoints, vulnerabilities could <a href="https://www.youtube.com/watch?v=Sazc2J5MO7M">pop up</a> just about anywhere.</p> <p>The way we work has changed, and as IT and security teams have struggled to keep up with the pace of patching, they&rsquo;ve struggled even more to broaden their scope and account for systemic vulnerabilities.</p> <h2 id="the-nist-framework">The NIST framework</h2> <p>In an attempt to help bring some order to the chaos, 2014 saw the introduction of the National Institute of Standards and Technology (NIST) <a href="https://www.nist.gov/cyberframework">Cybersecurity Framework</a> (CSF). <a href="https://www.nist.gov/cyberframework/history-and-creation-framework">It sought to</a> lay out successful techniques to help owners and providers of critical infrastructure “identify, assess, and manage cyber risk.”</p> <p>“Critical infrastructure,” like “vulnerability,” is a pretty broad term. Hospitals and manufacturers, for example, work at different scales and manage different types of data; the framework needed to be able to serve a variety of tech and organizational needs.</p> <p>The NIST framework wasn’t designed to be <a href="https://www.cisco.com/c/dam/en/us/products/collateral/security/nist-cybersecurity.pdf">an instruction manual</a>. Instead, it’s meant to provide a flexible structure for cybersecurity programs, with the understanding that different companies and services have different needs and demands to keep data secure.</p> <p>After some serious deliberating, NIST arrived at a framework with five <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.29.pdf">core functions</a>. 
In the briefest summary possible, they were:</p> <ul> <li>Identify: Understand your company’s assets and their vulnerabilities.</li> <li>Protect: Secure those assets and lower their risk from attack.</li> <li>Detect: Have systems in place to alert your teams to signs of compromise.</li> <li>Respond: Have systems in place to contain attacks when they happen.</li> <li>Recover: Have a way to recover data and systems that are lost or compromised.</li> </ul> <p>The NIST framework is a loose but reasonable way to better understand the objectives that need to happen for your vulnerability management program to work.</p> <h2 id="vulnerability-management-for-compliance">Vulnerability management for compliance</h2> <p>In a <a href="https://l.vulcan.io/hubfs/Infographics/Pulse%20research%20project%20-%202021-07-23%20-%20How%20are%20Businesses%20Mitigating%20Cyber%20Risk.pdf">2021 survey</a> of cybersecurity leaders, only 33% said that vulnerability management was “very important” to their organization. That’s an especially troubling statistic, since 77% <em>also</em> said that an IT security vulnerability had impacted their business that year.</p> <p>However, in a similar <a href="https://files.scmagazine.com/wp-content/uploads/2023/07/1658.pdf">2023 survey</a>, 50% of respondents said that their organization’s vulnerability management program had support from leadership to “a large/great extent.”</p> <p>The problems of vulnerability management have been mounting for decades, so why is it suddenly starting to get the attention it deserves?</p> <p>While we’d love to say it’s because CEOs recognized the rising <a href="https://cybersecurityventures.com/hackerpocalypse-cybercrime-report-2016/">costs and frequency</a> of cyberattacks, it’s only <em>partially</em> that. 
The other force driving companies to step up security is compliance.</p> <p>Uncle Sam <a href="https://www.cisa.gov/topics/cybersecurity-best-practices/executive-order-improving-nations-cybersecurity">wants companies to reduce vulnerabilities</a>. And he wants it done pretty sharpish. The Biden administration has made its <a href="https://www.whitehouse.gov/oncd/briefing-room/2024/03/04/national-cybersecurity-strategy-one-year/">National Cybersecurity Strategy</a> a major priority, and this push from the top has driven more than a few recent updates to vulnerability management regulatory requirements.</p> <p>Here’s a non-comprehensive sampling of some recent compliance changes:</p> <h3 id="payment-card-industry-data-security-standard-pci-dss">Payment Card Industry Data Security Standard (PCI DSS)</h3> <p>Long ago, in the year 2004, five major credit card companies (Visa, Mastercard, Discover, JCB, and American Express) combined forces. Why? They were sick of losing money to <a href="https://www.tidalcommerce.com/learn/merchant-levels-of-pci-compliance#:~:text=Between%201988%20and%201998%2C%20Visa,dollars%20in%20transactions%20recorded%20annually.">credit card fraud</a>.</p> <p>They came up with security compliance standards that they would apply to any company that processed, stored, or transmitted consumer credit card data.</p> <p>The <a href="https://www.davidfroud.com/wp-content/uploads/2016/07/PCI-DSS-v1.0.pdf">first version</a>, among other guidelines, mandated that compliant companies “maintain a vulnerability management program” (the requirements are the same for everyone; what varies with a company’s transaction volume is how compliance has to be validated).</p> <p>The current major version, <a href="https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Standard/PCI-DSS-v4_0.pdf">version 4.0</a>, arrived in March 2022 (a limited revision, 4.0.1, followed in June 2024). 
This includes several updates to their vulnerability management guidelines:</p> <ul> <li>Companies now need to explicitly state how frequently they re-evaluate system components that were previously defined as “not at risk for malware.”</li> <li>The frequency of malware scans must now be explained in the company’s risk analysis guidelines.</li> <li>Anti-malware solutions must now include the ability to scan or analyze when removable electronics are connected.</li> <li>Processes or mechanisms must now be in place to guard against phishing attacks.</li> <li>Companies that authenticate with passwords must require a minimum password length of twelve characters.</li> </ul> <p>These, and other changes, are becoming assessment requirements on <a href="https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Standard/PCI-DSS-v4_0.pdf">March 31st, 2025</a>.</p> <h3 id="iso-27001-and-27002">ISO 27001 and 27002</h3> <p>ISO 27001 comes to us from the <a href="https://www.iso.org/about-us.html">International Organization for Standardization</a> (ISO). Despite their <a href="https://www.kolide.com/blog/what-you-need-to-know-about-iso-27000-standards">confusing abbreviation system</a>, ISO standards are a source of truth for various international industries.</p> <p>ISO 27001 and 27002 were made to create a standard around information security management systems (ISMS). ISO 27001 establishes the requirements, and <a href="https://www.iso.org/standard/75652.html">ISO 27002</a> establishes the objectives and practices to achieve those requirements.</p> <p>They were first published in 2005, and the latest update to the standards <a href="https://www.iso.org/standard/27001">came in 2022</a>. A lot of these updates regard ISO changing and condensing their terminology around their old requirements. But there are some notable <a href="https://www.isms.online/iso-27002/#:~:text=What%20has%20changed%20in%20ISO,be%20applied%20throughout%20an%20organisation.">new additions</a>. 
As a sample:</p> <ul> <li>Organizations need to maintain a level of threat intelligence around current and future cyberattacks.</li> <li>Companies should maintain a policy that deletes user, customer, and employee data when it is no longer needed.</li> <li>A series of data masking techniques are advised to protect personally identifiable information.</li> <li>Companies need to implement technical measures to prevent data leakage.</li> </ul> <p>After <a href="https://www.cbh.com/guide/articles/iso-270012022-transition-what-you-need-to-know/">April 30th, 2024</a>, any company seeking a new ISO 27001 certification has to meet the 2022 version of the standard (ISO 27002 is the companion guidance and isn’t itself certified against). And companies already certified against the 2013 version need to transition to the new standard by October 31st, 2025.</p> <h3 id="security-and-exchange-commision-sec-regulation">Securities and Exchange Commission (SEC) regulation</h3> <p><a href="https://www.sec.gov/news/press-release/2023-139">In July of 2023</a>, the SEC adopted rules requiring registrants to describe their cybersecurity risk management, strategy, and governance in their annual reports. The rule speaks of “material risks from cybersecurity threats” rather than “vulnerabilities,” but in the broad sense this article uses, it’s the same thing.</p> <p>This includes things like:</p> <ul> <li>Processes for assessing, identifying, and managing material risks from cybersecurity threats.</li> <li>Describing whether any such risks have materially affected, or are reasonably likely to materially affect, the company.</li> <li>Describing the oversight the company’s board of directors has over those risks.</li> <li>Describing the role management plays in assessing and managing them.</li> </ul> <p>These disclosures are required in annual reports for fiscal years ending on or after December 15th, 2023.</p> <h3 id="nist">NIST</h3> <p>Remember NIST? 
In February of 2024, they updated their Cybersecurity Framework to <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.29.pdf">version 2.0.</a> The biggest change was to add a new function:</p> <ul> <li>Govern: Establish, communicate, and monitor the organization’s cybersecurity risk management strategy, expectations, and policy.</li> </ul> <p>This function is all to do with organizations making sure that their cybersecurity risk management strategy, and its expectations and goals, are being established, communicated, and monitored effectively.</p> <p>Later in the document, NIST more explicitly states that this function’s success falls to executives. They even specifically place this function in the center of their new graphics, because “it informs how an organization will implement the other five Functions.”</p> <img src='https://blog.1password.com/posts/2024/vulnerability-management-goes-much-deeper-than-patching/nist-framework.jpg' alt='A graphic from the NIST CSF 2.0.' title='A graphic from the NIST CSF 2.0.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>While the CSF itself is voluntary for most private-sector companies, it is <em>referenced</em> in many other compliance guidelines. The NIST functions are a gold standard for vulnerability management. And a keen reader will notice that &ldquo;strategic communication&rdquo; is becoming a bit of a must-have in meeting standards.</p> <p>The trouble with NIST, and similar guidelines, is that they establish <em>what</em> needs to be done, without much guidance on <em>how</em> to do it.</p> <h3 id="beyond-check-box-compliance">Beyond check-box compliance?</h3> <p>Compliance standards are certainly <a href="https://www.thebusinessresearchcompany.com/report/security-and-vulnerability-management-global-market-report">helpful</a> in getting companies to prioritize vulnerability management. 
But in a 2020 interview, Charles Henderson, head of IBM&rsquo;s cybersecurity services team, <a href="https://www.darkreading.com/vulnerabilities-threats/firms-still-struggle-to-prioritize-security-vulnerabilities">summarized the problem</a> with compliance being the primary driver of change: &ldquo;Organizations are focused on meeting compliance requirements with vulnerability management rather than actually eliminating the vulnerabilities.&rdquo;</p> <p>Companies could afford to just check the boxes when there were fewer consequences for getting breached. But new laws, like CPRA, come with <a href="https://usercentrics.com/knowledge-hub/california-privacy-rights-act-cpra-enforcement-begins/">financial penalties</a> for negligence. Doing due diligence to reduce breaches requires more thorough methods to manage vulnerabilities.</p> <h2 id="elements-of-vulnerability-management">Elements of vulnerability management</h2> <p>The process of finding and remediating vulnerabilities is typically called &ldquo;the vulnerability management lifecycle.&rdquo; It&rsquo;s worth researching the cycle that will best fit your company, but a <em>typical</em> version, as described by <a href="https://www.ibm.com/blog/vulnerability-management-lifecycle/">IBM</a> and <a href="https://www.crowdstrike.com/cybersecurity-101/vulnerability-management/vulnerability-management-lifecycle/">Crowdstrike</a>, would be something like:</p> <ol> <li>Assess your assets and their vulnerabilities.</li> <li>Prioritize vulnerabilities.</li> <li>Resolve vulnerabilities.</li> <li>Rescan and verify that they&rsquo;re resolved.</li> <li>Improve your systems and their defenses.</li> </ol> <p>Anyone in IT or security can tell you that each stage alone is just the tip of a <em>pretty humongous</em> iceberg–and <a href="https://de.tenable.com/blog/successfully-presenting-vulnerability-data-to-management">executives might not get</a> why you&rsquo;re tightening bolts on an &ldquo;unsinkable&rdquo; ship.</p> <img 
src='https://blog.1password.com/posts/2024/vulnerability-management-goes-much-deeper-than-patching/titanic-submersible-oceangate-illustration-andrea-gatti.jpg' alt='A picture of the wreckage of the Titanic lying at the bottom of the ocean.' title='A picture of the wreckage of the Titanic lying at the bottom of the ocean.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p><a href="https://mollybrown.org/dust-to-dust-the-titanic-today-and-in-the-future/">Image Source</a></p> <p>So the <em>real</em> first step in vulnerability management is getting <a href="https://www.niscicb.com/LatestResults.html">buy-in from leadership</a>, which you can hopefully do by sending them a steady stream of data breach horror stories.</p> <h3 id="assess-your-assets-and-their-vulnerabilities">Assess your assets and their vulnerabilities</h3> <p>Once you have the buy-in you need, the first official step of vulnerability management is to assess your assets and their vulnerabilities.</p> <p><a href="https://www.techtarget.com/searchsecurity/tip/Types-of-vulnerability-scanning-and-when-to-use-each">Vulnerability scanners</a> are seeing a <a href="https://www.tenable.com/analyst-research/idc-worldwide-device-vulnerability-management-market-share-report-2022">lot of growth</a> in response to all of the recent changes. These programs scan your company&rsquo;s assets and compare them against databases of known software vulnerabilities, like the aforementioned CVE list.</p> <p>Overall, this software is solid. Their signature databases can <a href="https://www.techtarget.com/searchsecurity/tip/Types-of-vulnerability-scanning-and-when-to-use-each">lag behind</a> newly published CVEs, and an unauthenticated network scan sees far less than one that can log in to the host, but most of them do the job they set out to do, so long as your team knows what they need to scan. 
But what about the devices and applications you <em>don&rsquo;t</em> know about?</p> <p><strong>Challenge:</strong></p> <p>Asset management is one of the most crucial steps in understanding your cybersecurity risks. That means getting an inventory of your assets. <a href="https://www.kolide.com/blog/can-byod-policies-be-compatible-with-good-security"><em>All of them.</em></a></p> <p>Companies struggle with this. Our own recent study found that <a href="https://www.kolide.com/blog/unmanaged-devices-run-rampant-in-47-of-companies">47% of companies</a> still let employees access company resources from unmanaged devices. And when employees are using unmanaged devices, that means that unapproved apps and other shadow IT might be accessing your systems without your knowledge. Those unseen apps aren&rsquo;t subject to vulnerability scans–or to any data oversight–and they can introduce a lot of vulnerabilities to your ecosystem.</p> <p>If there&rsquo;s a known exploit on an application that accesses sensitive data, you desperately need to make sure it&rsquo;s getting patched. But you can&rsquo;t do that if you don&rsquo;t know it&rsquo;s there.</p> <p>And when you consider that employees might be using <em>multiple</em> personal devices to access your systems, and that those devices might have <em>multiple</em> vulnerable applications lurking on them, then you start to see the &ldquo;<a href="https://en.wikipedia.org/wiki/The_Trouble_with_Tribbles">trouble with tribbles</a>&rdquo; issue of unmanaged assets. 
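</p> <p>One concrete way to surface those unseen devices is to join the identity provider’s sign-in log against the managed-device inventory: anything that authenticates to a company app but isn’t enrolled is, by definition, outside the reach of your scanners. The Python below is an added example for this article, not code from 1Password or Kolide. The inventory rows, the JSON-lines sign-in events, the serial numbers, and the field names are all constructed for the example; real MDM and identity-provider exports use their own schemas, so treat the field names as assumptions to map onto yours.</p>

```python
"""Find devices that reach company apps but are absent from the managed-device inventory.

Added example for this article, not 1Password's or Kolide's code. It joins a
constructed MDM-style inventory export against a constructed identity-provider
sign-in log (JSON lines) on a hardware serial. Serials, users, and field names
are assumptions; map them onto whatever your MDM and IdP actually export.
"""
import json
from collections import defaultdict

# Constructed inventory export: one row per enrolled device, keyed by serial.
INVENTORY = [
    {"serial": "C02XK1ABJGH5", "owner": "alice@example.com", "os": "macOS 14.5"},
    {"serial": "5CD1234XYZ", "owner": "bob@example.com", "os": "Windows 11 23H2"},
]

# Constructed IdP sign-in log. A null device_serial means the IdP could not tie
# the session to any hardware (no agent, no device certificate).
SIGNIN_LOG = """
{"ts": "2024-06-03T09:01:12Z", "user": "alice@example.com", "app": "Jira", "device_serial": "C02XK1ABJGH5", "ua": "Mozilla/5.0 (Macintosh)"}
{"ts": "2024-06-03T09:14:40Z", "user": "bob@example.com", "app": "GitHub", "device_serial": "5CD1234XYZ", "ua": "Mozilla/5.0 (Windows NT 10.0)"}
{"ts": "2024-06-03T12:30:05Z", "user": "bob@example.com", "app": "Jira", "device_serial": "R58M70ABCDE", "ua": "Mozilla/5.0 (Linux; Android 13)"}
{"ts": "2024-06-03T22:47:51Z", "user": "bob@example.com", "app": "Salesforce", "device_serial": "R58M70ABCDE", "ua": "Mozilla/5.0 (Linux; Android 13)"}
{"ts": "2024-06-04T08:02:19Z", "user": "carol@example.com", "app": "GitHub", "device_serial": null, "ua": "Mozilla/5.0 (Macintosh)"}
{"ts": "2024-06-04T08:05:33Z", "user": "carol@example.com", "app": "Jira", "device_serial": "DMPW1XYZ9", "ua": "Mozilla/5.0 (iPhone; iOS 17)"}
"""


def parse_signins(log_text):
    """Parse JSON-lines sign-in events, skipping blank lines."""
    return [json.loads(line) for line in log_text.splitlines() if line.strip()]


def find_unmanaged(inventory, events):
    """Map each user to the unenrolled devices they signed in from and the apps reached.

    Sessions with no serial are keyed by a marker plus the user agent so they
    are still counted: a session the IdP cannot attribute to hardware is a gap too.
    """
    managed = {row["serial"] for row in inventory}
    seen = defaultdict(lambda: defaultdict(set))
    for ev in events:
        serial = ev.get("device_serial")
        if serial is None:
            key = "UNIDENTIFIED:" + ev["ua"]
        elif serial in managed:
            continue
        else:
            key = serial
        seen[ev["user"]][key].add(ev["app"])
    return {user: {k: sorted(apps) for k, apps in devs.items()} for user, devs in seen.items()}


def summarize(report):
    """One line per user, most unmanaged devices first, with the apps those devices reached."""
    rows = []
    for user, devs in sorted(report.items(), key=lambda kv: -len(kv[1])):
        apps = sorted({app for names in devs.values() for app in names})
        rows.append(f"{user}: {len(devs)} unmanaged device(s) reaching {', '.join(apps)}")
    return rows


if __name__ == "__main__":
    for row in summarize(find_unmanaged(INVENTORY, parse_signins(SIGNIN_LOG))):
        print(row)
```

<p>Run it and the summary lists each user with unmanaged devices, most devices first, along with the apps those devices reached; a session with no device identifier at all is reported as well, since the identity provider couldn’t tie it to any hardware. 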
Your team can&rsquo;t protect what they can&rsquo;t see.</p> <h3 id="prioritize-vulnerabilities">Prioritize vulnerabilities</h3> <p>Getting a complete inventory of your company&rsquo;s assets is hard enough, but prioritizing which vulnerabilities need to be fixed is an even tougher challenge.</p> <p>For starters, the number of new <a href="https://www.statista.com/statistics/500755/worldwide-common-vulnerabilities-and-exposures/">listed CVEs</a> grows every year, even while teams are still struggling to patch their <a href="https://www.nsa.gov/Press-Room/Press-Releases-Statements/Press-Release-View/Article/3481350/cisa-nsa-fbi-and-international-partners-issue-advisory-on-the-top-routinely-exp/">backlog from previous years</a>. Teams are often swamped with a <em>very</em> long list of software vulnerabilities to patch and update.</p> <p>But frankly &hellip; a lot of those software vulnerabilities aren&rsquo;t a huge deal. In fact, the vast majority of them don&rsquo;t pose any immediate threat. In 2023, <a href="https://www.statista.com/statistics/500755/worldwide-common-vulnerabilities-and-exposures/">more than 25,000 CVEs</a> were published, but <a href="https://www.darkreading.com/cyber-risk/how-to-measure-patching-and-remediation-performance">DarkReading found</a> that &ldquo;7,786 vulnerabilities had potential exploits, but just 159 had weaponized exploit code, and only 93 were exploited by malware.&rdquo;</p> <p>It&rsquo;s like how your front door is vulnerable to being knocked open by a rhinoceros. It&rsquo;s technically true, but you&rsquo;d still focus on a security system that could stop the much more likely human attacker, rather than getting rhino-proof armor. 
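</p> <p>Ranking by likelihood of exploitation rather than by raw count is something you can actually compute. The Python below is an added example for this article, not 1Password’s or any scanner vendor’s code. It assumes each scanner finding has already been enriched with two signals a team would normally pull from outside: whether the CVE is on a known-exploited list such as CISA’s KEV catalog, and an exploit-probability estimate such as an EPSS score between 0 and 1. The findings, asset names, and CVE identifiers (the CVE-0000-* ids are placeholders, not real CVEs) are constructed for the example, and the tier thresholds are one reasonable policy, not a standard.</p>

```python
"""Rank scanner findings by likelihood of exploitation, not by CVSS alone.

Added example for this article, not 1Password's or any vendor's code. Assumes
each finding was enriched beforehand with a known-exploited flag (e.g. CISA KEV)
and an exploit-probability estimate (e.g. EPSS, 0 to 1). The CVE ids below are
placeholders (CVE-0000-*), not real CVEs; all findings are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    cve: str
    asset: str
    cvss: float              # CVSS base score, 0 to 10
    epss: float              # estimated probability of exploitation, 0 to 1
    in_kev: bool             # listed as known-exploited
    internet_facing: bool    # reachable without being on the corporate network
    sensitive_data: bool     # asset stores or processes regulated or sensitive data


# Tier thresholds are a sample policy (an assumption), not an industry standard.
EPSS_LIKELY = 0.10
CVSS_CRITICAL = 9.0


def tier(f):
    """Coarse bucket plus a human-readable reason; a lower number means work it sooner."""
    if f.in_kev:
        return 0, "fix now: actively exploited in the wild"
    if f.epss >= EPSS_LIKELY:
        return 1, "fix this cycle: exploitation likely"
    if f.cvss >= CVSS_CRITICAL and f.internet_facing:
        return 2, "schedule: critical severity and reachable from the internet"
    return 3, "backlog: low likelihood of exploitation"


def score(f):
    """Within a tier, weight severity by exposure so reachable, sensitive assets rise.

    epss is floored at 0.01 so a finding with no exploit data still gets a
    nonzero score and can be ordered by severity and exposure alone.
    """
    exposure = 1.0
    if f.internet_facing:
        exposure += 1.0
    if f.sensitive_data:
        exposure += 0.5
    return f.cvss * exposure * max(f.epss, 0.01)


def prioritize(findings):
    """Return (cve, asset, reason) tuples in the order they should be worked."""
    ranked = sorted(findings, key=lambda f: (tier(f)[0], -score(f)))
    return [(f.cve, f.asset, tier(f)[1]) for f in ranked]


# Constructed scanner output after enrichment. Note the CVSS 10.0 on an internal
# build agent: highest severity, but no exploit signal and no exposure.
FINDINGS = [
    Finding("CVE-0000-0001", "vpn-gateway-01", 9.8, 0.95, True, True, True),
    Finding("CVE-0000-0002", "build-agent-07", 10.0, 0.02, False, False, False),
    Finding("CVE-0000-0003", "web-app-prod", 7.5, 0.35, False, True, True),
    Finding("CVE-0000-0004", "hr-portal", 9.1, 0.04, False, True, True),
    Finding("CVE-0000-0005", "laptop-browser", 8.8, 0.60, True, False, False),
    Finding("CVE-0000-0006", "intranet-wiki", 5.3, 0.01, False, False, False),
]


if __name__ == "__main__":
    for n, (cve, asset, reason) in enumerate(prioritize(FINDINGS), 1):
        print(f"{n}. {cve} on {asset}: {reason}")
```

<p>The ordering is the point: the CVSS 10.0 on an internal build agent with no known exploit lands in the backlog, while a 7.5 with a high exploit probability on an internet-facing app gets worked this cycle. 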
Most teams prioritize patch updates according to the ones that are <a href="https://l.vulcan.io/hubfs/Infographics/Pulse%20research%20project%20-%202021-07-23%20-%20How%20are%20Businesses%20Mitigating%20Cyber%20Risk.pdf">most likely to be exploited</a>.</p> <p><strong>Challenge:</strong></p> <p>But this is where it&rsquo;s important to again differentiate vulnerability management from the much narrower concept of patch management. Even if, somehow, your team were able to get every piece of software on every device patched, exploiting a software vulnerability showed up in only <a href="https://www.verizon.com/business/resources/reports/dbir/2023/results-and-analysis-intro/">5% of breaches</a> in Verizon&rsquo;s 2023 DBIR.</p> <p>If teams were to prioritize <em>all</em> vulnerabilities based on how likely they are to be exploited, they&rsquo;d have to take a much broader view on their organization. The <a href="https://www.verizon.com/business/resources/reports/dbir/2023/results-and-analysis-intro/#:~:text=the%20presence%20of%20the%20Exploit%20vuln%20action%20has%20kept%20stable%20in%20incidents%20and%20is%20actually%20less%20prominent%20in%20breaches%2C%20dropping%20from%207%25%20to%205%25"><em>overwhelming</em> majority</a> of breaches stem from things like phishing, stolen credentials, or other human elements.</p> <p>That&rsquo;s not to say that timely updates aren&rsquo;t important, but that they wind up as a sort of easily quantifiable smokescreen for vulnerability management.</p> <h3 id="resolve-vulnerabilities">Resolve vulnerabilities</h3> <p>Next, teams are meant to resolve their list of vulnerabilities. That might mean fixing them, updating software, putting a compensating control in front of them, or formally accepting the risk (and recording that decision, so the finding doesn&rsquo;t just get silently ignored).</p> <p><strong>Challenge:</strong></p> <p>The trouble we face is that problems with the human element are a lot trickier to resolve at an organizational level.</p> <p>Patch management, as overwhelming as it can become, is at least straightforward. 
Meanwhile, more abstract vulnerabilities like <a href="https://www.bloomberg.com/news/articles/2021-06-04/hackers-breached-colonial-pipeline-using-compromised-password">shoddy user verification</a> or <a href="https://marketplace.org/2023/10/31/are-your-companys-cybersecurity-trainings-a-waste-of-your-time/">lackluster security training</a> abound.</p> <p>Similarly, even as security companies warn about bad actors social engineering their way to <a href="https://thehackernews.com/2023/09/okta-warns-of-social-engineering.html">super-administrator credentials</a>, leading to devastating ransomware attacks, Capterra reported in 2023 that <a href="https://www.capterra.com/resources/insider-attacks/#:~:text=In%20other%20words%2C%20employees%20should,all%20company%20data%20(12%25).">43% of companies</a> let employees access far more data than they need for their job.</p> <p>But finding and resolving these vulnerabilities requires more than a patch rollout.</p> <h3 id="verify-that-vulnerabilities-are-resolved">Verify that vulnerabilities are resolved</h3> <p>The next stage of the lifecycle is to verify that the fix has repaired the vulnerability. For patching purposes, that just means running another scan.</p> <p><strong>Challenge:</strong></p> <p>More abstract systematic changes, however, rarely lead to a satisfying checkbox.</p> <p>Measuring how successful cybersecurity awareness programs are, for instance, is a <a href="https://www.techtarget.com/searchsecurity/tip/Cybersecurity-employee-training-How-to-build-a-solid-plan">constant moving target</a> and requires frequent adjustments. 
Any other procedural change is likely to involve similar long-term effort to verify that methods are working.</p> <h3 id="improve-systems">Improve systems</h3> <p>The final stage of the lifecycle is meant to be focused around improving company systems and their resilience to vulnerabilities.</p> <p><strong>Challenge:</strong></p> <p>According to a <a href="https://files.scmagazine.com/wp-content/uploads/2023/07/1658.pdf">2023 report</a>, only 34% of IT and security professionals said they felt confident that their VM program had eliminated the gaps that can be exploited by attackers.</p> <p>As one of the anonymous respondents put it: &ldquo;Some vulnerabilities require a lot more than just patching and updating. These ones are harder to get support from management.&rdquo;</p> <p>Patchable vulnerabilities receive an outsized focus. And by now, it&rsquo;s pretty clear why. They&rsquo;re just more straightforward.</p> <p>But when IT teams are stuck with all of their focus placed on playing the single-vulnerability patch management game, they get in a never-ending cycle of playing catch up (or &ldquo;patch up&rdquo;). And much more vital security issues continue to not receive the attention or resources that they need.</p> <h2 id="improving-vulnerability-management-with-zero-trust">Improving vulnerability management with zero trust</h2> <p>Now that we&rsquo;ve established that (if you&rsquo;re doing it right) vulnerability management is <em>really hard</em>, let&rsquo;s look at some practical ways that companies can manage its challenges.</p> <p>Fair warning that we&rsquo;ll be referencing our own product, 1Password Extended Access Management, fairly heavily in this section. But we could never pretend that one tool (even our super awesome one) is capable of fixing all the problems plaguing vulnerability management.</p> <p>Still, Zero Trust can genuinely help companies refocus their efforts and reduce their attack surface. 
In fact, in 2018, Forrester research cited by Centrify estimated that Zero Trust Architecture could reduce an organization&rsquo;s risk exposure by <a href="https://www.centrify.com/about-us/news/press-releases/2018/respondents-with-zero-trust-models-leveraging-next-gen-access-report-reduced-overall-risk-and-lower-security-related-costs/">37% or more</a>. And the logic behind that statistic is sound.</p> <h3 id="use-device-trust-to-manage-apps-and-assets">Use device trust to manage apps and assets</h3> <p>Teams need to know what devices are accessing company apps and data, and whether those devices are secure. That&rsquo;s the basic principle behind device trust.</p> <p>1Password Extended Access Management uses its built-in device trust solution to ensure that only known and secure devices can access company systems and sensitive apps. That means no unmanaged mobile devices or unenrolled BYOD hardware will be able to bring unseen vulnerabilities into your systems.</p> <p>More than that, our device trust solution is built to also offer insight into managed and unmanaged applications on employee devices. For instance, your team likely needs some way of ensuring that employees who use the ChatGPT macOS app are only using it from their enterprise account (as their personal accounts could introduce data leakage vulnerabilities). Thankfully, 1Password Extended Access Management has <a href="https://blog.1password.com/two-checks-chatgpt-macos-app/">checks built</a> to make sure of just that.</p> <p>And that&rsquo;s just one example. 
We have more than a hundred <a href="https://www.kolide.com/docs/using-kolide/checks">pre-built checks</a>, and your team can also build custom checks to suit your specific needs.</p> <h3 id="strengthen-authentication-to-resist-phishing">Strengthen authentication to resist phishing</h3> <p>Despite years of investments in SSO and MFA, some of the most <a href="https://www.kolide.com/blog/what-everyone-got-wrong-about-the-mgm-hack">nightmare scenario</a> attacks still happen as a result of weak authentication security, in particular compromised and phished employee credentials.</p> <p>MFA is useful but it&rsquo;s <a href="https://www.verizon.com/about/account-security/sim-swapping#:~:text=What%20is%20a%20SIM%20swap,exchanges%2C%20and%20other%20financial%20institutions.">not foolproof</a>: SMS codes fall to SIM swapping, and one-time codes and push approvals can be relayed in real time by a phishing proxy that sits between the user and the real login page. Keeping an eye out for <a href="https://www.bloomberg.com/news/articles/2021-06-04/hackers-breached-colonial-pipeline-using-compromised-password?embedded-checkout=true">compromised passwords</a> is also a vitally <a href="https://watchtower.1password.com/">important step</a> to keep identities secure. 1Password Extended Access Management includes 1Password&rsquo;s <a href="https://1password.com/enterprise">Enterprise Password Manager</a> (EPM), which makes sure employees are using secure and unique passwords, as well as keeping an eye out for potentially breached credentials. Unfortunately, bad actors work fast, and there&rsquo;s a possibility they&rsquo;ll break into systems before the password breach gets reported.</p> <p>The solution to this problem is to move beyond authentication factors that <em>can</em> be phished. 
<a href="https://blog.1password.com/what-are-passkeys/">Passkeys</a>, which are gradually permeating the app ecosystem, are a promising substitute for passwords: the private key never leaves the device and the credential is bound to the site it was created for, so a look-alike phishing page has nothing to capture (and, ahem, whaddya know, 1Password Extended Access Management <em>also</em> lets teams use and <a href="https://support.1password.com/save-use-passkeys/">manage passkeys</a>).</p> <p>Likewise, our Device Trust authenticates via a certificate on the device itself. That means that even if a user&rsquo;s credentials get compromised, a bad actor still can&rsquo;t log in from a device that isn&rsquo;t verified. Unless someone has your credentials <em>and</em> a trusted device, they can&rsquo;t get in. (The certificate proves which machine is asking, not that the machine is healthy, which is why the posture checks above matter too.)</p> <h3 id="use-device-trust-for-patch-management">Use device trust for patch management</h3> <p>A company we work with ran a vulnerability scan for compliance purposes, and found many unpatched software vulnerabilities on their IT infrastructure. But when they looked at the advised remediations to fix those vulnerabilities, they realized that 60% of them could be fixed by simply requiring users to update their OS and internet browsers.</p> <p>1Password Extended Access Management requires users to apply these updates themselves, and will not let them authenticate until their device is compliant. This eliminates one of the main bottlenecks to effective patch management: the strain on IT of remotely forcing patches and dealing with all the support tickets that come along with it.</p> <h3 id="educate-users">Educate users</h3> <p>It&rsquo;s a common saying in security that &ldquo;humans are your biggest vulnerability.&rdquo; We at <a href="https://1passwordstatic.com/files/resources/balancing-act_security-and-productivity-in-the-age-of-AI.pdf">1Password</a> recently surveyed security pros. 
A third of respondents listed human elements like phishing and human error in the top three threats to their organizations.</p> <p>Regular and consistent training has been shown to <a href="https://www.proofpoint.com/sites/default/files/threat-reports/pfpt-us-tr-state-of-the-phish-2021.pdf">markedly improve</a> workers' resistance to things like phishing emails, but a <a href="https://www.scmagazine.com/news/a-third-of-companies-dont-offer-cybersecurity-training-to-remote-workers">third of companies</a> don&rsquo;t offer cybersecurity training to their remote workers.</p> <p><a href="https://www.kolide.com/blog/is-your-security-awareness-program-a-total-snoozefest">Keeping users educated</a>, and enforcing good security habits, lets them be an ally rather than a hurdle to your vulnerability management program.</p> <h2 id="vulnerability-management-is-a-journey-not-a-destination">Vulnerability management is a journey, not a destination</h2> <p>For too long, vulnerability management has been stuck in a reactive mode. CVEs come in, then patches go out. Data gets breached, then systems get strengthened. Guidelines get updated, then boxes get checked.</p> <p>When your captain is telling you to bail water out of a rowboat that <em>keeps springing new leaks</em>, it&rsquo;s hard to think about what a better boat might look like. But it starts by moving to a proactive, rather than a reactive mindset.</p> <p>True vulnerability management needs a lot of communication, broad-reaching strategy, and support. It&rsquo;s going to fall to your people – at every level – to make that happen.</p> <p>Want more info on how 1Password Extended Access Management works? 
<a href="https://1password.com/xam/contact-us">Request a demo</a>.</p></description></item><item><title>Introducing recovery codes: Never lose access to 1Password</title><link>https://blog.1password.com/introducing-1password-recovery-codes/</link><pubDate>Thu, 20 Jun 2024 00:00:00 +0000</pubDate><author>info@1password.com (Danny Grenzowski)</author><guid>https://blog.1password.com/introducing-1password-recovery-codes/</guid><description> <img src='https://blog.1password.com/posts/2024/introducing-1password-recovery-codes/header.png' class='webfeedsFeaturedVisual' alt='Introducing recovery codes: Never lose access to 1Password' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">In 2024, we’ve committed to making 1Password more user-friendly, accessible, and intuitive, and that’s why today, we’re introducing recovery codes.</p> <p>We know how frustrating and stressful both remembering or forgetting passwords can be – after all, that’s the foundation of why 1Password was founded 18 years ago. Now, millions of people trust us with their sensitive information every day. 
Since we have that trust, we also want to give you the peace of mind and control that comes with knowing you’ll never be locked out of your account and will always have access to your critical data.</p> <p>With recovery codes, you can rest easy knowing you’ll always have a secure, reliable, and simple way to regain access to your 1Password account – even if you forget your account password or lose your <a href="https://support.1password.com/secret-key-security/">Secret Key</a>.</p> <h2 id="what-are-recovery-codes">What are recovery codes?</h2> <div style="text-align: center !important;"> <iframe src="https://www.youtube-nocookie.com/embed/Q8rZxntMlN0" frameborder="0" allow="autoplay; encrypted-media" width="500px !important;" height="281px !important;" style="width: 500px !important; height: 281px !important; display: inline-block !important" allowfullscreen></iframe> </div> <p>A recovery code is a unique and secure code generated by an app or website as a backup to help you regain access to your account in case you forget your account password, or, in the case of 1Password, also lose your <a href="https://support.1password.com/emergency-kit/">Emergency Kit</a> with your Secret Key. You may have already come across recovery codes with other apps or password managers as an additional option for authentication.</p> <p>Currently, Family Organizers of a 1Password Families plan can perform account recovery for other family members on their plan, and this option will not be going away. 
Should someone forget their password or lose their Emergency Kit and/or recovery code, Family Organizers will still be able to recover accounts.</p> <p>However, before recovery codes, if Family Organizers and customers using 1Password Individual forgot their password or lost their Secret Key, even with 1Password Support, they wouldn’t be able to regain access to their data, as there were no options for self-recovery.</p> <p>Now, that’s changing.</p> <h2 id="how-do-you-create-and-use-recovery-codes">How do you create and use recovery codes?</h2> <p>To avoid the possibility of losing any of your sensitive data, you should create a recovery code as soon as possible. You won’t be able to create a recovery code after you’ve lost access to your 1Password account, so this needs to be done proactively.</p> <p>Once you’ve created that recovery code, as long as you have access to the email address associated with your 1Password account, you can use the recovery code on <a href="http://1password.com/">1Password.com</a> any time to regain access to your account and create new sign-in details. You can generate recovery codes if you’re using 1Password for Mac, Windows, Linux, iOS, Android, and 1Password.com.</p> <p>Here’s how it works:</p> <p><strong>How to generate a recovery code:</strong></p> <ol> <li>Open and unlock the 1Password app.</li> <li>Select your account or collection at the top of the sidebar and choose <strong>Manage Accounts</strong>.</li> <li>Choose your account and then select <strong>Sign-in &amp; Recovery</strong>.</li> <li>Select <strong>Set up recovery code</strong> and follow the onscreen instructions.</li> </ol> <img src="https://blog.1password.com/posts/2024/introducing-1password-recovery-codes/reccodes1.png" alt="The Sign-in and Recovery screen in the 1Password app." title="The Sign-in and Recovery screen in the 1Password app." 
class="c-featured-image"/> <p>Make sure you store your recovery code in a safe and accessible place so that you can always regain access to your account. Check out <a href="https://blog.1password.com/where-to-store-your-emergency-kit/">Where to store your 1Password Emergency Kit</a> for some ideas on where you can also store your recovery codes.</p> <img src="https://blog.1password.com/posts/2024/introducing-1password-recovery-codes/reccodes2.png" alt="The Sign-in and Recovery screen in the 1Password app." title="The Sign-in and Recovery screen in the 1Password app." class="c-featured-image"/> <p><strong>How to recover your account:</strong></p> <ol> <li>Open your browser and navigate to the <a href="https://my.1password.com/signin?a=new">1Password.com sign-in page</a>.</li> <li>Select <strong>Having trouble signing in?</strong></li> <li>Select <strong>Use Recovery Code</strong>.</li> <li>Enter your recovery code and select <strong>Next</strong>.</li> <li>Enter the verification code sent to the email address associated with your 1Password account and select <strong>Next</strong>.</li> <li>If you don’t receive a verification code, select <strong>Send new code</strong>.</li> <li>Choose a new <a href="https://support.1password.com/strong-account-password/">strong account password</a> and select <strong>Next</strong>.</li> <li>Download a copy of your Emergency Kit. This will contain your new Secret Key.</li> </ol> <p>Your recovery code is reusable and will remain valid after it’s used. 
If you’ve completed a recovery for your account, you’ll need to <a href="https://support.1password.com/after-recovery/">sign back in to 1Password</a> on your trusted devices using your new Secret Key.</p> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div class="c-technical-aside-box__description"> <p>For all the details and more step-by-step instructions, <a href="https://support.1password.com/cs/recovery-codes/">visit our help article</a>.</p> </div> </aside> <h2 id="is-anything-else-changing">Is anything else changing?</h2> <p>While the introduction of recovery codes will make it much easier to have full control of your account and give you even more confidence that your data will always be both safeguarded and accessible with 1Password, you don’t have to worry about any unexpected changes.</p> <ul> <li>1Password accounts and the data stored in them are just as secure as they’ve always been. We’ve made sure that the recovery process is safe by requiring two separate steps (email verification and your recovery code) to complete identity verification and regain access to your account.</li> <li>The Secret Key is not going away – remember, you’ll use a recovery code only if you’ve forgotten your account password and/or lost your Secret Key. If you’ve used a recovery code to get back into your 1Password account, you’ll be asked to create a new account password and will receive a new Emergency Kit with a new Secret Key. You’ll use that new Secret Key to log in to your 1Password account on additional devices.</li> <li>If you’re a Family Organizer of a 1Password Families account, you’ll still be able to <a href="https://support.1password.com/recovery/">recover accounts the same way you could before</a>, but now you’ll have an additional option to help family members regain access to their accounts themselves.</li> <li>1Password will still provide a multi-layered security approach for extraordinary protection. 
Every aspect of 1Password&rsquo;s security architecture remains engineered to protect you – even in the unlikely event of a breach.</li> </ul> <h2 id="on-the-road-to-recovery-codes">On the road to recovery codes</h2> <p>With 1Password’s new recovery codes, you can rest assured you’ll never lose access to your account and always have control over your sensitive data, even if you forget your account password or lose your Secret Key.</p> <p>No more frustration, interrupted workflows, or emails with 1Password Support; just a quick, streamlined process you can complete on your own – whenever you need to or wherever you are. Create one today!</p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Ready to protect yourself?</h3> <p class="c-call-to-action-box__text"> Keep all of your accounts secure with 1Password, the world’s most-trusted password manager. Get started today with a free 14-day trial. </p> <a href="https://1password.com/pricing/" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Try free for 14 days </a> </div> </section></description></item><item><title>Happy 18th birthday, 1Password!</title><link>https://blog.1password.com/happy-18th-birthday/</link><pubDate>Tue, 18 Jun 2024 00:00:00 +0000</pubDate><author>info@1password.com (Sara Teare)</author><guid>https://blog.1password.com/happy-18th-birthday/</guid><description> <img src='https://blog.1password.com/posts/2024/happy-18th-birthday/header.png' class='webfeedsFeaturedVisual' alt='Happy 18th birthday, 1Password!' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Eighteen years ago we made a decision that forever changed our lives: ‘1Passwd’ went live on the internet!</p> <p>It was a side project that was meant to take three weeks. 
We had built a tool to fill a need we had - saving passwords and everything else you need to submit on webpages, so they could be stored and shared securely. Along the way, we could use this tool to test how well that information was filled into the page. We did all that so we could get back to building websites and doing our other projects faster.</p> <p>We knew that other people might also like what we had built. But what surprised us was the passion of the community! As soon as we launched 1Passwd on MacUpdate and Version Tracker, we were welcomed with open arms, kicking off what would become an amazing journey to where we are today.</p> <p>Over the last 18 years, it’s been our customers who have continued to inspire and drive us forward, and to continue to make 1Password the most-loved password manager. It was a different world 18 years ago - macOS (then Mac OS X) was still a niche operating system, the only pocket calculator you had was a Casio, and your Nokia flip phone was there to make emergency phone calls.</p> <blockquote> <p><strong>It’s been our customers who have continued to inspire and drive us forward.</strong></p> </blockquote> <p>When we launched, we were Mac exclusive. It was “just” a tool that we thought other developers might like to use - and use it they did! The suggestions and feedback from our customers created a positive feedback loop for us: build something, release it, listen to our users, then iterate on it and release it again.</p> <p>It was our customers who demanded a Windows version. They were using our password manager on multiple machines and wanted that convenience and security everywhere they were. When Steve Jobs introduced the world to the iPhone, our customers wanted us there too. The 1Password community was everywhere, and they wanted us there with them, from browsers to Android phones, from Linux systems to iPads - everywhere!</p> <p>As our customers grew and changed, we did as well. 
We continued our positive feedback loop and continued to iterate, evolving 1Password into the company we are now. One of our biggest moments was in 2016, when we launched our own hosting service. This was because our users didn’t just want us on every device and platform – they wanted us at home and at work.</p> <blockquote> <p><strong>We had managed to build something that businesses across the world were relying on.</strong></p> </blockquote> <p>Sharing passwords within a work environment was something we were working on as well, as 1Password had grown to over 100 team members. From a three-week side project, we had managed to build something that businesses across the world were relying on to make the secure choice the easy choice.</p> <p>The evolution to a business product challenged us to create new ways for 1Password to be there for our users – one that could provide solutions for an individual, for a family, and all kinds of organizations, from small teams all the way up to giant enterprise customers.</p> <img src="https://blog.1password.com/posts/2024/happy-18th-birthday/1password-18-birthday.png" alt="A desk with an old iMac featuring the 1Password logo. To the left of the iMac is a phone with the 1Password logo and a microphone with &#39;RBM&#39;. Behind the desk are balloons, a bottle of champagne, and a picture frame showing the four 1Password founders." title="A desk with an old iMac featuring the 1Password logo. To the left of the iMac is a phone with the 1Password logo and a microphone with &#39;RBM&#39;. Behind the desk are balloons, a bottle of champagne, and a picture frame showing the four 1Password founders." class="c-featured-image"/> <p>I was born on the 2nd of the month, so I didn’t know what a “champagne birthday” was until a friend turned 14 years old on the 14th of the month. 
If you’re not familiar, it’s called a champagne birthday because it’s a once-in-a-lifetime chance to celebrate your age matching the same number as the day you were born.</p> <p>While 1Password isn’t technically a person, it’s definitely taken on a life of its own and I’m excited to be celebrating its own champagne birthday, as 1Password (well, 1Passwd) officially joined the world on June 18th, eighteen years ago! 🍾🥳</p> <p>So, here we are 18 years later celebrating this milestone with you all! We’ve worked on 1Password for much longer than the original three-week plan, and this journey has taken us farther than <a href="https://1password.com/company/meet-the-team/roustem-karimov">Roustem</a>, <a href="https://1password.com/company/meet-the-team/dave-teare">Dave</a>, <a href="https://1password.com/company/meet-the-team/natalia-karimov">Natalia</a>, and myself could’ve ever imagined. From the four of us offering 1Passwd on a single platform, to 1Password being a world-class company with almost 1,200 people, operating on every platform, with over 150,000 businesses and millions of users.</p> <blockquote> <p><strong>Thank you for being a part of our journey.</strong></p> </blockquote> <p>As our team looks towards the future, with new products like 1Password Extended Access Management, we continue to be passionate about what we started. It’s all about building security and convenience in one easy-to-use tool, where it becomes second nature to save it in 1Password and make the right choice when securing yourself online.</p> <p>The world has changed significantly in the last 18 years. I’m grateful that for many of you, 1Password has become essential to your lives as well. Thank you for being a part of our journey! 
We truly appreciate the support and the ongoing push to make sure we’re giving you the solutions you need to make your life an easier, more secure one.</p></description></item><item><title>Single sign-on isn't enough: closing the SSO security gap</title><link>https://blog.1password.com/closing-the-sso-security-gap/</link><pubDate>Tue, 11 Jun 2024 00:00:00 +0000</pubDate><author>info@1password.com (Rob Boone)</author><guid>https://blog.1password.com/closing-the-sso-security-gap/</guid><description> <img src='https://blog.1password.com/posts/2024/closing-the-SSO-security-gap/header.png' class='webfeedsFeaturedVisual' alt='Single sign-on isn't enough: closing the SSO security gap' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Single sign-on (SSO) used to be enough. It&rsquo;s not anymore.</p> <p>Consider these stats:</p> <ul> <li>34% of employees use unsanctioned apps.</li> <li>61% of employees have poor password practices.</li> <li>Credentials are the #1 way attackers gain access to systems.</li> </ul> <p>Let&rsquo;s connect those dots. According to 1Password research, <a href="https://blog.1password.com/productivity-ai-cybersecurity-report/">more than one-third of the apps employees use for work are unsanctioned</a>, meaning IT and Security don&rsquo;t know about them. 
That&rsquo;s shadow IT, and because you don&rsquo;t know about them, you can&rsquo;t put those logins behind SSO.</p> <p>The same research found that most employees have poor password practices like using weak passwords, or reusing them across multiple services.</p> <p>Finally, <a href="https://blog.1password.com/verizon-data-breach-report-2024-analysis/">credentials are still the primary method</a> for attackers to gain access to systems.</p> <p>So, employees are using weak or reused passwords to log in to unmanaged and unprotected services, leaving attackers' favorite entry point – credentials – vulnerable.</p> <p>SSO solutions can help, of course. But reducing your attack surface means understanding what SSO protects – and what it doesn&rsquo;t.</p> <h2 id="sso-is-necessary">SSO is necessary</h2> <p>SSO providers like Okta or Microsoft Entra ID put user access for managed applications behind a single, strongly vetted identity. That strengthens your security posture while making it easier for employees to follow security protocols:</p> <ul> <li>Single sign-on shrinks your attack surface by reducing the number of passwords in circulation.</li> <li>Fewer passwords in circulation means fewer password reset requests for the IT help desk, and fewer passwords to manage, lessening the need for employees to get creative.</li> <li>SSO services bring all covered logins under one umbrella, so security policies can be applied to all managed services at once.</li> <li>Provisioning (onboarding and offboarding) gets simplified, too. IT can place employees in groups, then configure access at the group level to give new hires instant access to an entire suite of services, or revoke access for departing employees.</li> </ul> <h2 id="but-its-not-sufficient">But it&rsquo;s not sufficient</h2> <p>When employees sign in to unsanctioned apps with insecure passwords, SSO doesn&rsquo;t help with that problem. 
Security professionals know this: Identity is the new perimeter security teams are tasked with defending, and 69% of security pros say <a href="https://1password.com/state-of-enterprise-security-report?utm_source=blog&amp;utm_campaign=annual-report-2024">SSO isn&rsquo;t a complete solution for securing employee identity</a>.</p> <p>Think of it this way: With an SSO provider in place, do password spreadsheets and post-it notes still have a role to play?</p> <p>Yep. As long as employees need to create and manage passwords, they&rsquo;ll find ways to&hellip; well, create and manage (or simply reuse) those passwords. And if the company doesn&rsquo;t provide a way to do that securely, employees are left to devise their own methods. Those methods are often insecure, leading to vulnerabilities for the company.</p> <h2 id="employees-first-priority-is-productivity--not-security">Employees' first priority is productivity – not security</h2> <p>To recap: SSO doesn&rsquo;t secure every login. As long as there are stray logins SSO doesn&rsquo;t cover, employees will be forced to manage those logins themselves.</p> <p>But security isn&rsquo;t a top priority for employees. The <a href="https://1password.com/state-of-enterprise-security-report?utm_medium=social&amp;utm_source=blog&amp;utm_campaign=annual-report-2024">1Password State of Enterprise Security Report 2024</a> also revealed that 54% of employees say they&rsquo;re lax about company security policies. 
44% say security would be less of an issue if leaders made tools easier to use and policies easier to follow.</p> <p>And yet fewer than one in 10 security pros (9%) say employee convenience is the top consideration driving their security software decisions(!).</p> <p>This creates a situation where employees share the responsibility for the security of the company, but aren&rsquo;t given the necessary tools to carry out those responsibilities.</p> <blockquote> <p>Of respondents to the 2022 Gartner’s Drivers of Secure Behavior Survey, 44% acknowledged that they are ultimately responsible for managing their cyber risk exposure in the enterprise. Meanwhile, 67% admitted to using the same password for multiple accounts. — <em><a href="https://www.gartner.com/en/documents/5282463">Innovation Insight: Workforce Password Management Tools</a></em> (Gartner, 2024)</p> </blockquote> <p>And that&rsquo;s just the basics of creating and storing strong passwords. What happens when they need to share them with a colleague, or a contractor?</p> <h2 id="enterprise-password-managers-protect-the-logins-that-sso-doesnt">Enterprise password managers protect the logins that SSO doesn&rsquo;t</h2> <p>The answer is an enterprise password manager (EPM) like 1Password. 1Password gives employees a way to create, store, and manage all those logins that SSO doesn&rsquo;t cover.</p> <p>And it makes doing so easier for employees than managing them on their own. No need to resort to post-it notes, password spreadsheets, or other insecure methods.</p> <blockquote> <p>We’ve found that once people understand the concepts, which doesn’t take long, it’s a really smooth transition. I’d chalk that up to the user experience in 1Password, which we clearly think is superior to every other product we’ve looked at. 
— <em>Nick Tripp, IT Security Office Senior Manager, Duke University</em> (Duke <a href="https://1password.com/customer-stories/duke">tripled password manager adoption</a> after switching to 1Password.)</p> </blockquote> <p>Suddenly, it&rsquo;s easier to manage and share logins in a secure way than it is to leave employees to fend for themselves. IT and Security get what they want (strong security) and employees get what they want (convenience). No more competing priorities.</p> <h2 id="the-best-of-both-worlds-combining-sso-and-an-epm">The best of both worlds: Combining SSO and an EPM</h2> <p>So SSO secures sign-ins for managed applications. 1Password secures sign-ins for everything else. And you can combine the two to secure every sign-in, simplify the employee experience, and unify your security policies.</p> <p>When you integrate 1Password with your identity provider – otherwise known as <a href="https://support.1password.com/sso/">unlocking 1Password with SSO</a> – employees no longer have to remember even their 1Password account password. Instead, they can sign in to 1Password using their SSO provider, thus gaining access to everything protected either by SSO or by 1Password with a single login.</p> <p>And with Unlock 1Password with SSO enabled, admins can extend their existing security policies to everything stored in 1Password. Now those policies apply both to SSO-enabled logins and those that SSO doesn&rsquo;t cover, so things like two-factor authentication requirements can also be applied to unmanaged services.</p> <p>The protection enterprise password managers provide against phishing is also worth mentioning. If a user clicks a link in an email, EPMs will only autofill user passwords on the correct URL. 
For example, 1Password would only offer to autofill <code>google.com</code> and not <code>goog1e.com</code>.</p> <h2 id="1password-extended-access-management-secure-every-sign-in-to-every-app-from-every-device">1Password Extended Access Management: Secure every sign-in to every app from every device</h2> <p><a href="https://1password.com/enterprise">1Password Enterprise Password Manager</a> secures every sign-in from every device. <a href="https://1password.com/xam/extended-access-management">1Password Extended Access Management</a> goes further. Extended Access Management (XAM) is an entirely new category of security software designed to extend access management to every identity, device, and application.</p> <p>XAM <a href="https://blog.1password.com/introducing-extended-access-management/">goes places traditional identity and access management (IAM) can&rsquo;t</a> – specifically, to every device employees might use for work. As remote work and bring-your-own-device (BYOD) proliferate, and the number of SaaS applications we use for work increases, 1Password Extended Access Management covers those bases.</p> <p>1Password® Extended Access Management combines four aspects of access management into one easy way to secure your business:</p> <ul> <li>User Identity extends single sign-on to every application, including unsanctioned apps.</li> <li>Device Trust keeps unknown and wounded devices away from your sensitive data, and gives employees a way to fix vulnerabilities and regain access without involving IT.</li> <li>Application Insights gives admins visibility into the applications employees are using, so they can guide users towards company-approved applications, or manage access to unmanaged applications.</li> <li>Enterprise Password Manager rounds it all out with the benefits we&rsquo;ve discussed in this article (among many others), starting with securing every set of user credentials.</li> </ul> <p>For a full walkthrough of 1Password Extended Access Management, 
<a href="https://1password.com/webinars/extending-access-management?utm_ref=blog">check out the on-demand webinar</a>.</p> <h2 id="business-security-doesnt-have-to-be-this-hard">Business security doesn&rsquo;t have to be this hard</h2> <p>Both Security Assertion Markup Language (SAML) and OpenID Connect (OIDC) flavors of SSO protect sign-ins to managed applications. 1Password Enterprise Password Manager protects virtually everything else. And 1Password Extended Access Management extends that security to every identity, every sign-in, and every device.</p> <p>To see for yourself how easy strong security can be, get started with a <a href="https://start.1password.com/sign-up/business">free 14-day trial of 1Password Business</a>. Or, reach out to <a href="https://1password.com/xam/contact-us">request a demo of 1Password Extended Access Management</a>.</p></description></item><item><title>The pros and cons of mobile device management (MDM) solutions</title><link>https://blog.1password.com/pros-and-cons-of-mdms/</link><pubDate>Mon, 10 Jun 2024 00:00:00 +0000</pubDate><author>info@1password.com (Elaine Atwell)</author><guid>https://blog.1password.com/pros-and-cons-of-mdms/</guid><description> <img src='https://blog.1password.com/posts/2024/pros-cons-of-mdms/header.png' class='webfeedsFeaturedVisual' alt='The pros and cons of mobile device management (MDM) solutions' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">It&rsquo;s no easy feat for a company to maintain security and enforce standardized policies across a fleet of devices.</p> <p>The proliferation of endpoints and operating systems that employees use to connect to company networks makes protecting sensitive data mind-blowingly complex, especially in remote settings. 
These challenges often come to a head when a company is seeking a security certification like <a href="https://www.kolide.com/blog/how-much-does-a-soc-2-audit-cost">SOC 2</a> or <a href="https://www.kolide.com/blog/the-business-guide-to-iso-27001-compliance-and-certification">ISO 27001</a> and realizes it can only pass an audit if it can achieve greater visibility and control over its fleet. In such situations, most companies resort to mobile device management (MDM) solutions to give their IT team centralized control over the fleet.</p> <aside class="c-technical-aside-box c-technical-aside-box--background" aria-labelledby="what-is-an-mdm"> <h2 class="c-technical-aside-box__title" id="what-is-an-mdm"> What is an MDM? </h2> <div class="c-technical-aside-box__description"> <p>In a nutshell, MDM solutions make devices behave in specific ways according to predefined security policies so companies can pass audits, prevent data breaches, and obey data privacy and security laws. Despite the word &ldquo;mobile&rdquo; in the name, MDMs often extend to the management of laptops, desktops, and tablets. There are many independent MDM providers and proprietary MDMs from Microsoft and Apple.</p> </div> </aside> <p>Ultimately, most companies of a certain size need an MDM solution (or potentially more than one) to accomplish things like remote wipes and configuring default settings for new devices.</p> <p>The problem is that many companies assume they can use MDM to solve all their device security issues. That is incorrect. 
Leaning too hard on MDM can create problems not only for security but employee morale.</p> <p>In this article, we&rsquo;ll go over MDM&rsquo;s strengths and weaknesses, and where it fits into a larger approach to endpoint security.</p> <h2 id="the-pros-and-cons-of-mdm-solutions">The Pros and Cons of MDM Solutions</h2> <p>You know the expression, &ldquo;when the only tool you have is a hammer, every problem looks like a nail?&rdquo; In this analogy, MDM is the hammer – a blunt instrument that&rsquo;s good at solving some problems, but can&rsquo;t address more nuanced issues. In fact, its approach can even be harmful.</p> <p>An MDM solution requires employees to agree to have their devices fully managed by their employer. While the capabilities of MDMs differ by platform, they all grant the MDM administrator a form of remote control over the device settings and capabilities. This can be as benign as setting the default state of various security features or as extreme as forcing a device to erase itself without the consent of the person behind the keyboard.</p> <img src='https://blog.1password.com/posts/2024/pros-cons-of-mdms/mdm-restart-needed.png' alt='An MDM dialog box showing that a user&#39;s computer is about to automatically restart.' title='An MDM dialog box showing that a user&#39;s computer is about to automatically restart.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>Many workers will be familiar with MDM from a screen like the one above, that pops up to announce a forced reboot of their machine. And whether that capability is a feature or a bug is largely in the eye of the beholder.</p> <h2 id="advantages-of-mdm-solutions">Advantages of MDM solutions</h2> <p>There are several reasons why MDM solutions are so widely-used, although some of those reasons are more well-founded than others. 
MDMs' technological capabilities certainly play a role, but so do cost and force of habit.</p> <p>Here are some of the most common reasons organizations use MDM solutions:</p> <h3 id="they-are-effective-at-rapidly-achieving-surface-level-compliance">They are effective at rapidly achieving surface-level compliance.</h3> <p>MDMs can force a device into the desired compliant state (at least on the simplest level) and keep it there without consulting or negotiating with the end user.</p> <p>That means a user whose device is enrolled in MDM may not be able to turn off its firewall, download unapproved apps, or put off a software update. This has some clear advantages, but it turns out to be a double-edged sword, as we&rsquo;ll see in the next section.</p> <h3 id="they-enable-remote-wipe-and-lock">They enable remote wipe and lock.</h3> <p>These capabilities are crucial for third-party audits since they ensure that sensitive data is not at risk if a device is lost or stolen or an employee is terminated.</p> <h3 id="they-are-easy-to-deploy">They are easy to deploy.</h3> <p>The agent portion of MDM is often built into the OS, and IT can pre-configure devices before they are distributed to employees. That ensures that things like disk encryption are enabled the first time an end user logs in.</p> <p>However, implementing MDM on existing (not new) devices can present challenges, and failures of installation are common.</p> <h3 id="they-are-inexpensive">They are inexpensive.</h3> <p>Since the OS vendor provides most of the functionalities that make MDM possible, the barrier to entering the MDM space is much lower than building a device management solution from scratch. 
The commoditization of MDM software means buyers can get competitive pricing and a wide array of vendor choices.</p> <h3 id="they-are-a-known-quantity">They are a known quantity.</h3> <p>Most IT administrators and managed service providers are familiar with MDMs and can easily find IT engineers with experience implementing them at scale.</p> <h3 id="there-is-first-party-support">There is first-party support.</h3> <p>OS vendors are building their own device management products (e.g., <a href="https://www.apple.com/business/enterprise/it/">Apple Business Manager</a> for MacOS and iOS, and <a href="https://docs.microsoft.com/en-us/mem/intune/fundamentals/what-is-intune">Microsoft Intune</a> for Windows) that are cheaper and often have better features than third-party MDM vendors.</p> <h2 id="disadvantages-of-mdm-solutions">Disadvantages of MDM solutions</h2> <p>MDMs have a clear use case, but there are still many device security problems they can&rsquo;t solve, or for which their solutions create bigger problems.</p> <p>Here are a few MDM drawbacks to consider:</p> <h3 id="they-cant-get-you-to-100-compliance">They can&rsquo;t get you to 100% compliance.</h3> <p>If an MDM can&rsquo;t get a device compliant with brute force or automation, you&rsquo;re out of luck. And that means you have no way of dealing with some of the highest-risk compliance issues, such as encrypting SSH keys, securing plain-text two-factor backup codes, or minimizing the time production data is stored on a device.</p> <p>MDMs also fall short on seemingly straightforward use cases, such as deploying OS patches. It&rsquo;s not uncommon for IT teams to deploy a patch or update via MDM, only for it to fail on the majority of the fleet due to errors and bugs.</p> <p>And forcing employee devices to restart without their consent is so disruptive that most IT teams avoid it altogether, and rely on &ldquo;nudge&rdquo; tools to get users to install patches. 
<a href="https://www.kolide.com/blog/the-real-world-challenges-of-patch-management">For more on that subject, read our blog on patch management.</a></p> <p>The point is: there are many valid security objectives that are too nuanced for the blunt instruments provided by traditional MDM solutions. And because these issues are unsolvable via MDM, they&rsquo;re often declared out of scope, which creates a false (and dangerous) sense of security.</p> <h3 id="they-offer-limited-visibility">They offer limited visibility.</h3> <p>Most MDMs only provide a small number of essential data points about a device. IT administrators must write and deploy custom shell scripts to gather valuable data to answer pressing questions about the fleet.</p> <p>If MDM isn&rsquo;t installed correctly on a device, then visibility is null, which means most companies have to supplement MDM with Zero Trust solutions, to ensure that devices can&rsquo;t access company apps unless MDM is functioning.</p> <h3 id="they-create-more-work-for-it">They create more work for IT.</h3> <p>It takes a lot of effort to maintain an MDM, both in terms of writing scripts and responding to support tickets. For example, if you want to ensure Firefox is always up to date, the MDM method is to force everybody to have Firefox and then disconnect its (already perfectly fine) auto-updating mechanism and push updates through a manual script.</p> <h3 id="youre-on-your-own-with-linux">You&rsquo;re on your own with Linux.</h3> <p><a href="https://www.kolide.com/blog/why-there-s-no-such-thing-as-mdm-for-linux-and-what-to-do-about-it">As we&rsquo;ve written before</a>, MDMs are inherently incompatible with Linux endpoints. 
There&rsquo;s no real solution to automatically address the near-infinite choices Linux offers its users regarding basic OS features like firewalls, terminals, and automatic updates.</p> <p>At most organizations, Linux users make up a small percentage of the workforce, but since they deal with some of its most sensitive corporate data, this turns out to be a big problem.</p> <h3 id="they-can-create-long-term-employee-morale-and-productivity-problems">They can create long-term employee morale and productivity problems.</h3> <p>MDM solutions take away a user&rsquo;s agency over their device, leading to frustration and bad feelings between end users and IT. Here&rsquo;s a common MDM complaint: An employee is in the middle of their workday when suddenly a popup appears and informs them that their laptop will restart in 10&hellip;9&hellip;8&hellip;</p> <p>In the best case scenario, this is a minor update that only takes a few minutes, but it could easily be an OS update that costs employees an hour they&rsquo;d been counting on or makes them late for a meeting.</p> <p>In addition, end users sometimes have good reasons for violating MDM policy. A developer might need to turn off their firewall for ten seconds to test something, but MDM takes away that option.</p> <h3 id="they-create-as-many-exceptions-as-rules">They create as many &ldquo;exceptions&rdquo; as rules.</h3> <p>The average end user may have no choice but to put up with locked-down devices and forced restarts, but the average CEO won&rsquo;t tolerate an intrusive agent telling them what they can do with their device.</p> <p>Most companies with MDMs have &ldquo;VIP lists&rdquo; of users who are exempt from participating because they find it obnoxious and disruptive. 
The size of that list can quickly balloon, and everyone on it is a security risk.</p> <h3 id="they-can-lead-to-employees-using-shadow-it">They can lead to employees using Shadow IT.</h3> <p>Users who don&rsquo;t qualify as &ldquo;VIPs&rdquo; can still find ways around MDMs – <a href="https://www.kolide.com/blog/what-is-shadow-it-you-can-t-solve-it-by-blocking-it">usually by working on their personal devices</a>. Ironically, this exacerbates the very problem MDM was initially trying to solve: sensitive data disappearing onto invisible devices and unapproved apps.</p> <h3 id="they-cant-manage-byod-or-contractor-devices">They can&rsquo;t manage BYOD or contractor devices</h3> <p>MDM software isn&rsquo;t a good solution if you have a &ldquo;bring your own device&rdquo; (BYOD) policy. It&rsquo;s extremely uncommon for a workplace to attempt to install MDM on workers' personal devices due to privacy concerns, so those are essentially out of scope. You&rsquo;ll run into the same problem if you work with any third-party contractors, since they will likely be enrolled in MDM via their actual employer, and it&rsquo;s impossible for devices to be enrolled in more than one MDM at a time.</p> <h2 id="device-security-is-bigger-than-mdms">Device security is bigger than MDMs</h2> <p>So here&rsquo;s what we&rsquo;ve established so far: MDM solutions are complex to deploy and maintain. While they&rsquo;re a known quantity in the IT world, their invasiveness and less-than-stellar user experience significantly reduce their effectiveness in addressing today&rsquo;s cybersecurity challenges.</p> <p>Furthermore, if you&rsquo;re trying to protect your corporate data, MDMs can only address a single piece of the puzzle. For example, they can&rsquo;t tell you who is using a managed device: that&rsquo;s what authentication is for.</p> <p>The case we&rsquo;re making isn&rsquo;t that MDM solutions are bad; they&rsquo;re incomplete. 
All those missing puzzle pieces–the Linux users, the VIPs, the SSH keys and sensitive data–also need to be addressed.</p> <p>This gap between the devices you manage (and therefore trust) and the devices you allow to access sensitive resources (Linux machines, personal and contractor devices) is called the Access-Trust gap, and it&rsquo;s one of the primary security flaws for organizations that rely exclusively on MDM for device management. If MDM could solve those problems, it would, but clearly, a different approach is required.</p> <h3 id="embrace-a-user-first-endpoint-security-solution">Embrace a user-first endpoint security solution</h3> <p>As you may have guessed, we&rsquo;re not exactly disinterested observers when it comes to this topic. After all, our Extended Access Management (XAM) software includes a device security and compliance solution that solves many of the problems that fall outside the scope of MDM.</p> <p>1Password Extended Access Management comes packaged with a Device Trust component, which gives IT admins a cross-platform (even Linux!) dashboard for all devices; you can see <a href="https://www.kolide.com/use-cases/fleet-visibility">thousands of data points about your device inventory</a>. IT admins can run queries and set compliance policies across a much wider array of issues than with MDM.</p> <p>But our most important differentiator is how we communicate with users. Instead of forcing changes onto their devices, 1Password Extended Access Management&rsquo;s Device Trust portion sends automated alerts to employees when a problem is detected. The notification includes simple self-remediation steps that teach users to resolve the issue themselves. 
This minimizes disruption on users (no more surprise restarts) and reduces the strain on IT resources.</p> <p>1Password Extended Access Management also makes the device monitoring process transparent through our Privacy Center, which lets users see who can access their devices, what data is collected, and even the complete source code of the agent running on their devices. Even when using personal devices, employees are assured that their personal data stays private.</p> <p>1Password Extended Access Management also has the ability to <em>enforce</em> compliance. <a href="https://1password.com/xam/extended-access-management">When a device isn&rsquo;t in a secure state, users can&rsquo;t authenticate via SSO until they&rsquo;ve fixed the problem.</a> It&rsquo;s a straightforward way to achieve total fleet compliance without robbing employees of agency.</p> <p>Instead of a top-down &ldquo;big brother&rdquo; approach, 1Password Extended Access Management uses the principles of <a href="https://honest.security/">Honest Security</a> to give users a seat at the table.</p> <img src='https://blog.1password.com/posts/2024/pros-cons-of-mdms/five-tenets-of-honest-security.png' alt='An information graphic that lists the 5 tenets of honest security.' title='An information graphic that lists the 5 tenets of honest security.' 
style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>Ready to change the device management conversation, and to learn how XAM closes the Access-Trust gap?</p> <p><a href="https://1password.com/xam/extended-access-management">Read more about XAM and see what a user-focused approach to security looks like.</a></p></description></item><item><title>How we used esbuild to reduce our browser extension build times by 90%</title><link>https://blog.1password.com/new-extension-build-system/</link><pubDate>Thu, 30 May 2024 00:00:00 +0000</pubDate><author>info@1password.com (Jarek Samic)</author><guid>https://blog.1password.com/new-extension-build-system/</guid><description> <img src='https://blog.1password.com/posts/2024/new-extension-build-system/header.png' class='webfeedsFeaturedVisual' alt='How we used esbuild to reduce our browser extension build times by 90%' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">The system that we use internally to build the code behind our browser extension was put together over half a decade ago. While we were able to iteratively grow it over time to meet our needs, it became slower and slower in the process. Let&rsquo;s give it a much-needed upgrade!</p> <p>I joined 1Password as an intern back in early 2020. That&rsquo;s a date with &hellip; some interesting memories! One of them is my recollection of how long it took to build <a href="https://1password.com/downloads/browser-extension/">our browser extension</a>. At that time my <a href="https://www.macworld.com/article/233034/2019-13-inch-core-i5-macbook-pro-review.html">13-inch MacBook Pro with an Intel i5 processor and 8GB RAM</a> needed roughly 30 seconds to do a warm build of our extension (a warm build means I&rsquo;ve already built the extension at least once, and I&rsquo;m rebuilding it to test some changes I&rsquo;ve made). 
Thirty seconds wasn&rsquo;t <em>bad</em> by any means but it was long enough to be annoying and I often wished it could be faster.</p> <p>Fast forward to 2024. We have many more folks working on the extension, I&rsquo;m now a senior developer with a much more capable M1-equipped laptop, and our extension is a wee bit larger than it used to be. I&rsquo;ve had a hand in building <a href="https://blog.1password.com/autofill-saving-extension-improvements/">lots</a> <a href="https://blog.1password.com/big-changes-to-1password-in-the-browser/">of</a> <a href="https://blog.1password.com/1password-for-safari/">cool</a> <a href="https://blog.1password.com/save-use-passkeys-web-ios/">features</a> over the last four years, and many of them required our build system to stretch in new and interesting ways. That stretching increased warm extension build times to an unfortunate one minute and ten seconds on my M1 Max-powered MacBook Pro. Throwing more compute power at the problem clearly isn&rsquo;t going to help!</p> <img src="https://blog.1password.com/posts/2024/new-extension-build-system/current_build_system_hyperfine.png" alt="A screenshot of a terminal showing the output of a hyperfine benchmark run on our extension build system." title="A screenshot of a terminal showing the output of a hyperfine benchmark run on our extension build system." class="c-featured-image"/> <p>One minute and ten seconds is an <em>eternity</em> when you consider that any source code change must funnel its way through this system to be tested by a developer! 
Long build times slow down everyone&rsquo;s work, extend the time it takes to onboard new developers, and create an environment where it&rsquo;s difficult to enter <a href="https://github.blog/2024-01-22-how-to-get-in-the-flow-while-coding-and-why-its-important/">flow state</a> during day-to-day tasks.</p> <p>I believed we could do better than the status quo and I wanted to prove it.</p> <h2 id="its-hackathon-time">It&rsquo;s hackathon time!</h2> <p>Fortunately, I didn&rsquo;t have to wait long for an opportunity to arise. We had a <a href="https://blog.1password.com/beyond-boundaries-hackathon/">company-wide Beyond Boundaries hackathon</a> scheduled for early February. I spent time in January collecting data, writing up a hackathon project proposal, recruiting team members, and doing some preliminary research to shore up my understanding of our existing build system and figure out how we were going to profile it.</p> <p>The existing system consisted of many individual commands and tools glued together by <code>make</code>. We were going to need a way to get a high-level profile of the entire system to be able to identify areas for improvement and ensure we were making positive progress during the hackathon time. I tried out a few different approaches and ended up landing on something that worked out quite well, which I&rsquo;ll share here.</p> <p>Make allows for <a href="https://www.gnu.org/software/make/manual/html_node/Choosing-the-Shell.html">defining the shell that should be used to execute commands</a>. 
It turns out that we can specify any script as the shell:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash">make <span class="nv">SHELL</span><span class="o">=</span>path/to/script.sh </code></pre></div><p>That allows us to build a small script that executes a given command, but does so within a wrapper that we control:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="cp">#!/bin/zsh </span><span class="cp"></span><span class="nb">echo</span> <span class="s2">&#34;before running the command&#34;</span> <span class="nb">eval</span> <span class="s2">&#34;</span><span class="nv">$2</span><span class="s2">&#34;</span> <span class="nb">echo</span> <span class="s2">&#34;after running the command&#34;</span> </code></pre></div><p>We can use <a href="https://github.com/equinix-labs/otel-cli">otel-cli</a> in this script to report an OpenTelemetry span for the command that we ran, including information like the start and end time, working directory, and the command string itself:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="cp">#!/bin/zsh </span><span class="cp"></span><span class="nb">export</span> <span class="nv">OTEL_EXPORTER_OTLP_ENDPOINT</span><span class="o">=</span>localhost:4317 <span class="nv">start</span><span class="o">=</span><span class="k">$(</span>date +%s.%N<span class="k">)</span> <span class="c1"># Unix epoch with nanoseconds</span> <span class="nb">eval</span> <span class="s2">&#34;</span><span class="nv">$2</span><span class="s2">&#34;</span> <span class="nv">end</span><span class="o">=</span><span class="k">$(</span>date +%s.%N<span class="k">)</span> <span class="c1"># Unix epoch with nanoseconds</span> <span class="nv">duration</span><span class="o">=</span><span class="k">$((</span> <span class="k">$(</span><span class="nb">echo</span> <span 
class="s2">&#34;</span><span class="nv">$end</span><span class="s2"> - </span><span class="nv">$start</span><span class="s2">&#34;</span> <span class="p">|</span> bc<span class="k">)</span> <span class="k">))</span> <span class="k">if</span> <span class="o">((</span> duration &gt; 0.1 <span class="o">))</span><span class="p">;</span> <span class="k">then</span> <span class="c1"># report spans above 100ms (cuts down on noise)</span> otel-cli span -n <span class="s2">&#34;</span><span class="nv">$2</span><span class="s2">&#34;</span> -s <span class="s2">&#34;b5x&#34;</span> --attrs <span class="nv">pwd</span><span class="o">=</span><span class="s2">&#34;</span><span class="k">$(</span><span class="nb">pwd</span><span class="k">)</span><span class="s2">&#34;</span> --start <span class="nv">$start</span> --end <span class="nv">$end</span> <span class="k">fi</span> </code></pre></div><p>All we need now is a server to collect and render the reported spans. We can use <a href="https://www.jaegertracing.io/docs/getting-started/">Jaeger</a> for this purpose. Here&rsquo;s what a profile of our build system looked like:</p> <img src="https://blog.1password.com/posts/2024/new-extension-build-system/current_build_system_profile.png" alt="The jaeger UI displaying a profile of our old extension build system." title="The jaeger UI displaying a profile of our old extension build system." class="c-featured-image"/> <p>This started us off with some great high-level insights:</p> <ul> <li>Long Webpack / Rollup runs made up the majority of the build time.</li> <li>Many smaller dependencies were built one-by-one, with great opportunities for parallelism.</li> <li>Some hot-ticket items at the very beginning were longer than they needed to be, holding up the rest of the build process.</li> <li>In particular, we were relying on a <code>find</code> command to avoid rerunning <a href="https://github.com/1Password/typeshare">typeshare</a> when Rust files hadn&rsquo;t changed. 
This worked great &hellip; except running that <code>find</code> command across our repo took much longer than simply rerunning <code>typeshare</code> every time!</li> </ul> <p>Some of those problems are easy to correct. For example, we can run multiple shell commands in parallel, or otherwise remove or shift dependencies to reduce times. Making Webpack or Rollup faster is more involved, though. We had thousands of lines of Webpack and Rollup configuration across multiple files, with many different plugins. How could we shorten these times?</p> <p>I began our hackathon project with an open slate; everyone on the team was encouraged to pursue any idea they had for reducing our bundler runtime. That could mean making improvements to our existing configurations, using different plugins, or even replacing the bundlers entirely with something new. This open-ended approach was key to quickly finding promising paths forward, and with multiple developers on the team it made sense to divide and conquer.</p> <p>A couple of interesting discoveries arose from this:</p> <ul> <li>Using esbuild as a <a href="https://github.com/privatenumber/esbuild-loader">loader for Webpack</a> / <a href="https://github.com/egoist/rollup-plugin-esbuild">loader for Rollup</a> resulted in some large performance wins.</li> <li>For Rollup specifically it cut runtime by about 80%. Not bad!</li> </ul> <img src="https://blog.1password.com/posts/2024/new-extension-build-system/rollup_esbuild_loader.png" alt="Screenshot of an excel spreadsheet showing bundle times with and without using esbuild as a loader for Rollup." title="Screenshot of an excel spreadsheet showing bundle times with and without using esbuild as a loader for Rollup." 
class="c-featured-image"/> <ul> <li>Using esbuild directly as a complete replacement for Webpack / Rollup was <em>extremely</em> promising, reducing bundle times by ~90%.</li> <li>Here&rsquo;s the time it took a couple of our Webpack configurations to run:</li> </ul> <img src="https://blog.1password.com/posts/2024/new-extension-build-system/webpack_runtime.png" alt="Screenshot of a jaeger profile showing a couple highlighted spans that are Webpack commands running." title="Screenshot of a jaeger profile showing a couple highlighted spans that are Webpack commands running." class="c-featured-image"/> <ul> <li>And here&rsquo;s the time it took esbuild ports of those same Webpack configurations:</li> </ul> <img src="https://blog.1password.com/posts/2024/new-extension-build-system/esbuild_runtime.png" alt="Screenshot of a jaeger profile showing a couple highlighted spans that are esbuild instances running." title="Screenshot of a jaeger profile showing a couple highlighted spans that are esbuild instances running." class="c-featured-image"/> <p>While we hadn&rsquo;t set out originally with the explicit goal of using <a href="https://esbuild.github.io/">esbuild</a>, it had been at the top of our list of things to try. After our first hackathon day we were convinced that it was the best path forward and we spent our remaining two days rebuilding as much of our system as possible on top of it. 
We learned a lot about esbuild in the process and the outcome was a very successful and award-winning hackathon project that reduced our extension build times by over 70% to around 15 seconds:</p> <img src="https://blog.1password.com/posts/2024/new-extension-build-system/hackathon_build_system_hyperfine.png" alt="a screenshot of a terminal showing the output of a hyperfine benchmark run on our final hackathon project build system" title="a screenshot of a terminal showing the output of a hyperfine benchmark run on our final hackathon project build system" class="c-featured-image"/> <p>And a profile that was looking <em>so much nicer</em>:</p> <img src="https://blog.1password.com/posts/2024/new-extension-build-system/hackathon_build_system_profile.png" alt="The jaeger UI displaying a profile of our final hackathon project extension build system." title="The jaeger UI displaying a profile of our final hackathon project extension build system." class="c-featured-image"/> <p>This was a really fantastic outcome! We were thrilled to have been able to deliver this kind of improvement with only a few days of work.</p> <p>The next step was actually <em>merging</em> the changes.</p> <h2 id="from-hackathon-to-production">From hackathon to production</h2> <p>We&rsquo;ve all been there: you&rsquo;re in the middle of a hackathon project when somebody encounters a blocker. Multiple suggestions for overcoming the obstacle are put forth, all of which would take too long. Enter: the temporary workaround! A fun, totally crazy hack that befits the hackathon narrative is put in place. 
Of course, as soon as the hackathon is over and you&rsquo;re looking at bringing your changes to production, those quick hacks have to be replaced with real solutions.</p> <p>The new, fast build system we developed during the hackathon had many such hacks:</p> <ul> <li>We hadn&rsquo;t actually finished moving the entire system over to esbuild, so there was still Webpack and Rollup usage floating around.</li> <li>We hadn&rsquo;t done any work to consolidate the build process into one location, so it was still spread out across many makefiles, shell scripts, and bundler configurations.</li> <li>We broke most of the graphic assets across our web extension and hadn&rsquo;t fixed them yet.</li> <li>TypeScript typechecking was removed from the build process and hadn&rsquo;t been brought back yet.</li> <li>Production builds with the new system hadn&rsquo;t been tested, and we had no idea how they would compare in terms of size or functionality.</li> <li>Some necessary changes in internal dependencies from other repositories had yet to be merged, published, and integrated.</li> <li>Other aspects of the previous build system, such as Sentry build steps, had yet to be recreated.</li> <li>We were missing handling for non-Chrome browsers, polyfills, and store-specific build needs (such as the source code bundle required by the Mozilla store).</li> </ul> <p>After the hackathon ended, I took the above to my manager and the rest of my team and made the case for re-arranging my roadmap so I could bring the new build system to production. I was given the thumbs up and got down to business 🙌.</p> <p>I began by spending a few weeks diving deep into the remaining problem areas (like how to solve typechecking). The lessons learned from this exploration went into an RFD (Request For Discussion) explaining the why, when, and how for bringing the new build system to production. 
Once it was approved, I began implementation in earnest.</p> <p>Let&rsquo;s dive into two of the most interesting areas of that work: typechecking and bundle size.</p> <h2 id="esbuild-with-typechecking">esbuild, with typechecking!</h2> <p>It turns out that <code>tsc</code> (the TypeScript compiler) is slow and that&rsquo;s not changing anytime soon.</p> <ul> <li><a href="https://github.com/dudykr/stc/issues/1101">stc</a> development is halted.</li> <li><a href="https://github.com/kaleidawave/ezno">Ezno</a> is not aiming for <code>tsc</code> parity.</li> <li><a href="https://github.com/marcj/TypeRunner">TypeRunner</a> development is halted.</li> <li>The TypeScript team said in 2020 that they have <a href="https://twitter.com/drosenwasser/status/1260722414012358657">&ldquo;no plans&rdquo;</a> to work on a speed-focused rewrite of <code>tsc</code>.</li> </ul> <p>The whole point of our new extension build system is speed. <code>tsc</code> is slow. esbuild bypasses <code>tsc</code> completely to achieve its incredible speed but we still need to be checking our types. How do we move forward?</p> <p>In the Webpack world, <a href="https://github.com/TypeStrong/fork-ts-checker-webpack-plugin">fork-ts-checker-webpack-plugin</a> is a popular solution for this problem. It uses a Webpack plugin to run <code>tsc</code> in a separate, non-blocking process, allowing the bundling process to finish first while typechecking is completed in the background. This gives you the best of both worlds: you can keep a fast build process fast while still incorporating full, <code>tsc</code>-based typechecking.</p> <p>There&rsquo;s a similar community plugin for esbuild called <a href="https://github.com/jgoz/esbuild-plugins/tree/master/packages/esbuild-plugin-typecheck">esbuild-plugin-typecheck</a>. It&rsquo;s interesting in that it does still run <code>tsc</code> in-process, but it does so in a worker thread, keeping it non-blocking. 
It also uses <code>tsc</code> as a library (allowing for more implementation flexibility) and runs <code>tsc</code>&rsquo;s incremental compilation mode on top of an in-memory VFS (Virtual File System) for improved performance on subsequent runs. Very neat!</p> <p>While <code>esbuild-plugin-typecheck</code> did work fairly well with our codebase, I wanted something that was a bit simpler implementation-wise. I put together a typechecking plugin of our own in ~50 lines of code that spawned a <code>tsc</code> CLI process for each package root that needed to be typechecked. Since we had multiple package roots, this got us some nice parallelism; it also guaranteed that typechecking performed by the build system would always be equivalent to that of a developer invoking <code>tsc</code> directly, which I quite liked.</p> <p>Once I had that simple typechecking implementation working well on top of the <code>tsc</code> CLI, I added two major enhancements.</p> <h3 id="esbuild-native-diagnostic-formatting">esbuild-native diagnostic formatting</h3> <p>The first was improved formatting for <code>tsc</code> compilation diagnostics (warnings and errors). By default, the <code>tsc</code> CLI outputs errors that look like this:</p> <img src="https://blog.1password.com/posts/2024/new-extension-build-system/tsc_pretty_error.png" alt="a screenshot of a terminal showing the output of tsc --noEmit --skipLibCheck. The error is a simple TS2322 &#39;type number is not assignable to type string&#39;." title="a screenshot of a terminal showing the output of tsc --noEmit --skipLibCheck. The error is a simple TS2322 &#39;type number is not assignable to type string&#39;." class="c-featured-image"/> <p>That error format doesn&rsquo;t quite fit in with other output from esbuild. 
Let&rsquo;s see if we can do better.</p> <p>You can have <code>tsc</code> output a different error format by passing <code>--pretty false</code>:</p> <img src="https://blog.1password.com/posts/2024/new-extension-build-system/tsc_simple_error.png" alt="A screenshot of a terminal showing the output of tsc --noEmit --skipLibCheck --pretty false. The error is the same as the last screenshot – it&#39;s just that the formatting has changed." title="A screenshot of a terminal showing the output of tsc --noEmit --skipLibCheck --pretty false. The error is the same as the last screenshot – it&#39;s just that the formatting has changed." class="c-featured-image"/> <p>While this format also isn&rsquo;t quite what we want, it <em>does</em> happen to be very amenable to being parsed and the <a href="https://github.com/Aiven-Open/tsc-output-parser">tsc-output-parser</a> library does just that! This library takes in the output lines written to stdout by <code>tsc</code> and returns a nice object with all of the parsed error data. 
We can translate this object into esbuild&rsquo;s native diagnostic message format like so:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-ts" data-lang="ts"><span class="kr">import</span> <span class="p">{</span> <span class="nx">$</span> <span class="p">}</span> <span class="kr">from</span> <span class="s2">&#34;execa&#34;</span><span class="p">;</span> <span class="kr">import</span> <span class="o">*</span> <span class="kr">as</span> <span class="nx">esbuild</span> <span class="kr">from</span> <span class="s2">&#34;esbuild&#34;</span><span class="p">;</span> <span class="c1">// assumed import path for the parser&#39;s item type (see tsc-output-parser) </span><span class="c1"></span> <span class="kr">import</span> <span class="kr">type</span> <span class="p">{</span> <span class="nx">GrammarItem</span> <span class="p">}</span> <span class="kr">from</span> <span class="s2">&#34;@aivenio/tsc-output-parser&#34;</span><span class="p">;</span> <span class="kr">async</span> <span class="kd">function</span> <span class="nx">tscDiagnosticToEsbuild</span><span class="p">(</span> <span class="nx">diagnostic</span>: <span class="kt">GrammarItem</span><span class="p">,</span> <span class="p">)</span><span class="o">:</span> <span class="nx">Promise</span><span class="p">&lt;</span><span class="nt">esbuild.PartialMessage</span><span class="p">&gt;</span> <span class="p">{</span> <span class="c1">// sed is currently used to fetch lines from files for simplicity </span><span class="c1"></span> <span class="kr">const</span> <span class="nx">lineText</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">$</span><span class="sb">`sed -n </span><span class="si">${</span><span class="nx">diagnostic</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">cursor</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">line</span><span class="si">}</span><span class="sb">p </span><span class="si">${</span><span class="nx">diagnostic</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">path</span><span class="p">.</span><span class="nx">value</span><span class="si">}</span><span class="sb">`</span><span class="p">;</span> <span class="c1">// Sometimes `tsc` outputs multi-line error messages. 
It seems that </span><span class="c1"></span> <span class="c1">// the first line is always a pretty good overview of the error, and </span><span class="c1"></span> <span class="c1">// subsequent lines (if present) may present more detailed information. </span><span class="c1"></span> <span class="c1">// </span><span class="c1"></span> <span class="c1">// We split the first line overview out to use as the error message, </span><span class="c1"></span> <span class="c1">// and the rest of the lines to be used as the error notes. </span><span class="c1"></span> <span class="kr">const</span> <span class="p">[</span><span class="nx">firstLine</span><span class="p">,</span> <span class="nx">rest</span><span class="p">]</span> <span class="o">=</span> <span class="nx">diagnostic</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">message</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">split</span><span class="p">(</span><span class="s2">&#34;\n&#34;</span><span class="p">,</span> <span class="mi">2</span><span class="p">);</span> <span class="k">return</span> <span class="p">{</span> <span class="nx">location</span><span class="o">:</span> <span class="p">{</span> <span class="nx">column</span>: <span class="kt">diagnostic.value.cursor.value.col</span> <span class="o">-</span> <span class="mi">1</span><span class="p">,</span> <span class="nx">line</span>: <span class="kt">diagnostic.value.cursor.value.line</span><span class="p">,</span> <span class="nx">file</span>: <span class="kt">diagnostic.value.path.value</span><span class="p">,</span> <span class="nx">lineText</span>: <span class="kt">lineText.stdout</span><span class="p">,</span> <span class="p">},</span> <span class="nx">notes</span>: <span class="kt">rest</span> <span class="o">&amp;&amp;</span> <span class="nx">rest</span><span class="p">.</span><span class="nx">trim</span><span class="p">().</span><span 
class="nx">length</span> <span class="o">&gt;</span> <span class="mi">0</span> <span class="o">?</span> <span class="p">[{</span> <span class="nx">text</span>: <span class="kt">rest</span> <span class="p">}]</span> <span class="o">:</span> <span class="p">[],</span> <span class="nx">text</span><span class="o">:</span> <span class="sb">`</span><span class="si">${</span><span class="nx">firstLine</span><span class="si">}</span><span class="sb"> [</span><span class="si">${</span><span class="nx">diagnostic</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">tsError</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">errorString</span><span class="si">}</span><span class="sb">]`</span><span class="p">,</span> <span class="p">};</span> <span class="p">}</span> </code></pre></div><p>These esbuild-native objects can be written to our own stdout using <a href="https://esbuild.github.io/api/#format-messages">esbuild&rsquo;s helper functions</a>, and they look great:</p> <img src="https://blog.1password.com/posts/2024/new-extension-build-system/esbuild_diagnostic_error.png" alt="A screenshot of a terminal showing the same error from the above screenshots, but this time formatted using esbuild&#39;s native diagnostic format." title="A screenshot of a terminal showing the same error from the above screenshots, but this time formatted using esbuild&#39;s native diagnostic format." class="c-featured-image"/> <p>A more complex error is even better at showing off the benefit of using esbuild&rsquo;s formatting. Here&rsquo;s one:</p> <img src="https://blog.1password.com/posts/2024/new-extension-build-system/tsc_complex_error.png" alt="A screenshot of a terminal showing a pretty-formatted complex error from tsc. 
The error is Type &#39;{ item2: ItemListEntry; data: ListItemData; style: ItemStyle; index: number; }&#39; is not assignable to type &#39;IntrinsicAttributes &amp; ListItemProps&#39; followed by Property &#39;item2&#39; does not exist on type &#39;IntrinsicAttributes &amp; ListItemProps&#39;. Did you mean &#39;item&#39;?" title="A screenshot of a terminal showing a pretty-formatted complex error from tsc. The error is Type &#39;{ item2: ItemListEntry; data: ListItemData; style: ItemStyle; index: number; }&#39; is not assignable to type &#39;IntrinsicAttributes &amp; ListItemProps&#39; followed by Property &#39;item2&#39; does not exist on type &#39;IntrinsicAttributes &amp; ListItemProps&#39;. Did you mean &#39;item&#39;?" class="c-featured-image"/> <img src="https://blog.1password.com/posts/2024/new-extension-build-system/esbuild_complex_error.png" alt="A screenshot of a terminal showing a pretty-formatted complex error from tsc. The error is the same as the last screenshot, but this time using esbuild&#39;s native diagnostic format." title="A screenshot of a terminal showing a pretty-formatted complex error from tsc. The error is the same as the last screenshot, but this time using esbuild&#39;s native diagnostic format." class="c-featured-image"/> <p>The <code>tsc</code> error formatting starts off with multiple lines of error description, which is a bit overwhelming. It also has the error file location separated from the error source code excerpt. The esbuild-formatted error, on the other hand, splits the extra line of error description off into a note at the bottom, and includes all the source code information prominently in the center.</p> <p>All together, translating <code>tsc</code> diagnostics into the esbuild format allowed us to unify diagnostic formatting across the entire build system. 
It also made <code>tsc</code> diagnostics easier to read.</p> <h3 id="automatically-verifying-that-all-build-inputs-are-being-typechecked">Automatically verifying that all build inputs are being typechecked</h3> <p>I&rsquo;ve had some great conversations about web project build systems with my colleagues over the years. We&rsquo;ve discussed modern tools such as esbuild, which promise better performance, many times.</p> <p>One question always surfaced: if <code>tsc</code> is no longer handling your Typescript compilation, how do you guarantee that all of your build inputs are actually being typechecked? It&rsquo;s easy enough to run <code>tsc --noEmit</code> in your project root, but that doesn&rsquo;t by itself provide any guarantees that are tied to your build system.</p> <p>For example, if you have multiple projects that each need to be typechecked, it&rsquo;s possible that you could forget to include one in your typecheck plugin config. Boom – now you&rsquo;re shipping production code that isn&rsquo;t being typechecked. Bummer! It&rsquo;s always going to require reliance on some measure of luck and human vigilance to prevent this from happening, and that&rsquo;s never made us feel all warm and fuzzy inside.</p> <p>What if we could rebuild that connection between the build system and the typechecker, though? We want to get back to knowing that if our build finishes successfully, we&rsquo;re guaranteed to have typechecked all of the inputs.</p> <p>I noticed that <a href="https://www.typescriptlang.org/docs/handbook/compiler-options.html#compiler-options"><code>tsc</code> offers a <code>--listFilesOnly</code> flag</a>. It causes <code>tsc</code> to print a newline-separated list of filepaths involved in compilation. 
On the other side of the fence, I also knew that <a href="https://esbuild.github.io/api/#metafile">esbuild generates a Metafile</a> that describes all build inputs:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-ts" data-lang="ts">interface Metafile {
  inputs: {
    [path: string]: {
      // ...
    };
  };
  // ...
}
</code></pre></div><p>I realized that given this information, we could:</p> <ul> <li>Build a set T containing all of the input filepaths from the <code>tsc</code> invocations that the typechecking plugin was configured to run.</li> <li>Build another set E containing all of the Typescript input filepaths from the esbuild Metafile.</li> <li>Compute the difference between the two sets (E - T).</li> <li>If the resulting set is empty, all build inputs were typechecked.</li> </ul> <p>And it worked out very well! Here&rsquo;s a screenshot showing the information output:</p> <img src="https://blog.1password.com/posts/2024/new-extension-build-system/typechecking_integrity_verification.png" alt="A screenshot of a terminal showing some log messages and the words &#39;✅ All first-party input files used in the bundling process were typechecked [552 first-party inputs, 4839 files checked by tsc]&#39;" title="A screenshot of a terminal showing some log messages and the words &#39;✅ All first-party input files used in the bundling process were typechecked [552 first-party inputs, 4839 files checked by tsc]&#39;" class="c-featured-image"/> <p>I got validation that this approach was helpful very quickly. 
A couple days later I made a change while iterating on the build system that resulted in a new package not being typechecked. Instead of finding out weeks later, I immediately became aware of the configuration error through CI a few minutes after pushing the commit. I was then able to fix it up and continue on without a second thought.</p> <p>And while we&rsquo;re on the topic of benefiting from smart build tools&hellip;</p> <h2 id="production-bundle-size-improvements-esbuild-rocks">Production bundle size improvements (esbuild rocks)</h2> <p>Towards the final stages of implementing the new build system I turned my eye toward production builds. Our team knew they <em>worked</em> but there were still some details to be investigated (like comparing production bundle sizes).</p> <p>esbuild has a fantastic <a href="https://esbuild.github.io/analyze/">bundle size analyzer</a>. It accepts the Metafile mentioned earlier as input and then renders a variety of delightful visualizations that not only help you understand what the size of your bundle is, but also <em>why</em> it&rsquo;s that size. Click on the &ldquo;load an example&rdquo; button in the analyzer and take it for a spin. It&rsquo;s fun!</p> <p>While I was poking around our production bundle analysis, I noticed something odd:</p> <img src="https://blog.1password.com/posts/2024/new-extension-build-system/esbuild_cjs_esm.png" alt="A screenshot of esbuild&#39;s treemap bundle size visualizer. A large number of blocks are on the screen of varying sizes and colors. Each block consists of a title with location information for the block (filepath, package name) as well as text showing the block&#39;s contribution to the overall bundle size." title="A screenshot of esbuild&#39;s treemap bundle size visualizer. A large number of blocks are on the screen of varying sizes and colors. 
Each block consists of a title with location information for the block (filepath, package name) as well as text showing the block&#39;s contribution to the overall bundle size." class="c-featured-image"/> <p>Here we&rsquo;re seeing the treemap visualization for one of our entrypoints. The largest block contributing to the size of this entrypoint happens to be <code>@1password/knox-components</code> (our internal UI component library). But &hellip; looking closely, there appear to be two blocks of equal size inside of it: <code>index.mjs</code> and <code>index.js</code>. Surely we don&rsquo;t need both the <a href="https://nodejs.org/api/esm.html#modules-ecmascript-modules">ESM</a> and <a href="https://nodejs.org/api/modules.html#modules-commonjs-modules">CJS</a> builds of the library to be in our production bundle?</p> <p>This is where esbuild&rsquo;s analyzer takes it to the next level. If we click on the <code>@1password/knox-components/index.js</code> block:</p> <img src="https://blog.1password.com/posts/2024/new-extension-build-system/esbuild_cjs_esm_why.png" alt="A screenshot of the inclusion reason panel in esbuild&#39;s treemap bundle size visualizer. This panel provides more details about a specific block from the treemap. In particular, it contains a section that walks you through the dependency tree to show you why a particular block ended up being included in the final bundle output." title="A screenshot of the inclusion reason panel in esbuild&#39;s treemap bundle size visualizer. This panel provides more details about a specific block from the treemap. In particular, it contains a section that walks you through the dependency tree to show you why a particular block ended up being included in the final bundle output." class="c-featured-image"/> <p>It tells us exactly what&rsquo;s causing the CJS build of <code>@1password/knox-components</code> to be included in our production bundle! 
Some code we were importing from another internal library was itself importing <code>@1password/knox-components</code> via a <code>require</code> statement, and <code>require</code> forces CJS to be pulled in over ESM. <a href="https://github.com/evanw/esbuild/issues/1950#issuecomment-1018624513">The author of esbuild has written some great comments explaining this situation in more detail.</a></p> <p>Armed with this information, I was able to quickly track down and fix the package misconfiguration in our internal library, resulting in an exciting file size win for this entrypoint (3.3 mb -&gt; 2.1 mb):</p> <img src="https://blog.1password.com/posts/2024/new-extension-build-system/esbuild_esm.png" alt="A screenshot of esbuild&#39;s treemap bundle size visualizer. A large number of blocks are on the screen of varying sizes and colors, just like earlier. This time there&#39;s one less large block thanks to our fix." title="A screenshot of esbuild&#39;s treemap bundle size visualizer. A large number of blocks are on the screen of varying sizes and colors, just like earlier. This time there&#39;s one less large block thanks to our fix." class="c-featured-image"/> <p>And given that we use our UI component library across many entrypoints, the file size win applied in multiple places. This resulted in the new build system producing a smaller production extension build in significantly less time. Awesome!</p> <h2 id="lets-talk-impact">Let&rsquo;s talk impact</h2> <p>I was thrilled to see the (large) changeset for the new build system merge into <code>main</code> only a few months after the hackathon project that started it all. (I was also a little bit sad because I had so much fun working on it!) The only thing left was to better understand the impact it had on our product.</p> <p>Earlier I mentioned that the new build system had reduced warm extension build times by over 70%, bringing them from one minute, ten seconds to fifteen seconds. 
<strong>I&rsquo;m happy to say that the production implementation resulted in a reduction of more than 90%, and a warm build time of just five seconds.</strong> It also included a <a href="https://esbuild.github.io/api/#watch">watch mode</a> that can rebundle the extension&rsquo;s Typescript files (which make up a majority of the codebase) in under a second every time changes are written to disk.</p> <p>Numbers are only one way to measure impact, though. A number of my colleagues have shared amazing stories about how the new build system has made their lives <em>so much easier</em> and let them iterate on important changes more quickly than they ever thought possible. Their experiences paint the numbers with color and meaning in a way that&rsquo;s truly inspiring!</p> <p>It&rsquo;s also useful to consider the impact that the new build system <em>didn&rsquo;t</em> have. For example, if you use 1Password in the browser, you&rsquo;ve got a little icon in your browser toolbar right now that&rsquo;s powered by output from this new build system, and you&rsquo;d most likely never have known anything had changed behind the scenes if it weren&rsquo;t for this post! Our QA team and many developer volunteers worked tirelessly to comb over builds from the new system and confirm their integrity, and their wonderful work meant that we were able to keep shipping to millions of people without interruption. Yay!</p> <p>Developer satisfaction with the extension build system has also improved dramatically. I ran two polls internally: one before work began and one just recently after it had been merged for some time. The &ldquo;before&rdquo; poll saw 97% (n=31) of extension developers saying they were unhappy with extension build times. The &ldquo;after&rdquo; poll flipped that number right around to 95% (n=22) happiness. 
Happy developers build great things, so it&rsquo;s wonderful to have been able to move this metric so far in the right direction in a short amount of time.</p> <h2 id="in-conclusion">In conclusion</h2> <p>The extension builds faster, esbuild is awesome, and hackathon projects are the best 😎.</p> <p>If making developers happy and productive with fast build systems sounds fun to you, consider <a href="https://1password.com/careers">joining our team</a>!</p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Want to work for 1Password?</h3> <p class="c-call-to-action-box__text"> Browse our current job openings to see if there’s an opportunity that matches your career goals. </p> <a href="https://1password.com/jobs/?utm_ref=blog" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> View our open positions </a> </div> </section></description></item><item><title>It's time to get serious about GDPR compliance – here's why</title><link>https://blog.1password.com/get-serious-gdpr-compliance/</link><pubDate>Wed, 29 May 2024 00:00:00 +0000</pubDate><author>info@1password.com (Rachel Sudbeck)</author><guid>https://blog.1password.com/get-serious-gdpr-compliance/</guid><description> <img src='https://blog.1password.com/posts/2024/get-serious-gdpr-compliance/header.png' class='webfeedsFeaturedVisual' alt='It's time to get serious about GDPR compliance – here's why' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">In 2022, the EU’s General Data Protection Regulation (GDPR), the most powerful data privacy law in a generation, was used to fine a nosy neighbor.</p> <p>An <a href="https://www.dataguidance.com/news/spain-aepd-fines-unnamed-person-1500-unlawful-use-video">unnamed Spanish citizen</a> had two home security cameras pointed 
toward a public road. This got attention from their city council, who filed a claim with the Spanish data protection authority (AEPD).</p> <p>Home security is one thing, but GDPR has some pretty strict requirements on how citizens’ data can be processed. For one thing, you have to collect only the minimum data necessary for your purpose; recording everyone who passes by your house is going a <em>little</em> overboard. And while the homeowner had hung up a notice about the cameras, it lacked important information, like who owned the recordings.</p> <p>For this, and other issues, the AEPD found the individual in violation of GDPR. They were ordered to move their cameras, hang up notices about the recorded data, and pay a fine of 1,500 euros.</p> <p>Since GDPR enforcement began, plenty of companies have had an unspoken belief: “I’m too small for the EU to notice.” But data authorities are paying attention to even the smallest cases. And in recent years, GDPR enforcement has only been <a href="https://www.enforcementtracker.com/?insights">ramping up</a> in scale and intensity. These days, if you do business in the EU, you have to do more for GDPR compliance than cross your fingers and play the odds.</p> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div class="c-technical-aside-box__description"> <p><strong>Legal Disclaimer</strong></p> <p>None of the following information should be construed as legal advice, and if you have legal questions, you should consult an AI chatbot. Sorry, we mean your attorney. Consult your attorney.</p> </div> </aside> <p><strong>Note to readers:</strong> We’re going to be starting with an overview of the GDPR basics. For readers who need a refresher, read on. 
For readers who are already familiar and want to get straight to the juicy stuff, we’ll forgive you if you skip ahead to the section titled: <a href="#recent-changes-to-gdpr-enforcement">Recent changes to GDPR enforcement</a>.</p> <h2 id="what-is-gdpr">What is GDPR?</h2> <p>GDPR is a regulation that formalizes and enforces the data privacy rights of European Union citizens. It was <a href="https://gdpr-info.eu/">first published</a> in 2016, and enforcement began on May 25th, 2018.</p> <p>Remember 2018? GDPR had built some impressive hype, in no small part because it came with <a href="https://gdpr-info.eu/issues/fines-penalties/#:~:text=For%20especially%20severe%20violations%2C%20listed,fiscal%20year%2C%20whichever%20is%20higher.">hefty consequences</a> for infringement – violating companies could be charged up to 4% of their global turnover for a fiscal year.</p> <p>Invasive ad companies were <a href="https://www.wired.com/story/happy-gdpr-day-gdpr-hall-of-shame/">pulling out of Europe</a> with their tails tucked between their legs, academics were <a href="https://www.tandfonline.com/doi/full/10.1080/13600834.2019.1573501">celebrating</a> “the most consequential regulatory development in information policy in a generation,” and the scrappy little multinational data regulation even managed to beat <em><a href="https://www.wired.com/story/happy-gdpr-day-gdpr-hall-of-shame/">Beyoncé</a></em> in Google search volume (for like, a couple of days, but still).</p> <p>All that build-up aside, it feels like it still took <a href="https://www.statista.com/chart/30053/gdpr-data-protection-fines-timeline/">a few years</a> to see GDPR <em>truly</em> kick off enforcement. Legal proceedings are never zippy, for one thing, and only a fraction of GDPR fines receive media attention.</p> <p>But recently, GDPR has been getting some renewed buzz. 
Some very visible rulings against big tech companies saw GDPR fines topping 2.06 <em>billion</em> euros in 2023.</p> <p>And while those big fines make a lot of noise, GDPR has been picking up steam at every level. Since enforcement began, the <a href="https://www.enforcementtracker.com/">GDPR enforcement tracker</a> from CMS has shown a <a href="https://www.enforcementtracker.com/?insights">general upward trend</a> in fines at various amounts being levied against companies of various sizes. From 2019 to 2023, we went from only 143 public cases a year to closer to 500.</p> <p>And remember – <em>most</em> fines aren’t notorious or big enough to go public. CMS looked through aggregate numbers of the non-publicized fines, and notes that the less notable cases make up the <a href="https://cms.law/en/media/international/files/publications/publications/gdpr-enforcement-tracker-report-may-2023?v=1">vast bulk</a> of GDPR enforcement.</p> <img src='https://blog.1password.com/posts/2024/get-serious-gdpr-compliance/gdpr-iceberg.png' alt='A graphic from CMS depicting &#39;The GDPR fine iceberg.&#39; The tip of the iceberg is labeled &#39;record fines &amp; landmark cases.&#39; Underneath that, still above water, the middle portion of the iceberg is labeled &#39;Publicly known cases.&#39; The bulk of the iceberg, which is underwater, is labeled, &#39;The rest.&#39;' title='A graphic from CMS depicting &#39;The GDPR fine iceberg.&#39; The tip of the iceberg is labeled &#39;record fines &amp; landmark cases.&#39; Underneath that, still above water, the middle portion of the iceberg is labeled &#39;Publicly known cases.&#39; The bulk of the iceberg, which is underwater, is labeled, &#39;The rest.&#39;' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>This “ramp-up of enforcement,” as <a href="https://cms.law/en/media/international/files/publications/publications/gdpr-enforcement-tracker-report-may-2023?v=1">CMS calls it</a>, has gotten GDPR some 
renewed interest in the past few months alone.</p> <p>Given all this attention, you probably have a decent idea of what the law is and how it impacts businesses. But let&rsquo;s start off with a refresher on the basics.</p> <h3 id="what-data-is-protected-by-gdpr">What data is protected by GDPR</h3> <p>The EU takes a <a href="https://gdpr-info.eu/issues/personal-data/#:~:text=For%20example%2C%20the%20telephone%2C%20credit,as%20broadly%20interpreted%20as%20possible.">broad definition</a> of “personal data.” There are the obvious things, of course, like names and mailing addresses. But any information that could conceivably be used to identify someone is considered personal data under the regulation. That includes information like IP addresses, working hours, race, religion, and even subjective data like people’s opinions.</p> <p>The basic rule is that if information <em>could</em> be connected to a specific individual – either on its own or by connecting it with other data – then it’s protected.</p> <h3 id="when-is-it-okay-to-collect-pii-under-gdpr">When is it okay to collect PII under GDPR?</h3> <p>Protected information can be collected and processed if the subject gives their informed consent.</p> <p>However, data can be collected <em>without</em> consent in <a href="https://gdpr-info.eu/art-6-gdpr/">specific cases</a> where the benefits outweigh any privacy compromises. By and large, these cases are pretty sensible. Banks can process data to prevent fraud, for instance, and hospitals can process your data to treat urgent injuries.</p> <p>The thorniest provision for this, however, might be that companies are allowed to collect data to serve “<a href="https://commission.europa.eu/law/law-topic/data-protection/reform/rules-business-and-organisations/legal-grounds-processing-data/grounds-processing/what-does-grounds-legitimate-interest-mean_en">legitimate interest</a>.” As we’ll see later, some companies have adopted an overly broad interpretation of that term. 
Keep in mind – when it comes <a href="https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/lawful-basis/legitimate-interests/when-can-we-rely-on-legitimate-interests/">to marketing</a>, users’ privacy will almost always outweigh companies’ interests.</p> <h3 id="who-gdpr-applies-to">Who GDPR applies to</h3> <p>If GDPR applies to your company, you hopefully already know that. But just to be clear, GDPR applies to any controllers that:</p> <ol> <li>Are based in the EU.</li> <li>Aren’t based in the EU, but sell goods or services there, or collect and process the data of European citizens.</li> </ol> <p>It’s also worth noting that, Brexit aside, the UK adopted their own (<a href="https://www.legislation.gov.uk/eur/2016/679/contents">basically verbatim</a>) copy of the GDPR, so you can go ahead and lump them in with everything else we say in this article.</p> <p>We’ll go into more specifics later on the responsibilities of controllers – especially for the overseas controllers out there. But spoiler alert: one of a controller&rsquo;s primary obligations is to protect data from unauthorized access, so we will be talking about security.</p> <h3 id="rights-of-subjects">Rights of subjects</h3> <p>GDPR articulates certain <a href="https://gdpr-info.eu/chapter-3/"><em>fundamental rights</em></a> that subjects have when it comes to their data. These rights include things like providing subjects’ data to them when it’s requested, as well as erasing or correcting that data when necessary.</p> <p>GDPR also places the <a href="https://www.edpb.europa.eu/sme-data-protection-guide/respect-individuals-rights_en#:~:text=Facilitate%20the%20exercise%20of%20rights,locate%20and%20retrieve%20information%20efficiently.">impetus on companies</a> to make these rights <em>easy</em> for users to exercise. Your company’s ability to comply will often come down to your policies around data transparency, governance, and security. 
You can’t fully erase someone’s data, for instance, if you aren’t sure what devices have already downloaded it or what apps your employees are using to process it.</p> <h2 id="recent-changes-to-gdpr-enforcement">Recent changes to GDPR enforcement</h2> <p>Again, remember 2018? It’s safe to say that the GDPR fervor has died down a smidge since then (Beyoncé’s still going strong, though).</p> <p>After a few years of enforcement, we grew jaded. There were <a href="https://www.enforcementtracker.com/?insights">some fines</a> levied, sure, and the creepy neighbors of the world were hopefully being more cautious with their doorbell cameras.</p> <p>But GDPR hadn’t cracked any of the broader systemic issues with data privacy. Its impact on online tracking rates was <a href="https://papers.ssrn.com/sol3/papers.cfm?abstract_id=4399388#:~:text=Findings%20show%20that%2C%20across%20all,trackers%20in%20the%20control%20group">marginal at best</a>, the world’s data brokers weren’t exactly <a href="https://gitnux.org/data-broker-industry/">taking a hit</a> to profits, and <a href="https://www.forbes.com/sites/steveandriole/2022/07/26/are-we-spending-too-much-on-cybersecurity-when-costs-reputation-risks--fines-are-so-small/?sh=23f087e74763">business pros</a> were still using the cold calculus of “why pay for security when you can just pay the fine for a breach?”</p> <img src='https://blog.1password.com/posts/2024/get-serious-gdpr-compliance/scrooge-mcduck-dive.jpg' alt='An illustration of Scrooge McDuck swimming in cash and gold coins.' title='An illustration of Scrooge McDuck swimming in cash and gold coins.' 
style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p><a href="https://fair.org/home/to-readers-x-billion-just-means-a-whole-lot-of-money/">Image Source</a></p> <p>As Austrian privacy campaigner Max Schrems <a href="https://www.politico.eu/article/wojciech-wiewiorowski-gdpr-brussels-eu-data-protection-regulation-privacy/">stated in 2022</a>: “After a first moment of shock, a large part of the data industry has learned to live with GDPR without actually changing practices.”</p> <p>However, as <em>Wired</em> <a href="https://www.wired.com/story/gdpr-2022/">reported</a> that same year: “Europe’s data regulators claim GDPR enforcement is still maturing and … improving over time.”</p> <p>It sounded like lip service, but very recently we’ve seen some <em>major</em> changes to how GDPR is enforced – especially in cross-border cases.</p> <h3 id="gdprs-cross-border-problem">GDPR’s cross-border problem</h3> <p>In all honesty, enforcement was probably always doomed to have an uneven start. The EU is composed of disparate countries with disparate systems of government, after all.</p> <p>The European Data Protection Board (<a href="https://www.edpb.europa.eu/about-edpb/who-we-are/european-data-protection-board_en">EDPB</a>) was established to make sure that GDPR was being enforced consistently. 
But each EU Member State was still in charge of forming its own independent “<a href="https://gdpr-info.eu/art-52-gdpr/">supervisory authority</a>,” to investigate and enforce GDPR rulings in their country.</p> <p>What about cross-border cases, where companies process data from citizens in more than one EU state?</p> <p>It’s simple!</p> <p>The country that hosts the company’s <a href="https://gdpr-info.eu/recitals/no-36/">main establishment</a> (“the place of its central administration in the union”) would become the “<a href="https://www.edpb.europa.eu/system/files/2023-04/edpb_guidelines_202208_identifying_lsa_targeted_update_v2_en.pdf">lead supervisory authority</a>.” They’d be responsible for overseeing the cases levied against that company. It’s a <a href="https://www2.deloitte.com/ch/en/pages/risk/articles/gdpr-one-stop-shop.html">one-stop-shop</a> mechanism to keep cross-border collaboration streamlined and efficient.</p> <p>… Right?</p> <h3 id="ireland-vs-the-eu">Ireland vs The EU</h3> <p>The thing is, tech companies don’t tend to build their headquarters in nations known for being tough on corporate malfeasance.</p> <p>Ireland and Luxembourg were two countries known for courting big tech with low corporate tax rates and other business-friendly regulations. Suddenly, they became the supervisory authorities of the very corporations they’d pinned their economic hopes on.</p> <p>Luxembourg, for instance, became the primary regulator of Amazon, a company with about twice as many employees as Luxembourg has <em>citizens</em>. 
That didn’t stop the Luxembourg authority from levying a <a href="https://www.politico.eu/article/amazon-fine-luxembourg-europe-privacy-champion/">hefty fine</a> against Amazon, but there was plenty of debate around the wisdom in provoking their country’s <a href="https://www.uni-europa.org/news/a-remarkable-victory-for-amazon-workers-in-luxembourg/">second-largest</a> employer.</p> <p>Meanwhile, The Emerald Isle had been particularly aggressive in rolling out the red carpet to Big Tech. The Irish Data Protection Commission (DPC) became the lead regulator in cases relating to major companies like Apple, Microsoft, Google, and Meta.</p> <p>Well before GDPR, in cases like the <a href="https://www.politico.eu/interactive/ireland-blocks-the-world-on-data-privacy/">Cambridge Analytica scandal</a>, the DPC had already proven themselves willing to overlook Silicon Valley’s privacy sins. And their approach to GDPR enforcement didn’t invite much new confidence. Nowhere is this more clear than their attempts to enforce GDPR policies on Meta.</p> <p>Meta had been under fire by privacy activists since <a href="https://www.irishtimes.com/business/technology/max-schrems-launches-first-legal-cases-under-gdpr-1.3508177">literally day one</a> of GDPR enforcement. Of particular concern was Meta’s transfers of EU citizens’ data overseas for processing. 
In fact, a legal challenge to those transfers led the Court of Justice of the European Union in 2020 to <a href="https://curia.europa.eu/jcms/upload/docs/application/pdf/2020-07/cp200091en.pdf">invalidate Privacy Shield</a>, the whole <em>legal mechanism</em> for smoothly moving data across the Atlantic.</p> <p>It would be three years before a new, <a href="https://www.crowell.com/en/insights/client-alerts/eu-us-data-privacy-framework-the-new-solution-for-eu-data-transfers-to-the-us">slightly tougher</a> mechanism was in place, but for that whole time, Meta continued their data transfers as usual, citing their need to fulfill contractual obligations to customers.</p> <p>Suffice it to say, despite hastily updating their <a href="https://www.computerweekly.com/news/366543459/EU-judgment-sinks-Metas-argument-for-targeted-ads">terms of service</a> with a clause indicating consent to data monitoring, Meta wasn’t impressing anyone with their GDPR compliance efforts.</p> <p>And the DPC wasn’t impressing their fellow Member States. Despite the severity of Meta’s infringements, after five years of investigation, they sent out a draft decision to fine the company a maximum of 59 million pounds.</p> <img src='https://blog.1password.com/posts/2024/get-serious-gdpr-compliance/mark-zuckerberg-compound.jpg' alt='A screenshot of a news headline from Wired which reads, &#39;Inside Mark Zuckerberg’s top-secret $100 million Hawaii compound.&#39;' title='A screenshot of a news headline from Wired which reads, &#39;Inside Mark Zuckerberg’s top-secret $100 million Hawaii compound.&#39;' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p><a href="https://www.instagram.com/applenews/p/C1FmaZ6udNF/">Image Source</a></p> <p>Other nations made some strong objections. 
The DPC, <a href="https://www.edpb.europa.eu/system/files/2023-05/final_for_issue_ov_transfers_decision_12-05-23.pdf">in their words</a>, “determined that it would not follow [the objections] and/or that they were not relevant and reasoned.” The case was referred to the EDPB for a final decision in 2023.</p> <p><a href="https://www.edpb.europa.eu/system/files/2023-05/final_for_issue_ov_transfers_decision_12-05-23.pdf">The EDPB’s ruling</a>?</p> <ol> <li>Meta would be fined 1.2 billion (note the b) euros, roughly 1.3 billion dollars at the time.</li> <li>They weren’t buying Meta’s “contractual obligation” argument.</li> <li>Meta had to suspend data transfers.</li> <li>Meta had to <a href="https://www.edpb.europa.eu/news/news/2023/12-billion-euro-fine-facebook-result-edpb-binding-decision_en">stop processing or storing</a> in the U.S. any of their illegally gained data.</li> <li>And in a separate urgent binding decision later that year, Meta was <a href="https://www.edpb.europa.eu/news/news/2023/edpb-urgent-binding-decision-processing-personal-data-behavioural-advertising-meta_en">banned</a> from processing personal data for behavioral advertising across the European Economic Area (EEA).</li> </ol> <p>This wasn’t the first time that the DPC had issued rulings that were out of step with the prevailing legal consensus. As Derek Scally reported for <em><a href="https://www.irishtimes.com/opinion/2023/01/23/irelands-data-commissioner-out-of-step-with-european-peers/">The Irish Times</a></em>, “in seven EDPB interventions in national decisions to date, all but one have involved the Irish regulator.” He went on to say that critics linked the consistent pattern of intervention “&hellip;to how the Irish regulator – faced with a choice – will always choose the most tortuous, lengthy and expensive legal route to a decision rather than a simple application of EU law.”</p> <p>The Meta case, however, invited particular frustration. For the EDPB to overrule a regulator’s decision requires a two-thirds majority vote. 
And Scally reported that in the Meta ruling, not a single one of the 30 member states in the EDPB sided with Ireland.</p> <h3 id="the-eu-vs-you">The EU vs you</h3> <p>The thing is, Meta’s pretty big.</p> <p>When hearing about such egregious violations, it would be natural to think: “Europe’s not going to care about my lil old non-compliant company.”</p> <p>But remember the home security enthusiast from earlier – most cases aren’t big enough to get national attention.</p> <p>That&rsquo;s not to say that the big cases don&rsquo;t have an impact on the little ones. The recent big tech enforcement actions bring attention and notoriety, which leads to a general tightening of the policies used to enforce <em>all</em> cases. For instance, Meta’s ruling seems to have marked a tipping point in the EU’s patience not just with Ireland, but with overseas companies in general.</p> <p>On February 14th, 2024, the EDPB published a <a href="https://www.edpb.europa.eu/system/files/2024-02/edpb_opinion_202404_mainestablishment_en.pdf">strongly worded Valentine</a> (or guidance) around the one-stop-shop, enforcement-where-you&rsquo;re-established mechanism.</p> <p>The one-stop-shop will now only apply for controllers that can prove that their European main establishment:</p> <ol> <li>Is the main establishment in charge of making decisions about how and why data gets processed.</li> <li>Has the power to implement those decisions.</li> </ol> <p>If companies have no European main establishments that fit the bill, one-stop-shop doesn’t apply, and they’ll be at the mercy of any and every country that’s receiving complaints about them.</p> <p>This is a clear attempt to nerf overseas companies that set up puppet establishments in corporate-friendly EU countries. EDPB even takes the time to specify that “the Board also recalls that the GDPR does not permit ‘forum shopping’ in the identification of the main establishment.”</p> <p>Listen. 
There’s no delicate way to put this, so I’ll be using their full name in order to convey a proper amount of severity.</p> <p>The European Data Protection Board is <em>pissed</em>. Legal bodies don’t put scare quotes around “forum shopping” unless they’ve been driven to the edge of a blind rage.</p> <p>This new guidance comes on the heels of The European Commission <a href="https://www.iccl.ie/digital-data/europe-wide-overhaul-of-gdpr-monitoring-triggered-by-iccl/">in 2023</a> committing to oversee every large-scale GDPR case. Later that year, they committed to strengthening and streamlining <a href="https://ec.europa.eu/commission/presscorner/detail/en/qanda_23_3610">cross-border GDPR</a> investigations so rulings would move faster.</p> <p>These strengthened restrictions are going to impact cases at every level of the GDPR. Meta was just the Great White Shark that showed them their boat was too small.</p> <p>To summarize: in the years since GDPR&rsquo;s passage, the European Commission has stepped up its commitment to making enforcement better, faster, and stronger. And when it comes to companies that take a laissez-faire approach to people’s rights, there&rsquo;s no target too big or too small.</p> <h2 id="gdprs-controller-responsibilities-and-how-theyre-being-enforced">GDPR’s controller responsibilities, and how they&rsquo;re being enforced</h2> <p>So, what are the duties of a controller with a renewed dedication to compliance? GDPR explicitly lays out <a href="https://gdpr-info.eu/art-24-gdpr/">several responsibilities</a> for data controllers. 
We’re going to focus on the more commonly infringed responsibilities, along with brief examples of what happens when companies fail to meet them.</p> <h3 id="transparency">Transparency</h3> <p>Controllers need to tell people what’s processed, and make it easy to consent or not consent to sharing their data.</p> <p><strong>H&amp;M</strong></p> <p>In 2020, <a href="https://www.bbc.com/news/technology-54418936">H&amp;M</a> received what was then one of the largest GDPR fines on record: 35.3 million euros. They were cited by the Data Protection Authority of Hamburg (HmbBfDI), which might mark this article’s tipping point for acronyms.</p> <p>H&amp;M was fined for keeping excessive records on employees, including their religion and health data.</p> <p>GDPR has made one thing about <a href="https://www.dickinson-wright.com/news-alerts/the-gdpr-covers-employee-hr-data-and-tricky#:~:text=While%20a%20lot%20of%20guidance,and%2For%20transfer%20their%20HR">employee data</a> clear: “It is basically impossible for employees to give voluntary consent to their employer &hellip; because of the unequal negotiation power&hellip;”</p> <p>The H&amp;M case, however, belongs in this section because some of the employee data had been gathered during informal chats with managers – meaning there was absolutely <em>no</em> transparency around its use in processing.</p> <h3 id="data-protection-by-design-and-default">Data protection by design and default</h3> <p>This responsibility states that controllers are obligated to <em>default</em> to doing everything they can to protect the data they gather, as well as only collecting the minimum amount of data necessary for their stated purposes.</p> <p><strong>Amazon France</strong></p> <p>In January of 2024, Amazon France Logistique got fined by the French regulator, the CNIL, for a few things (including <a href="https://1password.com/enterprise">shoddy passwords</a>). Of particular interest was the regulator’s ruling on productivity scanners. 
Amazon was scanning and logging employee “idle time” down to the millisecond.</p> <p>The <a href="https://www.cnil.fr/fr/surveillance-des-salaries-la-cnil-sanctionne-amazon-france-logistique-dune-amende-de-32-millions">CNIL’s conclusion</a> was that yes, companies can assess productivity. But there are plenty of ways to measure that without collecting such a downright obsessive amount of data. As such, Amazon was in breach of data minimization principles.</p> <h3 id="notification-of-data-breaches">Notification of data breaches</h3> <p>If a controller suffers a breach of people’s personal data, they have to report it to the supervisory authority within 72 hours of becoming aware of it. And when it’s likely to result in a high risk to the data subjects, they have to report the breach to <em>them</em> as well.</p> <p><strong>Twitter</strong></p> <p>In 2020, Twitter (now X) was actually the first big tech company to be fined by the DPC: 450,000 euros (about $546,000) for failing to report a breach in time.</p> <p>The DPC, in what would soon become a pattern, first <a href="https://www.hipaaexams.com/blog/twitter-violating-gdpr-data-breach-provisions-the-full-story-you-need-to-know">proposed a much smaller fine</a>, saying that the failure to report was a result of “negligence” rather than avoidance. The EDPB, in what would soon become a pattern, stepped in and had the fine increased.</p> <h3 id="security-of-data-processing">Security of data processing</h3> <p>Controllers are obligated to follow strong security principles and do all they can to protect data.</p> <p><strong>British Airways</strong></p> <p>In 2020, <a href="https://www.bbc.com/news/technology-54568784">British Airways</a> received what was, at the time, the largest fine the UK Information Commissioner’s Office (ICO) had ever issued. 
They had experienced a highly preventable data breach, and the ICO lacked sympathy for a company that had failed to implement adequate security, such as MFA.</p> <h3 id="data-protection-impact-assessment">Data protection impact assessment</h3> <p>If a controller adopts new technology or practices that are likely to affect people’s data, they have to do a Data Protection Impact Assessment (DPIA). This requires them to document their anticipated privacy risks, and to specifically outline the systems they’ll implement to follow GDPR principles.</p> <p><strong>ICS</strong></p> <p>Plenty of companies have failed to comply with this guideline at all. But Dutch credit card company ICS was <a href="https://www.dataguidance.com/news/netherlands-ap-fines-international-card-services-150000">fined 150,000 euros</a> for, basically, doing a <em>lazy job</em> with their DPIA. It’s another sign that GDPR can be unforgiving to controllers that don&rsquo;t seem to take compliance seriously.</p> <h3 id="records-of-processing-activities">Records of processing activities</h3> <p>Controllers are obligated to keep records of what, how, why, where, and how long data is processed. This is an important responsibility to note. Fulfilling just about any of the data subjects’ rights listed above requires having an organized record of individuals’ data.</p> <p><strong>Clearview AI</strong></p> <p><a href="https://ico.org.uk/media/action-weve-taken/mpns/4020436/clearview-ai-inc-mpn-20220518.pdf">Clearview AI</a> is a small American facial recognition company that scraped publicly posted photos of people worldwide to build its face-matching database. They were found in violation of <em>numerous</em> parts of GDPR. 
And calculating the total cost of their fines is a little tricky, since <a href="https://www.edpb.europa.eu/news/national-news/2022/french-sa-fines-clearview-ai-eur-20-million_en">multiple</a> EU <a href="https://www.edpb.europa.eu/news/national-news/2022/facial-recognition-italian-sa-fines-clearview-ai-eur-20-million_en">countries</a> have issued fines in the millions by now.</p> <p>But of interest is Clearview AI’s citation for failing to comply with subjects’ “right to erasure.” The company had no actual way of searching for the pictures taken of specific people, unless the victim were to also provide <em>more</em> pictures of themself to the company as a search filter. Which, as it turns out, does not fulfill their record obligations.</p> <h2 id="to-get-gdpr-compliant-start-with-security">To get GDPR compliant, start with security</h2> <p>In 2022, <a href="https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2022/10/biggest-cyber-risk-is-complacency-not-hackers/">John Edwards</a>, the UK Information Commissioner, issued a fine of 4,400,000 pounds to a construction company that failed to keep its staff’s personal data secure.</p> <p>He stated: “The biggest cyber risk businesses face is not from hackers outside of their company, but from complacency within their company. If your business doesn&rsquo;t regularly monitor for suspicious activity in its systems and fails to act on warnings, or doesn&rsquo;t update software and fails to provide training to staff, you can expect a similar fine from my office.”</p> <p>(Hey IT and security teams, try sharing <em>that</em> quote with your executive leadership.)</p> <p>Of the fine violation types, “bad security” <a href="https://www.enforcementtracker.com/?insights">ranks third</a> both in terms of the total cost of fines and the total number of them. 
But really, every aspect of the GDPR is about data protection, and that means that cybersecurity is a core element in getting compliant.</p> <p>Now we&rsquo;ll go into more detail about how you can use security to improve your GDPR compliance. Fair warning, we’ll be using our own product, <a href="https://1password.com/xam/extended-access-management">1Password Extended Access Management (XAM)</a>, as an example. But let&rsquo;s be clear: no single piece of software can make your company compliant with GDPR. Bringing your data collection and security policies in line with GDPR is a cultural and philosophical project, just as much as a technical one.</p> <h3 id="data-minimization">Data minimization</h3> <p>If there’s any company that could truthfully claim that collecting data was a business necessity, it would <a href="https://s21.q4cdn.com/399680738/files/doc_earnings/2023/q3/presentation/Earnings-Presentation-Q3-2023.pdf">be Meta</a>. And the EU still didn&rsquo;t give them a pass; it’s hard to think that they’ll be any more forgiving of companies that are collecting <a href="https://www.zdnet.com/article/enterprises-are-collecting-more-data-but-do-they-know-what-to-do-with-it/">more data than they need</a> for a rainy day.</p> <p>So, it behooves teams to start looking at processing policies with the goal of data minimization.</p> <img src='https://blog.1password.com/posts/2024/get-serious-gdpr-compliance/miniature-book.jpg' alt='A picture of the tiniest book in the world, which is much smaller than the fingernails of the hand holding it.' title='A picture of the tiniest book in the world, which is much smaller than the fingernails of the hand holding it.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p><a href="https://www.miniboox.com/product_info.php?language=de&amp;info=p108_-the-smallest-book---1950-edition-.html">Image Source</a></p> <p>For data minimization, the first step is to look at your systems and data flows. 
The <a href="https://iapp.org/resources/article/template-for-data-protection-impact-assessment-dpia/">DPIA</a> assessments we mentioned earlier aren’t just required; they’re a useful tool to get your team to ask itself some questions.</p> <p>For instance: What do you collect, why, and for how long? What data is <em>actually</em> essential for your business? And remember, these are questions you should be asking about the data you collect on employees, not just customers.</p> <p>XAM follows these principles in the monitoring of employee devices. We never monitor things like browser history or take screenshots of worker activity; there’s no security benefit to knowing what songs your employees listen to on Spotify.</p> <p>When it comes to employee device oversight, XAM makes it easy for your team to document <a href="https://www.kolide.com/blog/introducing-the-check-catalog">the reasoning</a> for processing the data you do.</p> <h2 id="access-management">Access management</h2> <p>On a basic security level, strong, unique passwords that are stored hashed rather than in plaintext are hugely important, and way <a href="https://securityaffairs.com/78393/laws-and-regulations/knuddels-gdpr-fines.html">too many GDPR fines</a> cite companies for poor password handling.</p> <p>XAM manages access through 1Password&rsquo;s Enterprise Password Manager. This enables employees to use strong unique passwords for every account, because they only have to remember one account password.</p> <p>But XAM goes beyond that, because it also manages access at the device level. That means that only verified devices – like a user’s work computer – can access sensitive data.</p> <p>This significantly reduces the attack surface for bad actors. It also helps teams provably contain data flows across a controlled number of users and devices.</p> <h2 id="data-management">Data management</h2> <p>Do you know where all your data is?</p> <p>If your employees are using unapproved apps and personal devices, then the answer is probably no. 
It&rsquo;s easy for sensitive data to leak out via shadow IT, and end up in the hands of bad actors.</p> <p>XAM manages these issues via device trust, which boils down to device posture checks that scan for unauthorized apps, as well as on-device authentication that ensures that only recognized and healthy devices are accessing sensitive data (making sure that data stays where you can see it).</p> <p>And since software vulnerabilities are a <a href="https://www.verizon.com/business/resources/reports/dbir/">growing cause</a> of breaches, XAM also ensures that your endpoint devices are updated and patched, and gives your team verifiable logs of your update process.</p> <h2 id="transparency-1">Transparency</h2> <p>“Transparency” could be the one-word motto of GDPR. But you can’t be transparent until you take the time to think about <a href="https://honest.security/">what you monitor and why</a>.</p> <p>The notion of transparency is deeply ingrained into XAM, which features a <a href="https://www.kolide.com/docs/using-kolide/end-user-portal">privacy dashboard</a> that shows end users:</p> <ol> <li>What data is being accessed.</li> <li>Who is accessing it.</li> <li>What the purpose of accessing that data is.</li> </ol> <img src='https://blog.1password.com/posts/2024/get-serious-gdpr-compliance/xam-privacy-center.jpg' alt='A screenshot of a user’s &#39;privacy center&#39; on XAM. The page shows a list of users under the question &#39;Who Can Access My Data?&#39;' title='A screenshot of a user’s &#39;privacy center&#39; on XAM. The page shows a list of users under the question &#39;Who Can Access My Data?&#39;' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>Overall, people deserve to know when and why their data is accessed. 
And XAM provides a useful model for how to be transparent with your teams.</p> <h2 id="gdpr-compliance-requires-a-cultural-shift">GDPR compliance requires a cultural shift</h2> <p>Achieving GDPR compliance isn’t going to be simple. We live in a world where companies and users alike are resigned to the idea that our data belongs to no one and everyone, and that&rsquo;s a tough mindset to break out of. To follow GDPR, it’s not enough to be better than Meta. Your teams need to be better than what has become the <em>default</em>.</p> <p>The GDPR is a law built on the revolutionary idea that “people have rights when it comes to their personal data.” It’s a refreshing principle, and one that most people want to honor.</p> <p>Compliance is a worthy goal, but the worthier one to strive for is “respecting the data of the people you serve.” Meeting that goal is going to take effort, and may even require a shift in your company’s fundamental culture around privacy. But the rewards will be worth the work.</p> <p>So go ask your company&rsquo;s leadership whether they plan on minimizing risk with GDPR next year. 
If the answer is yes (and it really should be), then you can use this article to present some practical next steps.</p> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div class="c-technical-aside-box__description"> <p><a href="https://1password.com/xam/extended-access-management">Learn more about how XAM can be a part of your compliance efforts!</a></p> </div> </aside></description></item><item><title>A&PI Heritage Month: How our leaders’ cultural roots have shaped their careers</title><link>https://blog.1password.com/asian-pacific-islander-heritage-month-2024/</link><pubDate>Wed, 22 May 2024 00:00:00 +0000</pubDate><author>info@1password.com (Liz Tam & Melissa Ong)</author><guid>https://blog.1password.com/asian-pacific-islander-heritage-month-2024/</guid><description> <img src='https://blog.1password.com/posts/2024/asian-pacific-islander-heritage-month-2024/header.png' class='webfeedsFeaturedVisual' alt='A&PI Heritage Month: How our leaders’ cultural roots have shaped their careers' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Our cultural upbringings shape who we are when we enter the workplace and how we navigate it throughout our careers. The values we gain and lessons we learn through our communities can ultimately become our greatest strengths in charting our own professional paths and forging deeper connections with our co-workers.</p> <p>In the spirit of Asian &amp; Pacific Islander (A&amp;PI) Heritage Month, we passed the virtual mic to five A&amp;PI leaders at 1Password who spoke at a company-wide panel to share how their cultural roots have influenced their professional journeys.</p> <p>Here are some highlights:</p> <h2 id="sylvia-tu-senior-manager-fpa">Sylvia Tu, Senior Manager, FP&amp;A</h2> <p>My parents are from Vietnam and immigrated to Canada as refugees to escape a tumultuous life of war and set up a better future for their family. 
My dad came to Canada from Vietnam by boat with absolutely nothing on him or to his name.</p> <p>Through sheer strength, grit, and support of his sponsor family, he taught himself English and French, earned his Bachelor of Computer Science degree at École Polytechnique in Montreal, and is now living a comfortable, peaceful life as a software engineer with two kids and a grandson (my shih tzu, Carlton!).</p> <blockquote> <p><em>&ldquo;Anything is possible if you have the work ethic and drive to achieve it.&quot;</em></p> </blockquote> <p>Seeing where my dad started and where he is today is a reminder to me that anything is possible if you have the work ethic and drive to achieve it. He’s also taught me that it&rsquo;s necessary to stop and smell the flowers and really appreciate how far you&rsquo;ve already come and to appreciate what you have around you.</p> <h2 id="parvathi-subramanyam-director-compensation--benefits">Parvathi Subramanyam, Director, Compensation &amp; Benefits</h2> <p>I grew up in India and moved to Canada for my undergrad degree when I was 18. My parents had very high expectations and instilled in me from a young age the importance of education and academic achievement.</p> <p>So, it made sense for me to tackle the challenge head-on and move halfway across the world for the benefit of my future. They raised me to be independent and looking back, moving to Canada was the starting point in my journey to get to where I am today. 
Coming to Canada on a scholarship meant that I had to constantly prove myself at university by having a strong work ethic, which is a value I’ve held in all my jobs out of university and continue to hold to this day.</p> <blockquote> <p><em>&ldquo;All the values I was taught throughout my childhood have led me to where I am today.&quot;</em></p> </blockquote> <p>I put my head down, worked hard and never took for granted all the opportunities that came my way – I feel like all the values I was taught throughout my childhood have led me to where I am today.</p> <h2 id="jeannie-de-guzman-chief-financial-officer">Jeannie De Guzman, Chief Financial Officer</h2> <p>Being the child of immigrant parents, I grew up seeing and thinking that making a modest living for your family required many hours of work. That also meant a lot of sacrifice: no days off, no family vacations and no rest. I think this showed me how hard it was to make a dollar and resulted in a pretty intense work ethic, which I attribute as a reason for the career trajectory I was lucky to be put on.</p> <blockquote> <p><em>&ldquo;This showed me how hard it was to make a dollar and resulted in a pretty intense work ethic.&quot;</em></p> </blockquote> <p>Being in the fortunate position I am today, I find myself grateful that I have the ability to take PTO (paid time off) and to work remotely so I can see glimpses of my kids throughout the day. Mostly, I am happy to be able to spend time with my parents who gave up their time so that I can have mine.</p> <h2 id="steve-won-chief-product-officer">Steve Won, Chief Product Officer</h2> <p>As a second generation Korean-American growing up in a working class family, my family invested a tremendous amount of expectations in me through education, music, and so forth. As a result, I had an aggressive goal-oriented approach ingrained into my being. 
Whether it was school, or a certain job, or a promotion, I was intrinsically motivated by “what’s next?”</p> <p>My career has spanned support, design, sales engineering, customer success, and now product. That attitude served me well in startups, where it always feels like there are never enough hands to do the work that needs to be done.</p> <p>However, I’ve learned more about myself and recognize that a goal-based approach can be exhausting. I’ve learned that it means I’m not particularly mindful and over-calibrated on the future without appreciating the present. So sometimes a strength can become a weakness.</p> <h2 id="eric-chang-director-product-marketing">Eric Chang, Director, Product Marketing</h2> <p>When I was growing up, my parents and relatives (who all loved to give me their very direct opinions) really emphasized to me that if you choose to do something, you should put in the effort and do your best. Otherwise why do it and waste time and money? This applied whether it was academics, music, hobbies, sports, etc.</p> <blockquote> <p><em>&ldquo;Going &ldquo;all-in&rdquo; really builds a sense of discipline.&quot;</em></p> </blockquote> <p>Going &ldquo;all-in&rdquo; really builds a sense of discipline while helping you understand if you like and/or are good at something. I really feel that this approach was critical in helping me discover what my interests and strengths are as I&rsquo;ve gone throughout my career.</p> <h2 id="embracing-our-unique-paths">Embracing our unique paths</h2> <p>Our individual journeys and backgrounds are unique. Learning how others’ career trajectories transpired and how they got to where they are today can help us reflect on our own strengths – as well as recognize those strengths in others.</p> <p>Throughout A&amp;PI Heritage Month, we’ve proudly spotlighted our team members’ stories through company-wide panel discussions. 
We look forward to continuing to amplify these A&amp;PI voices and foster an environment where all team members’ strong, unique voices can shine.</p></description></item><item><title>Dr. Chase Cunningham and Elliot Volkman explain how to implement Zero Trust in your business</title><link>https://blog.1password.com/how-zero-trust-strategy-interview/</link><pubDate>Mon, 20 May 2024 00:00:00 +0000</pubDate><author>info@1password.com (Jenn Marshall)</author><guid>https://blog.1password.com/how-zero-trust-strategy-interview/</guid><description> <img src='https://blog.1password.com/posts/2024/how-zero-trust-strategy-interview/header.png' class='webfeedsFeaturedVisual' alt='Dr. Chase Cunningham and Elliot Volkman explain how to implement Zero Trust in your business' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">A world with no trust wouldn’t be great, but when it comes to cybersecurity, Zero Trust is actually a good thing.</p> <p>To get some perspective and clarity on what a Zero Trust approach actually entails, Michael “Roo” Fey, Head of User Lifecycle &amp; Growth at 1Password, talked with two Zero Trust experts on the <a href="https://randombutmemorable.simplecast.com/">Random but Memorable</a> podcast:</p> <ul> <li><a href="https://www.linkedin.com/in/dr-chase-cunningham/">Dr. Chase Cunningham</a>, the Forrester analyst who popularized the concept of Zero Trust and is the host of the <a href="https://www.drzerotrust.com/">Dr. Zero Trust podcast</a>, and who is now building G2’s Cybersecurity Analyst program.</li> <li><a href="https://www.linkedin.com/in/elliotv/">Elliot Volkman</a>, a journalist, cybersecurity brand builder, and host of the Adopting Zero Trust podcast.</li> </ul> <p>Read our interview highlights below or listen to the <a href="https://randombutmemorable.simplecast.com/episodes/zero-trust-fall-out">full podcast episode</a> for strategies for how to apply Zero Trust (try it on your kids!) 
and why these experts say if you embrace Zero Trust, emerging threats like AI won’t keep you up at night.</p> <p><em>Editor’s note: This interview has been lightly edited for clarity and brevity. The views and opinions expressed by the interviewee don’t represent the opinions of 1Password.</em></p> <div style="text-align: center !important;"> <iframe src="https://www.youtube-nocookie.com/embed/_jP5mtoGexg?si=WstcavjC7mAHjY2h" frameborder="0" allow="autoplay; encrypted-media" width="500px !important;" height="281px !important;" style="width: 500px !important; height: 281px !important; display: inline-block !important" allowfullscreen></iframe> </div> <p><strong>Michael Fey: What is Zero Trust and what is it in the context of cybersecurity?</strong></p> <p><strong>Chase Cunningham:</strong> Zero Trust is a strategy that&rsquo;s been evolving for quite a long time. It’s about removing trust relationships from within digital systems. It&rsquo;s that simple.</p> <p><strong>MF: Lots of security companies advertise themselves as offering Zero Trust solutions, but they all have a slightly different interpretation of what it is and what counts as Zero Trust. Why is that?</strong></p> <p><strong>CC:</strong> I would say that most security companies could help enable a Zero Trust strategy, and they&rsquo;re not wrong by saying that they could help you decide how to enable the strategic side. But there is no Zero Trust product, and that&rsquo;s the issue that we run into.</p> <p><strong>MF: So the concept of Zero Trust is somewhat left up to interpretation. There isn&rsquo;t a standard that companies can rally around and say, &ldquo;Yes, it&rsquo;s this thing&rdquo; like they can with two-factor authentication?</strong></p> <p><strong>CC:</strong> I wouldn&rsquo;t call them standards but there&rsquo;s lots of documentation, publications, and really good guidance on this. 
There have been entire books written on the subject.</p> <p><strong>Elliot Volkman:</strong> Yeah, I can agree with that. I think the other piece is about differentiation. Companies want to be recognized and aligned with Zero Trust. Ultimately it can be down to semantics like, &ldquo;Yeah, we align with Zero Trust,&rdquo; instead of, &ldquo;We offer this Zero Trust solution.&rdquo;</p> <p>We recently did an episode on my podcast with the head of enterprise security over at Canva. He&rsquo;s been doing MVP (minimum viable product) approaches for Zero Trust for forever. Today, he feels like there are now solutions that you can actually buy to align with Zero Trust, but ultimately there is nothing you can just plug into your system and say, &ldquo;Yeah, now I&rsquo;ve got Zero Trust.&rdquo;</p> <p>That&rsquo;s kind of the issue of the semantics of the equation.</p> <p><strong>MF: To recap, Zero Trust is a model that you can adopt within your infrastructure, but it&rsquo;s also not this overarching thing?</strong></p> <p><strong>CC:</strong> That&rsquo;s a good way to think about it. I always tell folks that I don&rsquo;t even think about cybersecurity any more from a defensive posture. I think about it from whether what I do is valuable in the context of removing the bad guys' capability to be continuously successful. I know that I&rsquo;m going to get compromised. I know that there&rsquo;s a reality around breach. I know that there is no perfect solution.</p> <blockquote> <p><em>&ldquo;What I can do is put tools, technologies, and strategy in place that make it so that I&rsquo;m not a soft target for an adversary.&quot;</em></p> </blockquote> <p>But what I can do is put tools, technologies, and strategy in place that make it so that I&rsquo;m not a soft target for an adversary. They&rsquo;ll realize it&rsquo;s not worth their time and go somewhere else.</p> <p><strong>MF: What are the fundamental principles behind the Zero Trust security model? 
And how does it differ from traditional security approaches?</strong></p> <p><strong>CC:</strong> You need to think about Zero Trust from the perspective of: What would you need as an adversary to be successful inside of a system? You need trust relationships. You need access. You need machines that talk to one another freely. You need shared tokens. You need people to use bad passwords. With Zero Trust, if you figure out how to remove those things or at least make sure they&rsquo;re not the low-hanging fruit, you&rsquo;re doing it right.</p> <blockquote> <p><em>&ldquo;As long as you remove the easy stuff for the bad guy, you&rsquo;re doing it.&quot;</em></p> </blockquote> <p>This is 100% about an organization selecting what works and what matters for them. That&rsquo;s why some of us have been so adamant about not coming up with a kind of prescriptive line item, or whatever you call it. Because then everybody will gravitate to “We have to do X or we&rsquo;re not Zero Trust.” Like no, you can do Zero Trust. It&rsquo;s just how you do it for you that works. As long as you remove the easy stuff for the bad guy, you&rsquo;re doing it.</p> <p><strong>MF: We&rsquo;ve been speaking in a lot of generalities around Zero Trust. Can you give some examples of a Zero Trust model that may exist in an archetypical workplace somewhere?</strong></p> <p><strong>CC:</strong> If you remember, Google got kind of curb stomped with <a href="https://googleblog.blogspot.com/2010/01/new-approach-to-china.html">Operation Aurora</a> back in the day (2010). When it happened, they realized that they had some pretty glaring flaws in their overarching security posture and strategy. I&rsquo;ve talked with the folks that actually did this work and who led everything. They took a step back and said, &ldquo;Okay, ZT makes a lot of sense. How can we align to Zero Trust? But we&rsquo;re not going to call it Zero Trust.&rdquo; Because, honestly, who cares? 
I don&rsquo;t care, from a strategy perspective, you call it cyber tiddly winks. Whatever works for you, go nuts.</p> <div style="text-align: center !important;"> <iframe src="https://www.youtube-nocookie.com/embed/przDcQe6n5o?si=hQDJpzsQqP0UzJ_J" frameborder="0" allow="autoplay; encrypted-media" width="500px !important;" height="281px !important;" style="width: 500px !important; height: 281px !important; display: inline-block !important" allowfullscreen></iframe> </div> <p>They called it Beyond Trust. And what did they do with Beyond Trust? Well, they moved towards a Zero Trust architecture where basically the network is treated as if it&rsquo;s online all the time. It&rsquo;s a Starbucks sort of network. They issued everybody Chromebooks that could use a Chromebook because Chromebooks don&rsquo;t have the same operating system that would allow compromises from malware and whatever else. They moved to mandatory multi-factor authentication. They pushed everybody&rsquo;s stuff into the cloud with really good policy controls and you have not heard of a breach on the corporate side of Google since.</p> <p>If you can think of an organization that has 200,000-plus global employees and lots and lots of technology and they&rsquo;re doing Zero Trust, what additional proof or evidence does an organization need that it’s the way to go? I mean, yeah, they’ve got infinite money and resources to throw at the problem but they also aligned to it. It took them about 2.5 years to roll it out and make it a thing but it&rsquo;s there.</p> <p>George Finney, a CISO at Southern Methodist University, wrote a book called <em><a href="https://www.oreilly.com/library/view/project-zero-trust/9781119884842/">Project Zero Trust</a></em>. It&rsquo;s a narrative of how an organization went through and engaged in Zero Trust. He crawls through what the organizational challenges were, how they put things in place, which technologies they selected. 
We could spend the entire podcast talking about that.</p> <p><strong>MF: Are there specific steps or best practices that you recommend for folks to get started as they&rsquo;re considering adopting this architecture?</strong></p> <p><strong>CC:</strong> What I always tell people in my engagements is that the first thing I’m going to do is a red team. Because a red team will tell us where we have weaknesses, who&rsquo;s going to click links if our Wi-Fi is jacked up – all the things that an adversary would do. That&rsquo;s what a red team should be built for.</p> <blockquote> <p><em>&ldquo;Why would you not do a red team and then plan your strategies around the gaps that you identify?&quot;</em></p> </blockquote> <p>If your goal in this space is to fend yourself from an adversarial attack, why would you not take a kind of get-out-of-jail-free card and do a red team, and then plan your strategies around the gaps that you identify?</p> <p>The other thing that I&rsquo;ve done with a lot of organizations is walk into the executive suite or boardroom with a ransomware scenario. I just drop it on the table and say: &ldquo;Ready, go.&rdquo; And that&rsquo;s literally all the guidance I give, and then I just watch what happens.</p> <p><strong>MF: Have you seen organizations that are resistant to a Zero Trust approach?</strong></p> <p><strong>CC:</strong> Oh yeah, many times. Usually, I just say: &ldquo;Okay, cool, here&rsquo;s my card because you&rsquo;re going to be calling me. Let me know when you feel like this is a doable thing.&rdquo;</p> <p>I’ll never forget when I was working with an organization and the sort of bill that we put in front of them to get their Zero Trust stuff in place was $17,000 or something like that. They said: &ldquo;No, that&rsquo;s too expensive.&rdquo;</p> <p>Fast forward maybe 90 days and they got hit with a big-time ransomware deal that was a very defensible problem. 
It wound up costing them, I think, $3.5 million to get their system back online. I&rsquo;m no math whiz but $17,000 is a lot cheaper than $3 million.</p> <p><strong>EV:</strong> I can expand upon that a little bit. We recently had a conversation with <a href="https://www.forrester.com/analyst-bio/david-holmes/BIO14404">Dave Holmes</a>, a research analyst at Forrester who advises security professionals about Zero Trust. He said the primary issue for Zero Trust used to be getting buy-in.</p> <p>But in recent years, especially after the pandemic, buy-in is less of a concern. Now, it&rsquo;s more about implementation. “I need a roadmap. I need to be able to have a clear path of how to install and build and incorporate this into everything that we&rsquo;re doing.”</p> <p>That is definitely one aspect of the tides turning. We&rsquo;re also seeing other things like the <a href="https://www.cisa.gov/topics/cybersecurity-best-practices/executive-order-improving-nations-cybersecurity#:~:text=Executive%20Order%20(EO)%2014028%2C,adjust%20their%20network%20architectures%20accordingly">executive order that looped in Zero Trust</a> about a year or two ago. Other organizations like NSA just released new reports about how they&rsquo;re adopting Zero Trust. CISA said that they are going to create a new office focused on Zero Trust.</p> <p>I could be getting all of those backwards and mixed up, but the bottom line is that on the federal side, if there are high marks and focal points of making this a priority, it has snowball effects that often trickle down and show validation of how important this philosophy and concept are for the private sector.</p> <p><strong>MF: What challenges do organizations typically face when adopting a Zero Trust model? And how do they overcome them?</strong></p> <p><strong>CC:</strong> Number one, you should educate and train your people on cybersecurity risks. However, that’s not a technical control. Cybersecurity is a technical space with technical risk. 
Put technical controls in front of people before they can interact with malicious content, and you will exponentially reduce your potential for being compromised.</p> <blockquote> <p><em>&ldquo;Put technical controls in front of people before they can interact with malicious content.&quot;</em></p> </blockquote> <p>Like multi-factor authentication. Is it perfect? Absolutely not. Is it better than nothing? Absolutely. I&rsquo;m a big fan of browser isolation. Why? Because where do people get phished? It&rsquo;s on the internet by clicking links. If they can&rsquo;t interact with the content, problem solved.</p> <p>Move to the cloud. Use the suite of tools that are available to you to take care of the policy side. This stuff is not rocket science but it does require people to take a step back and say: &ldquo;Okay, what do I need to do? What actually makes a difference? Where can we apply a control?&rdquo;</p> <p>Until we stop treating people like technology, we&rsquo;re never going to get towards an end state that makes things better.</p> <p><strong>EV:</strong> To put a wrap around what Chase just said, this is just cybersecurity 101. It’s “defense in depth”, creating layers upon layers to prevent people from being in those scenarios.</p> <blockquote> <p><em>&ldquo;I cannot imagine a world where social engineering is actually solved for.&quot;</em></p> </blockquote> <p>But I cannot imagine a world where social engineering is actually solved for. That will be a day that unicorns are roaming among us.</p> <p><strong>MF: How does Zero Trust adapt to new threats and technologies like AI? What should people keep in mind as they&rsquo;re moving towards this security model?</strong></p> <p><strong>CC:</strong> Let&rsquo;s be real. None of this is AI. This is large language modeling and machine learning with process and compute and good algorithms tied behind it. That&rsquo;s part of the problem. 
We keep calling this AI, that’s not the case.</p> <blockquote> <p><em>&ldquo;Zero Trust doesn&rsquo;t actually adapt or change based on what&rsquo;s going on with the newfangled, cool, shiny thing that&rsquo;s on the market.&quot;</em></p> </blockquote> <p>My response is that a really good strategy like Zero Trust doesn&rsquo;t actually adapt or change based on what&rsquo;s going on with the newfangled, cool, shiny thing that&rsquo;s on the market because, at the fundamental level, it deals with the realities of what those things do to cause compromise.</p> <p>I don&rsquo;t care if they come up with quantum-powered, robot-enabled unicorn something-or-other. Sooner or later, it&rsquo;s got to do something to cause an exploit. How do I get in front of that and how do I mitigate its risk?</p> <p><strong>EV:</strong> That’s why a lot of us love Zero Trust. You don&rsquo;t have to have the adaptation. It’s designed at the core to be unmovable.</p> <p>Now, there are no goal posts so there&rsquo;s no finish line, and that’s why things like AI and new threats and AI taking over our voices and cloning them or impacting social engineering – it doesn&rsquo;t matter. At the core, you still have no implicit trust, or you remove as much as possible, bit by bit. So, I love that take.</p> <p><strong>MF: It&rsquo;s not technology-dependent. It&rsquo;s a best practice at that point. It&rsquo;s something that you put in place.</strong></p> <p><strong>EV:</strong> Yeah, as the language goes, it&rsquo;s trust but verify, and keep verifying continuously.</p> <p><strong>MF: What advice do you have for people who are considering implementing Zero Trust in their organizations? How can they make the transition as smooth as possible?</strong></p> <p><strong>CC:</strong> The biggest one is to just make sure that everyone understands that real strategic change is going to be uncomfortable at first. It doesn&rsquo;t matter what it is that you do. 
Whether you want to grow a business, run a marathon – whatever it is in life that you try and do, understand that real commitment to a long-time strategic win requires discomfort.</p> <blockquote> <p><em>&ldquo;You need to let stakeholders and users know that things are going to change and there may be some bumps.&quot;</em></p> </blockquote> <p>In your business, you need to let stakeholders and users know that things are going to change and there may be some bumps. But in the end, this will be better for everyone. If you make this very clear and you line up what&rsquo;s coming their way, you&rsquo;d be surprised at the level of – I would call it technical discomfort – that people are willing to deal with.</p> <p><strong>EV:</strong> If you want organizational alignment with something as impactful as a new cybersecurity strategy, you need to make sure it aligns with the business.</p> <p>A low-hanging fruit example is: You want to bring ChatGPT into your organization and to use it for purpose X. That&rsquo;s cool. But there are obviously no regulations right now, so it&rsquo;s up to the organization to build policies. What can go into it, what can&rsquo;t go into it – those kinds of concepts.</p> <p>The other piece is that a quick win is really helpful. It&rsquo;s hard to do that for something like this but adding multi-factor or two-factor or SSO – something of significant impact that has high visibility and low risk to fail – is a really good entry point as well.</p> <p>Otherwise, red teaming and doing an audit to identify the biggest risk and biggest impact, that’s the right way to go. If you actually want organizational buy-in, you also have to get visibility and win people over.</p> <p><strong>MF: What would it look like for a family or an individual to implement Zero Trust?</strong></p> <p><strong>CC:</strong> I&rsquo;ll give you an example because my house is Zero Trust-y. 
Matter of fact, my kids are so sick of it, they walk by my office door and they just say, &ldquo;ZT,&rdquo; like they&rsquo;re making fun of me about it.</p> <p>My kids aren&rsquo;t developers, they don&rsquo;t need computers with Pentium chips and everything else, so they have Chromebooks. Chromebooks solve a lot of the issues of an operating system that can get hit by malware. If I know anybody&rsquo;s going to get hit, it&rsquo;s going to be them on Discord and playing games and those types of things.</p> <p>On the phone side, everybody runs on the wireless network that is not the same as my business wireless network. I&rsquo;ve got browser isolation running on everybody&rsquo;s machines as well. And then, I have to approve any application that my family uses. And when I do approve it, the first thing we do is turn on multi-factor authentication.</p> <p>I had the conversation with my kids and told them why we&rsquo;re doing this and why it matters. Everybody had a little bit of griping and moaning to begin with, but now it&rsquo;s just the way life works, and everybody&rsquo;s tracking along.</p> <p>It&rsquo;s a very doable thing, and it didn&rsquo;t cost me anything. As a matter of fact, moving away from very expensive laptops to Chromebooks saved me some money because those are $200. Even if the worst happened and those things got just totally bricked, I&rsquo;d take it out in the yard and use it for target practice and get them another one.</p> <p><strong>EV:</strong> I went a slightly different route. I do have segmentation, so all of our IoT devices are either not connected to the internet and it just looks like they are, or we have a work line and a “not work line”.</p> <p>Outside of that, I think Chase alluded to a Doberman as a solution. 
I don&rsquo;t have a Doberman, but I do have four dogs, and at least one of them is big and scary enough to be my preventive measure.</p> <p><strong>MF: Where can folks go to find more about you or tune into your podcasts, and go read any specific literature that you put out in the world?</strong></p> <p><strong>EV:</strong> It&rsquo;s <a href="https://www.adoptingzerotrust.com/">adoptingzerotrust.com</a>, which is also on every standard podcast channel on YouTube. Also, for Zero Trust tools and services, I created a website called <a href="https://topzerotrust.com/">TopZeroTrust.com</a>.</p> <p>And Chase, I want to make sure you also highlight that really awesome thing that you recently launched, which aligns with this technology site, which is not a cybersecurity solution because I think the world needs to definitely see that.</p> <p><strong>CC:</strong> Oh, I think you&rsquo;re talking about <a href="https://www.demo-force.com/">Demo-Force</a>, correct? We launched Demo-Force into the market back in January. It’s basically a way for buyers to try out vendor software and never have the risk of your data or passwords or usernames winding up in somebody&rsquo;s trial instance. For vendors, it&rsquo;s a great way to get your software optimized where you can put it in front of a lot of people really easily. That&rsquo;s kind of the Skunk Works thing I&rsquo;ve been working on for the last couple of years.</p> <p>You can find my podcast on all the podcast stuff. It&rsquo;s called <a href="https://www.drzerotrust.com/">Dr. Zero Trust</a>. I&rsquo;m on Spotify as well. As far as publications, NIST (U.S. Department of Commerce National Institute of Standards and Technology) has got a bunch of great ones. There&rsquo;s books by a bunch of really smart people around Zero Trust. 
Look all those up.</p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Subscribe to Random but Memorable</h3> <p class="c-call-to-action-box__text"> Listen to the latest news, tips and advice to level up your security game, as well as guest interviews with leaders from the security community. </p> <a href="https://randombutmemorable.simplecast.com/" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Subscribe to our podcast </a> </div> </section></description></item><item><title>The big takeaway from the 2024 RSA Conference</title><link>https://blog.1password.com/rsa-2024-conference-takeaways/</link><pubDate>Fri, 17 May 2024 00:00:00 +0000</pubDate><author>info@1password.com (Elaine Atwell)</author><guid>https://blog.1password.com/rsa-2024-conference-takeaways/</guid><description> <img src='https://blog.1password.com/posts/2024/rsa-2024-conference-takeaways/header.png' class='webfeedsFeaturedVisual' alt='The big takeaway from the 2024 RSA Conference' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">There&rsquo;s one quote from the 2024 RSA conference that I can&rsquo;t stop thinking about, even though it was originally uttered by Kobe Bryant. Here&rsquo;s the quote:</p> <blockquote> <p><em>&ldquo;Why do you think I&rsquo;m the best in the world? 
Because I never get bored with the basics.&quot;</em></p> </blockquote> <p>That (possibly apocryphal) bit of wisdom was delivered by Etay Maor, Chief Security Strategist at Cato Networks, in a talk called &ldquo;<a href="https://www.rsaconference.com/usa/agenda/session/The%20Price%20is%20WRONG%20-%20An%20Analysis%20of%20Security%20Complexity">The Price is WRONG–An Analysis of Security Complexity</a>.&rdquo; Maor&rsquo;s message was that as our digital infrastructure has ballooned in size and complexity, so has our attack surface, and too often, security vendors offer siloed, rather than holistic, solutions.</p> <p>That&rsquo;s an excellent point, but the quote has broader implications for security and IT professionals, and it&rsquo;s a message I saw repeated over and over at RSA. <em>Don&rsquo;t get so excited by shiny new tech that you forget about your most basic obligations. Don&rsquo;t assume you can automate your way out of every problem. Don&rsquo;t get bored with the basics.</em></p> <p>Of course, RSAC is a massive security conference, so that rather subtle message had to compete with <em>a lot</em> of shiny objects, plus the charms of San Francisco and special guests including Jason Sudeikis and Alicia Keys.</p> <img src='https://blog.1password.com/posts/2024/rsa-2024-conference-takeaways/rsa-jason-sudeikis-jen-easterly.jpeg' alt='Actor Jason Sudeikis stands in front of an RSA Conference banner with CISA director Jen Easterly, among others.' title='Actor Jason Sudeikis stands in front of an RSA Conference banner with CISA director Jen Easterly, among others.' 
style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p><a href="https://www.linkedin.com/posts/jen-easterly_believe-hanging-with-some-of-my-best-friends-activity-7193983057513648129-9tZS/">Image Source</a></p> <p>So let&rsquo;s look back on RSAC 2024 and share the stories you might have missed (even if you were there).</p> <h2 id="ai-ai-everywhere-but-not-a-drop-to-drink">AI, AI everywhere (but not a drop to drink)</h2> <p>It should shock absolutely no one that AI was the biggest star of RSAC 2024 (apologies to Jason Sudeikis). It was the topic of over 50 presentations and panel discussions, and even when exasperated speakers promised they <em>weren&rsquo;t</em> going to talk about AI, it inevitably came up anyway.</p> <p>Many of the speakers and attendees were AI evangelists and enthusiasts who were excited to show off the LLM-based tools they&rsquo;d designed to help them operate more efficiently. Others were more preoccupied with AI&rsquo;s security threats than its promise–deepfakes got a fair amount of attention. Still others split the difference and maintained that the only way to stop a bad guy with an AI is a good guy with an (even better) AI.</p> <p>My favorite AI-related insights were delivered by Lauren McIlvenny and Gregory Touhill, security experts from Carnegie Mellon University. 
<a href="https://www.rsaconference.com/usa/agenda/session/Creating%20an%20AI%20Security%20and%20Incident%20Response%20Team">They discussed their process</a> for creating an AI Security Incident Response Team (AISIRT) and diagnosing AI/ML vulnerabilities from the chip hardware to the risks of bias and prompt manipulation.</p> <p>Here&rsquo;s the key quote, from Touhill:</p> <blockquote> <p><em>&ldquo;We as cyber professionals and AI professionals really need to be open and transparent as to what some of those risks are, and set clear guidelines and rules for our fellow employees…as to how to handle PII (personally identifiable information), but also trade secrets, intellectual property, things like that.&quot;</em></p> </blockquote> <p>&ldquo;Be transparent and set clear policies&rdquo; is great, back-to-basics advice for security and IT professionals, but it also speaks to the dangers of employees using &ldquo;shadow AI.&rdquo; After all, it doesn&rsquo;t do much good to be transparent with employees about the dangers of AI if they&rsquo;re not transparent with you about how they&rsquo;re using it.</p> <h2 id="there-oughta-be-a-law-security-regulations-and-legal-actions">There oughta be a law (security regulations and legal actions)</h2> <p>Many RSA sessions concerned, or at least touched on, the looming specter of legal and regulatory accountability for lax security.</p> <p>One session focused on dealing with the <a href="https://www.rsaconference.com/usa/agenda/session/Techniques%20to%20Evolve%20Risk%20Governance%20and%20Comply%20with%20SEC%20Cybersecurity%20Rule">SEC&rsquo;s new cybersecurity rules</a>, especially regarding breach disclosures. 
Another held a <a href="https://www.rsaconference.com/usa/agenda/session/Old%20McDonald%20Had%20a%20Server%20FarmA%20I%20A%20I%20OhA%20Mock%20Trial">mock trial</a> that imagined a case in which an AI-powered gossip blog published news that was stolen in a data breach (the attendees overwhelmingly voted that the blog should not be held liable).</p> <p>The session <a href="https://www.rsaconference.com/usa/agenda/session/Regulation%20on%20the%20Horizon%20What%20You%20Wish%20Your%20Lawyer%20Had%20Told%20You%20About">Regulation on the Horizon: What You Wish Your Lawyer Had Told You About</a> was particularly juicy, since it featured both in-house counsels from tech companies and Stacey Schesser, from the Privacy Unit of the California Attorney General. Naturally, these two groups had rather different perspectives on the subject of legal accountability.</p> <p>The in-house counsels persuasively argued that new regulations put CISOs in the impossible position of raising security concerns internally while communicating confidence to external stakeholders. 
Schesser countered (and I&rsquo;m paraphrasing here) that her job is to safeguard the personal data of Californians, and you&rsquo;re only in an impossible position if you fail to do that and then lie about it.</p> <p>The session&rsquo;s choicest quote came from moderator Beth George:</p> <blockquote> <p><em>&ldquo;When I see a client panicking around new regulations, it tends to be a symptom of a more immature security program than it is about how onerous the regulations are.&quot;</em></p> </blockquote> <h2 id="rsa-announcements">RSA announcements</h2> <p>Naturally, a lot of companies use RSAC as a launchpad for big announcements, and this year was no exception.</p> <p>The biggest headline grabber was a <a href="https://www.cybersecuritydive.com/news/68-software-promise-secure-by-design/715665/">public commitment from 68 tech companies</a> – including such giants as Google, Microsoft, and AWS – to implement secure-by-design development, building security into every aspect of their products' lifecycles. Of course, there&rsquo;s a case to be made that tech leaders should have been practicing this all along, but better late than never.</p> <p>There were also plenty of vendors unveiling new products, not least of which was us! <a href="https://1password.com/xam/extended-access-management">1Password Extended Access Management</a> debuted just a few days before the start of the conference, and we were extremely excited to talk about it both in the booth and onstage.</p> <img src='https://blog.1password.com/posts/2024/rsa-2024-conference-takeaways/1password-jeff-shiner-golden-state-warriors-stage.jpg' alt='1Password&#39;s Danielle Caldwell, Jeff Shiner, and Jason Meller, and the Golden State Warriors&#39; Daniel Brusilovsky.' title='1Password&#39;s Danielle Caldwell, Jeff Shiner, and Jason Meller, and the Golden State Warriors&#39; Daniel Brusilovsky.' 
style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>XAM is an access management solution that secures every login and device, even the Shadow IT apps and BYOD endpoints that fall outside traditional security solutions. It&rsquo;s a new approach to solving for zero trust, but it&rsquo;s also a return to the fundamentals of good security.</p> <h2 id="best-rsac-booth-award">Best RSAC booth award</h2> <p>The expo floor of the Moscone Center was bursting with vendors, showing off their wares and creative instincts. There were carnival games, cotton candy, and at least two close-up magicians. But there was also one clear winner when it came to pure spectacle.</p> <img src='https://blog.1password.com/posts/2024/rsa-2024-conference-takeaways/wiz-rsa-conference-booth.jpeg' alt='Wiz&#39;s grocery store-inspired booth at RSA Conference 2024.' title='Wiz&#39;s grocery store-inspired booth at RSA Conference 2024.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p><a href="https://www.linkedin.com/posts/wizsecurity_rsac-activity-7194345128289849345-obYZ">Image Source</a></p> <p>The coolest booth on that expo floor belonged to Wiz, which had an amazingly high-concept, security grocery store, with gleaming displays of fake products. 
While other security vendors often rely on doom and gloom to get their message across, this one radiated the kind of joy and optimism that comes with a <a href="https://www.pymnts.com/news/investment-tracker/2024/cloud-security-firm-wiz-valued-at-12-billion-after-funding-round/">$12 billion dollar valuation</a>.</p> <p>I&rsquo;m still not entirely sure what Wiz does, but whatever it is, I want one.</p> <p>That being said, I do believe that the 1Password booth had the friendliest people, the best product, and the coolest t-shirt.</p> <img src='https://blog.1password.com/posts/2024/rsa-2024-conference-takeaways/1password-rsa-conference-booth.jpeg' alt='1Password&#39;s booth at RSA Conference 2024.' title='1Password&#39;s booth at RSA Conference 2024.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>All in all, the 2024 RSA Conference was one of the most illuminating experiences I&rsquo;ve had since I started writing about security, and I can&rsquo;t wait for next year. (Assuming we haven&rsquo;t learned how to stop all breaches with AI by then.)</p> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div class="c-technical-aside-box__description"> <p><a href="https://blog.1password.com/introducing-extended-access-management/">Want to learn more about our big Extended Access Management announcement? 
Click here!</a></p> </div> </aside></description></item><item><title>Two new checks for the ChatGPT macOS app</title><link>https://blog.1password.com/two-checks-chatgpt-macos-app/</link><pubDate>Fri, 17 May 2024 00:00:00 +0000</pubDate><author>info@1password.com (Fritz Ifert-Miller)</author><guid>https://blog.1password.com/two-checks-chatgpt-macos-app/</guid><description> <img src='https://blog.1password.com/posts/2024/two-checks-chatgpt-macos-app/header.png' class='webfeedsFeaturedVisual' alt='Two new checks for the ChatGPT macOS app' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">With the recent announcement of OpenAI’s <a href="https://openai.com/index/gpt-4o-and-more-tools-to-chatgpt-free/">ChatGPT desktop application for macOS</a>, users gain access to LLM workflows outside of their browser. ChatGPT’s broad adoption by employees across industries, and around the world, has put employers, compliance, and security teams into high gear as they seek to balance the gains made in productivity with the potential risks of how these tools are being used.</p> <p>One of the most common concerns among employers when it comes to the utilization of generative AI is the possibility of sensitive or secure company data being fed into the larger ChatGPT training model, which is then used by individuals external to the organization.</p> <p>In August of 2023, <a href="https://openai.com/index/introducing-chatgpt-enterprise/">OpenAI announced their Enterprise offering of ChatGPT</a>, which introduced collaboration functionality, as well as security and privacy guardrails. Specifically, with regard to model training, they called out the following:</p> <blockquote> <p><em>You own and control your business data in ChatGPT Enterprise. 
We do not train on your business data or conversations, and our models don’t learn from your usage.</em></p> </blockquote> <p>This enterprise functionality was enthusiastically welcomed by teams who could now implement generative AI into their workflows while mitigating the risk it posed to their company.</p> <p>However, these guardrails are only effective as long as employees are logged into an enterprise workspace, and not their personal workspace. It’s crucial then to verify that the ChatGPT desktop app is configured properly to ensure data is not going somewhere it isn’t supposed to.</p> <p>By default, the ChatGPT app opens with the sidebar closed. This hides not only your chat history, but also your logged-in workspace:</p> <img src='https://blog.1password.com/posts/2024/two-checks-chatgpt-macos-app/chatgpt1.png' alt='A screenshot of the ChatGPT app&#39;s home screen, with the sidebar closed.' title='A screenshot of the ChatGPT app&#39;s home screen, with the sidebar closed.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>When we open the sidebar, we can see this account is actually logged into a personal workspace:</p> <img src='https://blog.1password.com/posts/2024/two-checks-chatgpt-macos-app/chatgpt2.png' alt='A screenshot of the ChatGPT app with a visible sidebar. A pop-up shows the user is signed into their personal account.' title='A screenshot of the ChatGPT app with a visible sidebar. A pop-up shows the user is signed into their personal account.' 
style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>That’s why we’re excited to announce <a href="https://app.kolide.com/x/checks/76947">a new Check for the ChatGPT macOS app</a> which ensures users are not using their personal ChatGPT workspace while logged into the app.</p> <img src='https://blog.1password.com/posts/2024/two-checks-chatgpt-macos-app/kolide-chatgpt.png' alt='A screenshot of Kolide showing that Jason Meller&#39;s MacBook Pro has been blocked from using ChatGPT because they&#39;re using a personal account.' title='A screenshot of Kolide showing that Jason Meller&#39;s MacBook Pro has been blocked from using ChatGPT because they&#39;re using a personal account.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <h2 id="verifying-active-account-and-workspace-id">Verifying Active Account and Workspace ID</h2> <p>The ChatGPT app keeps preferences and settings stored on disk, including what user accounts are logged in, and which account/workspace is currently active. To validate that users are working on the correct account, an administrator must provide their Workspace ID, which can be retrieved from the <a href="https://chatgpt.com/admin/settings">OpenAI ChatGPT admin portal</a>.</p> <img src='https://blog.1password.com/posts/2024/two-checks-chatgpt-macos-app/chatgpt-admin-portal.png' alt='A screenshot of the ChatGPT admin portal, with the Workspace ID field highlighted.' title='A screenshot of the ChatGPT admin portal, with the Workspace ID field highlighted.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>Your team may have more than one workspace, which is why you can provide as many as necessary.</p> <img src='https://blog.1password.com/posts/2024/two-checks-chatgpt-macos-app/kolide-chatgpt-configuration.png' alt='A screenshot of Kolide showing a configuration window titled &#39;ChatGPT Mac App Should Use Approved Workspace&#39;.' 
title='A screenshot of Kolide showing a configuration window titled &#39;ChatGPT Mac App Should Use Approved Workspace&#39;.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>1Password Extended Access Management will then retrieve the local settings from the user’s ChatGPT desktop app, and verify that the active workspace matches one of the IDs you’ve provided. If the active ChatGPT workspace does not match one of your provided values, end-users will be prompted to switch workspaces as shown below:</p> <ol> <li>Ensure you are logged into the user account <code>johnny-appleseed</code>.</li> <li>Open Spotlight search via the following keyboard shortcut: ‘Command + Spacebar’.</li> <li>Type <code>chatGPT.app</code> to locate your ChatGPT application and press Enter to launch.</li> <li>With the ChatGPT app open and the window in focus, expand the sidebar by clicking the icon in the upper-left corner.</li> <li>On the bottom of the sidebar, click your name to reveal a list of alternative accounts.</li> <li>Select the account associated with your organization.</li> <li>Close the application.</li> </ol> <blockquote> <p><em>If you do not see an alternative account to choose, please contact your IT team for support. In the meantime, you can log out of the application to pass the check.</em></p> </blockquote> <h3 id="what-if-the-chatgpt-app-isnt-installed-or-isnt-logged-in">What if the ChatGPT app isn’t installed, or isn’t logged in?</h3> <p>Only users with the desktop app installed will be considered in-scope for this Check, and those without the app installed will pass automatically. Likewise, users who have installed the app but have not yet logged in will be considered passing. 
Only users who are logged in with an active <code>Workspace ID</code> which does not match your supplied values will be reported as failing this Check.</p> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div class="c-technical-aside-box__description"> <h3 id="what-if-i-just-dont-want-my-users-putting-chatgpt-on-their-laptop-at-all">What if I just don’t want my users putting ChatGPT on their laptop at all?</h3> <p>If you aren’t comfortable with your users installing the ChatGPT desktop application, <a href="https://app.kolide.com/x/checks/76948">we have a second Check which prohibits the installation of the macOS ChatGPT app entirely</a>. When this Check is configured to block, a user who has ChatGPT installed will not be able to successfully authenticate until the app has been removed from their device.</p> </div> </aside> <h2 id="reducing-the-risk-of-llm-usage-with-1password-extended-access-managements-chatgpt-check">Reducing the risk of LLM usage with 1Password Extended Access Management’s ChatGPT Check</h2> <p>In a recent survey of knowledge workers conducted by Kolide, <a href="https://www.kolide.com/blog/89-of-workers-use-ai-far-fewer-understand-the-risks">89% of respondents reported using AI for work-related purposes at least once per month</a>. AI-based tools are becoming as ubiquitous as the calculator and their prevalence within the workspace shows no sign of slowing. 
The genie cannot be put back in the bottle, but we must be able to verify these tools are being used appropriately and safely.</p> <p>1Password Extended Access Management’s ChatGPT Check helps employees use the workflows that make them most productive, without putting the company’s data at risk, by making sure that data is going only where it is intended and nowhere else.</p></description></item><item><title>1Password SDKs are now available in beta</title><link>https://blog.1password.com/sdk-beta/</link><pubDate>Tue, 14 May 2024 00:00:00 +0000</pubDate><author>info@1password.com (Andrew Stiefel)</author><guid>https://blog.1password.com/sdk-beta/</guid><description> <img src='https://blog.1password.com/posts/2024/sdk-beta/header.png' class='webfeedsFeaturedVisual' alt='1Password SDKs are now available in beta' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Developers can now integrate their applications and services directly with 1Password using software development kits (SDKs) for Python, JavaScript, and Go. The SDKs are available as open-source libraries in public beta.</p> <h2 id="why-1password-sdks">Why 1Password SDKs?</h2> <p>Customers have been asking for a 1Password API so they can access their vaults and items stored in 1Password via that API. It’s a common request, and a reasonable one. The use cases are endless, and we’re builders and tinkerers by nature, too. But it presents some engineering challenges given 1Password’s unique security model.</p> <p>Building a traditional REST API would require 1Password to decrypt and store sensitive user data on our servers. That’s incompatible with <a href="https://support.1password.com/1password-security/">our security model</a> and our commitment to zero-knowledge, end-to-end encryption. Only you hold the keys to decrypt the information you store in 1Password, and we want to keep it that way.</p> <p>Enter the 1Password SDKs. 
The SDKs can be embedded within your application to decrypt data when and where it’s needed, so every value stays secret until that moment. This approach keeps our end-to-end security intact, even while opening up access for developers to build integrations.</p> <p>SDKs also provide a better developer experience overall. You can use them directly in your language of choice without building the types, functions, and validation from scratch – the SDK already provides all of this for you. It’s also easier to manage and install different versions using the package manager for your language.</p> <h2 id="how-1password-sdks-work">How 1Password SDKs Work</h2> <p>Building on the success of <a href="https://developer.1password.com/docs/cli/">1Password CLI</a>, the SDKs provide simple and efficient access to build integrations with 1Password. Today you can create, read, edit and delete items using our Go, JavaScript and Python SDKs. We’ll be improving the SDKs and adding new functionality in the coming months, so let us know your feedback. You can share your input, and follow for updates, by joining the #sdk channel in the <a href="https://developer.1password.com/joinslack">1Password Developer Community Slack</a>.</p> <p>To use an SDK in your project, first <a href="https://developer.1password.com/docs/service-accounts/get-started/#create-a-service-account">create a 1Password Service Account</a> to provide token-based access to a 1Password vault. By default you can create service accounts if you&rsquo;re an owner or administrator on your team, family, or personal plan. 
Otherwise, ask your administrator to give you permissions to create service accounts, or ask them to set one up and share the token with you.</p> <p>Next, export your service account token to an environment variable, for example: <code>export OP_SERVICE_ACCOUNT_TOKEN=&lt;your-service-account-token&gt;</code>.</p> <p>Using the 1Password SDKs follows a similar flow across languages:</p> <ol> <li>Import the SDK.</li> <li>Create an authenticated client.</li> <li>Perform an action (for example, create, read, update, or delete an item).</li> </ol> <p>Let’s take a look at a few examples to see how the SDKs work in practice.</p> <h3 id="1password-javascript-sdk">1Password JavaScript SDK</h3> <p>To get started with the JavaScript SDK, first install it by running <code>npm install @1password/sdk@beta</code>. You can also install it using Yarn or PNPM, or directly from the <a href="https://github.com/1Password/onepassword-sdk-js/tree/main">GitHub repository</a>.</p> <p>Here’s a simple example showing how you might retrieve a secret stored in 1Password using the JavaScript SDK:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-javascript" data-lang="javascript"><span class="kr">import</span> <span class="p">{</span> <span class="nx">createClient</span> <span class="p">}</span> <span class="nx">from</span> <span class="s2">&#34;@1password/sdk&#34;</span><span class="p">;</span> <span class="c1">// Creates an authenticated client with 1Password. 
</span><span class="c1"></span><span class="kr">const</span> <span class="nx">client</span> <span class="o">=</span> <span class="kr">await</span> <span class="nx">createClient</span><span class="p">({</span> <span class="nx">auth</span><span class="o">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">OP_SERVICE_ACCOUNT_TOKEN</span><span class="p">,</span> <span class="nx">integrationName</span><span class="o">:</span> <span class="s2">&#34;My 1Password Integration&#34;</span><span class="p">,</span> <span class="nx">integrationVersion</span><span class="o">:</span> <span class="s2">&#34;v1.0.0&#34;</span><span class="p">,</span> <span class="p">});</span> <span class="c1">// Retrieves a secret from 1Password. Takes a secret reference as input and returns the secret to which it points. </span><span class="c1"></span><span class="kr">const</span> <span class="nx">secret</span> <span class="o">=</span> <span class="kr">await</span> <span class="nx">client</span><span class="p">.</span><span class="nx">secrets</span><span class="p">.</span><span class="nx">resolve</span><span class="p">(</span><span class="s2">&#34;op://vault/item/field&#34;</span><span class="p">);</span> <span class="c1">// TODO: Do something with the secret... 
</span></code></pre></div><p>You can learn more about <a href="https://developer.1password.com/docs/sdks">working with the 1Password JavaScript SDK</a> in the SDK documentation.</p> <h3 id="1password-python-sdk">1Password Python SDK</h3> <p>To get started with the Python SDK, install it using <code>pip install git+ssh://git@github.com/1Password/onepassword-sdk-python.git</code>, or directly from the <a href="https://github.com/1Password/onepassword-sdk-python">GitHub repository</a>.</p> <p>Here’s a simple example showing how you might retrieve a secret stored in 1Password using the Python SDK:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-python" data-lang="python"><span class="kn">import</span> <span class="nn">asyncio</span> <span class="kn">import</span> <span class="nn">os</span> <span class="kn">from</span> <span class="nn">onepassword.client</span> <span class="kn">import</span> <span class="n">Client</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">main</span><span class="p">():</span> <span class="n">token</span> <span class="o">=</span> <span class="n">os</span><span class="o">.</span><span class="n">getenv</span><span class="p">(</span><span class="s2">&#34;OP_SERVICE_ACCOUNT_TOKEN&#34;</span><span class="p">)</span> <span class="c1"># Creates an authenticated client with 1Password.</span> <span class="n">client</span> <span class="o">=</span> <span class="k">await</span> <span class="n">Client</span><span class="o">.</span><span class="n">authenticate</span><span class="p">(</span><span class="n">auth</span><span class="o">=</span><span class="n">token</span><span class="p">,</span> <span class="n">integration_name</span><span class="o">=</span><span class="s2">&#34;My 1Password Integration&#34;</span><span class="p">,</span> <span class="n">integration_version</span><span class="o">=</span><span class="s2">&#34;v1.0.0&#34;</span><span class="p">)</span> <span class="c1"># Retrieves a 
secret from 1Password. Takes a secret reference as input and returns the secret to which it points.</span> <span class="n">secret</span> <span class="o">=</span> <span class="k">await</span> <span class="n">client</span><span class="o">.</span><span class="n">secrets</span><span class="o">.</span><span class="n">resolve</span><span class="p">(</span><span class="s2">&#34;op://vault/item/field&#34;</span><span class="p">)</span> <span class="c1"># TODO: Do something with the secret...</span> <span class="k">if</span> <span class="vm">__name__</span> <span class="o">==</span> <span class="s1">&#39;__main__&#39;</span><span class="p">:</span> <span class="n">asyncio</span><span class="o">.</span><span class="n">run</span><span class="p">(</span><span class="n">main</span><span class="p">())</span> </code></pre></div><p>Check out the SDK documentation to learn more about <a href="https://developer.1password.com/docs/sdks">working with the 1Password Python SDK</a>.</p> <h3 id="1password-go-sdk">1Password Go SDK</h3> <p>To get started with the Go SDK, install it using the <code>go get github.com/1password/onepassword-sdk-go</code> command, or directly from the <a href="https://github.com/1Password/onepassword-sdk-go">GitHub Repository</a>.</p> <p>Here’s a simple example showing how you might retrieve a secret stored in 1Password using the Go SDK:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-go" data-lang="go"><span class="kn">package</span> <span class="nx">main</span> <span class="kn">import</span> <span class="p">(</span> <span class="s">&#34;context&#34;</span> <span class="s">&#34;os&#34;</span> <span class="s">&#34;github.com/1password/onepassword-sdk-go&#34;</span> <span class="p">)</span> <span class="kd">func</span> <span class="nf">main</span><span class="p">()</span> <span class="p">{</span> <span class="nx">token</span> <span class="o">:=</span> <span class="nx">os</span><span class="p">.</span><span class="nf">Getenv</span><span class="p">(</span><span 
class="s">&#34;OP_SERVICE_ACCOUNT_TOKEN&#34;</span><span class="p">)</span> <span class="c1">// Creates an authenticated client with 1Password. </span><span class="c1"></span> <span class="nx">client</span><span class="p">,</span> <span class="nx">err</span> <span class="o">:=</span> <span class="nx">onepassword</span><span class="p">.</span><span class="nf">NewClient</span><span class="p">(</span> <span class="nx">context</span><span class="p">.</span><span class="nf">TODO</span><span class="p">(),</span> <span class="nx">onepassword</span><span class="p">.</span><span class="nf">WithServiceAccountToken</span><span class="p">(</span><span class="nx">token</span><span class="p">),</span> <span class="nx">onepassword</span><span class="p">.</span><span class="nf">WithIntegrationInfo</span><span class="p">(</span><span class="s">&#34;My 1Password Integration&#34;</span><span class="p">,</span> <span class="s">&#34;v1.0.0&#34;</span><span class="p">),</span> <span class="p">)</span> <span class="k">if</span> <span class="nx">err</span> <span class="o">!=</span> <span class="kc">nil</span> <span class="p">{</span> <span class="c1">// TODO: handle err </span><span class="c1"></span> <span class="p">}</span> <span class="c1">// Retrieves a secret from 1Password. Takes a secret reference as input and returns the secret to which it points. 
</span><span class="c1"></span> <span class="nx">secret</span><span class="p">,</span> <span class="nx">err</span> <span class="o">:=</span> <span class="nx">client</span><span class="p">.</span><span class="nx">Secrets</span><span class="p">.</span><span class="nf">Resolve</span><span class="p">(</span><span class="s">&#34;op://vault/item/field&#34;</span><span class="p">)</span> <span class="k">if</span> <span class="nx">err</span> <span class="o">!=</span> <span class="kc">nil</span> <span class="p">{</span> <span class="c1">// TODO: handle err </span><span class="c1"></span> <span class="p">}</span> <span class="c1">// TODO: Do something with the secret... </span><span class="c1"></span><span class="p">}</span> </code></pre></div><p>Again, you can learn more about <a href="https://developer.1password.com/docs/sdks">working with the 1Password Go SDK</a> in the documentation.</p> <h2 id="get-started-with-1password-sdks">Get started with 1Password SDKs</h2> <p>Visit the <a href="https://developer.1password.com/">1Password Developers portal</a> for additional documentation and resources about 1Password SDKs and our other developer tools.</p> <p>We can’t wait to see what you build with 1Password SDKs!</p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Start building with 1Password SDKs</h3> <p class="c-call-to-action-box__text"> Leverage open-source 1Password SDKs for Python, JavaScript, and Go to easily and securely integrate your application with 1Password. 
</p> <a href="https://developer.1password.com/docs/sdks/?utm_ref=blog" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Explore the documentation </a> </div> </section></description></item><item><title>Introducing 1Password’s solution for Managed Service Providers in beta</title><link>https://blog.1password.com/managed-service-provider-beta/</link><pubDate>Mon, 06 May 2024 00:00:00 +0000</pubDate><author>info@1password.com (Dan Haberman)</author><guid>https://blog.1password.com/managed-service-provider-beta/</guid><description> <img src='https://blog.1password.com/posts/2024/managed-service-provider-beta/header.png' class='webfeedsFeaturedVisual' alt='Introducing 1Password’s solution for Managed Service Providers in beta' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">On the heels of our <a href="https://blog.1password.com/global-partner-program/">global partner program launch</a> earlier this year, 1Password® Enterprise Password Manager - MSP Edition is now available in beta.</p> <div style="text-align: center !important;"> <iframe src="https://www.youtube-nocookie.com/embed/fEucgeXrQT4" frameborder="0" allow="autoplay; encrypted-media" width="500px !important;" height="281px !important;" style="width: 500px !important; height: 281px !important; display: inline-block !important" allowfullscreen></iframe> </div> <p>With this launch, managed service providers (MSPs) can protect their clients’ data and improve the security posture of their information technology systems with the industry-leading password manager trusted by more than 150,000 businesses. 
1Password Enterprise Password Manager - MSP Edition includes multi-tenancy client management, streamlined billing, and integration with existing client services and apps.</p> <h2 id="the-broader-security-and-solution-integration-challenges-for-msps">The broader security and solution integration challenges for MSPs</h2> <p>As our partners know, the increasing number of cyberattacks targeting their clients is a major concern. This puts pressure on MSPs to enhance their security measures and protect clients' data effectively.</p> <p>Another pain point for MSPs is the difficulty of offering multiple solutions from different security providers to their clients. Integrating technology solutions from various vendors can be complex and time-consuming.</p> <p>Without a simple, scalable IT service to protect their clients, MSPs face an uphill battle against the growing threat of cybersecurity incidents.</p> <h2 id="why-1password">Why 1Password?</h2> <p>1Password Enterprise Password Manager - MSP Edition offers the highest level of security to safeguard clients’ passwords and important data from online threats. MSPs can rest easy knowing they have access to streamlined workflows, integrations, and resources to help them become trusted advisors, protecting their clients while growing their business more efficiently. 
1Password Enterprise Password Manager - MSP Edition is a comprehensive solution that offers centralized client management, granular controls, actionable insights, and custom reporting.</p> <h2 id="what-to-expect-from-1password-enterprise-password-manager---msp-edition">What to expect from 1Password Enterprise Password Manager - MSP Edition</h2> <p>1Password Enterprise Password Manager - MSP Edition provides a comprehensive set of features to streamline management, enhance security, and improve efficiency for MSPs and their managed companies.</p> <p>During this beta, we’re unveiling the core functionality including:</p> <ul> <li><strong>Centralized console.</strong> Manage clients in a single, intuitive admin console, including linking and unlinking new managed companies.</li> <li><strong>Event data integration.</strong> Ingest 1Password managed account activity, like sign-in attempts or item usage, into your preferred SIEM tools including Datadog, Sumo Logic, Panther, and Splunk using the <a href="https://support.1password.com/events-reporting/">1Password Events API</a>.</li> <li><strong>Streamlined billing, licensing, and reporting.</strong> Simplify billing and reporting by consolidating information across managed companies directly to the MSP, saving time and effort.</li> <li><strong>Actionable insights.</strong> Leverage real-time threat detection in Business Watchtower for actionable recommendations to proactively identify and mitigate client risks.</li> <li><strong>Controls for security policies.</strong> Manage your team’s access by creating rules to govern how and where 1Password is used to stay secure and compliant with their industry regulations and policies.</li> </ul> <p>We&rsquo;re excited to expand upon this functionality to create the most comprehensive security solution for MSPs, tailored to their clients' unique business needs.</p> <h2 id="register-as-an-msp-with-1password">Register as an MSP with 1Password</h2> <p>For more information, check out 
the 1Password Enterprise Password Manager - MSP Edition <a href="https://www.youtube.com/watch?v=fEucgeXrQT4">overview video</a> and <a href="https://www.1password.partners/#/page/register">register as an MSP</a> to stay up to date on all news related to the 1Password Partner Program.</p> <p>If you’re looking to get started immediately with 1Password, <a href="https://www.1password.partners/#/page/register">register as an MSP</a> and get started transacting as a reseller.</p> <section class="c-call-to-action-box"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Register as an MSP</h3> <p class="c-call-to-action-box__text"> Register as an MSP with 1Password to get the latest news about the 1Password Partner Program, or to start transacting as a reseller. </p> <a href="https://www.1password.partners/#/page/register" class="c-call-to-action-box__link-href" data-event-category="CTA" data-event-action="call-to-action-button"> Register now </a> </div> </section></description></item><item><title>Charlie Livingston talks shadow IT: 'We need to change to a collaborative model.'</title><link>https://blog.1password.com/shadow-it-risks-charlie-livingston-interview/</link><pubDate>Fri, 03 May 2024 00:00:00 +0000</pubDate><author>info@1password.com (Jenn Marshall)</author><guid>https://blog.1password.com/shadow-it-risks-charlie-livingston-interview/</guid><description> <img src='https://blog.1password.com/posts/2024/shadow-it-risks-charlie-livingston-interview/header.png' class='webfeedsFeaturedVisual' alt='Charlie Livingston talks shadow IT: 'We need to change to a collaborative model.'' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Shadow IT – the use of apps or devices outside IT’s oversight – can mean that important business information is at risk of being exposed.</p> <p>Many organizations have rules prohibiting the use of <a 
href="https://blog.1password.com/what-is-shadow-it/">shadow IT</a>. But employees are still finding ways to use tools that help them complete their work more efficiently, if occasionally less securely. So what’s the secret sauce to getting users to be more mindful about security?</p> <p>According to <a href="https://ca.linkedin.com/in/charlielivingston">Charlie Livingston</a>, head of infrastructure and security at financial wellbeing platform <a href="https://wagestream.com/en-us/">Wagestream</a>, it’s important to position IT as the go-to partner who works to make employees’ jobs easier – and more secure.</p> <p>Livingston recently shared with 1Password’s Michael “Roo” Fey on the <a href="https://randombutmemorable.simplecast.com/">Random but Memorable</a> podcast his insights into how IT and employees can be more collaborative to manage the challenges surrounding shadow IT.</p> <p>Read the interview highlights below or <a href="https://randombutmemorable.simplecast.com/episodes/shadow-it-incident-sequel">listen to the full episode</a> wherever you like to listen to podcasts.</p> <div style="text-align: center !important;"> <iframe src="https://www.youtube-nocookie.com/embed/4P7xlytpDO8?si=PyOfU-J0gEoWcxLC" frameborder="0" allow="autoplay; encrypted-media" width="500px !important;" height="281px !important;" style="width: 500px !important; height: 281px !important; display: inline-block !important" allowfullscreen></iframe> </div> <p><em>Editor’s note: This interview has been lightly edited for clarity and brevity. The views and opinions expressed by the interviewee don’t represent the opinions of 1Password.</em></p> <p><strong>Michael Fey Can you give us an overview of Wagestream?</strong></p> <p><strong>Charlie Livingston:</strong> Wagestream is a company founded in the UK. All the funding came from five really great charities. 
Our goal is to provide fair financial services to every frontline worker.</p> <p>What that means is we have the unique position of being tied to employees’ pay. So we&rsquo;re able to offer very good financial services to people who typically aren&rsquo;t eligible for these things.</p> <p>There&rsquo;s this thing we look at, which is the poverty premium, and there is a cost to not making a lot of money. You pay more for credit products, you don&rsquo;t get good rates on your mortgages, on your car payments, on your credit cards. Wagestream is built from the ground up to battle that and to make finance fair for everyone.</p> <p><strong>MF: Shadow IT is a relatively recent focus for a lot of companies. What&rsquo;s your definition of shadow IT?</strong></p> <p><strong>CL:</strong> Shadow IT is really just anything that&rsquo;s being done outside of the core IT team. It&rsquo;s the temptation to just go: &ldquo;Oh, I&rsquo;m going to go and use this SaaS product, or I need to build my own little database for a little side project and I don&rsquo;t want to involve IT.&rdquo;</p> <p>The concern in bigger companies and in companies that I&rsquo;ve worked at in the past is: &ldquo;I don&rsquo;t want to talk to IT because they&rsquo;re a monolith and it&rsquo;s going to quadruple the budget for this project. It&rsquo;s going to take six months and they&rsquo;re probably going to screw it up.”</p> <blockquote> <p><em>&ldquo;Shadow IT is really just anything that&rsquo;s being done outside of the core IT team.&quot;</em></p> </blockquote> <p>Whereas in a company like Wagestream, it&rsquo;s a lot more innocent. Someone might think: &ldquo;Oh, IT is so busy, I don&rsquo;t want to bother them. It&rsquo;s just a small project. 
I&rsquo;ll just do it.&rdquo;</p> <p><strong>MF: How do you approach that “I won’t bother them” mindset and explain the risks of shadow IT to your company?</strong></p> <p><strong>CL:</strong> I don&rsquo;t know if you&rsquo;ve heard the term <a href="https://en.wikipedia.org/wiki/Hanlon's_razor">Hanlon&rsquo;s razor</a> before but it basically means: Don&rsquo;t attribute to malice what you can attribute to stupidity – or rather, misplaced good intention.</p> <p>In an organization like Wagestream, shadow IT is never somebody being malicious and saying: &ldquo;Oh, I want to sneak this under the radar from IT.&rdquo; It&rsquo;s misplaced good intention. &ldquo;Oh, IT&rsquo;s too busy. I&rsquo;m not important enough. What I&rsquo;m doing isn&rsquo;t important enough to bother IT.&rdquo;</p> <p>There are two points about shadow IT and Wagestream from a security standpoint. The first is the SaaS spend and a lot of people saying: &ldquo;Oh, I just need a little tool in my browser to do text-to-speech.&rdquo; It costs $10 a month. That&rsquo;s not a big deal but across 200 employees and 20 different platforms, it gets really expensive, really quick.</p> <p>The second point is dealing with: “What is that browser tool actually reading? Have you read the terms of service? Is it really cheap? Oh, it&rsquo;s a free tool. Okay, well why is it free? 
What data are they selling?”</p> <p><strong>MF: Do you have any shadow IT horror stories to share with us?</strong></p> <p><strong>CL:</strong> At one of the large companies I worked at, I remember finding out that one of the main employee training databases – which recorded all of the scores for every employee who&rsquo;d gone through training on any course – was stored on a computer under somebody&rsquo;s desk at home.</p> <p>We didn&rsquo;t know it until the power went out at that guy&rsquo;s house and we couldn&rsquo;t run our compliance reports for two days.</p> <p><strong>MF: Whoa, that&rsquo;s a good one!</strong></p> <p><strong>CL:</strong> It was a small project. Somebody just said: &ldquo;Oh, I&rsquo;m going to test this out.&rdquo; And it just kept growing and growing and growing into this big production thing that everybody used over many years.</p> <p>Shadow IT is often unchecked over time. A lot of it is good-natured, it&rsquo;s not bad intention. But it just grows into this time bomb that&rsquo;s waiting to go off. There are so many dark corners of large corporations that are run on an Excel spreadsheet that nobody, except for one person from 1994, knows how it works.</p> <blockquote> <p><em>&ldquo;A lot of it is good-natured, it&rsquo;s not bad intention. But it just grows into this time bomb that&rsquo;s waiting to go off.&rdquo;</em></p> </blockquote> <p><strong>MF: You mentioned that shadow IT within Wagestream is usually good-natured. Still, what&rsquo;s your approach to managing and mitigating it?</strong></p> <p><strong>CL:</strong> It’s the carrot versus the stick. I am continually horrified by the security industry at large, and how adversarial a lot of blog and social media posts are about users.</p> <p>They&rsquo;ll say things like: &ldquo;Oh, your users are stupid. How dare you trust your users with this or that. 
They&rsquo;re just going to go out and break it.&rdquo; And I&rsquo;m like, &ldquo;If you can&rsquo;t trust the people you&rsquo;re working with, who can you trust?&rdquo;</p> <p>We need to change to a collaborative model. When I talk to everybody in the company as Mr. Security Guy, I&rsquo;m like: &ldquo;I&rsquo;m here to work with you. I&rsquo;m here to make your job easier. I&rsquo;m here to give you the tools you need to do your job securely,” and they get the hell out of my way. If I&rsquo;m stopping you from doing something, I&rsquo;m not an asset to the company. I&rsquo;m a detriment to the company and I may as well just leave and go somewhere else.</p> <blockquote> <p><em>&ldquo;If I&rsquo;m stopping you from doing something, I&rsquo;m not an asset to the company.&rdquo;</em></p> </blockquote> <p>When people have problems or do something and realize, &ldquo;Oh wait, maybe I should talk to IT about it,&rdquo; they&rsquo;re way happier to go: &ldquo;Hey, we&rsquo;re doing this. What do you think?&rdquo; Versus, &ldquo;I have to trudge to the IT department. I have to talk to them. I don&rsquo;t want to do it. It&rsquo;s going to be such a problem. They&rsquo;re going to make me fill out 10 forms.&rdquo;</p> <p>I&rsquo;m just like: &ldquo;Hey, how can I help?&rdquo;</p> <p><strong>MF: Have you seen a transition from, &ldquo;Hey, we&rsquo;re trying to do this. How would we do this well?&rdquo; to, &ldquo;Hey, we&rsquo;re trying to do this and we <em>think</em> this is the right approach. Are we thinking about this the right way?&rdquo;</strong></p> <p><strong>If people are showing up with solutions and thinking about security, that can be a huge lift for the IT department.</strong></p> <p><strong>CL:</strong> That&rsquo;s the dream, isn&rsquo;t it?</p> <p>It happens every day at Wagestream. We have this fantastic internal RFC (Request For Comments) process. 
When we&rsquo;re talking about platform changes and designing new features, we&rsquo;ll build a Wiki article and write an RFC. Everybody then gets to comment on it.</p> <p>We get comments from our engineering team and our product design teams and even people in customer service saying: &ldquo;Hey, have you thought about this angle?&rdquo; Or, &ldquo;How does this affect security?&rdquo; Or, my favorite question every time is: &ldquo;What type of encryption are we using for this?&rdquo;</p> <p>I’m like: &ldquo;Yes, my job here is complete.&rdquo;</p> <p><strong>MF: At work, there needs to be a balance between flexibility and staying secure. How do you think that balance is being executed, both in the industry and at Wagestream?</strong></p> <p><strong>CL:</strong> I&rsquo;ll start with the industry. There are so many good, alternative voices in the security industry that aren&rsquo;t saying: &ldquo;All your users are idiots. You can&rsquo;t trust anybody.&rdquo; I&rsquo;m really seeing a sea change in the industry and it&rsquo;s heartening.</p> <p>Mindful IT, mindful security, security that involves the human factor.</p> <p>If you respect your users and the people you&rsquo;re working with and if you&rsquo;re hiring the right people, everybody should have the best intentions in mind. Instead of designing adversarial systems, you&rsquo;re building guardrails so people can do things safely and confidently. It&rsquo;s so much easier.</p> <blockquote> <p><em>&ldquo;Instead of designing adversarial systems, you&rsquo;re building guardrails.&rdquo;</em></p> </blockquote> <p>That’s the way we’ve been doing things at Wagestream, building guardrails, policies, and a collaborative framework that allows people to do their jobs and understand that they can do them safely and the right way.</p> <p><strong>MF: Is that guardrails concept your recommendation for any company that&rsquo;s concerned about shadow IT?</strong></p> <p><strong>CL:</strong> It depends on your threat model. 
But from almost every example of shadow IT I&rsquo;ve seen, it isn&rsquo;t a failure of your controls. It&rsquo;s a failure of your relationship with your users.</p> <p>If your users are resorting to shadow IT, it means there&rsquo;s a breakdown somewhere in the process. They didn&rsquo;t want to deal with IT, or weren&rsquo;t able to, or didn&rsquo;t know how to.</p> <p><strong>MF: Where can people go to find out more about you or check out Wagestream?</strong></p> <p><strong>CL:</strong> Definitely check out <a href="https://wagestream.com/en/">wagestream.com</a> and find us on <a href="https://www.linkedin.com/company/wagestream">LinkedIn</a>. If you have interest in our community mission and want to see some of the research on how Wagestream really benefits employees, I suggest you look up the research on financial inclusion and the impact we&rsquo;ve had.</p> <p>Personally, I&rsquo;m a business social media recluse. You can find me <a href="https://twitter.com/CCLiv">on X (formerly Twitter)</a> and <a href="https://ca.linkedin.com/in/charlielivingston">LinkedIn</a>.</p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Subscribe to Random but Memorable</h3> <p class="c-call-to-action-box__text"> Listen to the latest news, tips and advice to level up your security game, as well as guest interviews with leaders from the security community. 
</p> <a href="https://randombutmemorable.simplecast.com/" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Subscribe to our podcast </a> </div> </section></description></item><item><title>It’s time to extend access management</title><link>https://blog.1password.com/introducing-extended-access-management/</link><pubDate>Thu, 02 May 2024 00:00:00 +0000</pubDate><author>info@1password.com (Steve Won)</author><guid>https://blog.1password.com/introducing-extended-access-management/</guid><description> <img src='https://blog.1password.com/posts/2024/introducing-extended-access-management/header.png' class='webfeedsFeaturedVisual' alt='It’s time to extend access management' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Balancing security and productivity is hard. On one hand, IT and Security have an obligation to protect the company. On the other hand, employees are most productive when they can work with the tools they know and love.</p> <p>Between <a href="https://blog.1password.com/identity-security-in-hybrid-work-environments/">hybrid work</a>, BYOD, and <a href="https://blog.1password.com/what-is-shadow-it/">shadow IT</a>, one thing is clear: the way we work has changed, and the way we protect that work should too. Existing access management tools were built for a bygone age when every employee was on-premises, SSO was the way into every application used in the business, every device was managed by IT, and all access happened over corporate networks. 
But things have rapidly changed since the start of 2020, and these days:</p> <ul> <li>Hybrid and remote work have become standard.</li> <li>Employees frequently use unsanctioned applications that they bring in to boost their productivity.</li> <li>Employees and contractors increasingly use their personal devices for work purposes.</li> </ul> <p>The tools we use today for identity and access management (IAM) are great at securing access to managed applications, but they&rsquo;re unable to secure access to unsanctioned applications – and in reality do not even have visibility into those applications that live in the shadows beyond IT&rsquo;s ability to manage them. With the popularity of SaaS applications and the freedom that hybrid work arrangements provide, the number of unsanctioned applications businesses have has more than doubled over the last four years on average. Security teams have almost no way to prevent company-confidential or customer-sensitive data from flowing into unmanaged applications, or to ensure that departed employees don&rsquo;t still have access to the data held in those applications that lack access management control.</p> <p>Similarly, the mobile device management (MDM) tools offered today do a strong job securing company-managed devices, but employees or contractors rarely allow company MDM tools to be installed onto their personal laptops or mobile devices that they now frequently use for both business and personal purposes. Security teams have almost no way to stop unhealthy or compromised devices from logging in through their SSO provider into critical business applications.</p> <p>We&rsquo;re all living with the problems created by this disconnect between the tools we have and the reality of how we work – data breaches are more common and devastating than ever. Clearly, a new approach to secure access management is needed. 
And today, a new approach has arrived.</p> <h2 id="introducing-extended-access-management-xam">Introducing Extended Access Management (XAM)</h2> <p>Extended Access Management is a new category of security software that fills critical gaps in the identity and access management landscape. It is focused on extending the capabilities offered by IAM and MDM to the unmanaged applications and devices that today’s tools cannot secure. Extended Access Management secures access to all the places data goes, by giving companies the ability for the first time to manage:</p> <ul> <li>Unsanctioned and unmanaged apps and websites (shadow IT) that are not secured behind SSO.</li> <li>Unmanaged devices that are either poorly managed by MDM or outside its scope altogether.</li> </ul> <p>In companies today, too many sign-ins are untrusted – either because the sign-in is to an unsanctioned application or because it comes from an unhealthy device. This is what we call the <strong>Access Trust Gap</strong>: the percentage of sign-ins in a business that aren’t trusted, whether because of unmanaged applications or untrusted devices. The Access Trust Gap is increasing for most businesses because employees continue to bring in new SaaS applications and more frequently use personal equipment.</p> <img src='https://blog.1password.com/posts/2024/introducing-extended-access-management/access_trust_gap.png' alt='Illustrative diagram of the Access Trust Gap' title='Illustrative diagram of the Access Trust Gap' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <h2 id="every-business-with-iam-needs-extended-access-management">Every Business with IAM Needs Extended Access Management</h2> <p>Extended Access Management plugs the access management holes created as a result of IAM being unable to see or secure unmanaged applications. 
Every company of every size, from SMBs through the enterprise, needs to extend their access management strategy to cover all applications and devices. Today’s approach of securing only managed apps and devices is what has led to the rapid growth in the Access Trust Gap in most businesses.</p> <h2 id="requirements-of-extended-access-management">Requirements of Extended Access Management</h2> <p>Extended Access Management goes beyond traditional IAM to support how we work today. For example, supporting a remote or hybrid workforce comes with fundamentally different challenges than simply plugging your device into a corporate network.</p> <table> <thead> <tr> <th><strong>Requirement</strong></th> <th><strong>Use-Case</strong></th> <th><strong>Existing Workforce Identity Solutions</strong></th> <th><strong>Extended Access Management (XAM)</strong></th> </tr> </thead> <tbody> <tr> <td>User Identity</td> <td>Manage the entire lifecycle of end-user identity - provision user access from onboarding to offboarding.</td> <td>✅</td> <td>✅</td> </tr> <tr> <td>Universal Sign-on</td> <td>Offer SSO to all managed and unmanaged applications, and websites, from a single pane of glass.</td> <td>🆇 SSO only for managed applications</td> <td>✅</td> </tr> <tr> <td>Device Trust</td> <td>Monitor device health and security in real-time to mitigate security risks by addressing device compliance before access occurs.</td> <td>🆇 No ability to ensure device health</td> <td>✅</td> </tr> <tr> <td>Contextual Access Management</td> <td>Dynamic policies that take context – such as time, location, device health, and credential health – into consideration before allowing access.</td> <td>🆇 No ability to block SSO access to applications from unhealthy or compromised devices</td> <td>✅</td> </tr> <tr> <td>Application Visibility</td> <td>Generate an automatic inventory of managed and unmanaged apps across platforms to track usage, SSO eligibility, and more.</td> <td>🆇 No visibility of or capability to 
manage the inventory of unsanctioned applications used for business</td> <td>✅</td> </tr> <tr> <td>Enterprise Password Management</td> <td>Securely manage access to sensitive information.</td> <td>🆇 No ability to secure access to unmanaged applications</td> <td>✅</td> </tr> </tbody> </table> <h2 id="introducing-1password-extended-access-management">Introducing: 1PasswordⓇ Extended Access Management</h2> <p>Extended Access Management is a vendor-neutral concept, like Zero Trust or RBAC. We believe that Extended Access Management is a new category of security software that solves the access management challenges and closes the Access Trust Gap created by today’s hybrid way of work where BYO applications and devices are the new norm. 1Password Extended Access Management is the first product to be offered in this new category.</p> <p>1Password Extended Access Management addresses security across your workforce, devices, applications, and credentials. As a result, access to every application from every device is secure.</p> <p>1Password Extended Access Management goes beyond traditional identity and access management to secure all applications (including managed, shadow IT, and legacy apps) and access from all corporate and personal devices.</p> <p>1Password Extended Access Management secures organizations on four fronts:</p> <ul> <li><strong>User identity</strong> secures your workforce.</li> <li><strong>Device trust</strong> secures your devices.</li> <li><strong>App Insights</strong> secures all applications.</li> <li><strong>Enterprise password management</strong> secures your credentials.</li> </ul> <img src='https://blog.1password.com/posts/2024/introducing-extended-access-management/xam_components.png' alt='The components of Extended Access Management, including contextual access controls, device health, authentication, and App Insights' title='The components of Extended Access Management, including contextual access controls, device health, authentication, and App 
Insights' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>Taken together, 1Password Extended Access Management delivers the industry’s first solution that closes the Access Trust Gap that lies between identity and access management (IAM), privileged access management (PAM), mobile device management (MDM), and extended detection and response (XDR).</p> <p>1Password Extended Access Management makes it possible for businesses to balance security and productivity. Universal Sign-on (USO) improves security while making it easier than ever for employees to access the tools they need to best do their jobs. And Device Trust makes it safer for companies to allow employees to use the equipment that maximizes their performance.</p> <p>Here are a few links to learn more:</p> <ul> <li><a href="https://1password.com/xam/extended-access-management">1Password Extended Access Management</a></li> <li><a href="https://1password.com/xam">Extended Access Management</a></li> <li><a href="https://1passwordstatic.com/files/resources/extending-access-management-beyond-iam.pdf">Extended Access Management ebook</a></li> </ul> <p>With that, let me be the first to welcome you to the era of Extended Access Management.</p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Explore Extended Access Management</h3> <p class="c-call-to-action-box__text"> Learn why the way we work has changed – and why the way we protect that work should, too. 
</p> <a href="https://1password.com/xam" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Explore XAM </a> </div> </section></description></item><item><title>Private vaults in 1Password Teams and Business are now employee vaults</title><link>https://blog.1password.com/employee-vault/</link><pubDate>Wed, 01 May 2024 00:00:00 +0000</pubDate><author>info@1password.com (Skylar Nagao)</author><guid>https://blog.1password.com/employee-vault/</guid><description> <img src='https://blog.1password.com/posts/2024/employee-vault/header.png' class='webfeedsFeaturedVisual' alt='Private vaults in 1Password Teams and Business are now employee vaults' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">After speaking with customers, we renamed 1Password Teams and Business <em>private vaults</em> to <em>employee vaults</em> to reduce confusion between work and personal accounts. No functionality is changing – just the name.</p> <p>Each 1Password Teams and Business team member has access to shared vaults and a <a href="https://support.1password.com/private-vault/">private vault</a>. When an item is stored in a shared vault, whoever is added to that vault has access to the items stored in it. When an item is stored in the private vault, only the team member has access to that item (unless an individual item is <a href="https://support.1password.com/share-items/">temporarily shared</a>).</p> <p>The confusion arises when someone has access to a work account, like 1Password Business, as well as a personal account, like a 1Password Individual or Families account. If private vaults have the same name across both kinds of account, it’s easy to see how some folks end up accidentally saving personal items to their work account or vice-versa. 
For that reason, the existence of a private vault in both accounts takes a little explaining to new team members – and questions tend to come up during onboarding and offboarding.</p> <p>The name change should help clarify things.</p> <blockquote> <p>&ldquo;The seemingly minor transition from ‘Private Vault’ to ‘Employee Vault’ may not appear significant, but the time it saves during employee training is truly invaluable.&rdquo; – <strong>Brian Morris, CISO at Gray Media</strong></p> </blockquote> <h2 id="making-it-easier-to-keep-work-and-personal-items-separate">Making it easier to keep work and personal items separate</h2> <p><a href="https://blog.1password.com/keep-work-personal-items-separate/">Recall that keeping personal and work items separate is a security best practice</a>. Naturally, we want to make following that best practice as easy as possible. 1Password Business memberships include <a href="https://support.1password.com/link-family/">free 1Password Families memberships</a> for every employee for that very reason: Mixing personal items with work items can be a risk for you and for your company – especially when either contains vulnerabilities like weak or reused passwords.</p> <p>We’ve already introduced new features to help 1Password Business customers <a href="https://blog.1password.com/keep-work-personal-items-separate/">maintain that separation</a>.</p> <p>Again, the name change should help to eliminate any confusion between the employee vault and the private vault. We’ve shared the news with a few 1Password customers, and the feedback has been positive:</p> <blockquote> <p>It will prevent misunderstandings between the private vault from a family account and the private vault from a business account. Allowing employees to have both accounts configured in their 1Password client, even though we ask them to separate private from professional stuff, is creating some confusion. Therefore, this change is more than welcomed. 
– <strong>Diego de Haller, Cyber Security Lead at Frontiers</strong></p> </blockquote> <p>Note that this name change applies only to 1Password Business and 1Password Teams accounts. Nothing is changing in either 1Password Individual or 1Password Families accounts.</p></description></item><item><title>Verizon's 2024 data breach report challenges the security industry to do better</title><link>https://blog.1password.com/verizon-data-breach-report-2024-analysis/</link><pubDate>Wed, 01 May 2024 00:00:00 +0000</pubDate><author>info@1password.com (Elaine Atwell)</author><guid>https://blog.1password.com/verizon-data-breach-report-2024-analysis/</guid><description> <img src='https://blog.1password.com/posts/2024/verizon-data-breach-report-2024-analysis/header.png' class='webfeedsFeaturedVisual' alt='Verizon's 2024 data breach report challenges the security industry to do better' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">The Verizon Data Breach Investigations Report is to security what the <a href="https://www.youtube.com/watch?v=Ph7HLll8XmA"><em>Vogue</em> September issue</a> is to fashion: a glossy, buzzy publication that guides the industry&rsquo;s conversations for an entire year.</p> <p>The 2024 DBIR is no exception – it&rsquo;s packed with deeply-researched insights, elaborate (and sometimes inscrutable) graphs, and its usual collection of charming footnotes. This year, the authors look at some of the biggest security headlines from the past year, such as the MOVEit hack and its aftermath, and the (surprisingly muted) impact of GenAI on breaches.</p> <p>Still, if you&rsquo;re a security professional or observer, a lot of the information in the 2024 DBIR will feel depressingly familiar. 
One fact in particular stands out: <strong>in 2024, the overwhelming majority of data breaches can still be traced to credential-based attacks and human error.</strong></p> <img src='https://blog.1password.com/posts/2024/verizon-data-breach-report-2024-analysis/dbir1.png' alt='A graph showing that credentials were the leading cause of breaches.' title='A graph showing that credentials were the leading cause of breaches.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>This trend has held remarkably steady in recent years. The <a href="https://www.verizon.com/about/news/verizon-2020-data-breach-investigations-report">2020 DBIR</a> reported that &ldquo;credential theft, social attacks (i.e. phishing and business email compromise), and errors cause the majority of breaches (67% or more).&rdquo; The 2022 report found that &ldquo;&hellip;82% of breaches involved the human element…&rdquo; while the 2023 report blames the &ldquo;human element&rdquo; for 74% of breaches.</p> <p>This year, the &ldquo;human element&rdquo; accounts for 68% of breaches, which may look like a slight drop, until you consider that this year, the report&rsquo;s authors are no longer including <em>malicious</em> insiders in this category. So that 68% is strictly the result of accidental breaches resulting from human error or victimization via phishing attacks and the like.</p> <p>Likewise, it was another banner year for ransomware, with 32% of breaches involving ransomware and extortion, continuing another longtime trend.</p> <p>Given how quickly cybersecurity evolves, it&rsquo;s shocking to see the same &rsquo;ol usual suspects back again. It&rsquo;s like <em>Vogue</em> saying for five years in a row that fashion&rsquo;s hottest new trend is corduroy.</p> <p>When we hear about this seemingly unshakeable pattern of attacks, it can be tempting to roll our eyes or shrug our shoulders. 
But the appropriate reaction to these data breaches isn&rsquo;t apathy, it&rsquo;s astonishment.</p> <p>You should find this report&rsquo;s conclusions outrageous if you&rsquo;re a security or IT professional who is constantly struggling to get buy-in for your programs, if you&rsquo;re a worker given all the responsibility but none of the tools to protect your company, and <em>especially</em> if you&rsquo;re an individual whose data was compromised in one of these breaches.</p> <p>And you should be astonished because so many of these attacks are <em>preventable</em>, using security tools and training that already exist. As the Verizon 2024 Data Breach Investigations Report makes clear, the answers to our most pressing security problems are right in front of us, if we just take a close look at the data.</p> <h2 id="credentials-must-be-secured">Credentials must be secured</h2> <p>Let&rsquo;s start with credentials (it&rsquo;s kind of our wheelhouse, after all). The 2024 DBIR found that credentials remain the number one way that attackers gain access to systems, &ldquo;use of stolen credentials&rdquo; is the number one initial action during breaches, and stolen credentials also account for a whopping 77% of Basic Web Application Attacks. Credentials are also a part of many other forms of data breach – credential theft is the goal of many phishing and social engineering attacks, and the first thing a bad actor will do if they gain access to an end user&rsquo;s device is sniff around for unencrypted passwords on the hard drive.</p> <p>For a problem this widespread, the solutions are actually pretty straightforward. Ultimately, every organization&rsquo;s goal should be to move away from passwords and onto phishing-resistant forms of authentication. 
That means putting SSO and MFA in front of sensitive applications, and eventually retiring passwords altogether <a href="https://1password.com/product/passkeys">in favor of passkeys</a>.</p> <p>In the meantime, organizations can still prevent a lot of these attacks by investing in password managers for their employees. These ensure that workers create strong, unique passwords for every site, and keep them encrypted on their devices. Password managers have been around for years and are neither prohibitively expensive nor technologically complex, yet they remain underused. In 1Password&rsquo;s <a href="https://1passwordstatic.com/files/resources/2022-state-of-access-report.pdf">2022 State of Access Report</a>, only 29% of respondents said they used a password manager at work.</p> <p>So, let&rsquo;s be blunt: the only way the 2025 DBIR will give us some surprising twists is if organizations start doing more to protect credentials. As the report&rsquo;s authors said in their May 1 webinar: &ldquo;We&rsquo;ve been beating the drum of properly protecting credentials for many years.&rdquo; We&rsquo;ll add our own drum kit to that cacophony in the hopes that more people start listening.</p> <h2 id="the-hidden-attack-vector-compromised-devices">The hidden attack vector: compromised devices</h2> <p>The 2024 DBIR is clear about how compromised credentials threaten security. But there&rsquo;s another culprit in data breaches that is just as dangerous, but gets less direct attention: employee devices.</p> <p>You can think about the dangers of end user devices (by which we mean laptops, tablets, and phones) in two ways: <em>unknown</em> devices, and <em>unsecure</em> devices. Let&rsquo;s tackle them in that order.</p> <h3 id="unknown-devices">Unknown devices</h3> <p>An organization that allows any device to access its systems as long as it has the proper credentials is extremely vulnerable to attack. 
This is really an extension of the credential-based attack problem we just went over; as long as passwords remain so vulnerable to being stolen, phished, guessed, or purchased, you desperately need a stronger form of authentication. The usual advice for strengthening authentication is MFA, but even companies that implement this (and not enough do) often resort to <a href="https://www.kolide.com/blog/how-mfa-is-falling-short">secondary factors that are also vulnerable to phishing</a>.</p> <p>What you really need is an authentication factor that lives on the device itself and is not capable of being phished. That way, all the phished credentials in the world won&rsquo;t let a bad actor authenticate on an unknown device. Making device identity a part of authentication is one aspect of a <a href="https://www.kolide.com/blog/what-is-device-trust">device trust</a> solution. Now let&rsquo;s look at the other.</p> <h3 id="unsecure-devices">Unsecure devices</h3> <p>The consequences of unsafe, unhealthy devices are all over the 2024 DBIR. Here are two examples:</p> <ul> <li> <p><strong>System intrusion attacks</strong>, which include ransomware, represent 23% of all breaches in the 2024 DBIR. The &ldquo;CIS Controls for consideration&rdquo; to mitigate those attacks focus heavily on protecting devices, including maintaining firewalls on end-user devices and deploying and maintaining anti-malware software. Relatedly, the report also recommends requiring MFA for externally-exposed applications and remote network access.</p> </li> <li> <p><strong>Lost and stolen devices</strong> account for 199 incidents this year, 181 of which resulted in confirmed data disclosure, which presumably means those devices were improperly locked or encrypted. In this case, the &ldquo;CIS Controls for consideration&rdquo; include encrypting data on end-user devices, enforcing automatic device lockout, and enforcing remote wipe capability. 
(Unfortunately, that last recommendation may be difficult to follow for any organization with a BYOD policy, which will be unable to remotely wipe its employees&rsquo; unmanaged devices.)</p> </li> </ul> <p>So why are all these vulnerable devices accessing sensitive data in the first place? It&rsquo;s partly because traditional <a href="https://www.kolide.com/blog/the-pros-and-cons-of-mobile-device-management-mdm-solutions">device management solutions like MDM</a> aren&rsquo;t effective at identifying and resolving these issues. And it&rsquo;s partly because so many companies let employees work on unmanaged devices that are functionally invisible to MDM.</p> <p>Again, a device trust solution can mitigate these problems by ensuring that every device (even unmanaged, personal devices) is in a secure state before it authenticates.</p> <h2 id="employee-training-anyone">Employee training? Anyone?</h2> <p>As we mentioned in the introduction, this year&rsquo;s report found that 68% of breaches involved non-malicious human errors. Or, as the report&rsquo;s authors put it in their webinar: &ldquo;You can address two-thirds of these breaches by training and equipping your employees appropriately.”</p> <p>Unfortunately, &ldquo;give employees adequate training and resources&rdquo; is advice that&rsquo;s given and ignored as often as &ldquo;use stronger passwords.&rdquo; Many security vendors and practitioners would rather automate than educate, and we can all see where that approach has gotten us.</p> <p>But Verizon&rsquo;s data points to the ways that improved employee awareness drives improved security outcomes. Since 2016, users have gotten better at identifying and reporting phishing emails in training exercises, and that includes employees who reported <em>after</em> clicking the link!</p> <img src='https://blog.1password.com/posts/2024/verizon-data-breach-report-2024-analysis/dbir2.png' alt='A graph showing phishing email report rate by click status. 
In the graph, &#39;did not click&#39; trends above &#39;clicked&#39;.' title='A graph showing phishing email report rate by click status. In the graph, &#39;did not click&#39; trends above &#39;clicked&#39;.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>This is a great opportunity for security professionals and leaders to ask what a meaningful approach to security training and awareness programs could look like, instead of (to be brutally honest) doing the bare minimum to check a box in a compliance audit.</p> <p>In our experience, the best way to make employees into security allies is to make education a part of their day-to-day experience, rather than a semi-annual distraction. Encourage and empower employees to fix problems (such as changing compromised passwords, updating software, and turning on their firewalls) themselves, and explain the reasoning behind it. You&rsquo;ll soon find your workforce taking more responsibility for security, instead of thinking of it as someone else&rsquo;s problem.</p> <h2 id="lets-not-do-this-again-next-year-okay">Let&rsquo;s not do this again next year, okay?</h2> <p>Though many of its conclusions are all-too-familiar, the 2024 DBIR should be a wake-up call for anyone who cares about cybersecurity. Unless we fix some of our foundational weaknesses, we&rsquo;re in danger of succumbing to apathy. 
On April 24, <a href="https://www.theinformation.com/articles/the-cybersecurity-takeover-list-6-unicorns-that-could-seek-a-sale?rc=xw1brz"><em>The Information</em> reported</a> that companies are beginning to &ldquo;lose faith in the effectiveness of cybersecurity software&rdquo; since &ldquo;seemingly no matter how much security software companies are buying, cyberattacks continue to get through.&rdquo;</p> <p>But the problem isn&rsquo;t the concept of cybersecurity software – it&rsquo;s that many of these solutions ignore the obvious issues that stem from weak credentials, compromised devices, and uneducated employees.</p> <p>Naturally, there will always be data breaches – we&rsquo;d hate to see the DBIR authors out of a job – but by addressing the fundamentals of security, we can at least start talking about some new, exciting problems this time next year.</p></description></item><item><title>Improve API security and collaboration with 1Password and Postman</title><link>https://blog.1password.com/1password-postman-integration/</link><pubDate>Tue, 30 Apr 2024 00:00:00 +0000</pubDate><author>info@1password.com (Simon Barendse and Andrew Stiefel)</author><guid>https://blog.1password.com/1password-postman-integration/</guid><description> <img src='https://blog.1password.com/posts/2024/1password-postman-integration/header.png' class='webfeedsFeaturedVisual' alt='Improve API security and collaboration with 1Password and Postman' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">We’re partnering with <a href="https://www.postman.com/">Postman</a> to streamline how you securely build, test, and work with APIs.</p> <p>Starting today, you can <a href="https://learning.postman.com/docs/sending-requests/postman-vault/1password/">access API tokens and other secrets stored in 1Password</a> directly in your Postman workspaces and collections. 
The integration is available in Postman Enterprise plans with the Advanced Security Administration add-on.</p> <p>Postman is the leading API platform used by more than 30 million developers to build and work with APIs. Postman simplifies each step of the API lifecycle and streamlines collaboration so you can create better APIs, faster.</p> <p>The team at Postman was an early partner and tester in the <a href="#build-your-own-integration-with-1password-sdks">1Password SDKs</a> private beta, and built the new integration with 1Password using the 1Password Javascript SDK. Developers can use the SDKs to securely retrieve secrets stored in 1Password natively in their apps, whether integrating with an API, accessing infrastructure secrets, or building their own integrations with 1Password.</p> <div style="text-align: center !important;"> <iframe src="https://www.youtube-nocookie.com/embed/-47nWF0qT78" frameborder="0" allow="autoplay; encrypted-media" width="500px !important;" height="281px !important;" style="width: 500px !important; height: 281px !important; display: inline-block !important" allowfullscreen></iframe> </div> <h2 id="how-it-works">How it works</h2> <p>First, <a href="https://developer.1password.com/docs/service-accounts/get-started/#requirements">create a service account</a> using 1Password.com or 1Password CLI. We recommend saving the service account token into one of your 1Password vaults to reference later. <em>(Note: 1Password Business users may need to ask their account administrator to set up a service account with access to shared vaults.)</em></p> <img src='https://blog.1password.com/posts/2024/1password-postman-integration/create-1password-service-account.png' alt='Creating a service account with 1Password' title='Creating a service account with 1Password' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>Next, head over to <a href="https://go.pstmn.io/vault">Postman Vault</a> and start adding a vault secret. 
Give it an appropriate name (under the Key column) and then click the Vault Integration Icon in the Value field.</p> <p>Choose 1Password from the dropdown and enter your 1Password Service Account token.</p> <img src='https://blog.1password.com/posts/2024/1password-postman-integration/add-1password-service-account-token-postman.png' alt='Adding a 1Password Service Account token to Postman' title='Adding a 1Password Service Account token to Postman' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>Now you can configure your secret by <a href="https://developer.1password.com/docs/cli/secret-references/">copying the 1Password Secret Reference</a> for the API key or other secret stored in 1Password. The secret reference is of the form <code>op://&lt;vault-name&gt;/&lt;item-name&gt;[/&lt;section-name&gt;]/&lt;field-name&gt;</code>.</p> <img src='https://blog.1password.com/posts/2024/1password-postman-integration/copy-1password-secret-reference.png' alt='Copying the secret reference for an OpenAI API token in 1Password' title='Copying the secret reference for an OpenAI API token in 1Password' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>You can reference vault secrets in your Postman collections and requests from the <strong>URL</strong> builder, the <strong>Params</strong> tab, the <strong>Authorization</strong> tab, the <strong>Headers</strong> tab, and the <strong>Body</strong> tab.</p> <p>Enclose the vault secret in double curly braces (<code>{{ }}</code>) and prefix the secret name with <code>vault:</code> to reference it throughout your Postman team. 
For example, to reference a secret named “openai-api-key”, use the following syntax: <code>{{vault:openai-api-key}}</code>.</p> <img src='https://blog.1password.com/posts/2024/1password-postman-integration/use-postman-vault-secret-reference.png' alt='Referencing a secret in Postman' title='Referencing a secret in Postman' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <h2 id="improving-api-security-and-collaboration">Improving API security and collaboration</h2> <p>APIs are the connective tissue of modern applications. By some estimates up to <a href="https://www.akamai.com/security-research/the-state-of-the-internet">83% of internet traffic is from APIs</a>. Unfortunately, this can also make them appealing targets for malicious actors. <a href="https://equixly.com/blog/2024/01/05/top-5-api-security-incidents-of-2023/">Multiple high-profile breaches</a> over the past year illustrate the importance of protecting API keys.</p> <p>By providing an integrated vault experience, Postman and 1Password help streamline and secure developer workflows, ensuring APIs are protected every step of the way:</p> <ul> <li><strong>Available everywhere:</strong> You can sync and access your Postman workspace on every device without having to set up access to your API keys and secrets again. Whenever you need to make an API request, your API keys will be available in Postman.</li> <li><strong>Easier collaboration:</strong> Teams that collaborate in a workspace can easily reproduce each other&rsquo;s requests without additional setup. If they use a shared vault in 1Password to share access secrets, they can easily reproduce requests without any additional configuration.</li> <li><strong>Reduced security gaps:</strong> Secrets are end-to-end encrypted in 1Password so no one else can access them – including Postman and 1Password. 
This helps secure secrets and prevents them from accidentally leaking in configuration files or other plaintext files saved to your local disk.</li> </ul> <h2 id="build-your-own-integration-with-1password-sdks">Build your own integration with 1Password SDKs</h2> <p>Postman was one of our first partners to test and build with the new 1Password SDKs for Golang, Javascript, and Python. Currently in private beta, 1Password SDKs provide native language functionality to access and work with secrets stored in 1Password encrypted vaults.</p> <p>“The 1Password SDK takes the hassle out of integrating 1Password Vault into your app,” says Pranav Joglekar, Software Engineer at Postman. “With a streamlined setup process, it’s up and running in no time. So, we (developers) can focus on building amazing apps while the 1Password SDK handles the rest, improving overall efficiency.”</p> <p>Whether you’re building an integration, or just want to securely make an API request in your code, you can use 1Password SDKs to access secrets stored in your 1Password vaults.</p> <p>Sign up for the <a href="https://1password.com/dev-subscribe/">1Password Developer Newsletter</a> or join the <a href="https://developer.1password.com/joinslack">1Password Developer Slack Community</a> for updates about the public beta, and for the latest product updates and news for developers from 1Password.</p> <p>We can’t wait to see what you build!</p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Secure your workflows with 1Password Developer Tools</h3> <p class="c-call-to-action-box__text"> Streamline how you manage SSH keys, API tokens, and other infrastructure secrets from your first line of code all the way into production. 
</p> <a href="https://developer.1password.com/" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Explore documentation </a> </div> </section></description></item><item><title>What you can expect to work on as a 1Password intern</title><link>https://blog.1password.com/what-work-on-1password-internship/</link><pubDate>Mon, 22 Apr 2024 00:00:00 +0000</pubDate><author>info@1password.com (Liz Tam)</author><guid>https://blog.1password.com/what-work-on-1password-internship/</guid><description> <img src='https://blog.1password.com/posts/2024/what-work-on-1password-internship/header.png' class='webfeedsFeaturedVisual' alt='What you can expect to work on as a 1Password intern' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">1Password is proud to welcome roughly 60 interns to the team every year. Our internship program is a launching pad for Canadian students that lets them learn new skills, grow their network, and step into their careers.</p> <p>Curious what you could be doing as a 1Password intern? To answer that question, we first need to explain how we set up and run our internships.</p> <h2 id="how-1password-internships-work">How 1Password internships work</h2> <p>We post all of our internships on <a href="https://1password.com/careers">our Careers page</a>, giving you the chance to pick a team that best suits your skills and interests. If successful, you’ll be brought on for four months of fast-paced, hands-on work that moves us along our mission to build a safer, simpler digital future.</p> <p>As an intern, you’ll be asked to support or lead projects based on your skills and career goals. You’ll collaborate with teammates from around the world in our fully remote environment, working closely day to day with your manager and mentor.</p> <p>Internal growth is a priority for us. 
You’ll have the chance to raise your hand for projects that spark your curiosity and network with people from other teams. Who knows, you might just land your next internship or full-time job by doing so!</p> <p>In recent terms, students have taken on internships in our Technology, Product, Marketing, and Legal departments. Here are some examples of what our interns have been working on…</p> <img src='https://blog.1password.com/posts/2024/what-work-on-1password-internship/vithyea-kim.jpeg' alt='A headshot of Vithyea Kim, a Product Management Intern at 1Password' title='A headshot of Vithyea Kim, a Product Management Intern at 1Password' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <h2 id="vithyea-kim-hehim">Vithyea Kim (he/him)</h2> <p><strong>Product Management Intern, University of Waterloo</strong></p> <p>Hey! I&rsquo;m <a href="https://www.linkedin.com/in/vithyea-kim/">Vithyea</a>, a Product Management Intern on the B2B team working on <a href="https://1password.com/developers">1Password’s Developer Tools</a>.</p> <p>Joining 1Password has been an incredible journey. Right from the start, I was welcomed into a culture that values innovation, autonomy, and teamwork.</p> <p>During my time at 1Password, I led the effort to deprecate version 1 of our <a href="https://1password.com/developers/cli">Command Line Interface (CLI)</a> tool. The deprecation was an important initiative aimed at motivating people to adopt CLI v2, which includes all the latest features and an improved user experience. 
The project required strategic planning, user research, cross-functional collaboration, and a keen focus on user experience to ensure a seamless transition for our customers.</p> <blockquote> <p><em>&ldquo;The autonomy to make key decisions, tackle technical challenges with the team, and bring the concept to life was very rewarding.&quot;</em></p> </blockquote> <p>I also took the lead on making service account tokens mutable, a feature highly requested by developers. I owned the feature from its initial ideation through to its scoping, design, and implementation. Having the autonomy to make key decisions, tackle technical challenges with the team, and bring the concept to life was very rewarding.</p> <img src='https://blog.1password.com/posts/2024/what-work-on-1password-internship/1password-interns-group-1.jpg' alt='A group of 1Password interns going bowling together.' title='A group of 1Password interns going bowling together.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>Throughout my internship, I engaged with colleagues from departments including engineering, design, marketing, customer success, and more.</p> <p>I was part of technical discussions and brainstorming sessions where the diversity of ideas not only propelled projects forward, but deepened my understanding of the unique aspects of the product life cycle and what it takes to bring challenging product features to market.</p> <img src='https://blog.1password.com/posts/2024/what-work-on-1password-internship/mave-hur.jpeg' alt='A headshot of Mave Hur, a Developer Intern at 1Password' title='A headshot of Mave Hur, a Developer Intern at 1Password' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <h2 id="mave-hur-sheher">Mave Hur (she/her)</h2> <p><strong>Developer Intern, University of British Columbia</strong></p> <p>I&rsquo;m part of a team launching a groundbreaking new product in its alpha phase. 
It not only broadens 1Password’s capabilities by opening up exciting new markets but also requires a seamless integration with our existing product lineup and technical stack.</p> <p>I’ve gained skills that help me navigate the ambiguity and complexity of project scope, direction, and sequencing. Teams encourage active participation, idea sharing, and asking questions, which helps create a shared understanding of our work.</p> <blockquote> <p><em>&ldquo;I’ve gained skills that help me navigate the ambiguity and complexity of project scope, direction, and sequencing.&quot;</em></p> </blockquote> <p>At the beginning of my internship, I was paired with an onboarding buddy based on my technical skills and career goals. Before handling my own tickets, I shadowed my onboarding buddy as well as other team members. This helped me get familiar with the company&rsquo;s tools and products, and offered a firsthand look at how seasoned developers approach brainstorming, decision-making, error resolution, and testing.</p> <img src='https://blog.1password.com/posts/2024/what-work-on-1password-internship/laptop-coffee-zoom.jpeg' alt='Brewing coffee over a Zoom call.' title='Brewing coffee over a Zoom call.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>I love how the fully remote environment here increases my concentration and efficiency. Although it might reduce the chances for spontaneous interaction, it opens up alternative pathways for connection. 
Through company-wide events, randomized <a href="https://www.donut.com/">Donut chats</a> and Slack channels covering a diverse range of topics, I&rsquo;ve had the pleasure of meeting colleagues across departments, enriching my experience and nurturing a sense of community within 1Password.</p> <img src='https://blog.1password.com/posts/2024/what-work-on-1password-internship/max-thomson.jpg' alt='A headshot of Max Thomson, a Developer Intern at 1Password' title='A headshot of Max Thomson, a Developer Intern at 1Password' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <h2 id="max-thomson-hehim">Max Thomson (he/him)</h2> <p><strong>Developer Intern, University of Victoria</strong></p> <p>Hey there, I’m <a href="https://linkedin.com/in/MNThomson">Max</a>, a Developer Intern on the Developer Workflows team (<a href="https://developer.1password.com/">building tools for developers to integrate with 1Password</a>).</p> <p>My first task after onboarding was to add additional SSH key export types, something that customers had been requesting for a long time. Working through this feature request helped orient me in one of our multi-million line Rust codebases, learn the PKCS#8 encoding and SSH key encryption specifications, and gain my first foray into writing React for production.</p> <p>While working on the SSH key export options, I was continuously getting annoyed at the ~3 minute start time of Rust-Analyzer when I opened up my editor. I was able to configure it to ignore a large amount of JSON and every <code>node_modules</code> folder. A morning of debugging resulted in Rust-Analyzer now starting in 25 seconds flat (a 7x improvement) for every developer. 
Whether you’re an intern or a staff developer, you can have a massive impact across the organization.</p> <blockquote> <p><em>&ldquo;A morning of debugging resulted in Rust-Analyzer now starting in 25 seconds flat.&quot;</em></p> </blockquote> <p>Before coming to 1Password, I had built a few small projects in Rust. But that experience feels like nothing when approaching a multi-million line Rust codebase! What sets 1Password apart is everyone’s intense focus on learning Rust together. From bi-weekly Rust Study groups, where we work through a chapter from the Rust Book, to monthly 1:1 Rust Mentorship meetings to solve specific challenges, there’s a lot of support for anyone keen to dive deep.</p> <p>To future interns: 1Password encourages active learning above all else. Are you stuck or confused on a project? Jump on a call to debug and learn together. Be curious and take advantage of being surrounded by extremely knowledgeable people.</p> <img src='https://blog.1password.com/posts/2024/what-work-on-1password-internship/joey-wang.png' alt='A headshot of Joey Wang, a Developer Intern at 1Password' title='A headshot of Joey Wang, a Developer Intern at 1Password' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <h2 id="joey-wang-hehim">Joey Wang (he/him)</h2> <p><strong>Developer Intern, University of Waterloo</strong></p> <p>Hi. I’m <a href="https://www.linkedin.com/in/joeywangzr/">Joey</a>, a Developer Intern on the Item Management team. Our focus is helping customers create, organize, and find information they add to 1Password.</p> <p>In 1Password, people can <a href="https://blog.1password.com/psst-item-sharing/">create a link to share any item with others</a>. It’s a pretty major feature and is responsible for a significant portion of all sign-ups! I was really happy to work on a new feature allowing users to view, copy, and delete any sharing links they’ve created in our Android app. 
In previous internships, I never had the opportunity to work on such a significant user-facing feature.</p> <blockquote> <p><em>&ldquo;I was really happy to work on a new feature allowing users to view, copy, and delete any sharing links they’ve created in our Android app.&quot;</em></p> </blockquote> <p>During my internship, I was assigned a mentor who helped me with anything I had trouble with throughout the term. I also worked closely with all the other Android developers on my team. I’m not the most familiar with Android/Kotlin, so there was a big learning curve. With the help of my mentor and team, I got the proper resources and I was able to get rolling quickly!</p> <img src='https://blog.1password.com/posts/2024/what-work-on-1password-internship/1password-interns-group-2.jpg' alt='A group of 1Password interns playing Mario Kart together.' title='A group of 1Password interns playing Mario Kart together.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>We’re fully remote but our team had a lot of events on the calendar to help us stay connected, like weekly gaming sessions and an offsite in Halifax! The interns organized get-togethers too. We did a virtual escape room, went bowling, and had lots of meals together. It’s also worth checking out 1Password’s Toronto Collaboration Space. There’s lots of free snacks, drinks, games, and a Nintendo Switch.</p> <img src='https://blog.1password.com/posts/2024/what-work-on-1password-internship/ingrid-crant.jpg' alt='A headshot of Ingrid Crant, a Developer Intern at 1Password' title='A headshot of Ingrid Crant, a Developer Intern at 1Password' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <h2 id="ingrid-crant-sheher">Ingrid Crant (she/her)</h2> <p><strong>Developer Intern, University of Waterloo</strong></p> <p>Hi, I’m Ingrid. 
I’m a Developer Intern on the Infrastructure Secrets team!</p> <p>One of my focuses has been enhancing <a href="https://blog.1password.com/1password-service-accounts/">Service Accounts</a>, a tool that automates secrets management for applications and infrastructure. This term, I led a project implementing the inclusion of sharing items permissions for Service Accounts.</p> <p>With the team, I worked on the newly released Service Account creation via the CLI, where I owned the expiration time and validation aspects! This unlocks a new way of programmatically interacting with the product – something customers have asked for since its creation.</p> <blockquote> <p><em>&ldquo;I worked on the newly released Service Account creation via the CLI, where I owned the expiration time and validation aspects!&quot;</em></p> </blockquote> <p>I also worked on the creation of contributing.md documents for our open-source repositories, simplifying the process for external developers to contribute to important projects involving secrets injection into our supported CI/CD integrations. By making these concepts and repositories more approachable, I&rsquo;ve helped foster a more inclusive and collaborative environment within the open-source community.</p> <img src='https://blog.1password.com/posts/2024/what-work-on-1password-internship/kuberenetes-secrets-injector-contributing.png' alt='A screenshot of a contributing.md file for a kubernetes secrets injector.' title='A screenshot of a contributing.md file for a kubernetes secrets injector.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>Lastly, I published my own internal documentation explaining the complex data structures governing permissions and ownership for one of my team&rsquo;s products. This not only facilitated knowledge-sharing within my team but laid the groundwork for future developers to navigate our systems more efficiently.</p> <p>My experience at 1Password has been transformative. 
I&rsquo;ve honed my skills in backend development, my main area of interest that I communicated to my team from the get-go. I’ve learned to quickly grasp new concepts and distill them into clear and concise communication — a crucial skill in any technical role.</p> <p>I owe so much of my growth and development to the incredible team I&rsquo;ve had the pleasure of working with. Their mentorship, support, and warmth have created an environment where I feel encouraged to learn, experiment, and excel. In my journey as a developer, I know I’ll look back on my internship here fondly.</p> <img src='https://blog.1password.com/posts/2024/what-work-on-1password-internship/veronica-zoleta.jpg' alt='A headshot of Veronica Zoleta, a Product Management Intern at 1Password' title='A headshot of Veronica Zoleta, a Product Management Intern at 1Password' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <h2 id="veronica-zoleta-sheher">Veronica Zoleta (she/her)</h2> <p><strong>Product Management Intern, University of British Columbia</strong></p> <p>I worked on the B2B Product Management team to help scope out new features to improve the admin experience in 1Password.</p> <p>I led a project end-to-end where I got to discover a problem space, ideate a new feature, and collaborate with developers, designers, and other cross-functional teams to bring our vision to reality. 
This allowed me to take ownership of a brand new feature and be fully immersed in what it’s like to work as a product manager.</p> <p>The feature works directly with the onboarding flow and provides significant value to B2B customers setting up best practices when first logging in to 1Password.</p> <blockquote> <p><em>&ldquo;I led a project end-to-end where I got to discover a problem space, ideate a new feature, and collaborate with developers, designers, and other cross-functional teams.&quot;</em></p> </blockquote> <p>I was able to make an impact in other aspects of product management, such as assisting with product roadmaps, taking on competitive analysis, and sitting in on user interviews!</p> <p>I had a valuable experience as an intern and was able to develop both personally and professionally. Throughout my time here, I learned the importance of communicating effectively with other teams and the various components required to take a product from ideation to shipment. I also learned greatly from product managers who provided me with the confidence to define my own leadership and collaboration style within the team.</p> <h2 id="finding-your-place-at-1password">Finding your place at 1Password</h2> <p>From working on features that directly impact users to hosting gaming sessions, a 1Password internship isn’t just another line on your resume – it’s a chance to discover what the next step in your career can look like.</p> <p>Want to be a 1Password intern? We have four-month paid internships each winter, summer, and fall. 
Follow us on <a href="https://www.linkedin.com/company/1password">LinkedIn</a> to stay updated on <a href="https://jobs.lever.co/1password">open roles</a>.</p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Interested in an internship at 1Password?</h3> <p class="c-call-to-action-box__text"> Keep an eye on our careers page for open internship opportunities throughout the year. </p> <a href="https://1password.com/jobs/?utm_ref=blog" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> View our careers page </a> </div> </section></description></item><item><title>Stephen Balkam explains how parents can keep their children safe online</title><link>https://blog.1password.com/online-safety-families-stephen-balkam-interview/</link><pubDate>Wed, 17 Apr 2024 00:00:00 +0000</pubDate><author>info@1password.com (Jenn Marshall)</author><guid>https://blog.1password.com/online-safety-families-stephen-balkam-interview/</guid><description> <img src='https://blog.1password.com/posts/2024/online-safety-families-stephen-balkam-interview/header.png' class='webfeedsFeaturedVisual' alt='Stephen Balkam explains how parents can keep their children safe online' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">It’s a concern for families everywhere: keeping kids safe online. For parents with teenagers, there’s the added complication of trying to balance a child&rsquo;s safety with their right to privacy. But is online safety just families’ problem?</p> <p>Policy advocate Stephen Balkam says everyone – including government, technology companies, law enforcement, and individuals – has a role to play. 
He thinks about these issues a lot as the founder and CEO of the <a href="https://www.fosi.org/">Family Online Safety Institute (FOSI)</a>, a nonprofit that brings together government, industry, academia, and nonprofits to innovate around public policy, industry best practices, and digital parenting.</p> <p>He chatted with 1Password&rsquo;s Michael “Roo” Fey on the <a href="https://randombutmemorable.simplecast.com/">Random but Memorable</a> podcast about how parents should approach online safety with their kids. Balkam also discussed the emerging threats to children’s online safety, parental rights and children’s rights, and how kids can <em>always</em> find a workaround to get online.</p> <p>Want to learn more? Read the interview highlights below or listen to the <a href="https://randombutmemorable.simplecast.com/episodes/family-online-safety-sandwich">full podcast episode</a>.</p> <div style="text-align: center !important;"> <iframe src="https://www.youtube-nocookie.com/embed/cFcr3wf8q04?si=YXHxst8KJpwAvLXl" frameborder="0" allow="autoplay; encrypted-media" width="500px !important;" height="281px !important;" style="width: 500px !important; height: 281px !important; display: inline-block !important" allowfullscreen></iframe> </div> <p><em>Editor’s note: This interview has been lightly edited for clarity and brevity. The views and opinions expressed by the interviewee don’t represent the opinions of 1Password.</em></p> <p><strong>Michael Fey: What is the Family Online Safety Institute&rsquo;s mission?</strong></p> <p><strong>Stephen Balkam:</strong> To make the online world safer for kids and their families. We don&rsquo;t say the word “safe” because there&rsquo;s no such thing as 100% safe, but we can definitely make it safer. We do it through what we call the three Ps: Policy, Practices, and Parenting.</p> <p>Enlightened public policy is what we try to persuade our friends on Capitol Hill of, in the state capitals, London, and Brussels. 
Public policy laws and regulations that are based and grounded in research and not in banner headlines from the <em>Daily Mail</em> or something like that. We work with policymakers on both sides of the aisle. We&rsquo;re nonpartisan and do our best to encourage the emergence of good legislation.</p> <blockquote> <p><em>&ldquo;We&rsquo;re nonpartisan and do our best to encourage the emergence of good legislation.&quot;</em></p> </blockquote> <p>We also talk to the regulators. We sit down with the FTC a great deal, <a href="https://www.ofcom.org.uk/online-safety">Ofcom</a> in the UK, and <a href="https://www.esafety.gov.au/about-us/who-we-are/about-the-commissioner">eSafety</a> Commissioner Julie Inman Grant in Australia. These are the folks who actually have to enforce the laws as they are created. We work with them and provide a conduit to the technology companies, and vice versa, so there&rsquo;s better understanding of the work they&rsquo;re doing.</p> <p>The second P refers to industry best practices. We work with our members to up their “trust and safety game”, if you will, and act under NDA as constructive critics of their products and services. To that end, we&rsquo;ve worked with a number of the brand name companies to try to get them to put more resources behind the safety of their products.</p> <p>The third P is an initiative we call <a href="https://www.fosi.org/good-digital-parenting">Good Digital Parenting</a>. 
We take everything we&rsquo;ve learned from the laws and regulations, add that to the products and services that the tech companies are providing, including filtering tools, security devices, and so on, and translate that into easy-to-use language for parents.</p> <blockquote> <p><em>&ldquo;We have something called &lsquo;The Seven Steps to Good Digital Parenting.&rsquo; You can put that on your fridge.&quot;</em></p> </blockquote> <p>We have something called <a href="https://www.fosi.org/good-digital-parenting/7-steps-good-digital-parenting">The Seven Steps to Good Digital Parenting</a>. You can put that on your fridge to remind you to keep talking with your kids, to set ground rules, and to be a good digital role model yourself.</p> <p><strong>MF: How has your work evolved over the years? And what do you see as the most pressing challenges and emerging threats to children&rsquo;s online safety today?</strong></p> <p><strong>SB:</strong> When we started we only had two Ps: the policy side and the industry best practices side. Within a few years, we could see there was a real need to help parents. We call it empowering parents to confidently navigate the web with their kids.</p> <p>All of the issues that people have become familiar with – cyberbullying, sexting, overuse, oversharing, and screen time – these have been really vexing questions over the last decade or so.</p> <p>I would say over the last year or two, <a href="https://blog.1password.com/clint-bodungen-chatgpt-security-interview/">the emergence of generative AI through ChatGPT</a> and other products has just exploded onto the scene and caused a new wave of issues, concerns, fears, and excitement. 
It&rsquo;s why we decided to do <a href="https://www.fosi.org/policy-research/emerging-habits-hopes-and-fears">a year-long research project</a> on it last year.</p> <div style="text-align: center !important;"> <iframe src="https://www.youtube-nocookie.com/embed/yZFr-7LvTW0?si=BvKUwzAEExgpnI8l" frameborder="0" allow="autoplay; encrypted-media" width="500px !important;" height="281px !important;" style="width: 500px !important; height: 281px !important; display: inline-block !important" allowfullscreen></iframe> </div> <p><strong>MF: Tell me more about that. What have the findings been? What did you set out to discover? What was the focus of the project?</strong></p> <p><strong>SB:</strong> We looked at parents and teens in the U.S., Germany, and Japan to find out their experience of generative AI. That includes their concerns, their biggest fears, their biggest hopes, and just generally their attitudes toward it.</p> <p>Surprisingly, it was the first time where the kids admitted that their parents knew more about generative AI than they did. Every time we&rsquo;ve looked at anything from social media, the use of Snapchat, Instagram, and in the early days, Facebook, teens were far ahead of their parents in terms of usage knowledge.</p> <blockquote> <p><em>&ldquo;The kids admitted that their parents knew more about generative AI than they did.&quot;</em></p> </blockquote> <p>But with GenAI, we found something really interesting. I think it&rsquo;s because a lot of parents were already using ChatGPT and similar products for their work. And not surprisingly, they were quite concerned about generative AI taking over their jobs, so they really got in deep.</p> <p>In terms of what parents were concerned about for their own kids, it was that they wouldn&rsquo;t develop critical thinking skills in the way that they had to, going through school and college and into the workforce. 
They were concerned their kids would just have their essays written for them by AI.</p> <p>When we asked teens about their biggest concerns, ironically, given that they&rsquo;re not in the workforce yet, their biggest concern was whether there will be jobs for them when they do get into the workforce.</p> <blockquote> <p><em>&ldquo;The biggest concern [for teenagers] was whether there will be jobs for them when they get into the workforce.&quot;</em></p> </blockquote> <p>Also, the use of generative AI tools to create images and videos to cyberbully – that wasn&rsquo;t a concern for parents, but it was definitely one for teens. That&rsquo;s a huge concern if you&rsquo;re still at school.</p> <p><strong>MF: FOSI aims to create a culture of responsibility in the online world. What role do you see individuals, tech companies, and policymakers playing in fostering that safer digital environment for children?</strong></p> <p><strong>SB:</strong> If you can envision a large circle, at the top of the circle would be government. Government definitely has a role to play in setting the rules for what is allowed and not allowed online.</p> <p>It&rsquo;s a complicated role, particularly in the United States, where we have the First Amendment. We have this tricky balance between rights of privacy and safety. It&rsquo;s not easy legislating in this space but the government has a role to play in providing a legal framework and to urge folks to do more and better in this space.</p> <blockquote> <p><em>&ldquo;The government has a role to play in providing a legal framework and to urge folks to do more and better in this space.&quot;</em></p> </blockquote> <p>Law enforcement is also part of this picture and part of the circle. For the really heinous stuff, we need well-resourced law enforcement to go after the bad actors. 
In many cases, law enforcement does not have the resources it needs, but even so, it&rsquo;s part of the picture.</p> <p>It&rsquo;s also not acceptable for industry just to put out tools and products and services without thinking about online safety. They definitely have a role to play. When I go and talk to VCs, I say: “It’s great you have a gifted CEO and a fabulously skilled CTO, but who’s your chief online safety officer? Let’s make sure you bake that in.&rdquo; Safety by design, if you will.</p> <p>Parents, teachers, even the kids themselves, have a responsibility for maintaining safety online. We encourage parents to use parental controls. When kids hit high school, the emphasis shifts to being more of a co-pilot with your teen and working with them so that they utilize the online safety tools that have been created for them – to report, block, be private, and in many ways, shape or administer their online lives.</p> <blockquote> <p><em>&ldquo;When kids hit high school, the emphasis shifts to being more of a co-pilot with your teenager and working with them so they utilize the online safety tools that have been created for them.&quot;</em></p> </blockquote> <p>And then teachers, of course, have a huge role to play in terms of giving online safety advice or lessons and modeling how to be not just safe, but civil online as well.</p> <p><strong>MF: There seems to be a real interplay between parental rights and children&rsquo;s rights at the moment. Can you talk about that?</strong></p> <p><strong>SB:</strong> I should have said right at the front that FOSI is an international non-profit. What I often notice in Europe is there&rsquo;s a far greater emphasis on children&rsquo;s rights and teens’ rights to access content, gather online, and express themselves. And also a right to be safe when they&rsquo;re online. 
Here in the U.S., we tend to emphasize parental rights, and that often has pretty heavy connotations with it, particularly in certain states.</p> <p>Parents, particularly those who have younger children, absolutely have the right and the responsibility to keep their young kids safe online and use parental controls. But things shift in the teen years. Kids, at some point or another, start to have rights themselves, including rights of privacy and a right not to be surveilled by their parents while they&rsquo;re online.</p> <blockquote> <p><em>&ldquo;Kids, at some point or another, start to have rights themselves, including rights of privacy and a right not to be surveilled by their parents while they&rsquo;re online.&quot;</em></p> </blockquote> <p>Are we saying that kids, until they&rsquo;re 18, have zero rights? And then, once they hit 18, inherit 100% rights? Or is there a gradual curve upwards? Not surprisingly, our organization argues that kids have rights as they age, and it&rsquo;s a gradual curve.</p> <p>It&rsquo;s not an easy thing. It&rsquo;s not something you can point to and say: &ldquo;Absolutely this is the point at which they have X, Y, and Z rights.&rdquo; But it is a commonsensical thing and also a realization that 15-, 16-, 17-year-olds will have the ability to circumvent whatever you try and put in their way.</p> <p><strong>MF: How does FOSI educate parents about online safety? What are the key principles or tips you have for parents?</strong></p> <p><strong>SB:</strong> We developed the seven steps to condense all of our various messaging and advice. It boils down to: <a href="https://blog.1password.com/talking-to-kids-online-safety/">Talk to your kids</a>. That talk should be done early and often.</p> <p>When I say early, I mean as young as kindergartners. They can understand the word “bad”, they can understand the word “danger”, they can understand concepts like: &ldquo;We&rsquo;re not going to let you have this whenever you want it. 
There will be times when you can have it and times when you can&rsquo;t. We&rsquo;ll also set up some rules where there will be consequences if you misbehave.&rdquo;</p> <blockquote> <p><em>&ldquo;Talk to your kids. That talk should be done early and often.&quot;</em></p> </blockquote> <p>Laying all that out early is absolutely critical so the kid knows that when you act, you&rsquo;re not doing it unfairly. It&rsquo;s based on stuff you&rsquo;ve already talked about. But it&rsquo;s an ongoing conversation. You&rsquo;re going to have to do it almost on a yearly basis.</p> <p>Back to school is the time that we often suggest as a good time. &ldquo;Look, you&rsquo;re now going into third grade. We&rsquo;re getting you this gizmo watch so that you can contact us and we can contact you, but no, you&rsquo;re not getting a phone.&rdquo;</p> <div style="text-align: center !important;"> <iframe src="https://www.youtube-nocookie.com/embed/12lN6oRUc-g?si=dnXJQj59hvTNHv7Z" frameborder="0" allow="autoplay; encrypted-media" width="500px !important;" height="281px !important;" style="width: 500px !important; height: 281px !important; display: inline-block !important" allowfullscreen></iframe> </div> <p>Also, milestones, like: &ldquo;You&rsquo;re turning 13, you&rsquo;re now legally able to go on to various social media sites, but maybe we&rsquo;re not going to. We want to discuss each one in turn.&rdquo;</p> <p>And at 14 or 15, sitting down with them before they go back to school: &ldquo;Now show me how you report something on Snap. Tell me how you&rsquo;re remaining private on Instagram.&rdquo; This co-pilot concept is about working with your kid to make sure they&rsquo;re utilizing the tools that are there for them rather than you trying to lock everything down. So that&rsquo;s number one. Talk with your kids.</p> <p>Number three is use parental controls. We talked about that before.</p> <p>Number seven, probably the most important, is to be a good digital role model yourself. 
The top complaint I get from kids when I work in schools is: &ldquo;I can&rsquo;t get my parents' attention. My mom is always on Facebook. My dad is always checking his email.&rdquo; Put your own screens down and give your kids face time.</p> <blockquote> <p><em>&ldquo;The top complaint I get from kids when I work in schools is: &lsquo;I can&rsquo;t get my parents&rsquo; attention. My mom is always on Facebook. My dad is always checking his email.&rsquo;&quot;</em></p> </blockquote> <p>We talk about tech-free zones in the house. A tech-free zone includes the bedroom. We&rsquo;re not fans of screens in kids' bedrooms. No screens at the table if you sit at the table for a meal. Tech-free time zones, so maybe you have a 9:00PM or 10:00PM curfew where everyone puts their devices in a closet to charge up overnight.</p> <p>We say to parents at PTA meetings: “Raise your hands if you use your phone as an alarm clock.” And almost everyone&rsquo;s hands go up. The next thing I say is: &ldquo;Don&rsquo;t. Don&rsquo;t use your phone as an alarm clock.&rdquo;</p> <blockquote> <p><em>&ldquo;Little kids love to jump in your bed in the morning. They&rsquo;ll see that blue haze on your face and they&rsquo;re going to want the same thing.&quot;</em></p> </blockquote> <p>Because it&rsquo;s the last thing you&rsquo;re going to look at when you&rsquo;re going to bed. It&rsquo;s also the first thing you&rsquo;re going to look at, and sometimes even before you&rsquo;re brushing your teeth, you&rsquo;ll be checking your email and your texts and the weather. And if you have little kids, they love to jump in your bed in the morning. They&rsquo;ll see that blue haze on your face and they&rsquo;re going to want the same thing. 
Kids will do what you do rather than what you tell them to do.</p> <p><strong>MF: Do you think that teenagers are often neglected in the conversation around online security and almost seen as something to be managed instead of someone to be included?</strong></p> <p><strong>SB:</strong> Oh, for sure. That&rsquo;s why whenever we can, we include teenagers in our surveys, in our research. It&rsquo;s extremely important to hear from them because it&rsquo;s their lived experience that will inform public policy, as well as the products and services that tech companies build.</p> <p><strong>MF: Where can people go to find out more about you, the Family Online Safety Institute, and the incredible work that you&rsquo;re doing?</strong></p> <p><strong>SB:</strong> Our website is <a href="https://www.fosi.org/">fosi.org</a>. We&rsquo;re also on <a href="https://www.linkedin.com/company/family-online-safety-institute/">LinkedIn</a>, <a href="https://twitter.com/FOSI">X</a>, <a href="https://www.instagram.com/familyonlinesafety/?hl=en">Instagram</a>, all the usual places. And we have <a href="https://www.youtube.com/fosi">a YouTube channel</a>. You’ll find a number of quite amusing videos with actual parents and kids illustrating the seven steps.</p> <section class="c-call-to-action-box c-call-to-action-box--yellow"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Subscribe to Random but Memorable</h3> <p class="c-call-to-action-box__text"> Listen to the latest news, tips and advice to level up your security game, as well as guest interviews with leaders from the security community. 
</p> <a href="https://randombutmemorable.simplecast.com/" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--yellow" data-event-category="CTA" data-event-action="call-to-action-button"> Subscribe to our podcast </a> </div> </section></description></item><item><title>Sisense breach: the urgency of protecting developer secrets</title><link>https://blog.1password.com/sisense-credential-breach/</link><pubDate>Tue, 16 Apr 2024 00:00:00 +0000</pubDate><author>info@1password.com (1Password)</author><guid>https://blog.1password.com/sisense-credential-breach/</guid><description> <img src='https://blog.1password.com/posts/2024/sisense-credential-breach/header.png' class='webfeedsFeaturedVisual' alt='Sisense breach: the urgency of protecting developer secrets' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">The U.S. Cybersecurity and Infrastructure Security Agency (CISA) <a href="https://www.cisa.gov/news-events/alerts/2024/04/11/compromise-sisense-customer-data">recently announced</a> that they are investigating a major breach at Sisense, a business intelligence company.</p> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div class="c-technical-aside-box__description"> <p>1Password is not a Sisense customer nor were we impacted by the Sisense breach.</p> </div> </aside> <p>As a result of the breach, it is critical that Sisense customers take action immediately to minimize the impact of any breached credentials. Here is a quick overview of what happened, and a look at what needs to be done to secure your developer secrets to protect against follow-on data breaches.</p> <h2 id="what-caused-the-sisense-breach">What caused the Sisense breach?</h2> <p><a href="https://krebsonsecurity.com/2024/04/why-cisa-is-warning-cisos-about-a-breach-at-sisense/">According to reporting by Brian Krebs</a>, attackers gained access to Sisense’s self-hosted GitLab environment. 
From there, they found an unprotected token that gave them full access to the company’s Amazon S3 buckets. Once they had full access to the company’s cloud environment, they were able to copy and exfiltrate several terabytes of customer data, including millions of access tokens, passwords, and even SSL certificates.</p> <h2 id="whos-impacted">Who’s impacted?</h2> <p>Exact details have not been published; however, it appears that over 1,000 companies (and possibly over 2,000) may have been impacted, ranging from startups to global brands. The company serves businesses in the finance, healthcare, retail, media &amp; entertainment, software and technology, and transportation industries.</p> <p>While the initial breach is severe on its own, it&rsquo;s the potential for downstream attacks on companies and consumers that likely has CISA concerned. The stolen credentials could give the attackers access to additional cloud environments containing consumer information as they move downstream from their initial target to Sisense’s customers. Many of these credentials – SSL certificates, SSH keys, and API tokens – are long-lived by default and stay valid until someone explicitly rotates or revokes them, so the exposure does not expire on its own. As a result, it is imperative that Sisense customers take action to secure their developer credentials.</p> <h2 id="sisense-breach-actions-to-take">Sisense breach: actions to take</h2> <p>Sisense has <a href="https://krebsonsecurity.com/2024/04/why-cisa-is-warning-cisos-about-a-breach-at-sisense/">shared guidance</a> with their customers about the types of credentials to rotate, including but not limited to account passwords, single sign-on (SSO) client secrets, database credentials, Git credentials, API tokens, and SSL certificates. 
Impacted customers should:</p> <ol> <li>Review guidance and communications from Sisense for the full list of impacted credentials.</li> <li>Audit and identify the most privileged credentials that protect customer data, especially personally identifiable information (PII) and protected health information (PHI).</li> <li>Begin rotating credentials, starting with the most privileged and working down to the least privileged, and confirm that each old credential is actually revoked rather than merely replaced.</li> </ol> <h2 id="lessons-learned--and-what-to-do-going-forward">Lessons learned – and what to do going forward</h2> <p>Even if you were not directly impacted by the Sisense breach, it&rsquo;s important to review your security posture, especially when it comes to developer secrets and DevOps environments. As we’ve <a href="https://blog.1password.com/exposed-developer-secrets-gitguardian/">written about in the past</a>, businesses of all sizes struggle to protect developer secrets. Even sophisticated security and engineering organizations can fall victim to secrets leaks.</p> <p>Here are some steps you can take to secure developer credentials:</p> <h3 id="secure-developer-credentials-like-api-tokens-and-ssh-keys">Secure developer credentials like API tokens and SSH keys</h3> <p>Despite the privileged access developer secrets provide, they often do not have the same degree of protection as passwords, especially since IT and security teams can lack visibility into the health of these credentials. These types of developer secrets should be secured with end-to-end encrypted storage, like an enterprise password manager (EPM).</p> <h3 id="use-secrets-references-even-in-dotenv-files">Use secrets references, even in dotenv files</h3> <p>It’s too easy to accidentally commit a secret, even if it’s added to an environment configuration file. 
The best defense is to use secrets references that can be replaced programmatically at run time.</p> <h3 id="inspect-git-commits-for-secrets">Inspect Git commits for secrets</h3> <p>Although it is more effective to address the root causes of developer secrets leakage, businesses and organizations should inspect Git commits as a last safety check to make sure credentials are not accidentally committed to shared repositories. GitHub recently announced that they have turned on <a href="https://github.blog/2024-02-29-keeping-secrets-out-of-public-repositories/">push protection</a> for all public repositories, but this feature needs to be applied to all repositories, public or private, cloud or self-hosted.</p> <h3 id="strengthen-cloud-infrastructure-by-blocking-public-access-by-default">Strengthen cloud infrastructure by blocking public access by default</h3> <p><a href="https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html">Amazon S3 Block Public Access</a> can help you make sure that your Amazon S3 buckets don’t allow public access. As of April 2023, block public access is turned on by default for all new Amazon S3 buckets. For any created prior to April 2023, the setting should be configured for your AWS accounts or within individual Amazon S3 buckets. Another preventative security measure for Amazon S3 buckets is to use <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html">IAM Access Analyzer</a> to regularly monitor which buckets (and other resources) are accessible outside your account or AWS environment.</p> <h2 id="how-1password-can-help">How 1Password can help</h2> <p>While organizations must react to this breach, the most effective solution to this type of breach is to implement the practices outlined in this post to secure developer secrets. 
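</p> <p>The two practices above, references instead of values in dotenv files and inspecting what a commit adds before it lands, are easier to see in code. The Python script below is an added example written for this page; it is not code from the original post or from 1Password. The <code>op://</code> reference syntax is 1Password&rsquo;s, but everything else is an assumption: the resolver is a stand-in dictionary rather than a real vault lookup, the token patterns are a deliberately small illustrative set, and the sample dotenv file and diff are constructed and contain no real credentials.</p>

```python
"""Added example, not code from the original post or from 1Password: resolve
op:// secret references from a dotenv file at run time, and inspect only the
lines a commit would add for credential-shaped tokens. The token patterns,
the stand-in vault and the sample inputs are constructed for illustration."""
import re
from typing import Callable, Dict, List, Tuple

# Assumption: a deliberately small set of credential shapes. A real scanner
# carries far more patterns plus entropy checks for generic tokens.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}
# 1Password-style reference: op://VAULT/ITEM/[SECTION/]FIELD (carries no secret)
REFERENCE = re.compile(r"^op://[^/\s]+/[^/\s]+(?:/[^/\s]+)+$")

def find_secrets(text: str) -> List[Tuple[str, str]]:
    """(pattern name, token) for every credential-shaped token in text."""
    return [(name, m.group(0))
            for name, pattern in SECRET_PATTERNS.items()
            for m in pattern.finditer(text)]

def parse_dotenv(text: str) -> Dict[str, str]:
    """Minimal KEY=VALUE reader: skips blanks and comments, strips matching quotes."""
    env: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        env[key.strip()] = value
    return env

def load_env(text: str, resolver: Callable[[str], str]) -> Dict[str, str]:
    """Build a process environment from a dotenv file that holds references.

    Each op:// reference is exchanged for its value through the resolver only
    now, in memory; the file on disk never contains the secret. A value that
    is itself a credential-shaped literal is rejected instead of exported.
    """
    resolved: Dict[str, str] = {}
    for key, value in parse_dotenv(text).items():
        if REFERENCE.match(value):
            resolved[key] = resolver(value)
        elif find_secrets(value):
            raise ValueError(f"{key} holds a literal credential; use an op:// reference")
        else:
            resolved[key] = value  # ordinary, non-secret configuration
    return resolved

def rejects_literal(text: str, resolver: Callable[[str], str]) -> bool:
    """True if load_env refuses the file because it contains a literal credential."""
    try:
        load_env(text, resolver)
    except ValueError:
        return True
    return False

def scan_diff(diff: str) -> List[Tuple[int, str, str]]:
    """Inspect only the added lines of a unified diff (what git diff --cached shows).

    Returns (line number within the diff, pattern name, token). Context and
    removed lines are skipped: deleting a secret is not a new leak.
    """
    findings = []
    for number, line in enumerate(diff.splitlines(), 1):
        if line.startswith("+") and not line.startswith("+++"):
            findings.extend((number, name, token) for name, token in find_secrets(line[1:]))
    return findings

# Constructed sample inputs. The AWS key ID is the placeholder that AWS's own
# documentation uses; the GitHub token is a made-up string of the right shape.
FAKE_VAULT = {  # stand-in for a real secrets-manager lookup (assumption)
    "op://Production/postgres/password": "generated-in-vault-not-on-disk",
    "op://Production/aws-deploy/access_key_id": "AKIAIOSFODNN7EXAMPLE",
}
SAMPLE_ENV = """\
# references only; the values live in the vault
DB_HOST=db.internal
DB_PASSWORD=op://Production/postgres/password
AWS_ACCESS_KEY_ID="op://Production/aws-deploy/access_key_id"
"""
SAMPLE_DIFF = """\
diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
@@ -1,2 +1,3 @@
 DB_HOST = "db.internal"
-AWS_KEY = os.environ["AWS_ACCESS_KEY_ID"]
+AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
+GITHUB_TOKEN = "ghp_0123456789abcdefghijklmnopqrstuvwxyz"
"""

if __name__ == "__main__":
    print(load_env(SAMPLE_ENV, FAKE_VAULT.__getitem__), scan_diff(SAMPLE_DIFF))
```

<p>Wired into a pre-commit hook, <code>scan_diff</code> would be fed the output of <code>git diff --cached</code>. Two design choices matter: only added lines are examined, so removing a secret from a file never trips the check, and <code>load_env</code> refuses any value that already looks like a credential, so a dotenv file that was filled in with real values by mistake fails before anything reaches the process environment. Pattern matching of this kind catches well-known token formats only; it is the last safety check the section above describes, not a substitute for keeping secrets out of files in the first place.</p> <p>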
To that end, 1Password provides an enterprise password manager (EPM) that secures developer secrets while simplifying developer workflows.</p> <p>1Password’s offerings provide critical secrets management functionality to prevent breaches caused by developer credentials, and are available in all 1Password plans:</p> <h3 id="protect-and-manage-developer-secrets">Protect and manage developer secrets</h3> <p>Store SSH keys, API tokens, database credentials, and more in 1Password’s end-to-end encrypted vaults. Use 1Password to generate, store, and biometrically authenticate SSH connections so SSH private keys are never saved as plaintext on your local disk.</p> <h3 id="keep-secrets-out-of-code">Keep secrets out of code</h3> <p>Use the 1Password VSCode Extension to find secrets in your code as you work, save them to 1Password with one click, and then replace them with a secrets reference.</p> <h3 id="securely-deploy-to-production">Securely deploy to production</h3> <p>Integrate 1Password with your CI/CD pipelines (GitHub Actions, CircleCI, and Jenkins) and infrastructure as code (IaC) tools (Kubernetes, Terraform, Pulumi, Ansible) to programmatically replace secrets at runtime.</p> <p>While it’s not possible to prevent 100% of breaches, it is possible to empower software engineering teams and other employees with the tools they need to keep secrets safe.</p> <p>You can get started with a <a href="https://start.1password.com/sign-up/business/?utm_ref=blog">14-day free business trial</a>, or by visiting our <a href="https://developers.1password.com/">developer docs</a> to learn more about how you can secure developer secrets.</p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Secure developer secrets with 1Password</h3> <p class="c-call-to-action-box__text"> Streamline how developers manage SSH keys, API tokens, and other infrastructure secrets throughout 
the entire software development life cycle with 1Password Business. </p> <a href="https://start.1password.com/sign-up/business/?utm_ref=blog" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Try free for 14 days </a> </div> </section></description></item><item><title>A guide to developer secrets and shadow IT for security teams</title><link>https://blog.1password.com/secrets-management-for-developers/</link><pubDate>Thu, 11 Apr 2024 00:00:00 +0000</pubDate><author>info@1password.com (Jenn Marshall)</author><guid>https://blog.1password.com/secrets-management-for-developers/</guid><description> <img src='https://blog.1password.com/posts/2024/secrets-management-for-developers/header.png' class='webfeedsFeaturedVisual' alt='A guide to developer secrets and shadow IT for security teams' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">This is the final post in a series about shadow IT. In this series, we&rsquo;ve detailed how and why teams use unapproved apps and devices, and cybersecurity approaches for securely managing it. For a complete overview of the topics discussed in this series, download <em><a href="https://1password.com/resources/managing-shadow-it/?utm_ref=blog">Managing the unmanageable: How shadow IT exists across every team – and how to wrangle it</a></em>.</p> <p>We all use passwords and other secrets to access things at work. It’s the IT team’s responsibility to secure those secrets. For most departments, secrets management needs are simple: They sign in to apps and websites with passwords, or passkeys, or sometimes with multi-factor authentication.</p> <p>But developers have unique workflows and secrets management needs.</p> <p>The types of secrets developers manage every day include SSH keys, database and API keys, server credentials, and other encryption keys. 
These keys power authentication methods developers use every day to access systems, integrate applications, securely transfer files, and more. To complicate matters, developer secrets often live outside IT’s purview.</p> <p>That means developers are often left to manage secrets themselves, but that scenario can create serious risks for companies. A 2023 GitGuardian study revealed that in packages published to PyPI, a single popular open-source package index, <a href="https://blog.gitguardian.com/uncovering-thousands-of-unique-secrets-in-pypi-packages/">nearly 4,000 unique secrets were exposed</a> across all projects. Of those unique secrets, they found 768 were still in active use. Separately, in the first two months of 2024, GitHub reported it found <a href="https://github.blog/2024-02-29-keeping-secrets-out-of-public-repositories/">more than one million leaked secrets on public repositories</a>, which translates to a rate of about 12 secrets leaked per minute during that time. That’s a lot of leaks!</p> <p>Secrets management, in other words, is <a href="https://blog.1password.com/exposed-developer-secrets-gitguardian/">a growing problem</a>. To make matters worse, the typical shadow IT concerns that plague non-developer teams apply to developers, too. That is, the passwords and credentials they use to sign in to apps and websites may not be secure – and IT may not even know about it.</p> <p>The challenge, should IT and security teams choose to accept it: Secure encryption keys and other developer secrets no matter which apps and tools are being used – and do it without adding friction to already complex workflows.</p> <h2 id="breaking-down-developers-unique-secrets-management-needs">Breaking down developers’ unique secrets management needs</h2> <p>Due to the nature of their roles, developers building software products have direct access to key systems and sensitive data. 
In addition, they need to work with secrets directly in their terminal, code editor, and deployment pipelines. Engineering teams may also need to share secrets for different applications, or when configuring their development environments.</p> <p>To streamline this process, developers sometimes store secrets somewhere convenient in plaintext, or hardcode them into the source code while working. Either of these scenarios – not exactly secrets management best practices – can lead to data breaches or compromised systems.</p> <h2 id="a-brief-introduction-to-secret-sprawl">A brief introduction to secret sprawl</h2> <p>The growing number of different tools and cloud environments developers use to do their work has made secrets management more difficult. A 1Password report revealed that 50% of individual contributors in IT or DevOps roles admit <a href="https://1passwordstatic.com/files/resources/research-report-risks-of-mismanaging-corporate-secrets.pdf">they’re storing secrets in more locations than they can count</a>. A quarter of companies said their secrets are stored in 10 or more locations.</p> <p>And while the IT team has traditionally been responsible for managing passwords, IT teams often lack visibility and control over developer secrets like SSH keys and API tokens. This seems to be the norm: approximately 80% of companies surveyed by 1Password <a href="https://1passwordstatic.com/files/resources/research-report-risks-of-mismanaging-corporate-secrets.pdf">said they didn’t manage their secrets well</a>, and 60% have experienced secret leaks. In fact, 75% of developers admitted they still had access to sensitive information like a former employer’s infrastructure secrets(!).</p> <h2 id="lack-of-developer-specific-toolsets-compounds-the-problem">Lack of developer-specific toolsets compounds the problem</h2> <p>Why is it so hard for developers to secure secrets like SSH keys and database credentials? Security and productivity are often in tension. 
One survey found that 73% of developers agree that the work or tools their security team typically requires them to use <a href="https://get.chainguard.dev/hubfs/Chainguard-Harris-Poll-ciso-and-developer-trends-Report.pdf">interfere with their productivity and innovation</a>.</p> <p>Each cloud provider, application, server, database, or other tool a developer uses typically requires separate authentication – and might require learning specialized tooling for that environment. Authenticating for multiple tools can interrupt workflows, slowing developers down – which can be unacceptable for teams trying to deliver projects on tight deadlines.</p> <p>As a workaround, sometimes developers store credentials insecurely or take shortcuts to enable faster access. Without a secure, productivity-friendly alternative, the result is hard-coded credentials.</p> <p>In addition to taking shortcuts, lack of education around proper secrets management has allowed insecure habits to form, including:</p> <ul> <li>Reusing secrets across projects.</li> <li>Using the same secrets in both production and testing/staging.</li> <li>Storing secrets in shared or unsecured spreadsheets.</li> <li>Sending secrets over email, chat, and text.</li> <li>Former employees maintaining access to secrets.</li> </ul> <p>When developers share secrets over unencrypted email or messaging apps, manually set up system configurations on their local device to run a program, or manually copy sensitive values to connect to another machine, those secrets are not secure.</p> <h2 id="securing-shadow-it-with-secrets-management-solutions-for-developers">Securing shadow IT with secrets management solutions for developers</h2> <p>As we detailed in the last post in this series, a first step to wrangling shadow IT across all of your company’s departments is <a href="https://blog.1password.com/understanding-shadow-it-security-needs/">understanding employees’ responsibilities and workflows</a>. 
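</p> <p>Two of the habits in the list above, reusing one secret across projects and using production secrets in staging, are invisible to any single developer but straightforward to audit once the environment files are collected centrally. The Python script below is an added example written for this page, not code from the original post or from 1Password. It assumes each project keeps a dotenv file per environment and, as a naming heuristic, treats variables whose names contain PASSWORD, SECRET, TOKEN, or KEY as secrets; it reports only a truncated SHA-256 fingerprint of each value so the audit output is not itself another copy of the secrets. The three sample files are constructed and contain no real credentials.</p>

```python
"""Added example, not code from the original post or from 1Password: audit a
set of dotenv files for secrets reused across projects or shared between
production and non-production environments. Only fingerprints are reported."""
import hashlib
from collections import defaultdict
from typing import Dict, List, Tuple

# Assumption: variables whose names contain one of these words hold secrets.
SECRET_HINTS = ("PASSWORD", "SECRET", "TOKEN", "KEY")

def parse_dotenv(text: str) -> Dict[str, str]:
    """Minimal KEY=VALUE reader: skips blanks and comments, strips surrounding quotes."""
    pairs = (line.split("=", 1) for line in text.splitlines()
             if "=" in line and not line.lstrip().startswith("#"))
    return {k.strip(): v.strip().strip("\"'") for k, v in pairs}

def fingerprint(value: str) -> str:
    """Short SHA-256 prefix: enough to correlate reuse, useless for recovering the value."""
    return hashlib.sha256(value.encode()).hexdigest()[:12]

def is_secret_name(name: str) -> bool:
    return any(hint in name.upper() for hint in SECRET_HINTS)

def audit_reuse(files: Dict[Tuple[str, str], str]) -> List[dict]:
    """files maps (project, environment) -> dotenv text.

    Returns one finding per secret value that is reused in a risky way:
      cross_project    the same value appears in more than one project
      prod_in_nonprod  a production value also appears in another environment
    Each finding lists where the value is used and its fingerprint, never the value.
    """
    uses_by_fp = defaultdict(list)  # fingerprint -> [(project, env, variable)]
    for (project, env), text in files.items():
        for var, value in parse_dotenv(text).items():
            if value and is_secret_name(var):
                uses_by_fp[fingerprint(value)].append((project, env, var))

    findings = []
    for fp, uses in uses_by_fp.items():
        projects = {p for p, _, _ in uses}
        envs = {e for _, e, _ in uses}
        kinds = []
        if len(projects) > 1:
            kinds.append("cross_project")
        if "production" in envs and len(envs) > 1:
            kinds.append("prod_in_nonprod")
        if kinds:
            findings.append({"fingerprint": fp, "kinds": kinds, "uses": sorted(uses)})
    # Deterministic order so reports can be diffed between audit runs.
    return sorted(findings, key=lambda f: (f["kinds"], f["uses"]))

# Constructed sample input: three dotenv files, no real credentials.
SAMPLE_FILES = {
    ("billing", "production"): "DB_PASSWORD=pw-billing-prod\nSTRIPE_SECRET=sk_live_constructed\nLOG_LEVEL=info\n",
    ("billing", "staging"): "DB_PASSWORD=pw-billing-prod\nSTRIPE_SECRET=sk_test_constructed\nLOG_LEVEL=debug\n",
    ("reports", "production"): "DB_PASSWORD=pw-reports-prod\nSTRIPE_SECRET=sk_live_constructed\n",
}

if __name__ == "__main__":
    for finding in audit_reuse(SAMPLE_FILES):
        print(finding["fingerprint"], ",".join(finding["kinds"]))
        for project, env, var in finding["uses"]:
            print(f"    {project}/{env}: {var}")
```

<p>The fingerprint is enough to show that two files hold the same value without revealing what it is, which is what lets an IT team that does not own the secrets run the audit. A finding tagged <code>prod_in_nonprod</code> is the more urgent of the two: a staging environment usually has weaker access controls, so a production credential found there should be rotated, not just reported.</p> <p>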
This helps IT and security teams identify not only where employees may be using shadow IT to help them in their jobs, but <em>why</em> they’re using it.</p> <p>Employees often use shadow IT to improve their productivity – to work around something that’s holding them back from doing their best work, on schedule. This is especially important to understand for the engineering team.</p> <p>The question is how to secure developer workflows while simultaneously streamlining them. Secure credential management for developers can be trickier than it is among non-developers, because the workflows are more technical, so the fix requires a more bespoke solution. Implementing single sign-on (SSO) as part of an identity and access management (IAM) framework can go a long way to securing non-development workflows, but it doesn’t typically address developer needs: SSH keys, API tokens, and database credentials sit outside the browser sign-in flow that SSO covers.</p> <p>The good news is there is arguably more opportunity within developer workflows to secure credentials and reduce friction than with other teams. It’s not particularly convenient for developers to <a href="https://blog.1password.com/developers-deserve-great-ux/">generate SSH keys manually every time</a>, or to store SSH keys on their local drive, or to store plaintext secrets in code. These (insecure) methods are just the way things have always been done – but they’re certainly not without friction.</p> <p>However, it can be difficult for IT and security admins to know where to start, because they’re less familiar with developer workflows. That being the case, a good first step is to try to understand developers’ unique secrets management use cases. 
For example, it may be helpful to understand that <a href="https://blog.1password.com/developers-deserve-great-ux/">each developer starts their day with a ‘git pull’</a>, or why they have to google the <code>ssh-keygen</code> command every time they need it (because it’s so complicated).</p> <p>To find points of friction, pinpoint where developers may be taking shortcuts with secrets management, and where shadow IT may be lurking, it can help to ask questions like:</p> <ul> <li>How are you storing and sharing secrets?</li> <li>Are you running programs/queries on your local device (instead of on a secure server)?</li> <li>Are you copying and pasting sensitive values to connect to another machine?</li> <li>Are you using additional tools or services to increase your productivity or do your job better?</li> <li>Are there security policies or processes you feel are slowing down your work?</li> </ul> <p>Once you gather this information, then what? It’s not realistic to try to monitor all the ways developers may be sharing secrets or prevent employees from using shadow IT (you’ll be engaging in an unwinnable game of whac-a-mole). The only practical way forward is to put effective secrets management tools in place so developers can use the platforms they want, but in a secure way.</p> <p>How do you do that? For starters, look for tools that use automation to eliminate the possibility of human error. That should make it easier to get buy-in too: Developers will never object to removing friction from their workflows, especially when you can automate tedious tasks in the software development lifecycle and lessen their workload.</p> <p>For developers using SSH keys, for example, you can implement an enterprise password manager (EPM) like 1Password that supports <a href="https://developer.1password.com/docs/ssh/agent/">secure secrets management for credentials like SSH keys</a> in a way that fits seamlessly into developer workflows. 
In addition, an <a href="https://1password.com/developers">EPM with secrets management features</a> can help developers securely work with API tokens, application keys, and other credentials where they need them – in their terminal and code editor. That means both stronger security and increased productivity.</p> <h2 id="learn-more-about-shadow-it">Learn more about shadow IT</h2> <p>To learn more about shadow IT and how IT teams can adapt to evolving workplace challenges in a hybrid environment, catch up with three previous posts in this series:</p> <ul> <li><a href="https://blog.1password.com/what-is-shadow-it/">What is shadow IT and how do I manage it?</a></li> <li><a href="https://blog.1password.com/shadow-it-employee-productivity/">Employee productivity and worker burnout, and how they impact shadow IT</a></li> <li><a href="https://blog.1password.com/understanding-shadow-it-security-needs/">Understanding and securing shadow IT use for HR, finance, and marketing</a></li> </ul> <p>For a complete overview of the topics discussed in this series, download the eBook, <em><a href="https://1password.com/resources/managing-shadow-it/?utm_ref=blog">Managing the unmanageable: How shadow IT exists across every team – and how to wrangle it</a></em>.</p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Managing the Unmanageable</h3> <p class="c-call-to-action-box__text"> Learn why teams like finance, marketing, HR, and engineering use shadow IT, the security vulnerabilities that can follow, and how to manage it all. 
</p> <a href="https://1password.com/resources/managing-shadow-it/?utm_ref=blog" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Download now </a> </div> </section></description></item><item><title>How 1Password protects information on your devices (and when it can’t)</title><link>https://blog.1password.com/local-threats-device-protections/</link><pubDate>Wed, 10 Apr 2024 00:00:00 +0000</pubDate><author>info@1password.com (Megan Barker)</author><guid>https://blog.1password.com/local-threats-device-protections/</guid><description> <img src='https://blog.1password.com/posts/2024/local-threats-device-protections/header.png' class='webfeedsFeaturedVisual' alt='How 1Password protects information on your devices (and when it can’t)' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">There’s one question our Security team hears more than any other: Is my 1Password data vulnerable if my device is compromised or infected with malware?</p> <p>A compromised device involves full control or visibility at the system level<sup id="fnref:1"><a href="#fn:1" class="footnote-ref" role="doc-noteref">1</a></sup>, and password managers like 1Password store data that’s accessible to the system — that’s how they function. In fact, that’s how most typical apps are built.</p> <p>The short answer is: Yes, your secrets are vulnerable to an attacker who’s fully compromised your device, however unlikely that situation may be. And let me be clear that if you’re an everyday internet citizen who <a href="https://blog.1password.com/data-breach-101-stay-safe-online/">browses securely and maintains their devices</a>, worrying about such local threats is probably unnecessary. 
The longer answer is nuanced, as they so often are, and presents an interesting paradox.</p> <p>So, let’s explore that paradox, then dig right into local threat protections in 1Password. After our deep dive, I’ll reveal the crucial non-security consideration involved in our threat-mitigation approach, and explain how the 1Password team strikes an incredibly delicate balance.</p> <h2 id="the-challenge">The challenge</h2> <p>Keeping information safe on your devices is essentially the reason password managers were created in the first place. Your password vault is a much more secure alternative to spreadsheets and word-processing files floating around because your data is encrypted at rest (on your device).</p> <p>That means the information you store in 1Password is most secure when 1Password is locked. Attacks on your locked data – like guessing your account password or trying to find an unpatched cryptographic flaw – are <em>passive</em> attacks.</p> <p>But keeping 1Password locked at all times flies in the face of everything else our product is known for: convenience, security on the go, ease of use, adding efficiency to your workflows, and more. It’s also not realistic because as consumers, we typically choose products we can make <em>use</em> of, right?</p> <p>Well, using 1Password means the possibility of <em>active</em> attacks.</p> <p>Active attacks occur when malware targets 1Password as the app is running or being unlocked. An attacker can attempt to steal your credentials as you provide them; they can also steal secrets while the app is open and unlocked. Active attacks are the larger concern for our security and development teams. They’re also the hardest to guard against.</p> <p>And there’s no one-size-fits-all solution. 
Our approach, for example, is a bit contradictory.</p> <p>We face a challenge that’s incredibly common throughout our industry: Protections are largely specific to each platform, operating system, and environment because each has its own security boundaries.</p> <p>Given the varied conditions and guardrails, the protections we can build differ, and depend on the platform and type of threat we’re addressing. We have to exclude many local threats from our threat model for that reason, and often reject related <a href="https://bugcrowd.com/agilebits">bug bounty reports</a>. We implement platform-specific protections where we can but are often limited by the operating systems themselves.</p> <p>Yet we always do our best to protect your data from local attacks, and often accept reports of missing local protections we can add without negatively impacting performance, other security considerations, or the customer experience.</p> <h2 id="the-protections">The protections</h2> <p>When 1Password is locked, we make sure your vault contents are encrypted so they’re impenetrable, even to someone with root access to the device. We accomplish this with traditional 1Password accounts by storing the secret that’s required to decrypt the vault contents, your account password, in your mind — a location presumably inaccessible to attackers. 
Accounts protected by SSO and <a href="https://blog.1password.com/what-are-passkeys/">passkeys</a> rely on security features <a href="https://support.1password.com/sso-security/">built into</a> <a href="https://support.1password.com/passkey-security/">the device</a>.</p> <p>We also do everything possible to protect against <em>same-user privileged access</em> — a term for malware that runs on a computer with the same permissions you have, and lacks the ability to elevate its privileges.</p> <p>We can prevent such attacks from targeting an open and unlocked 1Password app to steal your information on devices running specific Linux distributions (Wayland), macOS, Android, and iOS. There are protections in place for Windows systems as well, but Windows apps are protected in such a way that an anti-malware solution is required to defend against processes that try to debug other applications.</p> <p>While we account for same-user threats, it’s important to acknowledge this kind of malware is always capable of phishing or otherwise misdirecting you to a fake version of 1Password. Let me reiterate that safe browsing and a <a href="https://blog.1password.com/apple-device-security-mac-admins-interview/">secure device</a> are always the first lines of defense.</p> <p>There’s one other category of security threats we take into account as we fortify 1Password: forensic analysis.</p> <p>Maybe the would-be attacker has physical access to your device or exploits a vulnerability. However it happens, there are plenty of tools available that allow someone to view your secrets if they get their hands on a copy of your drive (disk) or memory (RAM).</p> <p>To protect your secrets, we prevent your vault contents from ever hitting the disk unencrypted. 
And when you unlock 1Password the traditional way, the keys to decrypt your data are unavailable via forensics alone — the account password remains with you.</p> <p>When you use SSO or a passkey to unlock your 1Password account, your vault information is only accessible if forensic analysis can also gather the data needed to complete a successful SSO or passkey authentication, and that depends entirely on your SSO configuration and local <a href="https://support.1password.com/sso-security/#device-keys">storage</a> <a href="https://support.1password.com/passkey-security/#device-keys">protections</a>.</p> <p>We minimize exposure of your secrets in memory by attempting to clear the 1Password apps of sensitive data, and by minimizing the amount and types of data in memory while the apps are unlocked. It’s difficult to guarantee absolute clearance when we talk about things remaining in memory, but we aim to maintain the highest possible level of security hygiene.</p> <p>While these local protections cover a number of threats at the forefront of our threat model, there’s one local threat without any viable defense.</p> <h2 id="the-balance">The balance</h2> <p>1Password lacks the ability to protect against an attacker who’s gained full control over a device <em>with</em> administrative or root privileges. But there’s an important fact to acknowledge here: In this case, 1Password is far from unique.</p> <p><strong>There’s no password manager or other mainstream tool with the ability to guard your secrets on a fully compromised device.</strong></p> <p>It’s simply a limitation of the operating systems 1Password runs on: There’s no way to isolate an application to sufficiently limit the damage malware is capable of inflicting. An application can be an annoyance, but there’s no amount of annoying that will stop a determined attacker.</p> <p>At the end of the day, local threats present a number of issues we’re unable to reasonably address. 
And that’s the very reason we’re forced to exclude them from our threat model and reject many related bug reports. While we’re unable to defend against a full compromise, we use every option available to make it difficult for local threats to access your secrets.</p> <p>But there’s a critical balance we have to consider: protection and <em>usability</em>. Many mitigations that make the lives of local threats more difficult make your life more difficult, too.</p> <p>Runtime Application Self-Protection frameworks, for example, would allow us to make even root-level attackers suffer. But these third-party products often have serious performance, reliability, and privacy considerations. The implications are serious enough that we’ve decided not to use them.</p> <p>When security restrictions clash with convenience and we have to make choices, we’ll <em>always</em> choose to give your secrets the best fighting chance. And when that approach is layered with nearly impenetrable cryptography, same-user defenses, and the minimization of secrets in memory, we find ourselves with the deeply secure design of a thoughtfully secured password manager.</p> <p><em>Thank you to the following contributors:</em></p> <ul> <li><em>Tiemoko Ballo – Security Developer</em></li> <li><em>Rick van Galen – Tech Lead, Product Security</em></li> <li><em>Adam Caudill – Security Architect</em></li> </ul> <section class="footnotes" role="doc-endnotes"> <hr> <ol> <li id="fn:1" role="doc-endnote"> <p>To clarify, full control of the device is not limited to physical control; it means access with administrative or root privileges.&#160;<a href="#fnref:1" class="footnote-backref" role="doc-backlink">&#x21a9;&#xfe0e;</a></p> </li> </ol> </section></description></item><item><title>Who’s responsible for AI? 
Verity Harding on AI policy and ethics</title><link>https://blog.1password.com/ai-ethics-verity-harding-interview/</link><pubDate>Tue, 09 Apr 2024 00:00:00 +0000</pubDate><author>info@1password.com (Jenn Marshall)</author><guid>https://blog.1password.com/ai-ethics-verity-harding-interview/</guid><description> <img src='https://blog.1password.com/posts/2024/ai-ethics-verity-harding-interview/header.png' class='webfeedsFeaturedVisual' alt='Who’s responsible for AI? Verity Harding on AI policy and ethics' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Who’s responsible for regulating technological change in a democracy?</p> <p>Verity Harding, a globally recognized expert in AI technology and public policy, and one of <em>Time Magazine</em>&rsquo;s 100 most influential people in AI, thinks anyone – with any level of technological knowledge – can have a valid opinion about AI. After all, it may not be technological knowledge that helps us make the best decisions around how we want to use AI as a society.</p> <p>Harding, who is currently the director of the AI and geopolitics project at the <a href="https://www.bennettinstitute.cam.ac.uk/">Bennett Institute for Public Policy</a> and author of the book, <em><a href="https://press.princeton.edu/books/hardcover/9780691244877/ai-needs-you">AI Needs You, How We Can Change AI&rsquo;s Future and Save Our Own</a></em>, talked with Michael “Roo” Fey, Head of User Lifecycle &amp; Growth at 1Password on the <a href="https://randombutmemorable.simplecast.com/">Random but Memorable</a> podcast about technology policy and ethics.</p> <p>To learn more, read the interview highlights below or <a href="https://randombutmemorable.simplecast.com/episodes/change-future-banter-rating">listen to the full podcast episode</a>.</p> <div style="text-align: center !important;"> <iframe src="https://www.youtube-nocookie.com/embed/nAtVnjOd9MA?si=8l8-yd_eRmJhvt9I" frameborder="0" 
allow="autoplay; encrypted-media" width="500px !important;" height="281px !important;" style="width: 500px !important; height: 281px !important; display: inline-block !important" allowfullscreen></iframe> </div> <p><em>Editor’s note: This interview has been lightly edited for clarity and brevity. The views and opinions expressed by the interviewee don’t represent the opinions of 1Password.</em></p> <p><strong>Michael Fey: Tell me about the book.</strong></p> <p><strong>Verity Harding:</strong> I wanted to make sure I actually added something new to the AI debate, because obviously it can get a bit old and tired sometimes. People have given me lovely feedback that what I have in there is really new.</p> <p><strong>MF: Actually, before we dig too much into the book, can you give a little background on yourself and what led you to writing something like this?</strong></p> <p><strong>VH:</strong> It&rsquo;s an odd journey I had to AI. I studied history at university and the earliest part of my career was spent in politics. I was the political advisor to the then Deputy Prime Minister, Nick Clegg, who&rsquo;s now president at Meta.</p> <p>It was really my experiences in politics that ended up leading me to technology. I worked quite heavily on a piece of legislation in the UK that was national security related. It was about updating the powers of the security services in the UK for the digital age. 
Obviously, that&rsquo;s an extremely controversial and difficult subject, and it was very fraught in the UK with lots of different opinions on whether it was too much overreach from the government.</p> <p>What it made me realize was that there was this huge deficit in terms of knowledge about technology between the technologists and the political class who are responsible for regulating this technology for society.</p> <blockquote> <p><em>&ldquo;There was this huge deficit in knowledge about technology between the technologists and the political class.&rdquo;</em></p> </blockquote> <p>I felt that this gap was not good and that there needed to be more people who could speak both languages – the political language and the technological language. Because of course, technology is extremely political. I eventually ended up joining Google and I was head of security policy in Europe, the Middle East, and Africa (EMEA) and also head of UK and Ireland policy, which was a fantastic experience.</p> <p>Funnily enough, in the time between me leaving government and joining Google, the Edward Snowden revelations happened. That subject, which was already fraught, became even more fraught. We had to do a lot of work at Google, educating and explaining and helping politicians learn more about what digital privacy, security, human rights, and civil liberties on the internet really meant.</p> <p>While I was at Google, the company acquired <a href="https://deepmind.google/">DeepMind</a>, which is a British AI lab. I got to know the CEO and founder, Demis Hassabis, who&rsquo;s a really visionary and inspirational scientist himself. I learned more from him about AI.</p> <p>It was clear to me that all of the subjects that I cared most about when it came to technology policy were going to be made immeasurably better or worse by AI, depending on how we managed to navigate it. 
I wanted to be part of making sure that it went down the better route and not the worst route.</p> <blockquote> <p><em>&ldquo;It was clear to me that all of the subjects that I cared most about when it came to technology policy were going to be made immeasurably better or worse by AI.&rdquo;</em></p> </blockquote> <p>I moved to DeepMind and was one of the really early employees there. I co-founded all of DeepMind&rsquo;s policy and ethics and social science research teams, as well as things like the <a href="https://partnershiponai.org/">Partnership on AI</a>, which is an independent, multi-stakeholder organization of tech companies and different businesses and civil society groups and academics looking at the societal impact of AI.</p> <p>All of this led me eventually to writing this book because I felt that I&rsquo;d had this really privileged, up-close view and perspective on AI. I wanted to be able to share that more broadly. This book is really everything I&rsquo;ve learned from all of that experience.</p> <p><strong>MF: You’ve been part of the AI conversation for a long time. At what point did you start writing this book? Did the launch and popularity of ChatGPT change the trajectory of your book?</strong></p> <p><strong>VH:</strong> It’s true, I&rsquo;ve been involved in it for a really long time.</p> <p>What&rsquo;s so funny is that when I moved from Google to DeepMind to work on AI policy, I was thinking, well, this is going to be a much quieter life. Because at Google we were right in the thick of many news cycles – as I said, the Snowden revelations were causing a huge amount of press coverage.</p> <p>I also covered other issues at Google, like online radicalization and hate speech that were also getting a huge amount of attention. 
Going straight from politics into dealing with media stories and being involved in the constant 24/7 news – it&rsquo;s quite exhausting.</p> <p>Nobody was talking about AI at all, so I thought, well, this will be a lot quieter and I&rsquo;ll have time to do the deep thinking and not be firefighting every day.</p> <p>Demis offered me the job when he was in the car on the way to fly to South Korea. That&rsquo;s where <a href="https://deepmind.google/technologies/alphago/">AlphaGo</a> happened, which created a huge amount of interest and everything really blew up straight away, so I didn&rsquo;t ever get that quiet life.</p> <div style="text-align: center !important;"> <iframe src="https://www.youtube-nocookie.com/embed/WXuK6gekU1Y?si=tiNRYa05Bt9OxWQh" frameborder="0" allow="autoplay; encrypted-media" width="500px !important;" height="281px !important;" style="width: 500px !important; height: 281px !important; display: inline-block !important" allowfullscreen></iframe> </div> <p>When I started writing the book, I would say that the media coverage and attention around AI had started to dip a little. It was a surprise to all of us in AI that ChatGPT had the effect that it did. We all knew about these capabilities already, but something just connected and hit, and you never can quite tell when that will happen. It brought AI crashing into the limelight.</p> <blockquote> <p><em>&ldquo;ChatGPT brought AI crashing into the limelight.&rdquo;</em></p> </blockquote> <p>I had either finished or was very close to finishing the book when that happened. But because I already knew about generative AI, I had written about it quite a lot in the book already. It was something that I was concerned that politicians – and society more broadly – weren&rsquo;t grappling with.</p> <p>Before ChatGPT we had already been warning about the possibility for deep fakes to mess with our democracy and undermine truth. We hadn&rsquo;t seen much response to that, really. 
So, my book already covered all of those kinds of issues.</p> <p>I didn&rsquo;t have to change it much. I did decide to alter it a bit and include more on ChatGPT specifically, just because I think that made it easier to get my argument across. Before, I had to explain from scratch what generative AI is.</p> <p>It was very helpful that ChatGPT enabled me to have this shorthand that made me pretty sure that anybody who picked up the book would know straightaway what that was.</p> <p><strong>MF: What are the most pressing concerns or misconceptions people have around AI?</strong></p> <p><strong>VH:</strong> There&rsquo;s no right and wrong answer about what people should or shouldn&rsquo;t be concerned about when it comes to AI.</p> <p>That&rsquo;s what I say in the book: that everybody will have an opinion and everyone has a right to an opinion. Their opinion is no less or more valid based on the depth of their technological knowledge. And indeed, sometimes technological knowledge won&rsquo;t help make a decision about whether we&rsquo;re happy with AI being used in certain aspects of society or not.</p> <p>I think one common misconception is that, if I don&rsquo;t understand the deep technology and detailed technological side of AI, then I don&rsquo;t have a right to have an opinion. I think there&rsquo;s quite a lot of gate-keeping that happens in AI and it encourages people not to get involved.</p> <blockquote> <p><em>&ldquo;There&rsquo;s quite a lot of gate-keeping that happens in AI and it encourages people not to get involved.&rdquo;</em></p> </blockquote> <p>That’s partly why I wrote the book – to say, in a democracy, you do get to have a say and you can educate yourself to an extent, but you don&rsquo;t need to be the world&rsquo;s leading research scientist to be able to have that say.</p> <p>I also personally find the conversations around AI causing human extinction very unhelpful. 
I don&rsquo;t think that that&rsquo;s an appropriate way to think about this new technology. I think that it tends to obscure some of the more pressing concerns, and it tends to obscure some of the more exciting potential, too.</p> <p>We&rsquo;ve ended up in quite an odd position with AI. Back when I started at DeepMind, I was very keen that we would shift the conversation from AI as Terminator, AI as Skynet and towards AI as a tool. The things to be worried about should be more realistic; things like bias and accountability and security and safety. And I think probably the latest hype cycle has not contributed to calm common sense when we&rsquo;re talking about it.</p> <p><strong>MF: Is one of the driving factors around the release of this book trying to bring a more stable, measured approach to the conversation?</strong></p> <p><strong>VH:</strong> That wasn&rsquo;t the motivation. The motivation was really that I felt I had something to contribute, something new to say. The bulk of the book is these examples of transformative technologies of the past.</p> <p>I think coming from both a history training and a political background, I was very conscious that the tech industry is not known for its humility and likes to think everything it&rsquo;s doing is the first time anyone&rsquo;s ever done anything. But while AI is new, invention is not new, and progress is not new, innovation is not new. I really had this hunch that there would be things that we could learn to help guide us with the future of AI.</p> <p>I feel very strongly that it&rsquo;s an extremely important and exciting technology. I don&rsquo;t mean to diminish its importance by saying that I don&rsquo;t think that it will cause human extinction, but that&rsquo;s not to lessen the need to pay real attention to its power. I felt that we weren&rsquo;t looking enough to the past and what we could learn.</p> <p>I suppose the other motivation was, I really believe in democracy. 
It&rsquo;s not necessarily always the most fashionable thing, but I think policymaking is hard graft. It&rsquo;s difficult and it can be a slog and it can be boring, certainly not the sexiest thing to talk about, but it&rsquo;s really important.</p> <blockquote> <p><em>&ldquo;We&rsquo;ve managed great technological change before and I&rsquo;m really confident that we can do it again.&rdquo;</em></p> </blockquote> <p>Someone who read the book said to me just yesterday that they really got a sense from it that AI was important, but they also got a sense that humans were pretty great too. I liked that feedback because hopefully that does come across.</p> <p>I feel that AI is important and it&rsquo;s great, but we have done this before. We&rsquo;ve managed great technological change before and I&rsquo;m really confident that we can do it again.</p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Subscribe to Random but Memorable</h3> <p class="c-call-to-action-box__text"> Listen to the latest news, tips and advice to level up your security game, as well as guest interviews with leaders from the security community. 
</p> <a href="https://randombutmemorable.simplecast.com/" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Subscribe to our podcast </a> </div> </section></description></item><item><title>Understanding and securing shadow IT for HR, finance, and marketing</title><link>https://blog.1password.com/understanding-shadow-it-security-needs/</link><pubDate>Thu, 04 Apr 2024 00:00:00 +0000</pubDate><author>info@1password.com (Jenn Marshall)</author><guid>https://blog.1password.com/understanding-shadow-it-security-needs/</guid><description> <img src='https://blog.1password.com/posts/2024/understanding-shadow-it-security-needs/header.png' class='webfeedsFeaturedVisual' alt='Understanding and securing shadow IT for HR, finance, and marketing' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">This is the third in a <a href="https://blog.1password.com/what-is-shadow-it/">series of four posts about shadow IT</a>, including how and why teams use unapproved apps and devices, and approaches for securely managing it. For a complete overview of the topics discussed in this series, download <em><a href="https://1password.com/resources/managing-shadow-it/?utm_ref=blog">Managing the unmanageable: How shadow IT exists across every team – and how to wrangle it</a></em>.</p> <p>Until recently, companies have been able to exert pretty comprehensive control over security and how people work – in an office, at a desk, with a desktop computer, and using company-provided software and servers.</p> <p>But the days of protecting clearly defined perimeters from the threat of cyber attacks with strong network security and unforgiving firewalls are, for most companies, gone.</p> <p>Today, thanks to <a href="https://blog.1password.com/securing-your-hybrid-workforce/">hybrid work</a>, the situation can be very different. 
Many companies have limited insight into where or how their employees are working. In the park? On a mobile device? Laptop? Using any number of apps and tools? Cybercriminals are taking advantage of the confusion.</p> <p>This reduced control makes it imperative for information technology (IT) and IT security teams to understand where and why employees are using shadow IT, so they can find ways to protect employees from security threats no matter how or where they work.</p> <h2 id="tracking-employees-shadow-it-desire-paths">Tracking employees’ shadow IT desire paths</h2> <p>Employees typically use shadow IT to be more productive. A great analogy for shadow IT is something called the “desire path” – a term landscape architects use to describe the shortcut footpaths pedestrians carve into public spaces that get them from point A to point B faster than “official” or paved walkways. (You’ve seen them. They’re the dirt paths that cut the corner on the way to the train station or shorten the walk from the parking lot to the playground, through the flower bed.)</p> <p>Security solutions should secure that desire path. This means understanding departments’ responsibilities and workflows, and where employees may be using shadow IT to help them in their jobs. Don’t expect the paths to look the same, department to department. Shadow IT shows up differently across teams because it’s used to support distinct business operations, roles, and responsibilities.</p> <p>IT and cybersecurity teams need to operate a bit like detectives to discover employees’ desire paths. You might be surprised to find shadow IT desire paths crisscrossing every department in your company.</p> <p>Trying to stop the use of shadow IT and forcing employees to stick to the “official path” of company-approved tools isn’t a particularly effective strategy. 
The most realistic and effective shadow IT security strategy is to secure the desire path for each individual employee, so they can use shadow IT securely.</p> <p>In other words, to protect against the risk of security breaches, embrace shadow IT – and secure it.</p> <h2 id="shadow-it-on-the-finance-team">Shadow IT on the finance team</h2> <p>The finance team is typically high on the security team’s list because they literally have the keys to the bank. The finance team handles critical financial data such as the company’s banking credentials, and sensitive information like audit reports and financial reporting.</p> <p>Sometimes finance employees need to share sensitive documents with external partners like investors, board members, or auditors. And if they do that through insecure channels like email or SMS, it could open the door to unauthorized access.</p> <p>Typical finance team workflows and responsibilities include:</p> <ul> <li>Leading financial planning and management, forecasting, and risk management and mitigation</li> <li>Optimizing budgets</li> <li>Identifying cost-saving opportunities across the company</li> <li>Working with the audit committee</li> <li>Sharing financial reporting</li> <li>Ensuring adherence to compliance standards</li> </ul> <p>With these finance team workflows in mind, where might shadow IT be lurking? Some typical information security vulnerabilities to investigate include:</p> <ul> <li>Services used often that aren’t supported by SSO, such as bank accounts</li> <li>Unencrypted emails or messaging applications used to share data with internal and external teams</li> </ul> <h2 id="shadow-it-on-the-hr-team">Shadow IT on the HR team</h2> <p>The human resources (HR) team handles confidential employee information every day in its efforts to hire, develop, and retain talent for the company. HR also ensures the company is compliant with benefits administration and labor laws. 
In addition, they focus on creating and implementing employee management strategies, managing training and development programs, and fostering a positive workplace culture.</p> <p>Typical HR team workflows and responsibilities include:</p> <ul> <li>Sharing sensitive information about employees with internal and external teams</li> <li>Managing the employee lifecycle, including a critical role in onboarding and offboarding</li> <li>Using and sharing credentials for recruiting/hiring platforms and employee background check services</li> </ul> <p>Based on these workflows, here are some areas where you may find vulnerabilities due to shadow IT lurking in HR:</p> <ul> <li>Storage of sensitive employee data, including personally identifiable information (PII)</li> <li>Recruiting/hiring platforms or apps</li> <li>Employee benefit vendor platforms</li> <li>Unencrypted emails sharing confidential data with external vendors or consultants</li> </ul> <h2 id="shadow-it-on-the-marketing-team">Shadow IT on the marketing team</h2> <p>The marketing team handles more sensitive data and information than you might expect. This might include campaign spending and reporting data, as well as customer information.</p> <p>They are also on the front lines of social media and may be using multiple platforms or apps for customer support or top-of-funnel customer acquisition. 
As the guardians of your company’s brand reputation, it’s critical that marketing’s accounts aren’t compromised.</p> <p>Typical marketing team workflows and responsibilities include:</p> <ul> <li>Working with cross-functional teams to generate leads</li> <li>Reporting campaign details, such as budget and ROI</li> <li>Working with external agencies or freelancers, with whom they often need to share credentials</li> <li>Generating and posting marketing and thought-leadership content</li> </ul> <p>Knowing marketing’s responsibilities, it can be useful to check the following for information security risks and shadow IT use:</p> <ul> <li>Services used often that aren’t supported by SSO or don’t support multiple accounts or logins, such as social media platforms</li> <li>Unencrypted emails or messaging apps used to share data or credentials across internal and external teams</li> <li>Apps for customer relationship management, project management, email marketing, and website analytics, many of which may not be covered by SSO</li> </ul> <h2 id="securing-shadow-it-vulnerabilities-at-the-employee-level">Securing shadow IT vulnerabilities at the employee level</h2> <p>Once you’ve identified the shadow IT desire paths for each team, then what? In terms of security measures and tools, the priorities for security professionals are to secure credential sharing and to standardize and secure access to apps and tools.</p> <p>You can secure authentication, password management, and credential sharing using an <a href="https://1password.com/enterprise">enterprise password manager</a> (EPM), which provides teams with a centralized solution to use, access, and share sensitive company data. 
It’s important that the EPM provides role-based access controls, so that each person can reach only the vaults and items their role requires. That enforces your company’s cybersecurity policies and limits the blast radius of data breaches, cyberattacks like ransomware, and social engineering attacks like phishing.</p> <p>EPMs can help you make the easy way to work the secure way to work. For example, EPMs can <a href="https://support.1password.com/one-time-passwords/">autofill time-based one-time passwords</a> (TOTP) in addition to standard passwords. That enables security teams to require multi-factor authentication for providers that offer it, while at the same time streamlining the sign-in flow rather than adding friction to it.</p> <p>To learn more about shadow IT and how to secure it to reduce the risk of security incidents, stay tuned. Now that we’ve covered what to look for in teams like HR, finance, and marketing, next we’ll discuss the unique needs of developers.</p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Managing the Unmanageable</h3> <p class="c-call-to-action-box__text"> Learn why teams like finance, marketing, and HR use shadow IT, the security vulnerabilities that can follow, and how to manage it all. 
</p> <a href="https://1password.com/resources/managing-shadow-it/?utm_ref=blog" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Download now </a> </div> </section></description></item><item><title>1Password cybersecurity report: Balancing information security and productivity in the age of AI</title><link>https://blog.1password.com/productivity-ai-cybersecurity-report/</link><pubDate>Wed, 03 Apr 2024 00:00:00 +0000</pubDate><author>info@1password.com (Rob Boone)</author><guid>https://blog.1password.com/productivity-ai-cybersecurity-report/</guid><description> <img src='https://blog.1password.com/posts/2024/productivity-ai-cybersecurity-report/header.png' class='webfeedsFeaturedVisual' alt='1Password cybersecurity report: Balancing information security and productivity in the age of AI' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">What&rsquo;s good for business is often bad for security. That&rsquo;s the inescapable conclusion of the <a href="https://1password.com/state-of-enterprise-security-report?utm_medium=social&amp;utm_source=blog&amp;utm_campaign=annual-report-2024">1Password State of Enterprise Security Report this year</a>.</p> <p>Here&rsquo;s the backdrop, and it should be familiar by now: Work has, slowly and then all of a sudden, expanded. 
No longer confined to the office ecosystem, work happens in coffee shops and at home and at the airport, on company-provided laptops and the shared computer in the living room, on the family iPad and the phones in our pockets.</p> <p>All that work leaves a residue of (often sensitive) data as it flows through managed apps like the company productivity suite and unsanctioned apps like the file-sharing service that a handful of people use, unbeknownst to IT.</p> <p>With the explosion in the number of apps used for work, it&rsquo;s a good time for employee productivity, and artificial intelligence (AI) has entered the picture to boost output even further. But IT and security teams are struggling to keep up, especially when they&rsquo;re constrained by limited resources.</p> <p>In the 1Password report, <em><a href="https://1password.com/state-of-enterprise-security-report?utm_medium=social&amp;utm_source=blog&amp;utm_campaign=annual-report-2024">Balancing act: Security and productivity in the age of AI</a></em>, we surveyed 1,500 white-collar employees in North America, including 500 security professionals. What emerged from our findings is a tension between productivity and security that has taken on a new urgency.</p> <p>Let&rsquo;s start with the growing pressure on employees to be productive.</p> <h2 id="risk-management-suffers-in-the-race-for-peak-productivity">Risk management suffers in the race for peak productivity</h2> <img src="https://blog.1password.com/posts/2024/productivity-ai-cybersecurity-report/shadow_it_by_industry.png" alt="Shadow IT use across tech, healthcare, finance, and education" title="Shadow IT use across tech, healthcare, finance, and education" class="c-featured-image"/> <p>More than a third of workers (34%) use unapproved apps or tools to get things done. This is shadow IT, and its use won&rsquo;t come as a surprise to security professionals.</p> <p>But the scale of the problem might. 
Of that 34% who use shadow IT, each employee uses an average of five unapproved apps or tools. In a company of just 300 employees, that&rsquo;s more than 500 potential new threat vectors.</p> <p>The problem is most pronounced in the tech industry, with nearly half of employees saying they use shadow IT, compared to 40% of employees in finance, 27% in healthcare, and 19% in education.</p> <p>Security teams are trying to keep up. 92% of security pros say their company requires IT to approve software that&rsquo;s used for work. But 59% say they have no control over whether employees follow those information security policies.</p> <p>That visibility is more achievable if employees use only work-provided devices, which 84% of companies say they require of their employees.</p> <p>But 17% of employees say they never work on a company-provided device, using only personal or public computers for work instead.</p> <h2 id="security-teams-struggle-to-adapt-to-a-new-threat-landscape">Security teams struggle to adapt to a new threat landscape</h2> <p>More than two-thirds (69%) of security pros say they&rsquo;re at least partly reactive in terms of security risk mitigation. That&rsquo;s because they&rsquo;re either pulled in too many directions (61%), don&rsquo;t have the necessary budget (24%), or are understaffed (21%), among other reasons.</p> <p>As a result, security teams are worried. When asked what keeps them up at night, 79% of security pros listed inadequate security protections. Among their top concerns: external threats like phishing or ransomware (36%), internal threats like shadow IT (36%), and human error (35%).</p> <blockquote> <p>Phishing scams, ransomware attacks, and a patchwork system give our security team heartburn. They&rsquo;re the tireless ninjas keeping the bad guys out, so next time you see them, offer a coffee (or a medal). 
We&rsquo;re in this digital battle together. – IT Security VP, tech hardware company</p> </blockquote> <h2 id="focus-on-productivity-opens-the-door-to-cybersecurity-threats">Focus on productivity opens the door to cybersecurity threats</h2> <img src="https://blog.1password.com/posts/2024/productivity-ai-cybersecurity-report/ai_security_concerns.png" alt="92% of security professionals have security concerns about AI" title="92% of security professionals have security concerns about AI" class="c-featured-image"/> <p>Understandably, productivity is top of mind for employees. Unsurprisingly, in the pursuit of productivity, security suffers. 54% admit to being lax about their company&rsquo;s data security policies, with 24% of those saying they&rsquo;re just trying to get things done quickly.</p> <p>Despite the well-known vulnerabilities associated with weak or reused passwords, 61% of employees (64% of managers and 53% of non-managers) confess to poor password habits, which increase the risk of data breaches. And half of employees say they slipped up on security in the past year, for example by clicking a link in a suspicious email or sharing work credentials with people outside the company, making companies more vulnerable to a cyberattack.</p> <p>This is a scenario seemingly tailor-made for AI to deepen the tension between security and productivity. 
57% of employees say using generative AI applications makes them more productive.</p> <p>But a full 92% of security pros have security concerns about AI, citing employees entering sensitive data into the tools, using AI systems that were trained with bad data, or falling for cybercriminals’ increasingly sophisticated phishing attempts powered by AI.</p> <h2 id="download-the-1password-state-of-enterprise-security-report-2024">Download the 1Password State of Enterprise Security Report 2024</h2> <p>The delicate balance between productivity and security isn&rsquo;t new, but the conditions leading to a potential breaking point are. While security teams are struggling to reduce the risk of cybersecurity incidents as workplace habits shift, employees are likewise singularly focused on the pursuit of productivity. Old concerns like the security of authentication methods haven’t gone anywhere, while new concerns only complicate matters.</p> <p>We’ve only scratched the surface of this year’s report. Download <a href="https://1password.com/state-of-enterprise-security-report?utm_medium=social&amp;utm_source=blog&amp;utm_campaign=annual-report-2024">1Password&rsquo;s State of Enterprise Security Report</a> for the full breakdown.</p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Balancing act: Security and productivity in the age of AI</h3> <p class="c-call-to-action-box__text"> Productivity and security are often in tension. Learn how today’s shifting landscape of hybrid work and AI has affected that tension, and how security professionals and workers are coping. 
</p> <a href="https://1password.com/state-of-enterprise-security-report?utm_medium=social&amp;utm_source=blog&amp;utm_campaign=annual-report-2024" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Download now </a> </div> </section></description></item><item><title>Employee productivity and worker burnout, and how they impact shadow IT</title><link>https://blog.1password.com/shadow-it-employee-productivity/</link><pubDate>Thu, 28 Mar 2024 00:00:00 +0000</pubDate><author>info@1password.com (Jenn Marshall)</author><guid>https://blog.1password.com/shadow-it-employee-productivity/</guid><description> <img src='https://blog.1password.com/posts/2024/shadow-it-employee-productivity/header.png' class='webfeedsFeaturedVisual' alt='Employee productivity and worker burnout, and how they impact shadow IT' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">This is the second in a series of four posts about shadow IT, including how and why teams use unapproved apps and devices, and approaches for securely managing it. For a complete overview of the topics discussed in this series, download <em><a href="https://1password.com/resources/managing-shadow-it/?utm_ref=blog">Managing the unmanageable: How shadow IT exists across every team – and how to wrangle it</a></em>.</p> <p>High productivity levels are generally a good thing. For most organizations, the answer to the question, “Is it important for your employees to be productive?” is a resounding “Yes!” However, when employees ask to use a tool or app to boost productivity, companies may want to say “yes”, but often find themselves saying “no”.</p> <p>What gives? Security concerns. And they’re legit. Companies are in the midst of experiencing a brave new world called hybrid work. 
Gone are the days of on-premises servers, software, and devices (and employees) that were relatively straightforward to manage and secure.</p> <p>Now knowledge workers can get things done in coffee shops and their own living rooms. Companies turn to cloud services to support flexible working with “access from anywhere” apps and online collaboration tools, collectively known as software-as-a-service (SaaS).</p> <p>Employees have become much more likely to select these cloud services and apps (not all company-approved) to get their work done. While hybrid and remote work were slowly becoming common before, the pandemic accelerated the shift, and here we are.</p> <p>So the million-dollar question is: If employees want to use their preferred apps and tools to be more productive, how can companies leverage this employee productivity while still protecting themselves from cybersecurity risks?</p> <p>And what does worker burnout (the opposite of employee productivity) have to do with the IT department’s security strategy for shadow IT?</p> <h2 id="quick-review-what-is-shadow-it">Quick review: What is shadow IT?</h2> <p>The first post in this series, <a href="https://blog.1password.com/what-is-shadow-it">What is shadow IT and how do I manage it?</a>, explains what shadow IT is and what it may look like across different company departments.</p> <p>To recap, here’s a quick definition: Shadow IT refers to the apps and devices that aren’t licensed and managed by a company.</p> <p>These aren’t obscure apps used for nefarious purposes. Examples of shadow IT can be anything from Google Docs to social media. 
The issue is that employees may enter company information or client data in them and, if they log in with a weak or reused password, it can cause vulnerabilities that may result in a data breach.</p> <h2 id="a-changing-work-environment-securing-the-new-perimeter">A changing work environment: Securing the new perimeter</h2> <p>This new hybrid, cloud-based work environment and employee experience requires a shift in companies’ security strategy. There are no walls. Instead, security and IT teams are managing a nebulous perimeter that’s constantly shifting and often spans the globe. In <a href="https://1password.com/resources/access-management-ebook/?utm_ref=blog">The new perimeter: access management in a hybrid world</a>, we highlight four key considerations for securing the new perimeter of a hybrid workforce:</p> <ol> <li><a href="https://blog.1password.com/identity-security-in-hybrid-work-environments/">To address shadow IT, start with identity</a>. <a href="https://www.verizon.com/business/resources/reports/dbir/">70% of data breaches involved an identity element</a> in 2023. Identity issues, which include stolen passwords, are expected to be even worse in 2024, <a href="https://www.forrester.com/blogs/predictions-2024-security-and-risk/">increasing to as much as 90%</a>, according to Forrester.</li> <li><a href="https://blog.1password.com/find-and-secure-shadow-it">Secure access to managed and unmanaged apps</a>. Any number of employees are using multiple devices to access all sorts of apps and websites during their workday. An <a href="https://1password.com/enterprise">enterprise password manager</a> (EPM) ensures that employees use strong passwords no matter what they access and on what device. 
Companies can set their own minimum security requirements, and the EPM will ensure that every sign-in, on every device, meets those requirements.</li> <li><a href="https://blog.1password.com/improve-productivity-minimize-cost-distributed-teams/">Minimize security stack costs</a>. Single sign-on (SSO) tools are great for managing access to the software and tools IT knows about, but aren’t enough to corral shadow IT. And the costs of putting more apps behind SSO can add up. It takes time for implementation and custom configuration, plus there’s typically an additional charge to place most apps behind SSO (the “SSO tax”).</li> <li><a href="https://blog.1password.com/improve-productivity-minimize-cost-distributed-teams">Debunk the false tradeoff of workforce productivity versus security</a>. Employee productivity versus security doesn’t have to be an either-or choice. In fact, it can’t be, because it’s a futile exercise to try to stop shadow IT at your organization. It’s everywhere: In one study, <a href="https://hbr.org/2022/01/research-why-employees-violate-cybersecurity-policies">85% of employees said they knowingly broke cybersecurity rules</a> to accomplish a task. Instead, the challenge is to find ways to secure each individual employee’s preferred ways of working.</li> </ol> <h2 id="full-spectrum-shadow-it-challenges-employee-productivity-to-worker-burnout">Full-spectrum shadow IT challenges: Employee productivity to worker burnout</h2> <p>Productive employees. Burned-out employees. At the opposite ends of the spectrum, yet both contribute to the risks of shadow IT at companies everywhere.</p> <p>At one end, employees are using shadow IT to help them increase productivity levels or do their jobs better. A Gartner survey shows that we’re using twice the number of apps we did in 2019, and usage continues to grow.</p> <p>At the other end of the spectrum are employees who are being stretched too thin. And it’s not a few outliers. 
A <a href="https://1passwordstatic.com/files/resources/2021-state-of-secure-access-report.pdf">1Password report on burnout</a> revealed that 80% of office workers feel burned out, and one in three workers say burnout is affecting their initiative and motivation levels.</p> <p>It&rsquo;s worth noting that this research was conducted during the height of the pandemic, when we&rsquo;d expect burnout levels to be particularly high – but it’s also worth noting that we haven’t solved burnout since then.</p> <p>In addition to the obvious physical and mental health effects, worker burnout can present a severe, pervasive, and multifaceted cybersecurity risk. This is because employees who are feeling burned out can be more lax about following security protocols. They are also more likely to use shadow IT. Here are some additional eye-opening findings from the 1Password report:</p> <ul> <li>Nearly three times as many burned-out employees as non-burned-out employees maintain that security policies “aren&rsquo;t worth the hassle” (20% vs. 7%), regardless of incentives.</li> <li>A 21-point gap separates those who are burned out (59% of whom say they follow their companies' security rules) from those who are not (80% of whom say they follow the rules).</li> <li>60% more burned-out employees than non-burned-out employees are creating, downloading, or using shadow IT (48% vs. 30%).</li> <li>59% of burned-out employees have poor practices when setting up work passwords, compared to 43% of non-burned-out employees.</li> </ul> <p>Why is this so concerning? In addition to the important concerns about human health and employee well-being, burnout and the resulting low levels of employee engagement negatively affect adherence to security protocols.</p> <p>Bottom line? Nobody wins when an employee is burned out. 
When workers are so tuned out that they’re less likely to follow security rules, and more likely to use weak passwords or fall for phishing scams, it increases cybersecurity risks.</p> <h2 id="cybersecurity-team-burnout-risk">Cybersecurity team burnout risk</h2> <p>Adding complexity to the challenges of securing the new perimeter, it turns out (surprise!) that IT/security professionals aren’t superhuman. The 1Password report shows that they’re experiencing burnout in even greater numbers than the general employee population (84% vs. 80%).</p> <p>While 89% of security professionals say they favor security over convenience, they also admit that they take shortcuts. For example, they use shadow IT (29%) or work around company policies to solve their own IT problems themselves (37%) or because they don’t like the company-approved software (15%).</p> <p>Even more worrying, security professionals are twice as likely as other workers to say that due to burnout, they’re “completely checked out” and “doing the bare minimum at work” (10% vs. 5%).</p> <p>That’s not good news, especially if a company has a reactive approach to managing shadow IT that depends on the vigilance of team members and their ability to quickly respond to problems.</p> <h2 id="take-a-proactive-approach-to-managing-shadow-it">Take a proactive approach to managing shadow IT</h2> <p>As security professionals know, prevention is more effective than reacting after the fact. Taking a proactive approach to managing shadow IT – securely enabling it – is the only viable path forward.</p> <p>It starts with understanding employee productivity, workflows, and potential security vulnerabilities in every department. 
A next step is working to secure the “path of least resistance” for all employees at the individual level so they can use the apps and tools they need to boost productivity.</p> <p>The good news is, by securing credential sharing and standardizing how access to tools happens, you also protect your organization against lax security practices and behaviors.</p> <p>Next, we’ll explore how to identify shadow IT, what it may be used for (such as project management, social media, productivity tools, and file sharing), and common vulnerabilities for different departments, including Finance, HR, Engineering, and Marketing.</p> <p>To learn more, follow this series on the 1Password blog exploring shadow IT over the next few weeks or download the ebook: <em><a href="https://1password.com/resources/managing-shadow-it/?utm_ref=blog">Managing the unmanageable: How shadow IT exists across every team – and how to wrangle it</a></em>.</p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Managing the Unmanageable</h3> <p class="c-call-to-action-box__text"> Learn why teams like Finance, Marketing, and HR use shadow IT, the security vulnerabilities that can follow, and how to manage it all. 
</p> <a href="https://1password.com/resources/managing-shadow-it/?utm_ref=blog" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Download now </a> </div> </section></description></item><item><title>Meet Jess Plowman and Tiphanie Futu, members of 1Password’s Go-to-Market team</title><link>https://blog.1password.com/meet-jess-plowman-tiphanie-futu/</link><pubDate>Mon, 25 Mar 2024 00:00:00 +0000</pubDate><author>info@1password.com (1Password)</author><guid>https://blog.1password.com/meet-jess-plowman-tiphanie-futu/</guid><description> <img src='https://blog.1password.com/posts/2024/meet-jess-plowman-tiphanie-futu/header.png' class='webfeedsFeaturedVisual' alt='Meet Jess Plowman and Tiphanie Futu, members of 1Password’s Go-to-Market team' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">1Password&rsquo;s Go-to-Market (GTM) team is critical to achieving our mission of helping businesses, families, and individuals protect their passwords and other private information.</p> <p>GTM helps our company understand the real-life problems that businesses are facing and how 1Password is best equipped to solve them. It&rsquo;s a fast-growing team and we&rsquo;re delighted that women like Jess Plowman, Senior Sales Development Representative, and Tiphanie Futu, Sales Enablement Manager, are playing such an integral role in its success.</p> <p>Curious what it&rsquo;s like to work in the GTM team at 1Password? 
Read on to learn about Jess and Tiphanie&rsquo;s professional journeys, as well as their current roles and day-to-day responsibilities.</p> <h2 id="jess-plowman-senior-sales-development-representative">Jess Plowman, Senior Sales Development Representative</h2> <p><strong>Why did you join 1Password, and how did you end up here?</strong></p> <p>Back in 2022, I was made redundant from my previous role working as a sales development representative (SDR). I shared my experience on LinkedIn and 1Password reached out to see if I would be interested in applying.</p> <p>After doing my research, learning about the company’s values and meeting the team, I decided it would be the perfect next step to develop my career. And I’ve never looked back.</p> <p><strong>What do you enjoy most about your role?</strong></p> <p>The highlights of my role involve speaking to a diverse range of people on a daily basis, learning about their needs for a password manager and how best I can assist them.</p> <p>1Password’s culture focuses on development and progression, so I love helping with the onboarding process and watching my colleagues progress in the company and grow their skills. This focus on development and progression also helps me in my personal growth!</p> <p><strong>If you were interviewing for a role on your team at 1Password, what are your best words of advice?</strong></p> <p>First of all, I would 100% recommend it! We’re a friendly and welcoming team! The SDR role is a great way to get started in the cybersecurity industry, learn about sales and develop an in-depth knowledge of the product.</p> <p>Remember to be yourself, be open to learning and ask lots of questions. 
The role is remote but you’ll never feel alone!</p> <p><strong>How would you describe your team in three words?</strong></p> <p>Supportive, hard-working and <em>fun</em>!</p> <h2 id="tiphanie-futu-sales-enablement-manager">Tiphanie Futu, Sales Enablement Manager</h2> <p><strong>Why did you join 1Password, and how did you end up here?</strong></p> <p>In 2022, I was impacted by a round of layoffs like many other people who work in tech. At that time, the company I had been working for helped us and shared our profiles on LinkedIn.</p> <p>The Director of Business Development at 1Password then reached out to me to see if I’d be interested in joining her team. The business development representative (BDR) team at 1Password was just forming and I loved the idea of participating in its conception.</p> <p><strong>What’s your current role, and what are your day-to-day responsibilities?</strong></p> <p>I currently work as a Sales Enablement Manager for the BDRs, SDRs and BDR growth. My role is to provide those teams with the tools, resources, training, and processes they need to effectively do their job.</p> <p>My day-to-day responsibilities include onboarding new reps, creating and sharing content for the team to leverage, and meeting with sales leaders to identify underlying issues or challenges, and craft effective solutions to address them.</p> <p><strong>You’ve transitioned roles at 1Password. What was that journey like?</strong></p> <p>Transitioning roles at 1Password was a rewarding journey marked by support and encouragement from my colleagues and leadership team. I had been with the company for over a year and was eager to explore new opportunities for professional growth.</p> <p>When I noticed an opening on the enablement team, I started a conversation with my manager, Brandon, who was incredibly supportive from the outset. The leadership team&rsquo;s support throughout the application process was truly encouraging. 
Their guidance and mentorship helped me navigate the transition smoothly.</p> <p><strong>What do you enjoy most about your role?</strong></p> <p>I enjoy the opportunity to collaborate with various teams and gain insights into their unique perspectives. Working in this way allows me to understand their specific challenges and needs, enabling me to tailor my support to suit their needs better. This collaborative approach not only fosters stronger relationships across the organization but also allows me to continuously learn and grow professionally.</p> <p><strong>Who was an influential woman that made an impact on your career to date?</strong></p> <p>So many women have had an impact on my career. My cousin, Endji, who is about to become a doctor, and my little sister who created her own business, are the best examples of resilience and perseverance. My last manager, Diana, who is always sharing career guidance and advice, and all my friends who constantly encourage me in everything that I do.</p> <p><em>Editor&rsquo;s note: These interviews have been lightly edited for clarity and brevity.</em></p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Want to work for 1Password?</h3> <p class="c-call-to-action-box__text"> Browse our current job openings to see if there’s an opportunity that matches your career goals. 
</p> <a href="https://1password.com/jobs/?utm_ref=blog" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> View our open positions </a> </div> </section></description></item><item><title>What is shadow IT and how do I manage it?</title><link>https://blog.1password.com/what-is-shadow-it/</link><pubDate>Thu, 21 Mar 2024 00:00:00 +0000</pubDate><author>info@1password.com (Jenn Marshall)</author><guid>https://blog.1password.com/what-is-shadow-it/</guid><description> <img src='https://blog.1password.com/posts/2024/what-is-shadow-it/header.png' class='webfeedsFeaturedVisual' alt='What is shadow IT and how do I manage it?' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">This is the first in a series of four posts about shadow IT, including how and why teams use unapproved apps and devices, and approaches for securely managing it.</p> <p>Whether or not you’re familiar with shadow IT, know this: it’s everywhere. Fighting it is like playing a game of whac-a-mole: Try to eliminate it and it will pop up again elsewhere.</p> <p>So what’s IT and Security to do? A more realistic approach is to enable and secure it, so you can leverage the benefits of shadow IT without the security vulnerabilities it brings with it. 
Read on to find out how.</p> <p>For a complete overview of the topics discussed in this series, download <em><a href="https://1password.com/resources/managing-shadow-it/?utm_ref=blog">Managing the unmanageable: How shadow IT exists across every team – and how to wrangle it</a></em>.</p> <p>In this series, we’ll cover:</p> <ul> <li>Why shadow IT is a thing</li> <li>Worker burnout and its impact on shadow IT</li> <li>Common security vulnerabilities in HR, finance, marketing, and developer workflows</li> <li>How IT teams can adapt</li> <li>Understanding developers’ unique secrets management needs</li> </ul> <h2 id="what-is-shadow-it">What is shadow IT?</h2> <p>Traditionally, employees used the software applications provided and licensed by their company to do their work. IT and security teams were effective gatekeepers, securing and managing access with identity and access management (IAM) tools like single sign-on (SSO).</p> <p>Today, there’s an app for… everything. Grammar checking apps. Language translation apps. And a whole new, emerging category of AI apps. The choices are many and they are compelling. In fact, in 2021, 1Password research revealed that <a href="https://blog.1password.com/challenges-of-shadow-it/">more than 60% of respondents said they had created at least one account their IT department didn’t know about</a>.</p> <p>That’s shadow IT: any technology (usually a personal device or a cloud service) employees are using without the Security or IT department managing it – and sometimes not even knowing about it. You may think there’s not much shadow IT at your organization, but the reality is that it’s there, and you’ll find it across any number of teams. If Microsoft Word isn’t managed by IT, it’s shadow IT. 
Same if workers are using Google Docs for collaboration, or Dropbox for file sharing, or any other cloud service.</p> <p>While employees adopting “unofficial” websites or apps may seem like no big deal to some, IT and security teams know that entering company information or client data on these websites and apps can cause vulnerabilities that may result in a data breach.</p> <h2 id="benefits-of-shadow-it">Benefits of shadow IT</h2> <p>Why do employees use shadow IT? Why are they making security and IT’s job more difficult? First, most employees probably don’t realize the impact their actions have on security and IT.</p> <p>Second, there are benefits to shadow IT. Use of shadow IT is not malicious. It’s about productivity, innovation, meeting deadlines, and doing good work. When the work pressure is high, employees look for tools to help. When someone’s on a tight deadline, security risk is often the last thing on their mind – especially if they’re feeling stressed or burned out (we’ll touch more on the security challenges of worker burnout in the next post).</p> <p>So people will simply turn to the tools that help them get the job done.</p> <h2 id="examples-of-shadow-it">Examples of shadow IT</h2> <p>What does shadow IT look like in the wild? There are countless examples of shadow IT, and use varies by team and role.</p> <p>For instance, finance teams need to quickly share data with external partners like auditors, board members, or investors. HR teams commonly use external platforms for recruiting and hiring. 
And the marketing department wants apps to streamline tasks like customer relationship management (CRM), project management, and collaboration with external partners.</p> <p>If there are no apps in the suite of company-managed tools with the functionality they’re looking for, workers will solve those inefficiencies themselves with shadow IT.</p> <h2 id="a-growing-problem-shadow-it-security-risks">A growing problem: shadow IT security risks</h2> <p>Survey says: <a href="https://www.statista.com/statistics/1342529/global-deployment-level-single-sign-on-system-by-region/">Nearly three-quarters of North American companies have deployed single sign-on</a> (SSO) tools. But despite that adoption, 30% of applications used by employees are not managed by the company.</p> <p>Why? In addition to the plethora of apps at their disposal, <a href="https://blog.1password.com/securing-your-hybrid-workforce/">hybrid work environments</a> enable employees to split time between home and office. Some remote-first companies no longer even have office space, making bring-your-own-device (BYOD) even more common.</p> <p>And when working from home, employees may be more relaxed about security risks, opting for the convenience of personal devices such as laptops or smartphones when accessing work emails and documents. 
One survey shows that <a href="https://www.techradar.com/news/over-half-of-employees-using-own-devices-and-software-to-work-from-home">55% of employees say they use personally owned smartphones or laptops</a> for their work at least some of the time.</p> <p>Just like they find apps for personal use, many employees do the same when it comes to work – creating accounts for apps without going through IT, either because they aren’t thinking about security measures, or because they just want to get something done.</p> <p>The uptick in app usage is huge: a Gartner survey shows that <a href="https://www.gartner.com/en/newsroom/press-releases/2023-05-10-gartner-survey-reveals-47-percent-of-digital-workers-struggle-to-find-the-information-needed-to-effectively-perform-their-jobs#:~:text=According%20to%20the%20survey%2C%20the,or%20more%20applications%20at%20work.">the average employee uses 2x more SaaS applications today</a> than they did in 2019.</p> <h2 id="why-sso-isnt-enough-to-mitigate-risks-of-shadow-it">Why SSO isn’t enough to mitigate risks of shadow IT</h2> <p>While single sign-on (SSO) tools are an important first step for securing access to enterprise tools, they fall short when it comes to managing shadow IT.</p> <p>SSO can only secure access to apps the company or IT department knows about. Shadow IT, by definition, is a blind spot. This leaves critical gaps in a company’s identity and access management strategy. Those gaps are shadow IT.</p> <p>There’s also a cost factor: it can be expensive for tools to be integrated and managed by an SSO vendor, with some software-as-a-service (SaaS) apps charging extra to be put behind SSO – a cost known as the SSO tax.</p> <p>If SSO tools aren’t sufficient for managing security risks of shadow IT, what should companies do? Fight it? Try to stop shadow IT use? That’s unrealistic and unsustainable. 
The only viable path forward is to embrace it.</p> <h2 id="a-new-approach-embracing-shadow-it">A new approach: embracing shadow IT</h2> <p>When nearly a third of applications used by employees aren’t being managed by their companies, it’s time to pause and figure out a better path forward.</p> <p>You can’t realistically <a href="https://blog.1password.com/cybersecurity-awareness-month-smart-security/">eliminate shadow IT</a>. Therefore, the challenge is to enable and secure it, so teams can use the tools they want without giving up security.</p> <p>This can be achieved by making sure that each employee – on every team and across different data access points – has comprehensive protection. Approaching the issue at the individual level is important because shadow IT looks different for different roles and departments.</p> <p>Where do you start? The priorities are securing credential sharing and standardizing how access to tools is granted, so that the access itself can be secured.</p> <p>For example, for the finance team, access to things like bank accounts needs to be locked down – and they need secure methods for file sharing. For marketing teams that use and test apps like social media and messaging platforms, it’s critical to make sure only approved team members have the appropriate access to social profiles.</p> <p>Applying the principle of least privilege (PoLP) can also help. That means making sure that employees have the minimum amount of access they need to do their jobs. For example, HR probably doesn’t need access to marketing analytics or campaign spend details.</p> <p>It’s up to IT and security to figure out how to secure and enable these systems. 1Password can help. 1Password is an enterprise password manager (EPM) that provides teams with a centralized solution to use, access, and share critical company data with role-based access controls and ensures employees adhere to your security policies. 
EPMs can help you make the easy way to work the secure way to work.</p> <h2 id="bring-shadow-it-into-the-light">Bring shadow IT into the light</h2> <p>Shadow IT is here to stay. It will likely continue growing, especially as new cloud services like generative AI garner wider use. And as it does, if left unchecked, it can increase your company’s attack surface, expose sensitive data (sometimes inadvertently), and increase the risk of a data breach.</p> <p>In other words, no cybersecurity plan is complete without addressing shadow IT.</p> <p>In the coming weeks, we’ll explore shadow IT in more depth here on the 1Password blog, including how to do more with less with valuable IT resources. In the meantime, you can learn how to manage shadow IT, shore up your data security, and protect your company against cyberattacks by downloading <em><a href="https://1password.com/resources/managing-shadow-it/?utm_ref=blog">Managing the unmanageable: How shadow IT exists across every team – and how to wrangle it</a></em>.</p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Managing the Unmanageable</h3> <p class="c-call-to-action-box__text"> Learn why teams like Finance, Marketing, and HR use shadow IT, the security vulnerabilities that can follow, and how to manage it all. 
</p> <a href="https://1password.com/resources/managing-shadow-it/?utm_ref=blog" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Download now </a> </div> </section></description></item><item><title>What concept-first design looks like at 1Password</title><link>https://blog.1password.com/concept-first-design/</link><pubDate>Wed, 20 Mar 2024 00:00:00 +0000</pubDate><author>info@1password.com (Ryan Bigge)</author><guid>https://blog.1password.com/concept-first-design/</guid><description> <img src='https://blog.1password.com/posts/2024/concept-first-design/header.png' class='webfeedsFeaturedVisual' alt='What concept-first design looks like at 1Password' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">When daydreaming about the future, it’s fun to imagine faraway, fantastic, and possibly impossible scenarios. Moving sidewalks. Personal jetpacks. Unconfusing TV remotes.</p> <p>But to make the world a better place, we need to balance small improvements with audacious moonshots. As science fiction novelist William Gibson famously put it: “The future is already here — it’s just not evenly distributed yet.”</p> <p>A good illustration of that quote can be found in Estonia, where citizens have been using digital identification to vote and access public services for over a decade. Estonia is living in the not-too-distant future, waiting for the rest of us to throw away our laminated ID cards.</p> <p>Delivering these kinds of improvements is easier said than done. The paradox of working at a technology company is that you need to build small but innovative products and features (the future) with tried-and-true approaches (the past). Tight deadlines often discourage experimentation but, in order to stay competitive, it’s important to revisit your processes on a regular basis. 
In other words, <em>how</em> you build can be as critical as <em>what</em> you build.</p> <p>The good news, according to William Gibson, is that there are plenty of new ideas out there. You just have to know where to look.</p> <h2 id="introducing-concept-first-design">Introducing concept-first design</h2> <p>In that spirit, the content design team at 1Password has been trying out an approach called concept-first design.</p> <p>You might be familiar with <a href="https://medium.com/google-design/write-first-the-craft-of-content-first-design-d9460d567947">content-first design</a> — letting the key pieces of communication (i.e. content) between the system and the user determine the shape and flow of the experience. Concept-first design, meanwhile, is a way to make sure that users won’t find those key pieces of communication confusing. Concept-first design helps simplify complex product ideas earlier in the process. This makes it easier to translate those key ideas into language and UX that users will recognize, understand, and adopt.</p> <p>That’s a lot to unpack, so the rest of this article will explore concept-first design in theory and practice, the benefits of using it, and how we’re starting to apply it at 1Password.</p> <h2 id="the-art-of-concepts">The art of concepts</h2> <p>So what, <em>exactly</em>, is concept-first design? Let’s use Hipmunk, <a href="https://techcrunch.com/2020/01/14/four-years-after-being-acquired-hipmunk-is-shutting-down/">the late, great, travel site</a>, as an example.</p> <p>Hipmunk wanted to help users pick the best flight based on factors like the number of connections and the airline’s on-time performance. Instead of a convoluted bar graph that put the burden of interpretation on the user, Hipmunk created an <strong>Agony index</strong>. Which is almost exactly what it sounds like. 
Finding the right balance of pain and price in order to minimize agony was an easy-to-grasp <strong>concept</strong> for anyone who’d endured a terrible flight to save some money.</p> <p>Now, in order to do concept-first design well, you’ll need to start by shifting your perspective.</p> <p>As Elizabeth McGuane, a UX director at Shopify, points out, concept work requires swapping Figma and Adobe Photoshop (at least initially) for design tools like metaphor and narrative. In her recent book <em><a href="https://abookapart.com/products/design-by-definition">Design by Definition</a></em>, McGuane notes that “every digital product starts out as a problem to be solved. The idea, or concept, is the way we meet that problem – the premise of our solution.”</p> <p>Instead of immediately pushing pixels around, McGuane challenges product designers to brainstorm a bunch of metaphors by asking:</p> <ul> <li>What materials would you build this feature with if it were a physical thing?</li> <li>What real-world objects are similar to what you want to build?</li> <li>What emotional reaction should this product evoke?</li> </ul> <p>As McGuane notes, “metaphors bring the abstractions of software closer to life, making interfaces feel real.” If you keep something real and relatable in mind while you&rsquo;re designing software, there&rsquo;s a greater chance the user will grasp the final concept and find it intuitive. (As a security company, 1Password has found the padlock to be a particularly useful bit of inspiration.)</p> <p>Starting with the core idea of a feature – the concept – is a way to get everyone in your company on the same page. This, in turn, allows your product and content design teams to work more effectively in parallel. 
A shared language gives your team a shared understanding of what you’re building and, as a nifty bonus, it makes it easier to name things too.</p> <p>Speaking of which, McGuane has an entire chapter about naming in her book, which reinforces how important it is to product work. As she points out, endless arguments about product or feature names are usually due to a hazily defined concept. Naming is hard, but tech companies often make it much, much harder by starting with weak or confusing concepts.</p> <p>That’s why 1Password’s content design team, with help from product marketing, has been working on different ways to improve the name game. This includes team-wide Mad Libs exercises, where we test out potential names and concepts in realistic situations. We’ve also conducted UX research sessions where we ask customers to explain what potential names mean to them.</p> <h2 id="selling-the-value-of-concepts">Selling the value of concepts</h2> <p>Without giving away any top-secret information, 1Password plans to expand our offerings in 2024. That’s why, in the spring of last year, senior content designer Chantelle Sukhu and I gave a talk at a product manager meeting about how content design can improve the stuff that 1Password builds and ships.</p> <p>As our offerings expand, it’s even more important to think carefully about concepts, complexity, and clarity. To make sure everyone on the call understood the worst-case scenario, Chantelle and I shared an example of concepts gone rogue:</p> <p><em>“The Zoom Rooms Controller app provides an ideal way to manage a Zoom Room meeting without having to interact with the in-room Zoom Rooms Controller.”</em></p> <p>That’s not an excerpt from an unpublished Dr. Seuss book. It’s actual help content on the Zoom support page. Now, to be fair to Zoom, many other companies find themselves in similar situations when product concepts aren’t thought through and carefully managed. The result of this chaos? 
The user is forced to learn, understand, and memorize a series of unclear concepts.</p> <p>We noted during our talk that successful content design is often invisible. But users definitely notice intricate error messages, inconsistent labels, and confusing products that require complex instructions.</p> <blockquote> <p><strong>Successful content design is often invisible.</strong></p> </blockquote> <p>Along with helping product managers avoid Zoom doom and gloom, the content design team at 1Password has been working to identify and eliminate unnecessary concepts.</p> <p>In the same way a product can accumulate technical debt, it can also suffer from conceptual debt. As McGuane notes in her book: “Technology companies are machines for meaning.” And too much meaning is as bad as too little. Making our products and features less confusing demonstrates user empathy and makes it easier for everyone at 1Password to do their best work.</p> <p>The first step of this digital spring cleaning has involved <a href="https://www.nngroup.com/articles/cognitive-mind-concept/">concept mapping</a>. This is a way to visually capture the key aspects of 1Password and the interconnections between them. Creating a concept map for 1Password has helped us see the bigger picture and made it easier to integrate passkey options and identify improvements for how users sign in to our app. It’s also yet another way to create products that feel more consistent and easier to start using right away.</p> <img src="https://blog.1password.com/posts/2024/concept-first-design/concept-map.png" alt="A concept map showing various concepts in green bubbles, linked together with lines." title="A concept map showing various concepts in green bubbles, linked together with lines." 
class="c-featured-image"/> <h2 id="applying-concepts-at-1password">Applying concepts at 1Password</h2> <p>For all the value they bring, identifying and debating concepts can be tricky.</p> <p>To make our naming and mapping work more tangible, 1Password content designer Grace O’Neil created ConceptMania: a single-elimination tournament bracket for ideas. Working in groups, participants set out to determine the clearest concept in 1Password. The exercise sparked a lot of discussion about what makes winning concepts like “subscriptions” and “tags” easy to understand and communicate to users.</p> <p>ConceptMania was fun and useful, especially because it reminded the team about mental models: a tool our brain uses to handle complexity. A mental model is a representation of how something works based on our real-world experiences. Since users bring their mental models into 1Password, our concepts need to reflect and build on those mental models.</p> <img src='https://blog.1password.com/posts/2024/concept-first-design/conceptmania.png' alt='A Figjam screenshot with a fake &#39;Conceptmania&#39; poster and a written explanation of what the tournament is about, and how it works.' title='A Figjam screenshot with a fake &#39;Conceptmania&#39; poster and a written explanation of what the tournament is about, and how it works.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>As usability pioneer Jakob Nielsen famously put it: “People spend most of their time using digital products other than yours. Users’ experiences with those other products set their expectations.”</p> <p>That’s why, a few months after ConceptMania, our design team published competitive audit guidelines. A competitive audit is a systematic look at direct and indirect competitors. It’s a way for us to spend time with products other than 1Password to better understand common concepts. 
And by thoroughly exploring the problem space, we can avoid being insular in our thinking and instead rely on concepts that our users are already familiar with.</p> <h2 id="reducing-content-design-agony">Reducing content design agony</h2> <p>Concept-first design doesn’t solve every product problem — nor is it meant to. But it’s a fantastic way to make the often invisible work of content design impossible to ignore.</p> <p>Defining, describing, and solving core product problems with a conceptual framework creates stronger connections and a clear sense of purpose between content designers, UX researchers, and product designers. And concept-first design helps avoid, or at least minimize, tricky debates about naming — which in turn reduces the content design agony index.</p> <p>And, even more importantly, designing with clear, thoughtful concepts leads to products that are easier for users to grasp and enjoy.</p> <h3 id="resources">Resources</h3> <ul> <li><a href="https://www.intercom.com/blog/videos/shopify-ux-director-elizabeth-mcguane-design-should-start-with-words/">Using words to bring concepts to life</a> — an interview with Elizabeth McGuane</li> <li><a href="https://medium.com/all-things-product-management/conceptual-debt-is-worse-than-technical-debt-5b65a910fd46">How to identify and reverse conceptual debt</a> — by Nicolae Rusan</li> <li><a href="https://uxdesign.cc/understanding-mental-and-conceptual-models-in-product-design-7d69de3cae26">Mental models and conceptual models in product design</a> — by Alana Brajdic</li> <li><a href="https://alistapart.com/article/pain-with-no-name/">The pain with no name</a> — by Abby Covert</li> <li><a href="https://medium.com/user-experience-design-1/start-your-designs-with-a-concept-7270e6b00fcc">Start your designs with a concept</a> — by Fabricio Teixeira</li> </ul> <p><em>Author’s note: This blog post is based on a talk I gave at 1Password’s 2023 Product and Design 
offsite.</em></p></description></item><item><title>Empowering women in networking: Overcoming challenges and building meaningful connections</title><link>https://blog.1password.com/women-networking-connections-guide/</link><pubDate>Fri, 15 Mar 2024 00:00:00 +0000</pubDate><author>info@1password.com (Monica Jain & Christine Martin)</author><guid>https://blog.1password.com/women-networking-connections-guide/</guid><description> <img src='https://blog.1password.com/posts/2024/women-networking-connections-guide/header.png' class='webfeedsFeaturedVisual' alt='Empowering women in networking: Overcoming challenges and building meaningful connections' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">It’s essential during <a href="https://www.womenshistorymonth.gov/">Women&rsquo;s History Month</a> to recognize the strides women have made in various fields. However, networking remains one area of career advancement and satisfaction where women often face unique challenges. From battling imposter syndrome to navigating male-dominated spaces, women encounter obstacles that can hinder their networking efforts.</p> <p>If you’re struggling or unsure how to grow your professional network, fear not! In this blog post, we’ll address common fears and challenges that women often face while networking, and give you some strategies to overcome them. We’ll also explain the importance of shamelessly networking and cultivating meaningful connections.</p> <h2 id="overcoming-common-fears-and-challenges">Overcoming common fears and challenges</h2> <p>Networking takes a lot of confidence. It&rsquo;s natural to feel nervous about introducing yourself to new people and building real, meaningful connections. 
Here are some specific fears that you might have about networking, and some tried-and-true solutions:</p> <h3 id="imposter-syndrome">Imposter syndrome</h3> <p>Many women struggle with the feeling that they don&rsquo;t belong in professional settings, which leads to self-doubt and hesitation in networking. You can combat imposter syndrome by acknowledging your achievements and embracing your unique skills and experiences. (If you haven’t done so already, create a new note on your PC or phone to track your accomplishments!)</p> <p>Remember, you’ve earned your place at the table.</p> <h3 id="fear-of-rejection">Fear of rejection</h3> <p>It&rsquo;s natural to fear rejection when reaching out to new contacts. However, don&rsquo;t let the fear of &ldquo;no&rdquo; hold you back. View each interaction as an opportunity for growth, and remember that rejection is not a reflection of your worth. The other person simply may not have the time to develop a new professional relationship at the moment.</p> <p>Keep persevering, and you&rsquo;ll find the right connections.</p> <h3 id="fear-of-not-knowing-what-to-say">Fear of not knowing what to say</h3> <p>If you’re unfamiliar with a specific industry or new to a workplace, it can be intimidating to navigate conversations. You might be thinking: “What happens if I run out of things to say?”</p> <p>It’s okay not to be an expert, and simply asking for advice on a particular topic can be an incredible tool for opening up meaningful conversation.</p> <h3 id="male-dominated-spaces">Male-dominated spaces</h3> <p>In industries traditionally dominated by men, women may feel out of place or overlooked. Instead of shrinking into the background, assert yourself confidently. 
Your voice and perspective are valuable assets, so speak up and make your presence known.</p> <h2 id="shamelessly-networking-for-career-advancement">Shamelessly networking for career advancement</h2> <p>Shameless networking is about being bold and owning the fact that you want to meet new people and find opportunities for professional growth. Embrace the power of networking events, conferences, and online platforms to connect with like-minded individuals. Don&rsquo;t be afraid to initiate conversations, share your accomplishments, and express your career goals.</p> <p>Remember to look for ways to offer value to your connections, whether it’s through sharing insights, providing referrals, or offering assistance in their projects. By putting yourself out there unapologetically, you&rsquo;ll increase the chance of finding valuable opportunities and advancing your career trajectory.</p> <h2 id="cultivating-meaningful-connections">Cultivating meaningful connections</h2> <p>Building a strong professional network isn&rsquo;t just about collecting business cards or LinkedIn connections – it&rsquo;s about fostering genuine relationships based on trust and mutual support.</p> <p>Approaching networking in this way will also increase your overall career satisfaction. How? Creating genuine connections gives you access to more resources, support, and opportunities that enhance your professional life.</p> <p>Here are some tips for cultivating meaningful connections:</p> <ul> <li> <p><strong>Be authentic:</strong> Authenticity breeds trust and rapport. Share your passions, interests, and goals genuinely, and seek connections who align with your values.</p> </li> <li> <p><strong>Offer value:</strong> Networking is a two-way street. Be proactive in offering assistance, advice, and resources to your connections. 
By adding value to others, you&rsquo;ll strengthen your relationships and build a reputation as a valuable ally.</p> </li> <li> <p><strong>Follow up:</strong> Don&rsquo;t let your connections fade into obscurity after the initial encounter. Follow up with personalized messages, schedule coffee meetings or virtual catch-ups, and stay engaged with your network regularly.</p> </li> </ul> <h2 id="building-your-network-is-a-marathon-not-a-sprint">Building your network is a marathon, not a sprint</h2> <p>As women continue to shatter glass ceilings, networking remains a powerful tool for career advancement, professional success and overall satisfaction. By overcoming common fears and challenges, shamelessly promoting oneself, and cultivating meaningful connections, you can build a robust network that supports your aspirations and helps you thrive in any industry.</p> <p>This Women&rsquo;s History Month, let&rsquo;s celebrate the resilience and tenacity of women in networking and champion each other&rsquo;s success. Consider reaching out to one new person today, whether that&rsquo;s in person or on a platform like LinkedIn. 
It&rsquo;s guaranteed to make their day!</p> <p>Together, we can create a more inclusive and supportive professional landscape for generations to come.</p></description></item><item><title>The Mac Admins Podcast team explain how to secure Apple devices at work and home</title><link>https://blog.1password.com/apple-device-security-mac-admins-interview/</link><pubDate>Thu, 14 Mar 2024 00:00:00 +0000</pubDate><author>info@1password.com (Jenn Marshall)</author><guid>https://blog.1password.com/apple-device-security-mac-admins-interview/</guid><description> <img src='https://blog.1password.com/posts/2024/apple-device-security-mac-admins-interview/header.png' class='webfeedsFeaturedVisual' alt='The Mac Admins Podcast team explain how to secure Apple devices at work and home' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Joined by the popular <a href="https://podcast.macadmins.org/">Mac Admins podcast</a> cast, we dive into Apple security and privacy, and how Macs are being integrated into workplaces everywhere. Find out whether an Apple product on its own keeps you secure and safe from viruses, or if you need additional security apps to protect your devices.</p> <p>Michael “Roo” Fey, Head of User Lifecycle &amp; Growth at 1Password chats with <a href="https://tombridge.com/">Tom Bridge</a>, <a href="https://twitter.com/marcusransom">Marcus Ransom</a>, and <a href="https://twitter.com/cedge318">Charles Edge</a> – three of the rotating cast of Apple expert hosts and consultants – on the <a href="https://randombutmemorable.simplecast.com/">Random but Memorable</a> podcast. 
To learn more, read the interview highlights below or listen to the <a href="https://randombutmemorable.simplecast.com/episodes/new-fingerprint-clone-magic">full podcast episode</a>.</p> <div style="text-align: center !important;"> <iframe src="https://www.youtube-nocookie.com/embed/qiZF4Gl0MUU?si=vUNuoHD-owGabrQP" frameborder="0" allow="autoplay; encrypted-media" width="500px !important;" height="281px !important;" style="width: 500px !important; height: 281px !important; display: inline-block !important" allowfullscreen></iframe> </div> <p><em>Editor’s note: This interview has been lightly edited for clarity and brevity. The views and opinions expressed by the interviewee don’t represent the opinions of 1Password.</em></p> <p><strong>Michael Fey: A lot of people believe that buying an Apple product or a device keeps them secure and safe from viruses. Is that true?</strong></p> <p><strong>Charles Edge:</strong> No. The first viruses – or the first viruses for personal computers, at least – were written for the Mac, so I don&rsquo;t think it was <em>ever</em> true.</p> <p>Having said that, I do think Apple makes a lot of privacy and security decisions on our behalf out of the box that make the platform very secure, comparably. That&rsquo;s not to say I don&rsquo;t think third-party products have a place. Take <a href="https://1password.com/">1Password</a> as an example. Keychain&rsquo;s awesome. 1Password has all these things that make it even better. 
And the same can be said for endpoint detection and response (EDR) solutions.</p> <blockquote> <p><strong>&ldquo;Apple makes a lot of privacy and security decisions on our behalf out of the box that make the platform very secure.&rdquo;</strong></p> </blockquote> <p><strong>Tom Bridge:</strong> I don&rsquo;t think that there&rsquo;s a ton of need to go out and invest in EDR like a <a href="https://www.vmware.com/products/endpoint-detection-and-response.html">Carbon Black</a> or a <a href="https://www.crowdstrike.com/en-us/">CrowdStrike</a> for your personal individual machine. I don&rsquo;t think that that&rsquo;s a great use of money or time.</p> <p>But there are some common-sense things that you can do to protect yourself. Some of the more consumer-friendly solutions are a good option. But business needs are a little bit different than, say, an individual focus.</p> <p><strong>Marcus Ransom:</strong> The other way I like to look at it is, the computer itself is pretty safe. It&rsquo;s a pretty robust platform. As Charles mentioned, Apple has done an awesome job of building something that has a level of protection and privacy and makes it really hard for third-party threat actors.</p> <p>But one of the biggest problems is the person using the computer and their behavior. Once again, Apple has done a really awesome job of trying to encourage and promote good behavior, but there are still plenty of things you can get absolutely wrong if you&rsquo;re not mindful of what you&rsquo;re doing.</p> <blockquote> <p><strong>&ldquo;One of the biggest problems is the person using the computer and their behavior.&rdquo;</strong></p> </blockquote> <p>It&rsquo;s quite amazing to see what sort of paths people attacking Mac users will use compared to the typical Windows virus, which is a whole different kettle of fish.</p> <p><strong>MF: Apple consistently adds new security features and new privacy features to their products. 
What has recently come out from Apple that has got you excited as admins or changed the way that you do device management?</strong></p> <p><strong>CE:</strong> <a href="https://blog.1password.com/what-are-passkeys/">Passkeys</a>. We can start there since we&rsquo;re on a podcast from a company that supports them!</p> <p><strong>TB:</strong> Passkeys and iCloud Keychain. As we pivot into the business for a second, the ability to put those in a managed Apple ID keychain is absolutely right.</p> <p>Then we go one step further: being able to tie the authentication of your managed Apple ID to an external identity provider that isn&rsquo;t just Google or Microsoft. That could be a <a href="https://blog.1password.com/jumpcloud-1password-scim-bridge-launch/">JumpCloud</a>, an <a href="https://blog.1password.com/unlock-with-okta/">Okta</a>, or anybody else along those lines.</p> <p>That&rsquo;s a huge step forward for a lot of business organizations in terms of making managed Apple IDs more approachable, more familiar, more comfortable for the average end user. So that they can know: &ldquo;Hey, look, I don&rsquo;t have to remember a different password. I don&rsquo;t have to get out an SMS-capable device to complete authentication.&rdquo; To be able to do it the same way that I normally authenticate to do any of my other business tasks is so crucial.</p> <p>I&rsquo;m really excited to see Apple moving in that direction and supporting that kind of managed Apple ID federation.</p> <p><strong>CE:</strong> Some of these things are not things that users are even asking for. As an example, just last week, <a href="https://security.apple.com/blog/imessage-pq3/">Apple introduced post-quantum encryption (PQ3) for iMessage</a>. 
Now it&rsquo;s like: “Oh, you don&rsquo;t even need <a href="https://signal.org/">Signal</a> or one of the other apps in order to have that same level of encryption to protect data, whether it&rsquo;s at rest or in transit, on that device.”</p> <p><strong>TB:</strong> While the texts I exchange with my friends aren&rsquo;t something that I&rsquo;m worried about, the fact that any messages I send are safe from quantum cryptography attacks&hellip; that’s a real good feeling. And it wasn&rsquo;t something that I sought out to ask from Apple, but boy, are they out there looking out for the people that use their platforms in ways that other companies just aren&rsquo;t.</p> <p><strong>MR:</strong> One of the things that I really love is Apple&rsquo;s idea of containerization. On your personal device, you can have your work applications, but rather than having a portal that you go into for work or a different account that you sign into, the apps are all there, on your phone. If you use a work app, the company has responsibility for that work and can see what&rsquo;s going on in there. If you’re using personal apps on the same phone, work can&rsquo;t see it.</p> <p>One of the details I really love is that they won&rsquo;t even know the serial number of your device because that serial number can be used for narrowing down who you are or identifying you. The idea is making things secure for an organization and doing a really good job being able to prevent copy and paste and clipboard between personal and work – but at the same time giving the user privacy.</p> <p>I remember back to the early days of MDM (mobile device management) when, if a personal device was enrolled in MDM, you were able to see what’s on it, like what apps they have installed on an iPad. From that, you could draw conclusions about a person.</p> <p>Not having that available any more is really refreshing. 
We see so many organizations saying, &ldquo;Oh, we need to be able to geolocate all of our users wherever they are.&rdquo; Most of these ideas come from a good place. They&rsquo;re thinking about the value that they can have.</p> <blockquote> <p><strong>&ldquo;If a personal device was enrolled in MDM, you were able to see what’s on it. Not having that available any more is really refreshing.&rdquo;</strong></p> </blockquote> <p>But then you think about what happens if somebody with either bad intentions or sloppy digital hygiene gets access to that information. The next thing you know, your company is in the news! And as a user, something very personal of yours is now public, and you can&rsquo;t walk that back.</p> <p>I love the way Apple makes decisions on behalf of Mac admins, about what they can and can&rsquo;t do, really, to protect us from ourselves in a way.</p> <p><strong>MF: What do you think is the perception of Apple devices in corporate environments these days? Do you see it shifting? There was a time where Apple was pushing out ad campaigns like, oh, you can do that on a Mac, too, like Microsoft Office and things like that. But obviously, there&rsquo;s a lot more than just running Office to bring a Mac into a corporate environment.</strong></p> <p><strong>TB:</strong> I see it shifting and that it&rsquo;s shifted a lot over the last five years. If we think about how businesses have traditionally seen Apple – in the “before times” and the “long ago” – we certainly saw Apple devices as “less than”. A lot of corporate IT departments were like: &ldquo;Oh, that one Mac over there, I was made to support it by my evil boss.”</p> <p>If you want to put one person&rsquo;s name out there – and I don&rsquo;t like putting one person&rsquo;s name because there was a whole team that was working with this person – but go look at <a href="https://twitter.com/fletcherprevin?lang=en">Fletcher Previn</a>. 
He was at one point CIO of IBM, and he&rsquo;s now SVP and CIO of Cisco. If you look at the programs that he helped build, he basically said: &ldquo;Hey, it&rsquo;s okay to use a Mac at work. If you want to use a Mac, you should be able to.&rdquo;</p> <div style="text-align: center !important;"> <iframe src="https://www.youtube-nocookie.com/embed/_CDnmjmOBHE?si=CkFSn_AIy0OUwrXD" frameborder="0" allow="autoplay; encrypted-media" width="500px !important;" height="281px !important;" style="width: 500px !important; height: 281px !important; display: inline-block !important" allowfullscreen></iframe> </div> <p>That approach has paid such dividends for IBM, Cisco, and other organizations throughout the Fortune 500. Now there isn&rsquo;t anybody any more without some plan for supporting Macs in the enterprise.</p> <p><strong>CE:</strong> The one thing I would add is that I do see an almost overcorrection in some organizations. They equate the Mac with the &ldquo;digital transformation&rdquo; buzzword. They’re like: &ldquo;Well, if we allow a thousand Macs here, then we have completed the digital transformation.&rdquo;</p> <p>In my experience, digital transformation is about things like automation, cost-cutting, and getting to market faster with new product development. Just allowing a Mac and treating it like Windows is not synonymous with digital transformation unless you&rsquo;re looking to also automate things and get things to market faster.</p> <p><strong>MF: Let&rsquo;s talk about the cybersecurity landscape, which is constantly evolving. How do you stay informed about emerging threats and vulnerabilities that are specific to Apple products? What steps can admins and users take to stay ahead of these potential security risks?</strong></p> <p><strong>CE:</strong> I can speak to what I do. I watch every video from <a href="https://objectivebythesea.org/v6/index.html">Objective by the Sea</a> (Mac security conference). 
It&rsquo;s a wonderful conference that talks in depth – it might be too in-depth for the average user. I also typically look for everything about iOS, Mac, iPad, visionOS, passkeys even, that pops up at <a href="https://defcon.org/">DEF CON</a> and <a href="https://www.blackhat.com/">Black Hat</a> conferences. Again, that&rsquo;s pretty deep for regular people who are just trying to protect their machine at home.</p> <div style="text-align: center !important;"> <iframe src="https://www.youtube-nocookie.com/embed/t67S7lkj60A?si=Ql6ueI66au_Vl75s" frameborder="0" allow="autoplay; encrypted-media" width="500px !important;" height="281px !important;" style="width: 500px !important; height: 281px !important; display: inline-block !important" allowfullscreen></iframe> </div> <p><strong>TB:</strong> Well, I&rsquo;m a little bit of an outlier too because my next-door neighbor is one of the program managers for <a href="https://www.cisa.gov/">CISA</a>, which is the Cybersecurity and Infrastructure Security Agency here in Washington DC. I just go across the fence and ask Dave what happened!</p> <p>But really what I do is I read a lot of things. I will call out the <a href="https://objective-see.org/">Objective-See Foundation</a>. As Charles mentioned, they have a conference, but Patrick Wardle also has a <a href="https://www.patreon.com/objective_see/about?l=de">Patreon</a> and a <a href="https://objective-see.org/blog.html">blog</a>, and that&rsquo;s a great place to go look. I love the <a href="https://www.jamf.com/threat-labs/">threat labs research topics from the folks at Jamf</a>, and from <a href="https://blog.kandji.io/">Kandji</a>.</p> <p>And <a href="https://www.malwarebytes.com/blog">Malwarebytes</a>. They&rsquo;re doing great work out there, and that is a great place to go see what the cutting edge of threats is. I also want to caution you, if you read all this and you get scared, take a deep breath. It&rsquo;s going to be okay. 
A lot of it&rsquo;s theoretical.</p> <p><strong>CE:</strong> Or been addressed in a point release or a security update.</p> <p><strong>TB:</strong> The number one thing that anybody can do to protect their own security is keep their machine up to date. Period. Full stop. Apple patches the latest version of the operating system for all of the security bugs. And keep your third-party software up to date too. I know that it&rsquo;s fun to click the box that says “not now” or “ask me again tomorrow”, but don&rsquo;t get in the habit of doing that for three and a half years!</p> <blockquote> <p><strong>&ldquo;The number one thing that anybody can do to protect their own security is keep their machine up to date. Period.&rdquo;</strong></p> </blockquote> <p><strong>CE:</strong> Don&rsquo;t enable sharing. Read the dialogue boxes. Ask questions like, &ldquo;Why do you want access to my Camera Roll?&rdquo;</p> <p><strong>MR:</strong> There&rsquo;s also some basic digital hygiene as well. There&rsquo;s this great auto login functionality in macOS, so when you turn on your machine, it just logs in, which is a great convenience. Unfortunately, it&rsquo;s also a really good way to give somebody else access to what&rsquo;s on your machine if they have physical access to that machine. So use a good password manager. Use passkeys when you can.</p> <p><strong>CE:</strong> Don&rsquo;t reuse the same password.</p> <p><strong>MF: Where can folks go to find out more about you?</strong></p> <p><strong>TB:</strong> You can find the podcast at <a href="http://podcast.macadmins.org">podcast.macadmins.org</a>. You can join us in a 65,000-person-strong <a href="https://www.macadmins.org/">Slack</a> for people who manage Apple devices at scale. Check that out, read the code of conduct. 
We really like to keep it a safe place for people to participate and to be themselves, so please give that a look and come join us.</p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Subscribe to Random but Memorable</h3> <p class="c-call-to-action-box__text"> Listen to the latest news, tips and advice to level up your security game, as well as guest interviews with leaders from the security community. </p> <a href="https://randombutmemorable.simplecast.com/" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Subscribe to our podcast </a> </div> </section></description></item><item><title>Innovating with more experimental 1Password features</title><link>https://blog.1password.com/1password-labs-features/</link><pubDate>Tue, 12 Mar 2024 00:00:00 +0000</pubDate><author>info@1password.com (Matt Grimes)</author><guid>https://blog.1password.com/1password-labs-features/</guid><description> <img src='https://blog.1password.com/posts/2024/1password-labs-features/header.png' class='webfeedsFeaturedVisual' alt='Innovating with more experimental 1Password features' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">We recently introduced labs, a new and pioneering space in the 1Password apps that lets customers opt in to test experimental features.</p> <p>For us, innovation isn&rsquo;t just a buzzword – it&rsquo;s a big focus for all of our teams. We are always looking for ways to evolve 1Password so we can offer a leading-edge experience in both security and convenience.</p> <p>As the only password manager involving our customers in the early stages of development, we are breaking new ground in creating a truly human-centric experience. 
With customer feedback helping us shape experimental features before we commit to bringing them to all 1Password customers, every new addition to labs is actually tailored to real-life use-cases.</p> <p>By testing exciting, new features through labs, but also continuing to focus on making 1Password <a href="https://blog.1password.com/autofill-saving-extension-improvements/">more user-friendly and intuitive</a>, we’ve been able to balance innovative additions to 1Password while also improving existing features and functionality of our apps.</p> <p>Since labs was launched, we’ve been busy sharing new experiments and using customer feedback to improve those features and officially add them to 1Password for everyone to use.</p> <p>Here’s a breakdown of what we’ve been working on with the help of our customers.</p> <h2 id="experimental-features">Experimental features</h2> <p><strong>Default details for a smoother autofill experience</strong></p> <p>The first experimental feature introduced to labs was the ability to set default details. Given the positive feedback received from customers, our teams iterated on this feature, made improvements, and shipped it to all customers under a new “Profile” tab in the 1Password apps.</p> <p>By setting default details, you can select your preferred payment card and identity item, which includes things like your name, address, email, and phone number. Your chosen selections always take precedence in the list of options the next time you need to autofill any of that information. 
This can be set for each of the 1Password accounts you are signed in to, so if you have a work and personal account, you can set your default details for each of them.</p> <p>Next time you&rsquo;re filling out online forms or making online purchases, you can enjoy a seamless and improved autofill experience, ultimately saving valuable time and simplifying digital interactions.</p> <img src='https://blog.1password.com/posts/2024/1password-labs-features/Default%20details%20-%20dark%20mode.png' alt='The Profile page showing default details in the 1Password app.' title='The Profile page showing default details in the 1Password app.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div class="c-technical-aside-box__description"> <p>Default details is now available to everyone on the 1Password apps.</p> </div> </aside> <p><strong>Custom browsers for more flexibility and control</strong></p> <p>If you’re using 1Password on macOS and opt for different browsers, like Orion or Wavebox, you can now authorize 1Password to connect to those browsers and improve the functionality of the 1Password browser extension. This brings significant improvements, such as letting you unlock the 1Password browser extension with Touch ID in those browsers.</p> <p>This is a significant step toward providing greater autonomy and flexibility in browser selection, streamlining workflows, and enhancing your experience – and it lets more people than ever experience all the benefits of 1Password.</p> <img src='https://blog.1password.com/posts/2024/1password-labs-features/Custom%20browser%20setting.png' alt='The Settings menu in the 1Password app showing browser selection.' title='The Settings menu in the 1Password app showing browser selection.' 
style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div class="c-technical-aside-box__description"> <p>Custom browsers has graduated from labs and is now available to everyone using <a href="https://1password.com/downloads/mac/">1Password for Mac</a>. We&rsquo;re letting your feedback inform whether we should build this for Windows and Linux. If you want to see this feature on other platforms, <a href="https://1password.community/discussion/141779/experiment-2-custom-browsers">let us know in the community thread</a>.</p> </div> </aside> <p><strong>Nearby items for convenience on the go</strong></p> <p>With nearby items, you can assign a location to any of your 1Password items. Then, on the 1Password mobile apps, a new dedicated section on the home tab will display when those items are physically close to you.</p> <p>Imagine having quick access to essential information based on your location – whether it&rsquo;s the door code at your workplace or the combination to your storage shed. With people becoming increasingly mobile, this feature aims to provide tailored convenience wherever you go.</p> <p>The 1Password community was very engaged with this feature and shared a huge amount of feedback that we were able to implement. For example, some use cases from the community include: office Wi-Fi passwords, gym locker PIN codes, garage door or gate access codes, debit card PIN codes showing near ATMs, health or benefits insurance for when you’re at the dentist or doctor, and membership cards at specific branches (such as library cards, gym cards, etc.).</p> <img src='https://blog.1password.com/posts/2024/1password-labs-features/Nearby-items2.png' alt='The Nearby items widget showing several nearby items like the bank and the office Wi-Fi.' title='The Nearby items widget showing several nearby items like the bank and the office Wi-Fi.' 
style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div class="c-technical-aside-box__description"> <p>Nearby items is currently available in labs.</p> </div> </aside> <p><strong>New vault view in 1Password.com for consistency across platforms</strong></p> <p>Our desktop application is the best way to manage your items in 1Password. This update not only aligns the design of 1Password.com’s vault item view with our main desktop application, but also enhances our ability to consistently introduce new features across all platforms.</p> <p>The current version offers read-only functionality, serving as an early testing phase to identify potential issues. However, over the next few months, 1Password will gradually introduce full functionality that aligns with the current web interface as we continue testing and development.</p> <p>Unlike other experimental features in labs, this update doesn&rsquo;t require manual activation and won&rsquo;t appear under the &ldquo;Labs&rdquo; tab in the 1Password apps. Instead, you can access it directly via an in-app banner within the vault item view on 1Password.com.</p> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div class="c-technical-aside-box__description"> <p>The new vault view is available now to all <a href="https://1password.com/personal">1Password Individual and Families</a> customers on an opt-in basis, and will be available within the next month for <a href="https://1password.com/business">1Password Teams and Business</a>.</p> </div> </aside> <p><strong>Beta: Auto-type for Windows for simplified logins</strong></p> <p>Auto-type via Quick Access on <a href="https://1password.com/downloads/windows/">Windows</a> simplifies the login process for you. 
<a href="https://blog.1password.com/labs-experimental-features/">By enabling this feature on labs through the beta build</a>, you can quickly fill and submit your login credentials into various applications and forms using a simple shortcut (Ctrl+Shift+Space).</p> <p>Once activated, it automatically types the username and password into the respective fields, enhancing efficiency and saving time. Additionally, for logins with two-factor authentication (2FA), the one-time code is conveniently copied to the clipboard for easy pasting. While not a substitute for Universal Autofill on Mac, Auto-type via Quick Access provides a similar streamlined experience, offering you a seamless way to access your accounts across different platforms and applications.</p> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div class="c-technical-aside-box__description"> <p>Auto-type for Windows is currently only available through labs in the 1Password beta apps, but will be available to everyone for testing via labs by the end of March 2024.</p> </div> </aside> <h2 id="how-can-you-get-involved-with-labs">How can you get involved with labs?</h2> <p>All the experimental features in labs are turned off by default, which means you&rsquo;ll have to opt in for each experiment you&rsquo;d like to try out, giving you full control over the experience. In the 1Password mobile and desktop apps under Settings, you’ll find a Labs tab. Select Labs, and you’ll see a list of all available experimental features. From there, you can easily toggle each feature on or off at any time.</p> <img src='https://blog.1password.com/posts/2024/1password-labs-features/1password-labs.png' alt='The labs menu in the 1Password app.' title='The labs menu in the 1Password app.' 
style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>We track the performance of each experimental feature by:</p> <ul> <li>Providing a link to feedback forms for each experimental feature to capture customer insights.</li> <li>Creating forum community threads for each feature under the <a href="https://1password.community/categories/labs">labs category</a> so that we can hear directly from you and answer any questions.</li> </ul> <p>If an experimental feature has enough positive feedback, the feature will progress through the beta 1Password apps and eventually be officially released into all 1Password apps.</p> <h2 id="lets-keep-revolutionizing-security">Let’s keep revolutionizing security</h2> <p>We’re not just committed to continuously enhancing the <a href="https://1password.com/business-pricing">1Password</a> experience – we also want to transform the way people manage the tension between <a href="https://support.1password.com/1password-security/">security</a> and convenience by making the secure thing the easy thing.</p> <p>With support from inventive initiatives like labs and customers like you, we’re well on our way – and we’re just getting started. Stay tuned for more ways we plan to shake up password management and reshape online security.</p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Ready to protect yourself?</h3> <p class="c-call-to-action-box__text"> Keep all of your accounts secure with 1Password, the world’s most-trusted password manager. Get started today with a free 14-day trial. 
</p> <a href="https://1password.com/pricing/" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Try free for 14 days </a> </div> </section></description></item><item><title>Introducing the new partner rebate incentive in 1Password’s Global Partner Program</title><link>https://blog.1password.com/partner-rebate-program/</link><pubDate>Mon, 11 Mar 2024 00:00:00 +0000</pubDate><author>info@1password.com (Monica Jain)</author><guid>https://blog.1password.com/partner-rebate-program/</guid><description> <img src='https://blog.1password.com/posts/2024/partner-rebate-program/header.png' class='webfeedsFeaturedVisual' alt='Introducing the new partner rebate incentive in 1Password’s Global Partner Program' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">We’re thrilled to announce the availability of a partner rebate incentive for partners of 1Password. As valued members of our <a href="https://www.1password.partners/#/page/partner-network">partner ecosystem</a>, you play a pivotal role in our collective growth journey.</p> <p>With this program, we aim to deepen our partnership, drive mutual prosperity, and unlock new opportunities together.</p> <h2 id="why-partner-rebates-matter">Why partner rebates matter</h2> <p>Partner rebate programs are not just about offering financial incentives – they’re about fostering stronger relationships, driving collaborative growth, and rewarding your dedication and efforts. 
By participating in our rebate program, you gain access to benefits designed to amplify your success:</p> <ol> <li> <p><strong>Increased earnings potential.</strong> Earn attractive rebates on your performance by achieving sales targets, expanding market reach, and driving customer engagement.</p> </li> <li> <p><strong>Alignment of interests.</strong> The rebate program is designed to align with your business objectives, making sure that our mutual interests are in sync and driving toward shared success.</p> </li> <li> <p><strong>Recognition and appreciation.</strong> Your dedication and contribution to our partnership do not go unnoticed, and the rebate program is a way for us to recognize and appreciate your hard work and commitment.</p> </li> </ol> <p>How to get started:</p> <ol> <li> <p><strong>Review program details.</strong> Familiarize yourself with the program details including eligibility criteria, reward structures, and performance metrics.</p> </li> <li> <p><strong>Promote and sell.</strong> Leverage partner resources to support your ability to promote and sell our product. Use marketing materials, training, and enablement tools to maximize your effectiveness.</p> </li> <li> <p><strong>Claim your rewards.</strong> Once you’ve met the program requirements, our team will ensure a seamless payout process.</p> </li> </ol> <p>We’re excited to embark on this journey together and empower you to reach new heights of success and unlock boundless possibilities together.</p> <p>Learn more in the <a href="https://www.1password.partners/#/page/login">1Password Partner Portal</a> or sign up to be a 1Password Channel Partner today.</p></description></item><item><title>Greg van der Gaast's advice for CISOs: ‘Stop doing cybersecurity. 
Start doing business securely.’</title><link>https://blog.1password.com/greg-van-der-gaast-business-security-interview/</link><pubDate>Fri, 08 Mar 2024 00:00:00 +0000</pubDate><author>info@1password.com (Jenn Marshall)</author><guid>https://blog.1password.com/greg-van-der-gaast-business-security-interview/</guid><description> <img src='https://blog.1password.com/posts/2024/greg-van-der-gaast-business-security-interview/header.png' class='webfeedsFeaturedVisual' alt="Greg van der Gaast's advice for CISOs: ‘Stop doing cybersecurity. Start doing business securely.’" style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">If you think security is all about risk management, cybersecurity expert Greg van der Gaast thinks you’ve got it all wrong.</p> <p>Van der Gaast – chief information security officer (CISO), consultant, author, world-famous former hacker and undercover agent – talked with Michael “Roo” Fey, Head of User Lifecycle &amp; Growth at 1Password, on the <a href="https://randombutmemorable.simplecast.com/">Random but Memorable</a> podcast about why taking a different approach, especially in a world of increasing security incidents and ballooning budgets, can be a much more effective strategy to reduce both vulnerabilities and cost.</p> <p>What’s different in Van der Gaast’s approach? It has a lot to do with focusing on quality and process before risk. And repeatedly asking “why” to get at the root of upstream security issues. 
Read on for the interview highlights, or listen to the <a href="https://randombutmemorable.simplecast.com/episodes/smart-toothbrush-botnet-army">full podcast episode</a>.</p> <div style="text-align: center !important;"> <iframe src="https://www.youtube-nocookie.com/embed/AP6SuqpfqyA?si=qRDMX1jqrSP5fk9H" frameborder="0" allow="autoplay; encrypted-media" width="500px !important;" height="281px !important;" style="width: 500px !important; height: 281px !important; display: inline-block !important" allowfullscreen></iframe> </div> <p><em>Editor’s note: This interview has been lightly edited for clarity and brevity. The views and opinions expressed by the interviewee don’t represent the opinions of 1Password.</em></p> <p><strong>Michael Fey: What was your journey from undercover hacker for the FBI and Department of Defense (DOD) to cybersecurity consulting?</strong></p> <p><strong>Greg van der Gaast:</strong> As a teenager growing up in Holland, I started learning about operating systems and how stuff worked and how you could break stuff and make it do other stuff.</p> <p>I semi-accidentally hacked into a nuclear weapons facility somewhere overseas – I think three or four weeks after they set up five atomic bombs on the ground. It was quite a hot topic at the time. I just realized what it was, downloaded a bunch of research, and next thing I know – I had moved to the States at this point – it&rsquo;s like CIA, DIA (Defense Intelligence Agency), and FBI.</p> <p>I had four suits show up at the door. The first one said he was from the DOD. I invited him in and I told him, &ldquo;Look, I was living in Holland at the time. This was somewhere over in Asia. I don&rsquo;t think I&rsquo;ve broken any U.S. laws. 
I was worried you guys were from Immigration.&rdquo;</p> <p>That&rsquo;s when suit number four raised his hand and said, &ldquo;I&rsquo;m from Immigration.&rdquo; I was put into the back of a van, taken to a detention facility where, to this day, I still don&rsquo;t know where it was.</p> <p>About a week later, more suits came and made me a job offer I couldn&rsquo;t refuse. I spent the next three years working undercover, getting paid cash by federal agents in underground car parks.</p> <p>What I do now is at the extreme end of the strategic- and business-focused leadership and root cause big-picture stuff that isn&rsquo;t on the radar of most security people. Part of my challenge has been that no one&rsquo;s asking for this because no one knows that these are even valid approaches.</p> <blockquote> <p><strong>&ldquo;What I do now is root cause big-picture stuff that isn&rsquo;t on the radar of most security people.&quot;</strong></p> </blockquote> <p>I think my overall mentality is more one of a problem-solver rather than just a &ldquo;security person&rdquo;. I started looking at the bigger picture of, &ldquo;Well, we&rsquo;re deploying all these firewalls and database encryption and intrusion prevention systems, all the latest stuff. Are we actually protecting the business? Do we know what data is where and who&rsquo;s doing what and how these business processes work and what data I should even be seeing over this network that I&rsquo;m monitoring?&rdquo;</p> <p>It dawned on me that everybody else hated process. But I realized that if we&rsquo;re not consistently implementing, configuring, monitoring, managing any of this stuff, how are we sure we&rsquo;re not missing anything? 
I started focusing on &ldquo;how do I make sure I mature the technical tooling?&rdquo; I started realizing a lot of these things wouldn&rsquo;t happen if it weren&rsquo;t for some root causes elsewhere.</p> <p>So why don&rsquo;t we focus more on our IT maturity rather than spending an absolute fortune on security operations? If those decisions are made by other departments, how do I influence change and create a program?</p> <p>Learning about the business language and about business took me down this journey where security is about risk management – and I think that is completely backwards. We should be like most other industries, like in manufacturing, aviation, oil and gas, healthcare – it&rsquo;s about quality management.</p> <p>It&rsquo;s about having really high quality processes so you don&rsquo;t have defects that cause issues. We don&rsquo;t do that. We don&rsquo;t go upstream. We don&rsquo;t go holistic. We just constantly detect and respond to the defects being exploited.</p> <p>That&rsquo;s brought about this really different approach to security that&rsquo;s process focused, not about doing IT security, but about going through your business processes and making sure they&rsquo;re secure.</p> <p>In other words, stop doing cybersecurity, start doing business securely.</p> <p><strong>MF: You mentioned other industries that are heavily process oriented and quality focused. When I think about that from a software point of view, my brain says: &ldquo;We can&rsquo;t just build a resilient widget because the platform on which that widget rests is constantly shifting.&quot;</strong></p> <p><strong>It&rsquo;s an apples-to-oranges comparison. Am I thinking about this the wrong way?</strong></p> <p><strong>GVDG:</strong> Every industry – aviation, automotive, transport, oil and gas – focuses on quality management. They focus on addressing the root causes behind problems. 
I see incident responses like: &ldquo;Oh, the root cause was that this got exploited.&rdquo; <em>Why</em> was that exploitable?</p> <p>&ldquo;Oh, well, because so-and-so did X.&rdquo; Okay, why did so-and-so do X? &ldquo;Oh, because they had this.&rdquo; But why did they do X without considering the downstream impact? &ldquo;Oh, because there&rsquo;s no awareness.&rdquo; Why? Why? Why?</p> <p>Toyota has a “five why” system to find a root cause. They ask “why” five times and go five levels deeper. When you address those things, you get this downward curve of issues or defects over time.</p> <p>If you think about security vulnerabilities, they&rsquo;re actually quality defects in code, in the configuration of a system, and how a system is built for users. But there is a point at which there is a diminishing return in resolving the root cause of this thing that caused 50% of our issues. Or the second thing that was 30% of our issues. You end up with this level of residual activity where it&rsquo;s just not worth it to fix the root cause because it&rsquo;s too expensive or happens so rarely that it&rsquo;s just not cost-effective.</p> <p><em>That</em> is the point at which risk management should start. Because if you look at the number of most vulnerabilities out there today – I&rsquo;m going to say 98% of them are known defects.</p> <blockquote> <p><strong>&ldquo;If you look at the number of most vulnerabilities out there today – I&rsquo;m going to say 98% of them are known defects.&quot;</strong></p> </blockquote> <p>If we started doing those things, we would reduce our exposure by probably one or two orders of magnitude. That&rsquo;s really significant. 
That&rsquo;s what I&rsquo;m getting at because we&rsquo;re at a point where instead of having that downward curve in security, every year we spend more money and every year we have more incidents.</p> <p>We see new applications all the time that have four-, five-, six-year-old <a href="https://www.techtarget.com/searchsecurity/definition/Common-Vulnerabilities-and-Exposures-CVE">Common Vulnerabilities and Exposures</a> (CVEs) in them. If someone&rsquo;s using six-year-old code to build a new platform, that&rsquo;s a process issue. We know how to fix this, but we don&rsquo;t.</p> <p>Only once you&rsquo;ve done all that, should we risk manage residual issues. But we&rsquo;re not doing the big picture. Very few people in security are bringing that total business lifecycle so that management appreciates the real cost. The reaction I get from CISOs and security leaders usually falls into two camps.</p> <p>The first is: &ldquo;Yeah, I get it but please shut up because I like my job security.&rdquo; We don&rsquo;t want to fix the problem because it threatens our employment! Really, if you’re the one fixing the problem, you become far more valuable. This is how I&rsquo;ve grown in my career – not by creating more problems to keep me busier, but by learning to fix bigger problems that create value.</p> <p>The second reaction, which is quite common, is a problem of structure. It&rsquo;s: &ldquo;Yes, Greg, I understand that these process issues somewhere upstream are causing me all this work and it&rsquo;s costing the business all this money to mitigate and remediate, but I don&rsquo;t own those things. I don&rsquo;t own the IT department. I don&rsquo;t own the engineering function. I don&rsquo;t own the fact that the salespeople put contract data in this platform. So I can&rsquo;t do any of that.&rdquo;</p> <p>And I think that’s a truth. 
But now that you’ve identified the problem, you need to influence processes somewhere else to create a structure where you can drive change even though you don&rsquo;t own it.</p> <p>Every security issue is a quality issue, but not every quality issue is a security issue – but the root causes can be the same. So, if I fix whatever causes my engineering teams to produce a lot of vulnerabilities in what they develop, quite often I end up with cleaner code. It runs faster, it&rsquo;s more stable, my customers are happier.</p> <blockquote> <p><strong>&ldquo;Every security issue is a quality issue, but not every quality issue is a security issue – but the root causes can be the same.&quot;</strong></p> </blockquote> <p>My AWS compute costs go down dramatically. And you end up saving the business a lot of money because you&rsquo;re making quality enhancements that go beyond just removing vulnerabilities. They remove other defects, they improve performance, they improve reliability. There&rsquo;s a lot of benefits and they&rsquo;re all cumulative and sustainable.</p> <p><strong>MF: It sounds like you&rsquo;ve met some resistance when spreading your thesis out in the world. Can you talk about the differences between the companies that are very receptive to this type of approach versus the ones that aren’t?</strong></p> <p><strong>GVDG:</strong> There&rsquo;s a real lack of accountability in security. There&rsquo;s a lot of elitism. 
We&rsquo;ve all sat in the room with security people badmouthing the users and the business, like: &ldquo;Oh, management won&rsquo;t give us money.” But we&rsquo;re all very confident about how important we are.</p> <p>But if I go up to your head of InfoSec, who is asking for $2 million of security spending, and I ask them, &ldquo;Will there be a positive return on investment for the business?&rdquo; They&rsquo;re absolutely adamant: &ldquo;Oh yes, yes, we’ll definitely save money this way.&rdquo; I’m like: &ldquo;OK, how about you pay for it yourself and then you get to keep all the ROI?&rdquo; All of a sudden, no one&rsquo;s very sure anymore.</p> <p>I often say that security in many ways is the best job in the world because no one really understands what you&rsquo;re supposed to be doing. No one knows whether you&rsquo;re actually doing it. And, if you screw up bad enough, they triple your budget!</p> <p>When I would go into a place as an auditor or a consultant, especially as a consultant, where you&rsquo;re really trying to help them, they would get very upset at you.</p> <p>They don&rsquo;t like you criticizing or pointing things out that they didn&rsquo;t think of. It&rsquo;s very much like you&rsquo;re calling my baby ugly. It gets hostile very quickly.</p> <p>But, if you put the same group of people in a room and you&rsquo;re not talking about their business specifically – you start explaining the concepts – then they just kind of light up and say: &ldquo;This makes a lot of sense.&rdquo;</p> <p>They&rsquo;re very keen to go into work the next day and start applying the principles because you haven&rsquo;t insulted them directly. You&rsquo;ve given them an idea, an approach that they can implement, take credit for, and then they&rsquo;re all too happy to do it. 
But the direct approach tends to be very, very difficult.</p> <p><strong>MF: It&rsquo;s easier to say &ldquo;well, we mitigated these 47 vulnerabilities this year&rdquo; than it is to say &ldquo;nothing happened this year again. We&rsquo;re all set.&rdquo; How do you change the conversation to: “This is how you should start advocating for changes so that people can see the value. Because if you don&rsquo;t, the bottom line is going to win out over everything else.&quot;</strong></p> <p><strong>GVDG:</strong> I think risk quantification is quite interesting but also pointless. Because OK, we removed 47 vulnerabilities, but what is the actual value of those vulnerabilities? Risk management calculations are – even the quantitative ones – extremely arbitrary.</p> <p>And the next thing you know, it&rsquo;s like, &ldquo;Well, yeah, you removed vulnerabilities, but it&rsquo;s actually running on a hypervisor running Windows 2008.&rdquo;</p> <p>Everything you&rsquo;ve done can be circumvented like that. So how can you stand behind that value? I think risk quantification as a whole is very tricky because there&rsquo;s no way of saying what those risks actually cost or whether they would&rsquo;ve been exploited or not.</p> <p>One of the points I like to make sometimes is this. You say: &ldquo;We&rsquo;ve done all the calculations and we&rsquo;ve got an annualized loss expectancy for this risk of £200,000. We can mitigate it 90% for £50,000.&rdquo;</p> <p>That&rsquo;s a good ROI if that quantification is accurate, which I highly doubt it is. But let&rsquo;s assume it is. But then, what if you increase the scope of it: &ldquo;We&rsquo;re going to spend, let&rsquo;s say £50K to eliminate a risk of £100K. What could marketing do with an extra £50K?&rdquo;</p> <p>And if the answer is, &ldquo;Well, marketing could probably give us an extra million quid in sales if we give £50K,&rdquo; does it still make sense to spend that money in security? 
Isn&rsquo;t it better for the business to not do the security and do the marketing instead? How do you reconcile that?</p> <p>I don&rsquo;t think security should be risk-led at all. I think it should be business-led and a quality function – fixing your engineering defects.</p> <blockquote> <p><strong>&ldquo;I don&rsquo;t think security should be risk-led at all. I think it should be business-led.&quot;</strong></p> </blockquote> <p>For example, by fixing the engineering defects that are introducing the security vulnerabilities, I am lowering your AWS costs by €2 million a year. I’m doing a security review of your Salesforce (this is an actual scenario), in which I spent €20,000 and have removed all the excess accounts, reducing your spend on Salesforce by €48,000 per year. I&rsquo;ve just made you money by securing you.</p> <p>If you look at security as a quality function on pure cost savings and agility enablement, you can justify it. The risk reduction is a byproduct. You don&rsquo;t even have to count it. It&rsquo;s just gravy. That&rsquo;s the approach I&rsquo;ve been taking because I can actually save the company more than double the cost of the security function – demonstrably.</p> <p>I probably can&rsquo;t even demonstrate half of what I&rsquo;m saving them, but I can demonstrate that I&rsquo;m saving them more than what they&rsquo;re paying me!</p> <p><strong>MF: Where can folks go to learn more about you and the consultancy work? How do they bring you in and have you help them put some of this stuff into practice?</strong></p> <p><strong>GVDG:</strong> I wrote a book about three and a half years ago called <em><a href="https://www.amazon.com/Rethinking-InfoSec-Thoughts-Information-Leadership/dp/B0863TWXX6">Rethinking InfoSec</a></em>, which was just an amalgamation of articles. 
I&rsquo;ve recently done a collaboration with Hitachi Vantara, a book called <em><a href="https://www.amazon.com/What-Call-Security-Greg-Gaast/dp/B0CHL7R149">What We Call Security</a></em>. That one is really calling out this quality approach because what we are doing simply is not working. Every year we spend more and every year we spend more as a percentage of budget. It&rsquo;s unsustainable.</p> <p>I&rsquo;m also starting a new consultancy. I&rsquo;ve not actually launched it, but by March it&rsquo;ll be out there. The website&rsquo;s up, it&rsquo;s <a href="https://www.sequoia-consulting.co.uk/">sequoia-consulting.co.uk</a>. I&rsquo;m hoping to really help people address these high-level, strategic structural leadership issues.</p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Subscribe to Random but Memorable</h3> <p class="c-call-to-action-box__text"> Listen to the latest news, tips and advice to level up your security game, as well as guest interviews with leaders from the security community. 
</p> <a href="https://randombutmemorable.simplecast.com/" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Subscribe to our podcast </a> </div> </section></description></item><item><title>Save and sign in to Android apps with passkeys using 1Password</title><link>https://blog.1password.com/save-use-passkeys-android/</link><pubDate>Tue, 05 Mar 2024 00:00:00 +0000</pubDate><author>info@1password.com (Travis Hogan)</author><guid>https://blog.1password.com/save-use-passkeys-android/</guid><description> <img src='https://blog.1password.com/posts/2024/save-use-passkeys-android/header.png' class='webfeedsFeaturedVisual' alt='Save and sign in to Android apps with passkeys using 1Password' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Android enthusiasts, your time has come. If you own a phone or tablet running Android 14 or higher, you can now save and sign in to many Android apps using passkeys.</p> <p>Today’s announcement builds on the passkey support <a href="https://blog.1password.com/save-use-passkeys-web-ios/">we released for the desktop version of 1Password in the browser and 1Password for iOS</a> last year. Mac, Windows, iOS, Android – no matter your platform preference, you can now go passwordless and start unlocking the web in a faster and more secure way.</p> <p>We&rsquo;re thrilled that so many people have started using passkeys, and are delighted that Android device owners can now embrace them too.</p> <h2 id="what-is-a-passkey">What is a passkey?</h2> <p><a href="https://blog.1password.com/what-are-passkeys/">Passkeys</a> are a new kind of login credential that lets you quickly and securely log in to accounts on your desktop and mobile devices. 
They’re a form of passwordless authentication – so there’s no password involved – that is backed by the largest technology companies and built on open industry standards.</p> <p>Curious how passkeys work? Behind the scenes, the passwordless credential relies on <a href="https://blog.1password.com/what-is-public-key-cryptography/">public-key cryptography</a>. That means every passkey consists of two parts: a private key and a public key. The private key is just that – private – and never shared with the service you’re signing in to. The other part is the public key, which is seen and stored by the website or app.</p> <p>When you sign in with a passkey, the website or app creates a technical &ldquo;challenge&rdquo;, which is a bit like a special puzzle. You &ldquo;sign&rdquo; this challenge with your private key, and the website or app then verifies the signature using your public key. This quick back-and-forth relies on an API called <a href="https://blog.1password.com/what-is-webauthn/">WebAuthn</a>, which was developed by the FIDO Alliance (1Password is a member of the Alliance!).</p> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div class="c-technical-aside-box__description"> <p>Read our <a href="https://blog.1password.com/passkeys-faqs/">passkeys FAQs</a> blog post to learn more about this new type of login credential.</p> </div> </aside> <h2 id="passkeys-vs-passwords">Passkeys vs. passwords</h2> <p>You can think of passkeys as the modern successor to passwords.
Here are just a few ways that the two differ:</p> <ul> <li><strong>Every passkey is strong by default.</strong> When you create a password, it’s possible to choose something weak like <span class="c-password c-password__displayinlineflex"> <span class="c-password__letter">p</span> <span class="c-password__letter">a</span> <span class="c-password__letter">s</span> <span class="c-password__letter">s</span> <span class="c-password__letter">w</span> <span class="c-password__letter">o</span> <span class="c-password__letter">r</span> <span class="c-password__letter">d</span> <span class="c-password__digits">1</span> <span class="c-password__digits">2</span> <span class="c-password__digits">3</span> </span> and reuse it across multiple accounts. Not so with passkeys. They’re always strong and can only be used for one website or app.</li> <li><strong>Passkeys are phishing resistant.</strong> Passkeys can’t be phished like a traditional password because the underlying private key never leaves your device.</li> <li><strong>Passkeys can’t be stolen in a data breach.</strong> If one or more hackers breach a website or app, they <em>might</em> find some passwords.
But if you secure your account with a passkey, the best the attacker can hope to find is your public key – which is useless without the associated private key.</li> </ul> <h2 id="using-passkeys-with-1password-on-android-what-you-need-to-know">Using passkeys with 1Password on Android: What you need to know</h2> <p>Here’s what you need to start saving and signing in to Android apps with passkeys:</p> <ul> <li>An Android device running <a href="https://www.android.com/android-14/">Android 14</a> or higher.</li> <li>The latest version of <a href="https://1password.com/downloads/android/">1Password for Android</a>.</li> <li>An Android app that supports passkeys.</li> </ul> <aside class="c-technical-aside-box c-technical-aside-box--background" aria-labelledby="what-about-websites"> <h2 class="c-technical-aside-box__title" id="what-about-websites"> What about websites? </h2> <div class="c-technical-aside-box__description"> <p>Google is working on a new API that will enable 1Password to create and use passkeys on websites via Chrome for Android. 1Password is ready and will support these APIs as soon as they’re available, giving you more ways to save and sign in with passkeys. We’ll share more information soon – watch this space!</p> </div> </aside> <p>Remember: You can also use 1Password on any Android device to view, organize, share, and delete your saved passkeys.</p> <h2 id="1password-vs-googles-passkey-solution">1Password vs. Google’s passkey solution</h2> <p>You might be wondering: what&rsquo;s the benefit of saving my passkeys in 1Password instead of Google Password Manager? It&rsquo;s a great question.</p> <p>Here are two reasons to choose 1Password:</p> <ol> <li> <p><strong>1Password works everywhere.</strong> Google Password Manager is designed to work in three places only: Android, Chrome, and ChromeOS. 
1Password, meanwhile, has thoughtfully-designed apps for every platform and supports every major web browser including Chrome, Firefox, Edge, Brave, and Safari.</p> </li> <li> <p><strong>1Password helps you organize your entire digital life.</strong> Google Password Manager is focused on passwords and passkeys. 1Password goes beyond a simple password manager by letting you store, manage, share, and conveniently autofill credit card numbers, addresses, documents, and all of your other sensitive information.</p> </li> </ol> <h2 id="start-using-passkey-logins-on-android">Start using passkey logins on Android</h2> <p>Creating a passkey for the first time couldn’t be more straightforward. First, open <a href="https://support.1password.com/watchtower/#find-websites-that-support-passkeys">Watchtower</a> (you’ll find it in the navigation bar at the bottom of 1Password for Android) to see which of your logins can be updated to use a passkey.</p> <p>We recommend these three Android apps if you’ve never created or used a passkey login before:</p> <ol> <li>Amazon</li> <li>Uber</li> <li>WhatsApp</li> </ol> <p>If it’s not already on your device, download the relevant Android app from the Google Play Store. Next, open the app and select the option to start using a passkey – it may be on the sign-in screen or in your account settings. Follow the instructions and, if prompted, choose to save your passkey in 1Password.</p> <img src="https://blog.1password.com/posts/2024/save-use-passkeys-android/passkeyandroiduber.png" alt="An Android device asking the user to confirm that a new passkey for Uber should be saved in 1Password." title="An Android device asking the user to confirm that a new passkey for Uber should be saved in 1Password." 
class="c-featured-image"/> <p>Once you’ve created and saved a passkey, you can use it every time you want to sign in to the associated account.</p> <p>We’re delighted that so many Android developers have already updated their apps to support passkeys, and look forward to seeing the options grow in the coming months.</p> <h2 id="passkeys-are-the-future">Passkeys are the future</h2> <p>We&rsquo;ve said it before and we&rsquo;ll say it again: we&rsquo;re all in on <a href="https://1password.com/product/passkeys">passkeys</a>, and believe they&rsquo;re our ticket to a truly passwordless future. This type of login credential offers a faster and more secure way to sign in to online accounts. It&rsquo;s supported by a growing number of websites and apps, as well as all of the major operating systems and password managers like 1Password.</p> <p>If you want to be an early adopter and fully embrace this new era of online security, 1Password is the way to do it. For years, we&rsquo;ve offered a safe home for your passwords, credit cards, medical records, and more. And we haven’t tied you down into any specific platform or ecosystem. Now you can add passkeys to the list of data that 1Password keeps secure at your fingertips.</p> <div class="c-call-to-action"> <section class="c-call-to-action-box c-call-to-action-box--purple"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Save and sign in to Android apps with passkeys</h3> <p class="c-call-to-action-box__text"> Ready to create some passkeys? Learn how to get started with 1Password for Android. 
</p> <a href="https://support.1password.com/android-autofill/#save-and-sign-in-with-passkeys" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--purple" data-event-category="CTA" data-event-action="call-to-action-button"> Get started with passkeys </a> </div> </section> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Start using passkeys on Android with 1Password</h3> <p class="c-call-to-action-box__text"> Save, manage, and securely share passkeys on your Android devices using 1Password for Android. </p> <a href="https://1password.com/downloads/android/" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Download 1Password for Android </a> </div> </section> </div></description></item><item><title>Why cybersecurity needs to be at the top of IT’s to-do list</title><link>https://blog.1password.com/why-cybersecurity-for-businesses-matters/</link><pubDate>Thu, 29 Feb 2024 00:00:00 +0000</pubDate><author>info@1password.com (Stacey Harris)</author><guid>https://blog.1password.com/why-cybersecurity-for-businesses-matters/</guid><description> <img src='https://blog.1password.com/posts/2024/why-cybersecurity-for-businesses-matters/header.png' class='webfeedsFeaturedVisual' alt='Why cybersecurity needs to be at the top of IT’s to-do list' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">When you work in IT, you have <em>a lot</em> to manage. 
And while everything can feel critical, keeping the computers on might not mean much if your small business experiences a data breach.</p> <p>According to recent reports, cyber attacks are currently disproportionately targeting small businesses.</p> <blockquote> <p><strong>“70% of cyber attacks target small businesses”</strong> – <em><a href="https://markets.businessinsider.com/news/stocks/cybercriminals-narrow-their-focus-on-smbs-according-to-the-acronis-cyberthreats-report-mid-year-update-1030688981">Business Insider</a></em></p> </blockquote> <p>With the <a href="https://newsroom.ibm.com/2023-07-24-IBM-Report-Half-of-Breached-Organizations-Unwilling-to-Increase-Security-Spend-Despite-Soaring-Breach-Costs">average global cost of a data breach being $4.45 million</a>, many small business owners simply don’t have the capital to survive the damage caused by a cyber attack. Between losing critical data, the time spent trying to recover, and the loss of customer trust, it’s not surprising that 60% of small and medium-sized businesses (SMBs) that are hacked go out of business within six months.</p> <p>But while the stakes may be high, IT teams can protect their businesses by bumping security up their to-do list and prioritizing proactive security measures.</p> <h2 id="risks-companies-face">Risks companies face</h2> <p>There are many different types of cyber attacks businesses need to protect against, but we’re going to focus on four threats: phishing, weak passwords, reused passwords, and shadow IT. All of these risks have one thing in common: credentials.</p> <h3 id="phishing">Phishing</h3> <p><a href="https://blog.1password.com/what-is-phishing-and-how-can-you-protect-your-business/">Phishing</a> attacks are a type of scam designed to trick people into sharing sensitive information.
They often take the form of emails, and the cybercriminals behind them are after passwords, logins, or other secrets that they can use to gain access to secure systems.</p> <h3 id="reused-passwords">Reused passwords</h3> <p><a href="https://blog.1password.com/how-to-protect-yourself-from-password-reuse-attacks">Password reuse</a> is one of the most common security vulnerabilities businesses face. If the same password is used for multiple accounts, a hacker just needs one login to gain access to all of the other accounts. So if a single reused password is caught in a data breach, it could lead to multiple accounts being compromised.</p> <h3 id="weak-passwords">Weak passwords</h3> <p>Probably the most obvious risk is <a href="https://blog.1password.com/what-is-dictionary-attack/">weak passwords</a> that are easily guessed or cracked. Brute force, dictionary, and <a href="https://blog.1password.com/what-is-social-engineering-hacking-101/">social engineering</a> attacks are all common attack types that take advantage of weak passwords.</p> <h3 id="shadow-it">Shadow IT</h3> <p><a href="https://blog.1password.com/challenges-of-shadow-it/">Shadow IT</a> refers to the apps your employees use that IT doesn’t know about. If a password is caught up in a data breach in a shadow IT app, the IT team would have no way of knowing to ask employees to update passwords on those accounts, or whether any important information has been exposed.</p> <h2 id="why-credential-security-is-important">Why credential security is important</h2> <p>Credentials are basically the lock on the digital front door of your business. But unlike a physical building with one or two entrances, your online space can have infinite entry points.</p> <p>Indeed, each new account for every app by every employee creates a new door that gets locked behind a password.
This exposure is what makes access control one of the most important parts of your cybersecurity strategy.</p> <h2 id="how-these-risks-manifest-in-businesses">How these risks manifest in businesses</h2> <p>If every login is a door into your business, then the employees who create those logins are the ones holding the keys. When it comes to credential security, employees aren’t deliberately putting their company at risk when they fall for phishing scams, or when they use weak passwords or apps that fall outside of security’s purview.</p> <p>Like IT teams, employees are trying to get their work done. Security policies can sometimes feel like a barrier to that end goal. Having to remember multiple complicated passwords slows down sign-ins when employees just want to get into an app. It’s convenient to use the same password for everything, but it’s definitely not secure.</p> <p>And when it comes to using apps outside of the IT team’s purview, employees are usually just trying to use the best tool available. With a long to-do list, IT teams don’t always have time to review apps, and so employees just quietly use what they need in the shadows.</p> <p>So what can IT teams do?</p> <h2 id="challenges-it-face">Challenges IT teams face</h2> <p>IT teams in small businesses are, unsurprisingly, usually quite small – sometimes even having just one person responsible for IT, security, and more.</p> <p>Trying to manage security effectively alongside competing IT and business responsibilities means constantly juggling priorities. With limited bandwidth, to-do lists get reordered again and again just to stay on top of incoming requests, leaving little room for proactive work.</p> <p>The way work gets done has significantly shifted as businesses move to hybrid models and some require employees to use their own devices.
And as new apps to get work done come into play the challenge to secure every employee, on every app, in any location is only becoming more complicated.</p> <p>Even if an IT team has managed to put security policies in place, making sure employees are following them is a whole other story. It can be easy to think security challenges are the IT team&rsquo;s responsibility, but business cybersecurity is a team sport – you’re only as strong as your weakest link.</p> <h2 id="protect-your-business-from-cyber-attacks">Protect your business from cyber attacks</h2> <p>Creating <a href="https://blog.1password.com/remote-companies-culture-of-security/">a culture of security</a> helps your team prioritize while also working with them. A few high level ways you can make the two work in harmony are by providing flexibility, increasing security adoption, and improving your overall security posture.</p> <p>Security and productivity don’t have to be a one-or-the-other option. Check out our ebook <em><a href="https://1password.com/resources/small-business-large-security-risk/?utm_ref=blog">Small business. Large security risks.</a></em> for a more detailed look on how to keep your business safe <em>and</em> productive.</p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Small business. Large security risks.</h3> <p class="c-call-to-action-box__text"> Read this ebook to learn how securing access to sensitive information and maintaining productivity doesn’t have to be a one-or-the-other option. 
</p> <a href="https://1password.com/resources/small-business-large-security-risk/?utm_ref=blog" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Download now </a> </div> </section></description></item><item><title>How to keep your work and personal items separate in 1Password</title><link>https://blog.1password.com/keep-work-personal-items-separate/</link><pubDate>Wed, 28 Feb 2024 00:00:00 +0000</pubDate><author>info@1password.com (Rob Boone)</author><guid>https://blog.1password.com/keep-work-personal-items-separate/</guid><description> <img src='https://blog.1password.com/posts/2024/keep-work-personal-items-separate/header.png' class='webfeedsFeaturedVisual' alt='How to keep your work and personal items separate in 1Password' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">1Password doesn&rsquo;t just keep your personal and work-related data safe. <a href="https://blog.1password.com/email-domain-policy/">It also helps you keep them separate</a> – and your company&rsquo;s 1Password Business accounts include <a href="https://support.1password.com/link-family/">free 1Password Families memberships for all team members</a>.</p> <p>1Password Families is a personal account for you and up to 5 family members. It works in much the same way your business account does – but instead of being owned by the company, you own it. And instead of admins managing the account, family organizers manage it (that&rsquo;s you, and anyone else you designate).</p> <p>Because you own the account, if you and your employer ever part ways, you can keep using your Families account by simply updating your payment method. 
Access won&rsquo;t be interrupted, and the personal data in your account will remain yours, completely unaffected by your departure from your company.</p> <p><strong>Employers never have visibility or access to anything stored in personal accounts.</strong> In fact, your company’s 1Password Business account and your 1Password Families account aren’t connected in any technical way. You simply have access to a free 1Password Families account by virtue of your employer’s 1Password Business account.</p> <div class="table-overflow"> <table> <thead> <tr> <th><strong>1Password Business</strong></th> <th><strong>1Password Families</strong></th> </tr> </thead> <tbody> <tr> <td>Managed by your employer</td> <td>Managed by you and/or a family organizer</td> </tr> <tr> <td>Paid for by your employer</td> <td>Free when linked to a Business account. Paid for by you if you leave the business account</td> </tr> <tr> <td>The account can be deleted by your employer at any time</td> <td>The account can only be deleted by a family organizer in your family account</td> </tr> </tbody> </table> </div> <p>Why offer free Families memberships to 1Password Business team members? Because separating your business and personal information and logins helps foster the ideal security culture: work information in 1Password Business accounts; personal information in 1Password Families accounts.</p> <p>Mixing personal information with work information is a risk for you and for the company – especially when either one contains vulnerabilities like weak or reused passwords.</p> <p>More than that, though, we offer free Families accounts for the same reason we offer 1Password at all, to anyone, and for the same reason we built it back in 2006. It should be easy to navigate your digital life securely. 
Every protected login is a win.</p> <h2 id="how-to-redeem-your-free-1password-families-account">How to redeem your free 1Password Families account</h2> <p>Redeeming your free 1Password Families account is easy. Follow these steps if you haven’t yet redeemed a Families membership:</p> <ol> <li>Sign in to your 1Password Business account on <a href="https://start.1password.com/signin">1Password.com</a>.</li> <li>Click your name in the top right and select My Profile.</li> <li>In the “Claim your free family account” section, select Redeem Now.</li> <li>Select Sign up (and remember to use your personal email address, not your work email).</li> </ol> <p>If you do already have a 1Password Families membership, you can use it for free by linking it to your 1Password Business account:</p> <ol> <li>Sign in to your 1Password Business account on <a href="https://start.1password.com/signin">1Password.com</a>.</li> <li>Click your name in the top right and choose My Profile.</li> <li>In the “Claim your free family account” section, select Redeem Now.</li> <li>Select “Apply to existing account”.</li> <li>Sign in to your Families account, then select Apply.</li> </ol> <h2 id="how-to-move-items-from-your-1password-business-account-to-your-families-account">How to move items from your 1Password Business account to your Families account</h2> <p>If your 1Password Business admin has enabled the <a href="https://blog.1password.com/email-domain-policy/">policy to help separate work and personal information</a>, 1Password <a href="https://support.1password.com/watchtower/">Watchtower</a> can let you know if any items may be in the wrong account. In addition to tiles for things like weak passwords or compromised websites in Watchtower, you’ll see a tile for items you may want to move. 
Select “Show all items” to see them all as a list.</p> <img src="https://blog.1password.com/posts/2024/keep-work-personal-items-separate/itemdomainprompt.png" alt="An item in 1Password with a prompt that says &#39;this item may belong in another account.&#39;" title="An item in 1Password with a prompt that says &#39;this item may belong in another account.&#39;" class="c-featured-image"/> <p>To clean up your work and personal accounts, and make sure each item is in the appropriate account, you can drag-and-drop items between vaults.</p> <p>If you&rsquo;re using 1Password for Mac, Windows, or Linux, make sure you&rsquo;re signed in to both your Business and Families accounts, and click your account or collection at the top of the sidebar and choose <strong>All Accounts</strong>. Then, just drag existing items to a new vault to move them.</p> <p>If you&rsquo;re using 1Password on iOS or Android, select (or multi-select) the items you want to move. Next, tap the item menu and select &ldquo;Move,&rdquo; then choose the vault to move the item(s) to.</p> <p>Visit 1Password Support for <a href="https://support.1password.com/move-copy-items">complete instructions for all platforms</a>.</p> <h2 id="get-started-with-1password-families">Get started with 1Password Families</h2> <p>1Password Families is the easiest way to protect and securely share passwords, financial accounts, credit cards, and other sensitive information with the whole family. 
Learn how to <a href="https://support.1password.com/explore/get-started-families/">invite your family, create a recovery plan, and more by visiting 1Password Support</a>.</p></description></item><item><title>1Password product enhancements [Winter edition]: Password autofill, saving, and more</title><link>https://blog.1password.com/autofill-saving-extension-improvements/</link><pubDate>Tue, 27 Feb 2024 00:00:00 +0000</pubDate><author>info@1password.com (Matt Grimes)</author><guid>https://blog.1password.com/autofill-saving-extension-improvements/</guid><description> <img src='https://blog.1password.com/posts/2024/autofill-saving-extension-improvements/header.png' class='webfeedsFeaturedVisual' alt='1Password product enhancements [Winter edition]: Password autofill, saving, and more' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Fumbling with an app when you&rsquo;re already stressed? We know the struggle. Also, is it just us, or does it always happen when you’re already having a bad day?</p> <p>It may seem silly, but sometimes, a few extra clicks or typing can feel painful when you’re just trying to get stuff done.</p> <p>That&rsquo;s why, in 2024, we&rsquo;re focused on making 1Password smoother, simpler, and more intuitive. We’re dedicated to making sure the <a href="https://support.1password.com/1password-security/">secure thing</a> is always the easy thing.</p> <p>Throughout the year, we’ll continually improve 1Password so it can reliably work as you expect. No more struggles. We&rsquo;ll keep you updated on added and improved features along the way, because every click and tap should feel effortless. The seamless experience you deserve.</p> <h2 id="improving-password-autofill-browser-extension-functionality-and-more-in-1password">Improving password autofill, browser extension functionality, and more in 1Password</h2> <p>Since the end of 2023, we&rsquo;ve already made nearly 200 updates to 1Password. 
These updates focused on overall performance, reliability, and usability with the goal of simply making sure things work better.</p> <p>This round, we devoted our energy to the browser extension experience and search within the 1Password apps because they are the quickest, most effective tools to find and use your passwords while online. We’ll be working on plenty more updates in the near future, so stay tuned!</p> <p>In this blog, we’re sharing some highlights on how we’ve improved several different features in the 1Password web browser extensions and 1Password apps, including:</p> <p><strong>1Password browser extensions</strong>:</p> <ul> <li>Consistent password autofill experience.</li> <li>Credential management and search with smart titles.</li> <li>Better syncing when on or offline.</li> <li>Saved time with 1Password for Chrome updates.</li> <li>Improved 1Password for Safari autofill suggestions.</li> <li>Save login improvements in the 1Password beta extensions.</li> </ul> <p><strong>1Password apps</strong>:</p> <ul> <li>Search improvements in the 1Password apps.</li> </ul> <p>If you’d like to learn more about all the updates we’ve made, <a href="https://releases.1password.com/">check out our release notes</a> for all the details.</p> <h2 id="a-consistent-password-autofill-experience-for-the-browser-extension">A consistent password autofill experience for the browser extension</h2> <p>Some web elements used to prevent the autofill dropdown menu from appearing or prevent autofill on login forms on certain websites.</p> <p>We’ve addressed this, so you can now seamlessly autofill on more sites, login forms, and much more! The 1Password browser extension will now work more reliably in username fields, email fields, addresses, and form credentials. 
The extension will also autofill more efficiently on hundreds of sites, like Reddit and CVS.</p> <p>Plus, we made a fix for many popular sites, like Walmart and ESPN, that used to close the 1Password browser extension before it could complete autofilling.</p> <h2 id="streamlined-credential-management-and-search-with-smart-titles-for-the-browser-extension">Streamlined credential management and search with smart titles for the browser extension</h2> <p>The 1Password browser extension now leverages smart titles for the top 900+ sites online. Previously, a site like American Airlines might have been automatically labeled simply as &ldquo;AA&rdquo; for the title of the item, but now, it&rsquo;s accurately and automatically titled as &ldquo;American Airlines,&rdquo; making it more contextually relevant to the item you’re saving.</p> <img src="https://blog.1password.com/posts/2024/autofill-saving-extension-improvements/Smart%20Titles.png" alt="The Save Item option in 1Password saving the correctly-titled American Airlines item." title="The Save Item option in 1Password saving the correctly-titled American Airlines item." class="c-featured-image"/> <p>This makes creating and saving new items faster and more accurate, and also makes it much easier to search for and find items later on.</p> <h2 id="better-syncing-for-the-browser-extension-whether-youre-on-or-offline">Better syncing for the browser extension whether you’re on or offline</h2> <p>If you’ve dealt with the pain of an unstable internet connection, you’ll love this update. Before, if you tried to save an item in the browser extension but you were offline, the item would save locally in the extension, but wouldn’t sync across your other 1Password apps, like on your phone or tablet. 
That means you couldn&rsquo;t access that item until the connection was re-established, which wasn&rsquo;t happening quickly enough.</p> <p>Now, the browser extension will better recognize when you&rsquo;re on or offline, meaning if you&rsquo;re ever disconnected and then reconnected to the internet, your password will save and sync across all the 1Password apps faster.</p> <h2 id="save-time-and-avoid-disruptions-with-1password-for-chrome-updates">Save time and avoid disruptions with 1Password for Chrome updates</h2> <p>If you&rsquo;re a Chrome user, you know the browser updates quite often as Google pushes out new features and security updates for users. Previously, this caused interruptions in the connection between the 1Password for Chrome browser extension and the 1Password desktop app, leading to frequent password re-entry to unlock the extension again after Chrome updates.</p> <p>We heard your feedback on how frustrating that was, so now, whenever Chrome issues a pending update, you’ll no longer need to unlock 1Password, so you experience fewer interruptions to your daily tasks.</p> <img src="https://blog.1password.com/posts/2024/autofill-saving-extension-improvements/Chrome%20Update%20Fix.png" alt="The Chrome browser showing an available update with a 1Password prompt asking you to unlock 1Password." title="The Chrome browser showing an available update with a 1Password prompt asking you to unlock 1Password." class="c-featured-image"/> <p>With this new update, we estimate that we prevented nearly 20 million instances of unexpected re-authentication. With each login taking about two seconds, we&rsquo;ve collectively saved our customers approximately 462 days&rsquo; worth of time. That’s enough time to watch the entire The Lord of the Rings Trilogy Extended Edition 932 times or sail a pirate ship across the Atlantic Ocean 18 and a half times. 
Phew, that&rsquo;s a lot of time saved!</p> <h2 id="find-exactly-what-youre-looking-for-with-1password-for-safari-updates">Find exactly what you’re looking for with 1Password for Safari updates</h2> <p>Before, the 1Password for Safari browser extension didn’t filter suggestions in the autofill menu like it did for extensions for other browsers, like Chrome and Firefox.</p> <img src="https://blog.1password.com/posts/2024/autofill-saving-extension-improvements/Safari%20Filtering.png" alt="The username field on a form with the 1Password autofill dropdown showing login options." title="The username field on a form with the 1Password autofill dropdown showing login options." class="c-featured-image"/> <p>We’ve fixed that, now making it easier to find and autofill the right details depending on what site you’re on – plus, if you have to use different browsers for any reason or end up switching some day, you can expect a consistent and familiar 1Password experience.</p> <h2 id="auto-save-and-submit-logins-automatically-in-the-1password-beta-extensions">Auto save and submit logins automatically in the 1Password beta extensions</h2> <p>Now in the 1Password beta extensions, when you sign in to a site that you haven’t yet stored a credential for, 1Password will automatically create and save the credential for you after you’ve logged in – meaning you no longer have to manually save an item before you sign in.</p> <p>Not only does this make saving your logins easier, but it also means you no longer have to manually update an item if you entered the wrong username or password and already saved it to 1Password.</p> <p>But wait, there&rsquo;s more!</p> <p>Autofilling credentials is handy, but you often have to manually submit the form you&rsquo;ve filled, keep clicking to progress through multiple pages, and select autofill again in the next form fields that could come up, like two-factor authentication (2FA).</p> <img 
src="https://blog.1password.com/posts/2024/autofill-saving-extension-improvements/Autosave%20Preview.png" alt="A 1Password prompt in the browser offering to save a login in 1Password." title="A 1Password prompt in the browser offering to save a login in 1Password." class="c-featured-image"/> <p>That&rsquo;s too much work, so we&rsquo;ve introduced improved autofill automation for your logins. Now, once you&rsquo;ve selected a credential to autofill, the rest of the process autofills, auto-submits, and auto-progresses through multi-page sign-ins all on its own, including 2FA codes.</p> <h2 id="improved-search-in-the-1password-apps">Improved search in the 1Password apps</h2> <p>Previously, if you were searching for something in 1Password, the result would be shown within a list of all your 1Password items. This means if you picked the wrong item or wanted to look at multiple items with similar characteristics, you had to start your search completely over. Now, we only show you the list of items that match your search until you initiate a new search.</p> <p>Plus, <a href="https://support.1password.com/search-1password/#search-filters-mac">search filters</a> are now visible and usable across all of the 1Password apps. This means you can easily see all of your recently searched items on all devices for faster searching. We’ve also improved functionality to support search queries from customers, so we will keep making search even better this year.</p> <h2 id="were-always-listening">We’re always listening</h2> <p>We’re continuously working to make sure 1Password is simplifying your online world, all while keeping you safe. 
With <a href="https://1password.com/business-pricing">subscriptions</a> based on your needs, you can protect <a href="https://1password.com/personal">yourself</a>, your <a href="https://1password.com/business">business</a>, and even an <a href="https://1password.com/enterprise">enterprise</a>, with the most reliable password manager around.</p> <p>Your feedback about 1Password is incredibly valuable to us. Without you, we wouldn’t have been able to make all these improvements, or all the ones to come. Keep letting us know what you think – <a href="https://1password.community/">we can’t wait to hear from you!</a></p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Ready to protect yourself?</h3> <p class="c-call-to-action-box__text"> Keep all of your accounts secure with 1Password, the world’s most-trusted password manager. Get started today with a free 14-day trial. 
</p> <a href="https://1password.com/pricing/" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Try free for 14 days </a> </div> </section></description></item><item><title>Improving productivity and minimizing cybersecurity costs for distributed teams</title><link>https://blog.1password.com/improve-productivity-minimize-cost-distributed-teams/</link><pubDate>Wed, 21 Feb 2024 00:00:00 +0000</pubDate><author>info@1password.com (Rob Boone)</author><guid>https://blog.1password.com/improve-productivity-minimize-cost-distributed-teams/</guid><description> <img src='https://blog.1password.com/posts/2024/improve-productivity-minimize-cost-distributed-teams/header.png' class='webfeedsFeaturedVisual' alt='Improving productivity and minimizing cybersecurity costs for distributed teams' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">This is the fourth and final post in a series on how to secure your hybrid workforce. For a complete overview of the topics discussed in this series, download <em><a href="https://1password.com/resources/access-management-ebook/?utm_ref=blog">The new perimeter: Access management in a hybrid world</a></em>.</p> <p>In the initial post in this series, we outlined four key considerations to securing your hybrid workforce: identity, shadow IT, the security vs. productivity tradeoff, and security costs.</p> <p>Now that we&rsquo;ve seen why <a href="https://blog.1password.com/identity-security-in-hybrid-work-environments/">identity is the right place to start</a>, and how to <a href="https://blog.1password.com/find-and-secure-shadow-it">secure access to both managed and unmanaged apps</a>, let&rsquo;s talk about worker productivity and cybersecurity costs.</p> <h2 id="productivity-vs-security-is-a-false-tradeoff">Productivity vs. 
security is a false tradeoff</h2> <p>Security software is notoriously hard to use. Instead of making things easier for end users, security tools often introduce new frictions into workflows. Hence the perpetual dance between security and productivity.</p> <p>The situation also pits IT and other employees against each other. IT&rsquo;s goal is to reduce their attack surface to avoid a security breach. Employees want to get things done. If security software is hard to use, those two goals are at odds. It&rsquo;s zero-sum.</p> <p>And when productivity and security face off, productivity often wins. A recent study found that <a href="https://hbr.org/2022/01/research-why-employees-violate-cybersecurity-policies">85% of employees knowingly broke cybersecurity rules</a> to accomplish a task. IT and security teams are left with an impossible choice: Impose more tools and security measures to strengthen their cybersecurity posture, or reduce friction to help employees get things done. Either you reduce the risk of a cyberattack, or you make workers’ lives a bit easier. You can’t do both.</p> <p>But those workarounds aren&rsquo;t a malicious attempt to thwart IT. It&rsquo;s just people trying to do their jobs. Employees are using their personal devices and preferred apps to get the job done, not to sabotage the company’s security posture.</p> <h3 id="making-the-secure-way-to-work-the-default-way">Making the secure way to work the default way</h3> <p>Resolving the paradox requires expecting more from our security solutions, specifically in terms of user experience.</p> <p>To illustrate how we might do that, consider the <a href="https://www.theguardian.com/cities/2018/oct/05/desire-paths-the-illicit-trails-that-defy-the-urban-planners">desire path</a>. When building spaces, landscape architects (naturally) include paved walkways in their plans. 
But those paved walkways aren&rsquo;t always the preferred route of those who use the space.</p> <p>When people continually cut across the grass of a park, for example, and eventually wear down the grass to create an &ldquo;unofficial path,&rdquo; that&rsquo;s a desire path. It wasn&rsquo;t in the designer&rsquo;s original plans, but that doesn&rsquo;t matter to those using the space – they&rsquo;re just trying to get from point A to point B as quickly as possible.</p> <p>Hybrid work has created a similar, digital desire path. Instead of using only the apps managed by the company, they&rsquo;re using shadow IT – both on company devices and personal devices – to get things done. That introduces new vulnerabilities. But what if IT could simply secure that desire path, instead of trying to force workers to stick to the paved walkways they&rsquo;ve been avoiding?</p> <h3 id="bad-ux-is-a-security-risk">Bad UX is a security risk</h3> <p>If a security tool is hard to use, people won&rsquo;t use it. Consider a few findings from 1Password&rsquo;s <em><a href="https://blog.1password.com/report-login-fatigue-research/">Unlocking the login challenge: How login fatigue compromises employee productivity, security and mental health</a></em>:</p> <ul> <li>44% of employees say that the process of logging in and out at work harms their mood or reduces productivity.</li> <li>26% have given up on doing something at work to avoid the hassle of logging in.</li> <li>38% have procrastinated, delegated or skipped setting up new work security apps because of burdensome login processes.</li> </ul> <p>And that&rsquo;s just logging in. 
If IT teams not only understood these frustrations, but did something about it – say by providing an enterprise password manager (EPM) that did the work of logging in for them – both security and productivity would win.</p> <h3 id="strengthening-security-with-a-great-user-experience">Strengthening security with a great user experience</h3> <p>Let&rsquo;s say Taylor, a new employee, is setting up a new Airtable account to check the publishing calendar for their role on the social media team. Instead of creating a weak password that&rsquo;s easy to remember, or reusing a password, Taylor uses an EPM to generate a strong, random, unique password.</p> <p>Because admins can customize password policies, the password Taylor creates automatically complies with company security policies. And Taylor doesn&rsquo;t have to remember that password or record it. The company can even mandate multi-factor authentication, which modern EPMs support.</p> <p>And the next time Taylor logs in, they don&rsquo;t have to guess how they logged in. Was it an email and password? Did they log in with their Google account? SSO? A passkey?</p> <p>It&rsquo;s all moot if their EPM remembers for them, and automatically logs them in. And when they need access to the company Instagram account (for which there&rsquo;s only one login for everyone on the team), a colleague can securely share those credentials with Taylor.</p> <p>To secure access to shadow IT, you have to make it easy for workers to do their jobs securely. They have to want to use the security tool you&rsquo;re offering. And that only happens when that security tool helps them get things done, instead of getting in their way.</p> <h2 id="getting-a-handle-on-spiraling-security-costs">Getting a handle on spiraling security costs</h2> <p>Security can feel like a game of whack-a-mole. New technologies pop up, workers adopt them, and IT rolls out new tools to address the vulnerabilities those tools introduce.</p> <p>It all adds up. 
Overhead and tools are two of the biggest contributors to cybersecurity costs. But it is possible to create efficiencies across both.</p> <h3 id="reduce-and-eliminate-password-resets">Reduce and eliminate password resets</h3> <p>IT spends a surprising amount of time resetting passwords. <a href="https://blog.1password.com/iam-shadow-it-epm-research-2020/">57% of IT workers reset employee passwords up to five times a week</a>, and 15% do so at least 21 times per week.</p> <p>That leads to IT spending nearly 21 days of work each year on tasks like resetting passwords and tracking app usage.</p> <p>But both IT and workers can wrestle back a significant portion of that time with an EPM. For example, in <em><a href="https://1password.com/resources/total-economic-impact-of-1password-business/?utmref=resources">The Total Economic Impact™ of 1Password Business</a></em>, Forrester found that deploying 1Password results in:</p> <ul> <li>70% fewer IT help desk support tickets, saving 291 hours per IT team member each year</li> <li>1,400 fewer hours per year spent by workers resetting passwords or waiting to gain access to systems</li> </ul> <h3 id="reduce-sso-costs">Reduce SSO costs</h3> <p>SSO and EPMs can work well together within an identity and access management (IAM) framework. SSO secures access to applications managed by IT, while EPMs secure access to unmanaged apps, or virtually everything else.</p> <p>But the costs of SSO can add up. It can take weeks or even months to implement SSO, and each application placed behind SSO needs to be configured. EPMs require less custom configuration – it&rsquo;s a one-time setup and doesn&rsquo;t require every app to be configured.</p> <p>And even once SSO is deployed, it only secures access to <a href="https://www.gartner.com/document/4022188?ref=solrResearch&amp;refval=373844826&amp;">50-70% of the apps in use</a>, according to Gartner. 
IT will have to dedicate time to add new applications, and many of those applications will charge extra for the ability to integrate with your SSO provider, a cost known as the SSO tax.</p> <p>EPMs not only secure access to the unmanaged apps that SSO doesn’t cover, but also reduce cybersecurity costs with a less costly rollout and by eliminating the <a href="https://www.csoonline.com/article/1248700/the-sso-tax-is-killing-trust-in-the-security-industry.html">SSO tax</a>.</p> <h2 id="epms-create-efficiencies-through-usability-and-reduce-costs">EPMs create efficiencies through usability and reduce costs</h2> <p>As a quick recap, here&rsquo;s what we&rsquo;ve covered in this series:</p> <ul> <li><a href="https://blog.1password.com/securing-your-hybrid-workforce/">The four key considerations to securing a hybrid workforce</a> are identity and access management, shadow IT and bring-your-own-device, the productivity/security tradeoff, and security costs.</li> <li><a href="https://blog.1password.com/identity-security-in-hybrid-work-environments/">Verifying identity starts with strong, unique logins</a> for each service. Using passkeys where possible reduces or eliminates the threat of phishing, and following the principle of least privilege (as part of a zero trust strategy) reduces your attack surface.</li> <li><a href="https://blog.1password.com/find-and-secure-shadow-it">Shadow IT is the way we work now</a>, and the new perimeter includes not only company-owned devices and managed applications, but also personal devices and unmanaged apps. 
SSO protects managed apps, but we can reduce the likelihood of a data breach by securing access to each unmanaged app with an EPM.</li> <li>By making the secure way to work the easy way to work, EPMs reduce cost and create new efficiencies that can save the average organization thousands of hours every year, while also supporting a strong security posture.</li> </ul> <p>For an overview of each of the topics we&rsquo;ve explored, download <em><a href="https://1password.com/resources/access-management-ebook/?utm_ref=blog">The new perimeter: Access management in a hybrid world</a></em>.</p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">The new perimeter: Access management in a hybrid world</h3> <p class="c-call-to-action-box__text"> Learn about the four key considerations to securing your hybrid workforce, and why reducing risk starts with securing employee login credentials. </p> <a href="https://1password.com/resources/access-management-ebook/?utm_ref=blog" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Download now </a> </div> </section></description></item><item><title>1Password acquires Kolide</title><link>https://blog.1password.com/1password-acquires-kolide/</link><pubDate>Tue, 20 Feb 2024 00:00:00 +0000</pubDate><author>info@1password.com (Jeff Shiner)</author><guid>https://blog.1password.com/1password-acquires-kolide/</guid><description> <img src='https://blog.1password.com/posts/2024/1password-acquires-kolide/header.png' class='webfeedsFeaturedVisual' alt='1Password acquires Kolide' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Protecting remote and hybrid work requires securing both identity and devices, regardless of where employees work.</p> <p>At this point, it’s safe to say work has changed. 
But the reality, even for those yearning for employees to return to the office, is that hybrid and remote work is the modern “business as usual,” and there is no going back. Unsurprisingly, our new way of work has brought a slew of new security challenges that companies struggle to address.</p> <p>Security is inherently a people problem. And when people no longer predominantly work from a corporate office, relying on security technologies built to secure physical corporate networks, and everything plugged into them, is now creating gaping holes in company defenses.</p> <p>At 1Password, we’ve always put people front and center of security, striving to create products that are easy to use and make employees more productive. By making the <em>productive</em> way to <em>work</em> the <em>secure</em> way to <em>work</em>, we help companies enlist their employees to be a part of their perimeter defense.</p> <p>That brings us to today’s news: 1Password has acquired Kolide, a next-generation device security solution.</p> <h2 id="security-for-any-location-and-any-device">Security for any location and any device</h2> <p>Why would 1Password acquire a device health and contextual access management solution? The reality is that access isn’t secure if the device <em>doing</em> the access isn’t secure. This is part of the complexity of the modern way we work. Every device, regardless of location, must be secure – just as every log-in, regardless of location, employee, or type of device used, must be secure.</p> <p>This is where <a href="https://www.kolide.com/">Kolide</a> fits into the 1Password story. Kolide is a leader in device health and contextual access management, and companies need a way to ensure that both the device used <em>and</em> every access request are secure. What also makes Kolide particularly compelling is how the company has taken a similar approach to 1Password and works to enlist employees to deliver better security. 
This is only possible by providing employees with tools that make security easy to use and adopt, enable them to secure their own activities, and provide them with the context to make the right decisions at the right time.</p> <p>In fact, Kolide’s philosophy of <a href="https://honest.security/">Honest Security</a> mirrors our deeply held values – that security can only work through a positive relationship with end users, and that privacy must be respected at every stage of the journey, demonstrated through informed consent and transparency. Kolide’s message is resonating across the market, and leading companies including Databricks, Robinhood, Discord, and Anduril rely on Kolide to secure their teams.</p> <p>Turning your employees into security advocates is critical, because it’s no longer possible for IT or security teams to micro-manage every device or every application that employees use – especially for remote and hybrid workforces. By shedding light on the currently untenable state of IT and security, corporations can shift their mindset toward an approach where security empowers end users to use the tools they need, while also making them <em>active participants</em> in securing the applications they use. And 1Password with Kolide does just that.</p> <p>Please join me in welcoming the entire Kolide team to 1Password. We’re thrilled they’re joining us on our shared mission of building a safer, more secure future. And based on Kolide CEO Jason Meller’s perspective below, I’d say we’re well on our way.</p> <blockquote> <p>“Kolide was founded on the idea of Honest Security, a philosophy that, when combined with the principles of Zero Trust, transforms end users into the most effective security solution IT will ever have. We are combining forces with 1Password for one reason: we both believe every company on Earth needs user-focused device security. 
With 1Password, we now have the resources to make that belief a reality.”</p> </blockquote> <p>If you’d like to learn more about how Kolide and 1Password solutions can secure your organization, <a href="http://1password.com/kolide-info">let us know</a>.</p></description></item><item><title>Beyond Boundaries: What we built, learned, and shared during our latest hackathon</title><link>https://blog.1password.com/beyond-boundaries-hackathon/</link><pubDate>Fri, 16 Feb 2024 00:00:00 +0000</pubDate><author>info@1password.com (Rick Fillion)</author><guid>https://blog.1password.com/beyond-boundaries-hackathon/</guid><description> <img src='https://blog.1password.com/posts/2024/beyond-boundaries-hackathon/header.png' class='webfeedsFeaturedVisual' alt='Beyond Boundaries: What we built, learned, and shared during our latest hackathon' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Last week was a hackathon week at 1Password. We take time twice a year to pause our normal day-to-day tasks and focus on exploration and learning. These hackathons are a great opportunity to work with different folks, exercise some different muscles, and have a great deal of fun in the process. I&rsquo;d love to tell you more about our latest hackathon!</p> <p>The hackathon&rsquo;s theme was &ldquo;Beyond Boundaries&rdquo;, and it had a few broad categories for staff to choose from:</p> <ul> <li><strong>Shoot for the Moon.</strong> Pushing the boundaries of what 1Password can be.</li> <li><strong>Shifting Left.</strong> Innovations in the earlier steps in our daily workflows that have compounding effects in the later ones.</li> <li><strong>The Next Step.</strong> An incremental improvement in an existing feature, or a step toward something new.</li> </ul> <p>We encourage everyone in our Tech, Product &amp; Design departments to set aside work to participate in the event, and ask them to self-organize into teams and projects. 
This means that the hackathon projects aren’t defined by leadership – they’re entirely grass-roots driven.</p> <p>We recommend folks work with others outside of their team, as this is a great way to meet others and learn from them. This can be a bit of a chicken and egg problem &hellip; how do folks know who to work with? Surely they won&rsquo;t go knocking on a random person&rsquo;s [virtual] door and say:</p> <blockquote> <p><strong>&ldquo;Can we hack together?&rdquo;</strong></p> </blockquote> <p>We solve this by having a centralized hackathon project idea list. If there&rsquo;s something a member of staff really wants to work on, they put it up on the list and see if others gravitate towards it. People can work on any part of the product, meaning they aren’t constrained by the area they normally work on at 1Password. The project board lists the skill sets that would be useful for each project, including non-coding skills, which helps people more easily find a great project to contribute to.</p> <p>For this hackathon, I personally deviated from our guidance a bit. I&rsquo;ve recently created a new team, and it&rsquo;s still in its forming stages, so I proposed that we use this opportunity to work closely together on a project. We added our project to the list and a few developers from other teams joined us because the project appealed to them.</p> <p>Our hackathons are short. Or at least they feel short. It&rsquo;s one of those things where any fixed period of time will feel too short as our dreams are always bigger than what the time will allow for. Our hackathons are effectively split into three parts:</p> <ul> <li>Hack Hack Hack</li> <li>Video Production &amp; Sharing</li> <li>Awards Ceremony</li> </ul> <h2 id="hack-hack-hack">Hack Hack Hack</h2> <p>Naturally this is where we sit down and actually write our prototype. 
There really aren&rsquo;t any limits here other than &ldquo;fit into one of the broad categories.&rdquo; The goal is certainly not to write code that will ship to production right away. Instead, we put a strong emphasis on creating an MVP of the concept.</p> <p>We work hard to prove that our ideas are possible. Words like &ldquo;hack-crimes&rdquo; are uttered frequently as developers try to find the fastest way to demonstrate their idea, and folks commonly share their most heinous crimes with the rest of the team on Slack.</p> <p>The actual output of our three days of hacking away is a video demo, so while we’re building we also need to plan and produce the final video.</p> <h2 id="demo-video-production--sharing">Demo Video Production &amp; Sharing</h2> <p>Of course, we all want to see what everyone else has built. We used to have each team present their project, but as we&rsquo;ve grown, so has the number of projects, and this approach has become unsustainable. Instead, each team is expected to create a demo video of their project, helping others understand the challenge that their project is targeting, and how it solves the problem.</p> <p>The only constraint imposed: the video should last only two minutes.</p> <p>The creativity that comes out of these videos <a href="https://youtu.be/DAHQ3toRklE?si=GDpUUW5TQS8R-OKA">is pretty amazing</a>. Two minutes is simply not a lot of time, so everyone tries to find ways of cramming in as much information as possible. And then there&rsquo;s the production quality! I&rsquo;m always blown away by the amazing videos that are produced. They&rsquo;re inspiring, and just a little silly.</p> <p>These videos are all due by the end of day three. For our latest hackathon, you better believe that I was up until midnight putting the final touches on ours. I was unlucky enough to have the video editing app I was using crash after two hours – and I hadn’t hit the save button. 
Was I ever thankful that it had auto-saved a few minutes prior to the crash!</p> <p>Day four is when everyone is expected to watch the demo videos. Some teams create watch parties and view them all together.</p> <h2 id="awards-ceremony">Awards Ceremony</h2> <p>A little bit of friendly competition can make anything more fun. The hackathon organizers chose some judges for each category, and all of the participants voted on the &ldquo;Bits Choice&rdquo; award. On Friday we do a large call where the winners are announced.</p> <p>Regardless of who wins awards, we all come out winning (and I don’t just say this because our team didn’t win). It’s a week where we get to set aside our normal routines and deliverables, and scratch whatever itch we may have. It&rsquo;s amazing to see so many great ideas from so many different teams.</p> <p>It’s also not uncommon for one or more of the hackathon projects to turn into full-fledged features after the fact. For example, the recently released <a href="https://1password.community/discussion/142824/experiment-3-nearby-items#:~:text=Nearby%20Items%20allows%20you%20to,are%20close%20to%20you%20physically.">Nearby Items</a> came out of the last hackathon.</p> <h2 id="lets-share">Let&rsquo;s Share!</h2> <p>I&rsquo;d love to share a few of the demo videos that have come out of the Beyond Boundaries hackathon. 
I want to emphasize that <strong>these projects do not necessarily represent our roadmap</strong>, and are a reflection of the ideas that individuals have, as opposed to the entire company.</p> <p>First up we have <strong>1PasswIRC</strong>, whose team aimed to answer the question: &ldquo;What if we leveraged the End-to-End Encryption technology we had to power group chat within the app?&rdquo;</p> <div style="text-align: center !important;"> <iframe src="https://www.youtube-nocookie.com/embed/DAHQ3toRklE?si=i0nUdJF_r7_d1cfc" frameborder="0" allow="autoplay; encrypted-media" width="500px !important;" height="281px !important;" style="width: 500px !important; height: 281px !important; display: inline-block !important" allowfullscreen></iframe> </div> <p>Next is <strong>B5X Diagnostics Reports</strong>. B5X is what our Browser Extension is called internally; it’s by far the most popular way to use 1Password. This group decided to see how we could more easily get Diagnostics Reports from the app so that we could better support our users.</p> <div style="text-align: center !important;"> <iframe src="https://www.youtube-nocookie.com/embed/am-jrZDs27Y?si=zJCVB1fQ35Qkb6fz" frameborder="0" allow="autoplay; encrypted-media" width="500px !important;" height="281px !important;" style="width: 500px !important; height: 281px !important; display: inline-block !important" allowfullscreen></iframe> </div> <p>Lastly we have <strong>Webhooks For Item Updates</strong>. I love seeing integrations between 1Password and other services, and webhooks are a great way to enable that.</p> <div style="text-align: center !important;"> <iframe src="https://www.youtube-nocookie.com/embed/4fkTKn-MMI8?si=ks8kVBp6zzqJlAMi" frameborder="0" allow="autoplay; encrypted-media" width="500px !important;" height="281px !important;" style="width: 500px !important; height: 281px !important; display: inline-block !important" allowfullscreen></iframe> </div> <p>I hope you enjoyed the videos. 
If these hackathons sound like fun to you, consider <a href="https://1password.com/careers">joining our team</a>!</p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Want to work for 1Password?</h3> <p class="c-call-to-action-box__text"> Browse our current job openings to see if there’s an opportunity that matches your career goals. </p> <a href="https://1password.com/jobs/?utm_ref=blog" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> View our open positions </a> </div> </section></description></item><item><title>How hacker and security consultant Jayson E. Street breaks into businesses</title><link>https://blog.1password.com/social-engineering-hacker-jayson-e-street-interview/</link><pubDate>Thu, 15 Feb 2024 00:00:00 +0000</pubDate><author>info@1password.com (Jenn Marshall)</author><guid>https://blog.1password.com/social-engineering-hacker-jayson-e-street-interview/</guid><description> <img src='https://blog.1password.com/posts/2024/social-engineering-hacker-jayson-e-street-interview/header.png' class='webfeedsFeaturedVisual' alt='How hacker and security consultant Jayson E. Street breaks into businesses' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">“A man walks into a bank…” That may sound like the start of a joke but as hacker and security consultant Jayson E. Street tells it, it’s really nothing to laugh at. 
He’s walked into banks, hotels, government facilities, and biochemical companies all over the world and successfully compromised them.</p> <p>Street is an adversary for hire, Chief Adversarial Officer for <a href="https://www.secureyeti.com/">Secure Yeti</a>, a DEF CON group global ambassador, and the author of the book series <em><a href="https://www.goodreads.com/book/show/6648674-dissecting-the-hack">Dissecting the Hack</a></em>. He sat down with Michael “Roo” Fey, Head of User Lifecycle &amp; Growth at 1Password, on the <a href="https://randombutmemorable.simplecast.com/">Random but Memorable</a> podcast to share some fascinating stories about how he “hacks” human nature to get in the literal front door and compromise businesses.</p> <p>Read the interview highlights below or <a href="https://randombutmemorable.simplecast.com/episodes/data-breach-box-set">listen to the full podcast episode</a>.</p> <div style="text-align: center !important;"> <iframe src="https://www.youtube-nocookie.com/embed/IZS206qOzGo?si=1Pa9aMNHxygl1EK5" frameborder="0" allow="autoplay; encrypted-media" width="500px !important;" height="281px !important;" style="width: 500px !important; height: 281px !important; display: inline-block !important" allowfullscreen></iframe> </div> <p><em>Editor’s note: This interview has been lightly edited for clarity and brevity. The views and opinions expressed by the interviewee don’t represent the opinions of 1Password.</em></p> <p><strong>Michael Fey: How did you get into penetration testing?</strong></p> <p><strong>Jayson E. Street:</strong> In 2000, I found out that you could do security and computers. A VP of an internet bank hired me into network security. For the first 10 years of this new career, I was doing defensive blue team work (defending against attackers). Then I realized: I have to start testing the things that I’m making as if I were a hacker.</p> <p>Around 2010, I was working for a bank, testing our defenses. 
That’s when I discovered I was really good at robbing banks. I started doing that more, as well as consulting. I branched out to robbing hotels, research facilities, and government facilities.</p> <p>In 2016, I started a thing that’s never been done before: security awareness engagements where I use red team tactics (attacking cybersecurity defenses), but for educational purposes.</p> <p>One of the things I love about Secure Yeti is that they believe in this too – that it’s about education, not exploitation. It’s about educating people so they can become better. The red team only exists to make the blue team better. We’re there to help validate their security, build them up, and teach them what they need to do – not just try to tear them down and break stuff.</p> <p><strong>MF: Can you walk us through your process for penetration testing? I&rsquo;m sure the ultimate goal is getting in and getting the prize, but how do you approach it?</strong></p> <p><strong>JES:</strong> Honestly, that&rsquo;s not always the goal. I guarantee to my clients, in our contract, that I will get caught during the engagement. Because again, I&rsquo;m trying to teach them. If we give them a report and it&rsquo;s like, &ldquo;Oh, I just destroyed everything,&rdquo; the only thing that gets back to the employees is that they failed.</p> <p>I&rsquo;ve had to work at giving wins, but I make sure that everybody wins at least once. Then I can say, “Okay, yeah, we have to work on these things. But hey, look at Ann. She didn&rsquo;t open the door for him. She questioned him. 
She checked his ID, she reported it to security, and he got caught.” It makes it a little more of a positive experience.</p> <p>There are so many red team people who are so focused on winning and think: &ldquo;I&rsquo;m going to go in, I&rsquo;m going to punch them in the face and shoot the guy.&rdquo; There’s all this toxic masculinity throughout the red team, unfortunately.</p> <p>My whole thing is, I don&rsquo;t want my clients to see sophistication. I want to show them how bad the situation really is – how basic it can be.</p> <blockquote> <p><strong>&ldquo;I want to show them how bad the situation really is – how basic it can be.&rdquo;</strong></p> </blockquote> <p>I&rsquo;ve got a video that I did at a talk. I use a hidden camera to show how I literally walk through the front door of a bank while employees are still on their lunch break and compromise the first machine in 15 seconds. I finished the attack in under 30 seconds.</p> <p>An employee did the right thing and stopped me, but then she allowed me to do sort of an interception of the conversation where she thought that I was going to be honest when I talked to the manager. She escorted me to the manager&rsquo;s office, the manager saw that I was waiting, but there was someone else in the office. The employee believed me when I said, &ldquo;I&rsquo;ll talk to him,&rdquo; and I dismissed her and she left.</p> <p>I went into the manager&rsquo;s office and assumed the role of, &ldquo;I&rsquo;m here with the help desk. We&rsquo;re trying to make the network faster.&rdquo; He escorted me to every machine, and I did a 100% compromise of every machine in that branch, including the wire transfer computer and the network servers. He gave me full access to everything, and he walked with me to do it.</p> <p><strong>MF: Wow.</strong></p> <p><strong>JES:</strong> Everybody worries about Zero Days. It&rsquo;s like, &ldquo;Oh, I got to worry about <a href="https://blog.1password.com/ai-cracking-passwords/">AI</a>. 
I got to worry about all this blockchain and the kill chains coming in at us.&rdquo; And I&rsquo;m like, “You keep talking about how we need to secure low-hanging fruit. Screw the tree, OK? You&rsquo;re not ready for the low-hanging fruit. You&rsquo;ve got fruit rotting on the ground. Pick that stuff up, do some proper asset management, and do some proper patch management.”</p> <p>We want to keep looking at all these other things that we&rsquo;re supposed to be defending against when it&rsquo;s the simple stuff of someone walking in off the street. Or someone sending an email that ends up costing a company $300 million.</p> <p><strong>MF: Can you recall an infiltration where you <em>really</em> had to do your research? Maybe you used social engineering, or monitored people&rsquo;s patterns at work?</strong></p> <p><strong>JES:</strong> One time I was robbing an institution in New York City. It was across the street from Ground Zero in the financial district. It was very high security. They did not expect me to get in. This is the reason why I still say to this day that the only thing worse than no security is a false sense of security.</p> <p>They had canine SWAT police officers patrolling the mall and the lobby areas. They had four to six security guards. In the main elevator lobby, you had to show them your driver&rsquo;s license and get an ID name tag with your picture on it before you were allowed to go through the metal detectors, which led to the elevator and up to the office.</p> <p>I went in on the first day. I went up to the security desk to see if I could get a job interview. They were like, &ldquo;Nope, you have to call ahead.”</p> <p>So the next day I go back in. By the way, you always try to attack people in office buildings with building security between the hours of 4PM and 6PM. The 7AM to 3PM shift, that&rsquo;s your A team, the people who are on the ball. 
The 3PM to 11PM shift goes to new hires, the ones that aren&rsquo;t set in the patterns, the ones that don&rsquo;t know everybody.</p> <blockquote> <p><strong>&ldquo;You always try to attack people in office buildings with building security between the hours of 4PM and 6PM.&rdquo;</strong></p> </blockquote> <p>When I showed back up the next day around 4:30PM in the afternoon, the company was having a meeting upstairs and there was another guy waiting to get up there, too.</p> <p>I did a crosstalk attack like I did with that bank manager. I talked to one security person and then I talked to the other one and they saw me talk to that person. They made my ID and created my badge. I struck up a conversation with a guy who was legitimately going to this place like, &ldquo;Oh, you&rsquo;re going up there, too?&rdquo; &ldquo;Yeah.&rdquo; It made it look like we were together. So when the receptionist came down to escort us up in the elevator, she made the assumption that we were together.</p> <p>As soon as we got upstairs into the lobby area, I said: &ldquo;I’ve got to go to the restroom. I&rsquo;ll meet you in the conference room.&rdquo; I go and I see an open door that goes to the mailroom. There&rsquo;s an unlocked computer there and I compromise the first machine. I&rsquo;ve already compromised their network. And then I go to the break room.</p> <p>I don&rsquo;t attack people over social engineering. I attack human nature. How people operate. Being on the spectrum, it&rsquo;s like I had to be raised to try to watch people and figure out how normal people work, because they&rsquo;re terrifying. That&rsquo;s why I&rsquo;m so successful at robbing people on five different continents.</p> <blockquote> <p><strong>&ldquo;I attack human nature. How people operate.&rdquo;</strong></p> </blockquote> <p>It&rsquo;s like the biggest myth that society tells us: that we’re so different. The truth is we&rsquo;re all humans! 
I don&rsquo;t care if you&rsquo;re in China, Singapore, Brazil, or Britain – guess what? You&rsquo;re the same people. You all still come up with the same assumptions. You still come up with the same kind of attitudes. That&rsquo;s what I&rsquo;m trying to rob – I&rsquo;m going after human nature.</p> <p><strong>MF: I&rsquo;m curious to hear a story where you were just completely shut down at every turn, where people did everything right.</strong></p> <p><strong>JES:</strong> I&rsquo;m so glad you asked that. No one talks about it enough. It&rsquo;s like everybody wants to talk about me accidentally robbing a bank, or something like that, because it sounds cool.</p> <p>But I did rob a bank in 2020 where it was a fail. I had robbed the same place in 2019, and I destroyed them. They&rsquo;d never had a red team engagement where they actually got up into their office area. And within 30 minutes, I was sitting at the desk of the person who hired us. When he came out of a meeting, he saw me at his desk. He had to go with me to take the badge back that I had stolen off of someone&rsquo;s desk. It was bad. But that&rsquo;s not the story.</p> <p>Companies are paying for you to communicate to management why these changes need to happen. I did a report. I didn’t do a nice little written report. I educated management about what was going on, how I was able to do these things. I had security go on a walk with me and watch as I compromised some people live – and their jaws just dropped.</p> <p>In January 2020, I went back to this client. I changed my appearance. It&rsquo;s like I knew it was going to be more difficult. I might be recognized. It was a brand-new receptionist. Didn&rsquo;t matter. I didn&rsquo;t get in. I walked up like I owned the place. 
I didn&rsquo;t even get to the stairs in the lobby before she said: &ldquo;Excuse me, you need to sign in.&rdquo; I was like, &ldquo;How does she know I&rsquo;m not an employee?&rdquo;</p> <p>That year, during their company all-hands meeting, the CEO, who only gets one hour to speak, spent 15 minutes on security. He spent 15 minutes talking about the responsibilities of employees for security awareness, maintaining the security of their personal items, computers, and cubicle space.</p> <blockquote> <p><strong>&ldquo;During their company all-hands meeting, the CEO, who only gets one hour to speak, spent 15 minutes on security.&rdquo;</strong></p> </blockquote> <p>They also instituted color-coded lanyards. If you had a green lanyard, you were an employee. If you had a red lanyard, you needed to be walked in and escorted everywhere. And if you had a yellow lanyard, you were a contractor, but not trusted. I didn&rsquo;t know that at first. So, I registered. I put the name of the person I&rsquo;m supposed to be working with, and then of course, I was like, “I need to go to the bathroom.”</p> <p>Instead of turning left into the bathroom, I turned right down this hallway and compromised two machines right off the bat. I&rsquo;m technically successful. But that didn&rsquo;t matter. Because there was a woman who was in her office. She got on the phone and reported me because she knew I was sketchy. It was awesome.</p> <blockquote> <p><strong>&ldquo;She got on the phone and reported me because she knew I was sketchy. It was awesome.&rdquo;</strong></p> </blockquote> <p>I could have gone to the stairs so I could say I &lsquo;escaped&rsquo; and therefore won. But no, that&rsquo;s not what it&rsquo;s about. So, I start walking toward the receptionist’s office. The guy who I was there to meet was already coming down the hallway because reception reported that I deviated from the path. There was a camera right above the hallway that she gets to watch. 
She saw that I went the wrong way.</p> <p>Throughout that whole engagement, even though I compromised every section, someone stopped me. Someone said &ldquo;no&rdquo;.</p> <p>And that&rsquo;s including the second day. That night, I went back and I got the cleaning crew to let me in. I broke in and I stole all the lanyards – the green ones and red ones and yellow ones. On the second day, I had a green lanyard because those were cool. But they still questioned me and said &ldquo;no.&rdquo; They were like: &ldquo;I&rsquo;m not allowed to let anybody plug anything into the computer unless I get an email from the help desk. I didn’t get one. If you don&rsquo;t mind, I&rsquo;ll call them and verify. And what&rsquo;s your name again? So I can see if they know you.&rdquo;</p> <p>I validated that their security programs were working because, even though I was successful, I was not successful for more than 15 minutes without someone stopping me.</p> <blockquote> <p><strong>&ldquo;We need to stop trying to build defenses as walls. What’s more important is how quickly you can detect and how quickly and effectively you can respond.&rdquo;</strong></p> </blockquote> <p>Humans make mistakes, but if they correct it and someone reports it, you’re dealing with a 15-minute breach versus a five-month breach. That’s important because we can’t prevent things. We need to stop trying to build defenses as walls. What’s more important is how quickly you can detect and how quickly and effectively you can respond. That’s the dealbreaker for a company that’s going to survive a breach or not.</p> <p><strong>MF: I appreciate you making the time for us today! Is there anywhere that people should go to learn more about you?</strong></p> <p><strong>JES:</strong> My main site is <a href="https://jaysonestreet.com/">jaysonestreet.com</a>. Places I go: <a href="https://hackeradventures.world/">hackeradventures.world</a>. 
And I live-tweet my life on <a href="https://twitter.com/jaysonstreet">Twitter</a>.</p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Subscribe to Random but Memorable</h3> <p class="c-call-to-action-box__text"> Listen to the latest news, tips and advice to level up your security game, as well as guest interviews with leaders from the security community. </p> <a href="https://randombutmemorable.simplecast.com/" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Subscribe to our podcast </a> </div> </section></description></item><item><title>How to find and secure shadow IT</title><link>https://blog.1password.com/find-and-secure-shadow-it/</link><pubDate>Wed, 14 Feb 2024 00:00:00 +0000</pubDate><author>info@1password.com (Rob Boone)</author><guid>https://blog.1password.com/find-and-secure-shadow-it/</guid><description> <img src='https://blog.1password.com/posts/2024/find-and-secure-shadow-it/header.png' class='webfeedsFeaturedVisual' alt='How to find and secure shadow IT' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">This is the third in a series of four posts on how to secure your hybrid workforce. 
For a complete overview of the topics discussed in this series, download <em><a href="https://1password.com/resources/access-management-ebook/?utm_ref=blog">The new perimeter: Access management in a hybrid world</a></em>.</p> <p>In the first post in this series, we identified four key considerations to securing hybrid workforces: identity, shadow IT and bring-your-own-device (BYOD), security adoption, and security costs.</p> <p>Today, let&rsquo;s talk about shadow IT.</p> <p>In a hybrid world, not only do we work from everywhere, we use a huge number of apps – <a href="https://www.wsj.com/articles/employees-are-accessing-more-and-more-business-apps-study-finds-11549580017">130 at the average organization</a> – to get work done. Some apps are sanctioned by the IT/Security team. Many are not.</p> <p>Those apps not managed by IT/Security are, by definition, a blind spot. And because you can&rsquo;t secure what you can&rsquo;t see, those unmanaged apps are known as shadow IT.</p> <h2 id="what-is-shadow-it">What is shadow IT?</h2> <p>Shadow IT is all the apps we use to get things done that haven&rsquo;t been explicitly approved – and therefore secured – by IT. It’s usually cloud-based apps, or software-as-a-service (SaaS), which means the data (often sensitive data) we’re storing on them is stored on someone else’s server. It&rsquo;s the Google Sheet you spin up to keep track of expenses for a project, the Microsoft Word file Legal uses to draft a document, the Dropbox folder someone is using to share files with partners or clients.</p> <p>If IT doesn&rsquo;t know about it, it&rsquo;s shadow IT.</p> <p>By some estimates, shadow IT comprises as much as 50 percent of the apps we use to get work done. And those apps – those cloud services – are being accessed from airports and coffee shops, from employees' homes and on their commute, from their phones and tablets and personal laptops.</p> <p>That&rsquo;s the new perimeter businesses are tasked with defending. 
And that&rsquo;s why, in the world of hybrid work, securing that perimeter starts with securing identities – i.e. verifying that the people accessing those apps are indeed who they say they are.</p> <h2 id="the-benefits-of-shadow-it">The benefits of shadow IT</h2> <p>Historically, shadow IT has been something to be feared and fought. It’s an unsanctioned box or server sitting under someone&rsquo;s desk. But shadow IT is what we use to get things done – and a growing number of CIOs and CISOs <a href="https://www.cio.com/article/222428/shadow-it-the-cio-s-perspective.html">see it as an opportunity</a>.</p> <p>We use shadow IT because we bump up against a limitation in the suite of approved/managed apps at our disposal. Getting things done, after all, is why we work. For that reason, sometimes shadow IT boosts productivity. Sometimes it’s the difference between whether employees complete a task or not.</p> <p>Of course, there are security risks. But there are also ways to mitigate them. Embracing shadow IT requires a mindset – and a toolset – shift.</p> <h2 id="the-risks-of-shadow-it">The risks of shadow IT</h2> <p>70% of data breaches involved an identity element, which can be as simple as a stolen password. Forrester expects that number to grow to 90% in 2024.</p> <p>Here&rsquo;s a simplified version of what&rsquo;s happening: Sam in Sales needs to share a file with a prospect. There&rsquo;s no great way to do that with any of the apps sanctioned by IT, so they create an account on a file-sharing service, upload a couple of files, and send the link to the prospect.</p> <p>Mission accomplished, from a business standpoint. But when Sam signed up for the file-sharing account, they created it with a relatively weak password. It&rsquo;s also one they&rsquo;ve used before for other services, because it&rsquo;s easy for them to remember.</p> <p>Now that login is vulnerable, because the password protecting it isn&rsquo;t strong, random, or unique. 
And Sam uploaded company data to the service; if attackers stole the password, they could also use it to access other services Sam uses. Now the company is at risk – and IT has no idea.</p> <p>This kind of thing happens all the time: 1Password research found that <a href="https://blog.1password.com/challenges-of-shadow-it/">63.5% of respondents had created an account their IT department didn’t know about</a> in the previous 12 months. Gartner estimated that <a href="https://www.gartner.com/smarterwithgartner/protect-your-organization-from-cyber-and-ransomware-attacks">one-third of successful cyberattacks will be on data stored in shadow IT infrastructure</a>. And that was a few years ago. The risk of shadow IT has grown since.</p> <h2 id="evolving-it-beyond-the-department-of-no">Evolving IT beyond the Department of No</h2> <p>In a perfect world, Sam could have gone to IT and explained what they were trying to accomplish. IT would then provide Sam with a tool to get it done.</p> <p>But IT&rsquo;s job in a pre-hybrid world was to secure a well-defined perimeter – often one that they themselves had built. Which is to say the default answer to Sam&rsquo;s query is, historically, a resounding &ldquo;No.&rdquo; If IT can&rsquo;t secure it, employees can&rsquo;t use it. (In some cases, especially in large organizations with sufficient resources, IT can build the application themselves.)</p> <p>But <a href="https://www.cio.com/article/222428/shadow-it-the-cio-s-perspective.html">the role of IT is evolving</a>. Many IT departments are beginning to understand their role as an enabler of the business, rather than being an obstacle to productivity. IT directors are making a deliberate effort to understand the goals of the business, and to leverage the technology available to them to help the business accomplish those goals.</p> <p>To do that, they need new tools, particularly in their identity and access management (IAM) stack. 
Tools that will secure every access attempt, regardless of whether access originates on a cell phone in a coffee shop or on a company laptop in the office. Or for a sanctioned app or a non-sanctioned app.</p> <h2 id="the-role-of-single-sign-on">The role of single sign-on</h2> <p><a href="https://blog.1password.com/how-sso-fits-enterprise-security-framework/">Single sign-on, or SSO, plays a crucial role in the IAM stack</a>. Without it, employees sign up for services, log in to them on their own, and manage all those logins themselves.</p> <p>With SSO, employees log in to their SSO provider instead. When they do, they see a list of all the services IT has already vetted and approved. They select the service they want to sign in to, and the SSO provider signs them in using a single, strongly vetted identity.</p> <p>With SSO, then, employees only need to manage a single login: their SSO provider credentials. It&rsquo;s much easier than managing a ton of credentials, and IT teams get the oversight they need to secure access to those applications.</p> <p>But SSO doesn&rsquo;t cover every login – only those IT has vetted and approved. Shadow IT is, by definition, not vetted or approved. So SSO doesn&rsquo;t help secure shadow IT.</p> <p>This is where the enterprise password manager (EPM) comes in. EPMs can secure every single set of credentials, first by creating strong, unique, random passwords – or better yet, <a href="https://1password.com/product/passkeys">passkeys</a> – for each login. The EPM can then autofill those credentials, effectively signing in for employees so they don&rsquo;t have to. Because the EPM both generates and autofills credentials, employees don&rsquo;t have to remember their passwords, let alone manage them all.</p> <p>This is how, when the EPM and SSO work together, you fill the holes in your sign-on security model. 
SSO protects managed applications, and the EPM protects virtually everything else.</p> <p>That combination mitigates the security risk of shadow IT – not only by protecting each login with stronger, randomly-generated credentials, but by making those logins visible to IT, subject to company security policies, and included in audits. That means that if IT chooses to implement, say, a minimum password length, the EPM can enforce that requirement by automatically generating compliant passwords – and only compliant passwords – when employees sign up for any particular service.</p> <p>Those policies can be further unified with SSO integration provided by the EPM, meaning the same set of IT policies can apply to services governed by SSO and those managed by the EPM.</p> <p>This is how IT supports business goals and productivity, rather than inhibiting those goals.</p> <h2 id="the-relationship-between-security-and-productivity">The relationship between security and productivity</h2> <p>But there is a catch: In order to secure shadow IT, strengthen your security posture, and enable productivity, the EPM, like any cybersecurity tool, has to be widely used. And in order to be used, it has to provide a good experience to the worker. If it doesn&rsquo;t, we&rsquo;re back to square one: Workers will simply skirt the intended workflow to get things done, and IT will remain in the dark.</p> <p>Good UX, then, is a boon to security, increasing adoption to help you secure your hybrid workforce without slowing them down. 
We&rsquo;ll explore the relationship of productivity and security – along with getting a handle on security costs – in the next post.</p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">The new perimeter: Access management in a hybrid world</h3> <p class="c-call-to-action-box__text"> Learn about the four key considerations to securing your hybrid workforce, and why reducing risk starts with securing employee login credentials. </p> <a href="https://1password.com/resources/access-management-ebook/?utm_ref=blog" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Download now </a> </div> </section></description></item><item><title>Introducing the new 1Password Global Partner Program</title><link>https://blog.1password.com/global-partner-program/</link><pubDate>Tue, 13 Feb 2024 00:00:00 +0000</pubDate><author>info@1password.com (Glenn Caccamise)</author><guid>https://blog.1password.com/global-partner-program/</guid><description> <img src='https://blog.1password.com/posts/2024/global-partner-program/header.png' class='webfeedsFeaturedVisual' alt='Introducing the new 1Password Global Partner Program' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Today, it&rsquo;s our pleasure to announce a <a href="https://1password.com/partnerships">new global partner program</a> for 1Password resellers, distributors, cloud service partners (CSPs), system integrators (SIs), and global system integrators (GSIs).</p> <p>If you&rsquo;re part of the global ecosystem of 1Password partners, you&rsquo;ll notice new investments to help you secure your customers, differentiate your offering, and grow your revenue. 
That includes key sales, marketing, and enablement resources and a simplified partner experience in the near term, with many more initiatives to follow in the coming months.</p> <p>And if you’re looking for a world-class solution that can provide enterprise password management with simple, lucrative and supportive partner programs, look no further. We encourage you to learn more and understand how we can help you achieve your growth objectives while simultaneously increasing your customers’ security posture.</p> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div class="c-technical-aside-box__description"> <p><strong>Why partner with 1Password?</strong></p> <ul> <li>Improve customer data security and compliance</li> <li>Gain access to dedicated channel- and customer-facing teams</li> <li>Grow profit margins and increase pipeline</li> </ul> </div> </aside> <h2 id="overview-of-the-new-1password-global-partner-program">Overview of the new 1Password Global Partner Program</h2> <p>The new partner program is a reflection of our deep commitment to the resellers, MSPs, and distributors that comprise the global ecosystem of 1Password partners. 
Throughout 2024, we&rsquo;ll introduce new tools, resources, and incentives to help partners secure their customers and grow their business, including:</p> <ul> <li>Training and education programs to empower partners with technical expertise</li> <li>A partner marketing toolbox that helps partners create demand and grow pipeline</li> <li>Co-marketing investments in joint 1Password activities and events</li> <li>A robust partner compensation model to quickly increase partner profitability</li> <li>A channel-neutral selling experience to streamline the sales cycle</li> </ul> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Partner with 1Password</h3> <p class="c-call-to-action-box__text"> Register for the 1Password Partner Program to protect your customers and grow your business. </p> <a href="https://1password.ziftone.com/#/page/partner-network" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Register now </a> </div> </section> <h3 id="announcing-the-1password-msp-solution">Announcing the 1Password MSP solution</h3> <p>1Password is excited to announce the development of our MSP solution, available later this year, which will provide MSPs:</p> <ul> <li>Multi-tenant management</li> <li>Simple billing and invoicing</li> <li>Multi-user provisioning</li> </ul> <p>All this functionality and more will allow MSPs to manage multiple customers from a single purpose-built platform.</p> <p>In the meantime, MSPs and managed security service providers (MSSPs) are invited to join the new 1Password MSSP Incubation Program to take advantage of the many opportunities for us to work together to secure your customers and grow your business. 
We’re offering assets tailored for MSPs today with additional incentives for MSPs and MSSPs coming later this year – and you’ll also have a chance to be part of the MSP beta platform testing and launch.</p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">1Password MSSP Incubation Program</h3> <p class="c-call-to-action-box__text"> Learn more about exclusive MSSP Incubation Program features. </p> <a href="https://1passwordstatic.com/files/resources/mssp-incubation-program.pdf" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Get the details </a> </div> </section> <p>With 1Password, IT gets <a href="https://support.1password.com/team-policies/">control over the security policies</a> that govern employees' use of passwords and other sign-in details, and they get <a href="https://support.1password.com/insights/">insight into potential vulnerabilities</a> like weak or compromised passwords.</p> <p>And 1Password is leading the way to a <a href="https://1password.com/product/passkeys">passwordless future</a>, which is in fact a <a href="https://passage.1password.com/">passwordless present</a>. 
We look forward to continued growth within the partner community.</p></description></item><item><title>Celebrating Black innovators in tech, agriculture, education, and more</title><link>https://blog.1password.com/celebrating-black-innovators/</link><pubDate>Fri, 09 Feb 2024 00:00:00 +0000</pubDate><author>info@1password.com (Rozalynd Gaubault & Anthony Morgan)</author><guid>https://blog.1password.com/celebrating-black-innovators/</guid><description> <img src='https://blog.1password.com/posts/2024/celebrating-black-innovators/header.png' class='webfeedsFeaturedVisual' alt='Celebrating Black innovators in tech, agriculture, education, and more' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Celebrating Black innovators and their contributions to society is incredibly important. It’s an opportunity to reflect on history and recognize the impact these visionaries have had, both by shaping our present and influencing the future.</p> <p>This Black History Month, 1Password proudly spotlights some extraordinary figures who have made significant contributions to technology, agriculture, education, media, culinary arts, and other important fields. Join us in acknowledging these trailblazers, as we believe their stories are integral to a more inclusive and enlightened narrative.</p> <h2 id="computer-hardware-and-software">Computer hardware and software</h2> <h3 id="now-mark-e-dean">Now: Mark E. Dean</h3> <p><a href="https://blog.teachcomputing.org/mark-dean/">Mark E. Dean</a>, an American computer scientist and engineer, played a pivotal role in developing the original IBM PC and color PC monitor. 
His contributions extend to the invention of the first gigahertz chip, showcasing his pioneering work in computer technology.</p> <div style="text-align: center !important;"> <iframe src="https://www.youtube-nocookie.com/embed/G1GJsijOba4" frameborder="0" allow="autoplay; encrypted-media" width="500px !important;" height="281px !important;" style="width: 500px !important; height: 281px !important; display: inline-block !important" allowfullscreen></iframe> </div> <h3 id="now-tope-awotona">Now: Tope Awotona</h3> <p><a href="https://twitter.com/topeawotona">Tope Awotona</a>, a Nigerian-born entrepreneur, founded <a href="https://calendly.com/">Calendly</a>, a widely-used scheduling tool that simplifies appointment management. Awotona&rsquo;s background in software development and entrepreneurship led to the creation of this user-friendly platform.</p> <h3 id="now-frederick-hutson">Now: Frederick Hutson</h3> <p><a href="https://www.linkedin.com/in/frederickhutson/">Frederick Hutson</a>, an American businessman, founded <a href="https://pigeonly.com/">Pigeonly</a>, a company that connects people with incarcerated loved ones. 
Hutson&rsquo;s entrepreneurial spirit took flight early, having launched and sold his first business while on active duty in the United States Air Force.</p> <div style="text-align: center !important;"> <iframe src="https://www.youtube-nocookie.com/embed/S_R5JpvdBHE" frameborder="0" allow="autoplay; encrypted-media" width="500px !important;" height="281px !important;" style="width: 500px !important; height: 281px !important; display: inline-block !important" allowfullscreen></iframe> </div> <h3 id="now-lisa-carter">Now: Lisa Carter</h3> <p><a href="https://www.linkedin.com/in/lisamariecarter/">Lisa Carter</a>, award-winning Tech Entrepreneur and CEO of <a href="https://www.discussionbox.tv/">Discussion Box</a>, leads a virtual events platform for culture-shifting brands.</p> <h2 id="agricultural-science">Agricultural science</h2> <h3 id="then-george-washington-carver">Then: George Washington Carver</h3> <p>Renowned for his groundbreaking research on peanuts, sweet potatoes, and soybeans, <a href="https://www.history.com/topics/black-history/george-washington-carver">George Washington Carver</a> had a huge impact on American agriculture. His work promoted crop diversification and sustainable farming practices.</p> <h3 id="now-tinia-pina">Now: Tinia Pina</h3> <p><a href="https://www.linkedin.com/in/tiniapina/">Tinia Pina</a>, founder and CEO of <a href="https://www.re-nuble.com/">Re-Nuble</a>, focuses on sustainable waste management and regenerative agriculture. 
Advocating for climate-smart agriculture, Pina leads a social enterprise that uses unique technologies to upcycle organic waste.</p> <div style="text-align: center !important;"> <iframe src="https://www.youtube-nocookie.com/embed/-ULLNLmSV1U" frameborder="0" allow="autoplay; encrypted-media" width="500px !important;" height="281px !important;" style="width: 500px !important; height: 281px !important; display: inline-block !important" allowfullscreen></iframe> </div> <h3 id="now-jasmine-crowe-houston">Now: Jasmine Crowe-Houston</h3> <p><a href="https://twitter.com/jasminecrowe">Jasmine Crowe-Houston</a>, founder and CEO of <a href="https://goodr.co/">Goodr</a>, addresses food waste and hunger by connecting surplus food from businesses to communities in need.</p> <h2 id="education">Education</h2> <h3 id="then-mary-mcleod-bethune">Then: Mary McLeod Bethune</h3> <p><a href="https://www.womenshistory.org/education-resources/biographies/mary-mcleod-bethune">Mary McLeod Bethune</a>, an advocate for racial and gender equality, founded a boarding school for African American girls in 1904. Her contributions extended to advising U.S. presidents on minority affairs.</p> <div style="text-align: center !important;"> <iframe src="https://www.youtube-nocookie.com/embed/gnI0RhtE9jY" frameborder="0" allow="autoplay; encrypted-media" width="500px !important;" height="281px !important;" style="width: 500px !important; height: 281px !important; display: inline-block !important" allowfullscreen></iframe> </div> <h3 id="now-dr-johnetta-maccalla">Now: Dr. Johnetta MacCalla</h3> <p><a href="https://www.linkedin.com/in/johnetta-maccalla-a12311a8/">Dr. 
Johnetta MacCalla</a>, CEO of <a href="https://www.kidscodingapp.com/">Zyrobotics</a>, pioneers inclusive STEM-related educational technologies that address the diverse needs of children, especially those with differing abilities.</p> <h3 id="now-gori-yahaya">Now: Gori Yahaya</h3> <p><a href="https://twitter.com/goridigital">Gori Yahaya</a>, founder and CEO of <a href="https://upskilldigital.com/">UpSkill Digital</a>, focuses on providing digital skills training and consultancy.</p> <h2 id="media">Media</h2> <h3 id="now-bob-johnson">Now: Bob Johnson</h3> <p><a href="https://www.blackentrepreneurprofile.com/people/person/robert-l-johnson">Bob Johnson</a> is an entrepreneur, media magnate, and investor. He is the co-founder of Black Entertainment Television (BET) and made history in 2002 by becoming <a href="https://www.nytimes.com/2002/12/19/sports/founder-of-tv-network-becomes-first-black-owner-in-major-sports.html">the first African American majority owner of a major professional sports team</a> in the United States.</p> <div style="text-align: center !important;"> <iframe src="https://www.youtube-nocookie.com/embed/YFFMdZBGyM8" frameborder="0" allow="autoplay; encrypted-media" width="500px !important;" height="281px !important;" style="width: 500px !important; height: 281px !important; display: inline-block !important" allowfullscreen></iframe> </div> <h3 id="now-deshuna-spencer">Now: DeShuna Spencer</h3> <p><a href="https://www.deshuna.com/">DeShuna Spencer</a>, founder and CEO of <a href="https://www.kweli.tv/">kweliTV</a>, promotes diversity and inclusion in the media industry through a streaming platform that showcases independent films and documentaries.</p> <h2 id="culinary-arts">Culinary Arts</h2> <h3 id="then-joseph-lee">Then: Joseph Lee</h3> <p><a href="https://www.invent.org/inductees/joseph-lee">Joseph Lee</a>, an African American chef and inventor, credited with inventing the bread crumb machine, revolutionized food waste reduction.</p> <h3 
id="now-riana-lynn">Now: Riana Lynn</h3> <p><a href="https://twitter.com/rianalynn">Riana Lynn</a>, founder of <a href="https://www.journeyfoods.com/">Journey Foods</a>, leverages artificial intelligence and data analytics to deliver personalized and healthier food products.</p> <div style="text-align: center !important;"> <iframe src="https://www.youtube-nocookie.com/embed/RPeQwTH5M6Y" frameborder="0" allow="autoplay; encrypted-media" width="500px !important;" height="281px !important;" style="width: 500px !important; height: 281px !important; display: inline-block !important" allowfullscreen></iframe> </div> <h3 id="now-dr-lisa-dyson">Now: Dr. Lisa Dyson</h3> <p><a href="https://www.linkedin.com/in/dysonlisa">Dr. Lisa Dyson</a>, CEO and co-founder of <a href="https://airprotein.com/">Air Protein</a>, pioneers sustainable protein production by transforming carbon dioxide into protein using innovative microbial technology.</p> <p>These trailblazers have not only shaped the present but are influencing and inspiring the next generation. By highlighting the remarkable contributions of Black visionaries we hope to weave a new narrative in society that enriches our collective understanding of history and paves the way for a more inclusive future.</p> <h2 id="celebrating-black-history-month-at-1password">Celebrating Black History Month at 1Password</h2> <p>Now, as we shift our focus to celebrating Black History Month at 1Password, we carry forward this commitment to diversity, inclusion, and the amplification of voices that have, for too long, been underrepresented. Black History Month provides a meaningful opportunity to amplify and celebrate the rich contributions of Black people.</p> <p>Here’s how we’re striving to create a more inclusive narrative inside 1Password:</p> <ul> <li> <p><strong>Real Talk Panel</strong>. 
We’re putting on a panel with four of our Black Caucus ERG (employee resource group) members who will share the profound impact of art, music, dance, and literature on their lives.</p> </li> <li> <p><strong>Black Caucus-led Book Club</strong>. We’re excited to offer a book club to our ERG members to create a space that celebrates the diverse voices of Black authors across genres. This isn&rsquo;t just about reading; it&rsquo;s a powerful way to support Black creatives and contribute to a more inclusive literary landscape.</p> </li> <li> <p><strong>Virtual Celebration with DJ K-Love</strong>. We&rsquo;re excited to present DJ K-Love who will guide our employees through an hour of music by Black artists across all genres, accompanied by engaging and fun music facts.</p> </li> </ul> <p>And here&rsquo;s what we&rsquo;re doing externally to make a positive impact:</p> <ul> <li> <p><strong>Donating 1Password memberships</strong>. In the spirit of giving back, we&rsquo;re donating 100 subscriptions to a Canadian-based organization that supports Black youth. By providing resources and tools, we aim to contribute to the growth and development of future leaders.</p> </li> <li> <p><strong>Supporting Big Brothers Big Sisters</strong>. We’re encouraging our employees to volunteer at <a href="https://www.bbbs.org/">Big Brothers Big Sisters</a>, a charity that provides mentorship to young people and, in the process, strengthens local communities. Through conscious choices, we can collectively contribute to a more vibrant world.</p> </li> </ul> <h2 id="lets-build-a-more-inclusive-future-together">Let&rsquo;s build a more inclusive future together</h2> <p>We hope you join us in honoring the past, celebrating the present, and working towards a more inclusive future. Your participation and support make a difference not just this month but throughout the year. 
Let&rsquo;s continue building a community that values and uplifts diverse voices.</p></description></item><item><title>Every business leader should find their tractor</title><link>https://blog.1password.com/business-leaders-find-hobby-distraction/</link><pubDate>Thu, 08 Feb 2024 00:00:00 +0000</pubDate><author>info@1password.com (Jeff Shiner)</author><guid>https://blog.1password.com/business-leaders-find-hobby-distraction/</guid><description> <img src='https://blog.1password.com/posts/2024/business-leaders-find-hobby-distraction/header.png' class='webfeedsFeaturedVisual' alt='Every business leader should find their tractor' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">It’s easy for leaders to get swept up in the fast-paced and always-on nature of our jobs, leaving little opportunity for downtime. My mind races far too much, so it’s become important to find activities to engage in regularly that take me away from Zoom and Slack, and give me perspective.</p> <p>In today’s busy world, the emphasis on being constantly connected and productive can be overwhelming. However, through my own work and career, I’ve noticed an essential truth: <strong>everyone needs a hobby or distraction from work.</strong> It’s more than just a hobby though – it’s a necessity for maintaining a healthy mind and body.</p> <p>For those who don’t know me well enough just yet, that escape is my tractor. Large equipment has always been a significant part of my life. This hobby started when I was 8 or 9 years old with my granddad bringing me to the rock quarry where he worked and letting me “drive” the various machines. As part of my upbringing, this hobby is both a connection to my past and something that grounds me in the present.</p> <img src='https://blog.1password.com/posts/2024/business-leaders-find-hobby-distraction/shiner-tractor.jpg' alt='Jeff Shiner, CEO of 1Password, standing in front of a tractor.' 
title='Jeff Shiner, CEO of 1Password, standing in front of a tractor.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <h2 id="life-on-my-farm">Life on my farm</h2> <p>I&rsquo;m fortunate to have a small farm on the outskirts of Waterloo, Ontario, Canada – a few acres of corn and soybean along with some forest and trails. Being out in nature, driving my tractor and tending to my property requires a perfect combination of focus and attention. I find it incredibly grounding and in complete contrast to the around-the-clock nature of my job. It’s also a welcome change of scenery that allows me to recharge my batteries.</p> <p>Working on my tractor has become more than just a pastime – it’s an opportunity to center myself and find balance. It keeps me refreshed and ready to tackle any tough problems that come my way in life.</p> <p>There’s also this undeniable satisfaction in getting my hands dirty – it’s a rewarding experience that’s completely different from what I encounter in my day-to-day work at 1Password. Everything feels a bit more manageable when I’m on my farm – it’s like my own personal version of yoga! The feeling of accomplishment when I do something ‘hands-on’ is therapeutic in a way that’s hard to put into words.</p> <p>The beauty of this hobby is that it demands just enough concentration to prevent my thoughts from drifting back to work, yet it&rsquo;s not so demanding that it creates another source of stress.</p> <img src='https://blog.1password.com/posts/2024/business-leaders-find-hobby-distraction/shiner-tractor2.jpg' alt='Five tractor parts hanging on a blue rack inside a garage.' title='Five tractor parts hanging on a blue rack inside a garage.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>For me, the difference between fun and frustrating is the amount of time it takes to accomplish a task, and because of that, I set no deadlines on my tractor work. 
In the moment, time slows down, and I have a sense of peace that can be hard to come by in the hustle and bustle of the tech world. It’s just me, the tractor, and the land, and the simplicity of that is something I find invaluable.</p> <p>In tech, we often talk about innovation and pushing boundaries. But sometimes, simply stepping away from the screen can result in returning to a task with a clearer and more effective state of mind. I solve problems better, think through complex issues more creatively, and (I believe) become a better leader.</p> <p>My hobby feels like hitting the ‘reset’ button and giving myself opportunities to find clarity and inspiration. It’s a self-reminder that success isn’t just about the hours we put into our work – it also comes from the ways we recharge and take care of ourselves.</p> <h2 id="find-your-version-of-my-tractor">Find your version of my tractor</h2> <p>If you haven’t done so already, I encourage you to find your &lsquo;tractor&rsquo;. It should be something that requires just enough attention to force your mind away from work but not one that adds extra pressure to your day.</p> <p>Finding this balance is crucial. Engage in what ignites your passion, and watch how it transforms not just your free time but your productivity and mindset too. It could be anything that resonates with you. Just make the time for it. What matters is that it’s an activity that allows you to unwind and offers a sense of fulfillment.</p> <p>As for my current project, I recently bought a 10-year-old tractor that I’m excited to bring back to life. Revitalizing it is a lot like working through the various challenges that crop up in the tech world. You learn, adapt, and see pieces come together in a rewarding way. 
It’s already been an exciting adventure that helps me clear my mind – and if you’re curious, you’re welcome to follow along on <a href="https://www.instagram.com/jshiner_eh">Instagram</a>.</p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Follow Jeff Shiner on LinkedIn</h3> <p class="c-call-to-action-box__text"> Read more of my thoughts and advice, as well as updates about what's happening inside 1Password, over on LinkedIn! </p> <a href="https://www.linkedin.com/in/jshiner/" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Follow on LinkedIn </a> </div> </section></description></item><item><title>Securing identities in hybrid environments</title><link>https://blog.1password.com/identity-security-in-hybrid-work-environments/</link><pubDate>Tue, 06 Feb 2024 00:00:00 +0000</pubDate><author>info@1password.com (Rob Boone)</author><guid>https://blog.1password.com/identity-security-in-hybrid-work-environments/</guid><description> <img src='https://blog.1password.com/posts/2024/identity-security-in-hybrid-work-environments/header.png' class='webfeedsFeaturedVisual' alt='Securing identities in hybrid environments' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">This is the second in a series of four posts on how to secure your hybrid workforce. For an overview of the topics discussed in this series, download <em><a href="https://1password.com/resources/access-management-ebook/?utm_ref=blog">The new perimeter: Access management in a hybrid world</a></em>.</p> <p>In the first post in this series, we identified <a href="https://blog.1password.com/securing-your-hybrid-workforce/">four key challenges to securing your hybrid workforce</a>: identity, shadow IT, the security vs. 
productivity tradeoff, and cybersecurity costs.</p> <p>Today, let&rsquo;s dive into identity and access management. (We&rsquo;ll explore the other topics in upcoming posts, so stay tuned.)</p> <h2 id="recap-the-new-perimeter">Recap: The new perimeter</h2> <p>In 2023, <a href="https://www.verizon.com/business/resources/reports/dbir/">70% of data breaches involved an identity element</a>, which can be a vulnerability as simple as a stolen password. And that number is growing – <a href="https://www.forrester.com/blogs/predictions-2024-security-and-risk/">Forrester expects it to climb to 90% in 2024</a>.</p> <p>This is happening for a number of reasons, but hybrid work is high on the list. Instead of badging in to a secure workplace, or <a href="https://blog.1password.com/how-a-vpn-works/">using a VPN</a> to access a secure network, we&rsquo;re working everywhere: from the office, from home, from the coffee shop, at the airport.</p> <p>And instead of working on-premises solely from company-provided devices, we&rsquo;re working both in the office and remotely from many devices, including our own personal devices.</p> <p>We&rsquo;re also using a ton of apps to get work done. Today <a href="https://www.gartner.com/document/4248899?ref=solrResearch&amp;refval=373845128&amp;">we use twice as many apps for work as we did in 2019</a>, according to Gartner.</p> <p>It&rsquo;s a lot. And as a result, <a href="https://www.gartner.com/document/4022188?ref=solrResearch&amp;refval=373844826&amp;">IT has to manage and secure about 125 apps</a>. We access them from multiple devices and from many different locations, and so the perimeter that IT is tasked with defending is porous and always moving.</p> <p>It&rsquo;s no longer possible to build a virtual wall around those company networks and company-provided devices. Instead, securing a hybrid workforce requires verifying identity. 
Not just &ldquo;should this access attempt be allowed?&rdquo; but &ldquo;Is this person who they say they are?&rdquo;</p> <p>If a cyberattack starts with access, every access attempt starts with identity. When you verify identity, you secure the source of the access attempt.</p> <h2 id="3-aspects-of-identity-security">3 aspects of identity security</h2> <p>But how do you do that? What additional security measures help verify identity to secure a hybrid workforce? To answer that, let&rsquo;s start with a new technology that illustrates why strong identity verification works so well: passkeys.</p> <h3 id="passkeys">Passkeys</h3> <p><a href="https://1password.com/product/passkeys">Passkeys</a> are a more secure replacement for passwords. They consist of two parts: a public key and a private key.</p> <p>The public key resides with the service you create the passkey for. The private key stays on your device. The two keys are mathematically linked, like interlocking puzzle pieces. When you try to access a service, that service checks to see if the puzzle pieces fit together. If they do, you&rsquo;re signed in.</p> <p>Passkeys are often backed by biometrics. You give the service in question permission to check that your private and public keys match up using your device&rsquo;s built-in biometrics, like your fingerprint or Face ID.</p> <p>Let&rsquo;s break down why this is more secure than traditional passwords.</p> <p>Think back to what you know about multi-factor authentication (MFA). The reason it&rsquo;s &ldquo;multi-factor&rdquo; is because it uses multiple factors to sign you in. Those factors come in one of three forms: something you know, something you have, or something you are.</p> <p>MFA typically uses two of those three factors. It wouldn’t be particularly secure to back up something you know with something else you know, since both can be stolen.</p> <p>The password, for example, is something you know. 
If you use a hardware key (like a Yubikey) for two-factor authentication, you&rsquo;re combining something you know (your password) with something you have (the Yubikey). That&rsquo;s harder to falsify.</p> <p>Biometrics verify your identity with something you are (your face or fingerprint). So while passkeys are something you have (the private key on your device), they&rsquo;re backed up with something you are (biometrics) when you give a service permission to access that private key.</p> <p>That&rsquo;s how passkeys verify your digital identity: by verifying something only you have and something only you are. And the private key never leaves your device, so it can&rsquo;t be compromised in a phishing attack. In fact, that&rsquo;s what makes it resistant to most social engineering attempts.</p> <p>So, passkeys illustrate why verifying an access attempt at the identity level is the secure way to go.</p> <h3 id="strong-unique-logins">Strong, unique logins</h3> <p>Partly for that reason – and partly because they&rsquo;re so darn convenient – passkeys are the future (and the present).</p> <p>But passwords aren&rsquo;t going away anytime soon. They&rsquo;re too ubiquitous, too widely supported, and everyone knows how to use them.</p> <p>That doesn&rsquo;t change the fact that weak, compromised, and reused passwords are still the weakest link against cyberthreats.</p> <p>But if we&rsquo;re juggling dozens if not hundreds of apps, how realistic is it to expect employees to create strong, unique passwords for every app they use – let alone manage all of them themselves?</p> <p>Not very, which is why an <a href="https://1password.com/enterprise">enterprise password manager</a> (EPM) is the key to securing a hybrid workforce.</p> <p>It doesn&rsquo;t matter if employees are signing in to an approved app on a company device from the office, or a productivity app on their phone from the airport. 
If they&rsquo;re using an EPM, the EPM is doing the work for them.</p> <p>Companies can set their own minimum security requirements, and the EPM will ensure that every sign-in, on every device, meets those requirements. It can also flag weak, reused, or compromised passwords so employees can fix the problem before it becomes an issue.</p> <p>That being the case, employees don&rsquo;t even have to remember, let alone manage, all those passwords. The EPM will simply autofill their credentials for them. This is what it means to make the secure thing to do the easy thing to do.</p> <p>Most EPMs also support passkeys, to varying degrees. So employees can stop thinking about how they sign in (Password? Passkey? Something else?) and just&hellip; sign in.</p> <h3 id="principle-of-least-privilege-polp">Principle of Least Privilege (PoLP)</h3> <p>Finally, the <a href="https://blog.1password.com/guiding-principles-how-least-privilege-leads-to-more-security/">principle of least privilege</a> is another key aspect of identity security. PoLP is usually at the heart of a robust zero trust strategy.</p> <p>The premise is simple: only give people the minimum amount of access they need to do their jobs, and no more. By minimizing the total number of assets someone has access to, you reduce your overall risk and your attack surface.</p> <p>Again, EPMs make this easier by giving you control over how your employees access, use, and share items. Because you have control over user access, you can permit access in a way that aligns with your security policies. That might mean creating IP restrictions, mandating certain MFA requirements, or integrating with your SSO provider and policies.</p> <h2 id="secure-digital-identities--a-secure-hybrid-workforce">Secure digital identities = a secure hybrid workforce</h2> <p>Passkeys, strong, unique logins, and the principle of least privilege help us secure hybrid workforces at the source of each access attempt. 
And that might be enough, if we knew exactly what employees were logging in to. But with hybrid work, we often don&rsquo;t.</p> <p>So in addition to securing access to the apps we know about (managed apps), we have to secure access to the ones we don&rsquo;t (unmanaged apps, or shadow IT). We&rsquo;ll explore how to do that – including the mindset shift it requires of IT and security teams, and why single sign-on alone leaves gaps in your sign-on security model – in the next post.</p> <p>In the meantime, you can learn how to secure your hybrid workforce right now by downloading <em>The new perimeter: Access management in a hybrid world</em>.</p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">The new perimeter: Access management in a hybrid world</h3> <p class="c-call-to-action-box__text"> Learn about the four key considerations to securing your hybrid workforce, and why reducing risk starts with securing employee login credentials. 
</p> <a href="https://1password.com/resources/access-management-ebook/?utm_ref=blog" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Download now </a> </div> </section></description></item><item><title>Everything, everywhere all at once: Securing the new perimeter</title><link>https://blog.1password.com/securing-your-hybrid-workforce/</link><pubDate>Tue, 30 Jan 2024 00:00:00 +0000</pubDate><author>info@1password.com (Rob Boone)</author><guid>https://blog.1password.com/securing-your-hybrid-workforce/</guid><description> <img src='https://blog.1password.com/posts/2024/securing-your-hybrid-workforce/header.png' class='webfeedsFeaturedVisual' alt='Everything, everywhere all at once: Securing the new perimeter' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">This is the first in a series of four posts on how to secure your hybrid workforce. For a complete overview of the topics discussed in this series, download <em><a href="https://1password.com/resources/access-management-ebook/?utm_ref=blog">The new perimeter: Access management in a hybrid world</a></em>.</p> <h2 id="what-is-hybrid-work">What is hybrid work?</h2> <p>To secure your company, it used to be enough to secure the workplace and its entry points – because work was happening at work. There was a clearly defined perimeter to defend against attackers.</p> <p>In hybrid work environments, work happens everywhere: in the office and at home, at coffee shops and coworking spaces, on laptops and phones and tablets. And to get that work done, we use <em>a lot</em> of apps.</p> <p>Hybrid work – which was a thing well before the pandemic, but was massively accelerated by it – is the new normal we’re all adjusting to. 
Even now, <a href="https://www.mckinsey.com/mgi/our-research/empty-spaces-and-hybrid-places-chapter-1">office attendance is 30% lower</a> than it was pre-pandemic. There’s no going back.</p> <p>Suddenly secure networking, VPNs, endpoint protection, and employer-provided devices (basically the entirety of our old cybersecurity toolset) are no longer enough. How do you secure access in a hybrid world where remote work is more common than ever?</p> <p>How do you protect a perimeter that&rsquo;s constantly shifting and often spans the globe?</p> <h2 id="how-do-you-secure-a-hybrid-workforce">How do you secure a hybrid workforce?</h2> <p>This is the question every CISO, every IT and security team, and indeed every business is grappling with. And while the discussion of how to protect your company against the next big data breach or cyberattack could fill a library on its own, the question of where to start is surprisingly simple.</p> <p>Let’s break down four key considerations to securing your hybrid workforce: identity, bring-your-own-device (BYOD) and shadow IT, the security vs. productivity tradeoff, and security costs.</p> <p><strong>For a deeper dive into these four considerations, download <em><a href="https://1password.com/resources/access-management-ebook/?utm_ref=blog">The New Perimeter: Access management in a hybrid world</a></em>.</strong></p> <h2 id="the-new-perimeter">The new perimeter</h2> <p>70% of data breaches in 2023 still involved an identity element. Protecting your company starts with validating the identity of every single sign-in attempt. Frankly, many companies don’t do this particularly well right now, so herein lies the greatest opportunity – the lowest-hanging fruit – to strengthen your security posture.</p> <p>Identity requires arguably the biggest mindset shift in a hybrid world. 
Instead of securing the entry point for a given access attempt, hybrid work requires that we secure the source of the attempt: the identity of the person or entity trying to gain access to business resources.</p> <p>In other words, instead of asking “should this person have access to this resource,” a focus on identity means asking “Is this person who they say they are?”</p> <p>For example, single sign-on (SSO) providers were built for a pre-hybrid world. A predefined list of company-approved apps is secured behind SSO, so that no one can sign in to those services unless they first sign in to their SSO provider. It’s a stronger credential that users are signing in with – but SSO alone can’t prove that someone is who they say they are.</p> <h2 id="its-time-to-embrace-byod-and-shadow-it">It’s time to embrace BYOD and shadow IT</h2> <p>SSO also leaves gaps in coverage, because only the apps and services that IT knows about can be approved, and thus put behind SSO.</p> <p>But on average, 30% of applications used by employees are not managed by the company, <a href="https://www.gartner.com/document/4022188?ref=solrResearch&amp;refval=373844826&amp;">according to Gartner</a>. In fact, they’re a complete blind spot: IT doesn’t even know workers are using these apps to get things done. That’s shadow IT.</p> <p>When someone in Finance spins up a Google Spreadsheet instead of the company-approved Excel, or someone in Design uses Sketch instead of the company-approved Figma, that’s shadow IT. By definition, IT can’t see that sign-in, so they can’t secure it.</p> <p>All those sign-in attempts can originate anywhere, on any device – and IT only provides secure access to a sliver of them.</p> <p>Workers aren’t trying to skirt security protocols, of course. 
They’re just trying to get things done, and sometimes the approved tools are limiting.</p> <h2 id="productivity-and-security-can-work-together">Productivity and security can work together</h2> <p>85% of employees have knowingly broken cybersecurity rules in order to get work done (<a href="https://hbr.org/2022/01/research-why-employees-violate-cybersecurity-policies">Harvard Business Review</a>). Historically, strong security comes at the cost of diminished productivity. This is a false tradeoff.</p> <p>This is because it used to be IT’s job to stop certain unvetted activities from happening. Today, IT needs to be a business enabler. To do that, they need to understand business goals and how workers get things done, in order to help them get those things done securely.</p> <p>Taking this path requires, first and foremost, the right tools for the job. Where legacy security tools are notoriously difficult to navigate and impose new friction in workflows, the ideal tool does the opposite, making the secure thing to do the easy thing to do.</p> <p>In that scenario, everyone wins: The tool itself ensures that minimum security requirements defined by the company are always met, and the worker doesn’t have to use crazy workarounds that compromise security to do their job.</p> <h2 id="getting-a-handle-on-security-costs">Getting a handle on security costs</h2> <p>The cost of continuing to do things the old way grows every year. There&rsquo;s the cost of a data breach itself ($4.45 million on average, <a href="https://www.ibm.com/reports/data-breach">according to IBM</a>).</p> <p>There’s the SSO tax, or the cost of adding new services to your SSO provider. 
And there’s the cost of things like password resets, <a href="https://thehackernews.com/2021/04/cost-of-account-unlocks-and-password.html">which comprise a surprising amount of IT’s overall workload</a>.</p> <p>It all adds up, but it doesn&rsquo;t have to.</p> <p>In the coming weeks, we&rsquo;ll explore these topics in more depth here on the 1Password blog, but you can learn how to secure your hybrid workforce right now by downloading <em><a href="https://1password.com/resources/access-management-ebook/?utm_ref=blog">The new perimeter: Access management in a hybrid world</a></em>.</p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">The new perimeter: Access management in a hybrid world</h3> <p class="c-call-to-action-box__text"> Learn about the four key considerations to securing your hybrid workforce, and why reducing risk starts with securing employee login credentials. </p> <a href="https://1password.com/resources/access-management-ebook/?utm_ref=blog" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Download now </a> </div> </section></description></item><item><title>1Password Watchtower can now help keep your SSH keys safe</title><link>https://blog.1password.com/watchtower-ssh-keys/</link><pubDate>Wed, 24 Jan 2024 00:00:00 +0000</pubDate><author>info@1password.com (Bryan Byrne & Floris van der Grinten)</author><guid>https://blog.1password.com/watchtower-ssh-keys/</guid><description> <img src='https://blog.1password.com/posts/2024/watchtower-ssh-keys/header.png' class='webfeedsFeaturedVisual' alt='1Password Watchtower can now help keep your SSH keys safe' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Starting today, you can review and mitigate potential SSH key security risks in 1Password Watchtower.</p> 
<p>When was the last time you reviewed the SSH keys on your local disk? Do you know which encryption algorithm your keys use? Is every key secured with a passphrase, or are some stored as plaintext?</p> <p>We take care to protect many of the credentials we work with every day. But too often we store SSH keys – the keys we use to access servers, databases, and other infrastructure – on the local drive and promptly forget about them.</p> <p>When left unaddressed, insecure and unencrypted SSH keys are security vulnerabilities that can be exploited by bad actors. Just this month, researchers discovered <a href="https://www.reversinglabs.com/blog/gitgot-cybercriminals-using-github-to-store-stolen-data">malicious NPM packages designed to upload stolen SSH keys to GitHub</a>. Fortunately, both packages were removed before they could be widely distributed, but this was yet another example of malicious actors using open-source package managers to target developers and engineering organizations.</p> <h2 id="a-new-way-to-monitor-the-security-of-your-ssh-keys">A new way to monitor the security of your SSH keys</h2> <div style="text-align: center !important;"> <iframe src="https://www.youtube-nocookie.com/embed/OOy-6zjUyXY" frameborder="0" allow="autoplay; encrypted-media" width="500px !important;" height="281px !important;" style="width: 500px !important; height: 281px !important; display: inline-block !important" allowfullscreen></iframe> </div> <p>You can now choose to let 1Password Watchtower review the SSH keys stored on your local disk. 1Password will then provide security alerts and recommendations so you can easily address potential SSH key security risks. This is in addition to the many ways <a href="https://developer.1password.com/docs/ssh/">1Password for SSH and Git</a> can make SSH keys less of a headache.</p> <p>Watchtower recommendations can include the option to import your SSH keys into 1Password for safekeeping. 
Once your SSH keys are imported, you can <a href="https://blog.1password.com/1password-ssh-agent/">use the built-in SSH agent</a> to securely create, organize, and use SSH keys wherever they are needed.</p> <img src="https://blog.1password.com/posts/2024/watchtower-ssh-keys/watchtower-ssh-keys.png" alt="1Password Watchtower showing a new option to scan developer credentials" title="1Password Watchtower showing a new option to scan developer credentials" class="c-featured-image"/> <p>If the feature (now in beta) is enabled, Watchtower will let you know about:</p> <ol> <li><strong>SSH keys that don’t have a passphrase set.</strong> It can be easy to forget to set a passphrase when creating a new SSH key – resulting in an unencrypted SSH key being stored on a local disk and increasing the risk of the key being compromised.</li> <li><strong>Outdated and vulnerable SSH keys.</strong> Over time, SSH keys that were once considered secure can become outdated and vulnerable, such as those created using Digital Signature Algorithm (DSA) or RSA with a small bit length.</li> </ol> <h2 id="how-to-get-started">How to get started</h2> <p>You can get started with SSH keys in Watchtower in just three steps.</p> <img src="https://blog.1password.com/posts/2024/watchtower-ssh-keys/developer-credentials-toggle.png" alt="1Password settings with a new option to check for developer credentials on disk" title="1Password settings with a new option to check for developer credentials on disk" class="c-featured-image"/> <p>First, enable “Check for developer credentials on disk” in 1Password developer settings. This will allow the 1Password application to look on your local disk for developer credentials. 
(You can <a href="https://developer.1password.com/docs/watchtower/">learn more about how this works in the documentation</a>).</p> <img src="https://blog.1password.com/posts/2024/watchtower-ssh-keys/vulnerable-ssh-keys.png" alt="Vulnerable SSH keys found by 1Password" title="Vulnerable SSH keys found by 1Password" class="c-featured-image"/> <p>Next, open Watchtower to review alerts and recommendations. If Watchtower finds any SSH keys in your <code>~/.ssh</code> directory, you’ll be presented with a list of alerts and recommendations.</p> <img src="https://blog.1password.com/posts/2024/watchtower-ssh-keys/watchtower-ssh-key-recommendations.png" alt="List of SSH keys found by 1Password that need attention, and recommended actions" title="List of SSH keys found by 1Password that need attention, and recommended actions" class="c-featured-image"/> <p>Finally, take action on the recommendations. Copy suggested commands or file paths, or import supported key types directly into 1Password to use with the SSH agent.</p> <img src="https://blog.1password.com/posts/2024/watchtower-ssh-keys/1password-ssh-key.png" alt="SSH key saved in 1Password, with notes and tags field" title="SSH key saved in 1Password, with notes and tags field" class="c-featured-image"/> <h2 id="simplify-your-ssh-workflows-with-1password">Simplify your SSH workflows with 1Password</h2> <p>The 1Password SSH agent has <a href="https://blog.1password.com/1password-ssh-changed-how-i-work/">changed the way developers work</a>. Signing Git commits, authenticating SSH clients, and managing SSH keys is easier than ever. 1Password has always been about making the secure way the easy way. 
Now Watchtower makes it simple for developers and software engineering teams to secure their SSH keys.</p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Manage and secure developer credentials with 1Password</h3> <p class="c-call-to-action-box__text"> Use 1Password Watchtower to diagnose and remediate security issues found with SSH keys stored on your local disk. </p> <a href="https://developer.1password.com/docs/watchtower/" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Explore the documentation </a> </div> </section></description></item><item><title>One breach. One leak. And a lot of hard lessons about passwords.</title><link>https://blog.1password.com/one-breach-one-leak/</link><pubDate>Wed, 24 Jan 2024 00:00:00 +0000</pubDate><author>info@1password.com (1Password)</author><guid>https://blog.1password.com/one-breach-one-leak/</guid><description> <img src='https://blog.1password.com/posts/2024/one-breach-one-leak/header.png' class='webfeedsFeaturedVisual' alt='One breach. One leak. And a lot of hard lessons about passwords.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">It’s January, and 2024 is already seeing two major security announcements with wide-scale implications for security teams. 
While these announcements may seem disconnected at first, they highlight the continued importance of good password hygiene, and ensuring that employees are protecting themselves online inside and outside of the workplace.</p> <p>Here’s the TL;DR.</p> <h2 id="what-happened">What happened?</h2> <p>Two significant security announcements have been reported:</p> <ol> <li><strong><a href="https://www.npr.org/2024/01/20/1225835736/microsoft-russian-hackers-accessed-senior-leaders-emails">Microsoft email breach</a></strong> - State-backed Russian hackers broke into Microsoft’s email system, including access to the accounts of senior leadership members and the company’s cybersecurity team. The hackers were able to gain access by using “password spraying”: trying a single, common password in an attempt to log in to multiple accounts.</li> <li><strong><a href="https://cybernews.com/security/billions-passwords-credentials-leaked-mother-of-all-breaches/">The mother of all breaches</a></strong> (MOAB) - A massive database built from previous breaches, leaks, and private databases across a wide range of business and consumer sites from Twitter and LinkedIn to Adobe and Dropbox has been released by an unknown source. This breach is composed of roughly 26 billion records, and is being referred to as the “mother of all breaches.”</li> </ol> <h2 id="whos-impacted">Who’s impacted?</h2> <p>In the Microsoft case, it appears only the company’s internal systems and operations were compromised. This exemplifies how no matter how sophisticated your company is, or how powerful your enterprise security tools are, you&rsquo;re still at risk from something as simple as a compromised password.</p> <p>For MOAB, the range of companies included implies that if you have used ANY of the 3,800 services or apps whose data is included in the database, you are at risk. 
This breadth is astounding and especially highlights the risk of using the same password across services both personal and professional.</p> <p>The thread between both? Passwords. Anyone who has simple or common passwords, or reuses credentials across personal and business accounts, is creating risk for themselves and the organization they work for.</p> <h2 id="what-you-need-to-do-immediately">What you need to do immediately</h2> <p>In the short term, enterprises should review the list of companies compromised by MOAB, decide which ones pose a significant security risk, and then encourage employees to update their usernames and passwords for those sites – especially in the case that multi-factor authentication (MFA) is not in use. Wherever possible, ensure employees are implementing MFA or, even better, <a href="https://passage.1password.com/post/why-passkeys-are-better">adopting passkeys</a> to ensure strong authentication practices.</p> <p>You should also suggest that employees rotate any passwords that are used to access single sign-on (SSO) services, as they often represent the “keys to the kingdom” for employees and teams.</p> <p>If you’re a 1Password Business customer, you should encourage your employees to:</p> <ul> <li>Make sure that <a href="https://support.1password.com/watchtower/">Watchtower is “on”</a> for both their personal and business accounts.</li> <li>Open their 1Password application and check Watchtower for any alerts or flags on existing accounts.</li> <li>Go to the appropriate websites and update any compromised accounts.</li> <li>Where possible, use MFA at a minimum, and passkeys as the ideal state.</li> </ul> <p>If you’re not a 1Password customer, you should encourage your employees to:</p> <ul> <li>Go to <a href="https://haveibeenpwned.com/">Have I Been Pwned</a> and check if any of their data has been compromised.</li> <li>Go to the appropriate websites and update any compromised accounts with strong 
passwords with <a href="https://1password.com/password-generator/">1Password’s free password generator</a>.</li> <li>Consider purchasing and implementing an enterprise password manager to ensure that strong password policies can be easily implemented across your organization (or you can simply <a href="https://start.1password.com/sign-up/business">try 1Password Business for free for 14 days</a>).</li> </ul> <h2 id="what-you-need-to-do-going-forward">What you need to do going forward</h2> <p>Long term, the challenge is that it’s no longer enough to focus solely on changing behavior, nor is it enough to just put up additional defenses around your organization. You must do both. That means providing tools that are easy and convenient to use (which drives adoption) and further secure your company (such as MFA and passkeys). In terms of passwords, taking this approach requires:</p> <ul> <li> <p><strong>Using an enterprise password manager</strong>, such as 1Password, to streamline the creation, management, and usage of strong, unique passwords across your entire organization.</p> </li> <li> <p><strong>Implementing password policies</strong> that require unique, strong passwords for every employee login.</p> </li> <li> <p><strong>Requiring multi-factor authentication</strong> where possible, as strong authentication is the first line of defense against breaches.</p> </li> <li> <p><strong>Beginning to use passkeys</strong> as a safe password alternative that makes credential stealing impossible.</p> </li> <li> <p><strong>Auditing your password risk</strong> with a tool like Watchtower.</p> </li> </ul> <h2 id="how-1password-can-help">How 1Password can help</h2> <p>1Password provides an enterprise password manager (EPM) that can streamline how passwords are created across your entire organization, and ensure that safe, unique passwords are created for every employee credential.</p> <p>1Password&rsquo;s offerings provide critical functionality to prevent and detect breaches. 
Highlights include:</p> <ul> <li>Simplified creation and management of strong, unique passwords for every employee.</li> <li>Secure sharing of credentials across teams.</li> <li>Alerts when credentials have been compromised as part of an attack with <a href="https://watchtower.1password.com/">Watchtower</a>.</li> <li>Protect your (and your customers’) data with simple and straightforward implementation and management of <a href="https://blog.1password.com/how-save-manage-share-passkeys-1password/">passkeys</a> with <a href="https://passage.1password.com/">Passage by 1Password</a>.</li> <li>Enterprises that use 1Password also get a free family account for every employee, helping to ensure that passwords are not reused across personal and business accounts.</li> </ul> <p>While it’s not possible to prevent 100% of breaches, it is possible to arm your employees with the tools they need to break their bad password habits. Or even better – as in 1Password&rsquo;s case – provide your team with a tool that will also be easy to use and easy to adopt.</p> <p>To learn more about 1Password, <a href="https://1password.com/contact-us">contact us today</a>.</p></description></item><item><title>What to do if you were impacted by “The Mother of All Breaches”</title><link>https://blog.1password.com/what-to-do-mother-of-all-breaches/</link><pubDate>Wed, 24 Jan 2024 00:00:00 +0000</pubDate><author>info@1password.com (1Password)</author><guid>https://blog.1password.com/what-to-do-mother-of-all-breaches/</guid><description> <img src='https://blog.1password.com/posts/2024/what-to-do-mother-of-all-breaches/header.png' class='webfeedsFeaturedVisual' alt='What to do if you were impacted by “The Mother of All Breaches”' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">The mother of all breaches (MOAB). 
That’s how security experts are referring to the recent discovery of a massive database that is composed of data from thousands of previous breaches, leaks, and private databases.</p> <p>“But why should I care? How does it impact me?”</p> <p>The breach includes over <em>26 billion</em> records. That’s staggering. And that means if any of your accounts are included (or if you reuse passwords anywhere), you need to take action in order to protect yourself and your family.</p> <p>Here’s the TL;DR.</p> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div class="c-technical-aside-box__description"> <p><strong>What Happened?</strong> A massive database built from previous breaches, leaks, and private databases across a wide range of business and consumer sites from Twitter and LinkedIn to Adobe and Dropbox has been released by an unknown source. This breach is composed of roughly 26 billion records, and is being referred to as the “mother of all breaches”.</p> <p><strong>Who’s impacted?</strong> The database includes data from a wide variety of commonly used websites, including <a href="https://www.itpro.com/security/data-breaches/why-the-mother-of-all-breaches-is-a-wake-up-call-for-everyone">Tencent, Deezer, Dropbox, and LinkedIn,</a> among others.</p> <p><strong>How can I tell if I’ve been breached?</strong> Cybernews.com has published a <a href="https://cybernews.com/personal-data-leak-check/">personal data leak checker</a>. You can enter your email address to see if it was included in the leak.</p> <p>1Password customers should also check <a href="https://support.1password.com/watchtower/">Watchtower</a> within the 1Password app to see if any breach alerts have been triggered.</p> </div> </aside> <h2 id="what-to-do-if-youve-been-breached">What to do if you’ve been breached</h2> <p>Anyone who has an account with these sites, or has reused passwords associated with these sites, should take action immediately. 
That means resetting passwords and updating login information wherever necessary to protect yourself. If you have a family, don’t forget to check and update any of their passwords as well.</p> <p>Long term, there are a few things you can do to help prevent this from happening to you in the future. You can:</p> <ul> <li><strong>Secure yourself and your household</strong> as soon as possible by using a password manager to make it easy to create and manage unique, strong passwords for your accounts.</li> <li><strong>1Password user? Check Watchtower.</strong> 1Password’s Watchtower feature will provide alerts and notifications if any of your accounts have been included in major breaches or leaks. It’s a great starting point for updating any accounts that have been compromised.</li> <li><strong>Use passkeys</strong> that use biometrics (like your thumbprint or facial recognition) wherever possible to bypass having to use passwords.</li> </ul> <h2 id="how-1password-can-help">How 1Password can help</h2> <p>The breadth and scale of breaches today makes it all but inevitable that some of your credentials will eventually be compromised. Not even the most sophisticated companies in the world are immune to this.</p> <p>1Password can help you get a handle on all of your passwords, while also greatly simplifying the hassle of managing them. 
With 1Password, you can:</p> <ul> <li>Ensure your entire household is using strong and unique passwords across their accounts (or at least give them no excuse <em>not</em> to).</li> <li>Simplify management of your digital life with a single, safe place to store and manage all of your digital credentials, across all of your devices.</li> <li>Have confidence that your data is protected by the same solution that’s trusted by millions of customers and over 100,000 businesses.</li> </ul> <p>Password management is a great example of “an ounce of prevention is worth a pound of cure.” While it may seem like a lot to get it under control, it is still significantly easier to manage than having your identity be compromised.</p> <p>You can get started with 1Password today.</p> <div class="c-call-to-action"> <section class="c-call-to-action-box c-call-to-action-box--purple"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Get peace of mind with 1Password Families</h3> <p class="c-call-to-action-box__text"> Use 1Password Families to protect your online accounts and share important passwords with the people you trust and care about. </p> <a href="https://start.1password.com/sign-up/family" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--purple" data-event-category="CTA" data-event-action="call-to-action-button"> Try free for 14 days </a> </div> </section> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Get peace of mind with 1Password Individual</h3> <p class="c-call-to-action-box__text"> Keep all of your accounts, documents, and credit cards secure with 1Password, the world’s most-trusted password manager. 
</p> <a href="https://start.1password.com/sign-up/individual" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Try free for 14 days </a> </div> </section> </div></description></item><item><title>Security in 2024: Our experts’ predictions</title><link>https://blog.1password.com/security-trends-predictions-2024/</link><pubDate>Mon, 22 Jan 2024 00:00:00 +0000</pubDate><author>info@1password.com (Megan Barker)</author><guid>https://blog.1password.com/security-trends-predictions-2024/</guid><description> <img src='https://blog.1password.com/posts/2024/security-trends-predictions-2024/header.png' class='webfeedsFeaturedVisual' alt='Security in 2024: Our experts’ predictions' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Here we are again: the beginning of a brand new year. Brimming with possibility, it’s the perfect time to reflect, evaluate, and plan.</p> <p>Everyone here at 1Password is looking ahead — including our Security team. As you can imagine, they have a few thoughts and predictions for the coming year. Maybe you want to know what to watch for as you and your family live and work on the internet. Perhaps your company is budgeting for security and you wonder where funds are best spent. Whatever you’re planning for, information is key.</p> <p>From (more) <a href="https://blog.1password.com/what-are-passkeys/">passkeys</a> to increasingly sophisticated hacking techniques, there’s a lot in store for 2024. Let’s dive in.</p> <h2 id="dont-believe-what-you-see">Don’t believe what you see</h2> <p>As AI continues to permeate our lives, the use of <a href="https://www.techtarget.com/whatis/definition/deepfake">deepfakes</a> will grow rapidly in both targeted <a href="https://blog.1password.com/what-is-social-engineering-hacking-101/">social engineering</a> attacks and broader attempts to influence public opinion. 
While AI-generated audio, photos, and video are still far from perfect, they’re good enough to trick most people — and improving rapidly.</p> <h2 id="your-employees-are-the-targets">Your employees are the targets</h2> <p>While <a href="https://blog.1password.com/future-of-1password/">the human element of security is always critical</a>, attacks on businesses are focused on people rather than systems, now more than ever. Social engineering is becoming more sophisticated, effective, coercive, and sometimes even threatening.</p> <h2 id="passkeys-passkeys-passkeys">Passkeys, passkeys, passkeys</h2> <p>The effort to kill passwords has been in motion for decades. This year we’ll see passwords relegated to a second-class experience (though far from dead) as passkeys continue to gain traction quickly, providing a better user experience and increased security versus traditional passwords.</p> <p>As we’ve covered in the past, <a href="https://blog.1password.com/passkeys-vs-passwords-differences/#what-passwordless-means-for-your-security">passkeys are highly phishing resistant</a>. As adoption increases, we’ll see a decrease in phishing sites that have been set up to harvest credentials. Instead, we expect more investment in sophisticated targeted attacks — specifically, getting on users’ computers to steal local and session data from web browsers. The balance will slowly shift from large-scale, wide-net attacks to more targeted social engineering.</p> <h2 id="its-about-the-money">It’s about the money</h2> <p>Attacks focused on profit will continue to multiply as threats become even more sophisticated and flexible, and attackers take full advantage of the latest technologies to improve their efficiency. The line between criminal organizations and state-sponsored groups will continue to blur, and attribution will become ever more difficult.</p> <p>We can look at 2023 as just a preview of what the future will hold. 
These groups will only improve, becoming more professional and dedicated. The days of a loose collective looking for quick profit are gone as attacks are dominated by more professional organizations.</p> <h2 id="quantum-computers-arent-a-threat--yet">Quantum computers aren’t a threat — yet</h2> <p>It’s important to develop and refine plans to adjust your systems to threats posed by quantum computers, like plans to implement post-quantum cryptography. But we’re still <a href="https://www.theverge.com/2021/5/19/22443453/google-quantum-computer-2029-decade-commercial-useful-qubits-quantum-transistor">years away from a quantum computer that may be useful</a>, much less pose a threat to systems that are in use today. That said, now is the time to plan, prepare, update threat models, and reevaluate security controls.</p> <p>With that in mind, NIST <a href="https://www.nist.gov/news-events/news/2022/07/nist-announces-first-four-quantum-resistant-cryptographic-algorithms">announced the winners of their post-quantum cryptography contest</a>, and defined draft standards for <a href="https://csrc.nist.gov/news/2023/three-draft-fips-for-post-quantum-cryptography">two post-quantum secure digital signatures and one post-quantum key exchange mechanism</a> — an important milestone.</p> <p>The wider cryptographic community seems to agree the algorithms are worth standardizing, which means early movers will likely adopt post-quantum algorithms in their stack. In fact, <a href="https://signal.org/blog/pqxdh/">Signal messenger is trialing the CRYSTALS-Kyber key encapsulation mechanism</a> that NIST selected.</p> <h2 id="the-bottom-line-preparation-is-key">The bottom line: Preparation is key</h2> <p>If there’s an overarching trend for 2024, it just might be: Prepare now. 
Whether that means adopting passkeys, educating your team, or experimenting with post-quantum algorithms, progress in 2024 means less cause for worry down the road.</p> <p><em>A special thank you to the 1Password Security team members who contributed to this article:</em></p> <ul> <li><em>Adam Caudill – Security Architect</em></li> <li><em>Rick van Galen – Team Lead, Product Security</em></li> </ul></description></item><item><title>How to save, share, and manage passkeys using 1Password</title><link>https://blog.1password.com/how-save-manage-share-passkeys-1password/</link><pubDate>Tue, 16 Jan 2024 00:00:00 +0000</pubDate><author>info@1password.com (Nick Summers)</author><guid>https://blog.1password.com/how-save-manage-share-passkeys-1password/</guid><description> <img src='https://blog.1password.com/posts/2024/how-save-manage-share-passkeys-1password/header.png' class='webfeedsFeaturedVisual' alt='How to save, share, and manage passkeys using 1Password' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">You can save <a href="https://blog.1password.com/storing-1password/">all sorts of sensitive information in 1Password</a> including your usernames and passwords, addresses, credit cards, and <a href="https://blog.1password.com/introducing-the-medical-record/">medical records</a>. It&rsquo;s also a safe and convenient place to store your <a href="https://blog.1password.com/what-are-passkeys/">passkeys</a> – a new type of login credential that lets you sign in to accounts with unmatched security and convenience.</p> <p>In this guide, we&rsquo;ll break down how to save, use, manage, and share passkeys using 1Password. 
You&rsquo;ll learn what passkeys are, the different ways you can organize them in 1Password, and how to discover which apps and websites support them.</p> <p>By the end, you&rsquo;ll know how to get the most out of passkeys so you can sign in to online accounts and protect your data fuss-free.</p> <h2 id="contents">Contents</h2> <ul> <li><a href="#what-are-passkeys">What are passkeys?</a></li> <li><a href="#what-you-need-to-save-and-sign-in-with-passkeys-using-1password">What you need to save and sign in with passkeys using 1Password</a></li> <li><a href="#how-to-find-websites-and-apps-that-support-passkeys">How to find websites and apps that support passkeys</a></li> <li><a href="#how-to-create-passkeys-for-your-online-accounts">How to create passkeys for your online accounts</a></li> <li><a href="#how-to-sign-in-to-an-account-with-a-passkey">How to sign in to an account with a passkey</a></li> <li><a href="#how-to-manage-and-organize-passkeys-in-1password">How to manage and organize passkeys in 1Password</a></li> <li><a href="#how-to-share-passkeys-using-1password">How to share passkeys using 1Password</a></li> <li><a href="#get-started-with-passkeys-in-1password">Get started with passkeys in 1Password</a></li> </ul> <h2 id="what-are-passkeys">What are passkeys?</h2> <p>For the longest time, passwords have been the de facto way to log in to our favorite websites and apps. Everyone is comfortable using them but that doesn&rsquo;t mean they&rsquo;re the best option available.</p> <p>One problem is that if you don&rsquo;t use a <a href="https://blog.1password.com/password-manager/">password manager</a>, it can be hard to create and remember strong passwords. Another problem that’s out of your control is how different apps and websites protect your passwords. 
If a website you use is breached and they haven&rsquo;t been storing your data securely, it&rsquo;s <em>possible</em> for an attacker to discover your password.</p> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div class="c-technical-aside-box__description"> <p>If you use 1Password, <a href="https://watchtower.1password.com/">Watchtower</a> will tell you when your passwords have appeared in data breaches. You can then update the affected password before an attacker can exploit it.</p> </div> </aside> <p>Passkeys are a form of passwordless authentication that solve many of the issues associated with passwords. First, they&rsquo;re easy to use. You don&rsquo;t have to come up with anything manually or type anything out to sign in. Secondly, passkeys are strong by default. There&rsquo;s no such thing as a &lsquo;weak&rsquo; passkey and, unlike traditional passwords, you can&rsquo;t fall into the trap of re-using the same passkey to secure different accounts.</p> <div style="text-align: center !important;"> <iframe src="https://www.youtube-nocookie.com/embed/DELDP_wbuE4?si=VQ4KiFVKIJwHFGBY" frameborder="0" allow="autoplay; encrypted-media" width="500px !important;" height="281px !important;" style="width: 500px !important; height: 281px !important; display: inline-block !important" allowfullscreen></iframe> </div> <p>Passkeys also can&rsquo;t be stolen in a data breach. Behind the scenes, every passkey has two parts – a public key and a private key – and only one half is shared with the service you&rsquo;re signing in to. 
If an attacker breaches the website or app you’ve made an account for, the best they can hope to find is your public key – they’d still need your private key to access your data.</p> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div class="c-technical-aside-box__description"> <p>Read our <a href="https://blog.1password.com/passkeys-faqs/">FAQs post</a> if you want to learn more about passkeys and how they work!</p> </div> </aside> <h2 id="what-you-need-to-save-and-sign-in-with-passkeys-using-1password">What you need to save and sign in with passkeys using 1Password</h2> <p>If you&rsquo;re a long-time 1Password user, you likely have everything required to start using passkeys today. Here’s what you need to go passwordless with 1Password:</p> <ul> <li> <p><strong>The desktop version of <a href="https://1password.com/downloads/browser-extension/">1Password in the browser</a>.</strong> You&rsquo;ll need our browser extension if you want to save and sign in with passkeys on your Mac or Windows-based devices.</p> </li> <li> <p><strong><a href="https://1password.com/downloads/ios/">1Password for iOS or iPad OS</a>.</strong> You can create and use passkeys in the mobile version of Safari and passkey-supported apps provided your device is running iOS 17/iPad OS 17 or higher.</p> </li> </ul> <p>You can also use the 1Password app on any device to view, organize, and share your saved passkeys. That includes Macs, Windows PCs, iPhones, iPads, and Android devices.</p> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div class="c-technical-aside-box__description"> <p>There are many benefits to using the 1Password app and browser extension in tandem. 
<a href="https://blog.1password.com/1password-apps/">Learn why we built the 1Password apps and how they make your life simpler</a>.</p> </div> </aside> <h2 id="how-to-find-websites-and-apps-that-support-passkeys">How to find websites and apps that support passkeys</h2> <p>As we&rsquo;ve established, passwords have been around for an awfully long time. Passkeys, by comparison, are the new kid on the block.</p> <p>The good news: A growing number of websites and apps are now offering passkeys as a sign-in option. The bad news: there are still plenty that don&rsquo;t.</p> <p>The fastest way to discover where you can start using passkeys is via <a href="https://support.1password.com/watchtower/">Watchtower</a>.</p> <aside class="c-technical-aside-box c-technical-aside-box--background" aria-labelledby="what-is-watchtower"> <h2 class="c-technical-aside-box__title" id="what-is-watchtower"> What is Watchtower? </h2> <div class="c-technical-aside-box__description"> <p>Watchtower is built into 1Password and serves as your personal security HQ. It uses the world-renowned <a href="https://haveibeenpwned.com/">Have I Been Pwned</a> database to see if any of your passwords have appeared in known data breaches. It also flags weak or duplicate passwords, and sites where you can turn on <a href="https://1password.com/features/two-factor-authentication/">two-factor authentication</a>.</p> </div> </aside> <p>You can access Watchtower from the sidebar in 1Password for Mac, Windows, and Linux. 
If you&rsquo;re using 1Password on a mobile device, you&rsquo;ll see the Watchtower option in the menu bar at the bottom of the screen.</p> <img src='https://blog.1password.com/posts/2024/how-save-manage-share-passkeys-1password/watchtower-passkeys.png' alt='The Watchtower section of 1Password with cards, one of which states that the user has &#39;10 passkeys available.&#39;' title='The Watchtower section of 1Password with cards, one of which states that the user has &#39;10 passkeys available.&#39;' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>Inside Watchtower, there’s a section that shows how many of your existing logins are compatible with passkeys.</p> <p>We recommend using this list of items as your personal passkey checklist! Write them out in order of importance and then work through them one-by-one. Remember: You don&rsquo;t have to tackle them all in a single day. Update them at a pace that makes sense for you.</p> <p>Next, check out our online <a href="https://passkeys.directory/">passkeys directory</a>. It&rsquo;s a community-driven project that lists which services currently offer passkeys. You can submit websites and apps that have already added passkey support but aren’t yet in the directory. It&rsquo;s also possible to put forward and upvote services you wish offered passkeys as a sign-in option!</p> <img src='https://blog.1password.com/posts/2024/how-save-manage-share-passkeys-1password/passkeys-directory.png' alt='The passkeys.directory website showing a list of services that currently support passkeys.' title='The passkeys.directory website showing a list of services that currently support passkeys.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <h2 id="how-to-create-passkeys-for-your-online-accounts">How to create passkeys for your online accounts</h2> <p>Ready to start saving and signing in with passkeys? Awesome! 
You&rsquo;ll do this in one of two ways:</p> <ul> <li>On the website the account is associated with.</li> <li>In the relevant mobile or desktop app.</li> </ul> <p>There&rsquo;s no &lsquo;right&rsquo; approach. You&rsquo;ll likely use both methods depending on the service and devices you own.</p> <p>The process of creating a passkey will vary ever so slightly depending on the service. That&rsquo;s because every website or app is designed in a different way, with different pages and layouts. <em>But</em> most developers put their &lsquo;create a passkey&rsquo; option in one of two places, which we recommend trying first:</p> <ul> <li><strong>The sign-in page or screen.</strong> You&rsquo;ll often see a button next to or underneath the password field giving you the option to set up a passkey.</li> <li><strong>Your account settings.</strong> Most websites and apps will have a ‘security’ or ‘sign-in methods’ section where you can change your password, (hopefully) enable two-factor authentication, and alter other login settings. Unsurprisingly, this is usually the place where you can set up or disable a passkey for your account, too.</li> </ul> <p>Once you&rsquo;ve chosen the option to create a passkey, follow the instructions presented by the website or in the app. 1Password will offer to save your new passkey, and at this moment you&rsquo;ll be able to choose what vault it&rsquo;s saved in, and whether the passkey should be added to an existing item.</p> <p>The latter is helpful if you already have a login item containing your traditional username and password. You can add your passkey to that same vault item, keeping everything together and organized. 
We suspect you&rsquo;ll want to do this in most instances; however, you always have the choice to save the passkey as a new item instead.</p> <img src="https://blog.1password.com/posts/2024/how-save-manage-share-passkeys-1password/passkeybrowser.png" alt="A screenshot showing a passkey being created and saved using 1Password in the browser." title="A screenshot showing a passkey being created and saved using 1Password in the browser." class="c-featured-image"/> <p>If you&rsquo;re creating a brand new account, the process will be largely the same. First, go to the page or screen that lets you create an account. You may immediately see an option to create an account with a passkey instead of a password. In other instances, you&rsquo;ll need to make an account with a traditional username and password <em>first</em> before creating a passkey.</p> <h2 id="how-to-sign-in-to-an-account-with-a-passkey">How to sign in to an account with a passkey</h2> <p>Once you&rsquo;ve saved a passkey in 1Password, using it to sign in couldn&rsquo;t be simpler.</p> <ul> <li>Open the website or app you want to sign in to and find the login page or screen.</li> <li>1Password will automatically offer to use your saved passkey. If you have more than one passkey for the website or app, they will appear as a list.</li> </ul> <img src='https://blog.1password.com/posts/2024/how-save-manage-share-passkeys-1password/passkey-sign-in.png' alt='A prompt by 1Password in the browser offering to sign in to Shopify using a saved passkey.' title='A prompt by 1Password in the browser offering to sign in to Shopify using a saved passkey.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>You might be wondering: In what scenarios would I have more than one passkey? Take Google as an example. You might have a few personal Gmail accounts – each of these can be secured with its own passkey. 
1Password shows all of your available passkeys at the sign-in page so you can pick the account you need at that moment.</p> <ul> <li>Select &lsquo;sign in&rsquo; next to the passkey you want to use, and 1Password will handle the rest.</li> </ul> <p>And that&rsquo;s it! You&rsquo;ve signed in to an account using a passkey.</p> <h2 id="how-to-manage-and-organize-passkeys-in-1password">How to manage and organize passkeys in 1Password</h2> <p>You&rsquo;ll want to make sure your passkeys are organized in a way that makes the most sense to you. Generally, passkeys work just like any other item you&rsquo;ve saved in 1Password. That means you have plenty of options for creating a personalized system or two.</p> <h3 id="vaults">Vaults</h3> <p>You can think of <a href="https://support.1password.com/create-share-vaults/">vaults</a> like special folders. They can store multiple items, and you can create as many of them as you like. As we covered earlier, when you create a passkey, 1Password will ask which vault you want to save it in. You can then move the passkey to a different vault at any time by following these steps:</p> <ul> <li>Find the relevant item in 1Password.</li> </ul> <p><em>Remember: You may have updated an existing login item so it contains both a passkey and a traditional password.</em></p> <ul> <li>Select the three-dot icon in the top right-hand corner of the app.</li> <li>Choose &ldquo;move&rdquo;.</li> <li>Select the vault that you would like to move the passkey to.</li> </ul> <img src='https://blog.1password.com/posts/2024/how-save-manage-share-passkeys-1password/move-vault-1password.png' alt='Moving an item into a different vault in 1Password.' title='Moving an item into a different vault in 1Password.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>Why move a passkey? You might save a passkey in your default private vault, only to realize it&rsquo;s better placed in a different vault. 
For example, you may have a shared vault with some of your family members or coworkers. Or you might have a separate vault that contains items related to a side project or specific hobby that you&rsquo;re interested in.</p> <h3 id="tags">Tags</h3> <p>1Password lets you <a href="https://support.1password.com/favorites-tags/">tag</a> individual items with custom labels so they&rsquo;re easier to find. There are many different ways to use tags – check out <a href="https://www.reddit.com/r/1Password/comments/rvxlco/creative_uses_of_tags/">this Reddit thread</a> for inspiration – and don’t forget, you can assign more than one tag to each item.</p> <p>Tags make it simpler to find what you need in a flash. For example, you can search for a tag on any device. Alternatively, you can find your tags in the sidebar in 1Password for Windows, Mac, and Linux. (You can toggle this via Settings &gt; Appearance). Your tags are also listed in the Items section of 1Password for iOS and Android.</p> <img src='https://blog.1password.com/posts/2024/how-save-manage-share-passkeys-1password/tags-1password-mac.png' alt='A list of user-created tags in 1Password for Mac.' title='A list of user-created tags in 1Password for Mac.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>Here&rsquo;s how to add a tag to your passkeys:</p> <ul> <li>Find the relevant item in 1Password.</li> <li>Select &ldquo;edit&rdquo; in the top right-hand corner of the screen.</li> <li>Scroll to the bottom and choose &ldquo;add tag&rdquo;.</li> <li>Select one of your existing tags or create a new one.</li> <li>Select save.</li> </ul> <h3 id="notes">Notes</h3> <p>Sometimes you&rsquo;ll want to scribble a little note about one of your passkeys. 
For example, you might want to remind yourself that a certain passkey works on the company&rsquo;s website but not its iOS or Android apps yet.</p> <p>Follow these steps to add a note:</p> <ul> <li>Find the relevant item in 1Password.</li> <li>Select the &ldquo;edit&rdquo; option at the top of the screen.</li> <li>Scroll down to the notes section.</li> <li>Type out your note.</li> </ul> <img src='https://blog.1password.com/posts/2024/how-save-manage-share-passkeys-1password/note-tag-item.png' alt='Adding a note to an item in 1Password.' title='Adding a note to an item in 1Password.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <ul> <li>Select &ldquo;save&rdquo; at the top of the screen.</li> </ul> <h2 id="how-to-share-passkeys-using-1password">How to share passkeys using 1Password</h2> <p>With 1Password, you can share your saved passkeys using <strong>shared vaults</strong>. These are a great way to organize and share your items with other people who are covered by your <a href="https://1password.com/personal">1Password Families</a> membership or <a href="https://1password.com/business">1Password Business</a> account.</p> <p>You might want to share a vault that <em>only</em> contains passkeys, or a combination of item types – it&rsquo;s totally up to you, and what works best for your situation.</p> <p>Here are some instructions for creating and sharing a vault:</p> <h3 id="desktop">Desktop</h3> <ul> <li>Click &ldquo;+&rdquo; in the sidebar, above your list of vaults.</li> <li>Choose an icon, name, and description.</li> </ul> <img src='https://blog.1password.com/posts/2024/how-save-manage-share-passkeys-1password/create-vault-mac.png' alt='Creating a new vault in 1Password for Mac.' title='Creating a new vault in 1Password for Mac.' 
style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <ul> <li>Add one or more passkeys to the vault.</li> <li>Right-click the vault in the sidebar of 1Password.</li> <li>Choose &ldquo;Manage Access&rdquo;.</li> <li>Choose &ldquo;Add People&rdquo;.</li> <li>Select the people you want to share the vault with, then choose &ldquo;Next&rdquo;.</li> <li>Select &ldquo;Share&rdquo;.</li> </ul> <h3 id="mobile">Mobile</h3> <ul> <li>Select &ldquo;Items&rdquo; in the navigation bar.</li> <li>Select &ldquo;New Vault&rdquo;.</li> <li>Choose an icon, name, and description.</li> <li>Open the vault, add one or more passkeys, and then tap the three-dot icon.</li> <li>Choose &ldquo;Manage Access&rdquo;.</li> <li>Tap the &ldquo;+&rdquo; icon and select the people you want to share the vault with, then choose &ldquo;Next&rdquo;.</li> <li>Tap &ldquo;Share&rdquo;.</li> </ul> <p>There will be times when you want to share a passkey-protected account with someone who isn&rsquo;t part of your 1Password Families membership, or 1Password Business account.</p> <p>That&rsquo;s where <strong><a href="https://support.1password.com/guests/">guest accounts</a></strong> come in.</p> <p>As the name implies, these are helpful if you want to share access with a guest on a short-term basis. Guest accounts don&rsquo;t have their own private vaults – instead, they have access to a single shared vault, which you choose. You can set up that vault to contain one or more passkeys, along with any other relevant items.</p> <p>A 1Password Families membership or 1Password Teams account grants you up to five guest accounts. 1Password Business, meanwhile, includes up to 20 guests. 
You can also add extra guest accounts for an additional cost.</p> <h2 id="get-started-with-passkeys-in-1password">Get started with passkeys in 1Password</h2> <div style="text-align: center !important;"> <iframe src="https://www.youtube-nocookie.com/embed/DN3M5hx7_iA?si=uRX-xatfcaK4v7sA" frameborder="0" allow="autoplay; encrypted-media" width="500px !important;" height="281px !important;" style="width: 500px !important; height: 281px !important; display: inline-block !important" allowfullscreen></iframe> </div> <p>There&rsquo;s no better time to start using passkeys.</p> <p>The passwordless credential is simple to use and, thanks to <a href="https://blog.1password.com/what-is-public-key-cryptography/">public-key cryptography</a>, more secure than passwords because they can&rsquo;t be stolen in a data breach.</p> <p>If you haven&rsquo;t done so already, <a href="https://1password.com/downloads">download 1Password</a> on your devices and set up <a href="https://support.1password.com/getting-started-browser/">1Password in the browser</a>.</p> <p>Now you can start saving, using, managing, and sharing passkeys! We recommend that you regularly revisit <a href="https://watchtower.1password.com/">Watchtower</a> and our <a href="https://passkeys.directory/">passkeys directory</a> to discover new services that have added passkey support.</p> <p>Welcome to the passwordless future.</p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Subscribe to our passwordless newsletter</h3> <p class="c-call-to-action-box__text"> Get our latest passkey updates delivered right to your inbox, as well as guides, interviews, and other interesting articles about the next generation of sign-in technology. 
</p> <a href="https://1password.com/passwordless-news/" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Subscribe to Beyond Passwords </a> </div> </section></description></item><item><title>Now in beta: Create and unlock a 1Password account with a passkey</title><link>https://blog.1password.com/unlock-1password-individual-passkey-beta/</link><pubDate>Thu, 14 Dec 2023 00:00:00 +0000</pubDate><author>info@1password.com (Mitch Cohen)</author><guid>https://blog.1password.com/unlock-1password-individual-passkey-beta/</guid><description> <img src='https://blog.1password.com/posts/2023/unlock-1password-individual-passkey-beta/header.png' class='webfeedsFeaturedVisual' alt='Now in beta: Create and unlock a 1Password account with a passkey' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Ready to go truly passwordless? Starting today, anyone can join our public beta and create a new 1Password Individual account using a passkey.</p> <p>Choosing this passwordless sign-in method means you don’t have to memorize a <a href="https://blog.1password.com/toward-better-master-passwords/">1Password account password</a> or look after a <a href="https://blog.1password.com/what-the-secret-key-does/">Secret Key</a>. All you need is your passkey, which is both convenient and secure to use.</p> <p>This is a major milestone for 1Password. Earlier this summer, we <a href="https://blog.1password.com/unlock-passkey-private-beta/">launched a private beta</a> that allowed a small group of testers to try this new feature with a 1Password test account. A huge thank you to everyone who took part.</p> <p>Today we’re opening up the beta to everyone. A passkey is a fast and secure way of accessing everything stored in your password manager, and makes it even simpler to get things done throughout the day. 
We can’t wait for you to try it.</p> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div class="c-technical-aside-box__description"> <p>The ability to unlock 1Password with a passkey is currently for new accounts only. Next year, we’ll make this feature available to anyone with an existing 1Password account.</p> </div> </aside> <h2 id="what-is-a-passkey">What is a passkey?</h2> <p>Not sure <a href="https://blog.1password.com/what-are-passkeys/">what passkeys are, and how they work</a>? We’re here to help.</p> <p>Passkeys are the simpler and more secure successor to passwords. They’re a form of passwordless authentication that lets you sign in to accounts – including 1Password itself – without memorizing or typing anything in.</p> <p>Passkey support has already been added to many websites and apps, as well as all of the major operating systems from Apple, Google and Microsoft, and password managers like 1Password.</p> <p>Passkeys are simple to use, resistant to phishing (a passkey only ever answers the site it was created for, so a look-alike domain gets nothing), and can’t be stolen in a data breach, because the site never holds the secret half. They’re a win-win all round, basically.</p> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div class="c-technical-aside-box__description"> <p>Learn more about what passkeys are, and how they work, <a href="https://blog.1password.com/passkeys-faqs/">in our FAQs blog post</a>!</p> </div> </aside> <h2 id="how-a-passkey-secures-your-1password-account">How a passkey secures your 1Password account</h2> <p>Behind the scenes, passkeys rely on <a href="https://blog.1password.com/what-is-public-key-cryptography/">public-key cryptography</a>. That means every passkey consists of two parts: a private key and a public key.</p> <p>When you create a 1Password account with a passkey, the private key is never shared with 1Password. The public key is kept on our servers and used to verify your login attempts. Crucially, it’s useless without your corresponding private key: it can check a signature, but it can’t produce one. 
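
To make that split concrete, here is a small Go model of the exchange, added here as an illustration (it is not 1Password’s own code; the names NewPasskey, NewChallenge, Sign and Verify, the relying-party ID 1password.com and the ES256/P-256 signature choice are assumptions made for the example, and real WebAuthn wraps the challenge in authenticator data and client data, which this model reduces to a single hash). It goes a little beyond the paragraph above: the signed message binds the challenge to the relying party, which is where the phishing resistance comes from, and the demo tries the attacks the text alludes to (replaying a signature, a look-alike site asking for one, and a forgery attempted with a stolen public key):

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Registration is everything the relying party (the "server") keeps after a
// passkey is created: the credential's public key, scoped to one relying-party
// ID. There is deliberately no way to sign with it.
type Registration struct {
	RPID   string
	PubKey *ecdsa.PublicKey
}

// Passkey is the client-side half: the private key, held in the vault or
// authenticator and never sent anywhere. It is bound to the RPID it was
// created for.
type Passkey struct {
	RPID string
	priv *ecdsa.PrivateKey
}

// NewPasskey models registration: generate a P-256 key pair (ES256, the most
// common passkey algorithm), keep the private half, hand the server the public half.
func NewPasskey(rpID string) (*Passkey, *Registration, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Passkey{RPID: rpID, priv: priv},
		&Registration{RPID: rpID, PubKey: &priv.PublicKey}, nil
}

// NewChallenge is drawn fresh by the server for every sign-in, so a signature
// captured once cannot be replayed later.
func NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	return c, nil
}

// signedMessage binds the challenge to the relying-party ID. This is a
// simplification of WebAuthn, where the authenticator signs authenticatorData
// (which carries SHA-256(rpId)) together with the hash of the client data that
// holds the challenge.
func signedMessage(rpID string, challenge []byte) []byte {
	rpHash := sha256.Sum256([]byte(rpID))
	h := sha256.New()
	h.Write(rpHash[:])
	h.Write(challenge)
	return h.Sum(nil)
}

// Sign answers a challenge, but only for the relying party the passkey
// belongs to. A look-alike domain asking for a signature gets an error.
func (p *Passkey) Sign(rpID string, challenge []byte) ([]byte, error) {
	if rpID != p.RPID {
		return nil, errors.New("passkey is scoped to " + p.RPID + ", refusing to sign for " + rpID)
	}
	return ecdsa.SignASN1(rand.Reader, p.priv, signedMessage(rpID, challenge))
}

// Verify is the server's check: does the signature over (RPID, challenge)
// validate under the stored public key?
func (r *Registration) Verify(challenge, sig []byte) bool {
	return ecdsa.VerifyASN1(r.PubKey, signedMessage(r.RPID, challenge), sig)
}

func main() {
	passkey, stored, err := NewPasskey("1password.com")
	if err != nil {
		panic(err)
	}
	challenge, _ := NewChallenge()
	sig, _ := passkey.Sign("1password.com", challenge)
	fmt.Println("legitimate sign-in verifies:", stored.Verify(challenge, sig))

	// Replay: the same signature presented against the next challenge.
	next, _ := NewChallenge()
	fmt.Println("replayed signature verifies:", stored.Verify(next, sig))

	// Phishing: a look-alike site asks the passkey to answer its challenge.
	_, err = passkey.Sign("1password-login.example", challenge)
	fmt.Println("look-alike site obtained a signature:", err == nil)

	// Breach: an attacker who copied `stored` from the server holds only the
	// public key. The best they can do is sign with a key of their own.
	attacker, _, _ := NewPasskey("1password.com")
	forged, _ := attacker.Sign("1password.com", challenge)
	fmt.Println("forgery with stolen public key verifies:", stored.Verify(challenge, forged))
}
```

Run it with `go run .`; the four lines print true, false, false, false. The detail worth noticing is the type system: Registration carries a public key and no Sign method at all, so a copy of the server’s database hands an attacker a verifier, not a credential.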
So if an attacker somehow broke into our servers, they wouldn’t find everything required to sign in to your 1Password account.</p> <h2 id="passkey-security-vs-password-and-secret-key">Passkey security vs. password and Secret Key</h2> <p>1Password&rsquo;s <a href="https://support.1password.com/1password-security/">traditional security model</a> revolves around an account password and Secret Key. Your account password is chosen by you, and is never seen or stored by 1Password. It&rsquo;s combined with your Secret Key to create the full encryption key that secures your data.</p> <p>This approach has stood the test of time for a reason: it’s a great way to protect the data stored in your vaults. But passkeys are a <strong>more convenient</strong> and <strong><a href="https://blog.1password.com/passkey-secret-key-account-security/">equally secure</a></strong> solution.</p> <p>If you want to learn more, you can read <a href="https://blog.1password.com/passkey-secret-key-account-security/">a full explanation in this blog post</a>.</p> <h2 id="how-to-unlock-1password-with-a-passkey">How to unlock 1Password with a passkey</h2> <img src="https://blog.1password.com/posts/2023/unlock-1password-individual-passkey-beta/passkeyunlockpublicbeta.png" alt="Three devices showing the option to sign in to 1Password with a passkey." title="Three devices showing the option to sign in to 1Password with a passkey." class="c-featured-image"/> <p>New to 1Password, and want to go passwordless from the jump? 
If so, follow these steps:</p> <ul> <li>Download 1Password if you haven’t done so already.</li> <li>Use our <a href="https://1password.com/sign-up/passkey-preview">mobile</a> or <a href="https://start.1password.com/sign-up?c=NOPASSWORD">desktop</a> sign-up link to join the public beta.</li> <li>Start creating your new Individual account.</li> <li>When prompted, follow the instructions to create your passkey.</li> </ul> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div class="c-technical-aside-box__description"> <p>Visit <a href="https://support.1password.com/passkeys">our support site</a> for detailed instructions on how to create and unlock a 1Password account with a passkey!</p> </div> </aside> <p>Once you&rsquo;ve created a passkey, you can unlock 1Password by using biometrics or, as a fallback, the passcode that protects your device. You can then use your first device to set up more trusted devices with 1Password.</p> <h2 id="recovery-codes-a-safety-net-for-passkeys">Recovery codes: a safety net for passkeys</h2> <p>You might be asking yourself: “What happens if I lose my devices?”</p> <p>Unlocking 1Password with a passkey depends on you having access to at least one of your devices. So the more trusted devices you have, the safer you’ll be. Still, emergencies can happen and we believe you should always have access to your 1Password account.</p> <p>So we’ve added the ability to create an optional <strong>recovery code</strong>.</p> <p>You can generate a recovery code by signing in to your 1Password account on 1Password.com, clicking your name in the top right-hand corner, and choosing &ldquo;Authentication&rdquo;. 
You can save your code, print it, store it in a safe location, or even share it with someone you trust. Treat it the way you’d treat your Secret Key, though: anyone holding the code can sign in to your account, so it belongs in a safe or a sealed envelope, not in a screenshot.</p> <p>Recovery codes ensure you’ve always got a backup option to securely sign in to 1Password, even if you lose your passkey or all your trusted devices.</p> <p>Even so, the key to success with passkey unlock is setting up trusted devices. That way, you can quickly and conveniently unlock 1Password wherever you are, on Mac, iOS, iPadOS, Windows, and Android. You can also unlock 1Password with a passkey in our web app and browser extension, which is available for Chrome, Firefox, Edge, Brave, and Safari.</p> <aside class="c-technical-aside-box c-technical-aside-box--background" aria-labelledby="sign-in-to-apps-and-websites-with-passkeys-using-1password"> <h2 class="c-technical-aside-box__title" id="sign-in-to-apps-and-websites-with-passkeys-using-1password"> Sign in to apps and websites with passkeys using 1Password </h2> <div class="c-technical-aside-box__description"> <p>We <a href="https://blog.1password.com/1password-is-joining-the-fido-alliance/">joined the FIDO Alliance</a> last year and since then we’ve been hard at work bringing passkey support to 1Password.</p> <p>You can already <a href="https://support.1password.com/save-use-passkeys/">save and sign in with passkeys</a> using the <a href="https://1password.com/downloads/browser-extension/">desktop version of 1Password in the browser</a>, as well as devices running <a href="https://1password.com/downloads/ios/">iOS 17 and iPadOS 17</a>. It works on an ever-increasing number of apps and websites including GitHub, Shopify, and WhatsApp. 
You can also use 1Password on any device to view, organize, and share your passkey logins.</p> <p>Open Watchtower in 1Password or browse our online <a href="https://passkeys.directory/">passkeys directory</a> to learn where you can start using passkeys.</p> </div> </aside> <h2 id="download-and-unlock-1password-with-a-passkey-today">Download and unlock 1Password with a passkey today</h2> <p>We’re excited for people to start securing their 1Password accounts with a passkey.</p> <p>If you want to get involved, download 1Password and join our public beta. Creating a 1Password account via our new public beta will grant you an extended free trial that lasts for the duration of the beta.</p> <p>We can’t wait to share when anyone with an existing 1Password account – whether they use it at work, in their personal life, or both – is able to try this new feature too.</p> <p>To learn more about passkeys, check out:</p> <ul> <li>The <a href="https://1password.com/product/passkeys">passkeys page</a> on our website</li> <li>Our <a href="https://1password.com/passwordless-news/">passwordless newsletter</a></li> <li>Our community-driven <a href="https://passkeys.directory/">passkeys directory</a></li> </ul> <div class="c-call-to-action"> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Join our public beta on a desktop device</h3> <p class="c-call-to-action-box__text"> On a desktop device right now? Click the button below to join our public beta and create a new 1Password Individual account with a passkey. 
</p> <a href="https://start.1password.com/sign-up?c=NOPASSWORD" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Join our public beta </a> </div> </section> <section class="c-call-to-action-box c-call-to-action-box--purple"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Join our public beta on a mobile device</h3> <p class="c-call-to-action-box__text"> On a mobile device right now? Click the button below to join our public beta and create a new 1Password Individual account with a passkey. </p> <a href="https://1password.com/sign-up/passkey-preview" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--purple" data-event-category="CTA" data-event-action="call-to-action-button"> Join our public beta </a> </div> </section> </div></description></item><item><title>New in 1Password Business: Help separate work and personal information with approved item domains</title><link>https://blog.1password.com/email-domain-policy/</link><pubDate>Wed, 13 Dec 2023 00:00:00 +0000</pubDate><author>info@1password.com (Skylar Nagao)</author><guid>https://blog.1password.com/email-domain-policy/</guid><description> <img src='https://blog.1password.com/posts/2023/email-domain-policy/header.png' class='webfeedsFeaturedVisual' alt='New in 1Password Business: Help separate work and personal information with approved item domains' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Personal information stored in business-owned accounts is a risk, especially when it contains vulnerabilities like weak or reused passwords.</p> <p>Separation of work and personal information is critical for companies – and for employees. 
This is precisely why every 1Password Business implementation includes access to <a href="https://support.1password.com/link-family/">free 1Password Families memberships</a> for employees’ personal use.</p> <p><strong>Employers never have visibility or access to anything stored in a 1Password Individual or Families account – and neither does 1Password.</strong></p> <p>This separation helps foster the ideal security culture: work information in 1Password Business accounts; personal information in 1Password Individual or Families accounts. Aside from security best practices, no one wants to change jobs and lose access to their personal email because the credentials were mistakenly stored in a work account.</p> <p>In July, we released a feature for all 1Password accounts to help <a href="https://blog.1password.com/new-features-unlocked-summer-2023/">keep work and personal information separate right from the start</a> – when you save a new item to 1Password.</p> <p>Today, we&rsquo;re giving 1Password Business admins a new, optional policy that works in a very similar way.</p> <p>1Password Business admins can now create a custom list of approved email domains for items. If the policy is enabled, the username field of newly saved items will be checked against the list of company-wide approved domains. 
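
As an added example (not 1Password’s code, and not its export or CLI format), here is the check that policy performs, written in Go over a constructed list of items. The JSON layout, the field names and the functions Domain, Approved, Flag and AuditJSON are assumptions made for the illustration. It also settles two cases the announcement doesn’t spell out, and says so in comments: matching is case-insensitive but exact (a subdomain of an approved domain is not treated as approved), and a username that isn’t an email address is left alone because there is no domain to compare:

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Item is the handful of fields the audit needs. This JSON layout is a
// constructed stand-in for illustration, not 1Password's export or CLI format.
type Item struct {
	Title    string `json:"title"`
	Vault    string `json:"vault"`
	Username string `json:"username"`
}

// Policy is the admin's list of approved email domains. An empty list means
// the policy is switched off, mirroring "leave the list blank to opt out".
type Policy struct {
	ApprovedDomains []string
}

// Domain returns the lower-cased domain of an email-style username, or ""
// when the username is not an email address (a plain handle such as "admin").
func Domain(username string) string {
	u := strings.TrimSpace(username)
	at := strings.LastIndex(u, "@")
	if at == -1 || at == len(u)-1 {
		return ""
	}
	return strings.ToLower(u[at+1:])
}

// Approved reports whether a username passes the policy. Matching is exact
// and case-insensitive; subdomains of an approved domain are NOT approved
// (an assumption made here, not something the announcement specifies).
// Non-email usernames pass, since there is no domain to compare.
func (p Policy) Approved(username string) bool {
	if len(p.ApprovedDomains) == 0 {
		return true
	}
	d := Domain(username)
	if d == "" {
		return true
	}
	for _, a := range p.ApprovedDomains {
		if strings.EqualFold(strings.TrimSpace(a), d) {
			return true
		}
	}
	return false
}

// Flag returns the items that fail the policy: the set an admin would see
// counted under the Watchtower report's "Issues" category.
func (p Policy) Flag(items []Item) []Item {
	var out []Item
	for _, it := range items {
		if !p.Approved(it.Username) {
			out = append(out, it)
		}
	}
	return out
}

// AuditJSON parses an item list and returns the flagged items.
func AuditJSON(p Policy, data []byte) ([]Item, error) {
	var items []Item
	if err := json.Unmarshal(data, &items); err != nil {
		return nil, err
	}
	return p.Flag(items), nil
}

// sampleItems is constructed test data: one work account holding a mix of
// work and personal logins.
const sampleItems = `[
  {"title": "Jira",         "vault": "Engineering", "username": "ana@mycompany.com"},
  {"title": "Gmail",        "vault": "Private",     "username": "Ana.Lopez@gmail.com"},
  {"title": "AWS root",     "vault": "Infra",       "username": "ops@MyCompany.COM"},
  {"title": "Office Wi-Fi", "vault": "Office",      "username": "admin"},
  {"title": "Spotify",      "vault": "Private",     "username": "ana@outlook.com"}
]`

func main() {
	policy := Policy{ApprovedDomains: []string{"mycompany.com"}}
	flagged, err := AuditJSON(policy, []byte(sampleItems))
	if err != nil {
		panic(err)
	}
	fmt.Printf("%d item(s) look like they belong in a personal account:\n", len(flagged))
	for _, it := range flagged {
		fmt.Printf("  %-8s (vault %q) username %s\n", it.Title, it.Vault, it.Username)
	}
}
```

With the sample data and mycompany.com as the only approved domain, the audit flags Gmail and Spotify, lets the mixed-case ops@MyCompany.COM through, and ignores the Wi-Fi item because "admin" has no domain to compare.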
Cross-referencing usernames with the list of approved domains will help flag items saved in work accounts that might belong in a personal account.</p> <h2 id="helping-1password-business-admins-keep-personal-information-out-of-work-accounts">Helping 1Password Business admins keep personal information out of work accounts</h2> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div class="c-technical-aside-box__description"> <p>For simplicity, let&rsquo;s call the 1Password Business account a work account, and the 1Password Individual or Families account the personal account.</p> </div> </aside> <p>Here&rsquo;s how the new email domains for items policy works. Let&rsquo;s say I’m a 1Password Business admin and I add only one domain to the list of approved email domains: mycompany.com.</p> <p>That means gmail.com <em>isn&rsquo;t</em> an approved email domain. Now let&rsquo;s suppose one of my team members saves a new item to their work account. If the username field for that new item is <a href="mailto:myemail@mycompany.com">myemail@mycompany.com</a>, nothing will happen.</p> <p>But if the username field for that item is <a href="mailto:myemail@gmail.com">myemail@gmail.com</a>, 1Password will suggest that the team member move the item to a personal account.</p> <img src='https://blog.1password.com/posts/2023/email-domain-policy/saving_personal_items.png' alt='Save item dialog in 1Password. The username contains a personal email address, so a message at the bottom of the window suggests moving the item to a personal account.' title='Save item dialog in 1Password. The username contains a personal email address, so a message at the bottom of the window suggests moving the item to a personal account.' 
style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <h2 id="how-to-create-a-list-of-approved-item-domains-for-your-team">How to create a list of approved item domains for your team</h2> <p>To create a list of approved email domains for items, navigate to the sidebar and select <strong>Policies</strong> &gt; <strong>App Usage</strong>. To enable the policy, enter your list of approved email domains. To remain opted out of the policy, simply leave the list blank.</p> <img src="https://blog.1password.com/posts/2023/email-domain-policy/approved_email_domain_policy.png" alt="Email domains for items policy in 1Password Business, with a list of approved domains." title="Email domains for items policy in 1Password Business, with a list of approved domains." class="c-featured-image"/> <p>When the policy is enabled, admins will see a new &ldquo;Issues&rdquo; category in the <a href="https://support.1password.com/reports/#create-a-business-watchtower-report">Business Watchtower Report</a>. This number is a tally of items across your team that include a username that doesn’t match the list of approved domains. If the count is high, it might be time to send a reminder to employees to claim their free Families membership, and to move personal items out of their work accounts.</p> <img src="https://blog.1password.com/posts/2023/email-domain-policy/watchtower_items_in_wrong_account.png" alt="1Password Business Watchtower Report, with a filter for items in the wrong account selected." title="1Password Business Watchtower Report, with a filter for items in the wrong account selected." class="c-featured-image"/> <h2 id="how-to-help-team-members-redeem-their-free-1password-families-account">How to help team members redeem their free 1Password Families account</h2> <p>Team members may not always be aware that they have access to a free 1Password Families membership. 
If that’s the case, we recommend distributing both the <a href="https://support.1password.com/link-family/">support article</a> and the <a href="https://vimeo.com/showcase/10590688/video/855116093">walkthrough video</a>. Both include instructions on how to redeem their free membership, or to link an existing account.</p> <p>Here&rsquo;s a quick reminder of what team members get with their free Families account:</p> <ul> <li>A free Families membership for up to 5 family members, with the option to add more members for $1 per user per month.</li> <li>A private vault for each family member, and a shared vault for anything the whole family needs access to.</li> <li><a href="https://support.1password.com/share-items/">Secure item sharing</a>, for anything that needs to be shared on an individual, temporary basis. Think sharing the Wi-Fi password with the visiting in-laws, or sharing the gate code with your Airbnb guest. Note: You can share items with anyone, even if they don&rsquo;t use 1Password.</li> <li>The ability to designate a family member as a <a href="https://support.1password.com/family-organizer/">family organizer</a>. Organizers get an easy-to-use dashboard to manage the account and the resources each family member has access to.</li> </ul> <h2 id="stay-tuned-for-more-policy-customization-options">Stay tuned for more policy customization options</h2> <p>Approved email domains is just the latest addition to <a href="https://blog.1password.com/policies-update/">customizable policies</a> that help give you more control and visibility into your 1Password Business account. Policies help you adapt 1Password to your security strategy to easily govern how and where employees use 1Password. 
More options are coming, so stay tuned.</p></description></item><item><title>Will quantum computers break your passkeys?</title><link>https://blog.1password.com/passkeys-quantum-computers-encryption/</link><pubDate>Fri, 01 Dec 2023 00:00:00 +0000</pubDate><author>info@1password.com (Megan Barker)</author><guid>https://blog.1password.com/passkeys-quantum-computers-encryption/</guid><description> <img src='https://blog.1password.com/posts/2023/passkeys-quantum-computers-encryption/header.png' class='webfeedsFeaturedVisual' alt='Will quantum computers break your passkeys?' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Passkeys have been publicly available for roughly a year. Engineered for security and phishing protection, this new form of passwordless authentication is still in the headlines — now under scrutiny.</p> <p>Some in the industry have questioned the longevity of passkey technology; specifically, how vulnerable they might be in a world where quantum computing is the norm. Many are questioning whether passkeys will remain a formidable force for decades or be rendered a liability faster than you can say “asymmetric cryptography.”</p> <p>We feel pretty strongly about <a href="https://1password.com/product/passkeys">passkeys around here</a>, so this topic begs to be explored and I’m thrilled you’re joining us for the journey. We have a jam-packed itinerary today: establishing a few fundamentals, traveling through time (no big deal), and uncovering some missing pieces before we arrive at a conclusion.</p> <p>Are passkeys built to succeed in a world of quantum computing or doomed to fail?</p> <p>Let’s find out.</p> <h2 id="built-to-win">Built to win</h2> <p><a href="https://blog.1password.com/what-are-passkeys/">Passkeys</a> allow you to access your accounts and data without a traditional plaintext password. 
Behind each individual passkey is actually a <em>pair</em> of keys: a public key and private key.</p> <p>The public key is just that — publicly available, and safe to share with websites and apps you want to sign in to. Its partner, the private key, is never shared with websites or apps and, in fact, never leaves your 1Password vault unless you choose to securely share a passkey with someone you trust. This security design is based on <a href="https://blog.1password.com/what-is-public-key-cryptography/">public key cryptography</a> and differs from the typical username-and-password credentials, <a href="https://blog.1password.com/passkeys-vs-passwords-differences/">which rely on a shared secret</a>.</p> <p>The long and short of it: Passkeys are among the few inherently secure login methods around. They’re also built for (and on) classic computers — the laptops, phones, and tablets you know and love; the ones you rely on every day.</p> <p>And worlds away from the computing and devices we’re accustomed to, you’ll find <a href="https://www.newscientist.com/question/what-is-a-quantum-computer/">quantum computers</a>.</p> <p>While quantum computers share some characteristics with classic ones – like algorithms, binary code and objects to encode it – they use quantum bits, or <em>qubits</em>, to process information. And that process is <em>very</em> different from the one that takes place on our everyday devices.</p> <p>Now I’ll do complete injustice to what is a deeply complex and utterly fascinating topic with a summary (for the sake of brevity).<sup id="fnref:1"><a href="#fn:1" class="footnote-ref" role="doc-noteref">1</a></sup></p> <p>Quantum technology capitalizes on subatomic particles and their unique ability to exist in more than one state at a time. When it comes to computing, this means the potential to store vast amounts of information and use minimal energy while doing so (apart from cooling costs, but that’s a tangent for another day). 
It also means <em>ridiculous</em> speed on the right problems: not a flat multiplier over today’s processors, but algorithms whose advantage over the best classical methods grows exponentially with the size of the input, given <em>certain</em> tasks. Factoring and discrete logarithms happen to be two of those tasks.</p> <p>Given such incredible and unprecedented power, the first commercial quantum computer <a href="https://phys.org/news/2011-06-d-wave-commercial-quantum.html">sold in 2011</a> for a reported $10 million USD. It was a behemoth of a machine (a quantum annealer, a different kind of device from the gate-based computer Shor’s algorithm needs) used for research and development on the limited number of problems the system was designed to address. But its buyer, Lockheed Martin, planned to build on the technology over time. Twelve years later, the price of such a machine has only <a href="https://thequantuminsider.com/2023/04/10/price-of-a-quantum-computer/">increased</a> thanks to inflation and technological advancements.</p> <p>But the ability to break otherwise-unbreakable classic cryptography is <strong>not</strong> among those technological advancements — and may not be as imminent as the hyperbole suggests.</p> <h2 id="leaps-and-bounds">Leaps and bounds</h2> <p>With that out of the way, perhaps your curiosity has shifted to the plausibility. And, to put it bluntly, how much time we have before today’s cybersecurity crashes and burns.</p> <p>Analyses and subsequent declarations of quantum’s dismantling of classic encryption (and there’s plenty) typically have something in common: <a href="https://en.wikipedia.org/wiki/Shor%27s_algorithm">Shor’s algorithm</a>.</p> <p>In 1994, Dr Peter Shor<sup id="fnref:2"><a href="#fn:2" class="footnote-ref" role="doc-noteref">2</a></sup> presented a quantum algorithm that solves the discrete logarithm problem in polynomial time, something no known classical algorithm can do (and the reason it matters for elliptic-curve cryptography, whose security rests on that very problem). 
The same period-finding technique, he showed, lets a (hypothetical) quantum computer solve <a href="https://www.cuemath.com/numbers/prime-factorization/">prime factorization</a> just as efficiently.</p> <p>That is a solution nobody outside a lab was asking for, because the <em>hardness</em> of prime factorization is exactly what many public-key cryptography systems<sup id="fnref:3"><a href="#fn:3" class="footnote-ref" role="doc-noteref">3</a></sup> rest on: we rely on it to <a href="https://www.scienceabc.com/innovation/how-are-prime-numbers-used-in-cryptography.html">encrypt</a> innumerable secrets every single day.</p> <p>In other words, when Shor proved quantum computers would have the ability to break large numbers into their prime factors much faster than classic computers, he proved quantum computers could weaken or break many of the encryption methods we use today.</p> <p>As for the timeline, just last year <a href="https://avs.scitation.org/doi/10.1116/5.0073075">researchers determined</a> that 13 x 10⁶ (13 million) physical qubits and an entire day are required to recover a 256-bit elliptic-curve (ECC) private key, and that figure already includes the overhead of quantum error correction. ECC, specifically the <a href="https://en.wikipedia.org/wiki/Elliptic_Curve_Digital_Signature_Algorithm">Elliptic Curve Digital Signature Algorithm (ECDSA)</a> over the P-256 curve (ES256, in WebAuthn terms), is the signature algorithm that goes to work for most passkeys every time you log in. And as of November 2023, the largest quantum processor IBM had unveiled, Osprey, had <a href="https://www.newscientist.com/article/2346074-ibm-unveils-worlds-largest-quantum-computer-at-433-qubits/">433 physical qubits</a>, and noisy ones at that.</p> <p>I’m no mathematician, but I believe 13,000,000 is significantly larger than 433; that tells me there’s work to be done before quantum technology can be used to decimate cybersecurity as we know it.</p> <p>What’s more, as time passed and we learned more about quantum technology and the requirements to break sophisticated classic encryption (i.e. 
a <em>ton</em> of logic gates are needed to tackle a 2048-bit RSA key), proclamations of doom have been hedged and softened by many, including <a href="https://news.mit.edu/2023/weird-weird-quantum-world-peter-shor-killian-lecture-0310">Dr Shor</a>.</p> <p>“Softened” is far from disproven, though; we have to consider broken encryption a real (future) possibility. So, let’s do that.</p> <p>Imagine your passkeys circa 2023 are being used in a world alongside a quantum computer that’s large enough (and of sufficient <a href="https://www.okta.com/identity-101/fault-tolerance/">fault tolerance</a>) to weaken/break classic crypto: a cryptographically relevant quantum computer (CRQC). Those passkey credentials and the accounts they protect would certainly be vulnerable in that <em>exact</em> world. Note what the attacker would actually need, though: the credential’s public key, which isn’t published anywhere but sits in the relying party’s database, and a live challenge to answer, because a passkey login is a fresh signature rather than stored ciphertext. The “harvest now, decrypt later” threat that makes encrypted traffic urgent doesn’t map onto passkeys in the same way.</p> <p>So, join me, friends, as I abandon passkeys; panic and live in fear!</p> <p>No, and definitely not. Because there’s a fairly relevant factor some of the folks tackling this issue fail to take into account: The entire hypothesis we’re addressing assumes quantum computing will evolve by leaps and bounds while passkeys remain completely <em>stagnant</em>.</p> <p>But as quantum computing grows teeth, post-quantum security does, too.</p> <h2 id="safe-and-sound">Safe and sound</h2> <p>Cyberattacks grow more sophisticated every day. That’s hardly news. But crypto-systems are designed with future advances in mind: being able to swap in a stronger algorithm is a design feature, not an afterthought. 
That means there’s a ton of work going into <em>thwarting</em> the malicious use of quantum power.</p> <p>Google has already shipped a quantum-resistant key exchange in Chrome, and NIST, an agency of the US government – the US government that reportedly earmarked $1.2 billion of its 2022 defense budget for post-quantum security development – has been running a multi-year <a href="https://csrc.nist.gov/news/2016/public-key-post-quantum-cryptographic-algorithms">project</a> to standardize quantum-resistant public-key algorithms, with the first draft standards published in 2023.</p> <p>And, what relies on public-key crypto? Passkeys.</p> <p>When they were released to the public in 2022, passkeys were a brand new method of passwordless authentication — let’s call them Passkeys v1.0. They have a lot of room (and time) to grow. It’s highly likely, if not inevitable, passkeys will evolve to be quantum safe. The WebAuthn protocol underneath them already lets a site list the signature algorithms it accepts, so adopting a post-quantum signature scheme is a matter of registering a new algorithm identifier and re-enrolling credentials, not redesigning passkeys from scratch.</p> <p>Which brings us to the other information some of these articles lack: There are different degrees of post-quantum resistance. In other words, an encryption protocol might be <em>less</em> than quantum safe and still be acceptable for use. Dubbed what I’ve decided is the best technological term coined in the 2000s, these protocols are considered <em>quantum annoying</em> (<a href="https://eprint.iacr.org/2021/696.pdf">seriously</a>).</p> <p>Quantum annoying, a property first defined for password-authenticated key exchange, describes a protocol that <em>can</em> be compromised by a quantum computer, but only by solving a separate hard problem (a discrete logarithm) for every password the attacker wants to test; the time and effort required makes it an unattractive and unrealistic target. Crypto-systems that meet this criterion will likely delay the dire need for quantum-safe encryption by a number of years, until quantum computing catches up. Which should provide the time we need to establish quantum-safe crypto.</p> <p>It may very well prove too expensive and unwieldy to build a quantum computer with a processor capable of cracking strong encryption methods we use today — at least for the foreseeable future. 
But beyond the foreseeable lies quantum computing that just may be able to break that one passkey you created in 2023 and somehow haven’t used or updated since.<sup id="fnref:4"><a href="#fn:4" class="footnote-ref" role="doc-noteref">4</a></sup></p> <p>Your passkeys are secure today (and will be tomorrow), and given the vast development potential of post-quantum security, they’ll likely evolve with that status intact.<sup id="fnref:5"><a href="#fn:5" class="footnote-ref" role="doc-noteref">5</a></sup></p> <section class="footnotes" role="doc-endnotes"> <hr> <ol> <li id="fn:1" role="doc-endnote"> <p>I very much encourage you to <del>fall down a few rabbit holes</del> /explore the topic on your own.&#160;<a href="#fnref:1" class="footnote-backref" role="doc-backlink">&#x21a9;&#xfe0e;</a></p> </li> <li id="fn:2" role="doc-endnote"> <p>Inspired by and building on decades of work by others: <a href="https://ep-news.web.cern.ch/content/interview-peter-shor">https://ep-news.web.cern.ch/content/interview-peter-shor</a>&#160;<a href="#fnref:2" class="footnote-backref" role="doc-backlink">&#x21a9;&#xfe0e;</a></p> </li> <li id="fn:3" role="doc-endnote"> <p>No, it&rsquo;s not that simple, and forgive me for entirely oversimplifying in the interest of brevity. Learn much more: <a href="https://www.livinginternet.com/i/is_crypt_pkc_work.htm">https://www.livinginternet.com/i/is_crypt_pkc_work.htm</a>&#160;<a href="#fnref:3" class="footnote-backref" role="doc-backlink">&#x21a9;&#xfe0e;</a></p> </li> <li id="fn:4" role="doc-endnote"> <p>This is a stretch for effect as passkeys are much simpler to update than passwords. As PQC becomes more mainstream, users may see prompts from their service to update their passkey. Just one click later and they will be PQ secure.&#160;<a href="#fnref:4" class="footnote-backref" role="doc-backlink">&#x21a9;&#xfe0e;</a></p> </li> <li id="fn:5" role="doc-endnote"> <p>A final disclaimer that we&rsquo;ve not even scratched the surface today. 
Grace and forgiveness are appreciated :)&#160;<a href="#fnref:5" class="footnote-backref" role="doc-backlink">&#x21a9;&#xfe0e;</a></p> </li> </ol> </section></description></item><item><title>Developer secrets keep leaking. Can we stop the flood?</title><link>https://blog.1password.com/exposed-developer-secrets-gitguardian/</link><pubDate>Wed, 29 Nov 2023 00:00:00 +0000</pubDate><author>info@1password.com (Andrew Stiefel)</author><guid>https://blog.1password.com/exposed-developer-secrets-gitguardian/</guid><description> <img src='https://blog.1password.com/posts/2023/exposed-developer-secrets-gitguardian/header.png' class='webfeedsFeaturedVisual' alt='Developer secrets keep leaking. Can we stop the flood?' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">A crisis has been quietly brewing behind the shiny facade of the latest software and technology. The problem: exposed developer credentials. What started as a slow leak has now become an impossible-to-ignore flood.</p> <p>These leaks, stemming from the accidental exposure of API keys, security tokens, and other credentials in code, have led to <a href="https://www.darkreading.com/application-security/inside-threat-developers-leaked-10m-credentials-passwords-2022">a surge in recent security incidents</a>. The technology industry has known about this issue for almost a decade, and <a href="https://www.nginx.com/blog/nginx-tutorial-securely-manage-secrets-containers/#challenge-2">there have been countless attempts</a> to solve it.</p> <p>But <a href="https://arstechnica.com/security/2023/11/developers-cant-seem-to-stop-exposing-credentials-in-publicly-accessible-code/">a recent report by <em>Ars Technica</em></a> underscores just how severe the issue has become. 
It reveals that even the most sophisticated and security-conscious engineering organizations are not immune to lapses, indicating that more work needs to be done to reverse the trend.</p> <h2 id="almost-4000-leaked-secrets-discovered">Almost 4,000 leaked secrets discovered</h2> <p>The <em>Ars Technica</em> story centers on <a href="https://blog.gitguardian.com/uncovering-thousands-of-unique-secrets-in-pypi-packages/">a study by GitGuardian</a> that looked at exposed secrets in just one popular open source package index used by developers, PyPI. The results provide a rare look into the scale of the problem today. In total, the report found:</p> <ul> <li>3,938 unique secrets exposed across all projects.</li> <li>768 of those unique secrets were still valid and in active use at the time of the study.</li> <li>2,922 projects contained at least one unique exposed secret.</li> </ul> <p>Any exposed credential is a problem: it hands an attacker the same access the credential grants its legitimate holder, much like an exposed password. But many of the secrets discovered in this report were especially concerning given the broad degree of access they provide. Here are some examples of the exposed secrets that GitGuardian discovered:</p> <ul> <li>Azure Active Directory API Keys</li> <li>GitHub OAuth App Keys</li> <li>Database credentials for MongoDB, MySQL, and PostgreSQL</li> <li>SSH Credentials</li> <li>Twilio Master Credentials</li> </ul> <p>The problem seems to be growing. GitGuardian found that over 1,000 unique secrets have been exposed via new projects and commits in the last year alone. The ongoing proliferation of exposed credentials serves as a stark reminder that industry practices need to change, and fast.</p> <h2 id="are-developers-to-blame">Are developers to blame?</h2> <p>It’s tempting to blame the problem on immature coding practices, as the <em>Ars Technica</em> story does. 
After all, shouldn&rsquo;t developers know better than to use plaintext secrets in their code?</p> <p>But complexity is the real culprit.</p> <p>Most engineering teams are under immense pressure to deliver projects on a strict schedule. To make matters worse, they often have to use tools that lack sensible defaults or simple workflows. These two factors often lead to mistakes. Small errors like setting a private repo as public, pushing internal packages public, or forgetting to add a file to .gitignore can result in secrets getting exposed.</p> <p>One <a href="https://www.freecodecamp.org/news/heres-how-you-can-actually-use-node-environment-variables-8fdf98f53a0a/">often-repeated solution</a> is to use a .env file stored separately from the shared code repository. This is a simple text file used to store variables, such as API keys and database passwords, which are programmatically loaded into an application&rsquo;s environment at runtime.</p> <p>But .env files come with their own security risks and challenges, including:</p> <ul> <li> <p><strong>Lack of encryption.</strong> The contents of the file are typically stored in plaintext, which means the information is immediately readable if accessed by an attacker.</p> </li> <li> <p><strong>Exposure on local disks.</strong> Attackers can access these files if they gain access to a developer&rsquo;s machine, giving them full access to development and production secrets.</p> </li> <li> <p><strong>Easily committed.</strong> .env files have no protections if they are accidentally committed with other files to a shared public code repository (for example, when building a package).</p> </li> </ul> <p>It&rsquo;s clear .env files have implications for security, but what about their impact on team productivity?</p> <blockquote> <p><em>Help! I&rsquo;m in environment variable hell trying to keep prod, preprod, ci and dev environment variables up to date in my #Django #python #docker_compose app. Any advice? 
Symptoms include broken deployments, failed ci runs, broken dev environments&hellip;</em> <a href="https://hachyderm.io/@graham_knapp/111448943729346079">@graham_knapp@hachyderm.io</a></p> </blockquote> <p>The constant headache of manually configuring .env files has mostly been normalized and is considered accepted complexity by developers. For them, it’s just an assumed cost of modern software development. It’s a problem that will be familiar to engineering teams, who are often forced to pick between speed and security. The future has to be both: how can developers hit their deadlines and ship great code while also being secure?</p> <h2 id="security-must-be-easy-and-fast">Security must be easy and fast</h2> <p>Security and engineering leaders need to encourage their organizations to hit pause and consider the culture, tools and workflows required to secure their developer secrets. We’ve all seen in the news that a huge leak <a href="https://www.securityweek.com/sourcegraph-discloses-data-breach-following-access-token-leak/">can have massive financial ramifications</a>. So it&rsquo;s better to take a long-term view and do the right thing now, rather than ignoring the issue and letting the inevitable (hack) happen.</p> <p>Wondering where to start? The best and least expensive time to catch secrets is before the code is ever committed to a shared repository. Developers should be equipped with processes and tools that integrate security into the software development lifecycle from line 1.</p> <p>But it’s also critical to provide solutions that are simple and easy to use. 
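The pre-commit check argued for above, catching a secret before it reaches a shared repository and treating a reference to encrypted storage as the acceptable replacement for a plaintext value, as an added example that is not part of the original post or of any 1Password tool. It combines known-format signatures, a check for passwords embedded in connection URLs, an entropy score for settings whose name suggests a secret, and a check that .env is covered by .gitignore. The sample files, the 4.0 bits-per-character threshold, the op:// and ${VAR} reference forms, and the signature list are all my assumptions; the AWS values are the placeholder credentials AWS uses in its own documentation and the GitHub token is a made-up string in the ghp_ format.

```python
"""Pre-commit secret scan over file contents (added example, not 1Password code)."""
import math
import re
from collections import Counter

# Signatures for credential formats with a recognisable shape. The AWS and
# GitHub prefixes are the publicly documented ones; this set is a starting
# point, not a complete catalogue.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----"),
    # user:password@host inside a connection URL
    "url_embedded_password": re.compile(r"://[^/\s:@]+:[^@\s]+@"),
}

# Generic KEY=value / key: value where the name suggests a secret; catches
# formats the signatures above do not know about.
ASSIGNMENT = re.compile(
    r"(?i)\b([A-Z0-9_]*(?:secret|password|passwd|token|api_?key)[A-Z0-9_]*)"
    r"\s*[=:]\s*['\"]?([^'\"\s]{8,})"
)

# Values that point at a secret held elsewhere rather than containing it.
# Assumed conventions: op:// secret references and ${VAR} placeholders.
REFERENCE_PREFIXES = ("op://", "${")


def shannon_entropy(value: str) -> float:
    """Bits per character: random tokens score far above words or identifiers."""
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in Counter(value).values())


def scan_text(text: str, path: str = "<stdin>", entropy_threshold: float = 4.0) -> list:
    """Return one dict per suspected secret found in `text`."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        matched = []
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                findings.append({"path": path, "line": lineno, "kind": kind, "match": m.group(0)})
                matched.append(m.group(0))
        for m in ASSIGNMENT.finditer(line):
            key, value = m.group(1), m.group(2)
            if value.startswith(REFERENCE_PREFIXES):
                continue  # a reference, not a secret: this is the state we want
            if any(value in s or s in value for s in matched):
                continue  # already reported by a signature above
            if shannon_entropy(value) >= entropy_threshold:
                findings.append({"path": path, "line": lineno, "kind": "high_entropy_assignment",
                                 "key": key, "match": value})
    return findings


def env_is_ignored(gitignore_text: str) -> bool:
    """True if the .gitignore keeps a top-level .env file out of commits."""
    rules = (r.strip() for r in gitignore_text.splitlines())
    return any(r.lstrip("/") in (".env", ".env*") for r in rules if r and not r.startswith("#"))


def check_files(files: dict, gitignore_text: str) -> tuple:
    """Scan {path: contents}; returns (findings, exit_code) in pre-commit style."""
    findings = [f for path, text in files.items() for f in scan_text(text, path)]
    if not env_is_ignored(gitignore_text):
        findings.append({"path": ".gitignore", "line": 0, "kind": "env_not_ignored", "match": ".env"})
    return findings, (1 if findings else 0)


# Constructed sample inputs. The AWS values are the placeholder credentials AWS
# uses in its own documentation; the GitHub token is a made-up string in the
# ghp_ format. None of them is a real credential.
SAMPLE_ENV = """DATABASE_URL=postgres://app:hunter2@db.internal:5432/app
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
API_TOKEN=op://Engineering/payments-api/credential
DEBUG=true
"""
SAMPLE_SOURCE = '''GITHUB_TOKEN = "ghp_0123456789abcdefghijklmnopqrstuvwxyz"
SESSION_SECRET = os.environ["SESSION_SECRET"]
'''
SAMPLE_GITIGNORE = "node_modules/\n__pycache__/\n"

if __name__ == "__main__":
    found, code = check_files({".env": SAMPLE_ENV, "app/config.py": SAMPLE_SOURCE}, SAMPLE_GITIGNORE)
    for f in found:
        print(f"{f['path']}:{f['line']}: {f['kind']}")
    raise SystemExit(code)
```

Wired into a pre-commit hook over the staged files, a non-zero exit blocks the commit. The reference line (API_TOKEN=op://...) passes, the line that reads the value from the process environment passes, and the three plaintext values plus the missing .gitignore rule fail; the entropy threshold is the knob to tune against your own code base, since identifiers with mixed case and punctuation can score surprisingly high.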
User experience (UX) design emerged as a common discipline at software companies by the early 2000s, but only recently has a similar focus on developer experience <a href="https://blog.1password.com/developers-deserve-great-ux/">started to gain traction</a>.</p> <p>Working with secrets should be nearly effortless for developers: find them, replace them with a reference, save them into encrypted storage, and inject them into production. Too many tools are the opposite, and require developers to run local vault servers or to shuffle around .env files.</p> <h2 id="summary">Summary</h2> <p>Our industry has a choice. We can choose to stem the flood of developer secrets leaking into open source and enterprise code repositories. Or we can choose to tolerate the problem for another decade.</p> <p>I know which option I would pick. Developers should be able to work securely and efficiently without interrupting their workflows. Let’s work together and make that happen for them.</p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Secure your engineering team with 1Password Developer Tools</h3> <p class="c-call-to-action-box__text"> Keep your team safe without slowing them down. Keep secrets out of code and securely run in production with 1Password Developer Tools. 
</p> <a href="https://developers.1password.com" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Explore the documentation </a> </div> </section></description></item><item><title>How to ensure everyone’s voice is heard in a virtual meeting</title><link>https://blog.1password.com/how-run-virtual-meetings-voices-heard/</link><pubDate>Tue, 28 Nov 2023 00:00:00 +0000</pubDate><author>info@1password.com (Desirée McConnell &amp; Elizabeth Tam)</author><guid>https://blog.1password.com/how-run-virtual-meetings-voices-heard/</guid><description> <img src='https://blog.1password.com/posts/2023/how-run-virtual-meeting-voices-heard/header.png' class='webfeedsFeaturedVisual' alt='How to ensure everyone’s voice is heard in a virtual meeting' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Virtual meetings are critically important for any company that’s embraced remote or hybrid work.</p> <p>Ensuring these spaces are inclusive not only leads to stronger team morale, but also to better communication and more innovative outcomes. Ultimately, enabling more perspectives and contributions from your team members will result in better products.</p> <p>But how do you do this? We’re glad you asked. Here at 1Password, creating an inclusive culture is a big part of how we do our work. Our team has accomplished a lot this year, which couldn’t have been possible without fostering an environment where everyone’s voice can be heard.</p> <p>Employees at 1Password are encouraged to think about and use the following principles during their meetings:</p> <ol> <li>Take space and make space</li> <li>Embrace discomfort</li> <li>One voice at a time</li> </ol> <p>As a team that’s been remote-first since day one, we’re no stranger to searching for the best ways to work together online. 
Here are some tips we’ve gathered about creating inclusive, effective virtual meetings.</p> <h2 id="pre-meeting-preparation">Pre-meeting preparation</h2> <p><strong>Send an agenda along with any relevant resources or documents.</strong> If you set clear objectives and share all the necessary background information, people will feel more up to speed and confident in their ability to contribute.</p> <p><strong>Provide a place for team members to send questions in advance.</strong> Anyone who is hesitant to share their thoughts live will be more likely to add their perspective. This is one way you can <em>make space</em> for everyone to contribute to the discussion.</p> <p><strong>Enable and draw attention to available accessibility tools.</strong> For example, <a href="https://support.zoom.com/hc/en/article?id=zm_kb&amp;sysparm_article=KB0058810">turn on your video-calling app’s automated caption settings</a> and call out how to access the feature at the beginning of a meeting. This way, attendees relying on closed captions, including those who are deaf or hard of hearing, can easily use the feature.</p> <p><strong>Be clear about who needs to attend the meeting.</strong> When you send out a meeting invite, explain who <em>must</em> attend, and who are considered ‘optional’. The latter can decide whether their voice needs to be heard – or if they can make space for someone else and simply stay informed via the meeting recording or notes.</p> <p>Additionally, be sure to check teammates’ time zones and working hours when you schedule meetings with them. This will enable your colleagues to balance work with any caretaking responsibilities, appointments, or additional priorities.</p> <p><strong>Clarify whether the meeting will be recorded and where it will be distributed.</strong> Attendees will feel more comfortable if they know where and how their contributions on the call will be shared with other people. 
Plus, those who miss the meeting due to conflicting priorities will be able to catch up and stay involved in the discussion.</p> <h2 id="creating-a-welcoming-environment">Creating a welcoming environment</h2> <p><strong>Ensure the host knows their pivotal role in setting the tone.</strong> The host of the meeting has a responsibility to create a calm and welcoming environment. Depending on the meeting&rsquo;s size and the participants' familiarity with one another, you might want to begin by introducing everyone.</p> <p>If you do this, the host should prompt everyone to share their names, roles, pronouns and <a href="https://disabilityphilanthropy.org/resource/how-to-make-accessible-inclusive-self-introductions/">visual introductions</a> (when needed). This will ensure that participants understand how to address one another and why everyone has been invited to attend the meeting.</p> <p><strong>Explore the possibility of rotating hosts for regular meetings.</strong> Sharing this opportunity with your team will give everyone a chance to direct the proceedings and take on the lead role in facilitating conversation. Embracing this rotation might offer some the chance to step into the discomfort of a new role, nurturing personal growth, while also allowing for the emergence of new perspectives and communication styles within the team.</p> <p><strong>Welcome diverse engagement styles during the meeting.</strong> Some people may prefer using the chat function over speaking. That could be due to public speaking hesitations, concurrent caregiving responsibilities, or other reasons.</p> <p>Additionally, allow attendees to have their webcams off. The expectation of always being on video can create unnecessary pressure and make some people nervous. 
By accommodating various participation preferences, you’ll create a more comfortable and inclusive environment.</p> <h2 id="active-facilitation">Active facilitation</h2> <p><strong>Embrace the diversity of language skills within the group.</strong> With remote collaboration here to stay, many organizations (like 1Password!) are building teams globally. In this era of connectivity, you should be mindful that English isn’t everyone’s first language. It’s important to speak in layman’s terms so you don’t alienate anyone and to explain acronyms to groups who may not be familiar with them. A thoughtful approach to how we use our language ensures that communication remains accessible and inclusive for everyone.</p> <p><strong>Encourage dynamic discussion by asking open-ended questions.</strong> With this approach you can solicit input from everyone, creating an environment where participants feel comfortable sharing authentic thoughts and feedback. When ideas are shared, it’s also important to acknowledge and appreciate participants' input. These comments will encourage others to contribute and continue the free flow of ideas.</p> <p><strong>Don’t be afraid of silence.</strong> It gives more introspective people a chance to jump in and contribute their thoughts if they haven’t already. Instead of fearing silence, <em>embrace the discomfort</em> of these moments as a valuable pause for diverse voices to surface.</p> <p><strong>Acknowledge that there are inherent power dynamics.</strong> Meeting attendees will come from varying levels of the business, socioeconomic backgrounds, and underrepresented groups. 
Being mindful of these realities is crucial so you can <em>actively</em> create an inclusive environment where everyone feels truly welcome and able to contribute.</p> <h2 id="post-meeting-follow-up">Post-meeting follow-up</h2> <p><strong>Share a follow-up message that keeps everyone informed and aligned.</strong> The message should include key points and takeaways that emerged during the meeting. Sharing this will ensure that everyone is on the same page and has the same understanding of the discussion.</p> <p>Additionally, outline action items and those who are responsible. This will provide a roadmap for the team to move forward, ensuring accountability and progress towards shared goals.</p> <p><strong>Encourage feedback and reflections.</strong> Embrace a culture of continuous improvement by seeking feedback from attendees on how the meeting went. Recognize that diverse perspectives contribute to growth, and feedback is a valuable tool for refining processes and enhancing meeting outcomes.</p> <p><strong>Point attendees to a designated space for sharing feedback <em>and</em> reflections.</strong> Whether through a dedicated chat thread, the host&rsquo;s DMs, or a post-meeting survey, this specific space ensures that insights are captured and can drive future improvements.</p> <p>This dedicated space is also critically important for those who were unable to attend live. It gives them an opportunity to contribute to the discussions and decision-making that happened during the meeting. For example, a simple chat thread is a great way to maintain the sense of a &ldquo;live&rdquo; meeting in an asynchronous setting.</p> <p>Consider leaving the thread open for a defined timeframe, signifying the dynamic nature of the discussion before officially concluding the meeting. 
This approach not only captures diverse perspectives but also extends the collaborative spirit beyond the live session.</p> <h2 id="keep-refining-your-meetings">Keep refining your meetings</h2> <p>By actively taking steps like these to ensure everyone’s voice is heard before, during, and after a meeting, you empower all team members to do their best work.</p> <p>As an organization grows, clear company-wide guidelines can also help establish a sense of safety and equity across employees. Identify ways to share the guidelines, like uploading them to a platform such as Notion, and how to keep them top of mind, like making them a part of managers’ internal training. At 1Password, one way we spotlight our community guidelines is by introducing them at the start of every company-wide meeting hosted by the Diversity, Equity, Inclusion, and Belonging (DEIB) team.</p> <p>We hope that the tips we’ve shared resonate – whether they serve as reminders or new ways you can champion inclusivity. Try bringing some of them to your next virtual meeting for a more inclusive and productive team experience!</p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Learn more about 1Password&#39;s commitment to DEIB</h3> <p class="c-call-to-action-box__text"> Read more about how we committed to Diversity, Equity, Inclusion, and Belonging (DEIB) in 2023. </p> <a href="https://www.linkedin.com/feed/update/urn:li:activity:7125874506115514368/" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Read our DEIB report </a> </div> </section></description></item><item><title>Can a passenger hack an airplane? 
Ethical hacker Ken Munro has the answer</title><link>https://blog.1password.com/can-you-hack-plane-ken-munro-interview/</link><pubDate>Fri, 24 Nov 2023 00:00:00 +0000</pubDate><author>info@1password.com (Jenn Marshall)</author><guid>https://blog.1password.com/can-you-hack-plane-ken-munro-interview/</guid><description> <img src='https://blog.1password.com/posts/2023/can-you-hack-plane-ken-munro-interview/header.png' class='webfeedsFeaturedVisual' alt='Can a passenger hack an airplane? Ethical hacker Ken Munro has the answer' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Hollywood <a href="https://www.imdb.com/title/tt3997466/">would have us believe</a> that an airplane can be hacked by a tech-savvy passenger. But can they <em>really</em>? Ethical hacker <a href="https://twitter.com/TheKenMunroShow">Ken Munro</a> decided to dig into airplane security and answer some common movie questions, like ‘what can a hacker do from seat 23A?’</p> <p>Ken Munro’s company, Pen Test Partners, does cybersecurity consulting and testing for a variety of industries and organizations – everything from banking apps to railway infrastructure. The team of ethical hackers saw an opportunity to <a href="https://www.ibm.com/topics/penetration-testing">pen(etration) test</a> some decommissioned airplanes while passing by a plane graveyard.</p> <p>Michael “Roo” Fey, Head of User Lifecycle &amp; Growth at 1Password, spoke with Munro on the <a href="https://randombutmemorable.simplecast.com/">Random But Memorable</a> podcast to separate the movie myths from the real airplane threats. 
Read on for the interview highlights or <a href="https://randombutmemorable.simplecast.com/episodes/wrong-movie-airplane-tampering">listen to the full podcast episode</a>.</p> <div style="text-align: center !important;"> <iframe src="https://www.youtube-nocookie.com/embed/klVawPwfW4Q?si=q7uarEScBuHFOezy" frameborder="0" allow="autoplay; encrypted-media" width="500px !important;" height="281px !important;" style="width: 500px !important; height: 281px !important; display: inline-block !important" allowfullscreen></iframe> </div> <p><em>Editor’s note: This interview has been lightly edited for clarity and brevity. The views and opinions expressed by the interviewee don’t represent the opinions of 1Password.</em></p> <p><strong>Michael Fey: What comes to mind when you think about airplane security?</strong></p> <p><strong>Ken Munro:</strong> A lot of airplanes are retired super early. Several years earlier than expected. We thought we would have a little investigation and see if we could learn some new things.</p> <p>Back in the day, we would spend a lot of time looking at the Internet of Things (IoT). The great thing about IoT is that it’s really easy to research. You simply buy the device or appliance from Amazon or eBay. It&rsquo;s easy. It&rsquo;s accessible. The price points are low. The problem with airplanes is that you don&rsquo;t find them on eBay very often!</p> <blockquote> <p><em>&ldquo;The problem with pen testing airplanes is that you don&rsquo;t find them on eBay very often!&quot;</em></p> </blockquote> <p>For independent researchers, this makes the barrier to entry so big that it’s essentially insurmountable. But COVID changed that. I remember driving past an airplane boneyard that was full of planes. One of my colleagues said, “I wonder what&rsquo;s going to happen to those?”</p> <p>We bravely picked up the phone and asked the yard, “What happens next with those airplanes?” They said, “Well, we&rsquo;re backed up. 
We might take apart 10 or 12 airplanes each year and we&rsquo;ve got 50 sitting here. So it&rsquo;s going to take a while. But these planes flew in yesterday so they still work.”</p> <p>We said: “If we gave you some money for the fuel and got some ground power into them, could we come and learn how to hack them?” And to our surprise, they said yes!</p> <blockquote> <p><em>&ldquo;It was like a sandbox for us to learn and play in safely.&quot;</em></p> </blockquote> <p>A big challenge for researchers is that you should never tamper with an airplane that&rsquo;s going to fly again. And that was the great thing about these airplanes: they were going to be taken apart. It was like a sandbox for us to learn and play in safely. We found all sorts of interesting things.</p> <p><strong>MF: What mischief did you manage to get into in this very safe environment?</strong></p> <p><strong>KM:</strong> One big question is: Can a passenger hack the airplane from their seat? They can&rsquo;t.</p> <p>Most airplane manufacturers, unsurprisingly, are on it. They understand the threat from hackers. The airplane networks are very carefully segregated. You have a bit in the cabin that&rsquo;s called the Passenger Information Entertainment Services Domain. That’s completely isolated from what we call the Aircraft Control Domain, or ACD. That&rsquo;s the bit the pilots work on.</p> <p>That&rsquo;s not to say you can&rsquo;t hack <em>some</em> stuff on planes. Over a number of visits to different airplanes, we did find ways to compromise the in-flight entertainment systems. But one of the limitations of our research is that the airplanes that are being retired – they&rsquo;re the old ones. One of the systems we were working on was 27 years old. 
It was running Windows NT 4.0.</p> <blockquote> <p><em>&ldquo;That&rsquo;s not to say you can&rsquo;t hack some stuff on planes.&quot;</em></p> </blockquote> <p>The first challenge was trying to remember how the heck to compromise it, given that so many of the tools we use today have dependencies that simply aren&rsquo;t present on NT. It was a trip down memory lane.</p> <p>We had some fun exercises compromising the in-flight entertainment system. We were taking control and flashing up silly messages. But did it really matter? What&rsquo;s the worst that could happen? Bad press coverage?</p> <blockquote> <p><em>&ldquo;We had some fun exercises compromising the in-flight entertainment system. We were taking control and flashing up silly messages.&quot;</em></p> </blockquote> <p>Here’s a riskier situation. Do you remember back in the day when you would see the captain and the crew carrying great big black cases in the airport?</p> <p>Those contained the maps or charts. When you made an approach in certain conditions you needed to make sure you had the exact approach, or map if you like, showing how the instrument landing system worked. You had to have those. And you had to have them locally. You carried them around and they had to be updated every 30 days. It cost a fortune. And the cases were really heavy.</p> <p>To improve everything and make airlines more efficient, the concept of an electronic flight bag was brought in. So, pilots didn&rsquo;t have to carry paper charts around and they were easy to update. That is where we found some interesting issues.</p> <p><strong>MF: With the electronic flight bags?</strong></p> <p><strong>KM:</strong> Yes. Here’s an example. It might surprise you to know that airplanes don&rsquo;t often use full power. This is because aviation fuel is expensive, and we need to be super conscious of the environment. We don&rsquo;t want to burn more fuel than we need to. We also don’t want to wear down those incredibly expensive jet engines. 
It&rsquo;s actually quite rare for an airplane to use full power when it&rsquo;s taking off. Pilots do a calculation for how much power is needed to take off safely, and use their electronic flight bag to do that.</p> <p>One of the most important things is probably the weight of the airplane. Another is which way the wind is blowing. There’s also what we call the “pressure altitude” or the air pressure outside and the altitude of the runway. There&rsquo;s lots of other things that go into that calculation too. All of those calculations are done on a tablet. Can you see where I&rsquo;m going here?</p> <blockquote> <p><em>&ldquo;It&rsquo;s actually quite rare for an airplane to use full power when it&rsquo;s taking off.&quot;</em></p> </blockquote> <p>We started talking to pilots and airlines to understand how those tablets – and the apps on them – were secured. What we found was quite scary. For instance, if you&rsquo;ve got a smartphone and it&rsquo;s connected to your business systems, you would expect it to be pretty locked down. It&rsquo;s going to be protected by a good pin, a good password, or biometrics so that if you lose your phone, someone can&rsquo;t compromise your corporate systems.</p> <p>We were expecting these electronic flight bags, these tablets, to be locked down in a similar way. We were a bit surprised to find that security was operator-dependent and varied between airlines. Some of them had a really simple pin – something as simple as four zeros. Some of them had the pilot&rsquo;s birthdate as the pin, which obviously you can get from open sources.</p> <p>Some of them had no pin at all. We often found them not updated with critical security updates. We also discovered vulnerabilities in some of the apps, which meant if someone had compromised one of these tablets, they could mess around with the calculations. 
Remember, those calculations tell the pilot how much power they need!</p> <blockquote> <p><em>&ldquo;Some electronic flight bags had no pin at all.&quot;</em></p> </blockquote> <p>We realized you could convince the pilots to use the wrong amount of power for their departure. The most likely consequence of that is what&rsquo;s called the “tail strike”. That&rsquo;s where the pilot tries to rotate, but they haven&rsquo;t got enough power. Instead of going up, the tail goes down and they drag the plane&rsquo;s tail along the runway, causing damage.</p> <p>One thing I want to mention that I love about the aviation industry compared to the cyber industry is that incidents and accidents are reported and shared without blame attributed. That way everyone can learn. As a result, the safety of flying has gone through the roof over the last 50 years.</p> <blockquote> <p><em>&ldquo;Incidents and accidents are reported and shared without blame attributed. That way everyone can learn.&quot;</em></p> </blockquote> <p>That also means independent security researchers can download all the incident reports and find the cases where things have gone wrong and why they&rsquo;ve gone wrong. We’ve discussed before how it can be really challenging to get IoT vendors to wake up and take responsibility for their actions. Aviation is a whole different ball game!</p> <p><strong>MF: It&rsquo;s instilled in the culture, isn&rsquo;t it? It&rsquo;s expected.</strong></p> <p><strong>KM:</strong> So you would think. It&rsquo;s been an interesting journey. We&rsquo;ve looked at seven different electronic flight bag systems and found reportable vulnerabilities in all of them.</p> <p>What&rsquo;s really interesting is how some manufacturers have been really good, and others have been really difficult to deal with. 
You hope that if someone came to you saying, “We found a security bug in one of your systems that we think could lead to a safety incident,” they&rsquo;d be all over you like a rash trying to find out everything we found and getting it fixed. It&rsquo;s not always the case.</p> <p>I really want to give Boeing a big hat tip. Because with the first vulnerability we found, Boeing came back to us within 24 hours and said, “We agree with you. Only problem is, it&rsquo;s going to take us about 18 months to fix.” We were blown away thinking ‘how can a vulnerability take 18 months to fix?’ Boeing said, “We actually can fix it in a week but we have to certify the software is safe. Every time we change some code in our apps, we have to re-certify to make sure it&rsquo;s safe in every single possible case.” We didn&rsquo;t know that, so we learned something.</p> <p>In the end, Boeing did it in about 14 months and rolled it out to the fleet.</p> <p><strong>MF: I&rsquo;m having a hard time wrapping my head around the ownership and the responsibility on the side of the manufacturer. And the potential catastrophe if something was ever exploited in a way that led to loss of life. There are very stark business things to look at from that point of view.</strong></p> <p><strong>KM:</strong> I found it extremely frustrating that not everyone in the industry was taking things as seriously as perhaps they could. But the good thing is that planes are safe. And as a result of the way the industry discloses incidents, they’re getting safer all the time.</p> <p>But as airplanes become more connected, both for efficiency reasons and for the convenience of the passengers, that&rsquo;s when things start to get interesting. 
For example, real-time air traffic control communications.</p> <blockquote> <p><em>&ldquo;As airplanes become more connected, both for efficiency reasons and for the convenience of the passengers, that&rsquo;s when things start to get interesting.&quot;</em></p> </blockquote> <p>Problems happen when we use our voice. When someone says something, it can be quite easy to mishear it, write it down incorrectly, or misremember something. And when the frequencies are busy, it can be quite difficult to get a word in to get your clearance to approach to land, for example.</p> <p>To increase efficiency, we&rsquo;re moving towards a system where clearances and other messages are sent digitally to the cockpit. That&rsquo;s a huge step forward. But some of those systems which are in use are unencrypted. Some of them are plaintext, so there&rsquo;s potential to start tampering with some of the information that goes to pilots.</p> <blockquote> <p><em>&ldquo;Some of those systems which are in use are unencrypted. So there&rsquo;s potential to start tampering with some of the information that goes to pilots.&quot;</em></p> </blockquote> <p>Obviously, pilots will know if something doesn&rsquo;t make sense. But there have been some documented cases where the wrong flight plan was sent to an airplane. The pilots realized it only when they were flying over the wrong bit of the sea. They thought, “I&rsquo;m sure we were going east and this plane&rsquo;s definitely going west.” They then queried everything and realized, “We&rsquo;ve got the wrong flight plan.”</p> <p><strong>MF: But overall, this is a much more hopeful discussion <a href="https://randombutmemorable.simplecast.com/episodes/remote-location-smart-toys">than we had last time about IoT</a>.</strong></p> <p><strong>KM:</strong> Safety&rsquo;s baked into aviation. If something goes wrong, we talk about it. That&rsquo;s a really, really positive message that we could all learn from. 
What if every cyber breach had a public report that we shared with everyone? Then everyone else could be like, “Okay. I&rsquo;ll make sure that doesn&rsquo;t happen to me. I&rsquo;ll learn what to look for.”</p> <p>Wouldn&rsquo;t it be great if we could share a bit more about breaches without fear of being chased by lawyers? Without fear of being sued? Wouldn&rsquo;t it be great if we could share our experience with other organizations, so they don&rsquo;t make the same mistakes? Surely cybersecurity would improve?</p> <p><strong>MF: Where can people go to hear more from you?</strong></p> <p><strong>KM:</strong> There&rsquo;s a lot of information and data on our blog on <a href="https://www.pentestpartners.com/">pentestpartners.com</a>. We&rsquo;ve got some videos too, showing what the effects on systems are when you start tampering with data.</p> <section class="c-call-to-action-box c-call-to-action-box--yellow"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Subscribe to Random but Memorable</h3> <p class="c-call-to-action-box__text"> Listen to the latest news, tips and advice to level up your security game, as well as guest interviews with leaders from the security community. 
</p> <a href="https://randombutmemorable.simplecast.com/" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--yellow" data-event-category="CTA" data-event-action="call-to-action-button"> Subscribe to our podcast </a> </div> </section></description></item><item><title>A CFO explains why every business needs 1Password</title><link>https://blog.1password.com/cfo-why-every-business-needs-1password/</link><pubDate>Wed, 15 Nov 2023 00:00:00 +0000</pubDate><author>info@1password.com (Jeannie De Guzman)</author><guid>https://blog.1password.com/cfo-why-every-business-needs-1password/</guid><description> <img src='https://blog.1password.com/posts/2023/why-business-enterprise-needs-1password/header.png' class='webfeedsFeaturedVisual' alt='A CFO explains why every business needs 1Password' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">As the Chief Financial Officer of 1Password, I’d love to share how 1Password the product empowers my Finance team to be at its best. We work in an uncertain financial environment and strive for efficiency and prioritization, just like everyone else.</p> <p>From the <a href="https://www.verizon.com/business/resources/reports/dbir/">Verizon Data Breach Investigations Report (DBIR)</a>, we know that stolen login credentials are the most common pathway for breaches. This is especially true in our remote-first, hybrid working world where employees bring their own devices and sometimes use unauthorized software and online services. As a result, the potential impact of Shadow IT increases.</p> <p>To quote Alex Stamos, former Chief Security Officer at Facebook:</p> <blockquote> <p><em>&ldquo;The number one reason people’s privacy is violated massively is that they reuse passwords everywhere. 
You do not want to have a contagion effect where somebody [reuses a stolen credential] to take over your email and take bank account(s)&quot;</em> - Collision, 2021</p> </blockquote> <p>75% of data breaches begin from compromised login credentials, and while 1Password is the first step to closing the most consequential security gap, I’m not a security practitioner. We have experts like <a href="https://1password.com/company/meet-the-team/pedro-canahuati/">Pedro Canahuati</a>, our CTO, and Daed Latrope, our VP of Security, for that.</p> <p>I love that 1Password makes my team secure. But even better is that it also accelerates productivity.</p> <p>I evaluate 1Password against four jobs:</p> <ul> <li>Resetting passwords</li> <li>Privileged Access and Collaboration</li> <li>Lowering the SSO Tax</li> <li>Auditing Application Use</li> </ul> <h2 id="password-resets">Password resets</h2> <p>A CFO at a Fortune 100 company told me that they calculate they spend over $350,000 a year on password resets solely driven by call volume, not even accounting for productivity loss. The <a href="https://1password.com/resources/total-economic-impact-of-1password-business/">Forrester Total Economic Impact report</a> estimates a 70% reduction in help desk tickets representing over $1 million in productivity benefits for companies who use 1Password.</p> <p>How? 1Password automatically creates strong, random passwords for every application, reducing the need to mandate password rotations. This means fewer frustrating moments getting locked out right before an investor call or waiting for the help desk to reset your password every six months. The payback period for this time drain by itself is under six months.</p> <h2 id="privileged-access-and-collaboration">Privileged access and collaboration</h2> <p>I can’t think of accounts more important to secure than corporate bank accounts, yet there’s no situation in which you can put SSO in front of a commercial bank account. 
We also need to secure all the shared applications and even files shared with our accounting firms, banks and board audit committees.</p> <p>Every day, my team relies on 1Password to securely access the most privileged logins in the whole company, and we even use secure storage to share private spreadsheets and documents with vendors and customers. During every fundraising round, we operated our data room from 1Password, which really opened our eyes to the value of our product.</p> <p>The best thing is that we’re able to temporarily and securely <a href="https://blog.1password.com/psst-item-sharing/">share secrets and files even if the recipient is not a 1Password user</a>.</p> <h2 id="lowering-the-sso-tax">Lowering the SSO tax</h2> <p>One of the more frustrating developments over the last decade has been the SSO Tax - vendors locking basic security controls like SSO behind a higher pricing tier. What we’ve found is a typical 3-year cycle of application deployment where a small subset of a team utilizes a tool, then rolls it out department-wide, and sometimes the application graduates to organization-wide deployment. In this environment, we’re looking for raw returns on every tool we bring onboard.</p> <p>With 1Password, we’re able to secure those applications whether they’re used by six folks - like the corporate bank account - or hundreds of folks, with strong passwords, avoiding the SSO tax or waiting until organization-wide deployment to justify security investment.</p> <h2 id="audit-it-access">Audit IT access</h2> <p>One of the most difficult requests I make to every team at the end of the year is who is using what software. As mentioned earlier under the SSO use case, more and more software comes in via shadow IT and small sub-teams, which are not under a centrally managed system. That can make us feel like we&rsquo;re lacking visibility into certain app usage. 
1Password’s ability to store logins of any type - password-based or federated - allows us to easily work with department heads to audit software usage and inform budget allocation.</p> <h2 id="conclusion">Conclusion</h2> <p>For me, 1Password is way more than a security tool. It’s the indispensable tool for the finance team, handling the most sensitive information and accounts at the company. It’s more than a password manager, it’s a productivity accelerant for our day-to-day work, and I don’t know how we’d have been able to scale 10x in revenue, customers, and size without it.</p> <p>We also want your employees to be as secure at home as they are at work, which is why <a href="https://support.1password.com/link-family/">every business license of 1Password comes with a complimentary family license</a> for each employee.</p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Secure your enterprise with 1Password</h3> <p class="c-call-to-action-box__text"> Keep your team safe without slowing them down. Choose 1Password Business to gain complete control over passwords and other sensitive business information. 
</p> <a href="https://1password.com/enterprise/" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Try free for 14 days </a> </div> </section></description></item><item><title>'Of equal merit to taking drugs': Katie Paxton-Fear on the thrill of bug bounty hunting</title><link>https://blog.1password.com/bug-hunting-katie-paxton-fear/</link><pubDate>Tue, 14 Nov 2023 00:00:00 +0000</pubDate><author>info@1password.com (Jenn Marshall)</author><guid>https://blog.1password.com/bug-hunting-katie-paxton-fear/</guid><description> <img src='https://blog.1password.com/posts/2023/bug-hunting-katie-paxton-fear/header.png' class='webfeedsFeaturedVisual' alt='&#39;Of equal merit to taking drugs&#39;: Katie Paxton-Fear on the thrill of bug bounty hunting' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">What do you need to become a successful bug bounty hunter? Most importantly: a hoodie. But qualities like professionalism, a growth mindset, and good communication skills count, too.</p> <p><a href="https://twitter.com/InsiderPhD">Katie Paxton-Fear</a> never thought she’d become an expert in cybersecurity, yet she now teaches the subject at Manchester Metropolitan University. She’s also the creator of <a href="https://www.youtube.com/c/InsiderPhD">InsiderPhD</a>, a YouTube channel where she shares her adventures and expertise with other aspiring ethical hackers.</p> <p>Paxton-Fear joined Michael &ldquo;Roo&rdquo; Fey, Head of User Lifecycle &amp; Growth at 1Password, on the <a href="https://randombutmemorable.simplecast.com/">Random but Memorable</a> podcast to share some of her most fascinating vulnerability discoveries, how she got into the field, and her advice for anyone interested in joining the bug hunting ranks. 
Read the interview highlights here, or <a href="https://randombutmemorable.simplecast.com/episodes/halloween-bug-hunting-tricks">listen to the full podcast episode</a>.</p> <div style="text-align: center !important;"> <iframe src="https://www.youtube-nocookie.com/embed/8nhnr1e-ffs?si=aYrKCwjiX4C7Or5f" frameborder="0" allow="autoplay; encrypted-media" width="500" height="281" style="width: 500px !important; height: 281px !important; display: inline-block !important" allowfullscreen></iframe> </div> <p><em>Editor’s note: This interview has been lightly edited for clarity and brevity. The views and opinions expressed by the interviewee don’t represent the opinions of 1Password.</em></p> <p><strong>Michael Fey: How did you get into the field of cybersecurity?</strong></p> <p><strong>Katie Paxton-Fear:</strong> I always describe it as kind of an accident. I did a usual computer science degree. I finished university. I got a job and realized about six months into that job that I hated it. Why am I doing this job? I had this realization and a bit of panic and I was like, &ldquo;You know what? I&rsquo;m going to do a PhD. I&rsquo;m going to be a researcher and an academic and I&rsquo;m going to read books all day.&rdquo;</p> <p>Unfortunately, I had this realization around Christmas time and the intake for PhDs was basically nothing. But when I realized I hated my job, I <em>really</em> hated it. So I said, &ldquo;Well, I guess I&rsquo;ll get the first PhD that comes to me.&rdquo;</p> <p>And it happened to be in cybersecurity! I never really intended to get into cybersecurity. My background is in machine learning and ancient language decipherment, so it was quite different.</p> <p>I then ended up getting into hacking through a live hacking event. I was invited as a mentee. My friends pushed me to apply. I didn&rsquo;t want to apply. I was like, &ldquo;I&rsquo;m not good at security. I make websites. That&rsquo;s what I do. 
That&rsquo;s my job.&rdquo;</p> <blockquote> <p><em>&ldquo;I found my first few bugs in Uber and it was an incredible experience. I was literally shaking.&quot;</em></p> </blockquote> <p>And then I got invited to this live event and when I was there, despite knowing literally nothing ahead of time, I found my first few bugs in Uber and it was an incredible experience. I was literally shaking. The elation I felt was like nothing else and I haven’t stopped since. That was three or four years ago.</p> <p><strong>MF: What were the bugs that you found?</strong></p> <p><strong>KPF:</strong> I can&rsquo;t share them in detail for obvious reasons. But I can share a little bit about them. Essentially it was the ability to change the price of something in Uber without being authorized.</p> <p>For example, changing the cost of somebody else&rsquo;s Uber ride. Making it really high or really low. And not only that, you could also change it to be a negative number. Now, I don&rsquo;t know if that would&rsquo;ve gone through, but it’s quite funny to imagine you get into an Uber and the cost is $1,000 for a five-minute ride or even better, minus-$1,000 and Uber pays you to enjoy that ride.</p> <p>They were super simple bugs, not very technically complex. They were very obvious. I’m surprised nobody else found them, to be honest!</p> <p><strong>MF: You&rsquo;ve gone on to uncover vulnerabilities in tons of systems and applications. What are some of your most memorable discoveries?</strong></p> <p><strong>KPF:</strong> There are two main bugs that I think about. One was really interesting technically, and one was really interesting for its impact despite being a very boring bug.</p> <p>There are types of bugs that we like to call “access control issues” where you don&rsquo;t have permission to do something. Maybe you’re a low-level user and you&rsquo;re trying to do an admin function. 
Maybe you’re a part of one organization but you&rsquo;re trying to impact a different organization – those kinds of issues.</p> <p>It was a very typical bug where all you needed was somebody&rsquo;s email address to access a form that this same person had already filled in. This website didn&rsquo;t have proper accounts and didn&rsquo;t want to deal with password resetting. The problem was that as long as somebody knew your email address and knew you&rsquo;d made a request to this website, they could see that request and edit it. You might think, &ldquo;Okay, no big deal.&rdquo; Well, this particular website was being used for air shows and you could specify a runway length for an aircraft.</p> <blockquote> <p><em>&ldquo;This particular website was being used for air shows and you could specify a runway length for an aircraft.&quot;</em></p> </blockquote> <p>Technically it wasn’t a very interesting bug. But there&rsquo;s a reason why airplanes have specific runway lengths for different aircraft. You can&rsquo;t land a big plane on a small runway. The actual impact of this in real life would&rsquo;ve been huge! That&rsquo;s the most interesting one impact-wise.</p> <p>For my technical example, I once used an error message to find a bug that was not in the software I was testing, and not in the software that <em>that</em> software was using, but there was a dependency of a dependency of a piece of software that it was then developed on top of like a framework. I used this error message in a ton of fingerprinting. I felt huge hacker vibes from that one.</p> <p><strong>MF: Finding a dependency tree that lets you exploit a vulnerability has got to feel pretty epic.</strong></p> <p><strong>KPF:</strong> It did because I had never seen this before, so I felt like I was uncovering treasure.</p> <p><strong>MF: What would you say drives your passion for hunting down vulnerabilities? 
Are you just chasing a high or is it something more?</strong></p> <p><strong>KPF:</strong> I&rsquo;ve never done drugs but I’m certain that the high you get from bug hunting and finding a vulnerability, reporting it, and then getting paid is probably of equal merit to taking drugs. It&rsquo;s a fantastic feeling!</p> <p>My real passion is problem-solving and puzzles. Because when you’re bug hunting, you’re often completely outside. You don&rsquo;t have any information about how any of the systems are supposed to work. You’re piecing together this jigsaw of different technology stacks. All the jigsaw pieces are blank and you’re not really sure if they belong to the same set but you’re still trying to place them.</p> <blockquote> <p><em>&ldquo;There&rsquo;s nothing like the experience of putting together all those little pieces and coming out with a security vulnerability.&quot;</em></p> </blockquote> <p>I don&rsquo;t think there&rsquo;s anything quite like that experience of putting together all those little pieces and coming out with a security vulnerability. When I go to live events and I see some of my friends getting thousands of dollars literally every few minutes, it&rsquo;s just crazy. It&rsquo;s the weirdest experience.</p> <p><strong>MF: Your YouTube channel provides tons of insights into the world of bug bounty hunting. What inspired you to share your experiences and knowledge that way?</strong></p> <p><strong>KPF:</strong> I originally wanted to make videos because I was a mentee at this HackerOne event and I didn&rsquo;t really know what I was doing.</p> <p>I had the background of being a web developer and looking at a HTTP request. I knew what that was, I knew what the response was. I could read JSON, I knew what an API was, I had all that kind of technical knowledge. But I had never seen an HTTP request before, meaning the actual raw text that goes into one. 
I would describe it like this: you know how to drive a car but if you open it up, you&rsquo;d have no idea which part was going “vroom vroom”.</p> <blockquote> <p><em>&ldquo;I had never seen an HTTP request before, meaning the actual raw text that goes into one.&quot;</em></p> </blockquote> <p>During that time I was learning Burp Suite, the main tool that bug bounty hunters use. I was learning how to make raw HTTP requests. I was also looking at raw API requests and responses. I learned a lot in five hours about security testing!</p> <p>Then I was fortunate to be invited to another event as a mentee – in Vegas! If someone offers you a free trip to Vegas from the UK, you do not turn that down.</p> <p>When I was there, I had this experience where I was looking at some of the other invited mentees and realized that I was a little bit further along the learning pathway. Not massively, but I did realize there was this gap between what I had learned in that first experience when I was putting together those pieces and finding my first bug and where they were coming from. Not that they were bad hackers or anything!</p> <blockquote> <p><em>&ldquo;I realized that I was a little bit further along the learning pathway.&quot;</em></p> </blockquote> <p>These were people who worked actual AppSec jobs and weren’t Ph.D. students having fun. They were technical security people and they were still struggling to find a bug. I got back from Vegas and thought, &ldquo;I&rsquo;m going to make a YouTube video explaining what you&rsquo;re supposed to do with Burp Suite and what all the tabs do.&rdquo; Because I didn&rsquo;t understand that, and neither did they. 
&ldquo;I know a little bit about how those tabs work now, so I&rsquo;m just going to make the video.&rdquo;</p> <p>People liked it and I was like, &ldquo;Wow, this is amazing.&rdquo; I thought, &ldquo;Well, I&rsquo;ll make some other videos,&rdquo; thinking about what people were struggling with and also bringing in my academic background. I really wanted to do something closer to a traditional classroom in more of a lecture format, which is how I was used to learning as a student.</p> <blockquote> <p><em>&ldquo;I&rsquo;ve received nothing but kindness and support from the community.&quot;</em></p> </blockquote> <p>I haven&rsquo;t stopped making videos since. It&rsquo;s been amazing to watch a community grow. The cybersecurity community is incredible.</p> <p>I think a lot of people, especially women, are quite scared because they&rsquo;re like, &ldquo;Oh, they&rsquo;re going to be abusive towards me.&rdquo; Honestly, I&rsquo;ve received nothing but kindness and support from the community. To be recommended by some of the best hackers in the world who say, &ldquo;Yeah, you should watch Katie&rsquo;s videos, her videos are really great&rdquo; – it&rsquo;s a humbling experience.</p> <p><strong>MF: You’re a lecturer of cybersecurity at Manchester Metropolitan University, so it seems teaching is a huge passion and motivator for you. How do we inspire the next generation of security professionals?</strong></p> <p><strong>KPF:</strong> This question is really interesting. I don&rsquo;t know that it&rsquo;s a problem to have the next generation of hackers stay on the right side as it was previously. Nowadays there are so many different outlets, from training programs like <a href="https://tryhackme.com/">TryHackMe</a> and <a href="https://www.hackthebox.com/">Hack The Box</a> to both online and local CTFs (Capture The Flag games). For anyone who&rsquo;s interested in security, there is nothing but opportunity out there. 
Especially with things like the rise of bug bounty hunting.</p> <p>There&rsquo;s also an opportunity to develop skills at a younger age. If you were a teenager who was interested in cybersecurity at the same time I was a teenager, you&rsquo;d end up on a hacking forum. Nowadays, teens can get involved in <a href="https://www.hackerone.com/">HackerOne</a> or <a href="https://www.bugcrowd.com/">Bugcrowd</a>. They can do a CTF competition and get a prize.</p> <blockquote> <p><em>&ldquo;A lot of the students and people I talk to feel like it’s not for them. They&rsquo;re interested in it but they’re worried they&rsquo;re not good enough.&quot;</em></p> </blockquote> <p>There are so many legal, well-paid ways to engage with that interest nowadays that honestly, the hard part is getting students to see the potential in themselves. A lot of the students and people I talk to feel like it’s not for them. They&rsquo;re really interested in it but they’re worried they&rsquo;re not good enough. I think that&rsquo;s far more of an issue.</p> <p><strong>MF: Going back to bug bounty hunting, how do you disclose vulnerabilities to companies in a way that actually prompts action and fixes?</strong></p> <p><strong>KPF:</strong> I have some controversial takes here. I used to work in triage at Bugcrowd. For people who aren&rsquo;t aware, when a vulnerability gets submitted it usually goes through the triage services of a bug bounty program before it goes to a company like 1Password.</p> <p>This is because bug bounty programs get a lot of spam. Any person who&rsquo;s familiar with bug bounties who thinks, &ldquo;Yeah, it can&rsquo;t be that bad&rdquo; – it&rsquo;s bad.</p> <blockquote> <p><em>&ldquo;Bug bounty programs get a lot of spam.&quot;</em></p> </blockquote> <p>A lot of people will lie about the severity of their bugs. This is why I have some controversial takes. First, you&rsquo;ve got to be honest. 
If your bug is terrible, or if it isn’t very severe, just be honest and say that! You&rsquo;ve got to realize that this isn&rsquo;t a competition. It&rsquo;s not you versus triage versus the customer. You’re all working together, and I promise that everybody wants things to be more secure! Nobody wants to leave horrible bugs outstanding.</p> <p>I always recommend professionalism. I always recommend clarity and having the kind of attitude that you&rsquo;re okay with the decision maker saying, &ldquo;You know what? We don&rsquo;t care about this. It&rsquo;s fine. Totally fine.&rdquo; In terms of how you actually get a fix, that&rsquo;s when it comes down to steps of reproduction, and making sure the client really understands the impact.</p> <blockquote> <p><em>&ldquo;You also need soft skills like report writing, professionalism.&quot;</em></p> </blockquote> <p>You&rsquo;ll note that none of these things that I&rsquo;ve mentioned have anything to do with technical skills. It&rsquo;s not that technical skills aren&rsquo;t important, but you also need soft skills like report writing, professionalism, engagement, and making sure you have clear steps. All of that really benefits a program and gets your bugs triaged quickly and resolved.</p> <p><strong>MF: What are some of the essential traits and habits for becoming a good security researcher or bug bounty hunter?</strong></p> <p><strong>KPF:</strong> First of all, have a growth mindset. You cannot have the mindset that “something has happened, therefore you are useless”. Mental health-wise, it&rsquo;s not going to do you any favors. But also, it&rsquo;s not going to keep you motivated. You have to have a mindset of, &ldquo;I am interested in this. I want to learn this. If I&rsquo;m bad at something, I can improve.&rdquo;</p> <p>Technical skills are very important. You have to be somebody who wants to dive into the technical details. At the start it&rsquo;s not necessarily important. 
If you know you want to get into hacking, you can just start. There&rsquo;s nothing special. There&rsquo;s no course. There&rsquo;s no book. There&rsquo;s no magic spell. There&rsquo;s nothing that will be like, &ldquo;I depart unto you all bug hunting knowledge. You may now go out and download Burp Suite and have a go yourself.&rdquo;</p> <p>Being somebody who&rsquo;s willing to question, why is that the case? You don&rsquo;t have to be a genius. You have to be somebody who&rsquo;s willing to go into insane amounts of detail.</p> <p>And finally, I think it&rsquo;s also just being a good professional. It&rsquo;s being somebody who&rsquo;s willing to work with a team and to work within the constructs of something like an NDA. It&rsquo;s being somebody who&rsquo;s able to be flexible and not necessarily be the star all the time.</p> <blockquote> <p><em>&ldquo;While we may wear hoodies, we also go into an office and take the bus at nine o&rsquo;clock in the morning and go to Starbucks.&quot;</em></p> </blockquote> <p>A lot of people have this viewpoint that hackers are completely outside the sphere of normal people. They&rsquo;re scary people who live in basements and wear hoodies. While we may wear hoodies, we also go into an office and take the bus at nine o&rsquo;clock in the morning and go to Starbucks and buy lattes just like everybody else who works in an office.</p> <p><strong>MF: What is some advice that you would give to individuals who are interested in pursuing a career?</strong></p> <p><strong>KPF:</strong> The best advice I can give people is to follow me on YouTube with the ad blocker off. No, I can&rsquo;t say that seriously! There are so many good pieces of content and security creators out there. You really can&rsquo;t go wrong. Listen to podcasts, watch YouTube videos, listen to conference talks. 
They&rsquo;re all great places to get started.</p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Subscribe to Random but Memorable</h3> <p class="c-call-to-action-box__text"> Listen to the latest news, tips and advice to level up your security game, as well as guest interviews with leaders from the security community. </p> <a href="https://randombutmemorable.simplecast.com/" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Subscribe to our podcast </a> </div> </section></description></item><item><title>How password managers work</title><link>https://blog.1password.com/how-password-managers-work/</link><pubDate>Thu, 09 Nov 2023 00:00:00 +0000</pubDate><author>info@1password.com (1Password)</author><guid>https://blog.1password.com/how-password-managers-work/</guid><description> <img src='https://blog.1password.com/posts/2023/how-password-managers-work/header.png' class='webfeedsFeaturedVisual' alt='How password managers work' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">You’ve probably heard of a few password management options, like <a href="https://1password.com/">1Password</a> (👋), <a href="https://blog.1password.com/1password-vs-dashlane/">Dashlane</a>, and <a href="https://blog.1password.com/1password-vs-lastpass/">LastPass</a> – but what do they all do?</p> <p>We’ve all dealt with the pains of password management, but there&rsquo;s a lot more to it. 
Whether it’s repeatedly resetting passwords, searching for your wallet every time you want to make an online purchase, or struggling to securely share passwords, we need digital life management, too – and that&rsquo;s where a password manager comes in.</p> <p>So, let’s take a deeper look at what password managers are, how they work, if they’re safe, and everything else you may need to know.</p> <h2 id="what-is-a-password-manager">What is a password manager?</h2> <p>Simply put, password managers are apps that can generate and store all the passwords for your online accounts in one secure place.</p> <p>The passwords are stored securely and, using autofill, can be automatically entered on websites and apps when you need to log in. It creates and remembers strong, unique passwords – and you don’t have to type out or memorize them, saving you from having to constantly reset your passwords when they’re inevitably forgotten.</p> <p>Many other common forms of password management, including simply reusing the one password you’ve memorized for every account or just writing them down, can put your security at risk:</p> <ul> <li>When you <a href="https://blog.1password.com/how-to-protect-yourself-from-password-reuse-attacks/">use the same, often weak, password everywhere</a>, a hacker only needs to crack it once to gain access to all your important information.</li> <li>Not only is it inconvenient to properly manage passwords stored in a notebook or on sticky notes, passwords stored this way are often reused, vulnerable to hacking, and susceptible to <a href="https://blog.1password.com/how-do-hackers-steal-passwords/">social engineering</a>.</li> </ul> <p>The best password managers, like <a href="https://1password.com/">1Password</a>, will offer options to store more than just strong passwords, like credit cards, financial accounts, sensitive documents, secure notes, and more. 
Additional features can include syncing passwords across devices, secure password sharing, data breach detection, dark web monitoring, <a href="https://1password.com/features/two-factor-authentication/">two-factor authentication</a>, end-to-end encryption, and more.</p> <p>Not only do password managers offer the convenience of generating and storing strong, unique passwords, they also centralize cybersecurity controls while encouraging good security habits. They can help you avoid weak passwords, protect your sensitive information from <a href="https://blog.1password.com/data-breach-101-stay-safe-online/">phishing</a> and cybercriminals, and alert you to security issues you can fix to stay safe.</p> <p>Using a password manager is the safest and most convenient option for staying secure online, particularly when compared to the alternatives, like memorizing passwords, duplicating passwords, or even using a free password manager with very limited features.</p> <h2 id="how-do-password-managers-work">How do password managers work?</h2> <p>So what exactly is happening when you use a cloud-based password manager to create a password? In the case of 1Password, here’s a basic overview:</p> <ul> <li>1Password randomly generates a strong password using a built-in strong <a href="https://1password.com/password-generator/">password generator</a>.</li> <li>The password is automatically saved in your password vault.</li> <li>Your vault is end-to-end encrypted using <a href="https://blog.1password.com/how-1password-protects-your-data/">AES 256-bit encryption</a> and guarded by other security measures. 
This means that what you save in 1Password is protected on our servers, in transit, and on your device.</li> <li>1Password uses a <a href="https://1password.com/features/zero-knowledge-encryption/">zero-knowledge approach</a>, which means only you have the keys to your information — it&rsquo;s never visible or accessible to 1Password.</li> <li>Your 1Password <a href="https://support.1password.com/strong-account-password/">account password</a> and <a href="https://blog.1password.com/what-the-secret-key-does/">Secret Key</a> combine to provide incredibly <a href="https://1password.com/features/zero-knowledge-encryption/">powerful protection</a>.</li> <li>The updated version of your encrypted vault data is sent to 1Password&rsquo;s server for syncing and that new password will be available across all of your devices.</li> </ul> <p>Having a general understanding of a password manager’s functionality, including <a href="https://support.1password.com/1password-security/">security</a> and <a href="https://support.1password.com/1password-privacy/">privacy</a>, can help you choose the right password management system for you.</p> <h2 id="do-password-managers-work-on-all-devices">Do password managers work on all devices?</h2> <p>The best password managers will sync information seamlessly across all of your devices, operating systems, and web browsers.</p> <p>For example, 1Password is available on <a href="https://support.1password.com/get-the-apps/?mac">Mac</a>, <a href="https://support.1password.com/get-the-apps/?ios">iOS</a>, <a href="https://support.1password.com/get-the-apps/?windows">Windows</a>, <a href="https://support.1password.com/get-the-apps/?android">Android</a>, and <a href="https://support.1password.com/get-the-apps/?linux">Linux</a>, and you can get the 1Password browser extension for <a href="https://chrome.google.com/webstore/detail/1password---password-mana/aeblfdkhhhdcdjpifhhbdiojplfjncoa">Chrome</a>, <a 
href="https://apps.apple.com/app/1password-for-safari/id1569813296">Safari</a>, <a href="https://addons.mozilla.org/en-US/firefox/addon/1password-x-password-manager/">Firefox</a>, <a href="https://microsoftedge.microsoft.com/addons/detail/1password---password-mana/dppgmdbiimibapkepcbdbmkaabgiofem">Edge</a>, and <a href="https://chrome.google.com/webstore/detail/1password---password-mana/aeblfdkhhhdcdjpifhhbdiojplfjncoa">Brave</a>.</p> <p><a href="https://blog.1password.com/why-trust-1password-cloud/">Password syncing</a> means your data is shared across all your devices. You only need to sign in to 1Password on a new device, and all your saved passwords and other important information are available nearly instantly. Let’s say you update a password using the 1Password browser extension for Firefox on your laptop. That password will also automatically be updated on the 1Password for iOS app on your iPad, and the 1Password for Android app on your phone, without any extra work.</p> <h2 id="are-password-managers-safe-to-use">Are password managers safe to use?</h2> <p>Password managers are a safe, effective way to increase your online protection and enforce secure passwords both at home and at work. Using a password manager is a much better option than any of the alternatives.</p> <p>Password managers can also offer additional protection from hackers and cybercriminals. Here are some examples of how 1Password does much more than create <a href="https://blog.1password.com/how-1password-calculates-password-strength/">strong passwords</a>:</p> <ul> <li>When 1Password saves your passwords, it also saves the exact URLs they should be used on. 
That means 1Password won’t offer to autofill your passwords on scam phishing sites with deceiving URLs (for example, paypa1.com rather than paypal.com).</li> <li>1Password lets you know which sites offer two-factor authentication (2FA) or multi-factor authentication (MFA) so you can easily activate this extra layer of security.</li> <li>1Password will continuously flag weak passwords and password reuse by identifying which items share a password and which passwords are easy to guess. 1Password will automatically offer an option to update those saved items so you can easily generate new, secure passwords on the spot.</li> </ul> <p>Lastly, while it may seem counterintuitive to keep all of your sensitive data in one place, most established password managers employ several layers of security against data breaches, like end-to-end encryption and a zero-knowledge approach.</p> <p>Your password manager should keep your data safe, even in the unlikely event their <a href="https://blog.1password.com/what-if-1password-gets-hacked/">servers are breached</a>. For example, in addition to the account password you choose, 1Password protects your information with your unique 128-bit Secret Key that&rsquo;s never shared with us or our server. Even if an attacker actually knows your account password, your <a href="https://blog.1password.com/what-the-secret-key-does/">Secret Key has enough entropy</a> to keep your 1Password data safe. That means a random attacker trying to guess both your account password <em>and</em> Secret Key wouldn&rsquo;t stand a chance.</p> <h2 id="family-password-management">Family password management</h2> <p>Many password managers offer subscription options not just for yourself, but for your loved ones, as well. 
Whether it’s your spouse, kids, or roommates, sharing a password manager with your nearest and dearest can significantly streamline your digital lives.</p> <p><a href="https://1password.com/personal">1Password Individual</a> and <a href="https://1password.com/personal">1Password Families</a> offer robust features like:</p> <h3 id="convenience">Convenience</h3> <ul> <li>Autofill logins, financial information, two-factor codes, credit card information, and much more.</li> <li>Securely share individual items stored in 1Password, like the Wi-Fi password or login information, with anyone – even if they don&rsquo;t use 1Password.</li> <li>Use guest 1Password accounts to share vaults with anyone for a limited time.</li> <li>Organize your stored items using tags, categories, and collections so you can easily find whatever you need.</li> </ul> <h3 id="security">Security</h3> <ul> <li>Get security alerts for websites where your passwords may have been exposed in a data breach.</li> <li>Identify reused and weak passwords by seeing which items use the same password and which passwords are easy to guess.</li> <li>Identify non-secure logins you&rsquo;ve saved for websites that support HTTPS.</li> <li>Find logins for websites that support two-factor authentication, but don’t have a one-time password.</li> <li>Find items that have expired or are expiring soon, so you can take action (like credit cards, memberships, and driver’s licenses that are expiring within 2 months).</li> </ul> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div class="c-technical-aside-box__description"> <p><a href="https://1password.com/business-pricing">Check out a comprehensive list of 1Password features</a>.</p> </div> </aside> <h2 id="business-password-management">Business password management</h2> <p>From small and growing businesses to large enterprises, every organization needs a password manager. 
1Password can help you monitor for security threats, comply with security standards, improve productivity, and reduce the workload around secrets management so you can balance the various needs across your organization. <a href="https://1password.com/business">1Password Business</a> and <a href="https://1password.com/enterprise">Enterprise</a> solutions come with additional features like:</p> <h3 id="administrative-controls">Administrative controls</h3> <ul> <li>Tailor 1Password to your needs by creating custom sign-in rules and monitoring access for events like sign-in attempts.</li> <li>Create and manage custom groups to organize your team and delegate responsibilities.</li> <li>Easy to deploy with support available every step of the way, along with extensive <a href="https://support.1password.com/">support documentation</a>, free <a href="https://1password.com/webinars/">webinars</a>, <a href="https://1password.com/resources/">resources</a>, and <a href="https://www.1password.university/learn">1Password University</a>.</li> <li>Free Families plan for all users to encourage great security habits at home, too.</li> </ul> <h3 id="security-and-reporting">Security and reporting</h3> <ul> <li>Generate custom reports (usage, breach, account activity).</li> <li>Create and manage custom groups to organize your team and delegate responsibilities.</li> <li>Get actionable recommendations on potential breaches, password health issues, and team usage with 1Password Insights.</li> <li>Proactively prevent threats and increase compliance with custom security policies.</li> </ul> <h3 id="integrations">Integrations</h3> <ul> <li>Unlock with Single Sign-On (SSO).</li> <li>Provisioning with Azure AD, Google Workspace, Okta, OneLogin, Rippling, and JumpCloud.</li> <li>Stream events to SIEM tools like Splunk, Elastic, Sumo Logic, and Panther (or build your own integration).</li> </ul> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div 
class="c-technical-aside-box__description"> <p><a href="https://1password.com/business-pricing">Check out a comprehensive list of 1Password features</a>.</p> </div> </aside> <h2 id="making-password-management-simple">Making password management simple</h2> <p>When it comes to quickly locating important logins, sharing password access with others, and securing your most sensitive information, there’s really no simpler solution than a password manager.</p> <p>In fact, with a password manager like 1Password, not only can you prevent cybersecurity from being complicated, you can actually make managing your digital life <em>easy</em>.</p> <section class="c-call-to-action-box c-call-to-action-box--purple"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Secure your digital life with 1Password</h3> <p class="c-call-to-action-box__text"> Organize and secure all your online accounts with 1Password, the world’s most-trusted password manager. Get started today with a free 14-day trial. 
</p> <a href="https://1password.com/pricing/" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--purple" data-event-category="CTA" data-event-action="call-to-action-button"> Try free for 14 days </a> </div> </section></description></item><item><title>Security writer Graham Cluley on reformed hackers, deepfake calls, and bad jargon</title><link>https://blog.1password.com/security-deepfakes-interview-graham-cluley/</link><pubDate>Tue, 07 Nov 2023 00:00:00 +0000</pubDate><author>info@1password.com (Jenn Marshall)</author><guid>https://blog.1password.com/security-deepfakes-interview-graham-cluley/</guid><description> <img src='https://blog.1password.com/posts/2023/security-deepfakes-interview-graham-cluley/header.png' class='webfeedsFeaturedVisual' alt='Security writer Graham Cluley on reformed hackers, deepfake calls, and bad jargon' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Technology and cybersecurity change so fast. But when businesses fail to put basic protections and processes in place, who’s to blame? Graham Cluley – writer, blogger, and host of the <a href="https://www.smashingsecurity.com/">Smashing Security</a> podcast – shares his 30-year perspective on this question, and what’s going on in cybersecurity today.</p> <p>He joins 1Password&rsquo;s Matt Davey on the <a href="https://randombutmemorable.simplecast.com/">Random But Memorable</a> podcast to talk about trends that come and go, the buzzwords that drive him crazy, why machine learning is yesterday’s news, and why we shouldn’t put all the blame for successful hacks on new technology like deepfakes.</p> <p>Read the interview below or <a href="https://randombutmemorable.simplecast.com/episodes/private-electronic-graffiti-tags">listen to the full podcast</a> for (buzzword alert!) 
Cluley’s “VORIWGM”: voice of reason in a world gone mad.</p> <div style="text-align: center !important;"> <iframe src="https://www.youtube-nocookie.com/embed/VgND7AXaUXY?si=MnoVpqrl7wIJxcy6" frameborder="0" allow="autoplay; encrypted-media" width="500px !important;" height="281px !important;" style="width: 500px !important; height: 281px !important; display: inline-block !important" allowfullscreen></iframe> </div> <p><em>Editor’s note: This interview has been lightly edited for clarity and brevity. The views and opinions expressed by the interviewee don’t represent the opinions of 1Password.</em></p> <p><strong>Matt Davey: You’ve spent many years writing about security. How has the cybersecurity landscape changed since you started?</strong></p> <p><strong>Graham Cluley:</strong> My first professional day in the cybersecurity industry was in January 1992. I was writing antivirus software for a company called Dr. Solomon&rsquo;s, and in those days we saw about 200 new viruses every month. And people told us that was a lot!</p> <p>We used to send out updates on floppy disks and most people received their updates every three months. They didn&rsquo;t need them more regularly than that because viruses didn&rsquo;t spread very quickly. Most people weren&rsquo;t on the internet, so things were transferred via sneakernet: people taking a floppy disk from one computer to another.</p> <p>The situation we have now is that there are millions and millions of attacks every day. It’s such an enormous industry with a conveyor belt of cybercrime going on all the time because everyone&rsquo;s online. Everyone&rsquo;s got a computer in their pocket and everyone&rsquo;s doing everything online rather than the old-fashioned way with telephones and notepads.</p> <blockquote> <p><em>&ldquo;There are millions of attacks every day. 
It’s such an enormous industry with a conveyor belt of cybercrime going on all the time.&quot;</em></p> </blockquote> <p>Way back then, it was all kids in their bedrooms, doing hacking as a form of electronic graffiti. And of course, what happened was that we began to see state-sponsored attacks. It&rsquo;s pure James Bond, utter science fiction.</p> <p>If you came to someone in 1992 and said, &ldquo;One day the Chinese government will be planting malware or stealing passwords from other people or breaking into computers,” you&rsquo;d think, &ldquo;Oh, come off it. How likely is that to happen? It&rsquo;s much more likely they’d be parachuting someone behind enemy lines.” Now, of course, we see countries spying on each other, stealing information, launching attacks, disrupting systems all the time.</p> <p>Perhaps the biggest change of all is money. Because now cybercrime – business email compromise, ransomware – doesn&rsquo;t just make money, it makes <em>huge</em> amounts of money. I&rsquo;m sure we&rsquo;ve seen criminal gangs move from old-fashioned crime into cybercrime. They&rsquo;ve realized it&rsquo;s maybe safer and more profitable.</p> <blockquote> <p><em>&ldquo;We&rsquo;ve seen criminal gangs move from old-fashioned crime into cybercrime. They&rsquo;ve realized it&rsquo;s maybe safer and more profitable.</em>&rdquo;</p> </blockquote> <p>Money has changed everything – for the vendors as well as the criminals. There&rsquo;s lots of money to be made for the vendors. Computer security is a hot industry to be in. It&rsquo;s something which companies continue to invest in. And cybercrime has escalated because of the sheer amount of money which can be made.</p> <p><strong>MD: Do you think we&rsquo;ll see a <a href="https://youtu.be/h0jMpNZukjg?si=dNj__1w8LsxH9xoT">LADbible-esque interview</a> with a cybercriminal in 10 years? Like we do with gangsters now?</strong></p> <p><strong>GC:</strong> In a way we already do. There are cybercriminals who have been caught. 
Some of them have gone to prison and then, once they get out, they set up cybersecurity consultancies because they pitch themselves as “poacher turned gamekeeper”.</p> <p>Some of them have absolutely rested on the laurels of their notoriety to make themselves a substantial amount of money. That really riles me. There are people who have shown a real lack of ethics but have actually been able to have a more successful career in some cases than the people who remained honest.</p> <p>Sometimes I think maybe we shouldn&rsquo;t celebrate these guys as being such heroes. Let&rsquo;s not forget they got caught. They weren&rsquo;t as smart as they sometimes claim. Maybe the real smart ones are the ones we never hear of.</p> <blockquote> <p><em>&ldquo;We shouldn&rsquo;t celebrate these guys as being such heroes. Let&rsquo;s not forget they got caught.&quot;</em></p> </blockquote> <p>I was emceeing an event a couple of years ago, and they had this guy on who was a hacker who had been caught. He stood up there for 45 minutes telling all these stories: “This is how I hacked these guys, this is how I hacked these guys.”</p> <p>I thought, when are you going to get to the bit where you say what you did was wrong? When are you going to say, &ldquo;Don&rsquo;t do what I did. I realize now that I caused harm. I cost companies money and if companies lose money, they may have to let people go. There&rsquo;s an impact on real people.”</p> <blockquote> <p><em>&ldquo;When are you going to say, &lsquo;Don&rsquo;t do what I did. I realize now that I caused harm. I cost companies money and if companies lose money, they may have to let people go.'&quot;</em></p> </blockquote> <p>I thought, you should be putting effort into classes where there are young kids who are beginning to dabble into these areas and saying, &ldquo;Don&rsquo;t do this because what happened was really bad and going to jail was a horrible experience and traumatic for my family and my friends. 
And it’s cast a shadow over the rest of my career.&rdquo;</p> <p><strong>MD: Instead of jumping straight to: &ldquo;Here&rsquo;s how you protect against hacks like the one I did,&rdquo; which is where most of them immediately go.</strong></p> <p><strong>GC:</strong> Maybe I&rsquo;m a bit of a stick in the mud. I&rsquo;m getting old so maybe I have to recognize that new generations are different.</p> <p>When I started in antivirus, for instance, we had a very simple rule: when we were hiring people, if they were too enthusiastic about computer viruses, we wouldn&rsquo;t hire them.</p> <p>People ask me all the time, &ldquo;Did you ever write a virus?&rdquo; Absolutely not. I could have, but I had a sense of ethics and morals. I didn&rsquo;t think it would be right for my code to run on someone else&rsquo;s computer without their permission and cause harm. I would love those people who have obviously taken the wrong path to make a more determined decision to not only go by the right path, but actually prevent others from taking the wrong path as well.</p> <p><strong>MD: Going back to your writing career, I&rsquo;m sure you’ve seen some strange and creative terminology in some of the stories you&rsquo;ve covered. What&rsquo;s your favorite buzzword or jargon that’s come up recently?</strong></p> <p><strong>GC:</strong> You just can&rsquo;t get away from them, can you? First we had <a href="https://blog.1password.com/what-is-phishing-and-how-can-you-protect-your-business/">phishing</a>, then we had <a href="https://blog.1password.com/sms-phishing-tale/">smishing</a>, then we had <a href="https://www.techtarget.com/searchunifiedcommunications/definition/vishing">vishing</a>. 
It&rsquo;s just like, &ldquo;For goodness&rsquo; sake can we not?&rdquo; Sometimes as an industry we really gravitate towards these words.</p> <p>I sometimes get requests from journalists saying, can you tell me about &ndash; and they put a random sequence of letters &ndash; and I have no idea what they&rsquo;re talking about. I have to go on to Google and think, &ldquo;Is this what they&rsquo;re actually asking me about and what does that really mean?&rdquo;</p> <p>My favorite acronym was used by a former colleague of mine, Paul Ducklin, called VORIWGM. That stands for “voice of reason in a world gone mad&rdquo;, which I think is something that is probably “random but memorable”.</p> <blockquote> <p><em>&ldquo;VORIWGM stands for &lsquo;voice of reason in a world gone mad.'&quot;</em></p> </blockquote> <p>There&rsquo;s one I do love, which is TEOTWAKI, “The End of the World As We Know It”. We hear about that, well, most Thursdays don&rsquo;t we in the cybersecurity world? We’re always being told it&rsquo;s the end of everything!</p> <p>Right now, we&rsquo;re surrounded by all this generative AI talk and chitchat. Every security company out there is now saying, &ldquo;We&rsquo;ve got to say we&rsquo;ve got AI! We have to have machine learning!&rdquo; Actually, machine learning is yesterday&rsquo;s news. But these companies think, &ldquo;We have to have this kind of component in our technology, otherwise it&rsquo;s not going to be able to compete.&rdquo; Some of these things are things that products and services have had for years. They just haven&rsquo;t been dressed up using these particular phrases.</p> <p>In terms of cybersecurity, AI is going to democratize attacks. I think we&rsquo;re going to start seeing that with deepfakes as well. There have been reports of CEOs who&rsquo;ve been defrauded for millions. They thought they were speaking to the group chairman and moved millions into an attacker’s account. 
They say, &ldquo;Well, it was because there was a deepfake call. It sounded just like my boss, and that&rsquo;s why I did it.&rdquo;</p> <blockquote> <p><em>&ldquo;AI is going to democratize attacks.&quot;</em></p> </blockquote> <p>When I see these reports, I think, &ldquo;Well, how does the CEO know it was a deepfake – it was just on the phone. How do they know it wasn&rsquo;t just someone doing an impression of the group chairman? How do they know it wasn&rsquo;t someone like Rory Bremner or John Culshaw simply doing a convincing impression of somebody?&rdquo;</p> <p>Sometimes people are going to start blaming deepfakes and ChatGPT and AI, just like they&rsquo;re blaming state-sponsored hackers. And it&rsquo;s like, &ldquo;Oh, come on, guys. You just need the normal checks, provisions and procedures, along with a bit of technology in place to prevent your company from falling for these things.&rdquo;</p> <blockquote> <p><em>&ldquo;People are going to start blaming deepfakes and ChatGPT and AI, just like they&rsquo;re blaming state-sponsored hackers.</em>&rdquo;</p> </blockquote> <p>I&rsquo;ve played around with AI. It’s amazing. It does an incredible job at pretending to be other people. We&rsquo;ve all seen the <a href="https://youtu.be/jnNQEiPs5r0?si=xiOU_uNlD6wYfA7v">deepfake Tom Cruise</a>, and you can go on YouTube and see dead artists singing modern songs. Who knows where we&rsquo;re going to be in two years’ time because this technology has moved so quickly and that’s kind of terrifying. But we also need a little bit of skepticism when everyone starts to blame the technology.</p> <p>Looking at AI from the cybersecurity point of view, there are lots of new things for people to learn about how to protect themselves on these different services. There are subtleties and differences in the way some of these things work, which may mean they&rsquo;re not as private as you imagined they were. 
It&rsquo;s a confusing time.</p> <p><strong>MD: Do you have any other security tips or advice for listeners? Maybe ones that you give friends and family?</strong></p> <p><strong>GC:</strong> When I travel to give talks, I take a taxi from the airport to the venue. When the driver asks what I do, I always share the same advice because I&rsquo;ve only got a short amount of time and I can&rsquo;t get too nerdy.</p> <p>The top one is: Use different passwords on different websites. Stop using the same password because you can be sure the taxi driver and most of the people you encounter in regular life are reusing the same passwords in different places.</p> <p>That inevitably causes them to say, &ldquo;Well, how am I going to remember all these passwords?&rdquo; And that&rsquo;s when you say you get yourself a <a href="https://blog.1password.com/password-manager/">password manager</a>, which will also generate the passwords randomly for you. It will also provide a level of protection against phishing because it won&rsquo;t offer to enter your credentials if it doesn’t recognize the domain name as being for that particular password entry.</p> <blockquote> <p><em>&ldquo;Use different passwords on different websites. Stop using the same password.&quot;</em></p> </blockquote> <p>Once they&rsquo;ve swallowed that one, I then say, &ldquo;Okay, for dessert, I&rsquo;m going to tell you to turn on multi-factor authentication for as many accounts as you can. So when your password does get phished, when you make a mistake, or if you have made the mistake of reusing passwords, you’ve got an additional layer of security.” Now there are tricks for getting round multi-factor authentication but it requires a lot more effort by the criminal and normally they don&rsquo;t bother.</p> <p>The final one is: Keep your computer patched and up to date with the latest security patches and run security software on your computer. 
Don&rsquo;t think that magic crystals sitting on your bookshelf are going to somehow defend your computer or &ldquo;I&rsquo;ve got a Mac and therefore I don&rsquo;t have to worry.&rdquo;</p> <p><strong>MD: Where can people go to find out more about you or the Smashing Security podcast?</strong></p> <p><strong>GC:</strong> I&rsquo;ve got a website, <a href="https://grahamcluley.com/">grahamcluley.com</a>, and a podcast called <a href="https://www.smashingsecurity.com/">Smashing Security</a>.</p> <section class="c-call-to-action-box c-call-to-action-box--yellow"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Subscribe to Random but Memorable</h3> <p class="c-call-to-action-box__text"> Listen to the latest news, tips and advice to level up your security game, as well as guest interviews with leaders from the security community. </p> <a href="https://randombutmemorable.simplecast.com/" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--yellow" data-event-category="CTA" data-event-action="call-to-action-button"> Subscribe to our podcast </a> </div> </section></description></item><item><title>How to save and store passwords on multiple devices with a password manager</title><link>https://blog.1password.com/save-store-passwords-on-devices/</link><pubDate>Thu, 02 Nov 2023 00:00:00 +0000</pubDate><author>info@1password.com (1Password)</author><guid>https://blog.1password.com/save-store-passwords-on-devices/</guid><description> <img src='https://blog.1password.com/posts/2023/save-store-passwords-on-devices/header.png' class='webfeedsFeaturedVisual' alt='How to save and store passwords on multiple devices with a password manager' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">For many people, trying to remember all their passwords is a lost cause.</p> <p>But clicking “forgot password” to do yet another password reset and coming up with yet another permutation 
of your pet’s name is a colossal waste of time – not to mention a poor approach to protecting your most important information.</p> <p><a href="https://blog.1password.com/password-manager/">Password managers</a> offer an escape from sticky notes and password spreadsheets by giving you an easy way to create, store, and use secure passwords wherever you need them.</p> <h2 id="the-risks-of-not-storing-your-passwords-securely">The risks of not storing your passwords securely</h2> <p>You’ve likely heard about the importance of good password management – using strong passwords that you keep safe – many times over the years. While the obvious risk of improperly storing passwords is that someone other than you can get your password and get into your account, the inconvenience and, more importantly, the dangers can be more far-reaching than you’d think. Here are just a few examples:</p> <ul> <li>When you use the same, easy-to-remember password everywhere, a hacker only needs to successfully crack it once to gain access to all your important data.</li> <li>It&rsquo;s hard to manage passwords stored in a notebook or on sticky notes, and more importantly, passwords stored this way are often reused, vulnerable to hacking, and <a href="https://blog.1password.com/how-do-hackers-steal-passwords/">vulnerable to social engineering</a>.</li> </ul> <h2 id="the-benefits-of-password-management">The benefits of password management</h2> <p>When it comes to the best option for password management, the simple answer is: use a password manager!</p> <p>Not only can you store all of your saved passwords in one secure location, a great password manager will also offer plenty of other benefits that will actually add convenience to your digital life, rather than slowing it down.</p> <p>1Password makes it a breeze to create and store passwords for all of your online accounts with just a few clicks. 
But you can do a lot more than just store passwords:</p> <ul> <li>You can access all your passwords and other items from any of your devices, whether you&rsquo;re online or offline.</li> <li>1Password gives you the ability to <a href="https://blog.1password.com/psst-item-sharing/">securely share individual items stored in 1Password with anyone, like the Wi-Fi password or an alarm code</a>, even if the recipient doesn’t use 1Password.</li> <li>Prefer to <a href="https://blog.1password.com/sign-in-with-other-providers/">sign in to a site with a Google account, Apple ID, or other providers</a>? 1Password can save that information too, and log you in with a single click.</li> <li>1Password’s built-in <a href="https://blog.1password.com/a-smarter-password-generator/">password generator</a> creates strong, unique, and truly random passwords for all your online accounts.</li> <li>You can also store and autofill data like your financial accounts, credit cards, and identity information like your name and address. The types of data you can store in 1Password include <a href="https://support.1password.com/item-categories/">documents, passcodes, secure notes, software licenses, medical records, passport info, and much more</a>.</li> <li>If you’re using an account password to unlock 1Password, you can use <a href="https://1password.com/resources/guides/using-biometrics-fingerprint-as-password/">biometrics for faster access</a> with features like Touch ID, Windows Hello, and other methods of authentication that you use to unlock devices. You can also <a href="https://blog.1password.com/unlock-passkey-private-beta/">use a passkey to unlock 1Password</a> (currently in private beta). <a href="https://blog.1password.com/what-are-passkeys/">Passkeys</a> are a new, more secure, and easy-to-use alternative to passwords. Over time, they’ll replace passwords entirely as more sites and services add support for them. 
You can already save passkeys using 1Password for iOS and 1Password in the browser and use them to log in to your sites and services that support passkeys.</li> <li><a href="https://watchtower.1password.com/">1Password Watchtower</a> alerts you to security problems with the websites you use so you can keep all your accounts safe. It lets you know where you can enable <a href="https://1password.com/features/two-factor-authentication/">two-factor authentication</a>, notifies you if any of your passwords have appeared in a data breach, and alerts you to weak or reused passwords.</li> </ul> <h2 id="saving-and-storing-passwords-for-iphone-ipad-and-mac-with-1password">Saving and storing passwords for iPhone, iPad, and Mac with 1Password</h2> <h3 id="iphone-and-ipad"><em>iPhone and iPad</em></h3> <h3 id="set-up-password-autofill-on-an-ios-device">Set up Password Autofill on an iOS device</h3> <p>Before you can use 1Password to save your logins and sign in on your iOS devices, you’ll need to <a href="https://support.1password.com/get-the-apps/?ios">set up 1Password on your device</a>. 
Then follow these steps:</p> <ol> <li>Open the Settings app on your iPhone or iPad.</li> <li>Tap Passwords, then tap Password Options.</li> <li>Turn on AutoFill Passwords and Passkeys.</li> <li>Select 1Password.</li> </ol> <p>From now on, you’ll be able to save passwords or passkeys and sign in on your iPhone or iPad, without ever opening the 1Password app.</p> <h3 id="save-create-and-autofill-passwords-on-an-ios-device">Save, create, and autofill passwords on an iOS device</h3> <p>To save, create, or fill a password, open an app or visit a website you want to sign in to on your iPhone or iPad, then <a href="https://support.1password.com/ios-autofill/">follow these steps</a>.</p> <h3 id="mac"><em>Mac</em></h3> <p>To create a new login or store passwords on your Mac, follow these steps:</p> <ol> <li>Open the 1Password app.</li> <li>Click + New Item.</li> <li>Click Password from the menu.</li> <li>In the New Item window, name the item you are creating.</li> <li>Click the username field and type in your username.</li> <li>Click the password field and select Create a New Password.</li> <li>Click Save.</li> </ol> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div class="c-technical-aside-box__description"> <strong>Tip</strong>: To stop iCloud Keychain from asking to save your passwords or passkeys, deselect iCloud Passwords &amp; Keychain. Then you’ll always know your information is saved in 1Password, without any confusion. 
</div> </aside> <h3 id="universal-autofill-on-mac">Universal Autofill on Mac</h3> <p>With 1Password and Universal Autofill, you can fill your usernames and passwords everywhere you need to sign in on your Mac, like all your apps and websites, anywhere you’re asked to log in as an administrator on your Mac, and when you run sudo commands in your terminal app.</p> <p>Plus, not only will you be able to use 1Password for Mac to fill your usernames and passwords without opening the 1Password app, you can also take advantage of keyboard shortcuts. Use the <strong>Command-Backslash</strong> keyboard shortcut to fill in an app or browser, and use 1Password’s <a href="https://support.1password.com/quick-access/">Quick Access</a> <strong>(Shift-Command-Space)</strong> to find and fill your logins.</p> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div class="c-technical-aside-box__description"> <p><a href="https://support.1password.com/mac-universal-autofill/">Visit our Universal AutoFill support article for detailed steps</a>.</p> </div> </aside> <h2 id="saving-and-storing-passwords-for-android-with-1password">Saving and storing passwords for Android with 1Password</h2> <h3 id="set-up-autofill-on-an-android-device">Set up Autofill on an Android device</h3> <p>Before you can use 1Password to fill and save your passwords on an Android phone or device, you’ll need to <a href="https://support.1password.com/get-the-apps/?android">set up 1Password on your device</a>. Then follow these steps:</p> <ol> <li>Open and unlock 1Password.</li> <li>Tap the picture of your account or collection at the top right and choose Settings &gt; Autofill. 
If you&rsquo;re using a tablet, tap your account or collection at the top of the <a href="https://support.1password.com/sidebar/?android">sidebar</a>.</li> <li>Tap Autofill to turn it on.</li> <li>In the list of Autofill services, tap 1Password, then tap OK.</li> </ol> <p>To turn on filling suggestions above the keyboard or in a dropdown, tap “Show filling suggestions”.</p> <h3 id="autofill-save-and-create-passwords-on-an-android-device">Autofill, save, and create passwords on an Android device</h3> <p>To fill, save, or create a password, open an app or visit a website you want to sign in to on an Android device, then <a href="https://support.1password.com/android-autofill/#save-create-and-fill-passwords">follow these steps</a>.</p> <h2 id="saving-and-storing-passwords-in-google-chrome-safari-firefox-and-microsoft-edge-with-1password">Saving and storing passwords in Google Chrome, Safari, Firefox, and Microsoft Edge with 1Password</h2> <p>Open your preferred web browser and navigate to the website you want to save or create a login for. Then, follow these steps:</p> <h3 id="save-an-existing-login">Save an existing login</h3> <ol> <li>To save a login, enter your username and password. Then choose Save in 1Password.</li> <li>You can edit the name of the login and the vault where you want to save it. Then click Save.</li> <li>1Password will save your username and password, along with the information entered in other fields.</li> </ol> <h3 id="sign-up-for-a-new-account-on-a-website">Sign up for a new account on a website</h3> <p>1Password will create a strong password for you whenever you sign up for an account on a website.</p> <ol> <li>Enter your account details on the sign-up page. 1Password may suggest usernames and email addresses from your <a href="https://blog.1password.com/storing-1password/">Identity items</a>.</li> <li>Click the 1Password icon in the password field and choose Use Suggested Password.</li> <li>1Password will ask you to save your new login. 
Click Save.</li> </ol> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div class="c-technical-aside-box__description"> <p><a href="https://support.1password.com/getting-started-browser/">View our web browser support article for more details</a>.</p> </div> </aside> <h2 id="hassle-free-security">Hassle-free security</h2> <p>Deciding to use a password manager is a great first step toward keeping yourself safe online. That said, all the security you can get doesn’t make a difference if a password manager doesn’t actually make your life easier. 1Password does.</p> <ul> <li><strong>Works on all of your devices.</strong> <a href="https://support.1password.com/get-the-apps/?mac">Mac</a>, <a href="https://support.1password.com/get-the-apps/?ios">iOS</a>, <a href="https://support.1password.com/get-the-apps/?windows">Windows</a>, <a href="https://support.1password.com/get-the-apps/?android">Android</a>, and <a href="https://support.1password.com/get-the-apps/?linux">Linux</a>.</li> <li><strong>Works in all your browsers.</strong> <a href="https://chrome.google.com/webstore/detail/1password---password-mana/aeblfdkhhhdcdjpifhhbdiojplfjncoa">Google Chrome</a>, <a href="https://apps.apple.com/app/1password-for-safari/id1569813296">Safari</a>, <a href="https://addons.mozilla.org/en-US/firefox/addon/1password-x-password-manager/">Firefox</a>, <a href="https://microsoftedge.microsoft.com/addons/detail/1password---password-mana/dppgmdbiimibapkepcbdbmkaabgiofem">Microsoft Edge</a>, and <a href="https://chrome.google.com/webstore/detail/1password---password-mana/aeblfdkhhhdcdjpifhhbdiojplfjncoa">Brave</a>.</li> <li><strong>Saves you time.</strong> 1Password autofills passwords, addresses, credit cards, and more so you never have to type them out again.</li> <li><strong>Alerts you to security issues.</strong> Find out about security issues so you can take action immediately.</li> <li><strong>Stores more than just passwords.</strong> Login credentials, 
passcodes, documents, secure notes, software licenses, medical records, passport info, and much more can be kept safe in 1Password.</li> <li><strong>Helps you share securely.</strong> Securely share individual items stored in 1Password, like the Wi-Fi password or alarm code, with anyone – even if they don&rsquo;t use 1Password.</li> </ul> <section class="c-call-to-action-box c-call-to-action-box--purple"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Secure your digital life with 1Password</h3> <p class="c-call-to-action-box__text"> Organize and secure all your online accounts with 1Password, the world’s most-trusted password manager. Get started today with a free 14-day trial. </p> <a href="https://1password.com/pricing/" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--purple" data-event-category="CTA" data-event-action="call-to-action-button"> Try free for 14 days </a> </div> </section></description></item><item><title>Build organizational resiliency with Microsoft’s Chief Security Advisor</title><link>https://blog.1password.com/build-organizational-resiliency-interview/</link><pubDate>Tue, 31 Oct 2023 00:00:00 +0000</pubDate><author>info@1password.com (Jenn Marshall)</author><guid>https://blog.1password.com/build-organizational-resiliency-interview/</guid><description> <img src='https://blog.1password.com/posts/2023/build-organizational-resiliency-interview/header.png' class='webfeedsFeaturedVisual' alt='Build organizational resiliency with Microsoft’s Chief Security Advisor' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Major incidents like cyber attacks, terrorism, and pandemics are likely in the making right now but it doesn’t mean they’re inevitable. 
Learning from past incidents, asking the hard &lsquo;what ifs&rsquo;, and helping businesses build organizational resilience is always top of mind for security leader Sarah Armstrong-Smith.</p> <p>Chief Security Advisor at Microsoft and author of the book <em><a href="https://www.amazon.com/Effective-Crisis-Management-Demonstrating-Experiences/dp/9355512716?source=ps-sl-shoppingads-lpcontext&amp;ref_=fplfs&amp;psc=1&amp;smid=ATVPDKIKX0DER">Effective Crisis Management</a></em>, Armstrong-Smith has more than 25 years of experience working on the strategic, tactical, and operational response to major incidents and crises.</p> <p>Read her interview from <a href="https://randombutmemorable.simplecast.com/">Random but Memorable</a> (or listen to <a href="https://randombutmemorable.simplecast.com/episodes/resilient-leader-rock-band">the full podcast episode</a>) to learn why security is actually a business problem, how leaders can build an effective security culture and the costs that companies bear if they don’t prepare and protect themselves.</p> <div style="text-align: center !important;"> <iframe src="https://www.youtube-nocookie.com/embed/20lkzTadTsQ?si=5fXVpPGy910IbZgE" frameborder="0" allow="autoplay; encrypted-media" width="500px !important;" height="281px !important;" style="width: 500px !important; height: 281px !important; display: inline-block !important" allowfullscreen></iframe> </div> <p><em>Editor’s note: This interview has been lightly edited for clarity and brevity. The views and opinions expressed by the interviewee don&rsquo;t represent the opinions of 1Password.</em></p> <p><strong>Matt Davey: How do you stay optimistic with all the &lsquo;what ifs&rsquo; associated with disasters?</strong></p> <p><strong>Sarah Armstrong-Smith:</strong> I used to think I was a little bit jinxed! Wherever I go there are these major incidents. I thought, &ldquo;Is it me?&rdquo; But actually, slowly but surely, I&rsquo;ve realized I&rsquo;m exactly where I need to be. 
And over the years, it&rsquo;s made me think more about where the opportunities are, and where there are lessons to be learned.</p> <p>Writing my first book, <em>Effective Crisis Management</em>, came about by accident. I never intended to write a book, but for Cyber Awareness Month in 2021, I wrote an A to Z of crisis management. It made me reflect on those incidents over the last 20-plus years. What works well and what doesn&rsquo;t? What are the opportunities around these lessons learned, and what are we going to do to make positive change?</p> <p><strong>MD: Can you share a few insights from some of the challenging incidents you&rsquo;ve experienced?</strong></p> <p>I’ve always been interested in the human side of security. When someone has physical injuries, people sympathize and show empathy for them. But when you have mental injuries like PTSD, it&rsquo;s not visible, and you get treated very differently.</p> <p>I think this is synonymous with cybersecurity. If you&rsquo;re the victim of a physical crime, people are like, &ldquo;Oh my goodness, how did this happen?&rdquo; They show empathy and sympathy. But when you&rsquo;re the victim of a cybercrime it&rsquo;s very different. It&rsquo;s your fault even though you’re the victim &ndash; whether you&rsquo;re an organization or an individual.</p> <blockquote> <p><em>&ldquo;When you&rsquo;re the victim of a cybercrime, it&rsquo;s very different. It&rsquo;s your fault even though you’re the victim.&quot;</em></p> </blockquote> <p>When I was 12, <a href="https://www.theguardian.com/business/2013/jul/04/piper-alpha-disaster-167-oil-rig">Piper Alpha</a> happened. It was fascinating to me that there&rsquo;s normally a series of events that lead up to a major incident. Missed warning signs, audit reports and test reports that are ignored, poor culture, poor leadership. 
Slowly but surely, over time, these things escalate into a major incident.</p> <p>What I&rsquo;ve put into the book are some of the worst examples of major incidents. I&rsquo;m reflecting on 9/11, Deepwater Horizon, and other major events. Again, how bad does it have to get before we take action? It&rsquo;s really about stopping the cycle. That&rsquo;s what I&rsquo;m trying to aim at.</p> <blockquote> <p><em>&ldquo;It&rsquo;s really about stopping the cycle. That&rsquo;s what I&rsquo;m trying to aim at.&quot;</em></p> </blockquote> <p>It&rsquo;s similar to what we see with cyber attacks. They&rsquo;re slowly but surely escalating. And at some point, we&rsquo;re going to see a cyber attack so big that it&rsquo;s probably going to cause fatalities, particularly when we think about some of the attacks on critical infrastructure and operational networks.</p> <p>We&rsquo;ll have this major incident, and at that point, we will look backwards and say, &ldquo;How did we get here?&rdquo; And then questions will be raised again. But if we look back at the history of some of these major incidents, we shouldn&rsquo;t be surprised when we see these types of incidents occurring.</p> <p><strong>MD: If you want to get better at mitigation, you’re saying there&rsquo;s a pattern of events that slowly gets bigger. How can organizations and individuals prepare themselves to manage and spot these events?</strong></p> <p><strong>SAS:</strong> In the last three years, we&rsquo;ve had not one but three major incidents. We&rsquo;ve had a global pandemic, we&rsquo;ve had one of the most sophisticated cyber attacks we&rsquo;ve ever seen <a href="https://www.wired.com/story/the-untold-story-of-solarwinds-the-boldest-supply-chain-hack-ever/">which was attributed to SolarWinds</a>. 
And since the beginning of last year, we&rsquo;ve had the war in Ukraine.</p> <p>If you think about the pandemic in particular, what it showed is how many organizations and individuals understand what it means to be resilient. That&rsquo;s organizational resilience, emotional resilience, crisis management – having these kinds of major events right in front of you and dealing with them.</p> <blockquote> <p><em>&ldquo;The pandemic showed how many organizations and individuals understand what it means to be resilient.&quot;</em></p> </blockquote> <p>We&rsquo;ve seen a lot of companies rethinking their business models. We&rsquo;ve seen companies embracing hybrid working. I&rsquo;ve seen a mass acceleration to the cloud. We&rsquo;ve seen companies invest in new technologies, new innovations, smart technologies – AI in particular – over the last year. These are positive changes that we can take away from that.</p> <p>But the reverse of that surfaces if we think about SolarWinds and the war in Ukraine. We&rsquo;ve seen this willingness, in particular, from nation-sponsored actors – Russia, North Korea, Iran, and China are the big four nation-sponsored actors. Historically, these actors would&rsquo;ve been focused on espionage and stealth.</p> <p>What we&rsquo;ve learned is they don&rsquo;t care when they&rsquo;ve been detected! This thing that we&rsquo;re looking at right now is going from disruption to destruction. We&rsquo;ve seen this in Ukraine in particular where there’s a huge increase in destructive malware, wiper malware – you can think about it as ransomware without the extortion demand. It&rsquo;s locking up networks, it&rsquo;s encrypting machines, it&rsquo;s wiping machines.</p> <blockquote> <p><em>&ldquo;What we&rsquo;ve learned is they don&rsquo;t care they&rsquo;ve been detected.&quot;</em></p> </blockquote> <p>We&rsquo;re seeing more actors who are doing these things, and it&rsquo;s alluding to what I mentioned before with the scale of attacks. 
We see the run-of-the-mill things all the time, but ultimately, we need to be prepared for major events that are going to shift our perspective and make us pivot into having to take different types of solutions, and different types of actions as a result.</p> <p><strong>MD: You mentioned that fatalities and destruction of information are what these bad actors are building up to. What would you say are some of the true costs of these major incidents that probably go unseen?</strong></p> <p><strong>SAS:</strong> A lot of it comes down to reputation damage. When you think about the cost of downtime, we&rsquo;ve seen a change in tactics, even with ransomware operators. Some of them are foregoing the initial encryption and just moving straight to the exfiltration of data. They&rsquo;re willing to take their time with reconnaissance and learn about the business. They want to know which data is going to cause the most impact and which data you really care about.</p> <p>When these things are played out in the public domain, it&rsquo;s about trying to stir the emotions of the general public. Whether it&rsquo;s personal data, private data, maybe medical data, and even <a href="https://www.electoralcommission.org.uk/media-centre/electoral-commission-subject-cyber-attack">what we&rsquo;ve seen in the last few months with regards to the Electoral Commission</a> [in the UK], people are concerned that a lot of their private data has leaked and has been leaked for a very long time. Even though you can argue that a lot of that data is already in the public domain. But again, it&rsquo;s the emotions behind it.</p> <p>And arguably, a lot of attackers want it to be played out in the public domain because it puts more pressure on the organization. It&rsquo;s in the media, it&rsquo;s in the public domain. There&rsquo;s lots of pressure coming from you, from customers, consumers, and partners. All of those things are bearing down on you. 
You&rsquo;re under extreme pressure to decide whether you pay or don’t pay or whatever the case may be. They&rsquo;re trying to bring that level of manipulation and control to force you into making a decision that maybe you wouldn&rsquo;t normally make.</p> <blockquote> <p><em>&ldquo;Why would I waste my time trying to break into your network when I can go directly to the source? That source is people themselves.&quot;</em></p> </blockquote> <p>And as technology gets better at blocking known threats, a lot of the attackers are going backwards into social engineering. Why would I waste my time trying to break into your network when I can go directly to the source? That source is people themselves.</p> <p>We&rsquo;ve seen actors who are very blatant with regards to their willingness to buy credentials, buy a multi-factor authentication (MFA) bypass. You can think about it in the current climate, that there are more people who might be willing to turn a blind eye with the economy potentially going into recession and the interest rates going up. Sometimes they&rsquo;re going to be willing and able, and that means they turn into an insider threat.</p> <p><strong>MD: How does Microsoft promote a culture of security among its employees? And what advice would you give to other organizations that are seeking to improve their security culture?</strong></p> <p><strong>SAS:</strong> It&rsquo;s a lot of “lead by example”. If you think about Microsoft, it&rsquo;s a household name. It was founded in 1975, which makes it the granddaddy of Big Tech. Think about how many individuals and organizations are utilizing Microsoft products: Windows, the cloud, Xbox, Bing, LinkedIn. 
When you have that many people across the globe utilizing one or more products, you bear a lot of responsibility for that.</p> <p>If I think about Office, for example, and Teams, and lots of people all of a sudden utilizing collaboration tools – they&rsquo;re maybe not familiar with those tools and what should be shared. You might have people who are trying to copy sensitive data from an application and put that into Teams. Teams will fire up with a policy tip and say, &ldquo;This is personal data, this is financial data, it&rsquo;s intellectual property. This is outside of policy.&rdquo; This is educating people as it happens or when they&rsquo;re doing it, rather than a week later when it&rsquo;s been and gone.</p> <blockquote> <p><em>&ldquo;It&rsquo;s working with them rather than against them.&quot;</em></p> </blockquote> <p>It&rsquo;s about empowerment. That&rsquo;s a really big thing about how we help people to be more security aware without them even realizing it – when it&rsquo;s actually being built into the process. It&rsquo;s working with them rather than against them.</p> <p><strong>MD: Have you found any other initiatives or strategies to be effective? A lot of companies do just two weeks of training a year.</strong></p> <p><strong>SAS:</strong> The problem with doing “30 minutes of e-learning once a year” is that it&rsquo;s done from a compliance perspective. It’s a tick-box approach that focuses on how many people did the training. It&rsquo;s very simplistic and not relevant to people&rsquo;s different roles. What&rsquo;s going to be relevant to marketing or someone in HR or an engineer is completely different.</p> <p>When you have this one-size-fits-all approach, people just get despondent. They don&rsquo;t particularly care. That&rsquo;s one aspect with regards to having the security built in – making it personal.</p> <blockquote> <p><em>&ldquo;When you have this one-size-fits-all approach, people just get despondent. 
They don&rsquo;t particularly care.&quot;</em></p> </blockquote> <p>How do we turn things around? A lot of that comes down to the language that we use. We have to stop referring to people as the weakest link, repeat offenders, a problem to be fixed. Telling people the things they shouldn’t do. All of these are negative and turn people off. So a lot of it is, how do we make it relevant, explaining why they should care, and making people feel empowered about what they can do rather than what they can’t do.</p> <p><strong>MD: Cybersecurity threats are always evolving. How should people stay up to date and keep their skills sharp?</strong></p> <p><strong>SAS:</strong> The attacks are evolving at pace, and some of that is a result of access brokers – cybercrime as a service. The barriers to entry for many cyber attackers have reduced substantially. For a few dollars, they can buy exploit kits on the dark web and they&rsquo;re ready to go.</p> <p>We hear a lot in the media about the sophistication and the ferocity of some of these attacks. The reality is the vast majority of attacks aren&rsquo;t that sophisticated. Over 80% of attacks are phishing &ndash; they&rsquo;re still trying to do the simplest thing possible. If I can get you to willingly give up your credentials, or click an attachment that downloads malware in the background – happy days!</p> <blockquote> <p><em>&ldquo;The vast majority of attacks aren&rsquo;t that sophisticated. Over 80% of attacks are phishing &ndash; they&rsquo;re still trying to do the simplest thing possible.&quot;</em></p> </blockquote> <p>Again, put that into perspective with regards to identity and phishing and password sprays. Microsoft identifies and blocks over 77,000 brute force attempts every minute, and that&rsquo;s because it works. 
So unless you&rsquo;re a nation-state or a ransomware operator or some of those bigger types of organized crime, the vast majority of attackers are still doing the same thing they&rsquo;ve always done.</p> <p>From a resiliency perspective, it&rsquo;s not about stopping every attack, it&rsquo;s about anticipating them. It&rsquo;s about how quickly you can detect and respond. The most important thing is learning from each attack. How did they get in or get access? If we&rsquo;re talking about social engineering, did they have a specifically crafted, well-engineered email, or was it just luck of the draw because the person was stressed? Are we the target? Or are we just unlucky?</p> <blockquote> <p><em>&ldquo;From a resiliency perspective, it&rsquo;s not about stopping every attack, it&rsquo;s about anticipating them.&quot;</em></p> </blockquote> <p>Analyzing these things is what actually provides the resilience. What I find is when we have near misses – you&rsquo;ve evaded an attack, you just stopped it in the nick of time – people wipe their brow and move on. Actually this is a brilliant opportunity to learn and follow it through. What if it didn&rsquo;t get stopped in time? What would&rsquo;ve happened? What would&rsquo;ve been the impact? What are the lessons learned? What are the vulnerabilities? What are the things we need to think about?</p> <p>And on the positive side, the reason why it was stopped might be because you had a great plan. You had great technology, great processes, people are really alert – all of these things should be celebrated.</p> <p>The key is that no matter what size organization, it&rsquo;s thinking about the type of technology that they&rsquo;re investing in. Sometimes we feel like we have to buy more tools, the newest thing. The reality, and even what we see at Microsoft, our people are vastly underutilizing the technology they already have.</p> <blockquote> <p><em>&ldquo;We feel like we have to buy more tools &hellip; the newest thing. 
The reality is that people are vastly underutilizing the technology they already have.&quot;</em></p> </blockquote> <p>Instead, think about what you&rsquo;ve already invested in and how you can get the very best out of that technology. Is that technology being integrated? Is it getting the full visibility, or are things falling in between the cracks? I would hazard a guess that a lot of companies have already made investments in lots of different capabilities. They&rsquo;re just not utilizing them or they&rsquo;ve just not refined it. They&rsquo;ve not set the right policies and the right conditions. They&rsquo;re not doing that evaluation.</p> <p>One of the great things is automation. Automation blocking known threats as quickly and efficiently as possible. And having something as simple as anti-malware. Anti-malware should be one of the key things that everyone should have, irrespective of the size of the company. Anti-malware, when it&rsquo;s tuned properly and it&rsquo;s detecting and it&rsquo;s blocking and doing all the things that it&rsquo;s expected to do, makes a huge difference.</p> <p><strong>MD: Where can people find out more about you and the work that you&rsquo;re doing?</strong></p> <p><strong>SAS:</strong> You can connect with me on <a href="https://www.linkedin.com/in/sarah-armstrong-smith/">LinkedIn</a> and <a href="https://twitter.com/SarahASmith75">Twitter</a>. 
And you can find my book <em><a href="https://www.amazon.com/Effective-Crisis-Management-Demonstrating-Experiences/dp/9355512716?source=ps-sl-shoppingads-lpcontext&amp;ref_=fplfs&amp;psc=1&amp;smid=ATVPDKIKX0DER">Effective Crisis Management</a></em> on Amazon.</p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Subscribe to Random but Memorable</h3> <p class="c-call-to-action-box__text"> Listen to the latest news, tips and advice to level up your security game, as well as guest interviews with leaders from the security community. </p> <a href="https://randombutmemorable.simplecast.com/" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Subscribe to our podcast </a> </div> </section></description></item><item><title>1Password vs. Dashlane: The ultimate guide</title><link>https://blog.1password.com/1password-vs-dashlane/</link><pubDate>Fri, 27 Oct 2023 00:00:00 +0000</pubDate><author>info@1password.com (1Password)</author><guid>https://blog.1password.com/1password-vs-dashlane/</guid><description> <img src='https://blog.1password.com/posts/2023/1password-vs-dashlane/header.png' class='webfeedsFeaturedVisual' alt='1Password vs. 
Dashlane: The ultimate guide' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Whether you’re in the market for a new password manager or looking to try a password management platform for the first time, you’ve likely come across both 1Password and Dashlane in your research.</p> <p>To help you decide which app is best for you, we’re comparing pricing, features, security, and functionality across both password managers.</p> <h2 id="1password">1Password</h2> <h3 id="pricing-and-choosing-the-right-subscription">Pricing and choosing the right subscription</h3> <p>You can use 1Password to protect your most <a href="https://1password.com/personal">sensitive personal information for $2.99 per month</a>. With <a href="https://1password.com/personal">1Password Families</a>, you can extend that protection to four more family members for only $4.99 per month. Additional family members or loved ones can be added for $1 per user per month.</p> <p>For businesses, 1Password offers three different options depending on your needs:</p> <p><a href="https://1password.com/teams/">1Password Teams</a> accounts secure up to 10 team members for $19.95 per month, and comes with selective sharing and the ability to identify threats with built-in risk detection.</p> <p><a href="https://1password.com/business">1Password Business</a> accounts include features like integration with identity providers to unlock 1Password with single sign-on (SSO) and automate provisioning, custom reports and customizable security policies, SIEM tool integration, and actionable insights to prevent risks and threats.</p> <p><a href="https://1password.com/enterprise">1Password Enterprise</a> customers enjoy all the features of Business, as well as free, tailored onboarding and training, a dedicated Customer Success Manager, and migration support customized to their business.</p> <p>1Password also offers friendly, 24/7 customer support <a 
href="https://1password.com/business-pricing">for all plans</a>.</p> <h3 id="free-trial">Free trial</h3> <p>Every 1Password plan is free to try for 14 days. At the end of your free 14-day trial, you can begin your subscription.</p> <h3 id="switching-from-another-password-manager">Switching from another password manager</h3> <p>You can quickly and easily import data into 1Password from <a href="https://support.1password.com/import/#roboform">Dashlane, LastPass, KeePass, KeePassX, RoboForm, Delinea Secret Server, Chrome, Firefox, Edge, Brave, and Safari</a>. You can also import data from other applications using the <a href="https://support.1password.com/import/#import-a-csv-file-from-another-app">comma-separated values (CSV) file format</a>.</p> <h3 id="features">Features</h3> <h3 id="saving-and-filling-passwords-in-1password">Saving and filling passwords in 1Password</h3> <p>As a password manager, 1Password makes it easier than ever to store all your login credentials in one place so you never have to remember more than a few passwords again.</p> <p>Since 1Password remembers all of your sensitive data for you, you can save time and autofill passwords when you log in to a site or service, as well as autofill form fields with your name, address, and credit card.</p> <p>Prefer to <a href="https://blog.1password.com/sign-in-with-other-providers/">sign in to a site with Google, Apple, or other providers</a>? 1Password can save that information too, and log you in with a single click.</p> <p>You can also store and autofill <a href="https://blog.1password.com/totp-and-1password/">time-based one-time passwords (TOTPs)</a>, the string of numbers that you enter after your username and password for further authentication. 
Instead of relying on additional authenticator apps like Google Authenticator, or getting the TOTP via SMS which <a href="https://blog.1password.com/what-is-sim-swapping/">can be intercepted</a>, all you need is 1Password.</p> <h3 id="storing-other-types-of-sensitive-data">Storing other types of sensitive data</h3> <p>Despite the name, 1Password is much more than a password manager! You can also store sensitive data like your financial accounts, credit cards, and identity information like your name and address. You can autofill this information, too, making online shopping and filling out forms a breeze – no more typing out every detail manually.</p> <p>The types of information you can store in 1Password include <a href="https://support.1password.com/item-categories/">documents, secure notes, software licenses, medical records, passport info, and much more</a>.</p> <p>To keep you organized, 1Password will automatically sort items according to their type, or you can <a href="https://support.1password.com/favorites-tags/">create your own tags</a> to help you organize items by theme.</p> <p>Your items are stored within vaults in 1Password, each with its own permission settings. Your personal vault contains items that are just for you, and if you’re using 1Password Families, you can also create shared vaults to give other users access to the contents of that vault. With 1Password, you can create as many vaults as you like, allowing you to get granular with your organization. 
For example, you can create a vault just for tax documents, a vault just for your pet’s vet receipts and vaccination documents, and a vault just for household items like mortgage documents and the internet service provider (ISP) login.</p> <h3 id="passkeys-and-biometrics">Passkeys and biometrics</h3> <p>If you’re using an account password to unlock 1Password, you can <a href="https://1password.com/resources/guides/using-biometrics-fingerprint-as-password/">use biometrics for faster access</a> with features like Touch ID, Windows Hello, and other methods of authentication that you use to unlock devices. You can also <a href="https://blog.1password.com/unlock-passkey-private-beta/">use a passkey to unlock 1Password</a> (currently in private beta).</p> <p><a href="https://blog.1password.com/what-are-passkeys/">Passkeys</a> are a new, more secure, and easy-to-use alternative to passwords. Over time, they’ll replace passwords entirely as more sites and services add support for them. You can already save passkeys using 1Password for iOS and 1Password in the browser and use them to log in to your sites and services that support passkeys.</p> <h3 id="strong-password-generator">Strong password generator</h3> <p>1Password&rsquo;s built-in <a href="https://blog.1password.com/a-smarter-password-generator/">password generator</a> creates strong, unique, and truly random passwords for all your online accounts. 
1Password predicts password requirements and makes appropriate suggestions, and you can further customize random password length, add numbers and symbols, or create memorable passwords and PINs.</p> <h3 id="secure-password-sharing">Secure password sharing</h3> <p>1Password gives you the ability to <a href="https://blog.1password.com/psst-item-sharing/">securely share individual items stored in 1Password with anyone</a> – even if the recipient doesn’t use 1Password.</p> <p><a href="https://support.1password.com/create-share-vaults/">Shared vaults</a> are great for long-term collaboration with your loved ones and make updating any items, like shared passwords, across everyone’s devices quick and simple. Conversely, secure item sharing is built for more granular, temporary sharing and makes a copy of an item at a moment in time, like a snapshot. If you later update that item, the change won’t be reflected in the copy you shared.</p> <p>Item sharing makes it easy to choose what you securely share with the people you trust. For example, you can share the Wi-Fi password with visiting friends, or share a password with a freelancer who will only need it as long as you’re working together.</p> <h3 id="1password-watchtower">1Password Watchtower</h3> <p><a href="https://watchtower.1password.com/">1Password Watchtower</a> alerts you when you need to take action to strengthen your security. 
If one of your saved passwords has been involved in a data breach, if you’ve stored weak or reused passwords, or if a site you use supports two-factor authentication but you haven’t enabled it yet, you’ll see it all in Watchtower, alongside further recommended actions you can take to protect yourself online.</p> <h3 id="1password-travel-mode">1Password Travel Mode</h3> <p><a href="https://1password.com/features/travel-mode/">Travel Mode</a> lets you designate certain vaults as “safe for travel.” This means those vaults will be accessible to you during travel, but the rest won’t.</p> <p>Travel Mode protects you and your privacy as you cross borders by hiding vaults you decide aren’t safe for travel from authorities (or anyone else) until you’re in a safe place and turn Travel Mode off.</p> <h3 id="security">Security</h3> <p>1Password uses Advanced Encryption Standard (AES) 256-bit encryption to encrypt your vaults. 1Password also uses a zero-knowledge approach, which means what you save in your 1Password vaults is only accessible to you — the person with the keys to the vault. It&rsquo;s never visible or accessible to 1Password.</p> <p>A number of security features are fairly common among most password managers, but some have unique features that are worth calling out.</p> <h3 id="secret-key">Secret Key</h3> <p>1Password uses a randomly generated 128-bit key to help secure your information. This <a href="https://blog.1password.com/what-the-secret-key-does/">Secret Key</a> is combined with your account password whenever your encryption keys are derived, so those keys carry at least 128 bits of randomness that cannot be guessed, even if your account password is weak and even if the encrypted data 1Password stores for you is stolen.</p> <h3 id="pake-protection">PAKE protection</h3> <p>When you sign in to 1Password, authentication happens on your device. That means your account password and Secret Key remain safe from theft and interception because they’re never sent over the internet. 
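To make concrete what “authentication happens on your device” means, here is an added example of a Secure Remote Password (SRP-6a) login in Python, with the client and the server side in one script. It is an illustration, not 1Password’s own protocol code: folding a random Secret Key into the salt of the password derivation is an assumption made for this demo (1Password documents its real derivation in its security design white paper), the group parameters are transcribed from RFC 5054 and primality-checked before use, and the names `Server`, `Client`, `register` and `run_login` belong to this example only. What it shows is that the server stores just a salt and a verifier, that the password and Secret Key never leave the client, that a wrong password or a wrong Secret Key fails the mutual proof, and that the degenerate public values an attacker might send are rejected.

```python
"""SRP-6a with the client's private exponent derived from a password plus a
random Secret Key. Added example; not 1Password's own code or exact derivation."""
import hashlib
import hmac
import os

# 1024-bit safe-prime group transcribed from RFC 5054 Appendix A (an assumption,
# so it is primality-checked below); use the RFC's 2048-bit+ groups for real systems.
N = int("EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
        "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
        "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
        "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3", 16)
g, NLEN = 2, (N.bit_length() + 7) // 8  # ints are padded to NLEN bytes when hashed

def is_probable_prime(n, rounds=16):
    """Miller-Rabin; sanity-check N and (N-1)//2 before trusting the group."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        a = 2 + int.from_bytes(os.urandom(NLEN + 8), "big") % (n - 3)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def H(*parts):
    """SHA-256 over the parts; ints are big-endian, left-padded to NLEN bytes."""
    h = hashlib.sha256()
    for p in parts:
        h.update(p.to_bytes(NLEN, "big") if isinstance(p, int) else p)
    return h.digest()

def to_int(b):
    return int.from_bytes(b, "big")

k = to_int(H(N, g))  # SRP-6a multiplier k = H(N || PAD(g))

def derive_x(password, secret_key, salt):
    """Private value x from BOTH secrets. Folding the Secret Key into the salt is
    this demo's construction: a leaked (salt, verifier) then cannot be attacked
    with password guesses alone."""
    return to_int(hashlib.pbkdf2_hmac("sha256", password.encode(), salt + secret_key, 100_000))

def register(password, secret_key):
    """Enrollment on the client; only (salt, verifier) are sent to the server."""
    salt = os.urandom(16)
    return salt, pow(g, derive_x(password, secret_key, salt), N)

class Server:
    def __init__(self, salt, verifier):
        self.salt, self.v = salt, verifier

    def start(self, A):
        if A % N == 0:  # A == 0 (mod N) would force the shared secret to 0
            raise ValueError("bad client public value")
        self.A, self.b = A, to_int(os.urandom(32))
        self.B = (k * self.v + pow(g, self.b, N)) % N
        return self.salt, self.B

    def finish(self, M1):
        u = to_int(H(self.A, self.B))
        self.K = H(pow(self.A * pow(self.v, u, N), self.b, N))
        if not hmac.compare_digest(H(self.A, self.B, self.K), M1):
            return None  # wrong password or Secret Key: no session key, no M2
        return H(self.A, M1, self.K)  # server's proof M2

class Client:
    def __init__(self, password, secret_key):
        self.password, self.secret_key = password, secret_key

    def start(self):
        self.a = to_int(os.urandom(32))
        self.A = pow(g, self.a, N)
        return self.A

    def finish(self, salt, B):
        if B % N == 0:
            raise ValueError("bad server public value")
        u = to_int(H(self.A, B))
        if u == 0:
            raise ValueError("u == 0")
        x = derive_x(self.password, self.secret_key, salt)
        self.B, self.K = B, H(pow((B - k * pow(g, x, N)) % N, self.a + u * x, N))
        self.M1 = H(self.A, B, self.K)
        return self.M1

    def verify(self, M2):
        return M2 is not None and hmac.compare_digest(H(self.A, self.M1, self.K), M2)

def run_login(server, password, secret_key):
    """Whole exchange: A ->, <- (salt, B), M1 ->, <- M2. True only on mutual auth."""
    client = Client(password, secret_key)
    salt, B = server.start(client.start())
    return client.verify(server.finish(client.finish(salt, B)))
```

Note what crosses the wire: `A`, `salt`, `B`, `M1` and `M2`, none of which reveals the password or the Secret Key, and what the server keeps: `salt` and `v = g^x mod N`. The proofs `M1`/`M2` here are the simpler `H(A, B, K)` and `H(A, M1, K)` forms rather than the full RFC 2945 construction, which is another simplification of this demo.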
This is made possible by a password-authenticated key exchange (PAKE) protocol called <a href="https://blog.1password.com/developers-how-we-use-srp-and-you-can-too/">Secure Remote Password (SRP)</a>: the client proves it knows the password without ever transmitting it, and the server stores only a verifier derived from it rather than the password itself.</p> <h3 id="supported-platforms">Supported platforms</h3> <p>1Password has desktop apps for Mac, Windows, and Linux, mobile apps for Android and iOS (with watchOS support), and browser extensions for Chrome, Firefox, Edge, Brave, and Safari. With seamless syncing, all the sensitive data you store in 1Password is instantly available on all your <a href="https://1password.com/downloads">desktop and mobile devices</a>.</p> <p>1Password is also available as a command line interface with <a href="https://developer.1password.com/docs/cli/">1Password CLI</a>, as well as <a href="https://1password.com/developers">many other workflow integrations for developers</a>.</p> <h2 id="dashlane">Dashlane</h2> <h3 id="pricing-and-choosing-the-right-subscription-1">Pricing and choosing the right subscription</h3> <p>For personal use, Dashlane offers a Premium plan for $3.33 per month, and a Friends &amp; Family plan for $4.99 per month for 10 members.</p> <p>For business plans, Dashlane offers three different options:</p> <p>A Starter plan for $20 per month for 10 seats that includes unlimited passwords and passkeys, secure sharing, Business and Personal Spaces, audit logs, and Dark Web Insights.</p> <p>A Business plan for $8 per seat, per month that includes single sign-on (SSO) integration, SCIM provisioning, a free Friends &amp; Family plan for all Business users, on-demand phone support, VPN for Wi-Fi protection, and real-time phishing alerts.</p> <p>An Enterprise plan that includes everything in the Business plan along with a dedicated Customer Success Manager, Onboarding Customer Support Specialists, and an Onboarding Technical Engineer.</p> <h3 id="free-trial-1">Free trial</h3> <p>Dashlane offers a free 30-day trial for all Premium plans.</p> <p>Dashlane offers a free 
plan with limited features, Dashlane Free. However, starting November 7, 2023, new and existing Dashlane Free customers can only save up to 25 logins in their vault. To put this in perspective, the <a href="https://tech.co/password-managers/how-many-passwords-average-person">average person has around 100 passwords</a>. Starting on December 7, 2023, interactive customer support will be provided for premium customers only.</p> <h3 id="switching-from-another-password-manager-1">Switching from another password manager</h3> <p>Dashlane offers instructions for how to move your passwords from LastPass, 1Password, Bitwarden, KeePass, Keeper, RoboForm, Chrome, Firefox, Edge, Safari, and iCloud Keychain.</p> <h3 id="features-1">Features</h3> <h3 id="saving-and-filling-information-in-dashlane">Saving and filling information in Dashlane</h3> <p>Dashlane offers the ability to generate, store, and autofill passwords.</p> <p>Like 1Password, you can store multiple types of information like credit cards, secure notes, sensitive documents, and passport information in Dashlane.</p> <p>And you can use Dashlane to generate time-based one-time passwords, like 1Password.</p> <p>Dashlane also offers passkey support for iOS, Android, and the Dashlane web app.</p> <p>Dashlane also offers a built-in password generator and lets you organize your logins using collections.</p> <h3 id="password-sharing-in-dashlane">Password sharing in Dashlane</h3> <p>Dashlane lets you securely share logins and Secure Notes, but only with other people who use Dashlane.</p> <h3 id="additional-features">Additional features</h3> <p>Dashlane offers Password Health, a score calculated based on all your passwords stored in Dashlane and whether they&rsquo;re Compromised, Reused, or Weak. 
Dashlane also alerts you if one of your accounts is compromised or at risk, and offers the option to use a <a href="https://blog.1password.com/how-a-vpn-works/">Virtual Private Network (VPN)</a>.</p> <h3 id="security-1">Security</h3> <p>Before storing each individual’s vault on its servers, Dashlane encrypts it using Advanced Encryption Standard (AES) 256-bit encryption. Dashlane is designed using zero-knowledge architecture, with the data encrypted locally on the user’s device.</p> <h3 id="argon2">Argon2</h3> <p>Dashlane uses a modern and robust key derivation function (KDF) called Argon2 to generate an Advanced Encryption Standard (AES) 256-bit key. The key is derived from your master password and protects your information before it’s sent to Dashlane servers, and on its servers.</p> <h3 id="supported-platforms-1">Supported platforms</h3> <p>Dashlane has web apps available on Windows and Mac, and apps for iOS and Android platforms. Dashlane supports Edge, Chrome, Firefox and Safari browsers. Dashlane is not currently available on Linux.</p> <h2 id="1password-vs-dashlane-final-thoughts">1Password vs. Dashlane: Final thoughts</h2> <p>At first glance, 1Password and Dashlane might seem like fairly similar password managers. Both certainly offer a significant upgrade over no password manager at all.</p> <p>However, depending on what matters to you, the differences can definitely be significant:</p> <ul> <li><strong>1Password is effectively impossible to crack.</strong> Two distinct secrets, known only to you, work together to safeguard the data you store in 1Password. Your Secret Key ensures the security of your information, even in the unlikely event of a breach. 
Your account password and Secret Key remain safe because they’re never sent over the internet.</li> <li><strong>You should always have customer support.</strong> 1Password’s free, 24/7 customer support is the best in the business – and available to all customers.</li> <li><strong>We&rsquo;re all in on passkeys.</strong> The option to <a href="https://blog.1password.com/unlock-passkey-private-beta/">use a passkey to unlock 1Password</a> (currently in private beta) is well on its way, giving you the best of both worlds: great security paired with maximum convenience.</li> <li><strong>Unique features can make a difference.</strong> Travel often? 1Password’s Travel Mode may be crucial for you. Share login credentials or sensitive documents a lot? The ability to securely share anything with anyone, even if they don’t use 1Password, will be invaluable. Your password manager should keep up with your digital life.</li> <li><strong>Convenience matters.</strong> If a security tool isn’t convenient, you&rsquo;re not going to use it. 1Password seamlessly integrates into your system, making it easy to keep you and your loved ones safe. It’s security at the speed of life.</li> </ul> <section class="c-call-to-action-box c-call-to-action-box--purple"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Secure your digital life with 1Password</h3> <p class="c-call-to-action-box__text"> Organize and secure all your online accounts with 1Password, the world’s most-trusted password manager. Get started today with a free 14-day trial. 
</p> <a href="https://1password.com/pricing/" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--purple" data-event-category="CTA" data-event-action="call-to-action-button"> Try free for 14 days </a> </div> </section></description></item><item><title>How ethical hacker Jamie Woodruff used a pizza delivery to break into a server room</title><link>https://blog.1password.com/jamie-woodruff-ethical-hacking-interview/</link><pubDate>Mon, 23 Oct 2023 00:00:00 +0000</pubDate><author>info@1password.com (Jenn Marshall)</author><guid>https://blog.1password.com/jamie-woodruff-ethical-hacking-interview/</guid><description> <img src='https://blog.1password.com/posts/2023/jamie-woodruff-ethical-hacking-interview/header.png' class='webfeedsFeaturedVisual' alt='How ethical hacker Jamie Woodruff used a pizza delivery to break into a server room' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Not all hackers are bad. A subset known as white hat hackers, or ethical hackers, use their knowledge and skills for good, testing companies' defenses and discovering vulnerabilities for them.</p> <p>And those vulnerabilities can come in many forms! From pizza delivery driver disguises to voice synthesizers to bugged e-cigarettes – some hackers go all out, no matter which side they’re on.</p> <p>To get an insider perspective on what it’s like to be a white hat hacker, we sat down with Jamie Woodruff on the <a href="https://randombutmemorable.simplecast.com/">Random but Memorable</a> podcast. Woodruff is currently a chief technology officer and the cyber safety advisor for the Cybersmile Foundation, an organization that helps victims of cyberbullying. 
He’s an ethical hacker who has reported vulnerabilities to high profile businesses, websites, and social platforms.</p> <p>Read the interview below (<a href="https://randombutmemorable.simplecast.com/episodes/ethical-pizza-delivery-hobbies">or listen to the podcast</a>) to find out more about Woodruff’s unorthodox career path and why he thinks no company in the world is totally secure.</p> <div style="text-align: center !important;"> <iframe src="https://www.youtube-nocookie.com/embed/xILlbJzwuRc?si=SgEFTmOFWQuXvlGP" frameborder="0" allow="autoplay; encrypted-media" width="500px !important;" height="281px !important;" style="width: 500px !important; height: 281px !important; display: inline-block !important" allowfullscreen></iframe> </div> <p><em>Editor’s note: This interview has been lightly edited for clarity and brevity. The views and opinions expressed by the interviewee don’t represent the opinions of 1Password.</em></p> <p><strong>Michael Fey: As an ethical hacker, you&rsquo;ve got a unique perspective on cybersecurity. What led you to start hacking and reporting bugs rather than exploiting them?</strong></p> <p><strong>Jamie Woodruff:</strong> It&rsquo;s a weird journey, really. I&rsquo;m autistic, as well as dyslexic and dyspraxic. I&rsquo;ve always disassociated myself from individuals or people. I didn&rsquo;t get actively involved in making friendships during my childhood and stuff like that. I resonated more with technology. I&rsquo;ve always been interested in how mechanical things work, and how you can take things apart. When I was nine years old my father brought a computer home. I started taking the computer apart and then put everything back together.</p> <p>When my father came back to fire up the computer, it wasn&rsquo;t working, and it went off to the local store to get repaired. I went to the store and it turns out I hadn&rsquo;t slotted the RAM in correctly. I then started to break it deliberately. 
I would go to the store and sit with the guys who would teach me about different tech, and I&rsquo;d learn a lot about how this side of things operated.</p> <blockquote> <p><em>&ldquo;I&rsquo;d always wanted to help individuals and help people.&quot;</em></p> </blockquote> <p>And then I started tinkering around, looking at different types of malware. I had that choice – if I went down the white hat path or the black hat path, and I&rsquo;d always wanted to help individuals and help people.</p> <p>I got into hacking at such a young age. I got expelled from school for hacking. And then I went to college and got expelled again for hacking. I hacked Moodle, which was their online learning CRM. I found and disclosed several vulnerabilities and they weren&rsquo;t too happy about it at the time. So then I ended up working in the mental health sector with people with learning difficulties and different disabilities. I did that for about two to three years, which was wonderful for me because I could turn off work at 7:00 PM and all the residents would be asleep by 11:00 PM and I got to play on my laptop until 7:00 AM. I used to go after bug bounties to make extra money.</p> <blockquote> <p><em>&ldquo;I used to go after bug bounties to make extra money.&quot;</em></p> </blockquote> <p>Then I got heavily involved in the social side. I wanted to focus primarily on the human side of security because when people make decisions, a lot of it’s random. If you wake up and decide one day that you&rsquo;re going to rebel or go against everything you&rsquo;ve ever done, it&rsquo;s very difficult for AI to pick up on that. It&rsquo;s very difficult to look at the human, emotional side of things and apply that to cybersecurity.</p> <p>But then equally, we are very repetitive in what we do. If we wake up at a certain time, we have a routine – we drive to work using the same route, or we arrive at roughly the same time and have a preferred parking spot. 
Over time, you can pick up on individuals’ traits.</p> <p><strong>MF: We know that you&rsquo;ve disclosed vulnerabilities at many notable tech giants. Do you have any particularly memorable examples?</strong></p> <p><strong>JW:</strong> I recently disclosed one with Amazon and AWS. I don&rsquo;t really go down the bug bounty route anymore, just when I&rsquo;m bored or have free time on my hands. I tend to just have an explore-around. There was an issue with the identity and access management (IAM) permissions that I disclosed. I got one phone call from a tech lead that turned into 20 tech leads, which then turned into <em>a lot</em> of individuals.</p> <p><strong>MF: I read something about you impersonating a Domino&rsquo;s pizza delivery driver&hellip;?</strong></p> <p><strong>JW:</strong> Well, I wouldn&rsquo;t say impersonating. I was employed for four days. But there are many notable attacks that I&rsquo;ve done over the years. It’s all about thinking outside the box – that&rsquo;s what we&rsquo;ve got to do.</p> <p>I have many different uniforms that I utilize: FedEx, DPD, UPS, DHL, Royal Mail. In this instance, it was Domino&rsquo;s that allowed me to gain access to the company&rsquo;s infrastructure. I&rsquo;d been contracted by a particular organization to find a weakness.</p> <p>During the six-week investigation, I was looking at entry points, access points, exit points, employee parking facilities, associated third-party contractors. What CCTV systems are they using? The alarm companies, the engineers that are associated with that infrastructure – just delving into absolutely everything to find a particular weakness.</p> <blockquote> <p><em>&ldquo;In this instance, it was Domino&rsquo;s that allowed me to gain access to the company&rsquo;s infrastructure.&quot;</em></p> </blockquote> <p>Every Friday, this guy would turn up with maybe five, 10 pizza boxes. 
He would get a visitor badge, he&rsquo;d go inside the infrastructure, and then he&rsquo;d return 10-15 minutes later. I followed him back to the Domino&rsquo;s that he was working at and applied to be a delivery driver. I got a bum belt and a t-shirt from Domino&rsquo;s, and then I worked for the period of four days before I quit. On that particular Friday, I did the delivery drop. I turned up to the infrastructure, I got a visitor&rsquo;s badge, and I walked through the first layer of security, which was the first set of access doors.</p> <p>You know how there are fire department plans and layouts and schematics and stuff – you can have a map to where things are, based on what you&rsquo;re looking at. I was able to find one of the server rooms, and it wasn&rsquo;t any of the access rights that we see nowadays. It used an old-school twist lock to get in. So I sprayed it with a luminol and the luminol shows up under a black light, and you can see the smudges of the person that last utilized that lock. I was able to shine a black light under it and then see where the pins were punched.</p> <p>From there, I could have deployed ransomware, I could have deployed malware. And again, this took maybe a period of four to five weeks of just doing some investigative research and going through things such as planning, town hall submission applications, who they&rsquo;re working with, who they&rsquo;re utilizing from a third-party supply chain perspective.</p> <blockquote> <p><em>&ldquo;If malicious individuals want to target your organization, they&rsquo;re going to find a way in.</em>&rdquo;</p> </blockquote> <p>Nine times out of 10, attacks are crimes of opportunity. But if malicious individuals want to target your organization, they&rsquo;re going to find a way in. No company around the world is secure. 
If you have time to conduct research or have financial means, then it&rsquo;s fair game.</p> <p><strong>MF: In your experience, what are some of the most common mistakes or oversights that individuals or organizations make when it comes to securing their systems?</strong></p> <p><strong>JW:</strong> Not having an adequate budget for their particular organization. I meet a lot of security and IT guys, and their budgets are constrained because C-level executives or board executives don&rsquo;t really understand the nature of what they do. They just know that their systems remain online and operational.</p> <p>The biggest threat that companies face now is ransomware or insider threats. That&rsquo;s on a massive rise. There was some stuff published recently about how malicious individuals were reaching out to employees and trying to persuade them to run or execute malware internally, and then they&rsquo;ll get a payout. They&rsquo;re going above and beyond! They&rsquo;re changing the way that they&rsquo;re approaching organizations.</p> <blockquote> <p><em>&quot;[Hackers] are reaching out to employees and trying to persuade them to run or execute malware internally.</em>&rdquo;</p> </blockquote> <p>There&rsquo;s an interesting case that I&rsquo;ve worked on recently that I think is relevant. I was working with a company that has about 180 employees. I got a phone call and they said, &ldquo;Hey, Jamie, we&rsquo;ve got a bit of an issue that&rsquo;s quite serious and we don&rsquo;t really know how to approach it.&rdquo; I said, &ldquo;Right, okay. What is it?&rdquo; They said, &ldquo;Well, we&rsquo;ve got this guy internally and whatever he touches tends to get infected with ransomware.&rdquo; I was like, &ldquo;Okay, well, that sounds really fun.&rdquo;</p> <p>I went to the company and I followed him around his working day. I had lunch with him. 
I went out for a cigarette with him, and I just basically studied his behavior: the way that he was operating and what he was doing, what programs he was utilizing, etc. One thing that I noticed was, some days he&rsquo;d come to work with his electronic cigarette, and it would be fully charged because he had charged it at home, but on one particular day it wasn&rsquo;t. The battery was dead. He pulls out this cable from his desk drawer, plugs it into his machine, plugs it into his e-cigarette and starts to charge it. About 15 minutes later, their antivirus (AV) solution shows the computer gets completely isolated from the network. We found out that in this particular cable there was a hidden SIM card.</p> <blockquote> <p><em>&ldquo;In this particular charging cable there was a hidden SIM card.&quot;</em></p> </blockquote> <p>When he plugged it in, it was going to a remote C&amp;C server that was attempting to download and drop malware on his machine. His particular machine wasn&rsquo;t fully patched and updated. Now, to me this was mad because, during the cleanup operation we went through all the WatchGuard firewall logs. We found out that the cable was bought from a malicious store on wish.com. The person behind the store had taken out paid marketing to target all employees of that particular company, and everybody within a 2-mile radius of that building.</p> <p>This employee had only spent £3.50 buying a cable that looked really good. It didn’t look sketchy at all. And then to have a SIM card embedded into it to target that particular company just goes to new heights. So yeah, that really did blow my mind.</p> <p><strong>MF: You mentioned budget as a security oversight. If you’re someone who is trying to manage a very small security budget within a company, how do you bring more attention to it, or what steps do you take?</strong></p> <p><strong>JW:</strong> I recommend companies work directly with vendors. 
People will often buy some software and just try and implement it or install it themselves. Especially if it’s a smaller IT department in an SME. Also, a lot of people take on cloud services but don&rsquo;t understand if it&rsquo;s a managed service or if it&rsquo;s an unmanaged service until something affects them. Then, all of a sudden, they can&rsquo;t get any support or access to their stuff.</p> <p>Another big thing: companies say, “My data is protected.” Well, what are the most critical systems? What systems do you need to get back online after an attack or after a breach to ensure that your employees can continue working and you&rsquo;re not just hemorrhaging money?</p> <blockquote> <p><em>&ldquo;A lot of companies go into liquidation and end up shutting down just because a breach has occurred.&quot;</em></p> </blockquote> <p>Another one is cybersecurity insurance. A lot of companies don&rsquo;t have any cybersecurity insurance, so if they become victim to a malicious attack, insurance won&rsquo;t pay out. A lot of companies go into liquidation and end up shutting down just because a breach has occurred.</p> <p>So, it’s important to relay all this information, look across the entire company, make a plan, make an inventory to understand exactly what’s occurring. Taking a step back to think, what new stuff have we had? What new vendors have we worked with? What third-party supply chain perspectives are we utilizing? What&rsquo;s the communication level? Who has access to the required rights to do their roles? Again, a lot of people still have local administrative rights, for instance, in SMEs, which is a big danger.</p> <p><strong>MF: How does the development of AI and this surge we&rsquo;re seeing in large language models impact social engineering attacks? 
Does it add another layer of complexity?</strong></p> <p><strong>JW:</strong> If we look at the rise of <a href="https://blog.1password.com/clint-bodungen-chatgpt-security-interview/">ChatGPT</a>, this has revolutionized everything from recruitment – getting individuals inside of an organization – to understanding there&rsquo;s an issue with your programming. For instance, say we&rsquo;re writing a LUIS (Language Understanding Intelligent Service) script. You&rsquo;ve got a bug. You just copy-paste it into ChatGPT, and it&rsquo;ll tell you what&rsquo;s wrong with it or what function needs to be added, or what library needs to be added, etc. It has also made it so much easier to access information about weaknesses from a malicious side. You can dig in, you can gather research, you can learn from facts, statistics, and trends of what&rsquo;s happening.</p> <blockquote> <p><em>&quot;[ChatGPT] has also made it so much easier to access information about weaknesses from a malicious side.&quot;</em></p> </blockquote> <p>There&rsquo;s a bank in the Middle East that got breached in January of last year. What they did was they used Fruity Loops, the software that anyone can download and use for editing music and creating different tracks. To synthesize the voice of the CEO, they looked for all the YouTube videos and press releases that the CEO had done, and they found out through some phishing attacks of the way he treated and spoke to his employees. They then called up the bank and managed to transfer millions to an offshore account that then got laundered back through cryptocurrency.</p> <p><strong>MF: I have a closing question, which I&rsquo;m almost wary to ask, which is: is there any optimism about the current cybersecurity landscape?</strong></p> <p><strong>JW:</strong> From a vendor perspective, there’s a lot of outreach now towards companies. 
I&rsquo;ve worked with quite a lot of managed service providers (MSPs) that have dealt with multiple clients, end-user level, and they&rsquo;re getting support now.</p> <p>There’s stuff like the new Microsoft security standards. Mandatorily pushing stuff like multi-factor authentication (MFA), for instance. And that helps a company by having the vendor display different training material that they could utilize, explaining some of the benefits of services, but not directly pushing a product down a person or an organization&rsquo;s throat.</p> <blockquote> <p><em>&ldquo;We all need to work together. It&rsquo;s a community-led approach.&quot;</em></p> </blockquote> <p>That&rsquo;s one thing that I am seeing change. People understand that the threats are out there. They&rsquo;re in the wild. There are zero days every millisecond of us talking. There&rsquo;s going to be a new way in, and every time you patch one place, it creates another problem. And that other problem will be found by somebody else.</p> <p>So we all need to work together. It&rsquo;s a community-led approach. It’s amazing to see a lot of companies now pushing open-source technologies. You are actually seeing how that software is operating or how that program is being utilized, and how even that can be adapted for different services. I&rsquo;m quite intrigued to see how the landscape&rsquo;s going to change over the next 10 to 20 years.</p> <section class="c-call-to-action-box c-call-to-action-box--purple"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Subscribe to Random but Memorable</h3> <p class="c-call-to-action-box__text"> Listen to the latest news, tips and advice to level up your security game, as well as guest interviews with leaders from the security community. 
</p> <a href="https://randombutmemorable.simplecast.com/" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--purple" data-event-category="CTA" data-event-action="call-to-action-button"> Subscribe to our podcast </a> </div> </section></description></item><item><title>Okta Support System incident and 1Password</title><link>https://blog.1password.com/okta-incident/</link><pubDate>Mon, 23 Oct 2023 00:00:00 +0000</pubDate><author>info@1password.com (Pedro Canahuati)</author><guid>https://blog.1password.com/okta-incident/</guid><description> <img src='https://blog.1password.com/posts/2023/okta-incident/header.png' class='webfeedsFeaturedVisual' alt='Okta Support System incident and 1Password' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">We detected suspicious activity on our Okta instance related to their Support System incident. After a thorough investigation, we concluded that no 1Password user data was accessed.</p> <p>On September 29, we detected suspicious activity on our Okta instance that we use to manage our employee-facing apps. <strong>We immediately terminated the activity, investigated, and found no compromise of user data or other sensitive systems, either employee-facing or user-facing.</strong></p> <p>Since then, we’ve been working with Okta to determine the initial vector of compromise. As of late Friday, October 20, we’ve confirmed that this was a result of <a href="https://sec.okta.com/harfiles">Okta’s Support System breach</a>.</p> <p>See our internal <a href="https://blog.1password.com/files/okta-incident/okta-incident-report.pdf">Okta Incident Report</a> for additional details.</p> <p>Your trust is paramount to us. 
Our systems and policies were able to identify and terminate this attack, and we are continuously enhancing our security measures to <a href="https://support.1password.com/1password-security/">keep you and your data safe</a>.</p> <p><em>This blog post includes an incident report that was updated on October 25, 2023. We received additional logs from Okta after we finalized our prior report that confirmed Okta as the source of the incident. This update also confirms that our Google instance was not impacted by this attack.</em></p></description></item><item><title>Build on 1Password for Visual Studio Code at Hacktoberfest!</title><link>https://blog.1password.com/hacktoberfest-2023/</link><pubDate>Fri, 20 Oct 2023 00:00:00 +0000</pubDate><author>info@1password.com (Jason Harris)</author><guid>https://blog.1password.com/hacktoberfest-2023/</guid><description> <img src='https://blog.1password.com/posts/2023/hacktoberfest-2023/header.png' class='webfeedsFeaturedVisual' alt='Build on 1Password for Visual Studio Code at Hacktoberfest!' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">This October, we’re excited to invite contributions to <a href="https://developer.1password.com/docs/vscode/">1Password for Visual Studio Code</a>.</p> <p><a href="https://hacktoberfest.com/">Hacktoberfest</a> is a time where code meets celebration and open source enthusiasts come together to contribute to projects they care about. Personally, I’ve always been a watcher of Hacktoberfest, and I’m excited that this year 1Password is participating in the global event – now in its tenth year!</p> <p>Open source is in our DNA at 1Password. We&rsquo;ve open-sourced several critical projects like <a href="https://github.com/1Password/typeshare">Typeshare</a>, our <a href="https://blog.1password.com/passkey-crates/">passkey libraries</a> and 1Password for VS Code. 
We&rsquo;re consistently impressed by the community contributions that bring speed and security to developer workflows. In particular, I want to shout out Zachary Cutlip, author of <a href="https://github.com/zcutlip/pyonepassword">pyonepassword</a>, a Python API to query the 1Password CLI.</p> <p>Also, a collective shout-out to everyone who&rsquo;s contributed to <a href="https://github.com/1Password/shell-plugins">1Password Shell Plugins</a>. We&rsquo;re now more than 40 shell plugins strong, meaning more developers than ever can bring one-touch 1Password access to their favorite CLI.</p> <p>We’re excited to extend our community by inviting Hacktoberfest participants who use <a href="https://code.visualstudio.com/">VS Code</a> to submit contributions to <a href="https://developer.1password.com/docs/vscode/">1Password for VS Code</a>.</p> <h2 id="1password-for-vs-code">1Password for VS Code</h2> <p>I love VS Code’s versatility and the fact I can use it on my Mac at work and my Windows-based homelab machine at home. I truly don’t know what I’d do without it. Introduced <a href="https://blog.1password.com/1password-visual-studio-code/">in 2022</a>, 1Password for VS Code helps keep credentials and secrets out of your code and safely stored in a 1Password vault.</p> <p>1Password for VS Code enables developers to securely retrieve secrets, passwords, or other sensitive data stored in 1Password while working in VS Code. 
It makes secure development practices easier to follow by removing the need to hard-code sensitive data into the codebase.</p> <p>The extension is powered by the <a href="https://developer.1password.com/docs/cli/get-started/">1Password CLI</a>, and has been fully open source since its release under the MIT license.</p> <h2 id="lets-get-hacking">Let’s get hacking!</h2> <p>To get started, feel free to explore the following repositories:</p> <ul> <li><a href="https://github.com/1Password/op-vscode">op-vscode</a></li> <li><a href="https://github.com/1Password/op-js">op-js</a></li> </ul> <p>1Password for VS Code is powered by <strong>op-js</strong>, a JavaScript wrapper for 1Password CLI written in TypeScript that allows you to execute over 60 CLI commands in any Node environment, with support for biometric unlock and Connect.</p> <p>In both of these GitHub repositories, you’ll find contributing guidelines accompanied by issues that have been identified as great candidates for your October contributions. While we’ve picked these to help guide your efforts, any and all contributions are welcome.</p> <p>If you have questions or just want to chat, join the conversation in the <a href="https://developer.1password.com/joinslack">1Password Developers Slack community</a>. Once you sign up, drop in to the #vs-code channel and say hi!</p> <p>Happy coding!</p> <h2 id="maintainers-get-1password-free-for-your-open-source-project">Maintainers: Get 1Password free for your open-source project</h2> <p>If you’re a maintainer of an open-source project, you may qualify for a free 1Password Teams account. 
Check out <a href="https://github.com/1Password/1password-teams-open-source">1Password for Open Source</a> for more information.</p></description></item><item><title>October Cybersecurity Awareness Month: How to empower smart security in your business</title><link>https://blog.1password.com/cybersecurity-awareness-month-smart-security/</link><pubDate>Wed, 11 Oct 2023 00:00:00 +0000</pubDate><author>info@1password.com (Stacey Harris)</author><guid>https://blog.1password.com/cybersecurity-awareness-month-smart-security/</guid><description> <img src='https://blog.1password.com/posts/2023/cybersecurity-awareness-month-smart-security/header.png' class='webfeedsFeaturedVisual' alt='October Cybersecurity Awareness Month: How to empower smart security in your business' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Every October the industry puts together information to share how people and businesses can be safer online. For this blog, we&rsquo;re focusing on shadow IT – the hardware or software that employees use that isn’t managed by the company’s IT team – and how using a password manager can help.</p> <p>As employees found new ways to work and collaborate amidst the adjustment to hybrid work during the pandemic, the use of shadow IT rose dramatically.</p> <blockquote> <p><em><strong>In 2021, over 60% of US workers created at least one shadow IT account.</strong></em> – <a href="https://blog.1password.com/challenges-of-shadow-it/">1Password research</a></p> </blockquote> <p>Shadow IT can improve employee productivity, but it also carries the risk that employees unwittingly introduce security weaknesses, such as sensitive data kept in unmanaged tools. While many employees have started moving back to physical offices at least part of the time, shadow IT is here to stay.</p> <p>Security and IT teams might be tempted to crack down with a zero tolerance policy for shadow IT. 
Few follow through, though, because their primary job is to help the business run as efficiently, and as securely, as possible.</p> <h2 id="why-employees-choose-to-use-shadow-it">Why employees choose to use shadow IT</h2> <p>Employees often use apps and devices that are not provided or managed by their company because these apps are convenient and improve productivity. It’s not that employees are actively trying to circumvent the organization&rsquo;s IT rules; it’s often a byproduct of employees choosing apps and devices that will help streamline their workflow.</p> <h2 id="how-to-embrace-shadow-it-safely-in-your-business">How to embrace shadow IT <em>safely</em> in your business</h2> <p>Instead of trying to limit shadow IT, it’s important to focus on how you can empower your employees to make smart security decisions while putting processes in place that help you manage the use of shadow IT. Here are a few things you can do to help keep your business safe:</p> <ul> <li><strong>Educate your people about cybersecurity.</strong> It’s important to keep your team informed about online security best practices, including educating them about common attacks like phishing, the importance of good password health, and how to identify safe apps to use when completing work.</li> <li><strong>Create a simple shadow IT policy.</strong> Make an easy-to-follow policy and share it with your team. The policy should include things like a guide to submitting requests for new tools, what information can and cannot be used in shadow IT apps, and a shadow IT section in the exit interview for departing employees, so the accounts they created can be handed over or closed.</li> <li><strong>Ask your team to share what tools they use.</strong> Create an easy process for people to notify IT about the different apps and programs they’re using to complete their work. 
This lets your IT team review what tools are being used, and, if necessary, recommend safer alternatives.</li> <li><strong>Use a password manager.</strong> Encourage your team to create and use strong passwords for all their accounts – including shadow IT. Implementing a password manager like 1Password gives your people a safe way to store and share passwords and other sensitive information. By having your team keep any shadow IT accounts in the company password manager, you can revoke a departing employee&rsquo;s access to all company logins, including the shadow IT credentials they stored, when they are offboarded – and you have a list of which credentials to rotate, since the employee may still remember them.</li> <li><strong>Act on your team&rsquo;s password health.</strong> With <a href="https://support.1password.com/insights/">1Password Insights</a> you can view any data breach affecting company email addresses – for both IT approved, and non-IT approved apps.</li> </ul> <h2 id="cybersecurity-awareness-month-at-1password">Cybersecurity Awareness Month at 1Password</h2> <p>Curious about shadow IT and want to know more about what you can do to protect your business and also help your employees put their best foot forward? 
We&rsquo;ve got upcoming programming that can help.</p> <p>First, check out the <strong>How Datadog strengthened and streamlined its security workflows with 1Password</strong> webinar and join Datadog’s Ryan Whitesides and 1Password’s David Hogg in this live talk to discover:</p> <ul> <li>Why Datadog chose to implement a password manager.</li> <li>The security risks that Datadog was looking to address with 1Password.</li> <li>How Datadog successfully deployed 1Password across its entire organization.</li> <li>How different departments utilize 1Password to streamline their security workflows.</li> </ul> <blockquote> <p><a href="https://1password.com/webinars">Register for the webinar</a> on <strong>Tuesday October 24 at 10AM PT / 1PM ET.</strong></p> </blockquote> <p>Next, watch the <strong>How to turn shadow IT from a security risk into your team’s superpower</strong> webinar and join Sarah Armstrong-Smith, Chief Security Advisor at Microsoft, in a live talk to learn more about shadow IT, including:</p> <ul> <li>How shadow IT exposes your business to external and internal threats.</li> <li>The potential risks for businesses that don’t create policies around app downloads.</li> <li>How employees downloading non-IT approved software can create security gaps.</li> <li>How to mitigate shadow IT risks before they become a problem.</li> </ul> <blockquote> <p><a href="https://1password.com/webinars">Register for the webinar</a> on <strong>Thursday October 26 at 9AM PT / 12PM ET.</strong></p> </blockquote> <h2 id="make-every-month-about-cybersecurity-awareness">Make every month about cybersecurity awareness</h2> <p>Being cybersecurity smart is more than just tuning in for one month of the year – it’s an ongoing education as threats and solutions evolve and change. 
As a cybersecurity professional, you can take a human-centered approach to security to protect both employees and the business.</p> <p>Check out our <a href="https://1password.com/resources/">resource library</a> and <a href="https://www.1password.university/learn/signin">1Password University</a> to improve your cybersecurity skills all year long. We even have a <a href="https://www.1password.university/learn/course/external/view/elearning/443/humanizing-shadow-it-with-1password-and-kolide">course about Shadow IT</a> that you can start today.</p></description></item><item><title>1Password vs. LastPass: Which is right for you?</title><link>https://blog.1password.com/1password-vs-lastpass/</link><pubDate>Fri, 29 Sep 2023 00:00:00 +0000</pubDate><author>info@1password.com (Rob Boone)</author><guid>https://blog.1password.com/1password-vs-lastpass/</guid><description> <img src='https://blog.1password.com/posts/2023/1password-vs-lastpass/header.png' class='webfeedsFeaturedVisual' alt='1Password vs. LastPass: Which is right for you?' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">If you&rsquo;re comparing password managers, two names are likely to come up: 1Password and LastPass. So how do you know which is right for you?</p> <p>Let&rsquo;s look at the similarities and differences between the two password management platforms so you can make an informed decision.</p> <h2 id="1password-features">1Password features</h2> <h3 id="saving-and-filling-passwords-in-1password">Saving and filling passwords in 1Password</h3> <p>1Password includes all the features you&rsquo;d expect from a password manager. You can generate strong passwords with a click, and store all your login credentials in one place. 
The only password you need to remember – your one password – unlocks 1Password to give you access to every other login credential.</p> <p>With those credentials stored in 1Password, you can automatically fill – or <em>autofill</em> – passwords to log in to a site or service. There&rsquo;s no need to remember the login information yourself, since 1Password will handle it for you.</p> <p>You&rsquo;re also not limited to traditional username and password combinations. If you <a href="https://blog.1password.com/sign-in-with-other-providers/">sign in to a site with Google, Apple, or other providers</a>, 1Password will save that information too, and log you in with a click.</p> <p>You can also store and autofill <a href="https://blog.1password.com/totp-and-1password/">time-based one-time passwords (TOTPs)</a>: that six-digit string of numbers that you enter after your username and password. Instead of relying on separate authenticator apps such as Google Authenticator, all you need is 1Password.</p> <h3 id="storing-other-types-of-personal-information">Storing other types of personal information</h3> <p>1Password can also store information like your credit cards, and identity information like your name and address. You can autofill those, too, instead of manually typing them into your web browser.</p> <p>The list of information types you can store is too long to include here. It includes <a href="https://support.1password.com/item-categories/">documents, secure notes, software licenses, medical records, passport info, and much more</a>.</p> <p>And you have a number of ways to organize all your personal information. 1Password will automatically organize items according to their type, or you can create tags to help you organize items by theme.</p> <p>Your items are stored within vaults in 1Password, each with its own permission settings. 
Your personal vault contains items that are just for you, and you can create shared vaults to give other 1Password users access to the contents of the vault.</p> <h3 id="passkeys-and-biometrics">Passkeys and biometrics</h3> <p><a href="https://blog.1password.com/what-are-passkeys/">Passkeys</a> are a more secure and easier-to-use alternative to passwords. Eventually, they&rsquo;ll replace passwords altogether as more sites and services add support for them. Right now, you can save passkeys using 1Password for iOS and 1Password in the browser, and use them to log in to your sites and services – no password required.</p> <div style="text-align: center !important;"> <iframe src="https://www.youtube-nocookie.com/embed/DN3M5hx7_iA?si=r2pZDbHA5gNWwLjk" frameborder="0" allow="autoplay; encrypted-media" width="500px !important;" height="281px !important;" style="width: 500px !important; height: 281px !important; display: inline-block !important" allowfullscreen></iframe> </div> <p>You can also <a href="https://blog.1password.com/unlock-passkey-private-beta/">use a passkey to unlock 1Password</a> (currently in private beta). Or, if you&rsquo;re using an account password to unlock 1Password, you can <a href="https://1password.com/resources/guides/using-biometrics-fingerprint-as-password/">use biometrics for faster access</a>. Think Touch ID, Windows Hello, and other methods of authentication that you use to unlock devices like your phone and laptop.</p> <h3 id="1password-platform-and-device-support">1Password platform and device support</h3> <p><a href="https://1password.com/downloads/mac/">1Password is available</a> on desktop devices for Mac, Windows, and Linux, mobile devices running iOS and Android, and as a browser extension for Chrome, Firefox, Edge, Brave, and Safari. All information you store in 1Password is available on all your desktop and mobile devices, instantly.</p> <p>1Password also includes some features that are platform-specific. 
For example, with <a href="https://blog.1password.com/navigate-1password-quick-access/">Quick Access</a> on Mac, Windows, and Linux, you can press a keyboard shortcut to instantly search through everything you&rsquo;ve stored in 1Password.</p> <p>On mobile devices, 1Password includes a customizable home screen, where you can pin individual fields like passwords or credit card numbers for fast access.</p> <p>1Password is also available as a command line interface with <a href="https://developer.1password.com/docs/cli/">1Password CLI</a>, as well as <a href="https://1password.com/developers">several other workflow integrations for developers</a>.</p> <h3 id="1password-watchtower">1Password Watchtower</h3> <p><a href="https://watchtower.1password.com/">1Password Watchtower</a> notifies you when you can take action to strengthen your security. If a saved password has been involved in a data breach, if you&rsquo;ve stored weak passwords, or if a site supports two-factor authentication but you haven&rsquo;t enabled it, you&rsquo;ll see it all in Watchtower, along with recommended actions to take to protect yourself.</p> <h3 id="1password-travel-mode">1Password Travel Mode</h3> <p>Use <a href="https://1password.com/features/travel-mode/">Travel Mode</a> to designate certain vaults as &ldquo;safe for travel.&rdquo; Those vaults will be accessible to you during travel, but the rest won&rsquo;t.</p> <p>Travel Mode protects you as you cross borders by hiding vaults you select from authorities (or anyone else) until you&rsquo;re in a safe place and turn Travel Mode off. 
The Associated Press, for example, <a href="https://1passwordstatic.com/files/resources/associated-press-case-study.pdf">uses Travel Mode to protect journalists and their sources</a>.</p> <div style="text-align: center !important;"> <iframe src="https://www.youtube-nocookie.com/embed/rPjxuRmhVgs?si=dDYj5xvXz-YfhuJ7" frameborder="0" allow="autoplay; encrypted-media" width="500px !important;" height="281px !important;" style="width: 500px !important; height: 281px !important; display: inline-block !important" allowfullscreen></iframe> </div> <h3 id="secure-password-sharing">Secure password sharing</h3> <p>Finally, 1Password gives you the ability to <a href="https://blog.1password.com/psst-item-sharing/">securely share individual items stored in 1Password with anyone else</a> – even if the recipient doesn&rsquo;t use 1Password.</p> <p>While <a href="https://support.1password.com/create-share-vaults/">shared vaults</a> are useful for long-term collaboration within a family or organization, secure item sharing is built for more granular, temporary sharing. You can share the Wi-Fi passwords with the visiting in-laws, for example, or share a password with a contractor who will only need access to it for a short while.</p> <p>It&rsquo;s easier than sharing passwords via instant message, email, or spreadsheets – and <em>much</em> more secure.</p> <h2 id="1password-security">1Password security</h2> <p>1Password and LastPass share some commonalities in their approach to security. Both encrypt the data you store with 256-bit AES, using a key derived from your account password (LastPass calls it the Master Password); the password itself is never stored, so the encrypted data can only be unlocked by someone who knows it. Both also take a zero-knowledge approach to that password, meaning it&rsquo;s never seen by either company.</p> <p>There are several meaningful differences in the security approaches of 1Password and LastPass, though. 
Let&rsquo;s start with the Secret Key in 1Password.</p> <h3 id="2-secret-key-derivation">2-Secret Key Derivation</h3> <p>While LastPass requires only your Master Password to access your vault, 1Password requires <em>both</em> your account password and <a href="https://blog.1password.com/what-the-secret-key-does/">your unique Secret Key</a>.</p> <p>Like LastPass&rsquo;s Master Password, you create your 1Password account password. The Secret Key, however, is generated automatically when you create your account. The Secret Key is a 128-bit key (34 letters and numbers, separated by dashes), which is far too much entropy to guess by brute force.</p> <p>The Secret Key and account password are combined to create the full encryption key that encrypts all the data you store in 1Password. This approach is known as 2-Secret Key Derivation (2-SKD). An attacker who obtained your encrypted data would still need <em>both</em> secrets to access your 1Password vaults, which is why <a href="https://blog.1password.com/how-1password-protects-your-data/">your 1Password data would be safe</a> <em>even in the unlikely event of a breach</em> of 1Password&rsquo;s servers: the slow password-guessing step gets an attacker nowhere without the Secret Key, which never leaves your devices.</p> <p>You don&rsquo;t need to enter your Secret Key every time you access 1Password. It&rsquo;s stored in the 1Password apps, once you use those apps to sign in to your account on <a href="https://1Password.com">1Password.com</a>.</p> <h3 id="additional-security-measures-in-1password">Additional security measures in 1Password</h3> <p>1Password also adds a third layer of protection, the <a href="https://blog.1password.com/developers-how-we-use-srp-and-you-can-too/">Secure Remote Password (SRP)</a> protocol, on top of the industry-standard Transport Layer Security (TLS). SRP is an authentication protocol rather than encryption: it lets the app prove to the server that it knows your account password and Secret Key without ever sending them, so neither can be captured in transit or recorded by the server.</p> <p>1Password also encrypts the entire contents of your vaults. 
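</p> <p>To make the derivation concrete, here is an added example in Python. It is not 1Password’s code, and its parameters (the PBKDF2 iteration count, the HKDF info strings, the Secret Key alphabet and grouping, and the <code>key_check</code> helper) are illustrative assumptions rather than 1Password’s actual values. It follows the structure described above: the account password goes through a slow, salted key-derivation function, the Secret Key goes through HKDF, and the two results are XORed so that neither secret on its own yields the key.</p>

```python
"""Two-Secret Key Derivation (2SKD), illustrated.

Added example, not 1Password's own code. It shows the shape of the scheme:
an account password and a 128-bit Secret Key are each run through a
key-derivation step and the results are combined, so an attacker who steals
encrypted data (and the server-side salt) still needs BOTH secrets.
Iteration count, info strings, Secret Key alphabet and grouping are
illustrative assumptions, not 1Password's actual parameters.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
import unicodedata

KEY_LEN = 32                 # 256-bit key, sized for AES-256
PBKDF2_ITERATIONS = 100_000  # assumed; production deployments use far more
SK_ALPHABET = "23456789ABCDEFGHJKLMNPQRSTVWXYZ"  # assumed 32 symbols, no 0/O/1/I
SK_GROUPS = (6, 6, 5, 5, 5, 5)                   # 32 symbols after the version prefix


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = KEY_LEN) -> bytes:
    """RFC 5869 HKDF (extract, then expand) using HMAC-SHA-256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def generate_secret_key(version: str = "A3") -> str:
    """Random Secret Key as 34 letters/digits in dashed groups, e.g. A3-XXXXXX-...-XXXXX."""
    symbols = "".join(secrets.choice(SK_ALPHABET) for _ in range(sum(SK_GROUPS)))
    groups, pos = [], 0
    for size in SK_GROUPS:
        groups.append(symbols[pos:pos + size])
        pos += size
    return "-".join([version] + groups)


def split_secret_key(secret_key: str) -> tuple[str, bytes]:
    """Accept the key with or without dashes/spaces, in any case; return (version, body)."""
    compact = secret_key.replace("-", "").replace(" ", "").upper()
    version, body = compact[:2], compact[2:]
    if len(body) != sum(SK_GROUPS) or any(c not in SK_ALPHABET for c in body):
        raise ValueError("malformed Secret Key")
    return version, body.encode("ascii")


def derive_key_2skd(password: str, secret_key: str, email: str, account_salt: bytes) -> bytes:
    """Combine the account password and the Secret Key into one 256-bit key."""
    email_b = email.strip().lower().encode("utf-8")

    # Password half: Unicode-normalise, then a deliberately slow PBKDF2 whose
    # salt is bound to the account, so the same password on two accounts never
    # derives the same key and precomputed tables are useless.
    pw = unicodedata.normalize("NFKD", password.strip()).encode("utf-8")
    pw_salt = hkdf_sha256(account_salt, salt=email_b, info=b"2skd-password-salt")
    pw_key = hashlib.pbkdf2_hmac("sha256", pw, pw_salt, PBKDF2_ITERATIONS, KEY_LEN)

    # Secret Key half: plain HKDF is enough (no stretching) because the Secret
    # Key already carries 128 bits of entropy that cannot be guessed.
    version, body = split_secret_key(secret_key)
    sk_key = hkdf_sha256(body, salt=version.encode("ascii"), info=email_b)

    # Combine with XOR: the result is unpredictable unless BOTH halves are known.
    return bytes(a ^ b for a, b in zip(pw_key, sk_key))


def key_check(key: bytes) -> str:
    """Short verifier a client can keep locally to detect a wrong password or
    Secret Key without sending either secret anywhere (assumed construction)."""
    return hmac.new(key, b"key-check", hashlib.sha256).hexdigest()[:16]


if __name__ == "__main__":
    sk = generate_secret_key()
    salt = secrets.token_bytes(16)  # per-account salt, stored server-side
    k1 = derive_key_2skd("correct horse battery staple", sk, "jim@example.com", salt)
    k2 = derive_key_2skd("correct horse battery staple", sk.lower(), " Jim@Example.com ", salt)
    k3 = derive_key_2skd("correct horse battery staple", generate_secret_key(), "jim@example.com", salt)
    print("Secret Key:", sk)
    print("same inputs -> same key:", k1 == k2)
    print("right password, wrong Secret Key -> different key:", k1 != k3)
```

<p>Running the script prints a fresh Secret Key and confirms that the same inputs always derive the same key while a wrong Secret Key derives a different one. The point of the XOR step is that an attacker holding the encrypted vault and the server-side salt can run the slow PBKDF2 step against password guesses indefinitely and still learn nothing, because the 128-bit Secret Key half is unguessable and is never stored on the server.</p> <p>As noted above, 1Password also encrypts the entire contents of your vaults. 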
That includes metadata like the website URLs you&rsquo;ve stored and vault names. This limits what an attacker learns from stolen data: they couldn&rsquo;t tell whether a vault held credit cards or cookie recipes, or which sites the logins were for, so they have nothing to prioritize.</p> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div class="c-technical-aside-box__description"> <p>Webinar: 1Password Solutions Engineer Cameron Nixon details <a href="https://1password.com/webinars/how-1password-keeps-your-data-safe/">how 1Password keeps your data safe</a>.</p> </div> </aside> <h2 id="1password-plans-and-pricing">1Password plans and pricing</h2> <p>1Password offers <a href="https://1password.com/personal">Individual and Families plans</a> for $2.99 per month and $4.99 per month, respectively. Families plans can include up to five users, and additional users can be added for $1 per user per month.</p> <p>Each plan is available to try for free for 14 days.</p> <p>1Password Teams accounts protect up to 10 team members for $19.95 per month, and add the ability to identify threats with the Domain Breach Report.</p> <p><a href="https://1password.com/business">1Password Business</a> adds enterprise-grade features like integration with identity providers to unlock 1Password with single sign-on (SSO) and automate provisioning, custom reports and customizable security policies, SIEM tool integration, and actionable insights to proactively reduce risk and prevent threats.</p> <p>Both 1Password Teams and 1Password Business are also available to try for free for 14 days.</p> <p><a href="https://1password.com/enterprise">1Password Enterprise</a> customers enjoy complimentary, customized onboarding and training, a dedicated Customer Success Manager, and migration support tailored to their business.</p> <h2 id="lastpass-features">LastPass features</h2> <h3 id="storing-and-filling-personal-information-in-lastpass">Storing and filling personal information in LastPass</h3> <p>Like 1Password, LastPass 
includes the ability to generate, store, and autofill unlimited passwords so you only have to remember one password (to unlock LastPass).</p> <p>Also like 1Password, you can store multiple types of information like credit cards, secure notes, sensitive documents, and passport information in LastPass.</p> <p>And you can use LastPass to generate time-based one-time passwords, just like 1Password.</p> <p>LastPass also plans to support logging in to services with passkeys, though that functionality isn&rsquo;t available at the time of this writing. LastPass has not announced plans to support unlocking your LastPass account with a passkey, but does support a form of passwordless login using the LastPass Authenticator. LastPass does not support logging in to sites with Google, Apple, and other providers.</p> <p>LastPass also organizes your information in password vaults, and offers folders, including nested folders, to further organize your vaults.</p> <h3 id="lastpass-platform-and-device-support">LastPass platform and device support</h3> <p>LastPass is available for Windows, Mac, Linux, and has mobile apps for iOS and Android. It&rsquo;s also available as a browser extension for Chrome, Firefox, Edge, and Opera. All information you&rsquo;ve stored in LastPass is instantly synced so it&rsquo;s available on all your devices.</p> <p>And LastPass, too, gives users a way to monitor their overall security health with the security dashboard. The dashboard will calculate an overall security score and let you know if you need to update weak or reused passwords.</p> <p>It&rsquo;ll also monitor your accounts for data breaches, though those alerts will come via email instead of in-app. While 1Password Watchtower is available on all devices 1Password supports, the LastPass security dashboard isn&rsquo;t available for iOS or Android. 
Users can take a security challenge on mobile, however, to get some of the same information available in the security dashboard.</p> <h3 id="sharing-in-lastpass">Sharing in LastPass</h3> <p>LastPass includes the ability to share passwords with others more securely than conventional methods like messaging and email. There are several options here: one-to-one sharing, one-to-many sharing, and shared folders.</p> <p>Access to these features varies according to your plan (more on that in a moment). As of this writing, LastPass does not give customers a way to share items with non-customers.</p> <h2 id="lastpass-security">LastPass security</h2> <p>LastPass, like 1Password, uses a zero-knowledge design, which means that only you know your Master Password, and LastPass does not. Your vault is encrypted with 256-bit AES, and the key is derived from your Master Password with a salted key-derivation function built on SHA-256 (PBKDF2).</p> <p>The key-derivation function hashes the password repeatedly to turn it into a fixed-size key, and that repetition is what slows down an attacker guessing passwords offline. Salting mixes a unique, per-user value into the computation, so two users with the same password end up with different keys and precomputed tables can&rsquo;t be reused. (1Password also uses a salted, iterated key-derivation function to protect your data.)</p> <h2 id="lastpass-plans-and-pricing">LastPass plans and pricing</h2> <p>LastPass offers free and premium plans for individuals and families. The free plan is limited to one user on one device type (desktop or mobile), and sharing is limited to sharing with one trusted LastPass user.</p> <p>The premium plan, at $3 per month, adds one-to-many sharing and unlimited devices, among other features. The Families account includes up to six users at $4 per month, and adds a family manager dashboard and unlimited shared folders.</p> <p>Both LastPass Premium and LastPass Families offer a 30-day free trial, and the free plan includes 30 days of LastPass Premium.</p> <p>For businesses, LastPass Teams includes up to 50 users for $4 per user per month. 
That includes features like a private vault for each user, shared folders, a security dashboard, and multi-factor authentication.</p> <p>LastPass Business adds SSO integration (including three SSO apps with MFA), custom security policies, and customizable user management (among other features) for unlimited users for $7 per user per month.</p> <p>Both 1Password Business and LastPass Business include free Families accounts for employees.</p> <h2 id="whats-right-for-you">What’s right for you?</h2> <p>1Password and LastPass each offer a significant upgrade over poor security practices like reusing the same password for multiple websites.</p> <p>But the differences can be substantial, depending on what matters to you:</p> <ul> <li> <p><strong>The 1Password security model is meaningfully different.</strong> 2-Secret Key Derivation, encrypting the entirety of your vaults, and Secure Remote Password provide protection you can feel good about. The same careful security design also applies to <a href="https://blog.1password.com/unlock-sso-deep-dive/">Unlock with SSO</a>.</p> </li> <li> <p><strong>Consider your collaboration needs.</strong> If you share login credentials or sensitive documents often – especially in a business setting – how you share matters. 1Password&rsquo;s ability to securely share individual items with anyone can minimize the need for insecure workarounds.</p> </li> <li> <p><strong>Convenience matters.</strong> If a security tool isn&rsquo;t convenient, you simply won&rsquo;t use it. 
1Password makes it easy to stay safe – and things are getting even more convenient with 1Password <a href="https://www.future.1password.com/passkeys/">leading the transition to passwordless</a>.</p> </li> </ul> <section class="c-call-to-action-box c-call-to-action-box--purple"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Secure your digital life with 1Password</h3> <p class="c-call-to-action-box__text"> Organize and secure all your online accounts with 1Password, the world’s most-trusted password manager. Get started today with a free 14-day trial. </p> <a href="https://1password.com/pricing/" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--purple" data-event-category="CTA" data-event-action="call-to-action-button"> Try free for 14 days </a> </div> </section></description></item><item><title>Integrate 1Password with Obsidian Security for extra peace of mind</title><link>https://blog.1password.com/1password-obsidian-security-integration/</link><pubDate>Thu, 28 Sep 2023 00:00:00 +0000</pubDate><author>info@1password.com (Micah Neidhart)</author><guid>https://blog.1password.com/1password-obsidian-security-integration/</guid><description> <img src='https://blog.1password.com/posts/2023/1password-obsidian-security-integration/header.png' class='webfeedsFeaturedVisual' alt='Integrate 1Password with Obsidian Security for extra peace of mind' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Businesses can now automate threat detection for 1Password and their broader work environment with <a href="https://www.obsidiansecurity.com/">Obsidian Security</a>, a security platform for software as a service (SaaS) tools.</p> <p>Keeping your organization secure online is a never-ending challenge, especially when you have hundreds or thousands of employees. 
People are great at many things, but following ever-changing <a href="https://blog.1password.com/stay-secure-without-burning-out-guide/">cybersecurity best practices</a> often isn’t one of them. That&rsquo;s why 1Password focuses on <em>human-centric</em> security and making sure you don’t have to choose between convenience and security.</p> <p>Even so, people don&rsquo;t always make the right choices, which is why we&rsquo;re excited to introduce a new integration by Obsidian Security that can give you extra peace of mind. Obsidian Security provides automated threat detection capabilities for your entire SaaS environment, including 1Password, utilizing advanced machine learning to detect impossible travel, successful logins from unusual locations, spikes in failed login attempts, and more.</p> <h2 id="how-does-the-1password-and-obsidian-security-integration-work">How does the 1Password and Obsidian Security integration work?</h2> <p>By tapping into the <a href="https://support.1password.com/events-reporting/">1Password Events API</a>, Obsidian can continuously aggregate and analyze activity data from your organization&rsquo;s 1Password deployment, including sign-in attempts, item usage, and vault changes. This information is tied to specific users and automatically monitored for potential problems based on policies you set.</p> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div class="c-technical-aside-box__description"> <p>Learn about <a href="https://blog.1password.com/events-api-enhancements-2023/">the latest enhancements to the 1Password Events API</a>!</p> </div> </aside> <p>You can integrate Obsidian Security with many of the SaaS apps you use in addition to 1Password. That allows Obsidian Security to look at the bigger picture and correlate anomalies that look innocuous in isolation, enabling you to identify, investigate, and mitigate threats faster.</p> <p>Obsidian Security’s platform adapts to your organization’s needs, too. 
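</p> <p>To show what an impossible-travel rule actually computes, here is an added example in Python. It is not Obsidian Security’s or 1Password’s code: the sign-in records and the IP-to-location table are constructed to mirror the Cupertino-to-Jakarta scenario in the use case that follows, the event field names are assumptions rather than the 1Password Events API schema, and <code>MAX_PLAUSIBLE_KMH</code> and <code>MIN_DISTANCE_KM</code> are tunable thresholds. The check merges each user’s sign-ins from every connected app, geolocates consecutive pairs, and flags any pair whose implied speed exceeds what an airliner could manage.</p>

```python
"""Impossible-travel detection over merged SaaS sign-in events, illustrated.

Added example, not Obsidian Security's or 1Password's code. The events and the
GeoIP table below are constructed; field names are assumptions, not the
1Password Events API schema. A real pipeline would pull events from each
connected app and resolve IPs against a GeoIP database.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

MAX_PLAUSIBLE_KMH = 1000.0  # faster than commercial air travel -> suspicious
MIN_DISTANCE_KM = 100.0     # ignore GeoIP jitter between nearby locations

# Constructed GeoIP table: ip -> (label, latitude, longitude).
GEOIP = {
    "203.0.113.10": ("Cupertino, US", 37.3230, -122.0322),
    "198.51.100.7": ("Jakarta, ID", -6.2088, 106.8456),
    "192.0.2.44": ("San Jose, US", 37.3382, -121.8863),
}

# Constructed sign-in events from two apps, already merged per user.
EVENTS = [
    {"user": "jim@example.com", "app": "1Password", "ts": "2023-09-20T16:00:00Z", "ip": "203.0.113.10"},
    {"user": "jim@example.com", "app": "crm", "ts": "2023-09-20T16:15:00Z", "ip": "198.51.100.7"},
    {"user": "ana@example.com", "app": "1Password", "ts": "2023-09-20T16:00:00Z", "ip": "203.0.113.10"},
    {"user": "ana@example.com", "app": "crm", "ts": "2023-09-20T16:20:00Z", "ip": "192.0.2.44"},
]


@dataclass
class TravelAlert:
    user: str
    from_place: str
    to_place: str
    distance_km: int
    minutes: int
    implied_kmh: int


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points, in kilometres."""
    earth_radius_km = 6371.0
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * earth_radius_km * asin(sqrt(a))


def parse_ts(ts: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp of the form YYYY-MM-DDTHH:MM:SSZ."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect_impossible_travel(events, geoip=GEOIP, max_kmh: float = MAX_PLAUSIBLE_KMH) -> list[TravelAlert]:
    """Flag consecutive sign-ins per user whose implied speed exceeds max_kmh."""
    by_user: dict[str, list[dict]] = {}
    for ev in sorted(events, key=lambda e: parse_ts(e["ts"])):
        by_user.setdefault(ev["user"], []).append(ev)

    alerts: list[TravelAlert] = []
    for user, evs in by_user.items():
        for prev, cur in zip(evs, evs[1:]):
            if prev["ip"] not in geoip or cur["ip"] not in geoip:
                continue  # unknown location: cannot judge; route to its own review queue
            p_name, p_lat, p_lon = geoip[prev["ip"]]
            c_name, c_lat, c_lon = geoip[cur["ip"]]
            dist = haversine_km(p_lat, p_lon, c_lat, c_lon)
            if dist < MIN_DISTANCE_KM:
                continue  # same metro area; GeoIP noise, not travel
            minutes = (parse_ts(cur["ts"]) - parse_ts(prev["ts"])).total_seconds() / 60
            speed = dist / (minutes / 60) if minutes > 0 else float("inf")
            if speed > max_kmh:
                alerts.append(TravelAlert(user, p_name, c_name, round(dist), round(minutes), round(speed)))
    return alerts


if __name__ == "__main__":
    for alert in detect_impossible_travel(EVENTS):
        print(f"ALERT {alert.user}: {alert.from_place} -> {alert.to_place}, "
              f"{alert.distance_km} km in {alert.minutes} min (~{alert.implied_kmh} km/h)")
```

<p>The sample run flags Jim (roughly 14,000 km in 15 minutes) and ignores Ana, whose two sign-ins are a few kilometres apart, which is the sort of GeoIP jitter the <code>MIN_DISTANCE_KM</code> floor exists to suppress. Sign-ins from IPs the table cannot place are skipped rather than guessed; in production those belong in their own review queue, since VPN exits and mobile carriers are a common source of both false positives and missed alerts.</p> <p>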
You can use out of the box policies or build custom alerts as needed to fit your specific requirements.</p> <h2 id="whats-an-example-use-case">What’s an example use case?</h2> <p>Let&rsquo;s say an employee called Jim logs into your organization&rsquo;s 1Password account at 9AM from Cupertino, California. There&rsquo;s nothing unusual about that. Then, at 9:15AM, Jim accesses a different corporate app from Jakarta, Indonesia. Now we have a problem.</p> <p>The two sign-ins are an example of &ldquo;impossible travel&rdquo; because it’s impossible for Jim to go from California to Jakarta in such a short timeframe. It’s therefore a good signal that something is wrong.</p> <p>Thankfully, your organization is using Obsidian Security to monitor its SaaS environment. So your security team is instantly alerted to potential issues based on policies you set. You can quickly investigate the “impossible travel” sign-ins and filter all activity based on the IP addresses involved or other relevant data.</p> <p>In situations like the one we just described, a quick response can make a huge difference.</p> <h2 id="1password-and-obsidian-security-better-together">1Password and Obsidian Security: Better together</h2> <p>1Password helps your workforce protect sensitive information by bringing security and convenience together. But with the Obsidian Security integration, you can get even more peace of mind that everything is safe and sound with round-the-clock monitoring.</p> <p>The 1Password integration with Obsidian Security is available now to customers with a <a href="https://1password.com/business">1Password Business</a> or <a href="https://1password.com/enterprise">1Password Enterprise</a> account.</p> <p>Learn more about Obsidian Security <a href="https://obsidiansecurity.com/">by visiting the company&rsquo;s website</a>. Interested in becoming an integration partner with 1Password? 
Email <a href="mailto:tech-partnerships@1password.com">tech-partnerships@1password.com</a> to find out more.</p> <section class="c-call-to-action-box c-call-to-action-box--purple"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Secure your team with 1Password Business</h3> <p class="c-call-to-action-box__text"> Keep your team secure without slowing them down. Choose 1Password Business to gain complete control over passwords and other sensitive business information. </p> <a href="https://1password.com/business-pricing/" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--purple" data-event-category="CTA" data-event-action="call-to-action-button"> Try free for 14 days </a> </div> </section></description></item><item><title>How to give your business a security edge with ChatGPT</title><link>https://blog.1password.com/clint-bodungen-chatgpt-security-interview/</link><pubDate>Wed, 27 Sep 2023 00:00:00 +0000</pubDate><author>info@1password.com (Stacey Harris)</author><guid>https://blog.1password.com/clint-bodungen-chatgpt-security-interview/</guid><description> <img src='https://blog.1password.com/posts/2023/clint-bodungen-chatgpt-security-interview/header.png' class='webfeedsFeaturedVisual' alt='How to give your business a security edge with ChatGPT' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Generative AI, large language models, and <a href="https://chat.openai.com/auth/login">ChatGPT</a> are dominating the headlines and people&rsquo;s imaginations at the moment. 
While the incoming AI revolution <a href="https://www.forbes.com/sites/bernardmarr/2023/06/02/the-15-biggest-risks-of-artificial-intelligence/?sh=5ef527ae2706">may have some drawbacks</a>, it also has the power to transform the way we learn, work, and play.</p> <p>Clint Bodungen, author of the upcoming <a href="https://www.packtpub.com/product/chatgpt-for-cybersecurity-cookbook/9781805124047"><em>ChatGPT for Cybersecurity Cookbook: Learn practical generative AI recipes to supercharge your cyber skills</em></a>, joined Matt Davey, Chief Experience Officer at 1Password, on the <a href="https://randombutmemorable.simplecast.com/">Random but Memorable</a> podcast to discuss:</p> <ul> <li>The different ways ChatGPT can give your business a security edge.</li> <li>How companies can use ChatGPT to improve their security training.</li> <li>Why ChatGPT is the best way to build apps faster.</li> </ul> <p>Read the interview below or <a href="https://randombutmemorable.simplecast.com/episodes/teach-bot-cybersecurity-recipes">listen to the full episode</a> on your podcast app of choice.</p> <p><em>Editor’s note: The views and opinions expressed by the interviewee don&rsquo;t represent the opinions of 1Password.</em></p> <div class="c-simplecast-embed"> <iframe class="c-simplecast-embed__iframe" title="1Password Random but Memorable Podcast" width="100%" frameborder="no" scrolling="no" seamless src="https://player.simplecast.com/b1ea2812-86bb-4e94-bc94-310b66d2400b?dark=false"></iframe> </div> <p><a href="https://randombutmemorable.simplecast.com/episodes/teach-bot-cybersecurity-recipes">Listen to episode 113 ›</a></p> <p><strong>Matt Davey: What will the book cover and who&rsquo;s it for?</strong></p> <p><strong>Clint Bodungen:</strong> I focused on content for those who are already in cybersecurity and want to make their skillset more efficient and to augment the skills that they already have.</p> <p>But more importantly, I&rsquo;m a huge proponent of trying to usher in the
next generation of talent into cybersecurity.</p> <p>There are a lot of people who don&rsquo;t know how to get into cybersecurity, or can&rsquo;t afford [the relevant] certifications. I wanted to make sure I touched an audience that could really utilize this new, literally revolutionary technology to enhance and augment their skill set.</p> <p>The book primarily covers ChatGPT but also the <a href="https://platform.openai.com/">OpenAI API</a>. Right now everybody&rsquo;s writing an ebook or doing YouTube videos on ChatGPT prompt engineering. This book goes beyond prompt engineering. It’s talking about how to use the OpenAI API with Python code, and some JavaScript.</p> <blockquote> <p><em>&ldquo;This book will help you get under the hood of what&rsquo;s going on.&rdquo;</em></p> </blockquote> <p>You can build your own apps and extend the capabilities of just ChatGPT. This book will help you get under the hood of what&rsquo;s going on to build your own plugin-like functionality, to build your own code interpreter functionality, and to get ahead of the next feature set that might be within ChatGPT.</p> <p>The later chapters talk about other frameworks, like how to use other large language models such as open source rather than just GPT and OpenAI-branded large language models.</p> <p><strong>MD: What are some of the most exciting and practical AI recipes in your book?</strong></p> <p><strong>CB:</strong> The most exciting recipes teach you how to turn ChatGPT or <a href="https://www.anthropic.com/index/claude-2">Claude 2</a> into a cybersecurity-themed role-playing game.</p> <p>You might be familiar with old school text-based role-play games like <em>Hitchhiker&rsquo;s Guide to the Galaxy</em> or <em>Zork</em>. Those sorts of games. I teach readers how to turn ChatGPT into a text-based role-playing game where it acts as the game master. It will instantly create an entire scenario.
It&rsquo;s a “choose your own adventure” basically which you can go through and it will train you on cybersecurity.</p> <p>For companies that do <a href="https://www.cisa.gov/resources-tools/services/cisa-tabletop-exercise-packages">incident response tabletop exercises</a>, I have recipes in the book that show you how to create and run those exercises using ChatGPT.</p> <p>I have simple GPT recipes from the web interface where you can just get help with GRC cybersecurity standards. You don&rsquo;t understand what a standard is saying? You can feed it excerpts or entire standards and then get your questions answered. You can have it create entire vulnerability assessment plans. You can actually have it create a cybersecurity policy, an entire 80-page cybersecurity policy.</p> <blockquote> <p><em>&ldquo;[ChatGPT] is not meant to replace human work. It&rsquo;s not meant to be &lsquo;set it and forget it&rsquo; like an easy bake oven.&rdquo;</em></p> </blockquote> <p>This is not meant to replace human work. This is not meant to be &lsquo;set it and forget it&rsquo; like an easy bake oven. This is literally meant to give you a first draft. This is meant to make things more efficient and optimize your time, and then you become the editor and fine-tune it to your liking.</p> <p>There are recipes in there to make all aspects of your cybersecurity job more efficient or more productive, like helping you with pen testing.</p> <p><strong>MD: How do we trust AI to generate what it says it&rsquo;s generating?</strong></p> <p><strong>CB:</strong> I don’t recommend sending anything confidential or private out to the internet when you&rsquo;re using the API, whether that’s the cloud ChatGPT or something else. That&rsquo;s why we&rsquo;re developing an open source cybersecurity model that is intended to be used locally without any connection to the internet.
This way you can do these things privately on your own without risking exposure.</p> <p>In later parts of the book, I teach people how to use local open source models on their own if they&rsquo;re concerned about privacy and security. In the meantime, if you do want to experiment with the API version – the online version and ChatGPT – then you can sanitize or anonymize your requests.</p> <p>How do you trust what ChatGPT is giving you? I would highly recommend that for anything you&rsquo;re doing in terms of testing or penetration testing, you do it on a trusted or secured network, or a sandbox network, <em>before</em> you put it on a customer&rsquo;s network or your own network.</p> <blockquote> <p><em>&ldquo;The same caveats that apply to any cybersecurity operation or testing, such as making sure what you&rsquo;re doing is tested and verified before you put it on a production network, stand true here as well.&rdquo;</em></p> </blockquote> <p>The same caveats that apply to any cybersecurity operation or testing, such as making sure what you&rsquo;re doing is tested and verified before you put it on a production network, stand true here as well.</p> <p>And then in terms of writing code, I don&rsquo;t recommend that you just take any code that it generates at face value. If you&rsquo;re not a programmer you should try it out in a sandbox environment to make sure it works first.</p> <p><strong>MD: Are you writing the book, or is ChatGPT writing the book?</strong></p> <p><strong>CB:</strong> I’m writing the book.</p> <p>Am I using ChatGPT at all to help with this book? Yes. Am I using it to help me write better code? Absolutely. But I&rsquo;m the primary author and I double check everything.</p> <p>I use ChatGPT in my everyday life for everything now.</p> <p><strong>MD: Do you think AI and ChatGPT give you a competitive edge in security? Are there downfalls in that?
What do you think people need to take into consideration?</strong></p> <p><strong>CB:</strong> AI absolutely gives you a competitive edge because it makes you more efficient and makes you able to work faster.</p> <p>Anything that you do, ChatGPT can help you do better or faster. For example, it&rsquo;s better than Google search in a lot of instances. If I use Google, I have to search through the links and then click on each one and then see if those have relevant information. ChatGPT gives me the answer right away.</p> <p>You could use it for anything. If you want a meal plan, it&rsquo;ll generate meal plans. If you want an exercise routine, it&rsquo;ll generate exercise routines. It&rsquo;ll literally do and enhance just about anything you can think of.</p> <blockquote> <p><em>&ldquo;If you&rsquo;re asking it for factual information, you do need to do your fact checking like you should do for anything.&rdquo;</em></p> </blockquote> <p>The caveat is you still need to be cautious about facts. If you&rsquo;re asking it for factual information, you do need to do your fact checking like you should do for anything.</p> <p>The nature of a large language model and the way it works is that if it doesn&rsquo;t know something, it can sometimes make stuff up. Or, worse, say things that sound realistic but aren’t true. So you have to be careful.</p> <p>If you&rsquo;re using this to enhance your knowledge, or to try to get a job, you have to be careful about using this to enhance your own skills, but then not furthering your skills to learn more.</p> <p>For example, you can use it as a tutor to educate you and enhance the productivity and knowledge you already have.
But if you use it to share knowledge that you don&rsquo;t have, or use it to pretend you have knowledge that you don&rsquo;t really have, it&rsquo;s going to get you in trouble.</p> <p><strong>MD: Where can people learn more about you or pre-order this book?</strong></p> <p><strong>CB:</strong> You can pre-order the book <a href="https://www.packtpub.com/product/chatgpt-for-cybersecurity-cookbook/9781805124047">on Packt Publishing&rsquo;s website</a> and <a href="https://www.amazon.com/ChatGPT-Cybersecurity-Cookbook-generative-supercharge/dp/1805124048/">on Amazon</a>.</p> <p>I&rsquo;m also the founder of <a href="https://threadgen.com/">Thread Gen</a>, a cybersecurity startup with a cybersecurity training game simulation platform.</p> <p>You can visit <a href="https://cybersuperhuman.ai/">cybersuperhuman.ai</a> and <a href="https://threadgen.com/">threadgen.com</a> to find out more about me and my other works.</p> <p><em>Editor’s note: This interview has been lightly edited for clarity and brevity.</em></p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Subscribe to Random but Memorable</h3> <p class="c-call-to-action-box__text"> Listen to the latest news, tips and advice to level up your security game, as well as guest interviews with leaders from the security community. 
</p> <a href="https://randombutmemorable.simplecast.com/" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Subscribe to our podcast </a> </div> </section></description></item><item><title>How to ace your 1Password interview</title><link>https://blog.1password.com/how-ace-1password-interview/</link><pubDate>Mon, 25 Sep 2023 00:00:00 +0000</pubDate><author>info@1password.com (Liz Tam)</author><guid>https://blog.1password.com/how-ace-1password-interview/</guid><description> <img src='https://blog.1password.com/posts/2023/how-ace-1password-interview/header.png' class='webfeedsFeaturedVisual' alt='How to ace your 1Password interview' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Okay, so you’ve just landed an interview at 1Password. It’s natural to feel a bit nervous about what you’ll be asked and what you should say. Here’s our advice: share your experiences from the perspective of our company values.</p> <p>At 1Password, our company values are woven into everything we do. They inform how we show up to work, how we treat our colleagues and customers, and how we connect with our company mission. Through recognition programs such as Bonusly, which lets team members thank each other with redeemable points, and our newly formalized Values Awards, team members are empowered to live our values in ways that feel meaningful to them.</p> <p>Below, we share our best pieces of advice to help you succeed in your interview and embrace our three company values: keep it simple, lead with honesty, and put people first.</p> <h2 id="keep-it-simple">Keep it simple</h2> <p>&ldquo;Keep it simple&rdquo; reflects how 1Password employees strive to focus on what’s most important. 
It prompts us to stay solutions-oriented and communicate with each other clearly, concisely, and intentionally.</p> <h3 id="tip-share-clear-and-concise-stories">Tip: Share clear and concise stories</h3> <p>As you prepare for your interview, identify specific examples from your previous experiences that demonstrate your abilities and accomplishments. Try to adopt the perspective of the interviewer and structure your story in a way that makes it easy for them to understand the significance of your contributions. Some of our Talent Partners at 1Password recommend using the <a href="https://www.themuse.com/advice/star-interview-method">STAR (Situation, Task, Action, Result) framework</a> to help you lay out your narrative.</p> <h3 id="tip-dont-be-afraid-to-write-down-questions-for-the-interviewer">Tip: Don’t be afraid to write down questions for the interviewer</h3> <p>Does preparing written questions in advance help you to feel at ease? Then we encourage you to do just that. Our interviewers love a two-way conversation, and this way, you’ll be able to focus on the conversation knowing you won’t forget the questions you had in mind.</p> <p>Our hiring managers enjoy answering questions about their team, their management style, their vision for the role, and where they see the team moving in the future.</p> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div class="c-technical-aside-box__description"> <p>“I’m always happy to take a few minutes to answer questions from candidates. Anyone who takes the time to ask questions about details that are important to them definitely stands out.
If a candidate wants to learn about our company culture and what values are important to the employee experience, I’m always happy to provide all the insights I can!”</p> <p>– Justine Ahloy, Talent Acquisition Specialist at 1Password</p> </div> </aside> <h2 id="lead-with-honesty">Lead with honesty</h2> <p>&ldquo;Lead with honesty&rdquo; helps us hold ourselves accountable and reminds us of the role we play in others’ growth. It encourages us to stay curious, ask questions that challenge the status quo, and continuously seek growth opportunities.</p> <h3 id="tip-embrace-a-growth-mindset">Tip: Embrace a growth mindset</h3> <p>During your interview, don’t be afraid to own all that you’ve accomplished and learned along your professional journey. And don’t shy away from telling us about mistakes that turned into growth opportunities! Instead, demonstrate how you leaned into those opportunities and took them as a chance to be curious, adaptable, or resilient. This will help illustrate how you’d thrive and develop in your career at 1Password.</p> <h3 id="tip-bring-your-whole-self">Tip: Bring your whole self</h3> <p>We hope that you’ll feel comfortable showing up to the interview as your authentic self. We’re eager to learn more about you as a person and the life experiences you bring with you. As you describe your past experiences as well as your goals for the future, we encourage you to share what drives you, what matters to you, and what you value.</p> <h3 id="tip-stay-calm-and-confident">Tip: Stay calm and confident</h3> <p>To combat interview nerves and ground yourself in the moment, focus on practicing active listening, take the time to respond thoughtfully and honestly, and stay positive.</p> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div class="c-technical-aside-box__description"> <p>“Staying calm and confident is incredibly helpful for tackling interview nerves. 
It allows you to have a genuine interaction and leave a lasting positive impression. It’s one of the top pieces of advice I share with my candidates before their interviews.”</p> <p>– Tara Gothreau, Executive Recruiter</p> </div> </aside> <h2 id="put-people-first">Put people first</h2> <p>&ldquo;Put people first&rdquo; helps 1Password employees actively create a safe and inclusive space where everyone can thrive. It inspires us to celebrate each other’s contributions, make space for diverse voices, and work together to deliver results.</p> <h3 id="tip-be-curious-about-the-interviewers-experience">Tip: Be curious about the interviewer’s experience</h3> <p>The interview is a chance to build a one-on-one connection with a potential future teammate. We encourage you to prepare specific questions about their experience: what it’s like to be on their team, the challenges they’re currently facing, what they’re excited to be working on, or what it’s like to be a part of our remote-first work environment.</p> <h3 id="tip-practice-remote-meeting-etiquette">Tip: Practice remote meeting etiquette</h3> <p>Beyond the screening call, we conduct interviews on Zoom. We highly recommend practicing using Zoom if you haven’t before, and reviewing your settings ahead of time.
If you’re comfortable doing so, we encourage you to <a href="https://support.zoom.us/hc/en-us/articles/4402698027533-Adding-and-sharing-your-pronouns">add your pronouns to your Zoom profile</a> so that our interviewers can refer to you using your pronouns.</p> <p>On the day of your interview, an easy way to show respect for the interviewer’s time is to arrive promptly and aim to wrap up the conversation before the end of the allotted time.</p> <h3 id="tip-showcase-your-interest-in-contributing-to-an-inclusive-community">Tip: Showcase your interest in contributing to an inclusive community</h3> <p>The interview is an opportunity to contribute to a safe and inclusive space, as well as demonstrate how you’d continue to do so as a potential future member of the team. You can lead by example by sharing your pronouns when you introduce yourself if you are comfortable doing so, asking the interviewer to clarify the pronunciation of their name, and using inclusive language throughout the interview.</p> <p>At 1Password, <a href="https://blog.1password.com/pride-2023/">we take pride in our Diversity, Equity, Inclusion, and Belonging (DEIB) initiatives</a>, so we invite you to ask questions about our DEIB programming or take some time to share what you’re passionate about.</p> <h2 id="good-luck-in-your-interview">Good luck in your interview!</h2> <p>We hope these tips help you to feel confident as you prepare for your interview. Ultimately, we want to make sure that you and 1Password are a great fit for each other. That&rsquo;s not only for our benefit – it&rsquo;s also for yours! We want you to work somewhere that&rsquo;s going to make you feel fulfilled.
We hope that you find these insights valuable as you continue on your journey towards applying and becoming a part of the 1Password team.</p> <p>Visit our <a href="https://1password.com/jobs/">careers page</a> to see our current openings and <a href="https://www.linkedin.com/company/1password">follow us on LinkedIn</a> to stay updated on how we’re growing our teams.</p></description></item><item><title>Now available: Save and sign in with passkeys using 1Password in the browser and on iOS</title><link>https://blog.1password.com/save-use-passkeys-web-ios/</link><pubDate>Wed, 20 Sep 2023 00:00:00 +0000</pubDate><author>info@1password.com (Travis Hogan)</author><guid>https://blog.1password.com/save-use-passkeys-web-ios/</guid><description> <img src='https://blog.1password.com/posts/2023/save-use-passkeys-web-ios/header.png' class='webfeedsFeaturedVisual' alt='Now available: Save and sign in with passkeys using 1Password in the browser and on iOS' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">The moment you’ve been waiting for has finally arrived. Passkey support is now available in 1Password, letting you create, manage, and sign in with passkeys on a growing number of websites and apps.</p> <p>Starting today, you can <a href="https://support.1password.com/save-use-passkeys/">save and sign in with passkeys</a> using the <a href="https://1password.com/downloads/browser-extension/">desktop version of 1Password in the browser</a>, as well as your <a href="https://1password.com/downloads/ios/">iOS 17 and iPadOS 17 devices</a>. 
You can also use 1Password on any device to view, organize, and share your saved passkeys.</p> <p>It’s the most convenient and complete passkey experience.</p> <p>There&rsquo;s no better time to get started with Google, Nintendo, GitHub, and others turning on capabilities for passkeys this summer.</p> <p>Visit our online <a href="https://passkeys.directory/">passkey directory</a> or open <a href="https://watchtower.1password.com/">Watchtower</a> in 1Password to discover which of your logins can be upgraded with a passkey.</p> <div style="text-align: center !important;"> <iframe src="https://www.youtube-nocookie.com/embed/DN3M5hx7_iA?si=uRX-xatfcaK4v7sA" frameborder="0" allow="autoplay; encrypted-media" width="500px !important;" height="281px !important;" style="width: 500px !important; height: 281px !important; display: inline-block !important" allowfullscreen></iframe> </div> <h2 id="passkeys-are-here">Passkeys are here</h2> <p>Need a refresher on <a href="https://blog.1password.com/what-are-passkeys/">what passkeys are, and how they work</a>? No problem. Passkeys are the future of account security and how we protect our private data. And they&rsquo;re here to stay.</p> <p>You can use passkeys to sign in to compatible websites and apps without entering a password. No magic links. No two-factor authentication codes. Just passwordless bliss.</p> <p>Passkeys are secure, convenient to use, and backed by the largest companies in the world. Here are just a few reasons why you should start using passkeys in 1Password:</p> <ul> <li> <p><strong>Signing in with passkeys is quick and hassle-free.</strong> You don&rsquo;t have to memorize or type out anything when you sign in with a passkey. Find the login page or button and, if prompted, choose the passkey option. 1Password will then handle the rest.</p> </li> <li> <p><strong>Passkeys are secure.</strong> Unlike passwords, every passkey has two parts: a public key and private key. 
The private key isn&rsquo;t shared with the service you&rsquo;re signing in to. That&rsquo;s why passkeys are resistant to phishing and can&rsquo;t be stolen in data breaches.</p> </li> <li> <p><strong>You can sync your passkeys between devices.</strong> Passkeys are synced just like any other item saved in your password manager. You can access them on any device and any major web browser, and organize them using tags and vaults.</p> </li> </ul> <h2 id="save-and-sign-in-using-passkeys-in-the-browser">Save and sign in using passkeys in the browser</h2> <p>Ready to start using passkeys? <a href="https://1password.com/downloads/browser-extension/#browsers">Download the 1Password extension</a> for one of the following browsers:</p> <ul> <li>Chrome (macOS, Windows, and Linux)</li> <li>Edge (macOS, Windows, and Linux)</li> <li>Brave (macOS, Windows, and Linux)</li> <li>Safari (macOS, iOS, and iPadOS)</li> <li>Firefox (<em>the ability to save and sign in with passkeys is coming soon</em>)</li> </ul> <p>Next, find a site that supports passkeys. You can do this by browsing our <a href="https://passkeys.directory/">passkey directory</a>, or by opening Watchtower in 1Password, which now flags all of your existing logins that could be updated with a passkey.</p> <p>Locate the site&rsquo;s sign in page or button and follow the prompts to create a passkey. 1Password will ask which account and vault you’d like to save it in.</p> <img src="https://blog.1password.com/posts/2023/save-use-passkeys-web-ios/passkeybrowser.png" alt="A screenshot showing a passkey being created and saved using 1Password in the browser." title="A screenshot showing a passkey being created and saved using 1Password in the browser." 
class="c-featured-image"/> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div class="c-technical-aside-box__description"> <p>Visit our support site for detailed instructions on <a href="https://support.1password.com/save-use-passkeys/?utm_medium=social&amp;utm_source=blog&amp;utm_campaign=save-and-signin-with">how to save and sign in with passkeys in your browser</a>.</p> </div> </aside> <h2 id="save-and-sign-in-with-ios-passkeys">Save and sign in with iOS passkeys</h2> <p>Here’s what you need to start using passkeys on your iPhone or iPad:</p> <ul> <li>iOS 17 or higher.</li> <li>The latest version of 1Password for iOS.</li> </ul> <img src='https://blog.1password.com/posts/2023/save-use-passkeys-web-ios/passkeymobile.png' alt='A screenshot showing a passkey being created with 1Password on a mobile device.' title='A screenshot showing a passkey being created with 1Password on a mobile device.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div class="c-technical-aside-box__description"> <p>Visit our support site for detailed instructions on <a href="https://support.1password.com/ios-autofill/">how to save and sign in with iOS passkeys on your iPhone or iPad</a>.</p> </div> </aside> <h2 id="coming-soon-save-and-sign-in-with-android-passkeys">Coming soon: Save and sign in with Android passkeys</h2> <p>Google is working on Android 14 and APIs that will enable password managers like 1Password to create and use passkeys inside Chrome and any other app that has added passkey support.</p> <p>1Password is ready and will support these APIs as soon as they&rsquo;re available, giving you the option to save and sign in with passkeys on your Android 14 phones and tablets.</p> <h2 id="passkeys-at-work-what-you-need-to-know">Passkeys at work: What you need to know</h2> <p>We know that every business is different. 
That&rsquo;s why we&rsquo;re letting 1Password Business admins choose when their team can start saving and using passkeys. To make your choice, <a href="https://signin.1password.com/">sign in to 1Password.com</a> and select Policies from the sidebar. Here, you’ll find an option that lets you enable and disable passkey support.</p> <h2 id="the-future-is-passwordless">The future is passwordless</h2> <p>We&rsquo;re proud to be at the forefront of passwordless authentication and offering the industry’s most complete passkey solution.</p> <p>For years, 1Password has given you a safe place to store not only your passwords but everything else that&rsquo;s important in your life, like credit cards, addresses, and medical records. Now, 1Password is the perfect home for your passkeys too. You can access your new login credentials anytime, anywhere. It&rsquo;s the passwordless experience done right.</p> <p>We’ll be keeping our ears to the ground to understand how we can build on what we&rsquo;ve released today. Our goal is to go above and beyond your expectations, and we’re just getting started. Thank you for using 1Password during this exciting time.</p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Discover how to save and sign in with passkeys</h3> <p class="c-call-to-action-box__text"> Ready to create some passkeys? Learn how to get started with the desktop version of 1Password in the browser and 1Password for iOS. </p> <a href="https://support.1password.com/save-use-passkeys/?utm_medium=social&amp;utm_source=blog&amp;utm_campaign=save-and-signin-with" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Get started with passkeys in 1Password </a> </div> </section></description></item><item><title>Passkeys vs. 
SSO: What are the differences?</title><link>https://blog.1password.com/passkeys-vs-sso-differences/</link><pubDate>Tue, 19 Sep 2023 00:00:00 +0000</pubDate><author>info@1password.com (Stacey Harris)</author><guid>https://blog.1password.com/passkeys-vs-sso-differences/</guid><description> <img src='https://blog.1password.com/posts/2023/passkeys-vs-sso-differences/header.png' class='webfeedsFeaturedVisual' alt='Passkeys vs. SSO: What are the differences?' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Understanding how passkeys fit into the existing landscape of security and authentication is what our &lsquo;versus&rsquo; series is all about. The goal of authentication is to verify that the person trying to gain access to a secret (e.g. an account) has permission to access it.</p> <p>In previous posts, we&rsquo;ve compared passkeys to <a href="https://blog.1password.com/passkeys-vs-passwords-differences/">passwords</a>, <a href="https://blog.1password.com/passkeys-vs-magic-links-differences/">magic links</a>, and <a href="https://blog.1password.com/passkeys-2fa-totp-differences/">2FA and TOTP</a> – now we’re going to dive into single sign-on (SSO).</p> <h2 id="what-is-sso">What is SSO?</h2> <p>Single sign-on authentication allows users to sign in to accounts using a single identity provider rather than individual credentials for each account. This means people don’t need to remember unique credentials for every account. Instead, they just have to log in to their SSO provider.</p> <p>To learn more about a topic we could discuss for hours, check out our <a href="https://blog.1password.com/1password-and-sso-a-perfect-match/">blog post</a> on the differences between SSO and password managers, and why they make a great pair.</p> <h2 id="what-are-passkeys">What are passkeys?</h2> <p><a href="https://blog.1password.com/what-are-passkeys/">Passkeys</a> are the cool new authentication kid on the block. 
They’re the next serious contender to shift people toward a simpler, safer authentication experience, one that traditional passwords could never provide.</p> <p>Passkeys don’t require a password, magic link, or one-time code. Instead, you only need your biometric information or device passcode to access your passkey-protected accounts. Passkeys are quick and easy to use, and more secure than other authentication methods.</p> <div style="text-align: center !important;"> <iframe src="https://www.youtube-nocookie.com/embed/DELDP_wbuE4?si=VQ4KiFVKIJwHFGBY" frameborder="0" allow="autoplay; encrypted-media" width="500px !important;" height="281px !important;" style="width: 500px !important; height: 281px !important; display: inline-block !important" allowfullscreen></iframe> </div> <p>Now that we&rsquo;ve got some basic definitions out of the way, let&rsquo;s compare passkeys to SSO so you can better understand when and why you might choose one authentication method over another.</p> <h2 id="fast-is-better-at-least-for-signing-in">Fast is better, at least for signing in</h2> <p>The purpose of authentication is to verify your identity to keep your accounts and data secure. But for most people, going through the sign-in process is just a necessary nuisance that slows them down. After all, no one actually enjoys the login process – it’s just a means to an end. That’s why improving the sign-in flow, especially the speed at which we sign in, is so valuable to workers and businesses alike.</p> <p>The SSO process makes it so you only need to log in to one account – your SSO provider – in order to access the tools you need. This means you’re able to start working quickly since all your accounts are now accessible with a single sign on.</p> <p>Passkeys are just as fast, in a different way.</p> <p>While you still have to sign in to each account you&rsquo;ve protected with a passkey, the process is quick, easy, and seamless. 
Scanning your fingerprint or face, or entering your device passcode, authorizes your passkey for use. The rest of the sign-in process takes place in milliseconds and entirely behind the scenes – you’ll be too busy getting on with your day to even notice how smooth the experience was. Passkeys are both seamless and passwordless.</p> <h2 id="security-is-paramount-for-authentication">Security is paramount for authentication</h2> <p>But with signing in feeling so simple, there can be a feeling that your accounts aren’t as secure. That’s simply not the case. Both SSO and passkeys are secure authentication methods and also do a great job at reducing your risk of attack.</p> <p>SSO reduces the total number of usernames and passwords required for each employee. That means there are fewer entry points to be targeted, and thus exploited. The biggest risk for SSO security is that it has a single point of failure. If your SSO account is compromised, then all the accounts within that system are also compromised. That’s why protecting the SSO account itself – with a strong, unique password stored somewhere safe, and with multi-factor authentication – is crucial to keeping your secrets secure.</p> <blockquote> <p><strong>SSO reduces the total number of usernames and passwords required for each employee.</strong></p> </blockquote> <p>Passkeys, on the other hand, are unique to each account, so a breach of one website exposes only public keys, which can’t be used to sign in to that website or any other. That&rsquo;s because passkeys use <a href="https://blog.1password.com/what-is-public-key-cryptography/">public-key cryptography</a>, which means that each passkey is made up of two parts: a public key and a private key.</p> <p>When you opt to protect an account with a passkey, the website or app stores your public key. 
When you return to sign in, the site sends a fresh challenge and you authorize your private key to sign it. The private key is only ever stored on your device – unless you securely sync or share your passkeys – and the site checks the signature against the public key it holds.</p> <p>For someone to sign in using your passkey, they would need access to your device to steal your private key (unless you’ve shared it) – something not easily achieved. And because a passkey is bound to the site it was created for, a look-alike phishing page can’t make use of it either. This makes you a more complicated target than someone using traditional passwords.</p> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div class="c-technical-aside-box__description"> <p>Read <a href="https://blog.1password.com/what-are-passkeys/">our passkeys FAQs blog post</a> to learn more about this new type of login credential. It answers common questions including &ldquo;where are passkeys stored?&rdquo; and &ldquo;will passkeys replace passwords?&rdquo;</p> </div> </aside> <h2 id="risks-versus-rewards">Risks versus rewards</h2> <p>No solution is without limitations.</p> <p>Losing access to your saved secrets could be detrimental to your entire day, even if it is only temporary. From logging in to work applications to joining meetings, authentication is at the core of our workdays.</p> <p>If your SSO provider experiences an outage, that means access to all connected sites is lost. Since SSO is used to sign in to multiple sites, your team won’t have access to the tools they need to complete their jobs. That’s lost productivity and lost business depending on how long it takes to get back up and running.</p> <p>But if your team&rsquo;s accounts are protected by passkeys, a provider outage might not be a problem. Of course, depending on how you choose to store your passkeys, you would have to create a plan should your storage solution experience an outage. 
And with passkeys you still need to consider storage, secure syncing across devices, and access control.</p> <p>Whether it&rsquo;s an SSO provider or the service you use to store your passkeys, losing access means a loss of productivity and business.</p> <h2 id="implementation-options">Implementation options</h2> <p>Now that we know the differences and benefits of the two options, from security to usability, the question is: what’s easier to implement – SSO or passkeys? Well, it depends.</p> <p>Different SSO providers have unique workflows that need to be considered with your own internal systems. Implementing SSO is complex and can be expensive.</p> <p>Passkeys were designed to be both easy to use <em>and</em> secure. Employees can start using passkeys relatively quickly. All they have to do is set up passkeys to work with their biometrics or device passcode, and the login process will work seamlessly – and securely – in the background.</p> <p>Not all websites and apps support passkeys at the moment. But the number that do is quickly growing, giving you more places to use this new, safer sign-in option.</p> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div class="c-technical-aside-box__description"> <p>Not sure where you can use passkeys? Browse our <a href="https://passkeys.directory/">passkey directory</a>!</p> </div> </aside> <p>The cost to your business to have employees start using passkeys rather than SSO would be minimal to none — especially if you&rsquo;re already using 1Password. Passkeys you create and save in 1Password are like any other items in your vaults. You can view, edit, move, and even share them with other people.</p> <p>If your business is considering implementing passkey login for your own website, that can also be simple, since developers don’t have to start from scratch. Just as with passwords, off-the-shelf solutions exist for passkeys as well. 
<a href="https://blog.1password.com/passage-by-1password/">Passage by 1Password</a> has two options to help developers add passkey support to any website or app.</p> <h2 id="so-which-should-you-choose--sso-or-passkeys">So which should you choose – SSO or passkeys?</h2> <p>Why not both?</p> <p>Ever heard the saying that too much of a good thing is bad? That’s not the case when it comes to SSO and passkeys!</p> <p>While passkeys are leading the charge to a passwordless future, SSO still has a necessary part to play in business and enterprise security. We would even argue that businesses will be more secure if they use both methods in tandem.</p> <p>SSO gives admins a high degree of access control. For example, you can choose exactly which employees are able to create a Google Workspace account with their work email address. Passkeys are unlikely to replace SSO in a business setting but will be a secure way to protect everything not covered by SSO.</p> <blockquote> <p><strong>Protect the majority of accounts with SSO, and the others – including the SSO accounts – with strong passkeys.</strong></p> </blockquote> <p>Speaking of things that work well together, many SSO providers allow you to sign in with a passkey rather than the traditional username/password combination. This means organizations keep the administrative powers of SSO while reducing the risk of employees using weak or reused passwords.</p> <p>The two systems work well in tandem to make securing your entire business less stressful. 
Protect the majority of accounts with SSO, and the others – including the SSO accounts – with strong passkeys.</p> <p><a href="https://blog.1password.com/unlock-with-okta/">Unlock 1Password with SSO</a>, then create, save, and sign in to accounts with passkeys using 1Password (<a href="https://blog.1password.com/save-sign-in-passkeys-1password/">currently in beta</a>).</p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Subscribe to our passwordless newsletter</h3> <p class="c-call-to-action-box__text"> Get our latest passkey updates delivered right to your inbox, as well as guides, interviews, and other interesting articles about the next generation of sign-in technology. </p> <a href="https://1password.com/passwordless-news/" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Subscribe to Beyond Passwords </a> </div> </section></description></item><item><title>Why you should care about a data breach</title><link>https://blog.1password.com/data-breach-impact/</link><pubDate>Wed, 13 Sep 2023 00:00:00 +0000</pubDate><author>info@1password.com (Nick Summers)</author><guid>https://blog.1password.com/data-breach-impact/</guid><description> <img src='https://blog.1password.com/posts/2023/data-breach-impact/header.png' class='webfeedsFeaturedVisual' alt='Why you should care about a data breach' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Data. Breach. 
We see these two words all the time <a href="https://www.theguardian.com/australia-news/2023/sep/08/dymocks-warns-customer-records-may-be-on-dark-web-after-possible-data-breach">in the news</a>, <a href="https://www.threads.net/@dataprivacycanada/post/CxCEgNyuW7n">on social media</a>, and in company emails notifying us that our information might have been affected.</p> <p>(You may have read about one <a href="https://krebsonsecurity.com/2023/09/experts-fear-crooks-are-cracking-keys-stolen-in-lastpass-breach/">affecting a password manager recently</a>.)</p> <p>Data breaches occur so frequently that it’s easy to tune out or convince yourself they’re not worth paying attention to. “Are these breaches <em>really</em> all that bad?” “Is anything <em>really</em> going to happen if I ignore a breach that might have affected one of my personal accounts?”</p> <p>It’s never been more important to be proactive when you hear about a data breach that affects one of your online accounts. To do this, you don’t need to be a security professional or devour the news every day. You simply need to know the potential impacts of data breaches, and how the right tools can <a href="https://blog.1password.com/data-breach-101-stay-safe-online/">help you quickly and effectively respond to them</a>.</p> <h2 id="what-is-a-data-breach">What is a data breach?</h2> <p>Let’s start with a quick data breach definition. The term refers to any security incident in which an unauthorized party gains access to sensitive data, such as financial information or social security numbers. Data obtained via a data breach can be sold on the dark web, held for ransom, or leaked to the public. 
Attackers use many different techniques to sneak past their target’s digital defenses, such as <a href="https://blog.1password.com/what-is-social-engineering-hacking-101/">social engineering</a>.</p> <p>Now, let’s dig into how a data breach can affect <em>you</em>.</p> <h2 id="losing-personal-account-access-from-a-data-breach">Losing personal account access from a data breach</h2> <p>Some services protect their users’ login details better than others. If a company is breached and it hasn’t been following security best practices – for example, storing passwords in plain text rather than as salted, slow-to-compute hashes – it’s <em>possible</em> that an attacker could obtain your login credentials and try to sign in to your personal account.</p> <p>If the thief gains access to your account, they could try to change the password. This would be like someone running inside your house while you’re on vacation and changing the locks on your doors. People have been locked out of accounts before this way.</p> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div class="c-technical-aside-box__description"> <p>Tip: Use <a href="https://support.1password.com/one-time-passwords/">two-factor authentication</a> to add an extra layer of security for your accounts. And keep your eyes peeled for ‘unusual sign-in attempts’ emails!</p> </div> </aside> <h2 id="losing-access-to-other-accounts-that-use-the-same-password">Losing access to other accounts that use the same password</h2> <p>Many people use the same password, or just a handful of different passwords, for all of their online accounts. 
While convenient, it’s also a security risk.</p> <p>If a company is breached and your password is exposed, an attacker might use a technique called <a href="https://blog.1password.com/how-1password-keeps-you-safe-from-cyber-attacks/">credential stuffing</a> to test whether they can use that same login credential to sign in to any of your <em>other</em> online accounts.</p> <p>For example, imagine an attacker obtains a password for one of your less important accounts, like a shopping website. A thief might wonder whether that same password can grant them access to higher-value accounts, like your online banking.</p> <h2 id="stolen-personal-information">Stolen personal information</h2> <p>To get the most out of the internet, we often have to share some of our sensitive personal information. You might have shared your full name with a social media platform, your home address with an e-commerce company, or your date of birth with a streaming service.</p> <p>If one of these services is breached, it&rsquo;s <em>possible</em> that some of the information you shared with them will be exposed. Attackers want these personal details because they can help them access your other accounts and effectively impersonate you (more on that later).</p> <h2 id="stolen-credit-cards-and-other-financial-information">Stolen credit cards and other financial information</h2> <p>Some of your accounts will likely be tied to paid services. In these situations, you’ll likely be asked to enter a credit or debit card. That could be for a subscription, to complete individual orders, <a href="https://blog.1password.com/openai-chatgpt-exposed-api-keys/">or for services like OpenAI</a>, which charge based on your usage.</p> <p>Companies <em>should</em> take appropriate measures to safeguard your financial information. Unfortunately, this isn&rsquo;t always the case. 
Some breaches have exposed customers' financial information before, allowing attackers to make fraudulent transactions.</p> <h2 id="identity-theft-and-impersonation">Identity theft and impersonation</h2> <p>A knock-on effect of a data breach can be impersonation. If an attacker obtains one of your passwords and successfully signs in to the associated account, they might try to use that access to manipulate someone else. A criminal could pose as you and ask someone you know to transfer them money, or share a password for a work-related account.</p> <p>Similarly, if a criminal obtains some of your personal details, like your full name, current address, and date of birth, they can use this to impersonate you. Many companies will ask security questions, for example, that can be answered correctly using this information.</p> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div class="c-technical-aside-box__description"> <p>Tip: Use 1Password to <a href="https://blog.1password.com/orange-facile-glossary-and-other-questions-answered/">create and store random answers to security questions</a>!</p> </div> </aside> <h2 id="how-1password-helps-to-protect-you-against-data-breaches">How 1Password helps to protect you against data breaches</h2> <p>1Password makes security simple. Here&rsquo;s how our password manager helps you minimize and avoid the impact of a data breach:</p> <h3 id="watchtower-protects-you-during-a-data-breach">Watchtower protects you during a data breach</h3> <p>No-one can keep track of every breach happening around the world. With <a href="https://watchtower.1password.com/">Watchtower</a>, you don&rsquo;t have to. 1Password’s digital lookout monitors the world-renowned <a href="https://haveibeenpwned.com/">Have I Been Pwned</a> database and will alert you if any of your saved passwords appear in a known data breach.</p> <p>These notifications ensure you know about relevant breaches as soon as possible. 
Armed with this information, you can update the exposed password to something new, strong and unique, shutting attackers out of the account before they can cause any trouble.</p> <h3 id="1passwords-security-model">1Password’s security model</h3> <p>Okay, but what happens if your password manager has been breached? It&rsquo;s an understandable concern, especially if you’ve read recent headlines. The good news is that if you’re a 1Password customer, <a href="https://blog.1password.com/how-1password-protects-your-data/">there’s nothing you need to do and no reason to worry</a>.</p> <p>If there was an attack on 1Password’s servers, the best an attacker could hope to find is an encrypted copy of your vault data. The criminal wouldn’t be able to read this data without two pieces of information:</p> <ul> <li><strong>Your account password.</strong> This is the password you choose, and the only one you need to remember in order to access your vaults.</li> </ul> <p>Some password managers only rely on an account password to encrypt your data. 1Password goes a step further by utilizing…</p> <ul> <li><strong>Your Secret Key.</strong> It’s an account-specific, 128-bit strong encryption ingredient that contains 34 letters and numbers, separated by dashes. Crucially, your Secret Key is never sent to us in full. We receive only the first eight characters, which are used to identify your account.</li> </ul> <p>Together, your account password and Secret Key form an incredibly strong encryption key that’s challenging – and in practical terms, virtually impossible – for a hacker to crack.</p> <h2 id="the-bottom-line">The bottom line</h2> <p>Breaches do occur, and are likely to continue occurring for the foreseeable future. 
No defense is perfect, which is why security incidents can happen to companies large and small, <a href="https://blog.lastpass.com/2023/03/security-incident-update-recommended-actions/">including those that develop password managers</a>.</p> <p>If you don’t work in security, it can be tempting to bury your head in the sand. But there’s a better choice: be proactive and update exposed passwords before they’re exploited by criminals.</p> <p>With a password manager like 1Password, you can create strong passwords and use two-factor authentication everywhere it’s offered. Our security model also ensures your vault data is effectively useless to attackers, even if they somehow got their hands on it.</p> <p>1Password’s built-in Watchtower also helps you respond to any data breach so you can lock down your accounts before attackers have a chance to do any damage.</p> <p>Don’t wait for a breach to impact your data. Instead, stay secure with just a few simple steps.</p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Secure your digital life with 1Password</h3> <p class="c-call-to-action-box__text"> Organize and secure all your online accounts with 1Password, the world’s most-trusted password manager. Get started today with a free 14-day trial. 
</p> <a href="https://1password.com/pricing/" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Try free for 14 days </a> </div> </section></description></item><item><title>Shell Plugins summer roundup: Pulumi, Cloudflare Workers, and more</title><link>https://blog.1password.com/shell-plugins-summer-2023/</link><pubDate>Tue, 05 Sep 2023 00:00:00 +0000</pubDate><author>info@1password.com (Jason Harris)</author><guid>https://blog.1password.com/shell-plugins-summer-2023/</guid><description> <img src='https://blog.1password.com/posts/2023/shell-plugins-summer-2023/header.png' class='webfeedsFeaturedVisual' alt='Shell Plugins summer roundup: Pulumi, Cloudflare Workers, and more' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction"><a href="https://blog.1password.com/shell-plugins/">1Password Shell Plugins</a> bring one-touch access to programmers' favorite command line interfaces (CLIs). I&rsquo;ll never get tired of cutting steps from what was once a manual process, especially if we can secure that workflow in the process. And that&rsquo;s exactly what shell plugins do.</p> <p>As of this writing, 42 Shell Plugins are now available – and the developer community has written 22 of them! Because they&rsquo;re open source, <a href="https://github.com/1Password/shell-plugins">anyone can write a shell plugin</a> for their favorite CLI. 
In fact, 1Password Engineer Amanda Crawley created a walkthrough to show you how to build one in less than ten minutes:</p> <div style="text-align: center !important;"> <iframe src="https://www.youtube-nocookie.com/embed/XKA2uE0M3IU" frameborder="0" allow="autoplay; encrypted-media" width="500px !important;" height="281px !important;" style="width: 500px !important; height: 281px !important; display: inline-block !important" allowfullscreen></iframe> </div> <p>Let&rsquo;s explore the latest additions: Cloudflare Workers, Snyk, Pulumi, and Laravel.</p> <h2 id="cloudflare-workers">Cloudflare Workers</h2> <p><a href="https://developers.cloudflare.com/workers/">Cloudflare Workers</a> is your web development superpower. It’s like having a team of speedy mini servers all over the world. Instead of living on a distant server, your code runs on &ldquo;edge&rdquo; servers, speeding up your site for visitors. Plus, you control these servers with your own code, written in familiar languages like JavaScript.</p> <p>The <a href="https://developer.1password.com/docs/cli/shell-plugins/cloudflare-workers/">1Password Cloudflare Workers Shell Plugin</a> enables you to securely authenticate to Wrangler, the Cloudflare CLI that’s used to create, test, and deploy your Workers projects. We extend a special thanks to <a href="https://github.com/shyim">Soner Sayakci</a> for contributing the Cloudflare Worker shell plugin.</p> <h2 id="snyk">Snyk</h2> <p><a href="https://snyk.io">Snyk</a> is like a smart security assistant for developers. It watches over your software projects and code to catch any sneaky security holes or problems that could cause trouble. It&rsquo;s all about finding and fixing these issues early, before they turn into big headaches. 
Snyk works right alongside your coding process, helping you make sure your creations are strong and safe.</p> <p>It&rsquo;s like having a guardian for your code, keeping the bad stuff out so you can focus on making awesome things without worrying about surprises.</p> <p>With the <a href="https://developer.1password.com/docs/cli/shell-plugins/snyk/">Snyk 1Password Shell Plugin</a>, the <a href="https://developer.1password.com/docs/cli/">1Password CLI</a> will return a list of credentials you’ve configured to use with Snyk, as well as their default scopes and a list of aliases, configured for Snyk.</p> <h2 id="laravel">Laravel</h2> <p>We’re lucky to have two Laravel CLIs for two different products, <a href="https://forge.laravel.com/">Laravel Forge</a> and <a href="https://vapor.laravel.com/">Laravel Vapor</a>.</p> <p>Let’s start by looking at Laravel Forge, which is a management tool for servers that host Laravel applications. With Forge, you effortlessly deploy and manage servers on various cloud providers such as AWS, Digital Ocean, Linode and more. It provides a friendly interface to configure settings, install software, and handle databases. Forge&rsquo;s automation streamlines tasks like SSL setup, backups, and updates, while tight integration with version control platforms enables easy application deployment.</p> <p>Laravel Vapor is used by developers to deploy Laravel apps on AWS. As your apps’ needs scale, Vapor automates provisioning servers, using Lambda for execution – so you pay for actual usage. If you&rsquo;re a Laravel developer looking for smooth deployment without server worries, Vapor is your go-to, making scaling and managing your apps a breeze.</p> <p>If you’re a Laravel developer, make use of the shell plugins for <a href="https://developer.1password.com/docs/cli/shell-plugins/laravel-forge">Laravel Forge</a> and <a href="https://developer.1password.com/docs/cli/shell-plugins/laravel-vapor">Laravel Vapor</a> for fast and easy authentication. 
Thank you to <a href="https://github.com/andresayej">Andre Sayej</a> who contributed these two Laravel shell plugins.</p> <h2 id="pulumi">Pulumi</h2> <p><a href="https://pulumi.com">Pulumi</a> is a developer favorite because it’s an open-source utility that simplifies and modernizes infrastructure management. With Pulumi, you can define cloud resources using code, in the programming languages you&rsquo;re comfortable with, and then efficiently deploy and manage them across different cloud environments. Pulumi supports cloud providers such as AWS, Azure, Google Cloud, and Kubernetes, and is used to provision, update and manage resources.</p> <p>Being almost entirely controlled using the Pulumi CLI, the <a href="https://developer.1password.com/docs/cli/shell-plugins/pulumi">1Password Pulumi Shell Plugin</a> helps you securely authenticate to Pulumi by keeping credentials in 1Password – not on disk, where they are vulnerable.</p> <p>To see Pulumi and 1Password in action, <a href="https://www.pulumi.com/resources/getting-started-with-1password-and-pulumi/">join us for a live workshop on September 12</a>. Engineers from 1Password and Pulumi will explore how to use the 1Password CLI to manage secrets in a Pulumi workflow.</p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Get started with 1Password and Pulumi</h3> <p class="c-call-to-action-box__text"> Register to learn how to access 1Password secrets from the Pulumi CLI on Tuesday, September 12 at 11 AM ET / 8 AM PT. 
</p> <a href="https://www.pulumi.com/resources/getting-started-with-1password-and-pulumi/" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Register now </a> </div> </section></description></item><item><title>4 reasons why Visma chose 1Password as its enterprise password manager</title><link>https://blog.1password.com/visma-enterprise-password-manager-interview/</link><pubDate>Mon, 04 Sep 2023 00:00:00 +0000</pubDate><author>info@1password.com (Stacey Harris)</author><guid>https://blog.1password.com/visma-enterprise-password-manager-interview/</guid><description> <img src='https://blog.1password.com/posts/2023/visma-enterprise-password-manager-interview/header.png' class='webfeedsFeaturedVisual' alt='4 reasons why Visma chose 1Password as its enterprise password manager' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Why do businesses choose 1Password over other options on the market? <a href="https://1password.com/resources/total-economic-impact-of-1password-business/">We have a few ideas</a> but thought it would be better to ask one of our customers directly.</p> <p><a href="https://www.visma.com/">Visma</a> is a European powerhouse that builds software for schools, governments, accounting departments, and more. 
They often acquire other software companies, which means they’re constantly onboarding new employees and teaching them about their security policies.</p> <p><a href="https://www.linkedin.com/in/vlad-boldura-7b6a1655/?originalSubdomain=ro">Vlad Boldura</a>, security manager at Visma, and Daytona Earley, customer success manager at 1Password, joined the <a href="https://randombutmemorable.simplecast.com/">Random but Memorable</a> podcast to discuss:</p> <ul> <li>Why Visma chose 1Password.</li> <li>How they successfully rolled it out across the organization.</li> <li>The expected, and unexpected impact 1Password has made since implementation.</li> </ul> <p>Read the interview below or <a href="https://randombutmemorable.simplecast.com/episodes/wannabe-barbie-watchtower-craze">listen to the full episode</a> on your podcast app of choice.</p> <div class="c-simplecast-embed"> <iframe class="c-simplecast-embed__iframe" title="1Password Random but Memorable Podcast" width="100%" frameborder="no" scrolling="no" seamless src="https://player.simplecast.com/571e0820-de9f-41c3-95eb-07276bd81e20?dark=false"></iframe> </div> <p><a href="https://randombutmemorable.simplecast.com/episodes/wannabe-barbie-watchtower-craze">Listen to episode 112 ›</a></p> <p><strong>Michael “Roo” Fey: Can you tell us about the importance of cybersecurity and credential security at Visma?</strong></p> <p><strong>Vlad Boldura:</strong> The focus on security in Visma is top-notch. Since we build mission-critical systems, security is built into the heart of these products. You can imagine how important it is for data to be secure in the public sector, like in schools, defense, public transportation, accounting, or any area that handles personal sensitive information.</p> <p>Whatever applications we build, we need to make sure we build them securely and correctly. Credential security is especially important these days. 
After being in the industry for so long, we realized that building bigger, better walls, or more and more advanced tools, or scanning more and more often wasn&rsquo;t the way to go.</p> <p>There’s a very important aspect in security these days: many hacks and breaches begin with credential theft. We realized that we need to invest in this area and not have it as a blind spot.</p> <p><strong>MF: How did you manage password security prior to 1Password, and what were some of the pain points with how you were doing it before?</strong></p> <p><strong>VB:</strong> We had a password policy and all the standard stuff that you would expect in an enterprise customer. But we really didn&rsquo;t have a centralized solution. The biggest pain point was the lack of visibility.</p> <p>If you don&rsquo;t have a solution like 1Password deployed in your enterprise, you have no idea about the level of the problem you have with passwords.</p> <p>You don’t know how many passwords are being reused, how your employees are sharing credentials, if they&rsquo;re sharing insecurely through text messages or if they&rsquo;re putting sticky notes on their monitors with admin passwords. We had no idea about these things.</p> <blockquote> <p><em>&ldquo;If you don&rsquo;t have a [password manager], you have no idea about the level of the problem you have with passwords.&quot;</em></p> </blockquote> <p>Credential and secret sharing for our technical teams – which includes 6,000 developers, as well as DevOps teams and IT teams – was cumbersome. 
We found out that our average engineer had around 150 to 200 logins that they used every week, and sharing between teams was a complicated process.</p> <p><strong>MF: What was it that made you choose 1Password?</strong></p> <p><strong>VB:</strong> We had a thorough due diligence process and eventually chose 1Password for four reasons:</p> <ol> <li> <p><strong>The varying level of <a href="https://1password.com/product/features">features in 1Password</a>.</strong> It&rsquo;s a tool that can help the most advanced developers solve their problems. It’s also useful to the least technical person you can find among Visma’s 18,000 employees. That was really important to us.</p> </li> <li> <p><strong>The ease of use post-setup.</strong> We found other password managers that were maybe easier to set up but not easy to use day in, day out. We wanted a solution that worked day in, day out with as few problems as possible.</p> </li> <li> <p><strong>The <a href="https://1password.com/security/">security</a>.</strong> We analyzed a bunch of security white papers and made a very good choice with 1Password. Two years on (since we adopted it), the inbuilt security of your password manager still stands. When we see breaches around the industry, 1Password has none.</p> </li> <li> <p><strong>The good <a href="https://support.1password.com/">support structure</a> and client focus.</strong> The customer success management tool you have is really up to speed. 
If we need help, the 1Password team is right there for us.</p> </li> </ol> <p><strong>MF: And Daytona, what’s your role as a customer success manager?</strong></p> <p><strong>Daytona Earley:</strong> I’m here to ensure that the customer, in this case Visma, is getting the most from their investment and achieving their value milestones that align with their strategic priorities.</p> <p>We act as a trusted advisor and the main point of contact – connecting customers with the right internal 1Password experts including our sales engineers, solution architects, and product onboarding.</p> <p>We&rsquo;re helping customers move the needle towards the goals they want to achieve.</p> <p><strong>MF: How have you supported Visma since they&rsquo;ve deployed 1Password?</strong></p> <p><strong>DE:</strong> It&rsquo;s a team effort. We celebrate their successes both with Visma and internally at 1Password. For instance, we connected Vlad with 1Password’s product teams so we can understand what new features would most benefit Visma’s employees.</p> <p>We&rsquo;ve also partnered on security initiatives including presentations about 1Password and password management, password hygiene, and more.</p> <p><strong>MF: Vlad, what impact has 1Password had inside your organization?</strong></p> <p><strong>VB:</strong> The impact has been a lot wider than even I expected. I have fewer worries about bad passwords. We see from the security insights function if we have passwords that have been found in data breaches and if we have reused passwords in our shared vaults. It&rsquo;s really beneficial for our security posture.</p> <p>We have more visibility into our overall password security, so we have an idea about what&rsquo;s happening. 
Even if it&rsquo;s good or bad, we at least know where to put our efforts to improve it, which is always great in security.</p> <blockquote> <p><em>&ldquo;We have more visibility into our overall password security.&quot;</em></p> </blockquote> <p>One of the benefits I really didn&rsquo;t expect after deploying 1Password was a better understanding of our own company and environment. Trying to deploy a relatively user-friendly tool to everybody in the company regardless of where they work, what their level of technical knowledge is, and if they were ever involved in using security tools before – that really opened some eyes in the company about the value of using a password manager.</p> <p><strong>MF: Is there a 1Password feature that is your favorite or that adds the most value to Visma as a business?</strong></p> <p><strong>VB:</strong> My personal favorite is <a href="https://watchtower.1password.com/">Watchtower</a> because it&rsquo;s a unique way of improving your personal security while also feeling like you&rsquo;re playing a game. We even had a contest around this in Visma last year during <a href="https://cybersecuritymonth.eu/">European Cybersecurity Month</a>. I basically gave out swag to the people inside the company that could share the highest Watchtower score with me!</p> <p>I was extremely thrilled to have six emails from the same person sharing one higher score after the other. They were telling me, &ldquo;Hey, I found two more weak passwords, I just changed them and I upped my Watchtower score by two points. Can you put this new score in the contest?&rdquo;</p> <blockquote> <p><em>&ldquo;I was thrilled to have six emails from the same person sharing one higher Watchtower score after the other.&quot;</em></p> </blockquote> <p>That&rsquo;s my personal favorite, both for business and for personal use. 
But the close second in Visma is the ability to create shared vaults.</p> <p><strong>MF: If there was one reason to recommend 1Password, what would it be?</strong></p> <p><strong>VB:</strong> 1Password is the best mix out there between ease of use and security. That mix is never easy. Usually the more security you have, the more cumbersome it is to use. It’s great to have a password manager that offers state-of-the-art security, but is also easy to use on whatever platform you choose to do it from, like your browser, workstation, or phone.</p> <p>I think 1Password has a mix that you can&rsquo;t find elsewhere in the market.</p> <p><strong>MF: Where can people go to follow you or find out more about Visma?</strong></p> <p><strong>VB:</strong> We have a lot of information on <a href="https://www.visma.com/">our website</a> about who we are and what we&rsquo;re doing. We recently launched our new <a href="https://www.visma.com/trust-centre">trust center</a> for anybody that wants to see all the cool things that Visma is doing around security.</p> <p>We&rsquo;re really active on social media, so you can follow both <a href="https://www.linkedin.com/in/vlad-boldura-7b6a1655/?originalSubdomain=ro">myself</a> and <a href="https://www.linkedin.com/company/visma">Visma</a> on LinkedIn, <a href="https://www.instagram.com/vismasolutions/?hl=en">Instagram</a> and <a href="https://www.facebook.com/vismagroup/">Facebook</a>. We regularly post business stuff and security stuff, as well as other great campaigns we&rsquo;re a part of. 
And if you&rsquo;re ever in Europe, we have an office or a company almost everywhere on the continent.</p> <p><em>Editor’s note: This interview has been lightly edited for clarity and brevity.</em></p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Subscribe to Random but Memorable</h3> <p class="c-call-to-action-box__text"> Listen to the latest news, tips and advice to level up your security game, as well as guest interviews with leaders from the security community. </p> <a href="https://randombutmemorable.simplecast.com/" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Subscribe to our podcast </a> </div> </section></description></item><item><title>We're open-sourcing the library that powers 1Password's ability to log in with a passkey</title><link>https://blog.1password.com/passkey-crates/</link><pubDate>Mon, 28 Aug 2023 00:00:00 +0000</pubDate><author>info@1password.com (René Léveillé)</author><guid>https://blog.1password.com/passkey-crates/</guid><description> <img src='https://blog.1password.com/posts/2023/passkey-crates/header.png' class='webfeedsFeaturedVisual' alt='We're open-sourcing the library that powers 1Password's ability to log in with a passkey' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">You may have heard that 1Password beta testers can sign into <a href="https://blog.1password.com/save-sign-in-passkeys-1password/">websites using passkeys stored in their vaults</a>. 
We’re actively developing the internal library powering passkey authentication, and now we’re open-sourcing it!</p> <p>You can use the same <a href="https://crates.io/crates/passkey">passkey crate</a> that powers 1Password&rsquo;s authenticator to develop a <a href="https://www.w3.org/TR/webauthn-3/">WebAuthn</a> client and/or authenticator. The <code>passkey v0.1.0</code> crate is an easy access crate that doesn&rsquo;t implement anything itself. Instead, it re-exports the other crates as modules:</p> <ul> <li><a href="https://crates.io/crates/passkey-authenticator">passkey-authenticator</a></li> <li><a href="https://crates.io/crates/passkey-client">passkey-client</a></li> <li><a href="https://crates.io/crates/passkey-transports">passkey-transports</a></li> <li><a href="https://crates.io/crates/passkey-types">passkey-types</a></li> </ul> <p>We&rsquo;re also open-sourcing our <a href="https://crates.io/crates/public-suffix">public-suffix</a> library, which is based on the one from the Go standard library. Before setting off any language wars, please read the FAQ below for the reasons why.</p> <p>All of these libraries are released at version 0.1 as they are still in relatively heavy development to support <a href="https://developer.android.com/jetpack/androidx/releases/credentials">Android 14&rsquo;s new credentials library</a> and <a href="https://developer.apple.com/documentation/authenticationservices">Apple&rsquo;s updated Authentication Services APIs</a>, which will release with iOS 17. We are also planning on adding more features and making the API easier to use, so we expect breaking changes to happen fairly frequently as we continue to develop and polish the passkey features.</p> <p>To get a feel for how it works, you can try it out on any of the websites in <a href="https://passkeys.directory/">passkeys.directory</a> by starting a <a href="https://1password.com/business-pricing">free 14-day trial</a>. 
Or if you maintain an open-source project, you can apply for a <a href="https://github.com/1Password/1password-teams-open-source">free team account</a>.</p> <p>Now let me answer a few questions which I&rsquo;m certain your fingers are itching to ask in the comments.</p> <h2 id="why-not-use-webauthn-rs">Why not use webauthn-rs?</h2> <p>Let me preface the following by saying that this library is very well-written and I highly recommend it if you are implementing a rust-powered website backend. It makes the setup so easy. It&rsquo;s even what powered our <a href="https://www.future.1password.com/passkeys/">passkey demo website</a> for a while. When we started out building this feature we began with a fork, until we hit the following issues.</p> <h3 id="typeshare">Typeshare</h3> <p>Not long ago, we <a href="https://blog.1password.com/typeshare-for-rust/">open-sourced Typeshare</a>. We use this utility throughout our codebase to communicate between our Rust core and all our front-ends. Naturally we want to use this to pass the requests from the browser extension’s TypeScript to the Rust core compiled to WASM.</p> <p>For the code-gen to work, the annotation needs to be defined on the type definition and that definition needs to be in-tree. So a hard fork is necessary to set typeshare on all the types without having to redefine these in TypeScript. We also can’t use the ones defined in the <a href="https://developer.mozilla.org/en-US/docs/Web/API/CredentialsContainer/create#web_authentication_api">Web APIs</a> as they’re defined with <a href="https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/ArrayBuffer">ArrayBuffers</a> for all the array types. 
These can’t simply be serialized with <a href="https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/JSON/stringify">JSON.stringify</a>, so we have to convert the types to something that can be serialized for Typeshare to work.</p> <h3 id="wasm-compatibility">WASM compatibility</h3> <p>We use <a href="https://dteare.medium.com/behind-the-scenes-of-1password-for-linux-d59b19143a23">Rust at the core of all our client applications</a>, including the browser extension through WASM. Unfortunately, <code>webauthn-rs</code> uses OpenSSL as their cryptographic library, and the Rust wrapper <a href="https://github.com/sfackler/rust-openssl/issues/1016">doesn&rsquo;t officially support WASM</a>. Not only that, but we already bundle <code>ring</code> and other RustCrypto libraries, so why bundle a third library – especially when WASM has a set limit of methods it can have in a bundle? We try our best to keep that number as low as possible.</p> <p>Forking the library and replacing the cryptography library isn&rsquo;t hard though, and that&rsquo;s what we initially did! Until we hit the next issue.</p> <h3 id="ctap2-support">CTAP2 support</h3> <p>There are a multitude of FIDO-defined specifications for authenticators. There&rsquo;s U2F, UAF and CTAP. We&rsquo;re interested in the first and last. <a href="https://web.archive.org/web/20220520201808/https://fidoalliance.org/specs/fido-u2f-v1.2-ps-20170411/fido-u2f-overview-v1.2-ps-20170411.html">Universal 2nd Factor (U2F)</a> is one of the first specifications for WebAuthn authenticators, and it’s easy to implement. 
The issue is that development has concluded in favor of the <a href="https://fidoalliance.org/specs/fido-v2.1-ps-20210615/fido-client-to-authenticator-protocol-v2.1-ps-errata-20220621.html">Client To Authenticator Protocol (CTAP2)</a>, where the <em>2</em> in <em>CTAP2</em> indicates the version, which can be thought of as a successor to U2F.</p> <p>So what does this have to do with <code>webauthn-rs</code>? At the time, in summer 2022, <code>webauthn-authenticator-rs</code> only really implemented U2F. The issue with this is that passkeys are a credential type that was developed to only support CTAP2. We would have to write an entirely new implementation. We could have upstreamed this new implementation to <code>webauthn-rs</code>, but we would still be stuck with a fork to replace the cryptography. So we developed our own library.</p> <p>This turned out to be a good choice, since now it could fit nicely with the architecture of our existing codebase instead of being full of workarounds. This also allowed us to grow the library organically to fit our changing needs instead of worrying about keeping the fork compatible with an upstream version. This is a big reason why, when we learned that CTAP2 was being worked on in <code>webauthn-rs</code>, we opted to stick with our implementation instead.</p> <h2 id="why-not-use-psl">Why not use psl?</h2> <p>The public suffix list (<a href="https://github.com/addr-rs/psl">psl</a>) library is indeed used by a lot of people and existing libraries. It even has a variant that allows you to dynamically load a new list if you have custom changes, which we do for our browser auto-filling features. The difference comes down to the codegen.</p> <h3 id="wasm-compatibility-1">WASM compatibility</h3> <p>Since the <code>psl</code> crate is pure Rust, it compiles to WASM seamlessly&hellip; until you compile it as part of a large application bundle. 
As soon as we added the crate to our dependency tree, we broke WASM compilation by hitting the method number limit we mentioned regarding bundling OpenSSL. The issue stems from the fact that the codegen for the <code>psl</code> crate creates a method for each item in that list. They&rsquo;re marked with the <code>#[inline]</code> attribute, but our best guess is that the compiler decided to ignore those.</p> <h3 id="performance">Performance</h3> <p>Our very unscientific bench test showed significant latency in our suggestions for autofill when using <code>psl</code> in comparison to our previous <code>public-suffix</code> implementation, which has been driving our domain extraction since the inception of 1Password 8. As mentioned earlier, this is based on the Go version, which uses a highly optimized lookup table. This gives us the performance we need to give suggestions at an acceptable speed, all while only adding six methods to our WASM bundle.</p> <p>For these reasons, we decided it would be less work to open-source our implementation and use that as a dependency in <code>passkey-client</code> rather than trying to make <code>psl</code> work for our context.</p> <h2 id="get-started-with-passkey-rs">Get started with passkey-rs</h2> <p>If you want to get a feel for how <code>passkey</code> works, check out our <a href="https://github.com/1Password/passkey-rs/blob/main/passkey/examples/usage.rs">example</a>, or try using it yourself by adding <code>passkey = "0.1"</code> to your project’s <code>Cargo.toml</code>. 
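<p>Why does a WebAuthn client such as <code>passkey-client</code> need a public suffix list at all? The WebAuthn spec (section 5.1.3, step 7) requires the client to refuse a relying party ID unless it equals the caller&rsquo;s effective domain or is a <em>registrable</em> domain suffix of it, and the HTML spec defines &ldquo;registrable&rdquo; as &ldquo;not itself a public suffix&rdquo;. Without that rule, a page on <code>attacker.co.uk</code> could mint credentials scoped to <code>co.uk</code> and share them with every site under that suffix. The following is an added, self-contained illustration of that check; it is not code from passkey-rs or the <code>public-suffix</code> crate, and the five-entry suffix list, the <code>RpIdError</code> type and the function names are constructed for this example:</p>

```rust
// Added example: validating a WebAuthn relying party ID against the caller's
// origin, the check that makes a public suffix list a hard dependency of any
// WebAuthn client. Illustrative code only, not passkey-rs or the public-suffix
// crate. Runs with the standard library alone.

/// Constructed, abbreviated stand-in for the Public Suffix List. The real list
/// has thousands of rules plus wildcard ("*.ck") and exception ("!www.ck")
/// rules, which this toy deliberately omits.
const TOY_PUBLIC_SUFFIXES: &[&str] = &["com", "uk", "co.uk", "io", "github.io"];

#[derive(Debug, PartialEq)]
pub enum RpIdError {
    /// Origin is not https:// (or http://localhost), so WebAuthn must refuse it.
    InsecureOrigin,
    /// Origin has no parseable host component.
    MalformedOrigin,
    /// rpId is neither equal to nor a dot-separated suffix of the origin's host.
    NotSuffixOfOrigin,
    /// rpId is itself a public suffix (e.g. "co.uk"): credentials scoped to it
    /// would be shared by every site under that suffix.
    PublicSuffix,
}

/// Is `domain` a public suffix under the toy list? Exact-match lookup only.
fn is_public_suffix(domain: &str) -> bool {
    TOY_PUBLIC_SUFFIXES.iter().any(|s| *s == domain)
}

/// Extract the lower-cased host from an origin such as
/// "https://login.example.co.uk:8443". Only https origins are accepted, with
/// the usual localhost development exception. IPv6 literals are out of scope.
fn origin_host(origin: &str) -> Result<String, RpIdError> {
    let (scheme, rest) = origin.split_once("://").ok_or(RpIdError::MalformedOrigin)?;
    // Drop any path, then any port.
    let host = rest.split('/').next().unwrap_or("").split(':').next().unwrap_or("");
    if host.is_empty() {
        return Err(RpIdError::MalformedOrigin);
    }
    let host = host.to_ascii_lowercase();
    match scheme {
        "https" => Ok(host),
        "http" if host == "localhost" || host.ends_with(".localhost") => Ok(host),
        _ => Err(RpIdError::InsecureOrigin),
    }
}

/// WebAuthn 5.1.3 step 7: `rp_id` must equal the origin's effective domain or
/// be a registrable domain suffix of it. Returns the normalised RP ID.
pub fn validate_rp_id(origin: &str, rp_id: &str) -> Result<String, RpIdError> {
    let host = origin_host(origin)?;
    let rp_id = rp_id.to_ascii_lowercase();
    // Suffix match must respect label boundaries: "example.co.uk" is a suffix
    // of "login.example.co.uk" but "ample.co.uk" is not.
    if rp_id != host && !host.ends_with(format!(".{rp_id}").as_str()) {
        return Err(RpIdError::NotSuffixOfOrigin);
    }
    if is_public_suffix(&rp_id) {
        return Err(RpIdError::PublicSuffix);
    }
    Ok(rp_id)
}

/// When a relying party omits rp.id, the client defaults to the origin's
/// effective domain. That is valid unless the host is itself a public suffix,
/// e.g. a page served directly from "https://github.io".
pub fn default_rp_id(origin: &str) -> Result<String, RpIdError> {
    let host = origin_host(origin)?;
    validate_rp_id(origin, &host)
}

fn main() {
    let cases = [
        ("https://login.example.co.uk", "example.co.uk"),
        ("https://login.example.co.uk", "login.example.co.uk"),
        ("https://login.example.co.uk", "co.uk"),
        ("https://login.example.co.uk", "evil.co.uk"),
        ("https://alice.github.io", "github.io"),
        ("http://login.example.com", "example.com"),
        ("http://localhost:3000", "localhost"),
    ];
    for (origin, rp_id) in cases {
        println!("{origin:30} rpId={rp_id:22} -> {:?}", validate_rp_id(origin, rp_id));
    }
}
```

<p>The two rejections worth noticing are <code>co.uk</code> and <code>github.io</code>: both are genuine suffixes of the origin&rsquo;s host, so a naive <code>ends_with</code> check would accept them, and only the public suffix lookup turns them away. A production client also needs the wildcard and exception rules of the real list, which is the part the <code>public-suffix</code> crate&rsquo;s lookup table handles and this toy does not.</p>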
Or if you only want to use a single part, check out any of the sublibraries we’re announcing today:</p> <ul> <li><a href="https://crates.io/crates/passkey">passkey</a> v0.1.0</li> <li><a href="https://crates.io/crates/passkey-authenticator">passkey-authenticator</a> v0.1.0</li> <li><a href="https://crates.io/crates/passkey-client">passkey-client</a> v0.1.0</li> <li><a href="https://crates.io/crates/passkey-transports">passkey-transports</a> v0.1.0</li> <li><a href="https://crates.io/crates/passkey-types">passkey-types</a> v0.1.1</li> <li><a href="https://crates.io/crates/public-suffix">public-suffix</a> v0.1.0</li> </ul> <p>If you just want to read code, browse the <a href="https://github.com/1Password/passkey-rs">source code on GitHub</a> where you can also see our other open-source libraries like <a href="https://github.com/1Password/typeshare">Typeshare</a>. If you find anything or simply want to collaborate, reach out by creating an issue or a pull request on the repository.</p></description></item><item><title>Why protecting 1Password with a passkey is just as secure as a password and Secret Key</title><link>https://blog.1password.com/passkey-secret-key-account-security/</link><pubDate>Fri, 25 Aug 2023 00:00:00 +0000</pubDate><author>info@1password.com (Nick Summers)</author><guid>https://blog.1password.com/passkey-secret-key-account-security/</guid><description> <img src='https://blog.1password.com/posts/2023/passkey-secret-key-account-security/header.png' class='webfeedsFeaturedVisual' alt='Why protecting 1Password with a passkey is just as secure as a password and Secret Key' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction"><a href="https://blog.1password.com/toward-better-master-passwords/">Account password</a>. <a href="https://blog.1password.com/what-the-secret-key-does/">Secret Key</a>. These two pieces of information have been the backbone of 1Password&rsquo;s security model for years. 
The Secret Key in particular is what makes 1Password fundamentally different to other password managers, and why you can be confident that your data is always safe, <a href="https://blog.1password.com/how-1password-protects-your-data/">even if someone breached our servers</a>.</p> <p>Now, we&rsquo;re introducing the ability to <a href="https://blog.1password.com/unlock-1password-with-passkeys/">create and unlock a 1Password account with a passkey</a>. (It&rsquo;s currently in <a href="https://blog.1password.com/unlock-passkey-private-beta/">private beta</a>, and we&rsquo;re working on a version that&rsquo;s ready for everyone.) This is a big and exciting change, to put it mildly, that will streamline the experience of using 1Password for many people.</p> <p>But it also raises the question: Does a passkey offer the same level of protection as 1Password&rsquo;s existing account password and Secret Key combo?</p> <p>The short answer is yes. While the two solutions protect your 1Password account in slightly different ways, they both offer <em>excellent</em> security. So whichever option you choose, you can rest easy knowing your data is well protected.</p> <h2 id="how-your-account-password-and-secret-key-secure-your-1password-account">How your account password and Secret Key secure your 1Password account</h2> <p>First, let&rsquo;s recap how 1Password&rsquo;s traditional security model works. To sign in to your account and access your data on a new device, you need to provide your account password and your Secret Key.</p> <p><strong>Your account password</strong> is chosen by you. It&rsquo;s the only password you need to remember once you&rsquo;ve saved all of your other credentials in 1Password.</p> <p>Your account password is never stored by or visible to us. So if an attacker <em>somehow</em> breached our servers, they wouldn&rsquo;t find your account password. 
That means the thief couldn’t unscramble your encrypted data using what they had found on our servers.</p> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div class="c-technical-aside-box__description"> <p>Learn more about <a href="https://support.1password.com/strong-account-password/">how to pick a strong account password</a>.</p> </div> </aside> <p>Unlike some other password managers, we don&rsquo;t rely solely on the strength of your account password to protect your private data. That&rsquo;s why we also use…</p> <p><strong>Your Secret Key.</strong> It’s an account-specific, 128-bit strong encryption ingredient that contains 34 letters and numbers, separated by dashes. Crucially, it&rsquo;s never sent to us in full. We receive only the first eight characters, which are used to identify your account.</p> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div class="c-technical-aside-box__description"> <p>Learn more about <a href="https://support.1password.com/secret-key-security/">the Secret Key and how it protects your private data</a>.</p> </div> </aside> <p><strong>Your account password and Secret Key are combined to create the full encryption key that secures your data.</strong> The result? Increased security that doesn&rsquo;t impact the day-to-day convenience of signing in and unlocking 1Password. You only have to memorize one piece of information – your account password – but get the protection of an encryption key that&rsquo;s been strengthened by your Secret Key.</p> <p>Thanks to that additional encryption ingredient, your encryption recipe has more than 128 bits of entropy. 
(If you haven&rsquo;t come across the term before, <a href="https://csrc.nist.gov/glossary/term/entropy">entropy</a> is used to measure how unpredictable something is.)</p> <p>That level of unpredictability makes it difficult – and in practical terms, virtually impossible – for an attacker to crack using a <a href="https://blog.1password.com/what-is-a-brute-force-attack-and-whats-the-best-defense/">brute force attack</a>, which relies on trial and error. There are simply too many combinations that your encryption key <em>could be</em>.</p> <h2 id="how-a-passkey-secures-your-1password-account">How a passkey secures your 1Password account</h2> <p>Now that we&rsquo;ve covered 1Password&rsquo;s traditional security model, we can compare it to the protection you get from a passkey.</p> <p>When you unlock 1Password with a passkey, the process is different from using an account password and Secret Key. There are still two parts involved but there&rsquo;s nothing to create or memorize.</p> <p>Here&rsquo;s a quick refresher on <a href="https://blog.1password.com/what-are-passkeys/">how passkeys work</a>: Behind every passkey is a private key and a public key. They&rsquo;re mathematically linked to one another, so you can&rsquo;t use your private key in conjunction with someone else&rsquo;s public key. It would be like jamming a stranger&rsquo;s key into the lock on your front door.</p> <p>Passkeys are also specific to the app, website, or service you&rsquo;re signing in to. So if you create a passkey for a food delivery app, you can&rsquo;t use that same passkey to sign in to your banking app.</p> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div class="c-technical-aside-box__description"> <p>Learn more about <a href="https://blog.1password.com/passkeys-faqs/">passkeys and how they work by reading our FAQs</a>!</p> </div> </aside> <p>What does this mean in the context of 1Password? 
If you choose to secure your 1Password account with a passkey, the public key is kept on our servers. This public key is useless without its corresponding private key. So if an attacker somehow broke into our infrastructure, they wouldn&rsquo;t find everything required to sign in to your account and read your data.</p> <p>Crucially, your private key is never shared with 1Password. It&rsquo;s just that – private. The upside of this system, which is known as <a href="https://blog.1password.com/what-is-public-key-cryptography/">public-key cryptography</a>, is that you can prove you own the private key without ever sharing it. The private key is stored on your device unless you securely sync passkeys across devices.</p> <p>When you sign in to 1Password with a passkey, you don&rsquo;t have to type out or enter anything. Instead, you’ll be asked to provide your biometrics, or enter your device’s passcode. Next, your device uses the private key to sign a &lsquo;challenge&rsquo; – a random, single-use value that 1Password&rsquo;s servers issue for that sign-in – and 1Password verifies the signature with your public key. Because the private key stays on your devices rather than travelling to our servers, there is nothing for an attacker to intercept in transit, and a signature over one challenge can&rsquo;t be replayed to answer another.</p> <p>Passkeys are also really, really hard to crack. There&rsquo;s a lot of complicated math that goes into the key generation process (<a href="https://arstechnica.com/information-technology/2013/10/a-relatively-easy-to-understand-primer-on-elliptic-curve-cryptography/">read this article</a> if you want to learn more). 
But the bottom line is there are a mind-boggling number of possible permutations, and this is what makes passkeys so hard to crack.</p> <h2 id="which-is-more-secure-a-passkey-or-an-account-password-and-secret-key">Which is more secure: a passkey, or an account password and Secret Key?</h2> <p>Both options provide the level of security you expect from 1Password.</p> <p>It&rsquo;s true that the security models underpinning passkeys and our classic &lsquo;account password plus Secret Key&rsquo; combination are different. But the important thing to remember is <strong>they both provide a truly incredible level of protection for your most important data</strong>. That&rsquo;s why we&rsquo;re confident about adding passkeys as an option to create and unlock your 1Password account.</p> <p>The account password and Secret Key will continue to be an option. If you&rsquo;re happy with our existing security model, you don&rsquo;t have to change anything. When we release the ability to unlock 1Password with a passkey to everyone, you&rsquo;ll have the choice to:</p> <ul> <li><strong>Unlock your 1Password account with a passkey.</strong></li> <li><strong>Continue using an account password and Secret Key.</strong></li> <li><strong>Use both options in tandem.</strong> So you can use a passkey on devices where it makes sense for you, and your account password and Secret Key in other scenarios.</li> </ul> <h2 id="the-bottom-line">The bottom line</h2> <p>One of the many reasons why people choose 1Password is because of its security model. Together, the account password and Secret Key give your passwords and other sensitive data the protection they deserve.</p> <p>Your private data will always be just that: private. We pride ourselves on our high security standards and only introduce new functionality when we&rsquo;re sure it will enhance them.</p> <p>The bottom line is that we believe in passkeys as the future of authentication. 
Unlocking your 1Password account with a passkey is not only secure but convenient because you no longer have to memorize an account password, or look after a Secret Key.</p> <p>Whatever method you choose to secure your 1Password account, you can feel safe in the knowledge that your data is locked down tight.</p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Subscribe to our passwordless newsletter</h3> <p class="c-call-to-action-box__text"> Get our latest passkey updates delivered right to your inbox, as well as guides, interviews, and other interesting articles about the next generation of sign-in technology. </p> <a href="https://1password.com/passwordless-news/" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Subscribe to Beyond Passwords </a> </div> </section></description></item><item><title>Introducing a new way to try experimental 1Password features</title><link>https://blog.1password.com/labs-experimental-features/</link><pubDate>Thu, 24 Aug 2023 00:00:00 +0000</pubDate><author>info@1password.com (Matt Grimes)</author><guid>https://blog.1password.com/labs-experimental-features/</guid><description> <img src='https://blog.1password.com/posts/2023/labs-experimental-features/header.png' class='webfeedsFeaturedVisual' alt='Introducing a new way to try experimental 1Password features' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">We&rsquo;re incredibly excited to introduce labs, a new space in the 1Password apps that lets customers test new experimental features to help influence the future of 1Password.</p> <p>These experimental features will be in the early stage of development, so we can collect valuable feedback from customers like you. 
You hold the power to enable or disable each of these features, putting you in full control of your 1Password experience.</p> <h2 id="why-are-we-adding-this-to-1password">Why are we adding this to 1Password?</h2> <p>We have a lot of great ideas that come up from customer feedback, the community forums, and social media. We’d like to explore more of these ideas before committing to bringing a new feature to 1Password. This way we know if we should continue to invest time and energy into a project or, sometimes more importantly, if we should move on to something else that better suits the needs of our customers.</p> <p>Labs lets us share early prototypes and new product explorations to every 1Password customer, so you’ll be able to tell us if we should keep working on them. While we’ve been leading the industry in passkeys and passwordless, there’s so much more we’re innovating on that we want to share with you!</p> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div class="c-technical-aside-box__description"> <p><strong>What&rsquo;s the difference between labs and the beta prereleases of 1Password?</strong></p> <p>The <a href="https://support.1password.com/betas/">beta versions</a> of the 1Password apps are for validation and feedback from a more technical audience that can provide detailed bug reports. If we&rsquo;ve added a feature to a beta release, it’s because we want to make sure it&rsquo;s going to work as expected without causing any issues. We already know we want to bring the feature to 1Password, we just have to test carefully before doing so!</p> <p>Labs is for potential features we want to try, but haven’t validated yet. We want to make sure you find value in the feature before investing the time implementing it, so it’s a little more unpolished. 
Once we have an answer, we can move to a beta version where we&rsquo;ll work on fixing any bugs or issues.</p> </div> </aside> <h2 id="how-long-will-experimental-features-run">How long will experimental features run?</h2> <p>Labs is intended to help us innovate and make decisions faster, so experimental features will run for no longer than a few months. Our aim is to quickly identify the features that provide the most value to our customers, so we can focus on releasing them faster.</p> <h2 id="how-do-we-know-if-experimental-features-went-well">How do we know if experimental features went well?</h2> <p>One of our goals is to quickly improve the features we introduce to 1Password, so we&rsquo;ll be carefully tracking the performance of each experimental feature by:</p> <ul> <li>Providing a link to feedback forms for each experimental feature to capture customer insights.</li> <li>Creating community threads for each feature under the <a href="https://1password.community/categories/labs">new labs category</a> so that we can hear directly from you and answer any questions.</li> </ul> <p>If an experimental feature has successfully gathered enough positive feedback, the feature will progress through the beta 1Password apps and eventually be officially released into all 1Password apps.</p> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div class="c-technical-aside-box__description"> <p>Remember, these are unreleased, experimental features. Instead of providing direct support, our goal is to gather valuable insights by collecting feedback about your experience through our <a href="https://1password.community/categories/labs">1Password Community</a> threads and feedback forms.</p> </div> </aside> <h2 id="how-do-you-try-experimental-features">How do you try experimental features?</h2> <p>In the 1Password mobile and desktop apps under <strong>Settings</strong>, you&rsquo;ll find a new <strong>Labs</strong> tab. 
Select <strong>Labs</strong>, and you&rsquo;ll see a list of all available experimental features. From there, you can easily toggle each feature on or off at any time.</p> <img src='https://blog.1password.com/posts/2023/labs-experimental-features/1password-labs.jpg' alt='A screenshot of the 1Password app&#39;s Settings menu with the Labs tab highlighted.' title='A screenshot of the 1Password app&#39;s Settings menu with the Labs tab highlighted.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <h2 id="the-first-experimental-feature-default-details">The first experimental feature: default details</h2> <p>For our first experimental feature, we’re addressing a piece of feedback we&rsquo;ve received frequently in the past. It can be a hassle to sort through a long list of identity items (like your name, birthdate, address, phone number, and more), email addresses, or credit cards when you’re autofilling a form field.</p> <p>That&rsquo;s why we&rsquo;re introducing default details. This experimental feature will give you the ability to claim a preferred identity and a preferred payment card. Whenever you need to fill that information in, those set details will take the top position in the suggested list via 1Password in the browser to help you autofill even faster. It&rsquo;s a clean, simple, and high-value solution that we think you&rsquo;ll love! You can choose your default details in any 1Password app and begin testing right away when you autofill information on your desktop or iOS. 
The autofill functionality for default details on 1Password for Android will be available soon.</p> <p>We can’t wait to hear your feedback as you try out new experimental features and work with us to make 1Password even better at simplifying your digital life.</p></description></item><item><title>Easily govern how and where teams use 1Password from the new policies page</title><link>https://blog.1password.com/policies-update/</link><pubDate>Tue, 15 Aug 2023 00:00:00 +0000</pubDate><author>info@1password.com (Tyler Durkin)</author><guid>https://blog.1password.com/policies-update/</guid><description> <img src='https://blog.1password.com/posts/2023/policies-update/header.png' class='webfeedsFeaturedVisual' alt='Easily govern how and where teams use 1Password from the new policies page' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Policies are getting a new home, making it easier for 1Password Business admins to govern how and where teams use 1Password to help them stay in compliance.</p> <p>Employees don&rsquo;t want to violate security protocols. When they do, <a href="https://www.darkreading.com/privacy/6-reasons-why-employees-violate-security-policies?slide=4">it&rsquo;s often a result of stress</a> – or simply trying to get things done. The trick is to put the right guardrails in place so employees don&rsquo;t have to think about protocol. 
Ideally, they can just go about their work.</p> <p>With the new, dedicated policies page, we’ve brought together all of 1Password’s existing policies, making it easier to manage them and to put the right guardrails in place to help employees stay secure.</p> <p>Going forward, we’re focused on giving you even more flexibility by expanding available policies, and adding more precise controls and granularity so you can configure 1Password to your exact specifications.</p> <h2 id="what-are-policies">What are policies?</h2> <p>Policies in 1Password are a collection of security and administrative controls you can use to govern how and where your workforce accesses and uses 1Password.</p> <div style="text-align: center !important;"> <iframe src="https://www.youtube-nocookie.com/embed/BSqIKU_zB2k" frameborder="0" allow="autoplay; encrypted-media" width="500px !important;" height="281px !important;" style="width: 500px !important; height: 281px !important; display: inline-block !important" allowfullscreen></iframe> </div> <p>Policies currently cover four main security and administration categories:</p> <ul> <li><strong>Authentication policies</strong> help you manage how your team authenticates with and into 1Password. From here, you can strengthen the requirements for 1Password account passwords, require two-factor authentication, and more.</li> <li><strong>App usage policies</strong> give you precise control over how your team uses 1Password. 
You can specify who can view and edit items, for example, or whether team members can share or create new vaults.</li> <li><strong>Firewall policies</strong> can allow, report, or deny sign-in attempts from certain locations or IP addresses.</li> <li><strong>Unlock with Identity provider policies</strong> is where you can integrate 1Password with a supported identity provider to set up single sign-on, so you can verify user identity before they access 1Password.</li> </ul> <h2 id="where-can-i-find-my-policies">Where can I find my policies?</h2> <p>The new 1Password policies page brings together a host of previously available policies.</p> <img src="https://blog.1password.com/posts/2023/policies-update/policies.png" alt="1Password Business policies overview with sections for authentication, app usage, and firewall policies, and identity provider configuration" title="1Password Business policies overview with sections for authentication, app usage, and firewall policies, and identity provider configuration" class="c-featured-image"/> <p>When you sign in to 1Password.com, you&rsquo;ll notice a new &ldquo;Policies&rdquo; option in the sidebar. Select it to access and modify your Authentication, App usage, Firewall, and Configure Identity Provider policy settings.</p> <p>Here you&rsquo;ll find everything you need to customize how your team uses 1Password to align with your compliance, auditing, and security requirements.</p> <h2 id="stay-tuned-for-more-policies-updates">Stay tuned for more policies updates</h2> <p>When you set a security policy in 1Password, workers don&rsquo;t have to wonder who they can share an item with, or whether their password is compliant. Instead, 1Password does the work for them, and they can focus on the task at hand.</p> <p>The default policies are aligned with industry standards and best practices – perfect for small businesses and startups. 
For enterprises with global workforces and more complex needs, it’s now even easier to tweak those dials to match your security strategy.</p> <p>1Password Business customers can access their new policies page right now. Keep an eye out for the addition of new policies later this year, like the ability to automatically delete suspended users.</p> <p>We&rsquo;re in active conversation with customers about the security and administrative policies they want to see added. If you&rsquo;d like to suggest a particular policy, <a href="https://forms.gle/P65An6P54xedju9F8">please share your thoughts in a short survey</a>. We’re listening, and we’ll review all suggestions in the coming months.</p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Get started with 1Password Business</h3> <p class="c-call-to-action-box__text"> Start your free trial of 1Password Business to customize policies for a secure fit. 
</p> <a href="https://start.1password.com/sign-up/business?l=en?utm_medium=social&amp;utm_source=blog&amp;utm_campaign=policies-launch" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Get started </a> </div> </section></description></item><item><title>Reduce your digital footprint: 5 steps recommended by Theresa Payton</title><link>https://blog.1password.com/theresa-payton-digital-footprint-interview/</link><pubDate>Fri, 11 Aug 2023 00:00:00 +0000</pubDate><author>info@1password.com (Stacey Harris)</author><guid>https://blog.1password.com/theresa-payton-digital-footprint-interview/</guid><description> <img src='https://blog.1password.com/posts/2023/theresa-payton-digital-footprint-interview/header.png' class='webfeedsFeaturedVisual' alt='Reduce your digital footprint: 5 steps recommended by Theresa Payton' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">We all leave a trail of digital breadcrumbs from our adventures in the online world. They might seem harmless but these breadcrumbs can lead others to a digital treasure trove of your personal information.</p> <p>The websites you visit should respect your privacy and security – but that&rsquo;s often not the case. That means it&rsquo;s up to you, the individual, to take steps to cover your digital tracks.</p> <p>So what should we be doing? Theresa Payton, the first female White House Chief Information Officer and CEO of security consulting company Fortalice Solutions, has a few ideas. 
She joined Matt Davey on the <a href="https://randombutmemorable.simplecast.com/">Random but Memorable</a> podcast to share some simple, practical, and fast steps you can take to minimize your digital footprint.</p> <div class="c-simplecast-embed"> <iframe class="c-simplecast-embed__iframe" title="1Password Random but Memorable Podcast" width="100%" frameborder="no" scrolling="no" seamless src="https://player.simplecast.com/3baacf47-54c2-45df-a26e-fc3ea82074f9?dark=false"></iframe> </div> <p><a href="https://randombutmemorable.simplecast.com/episodes/fake-hacker-digital-footprint">Listen to episode 111 ›</a></p> <p><em>Editor’s note: This interview has been lightly edited for clarity and brevity. The views and opinions expressed by the interviewee don’t represent the opinions of 1Password.</em></p> <p><strong>Matt Davey: Could you explain what a digital footprint is and why individuals should be aware of their online presence?</strong></p> <p><strong>Theresa Payton:</strong> A digital footprint is like a trail of fairy dust that’s left behind as we&rsquo;re dancing barefoot through the online world. It’s an absolute record of our daily digital adventures. Everything we do, post, interact with. Maybe you aren’t active online but chances are the people around you are. This record of our daily digital adventures are real footprints. They&rsquo;re just in the digital realm.</p> <p>I highly recommend that each of us really mind our digital steps. You want to leave a positive impression in the digital wonderland but at the same time, you have to safeguard your own privacy and security.</p> <p><strong>MD: What are some practical steps people can take to minimize their digital footprint and maintain a higher level of privacy?</strong></p> <p><strong>TP:</strong> I’ve boiled this down so you can be nearly unhackable in five steps that take 15 minutes or less.</p> <p>1. 
Change all of your passwords to your online accounts.</p> <p>There are some free services, like <a href="https://leakpeek.com/">LeakPeek</a> and <a href="https://haveibeenpwned.com/">HaveIBeenPwned</a>, where you can type in all the different email accounts you use and see if they&rsquo;ve been in past breaches. Consider using a secure password manager to manage your passwords. We&rsquo;ve standardized my company on 1Password – I wasn’t asked to say this but it’s a great product!</p> <p>2. Implement multi-factor authentication (MFA) on all online accounts.</p> <p>There&rsquo;s a type of attack called <a href="https://blog.1password.com/how-1password-keeps-you-safe-from-cyber-attacks/">credential stuffing</a>. A study done by Security Boulevard found MFA actually blocks almost 90% or more of the password credential stuffing attacks.</p> <p>3. Deactivate any dormant and inactive online accounts.</p> <p>If you&rsquo;re not sure [what accounts of yours are out there], try doing a search that includes your name and the name of different social media platforms [e.g. &ldquo;Theresa Facebook&rdquo;]. You can also do a free search on your name on <a href="https://www.spokeo.com/">Spokeo</a> and similar sites. It&rsquo;ll tell you whether or not it thinks there are some social media accounts you&rsquo;ve forgotten about.</p> <p>4. Do a simple digital footprint assessment of yourself for free, or hire a firm.</p> <p>This is something we do for organizations and individuals but you could do this for free yourself. Pick three of your favorite search engines and search different variations of your name. That can give you a really good assessment.</p> <p>5. 
Consider using single use business domains for things like mergers and acquisitions, trade secrets, money movement, and in your personal life use single use emails.</p> <p>With Google Voice you can get <a href="https://www.talkatone.com/">Talkatone</a> and forward calls from your burner number to your real cell phone or email address. That way you&rsquo;re not handing out your most important email address – the one that’s attached to your most important parts of your life. Or your cell phone number, which is used for MFA.</p> <p><strong>MD: What do you think are the common pitfalls that are associated with normal social media usage? And are there any steps we can take to safeguard the personal information we’re sharing online?</strong></p> <p><strong>TP:</strong> Before embarking on any of your online escapades or posting something, ask yourself this: &ldquo;Would I be embarrassed if my beloved grandmother was looking over my shoulder and saw what I was about to post?&rdquo; If so, don&rsquo;t post it.</p> <p>Then on the other shoulder, I&rsquo;ve got this ominous figure who&rsquo;s got nefarious intentions. Could they exploit what I&rsquo;m about to post to hurt me digitally or physically, or the people that I care about? If the answer is yes, don&rsquo;t post even if you think it&rsquo;s an encrypted platform and things are going to be deleted.</p> <p>You should also take advantage of privacy settings.</p> <blockquote> <p><em>&ldquo;You need to opt-in to the privacy that you want.&quot;</em></p> </blockquote> <p>They have you for sale. These services are all free so they need to monetize you [to make money]. 
If you want privacy and confidentiality, you must constantly double check those privacy settings and make sure they&rsquo;re set at the level that you’re happy with.</p> <p><strong>MD: How do you envision the future of digital footprints, especially in the wake of things like AI?</strong></p> <p><strong>TP:</strong> I’m concerned that when quantum computing is here and matched with generative AI (AI for algorithms) passwords will be unlocked at a pace and scale we&rsquo;ve never seen before.</p> <blockquote> <p><em>&ldquo;A lot of people don&rsquo;t realize an encrypted password is nothing but a big old math problem.&quot;</em></p> </blockquote> <p>The reason why it’s hard to decrypt something is because you have to work out a math problem to undo the lock to the password. My concern with the advent of quantum computing, big data analytics, AI algorithms, and generative AI, is that someone with very little technical know-how can now figure out how to crack the math problem.</p> <p>Having said all of that, we’re not doomed. We know what&rsquo;s coming. We have tools that help us take back control. If you implement my five steps that take about 15 minutes or less to do to be nearly unhackable, it does empower you to stand against what is going to be coming at us next.</p> <p><strong>MD: What do you feel needs to be done in terms of regulation?</strong></p> <p><strong>TP:</strong> Here are three things I would love to see happen:</p> <p>1. Create international accords and collaborative frameworks.</p> <p>We need to get government leaders, countries, academia and industry stakeholders together to create more adaptable regulatory frameworks. If we keep waiting for each country to do it on our own, we&rsquo;re never going to get there.</p> <p>Look at the United States right now. We haven&rsquo;t really passed substantive privacy policy at the federal level. We have a patchwork quilt of very confusing privacy policies that have been developed by the state. 
We need international accords and collaborative frameworks.</p> <p>2. Develop ethical guidelines.</p> <p>These ethical guidelines need to be clear, comprehensive, and written in people speak, not legal speak, so that you and I know what we&rsquo;re opting into, what we&rsquo;re opting out of.</p> <p>It needs to be done by industry. For example, healthcare may have its own set of ethical guidelines. I would love to see it say for generative AI at this point in time, based on the technology, we will leverage generative AI for transcription services, but we will always have a human being double check the transcription to make sure that patient care is always put first.</p> <p>We need these ethical guidelines so that each industry can leverage the power of this transformation technology, but do it in a way that takes care of you and me in the process.</p> <p>3. Keep it dynamic and fresh.</p> <p>As technology advances and gets enhanced, we have to have continuous assessment and governance. We need to have these international courts and collaborations with these industry-based ethical guidelines written in human speak, not legal speak, we have to have this continuous assessment and governance of how the technologies are going? Are the frameworks keeping up, and do they have some type of a maker-checker rule? Is there some type of governance that says, &ldquo;You told us you were going to do this, are you really doing this?&rdquo;</p> <blockquote> <p><em>&ldquo;Why aren&rsquo;t we incentivizing responsible innovation? We really need to encourage the industry to prioritize these responsible and ethical AI practices.&quot;</em></p> </blockquote> <p><strong>MD: What were your key learnings from operating at the highest of levels in the White House that you learned from</strong></p> <p><strong>TP:</strong> It always comes down to the human user story.</p> <p>Everybody wants to do a great job. 
When you understand the human user story you understand where technology gets in the way of them getting their job done. And where security is actually a blockade that they have to go around in that moment to get the job done. That&rsquo;s really where they enter the danger zone.</p> <blockquote> <p><em>&ldquo;Chances are the safety nets and security nets that you think are in place are going to be completely bypassed on the path to trying to get their job done for you.&rdquo;</em></p> </blockquote> <p>It’s a failure on us, the security industry and the technology industry, not the user. We have something wrong in our design and algorithms. We clearly didn&rsquo;t understand the human user story and because we didn&rsquo;t understand it, we didn&rsquo;t design for the human. And you know who really does understand the human user story, and this is why they win sometimes? Cyber criminals.</p> <p><strong>MD: Where can people go to find out more about you, Fortalice, or any of your training courses?</strong></p> <p><strong>TP:</strong> People can always reach out to me on LinkedIn. We do have <a href="http://www.fortalicesolutions.com">a website</a> with an experts blog where people on our team share their knowledge.</p> <p>We have company accounts on <a href="https://www.linkedin.com/company/fortalicellc/">LinkedIn</a>, on <a href="https://twitter.com/FortaliceLLC">X</a> – the app formerly known as Twitter – <a href="https://www.instagram.com/fortalicesolutions">Instagram</a> and <a href="https://www.threads.net/@fortalicesolutions">Threads</a>.</p> <section class="c-call-to-action-box c-call-to-action-box--green"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Subscribe to the Random but Memorable podcast</h3> <p class="c-call-to-action-box__text"> Be prepared for Random but Memorable moments, as well as the latest security news, tips and tricks, and expert interviews. 
</p> <a href="https://randombutmemorable.simplecast.com/" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--green" data-event-category="CTA" data-event-action="call-to-action-button"> Subscribe now </a> </div> </section></description></item><item><title>1Password is attending Black Hat USA 2023!</title><link>https://blog.1password.com/black-hat-2023/</link><pubDate>Tue, 08 Aug 2023 00:00:00 +0000</pubDate><author>info@1password.com (Gina Fels)</author><guid>https://blog.1password.com/black-hat-2023/</guid><description> <img src='https://blog.1password.com/posts/2023/black-hat-2023/header.png' class='webfeedsFeaturedVisual' alt='1Password is attending Black Hat USA 2023!' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">1Password will be in Las Vegas for the annual Black Hat USA conference. Will we see you there?</p> <p>Black Hat USA is an internationally recognized cybersecurity event series providing the most technical and relevant InfoSec research. The global security community congregates at the conference for the latest cutting-edge research, developments, and trends.</p> <p>This year, we’re thrilled to be sponsoring the event, hosting our own booth, and running a session on passkeys.</p> <p>Here’s a quick rundown of everything we’ll be up to:</p> <h2 id="stop-by-the-1password-booth">Stop by the 1Password booth</h2> <p>If you’re attending Black Hat USA, come by booth 2816 any time and say hi! Come chat with our team about all things cybersecurity, enterprise solutions, developer tools, and passwordless. 
You’ll find out why over 100,000 businesses trust 1Password with their security and get to leave with a smile.</p> <p>Plus, you can come grab a free drink and see 1Password in action with a live demo during the scheduled booth crawl.</p> <p><strong>Black Hat Booth Crawl</strong><br> <em>August 9, 4:00 – 5:00 PM PT</em><br> <em>Booth 2816, Mandalay Bay Business Hall</em></p> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div class="c-technical-aside-box__description"> <p>Use <a href="https://www.expocad.com/host/fx/informa/23bhusa/exfx.html">this map</a> if you need a hand tracking us down in the Business Hall.</p> </div> </aside> <h2 id="catch-our-passkeys-seminar">Catch our passkeys seminar</h2> <p>Black Hat is packed with insightful sessions and seminars featuring some of the most influential members of the security industry.</p> <p>Make sure you don’t miss <a href="https://www.blackhat.com/us-23/sponsored-sessions/schedule/index.html#passkeys-preventing-social-engineering-attacks-in-the-era-of-generative-ai-34319">1Password’s seminar</a>:</p> <p><strong>Passkeys: Preventing Social Engineering Attacks in the Era of Generative AI</strong><br> <em>August 9, 1:50 PM PT – 2:10 PM PT</em><br> <em>Mandalay Bay L</em></p> <p>Join this session with Anna Pobletts, head of passwordless at 1Password, to discuss the evolution of social engineering attacks against authentication and identity systems and the crucial role that passkeys play in protecting users, their digital identities and shaping the future of security.</p> <p>Online identity is rapidly evolving, but still reliant on humans protecting themselves from cyber threats. As major advancements in AI threaten to upskill the attacker, we&rsquo;ll see more sophisticated, hyper-realistic, and strategic attacks. The ultimate goal should be removing human error altogether. 
A passwordless future with passkeys promises to do just that.</p> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div class="c-technical-aside-box__description"> <p>Visit our <a href="https://1password.com/blackhat2023">event page</a> for more details and free resources.</p> </div> </aside> <h2 id="come-say-hi">Come say hi!</h2> <p>If you see any 1Password team members, come up and say hello! Black Hat is all about geeking out with fellow security-conscious friends, discussing complex problems, and learning how we can make the world a safer place for everyone.</p> <section class="c-call-to-action-box c-call-to-action-box--purple"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Secure your team with 1Password Business</h3> <p class="c-call-to-action-box__text"> Keep your team secure without slowing them down. Choose 1Password Business to gain complete control over passwords and other sensitive business information. </p> <a href="https://1password.com/business-pricing/" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--purple" data-event-category="CTA" data-event-action="call-to-action-button"> Try free for 14 days </a> </div> </section></description></item><item><title>Author Scott J. Shapiro explains the role of ‘upcode’ in famous hacks</title><link>https://blog.1password.com/scott-shapiro-upcode-hacks-interview/</link><pubDate>Mon, 07 Aug 2023 00:00:00 +0000</pubDate><author>info@1password.com (Jenn Marshall)</author><guid>https://blog.1password.com/scott-shapiro-upcode-hacks-interview/</guid><description> <img src='https://blog.1password.com/posts/2023/scott-shapiro-upcode-hacks-interview/header.png' class='webfeedsFeaturedVisual' alt='Author Scott J. Shapiro explains the role of ‘upcode’ in famous hacks' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Here’s an existential question: is technology always the answer? 
Or are there other ways to solve our biggest problems?</p> <p>Author Scott J. Shapiro explores this debate in a book called <em><a href="https://www.getfancybear.com/">Fancy Bear Goes Phishing, The Dark History of the Information Age in Five Extraordinary Hacks</a></em>, which breaks down how some of the most fascinating cybercrimes were committed and what we can learn from them. Matt Davey, Chief Experience Officer at 1Password, spoke with Shapiro on the <a href="https://randombutmemorable.simplecast.com/">Random but Memorable</a> podcast about when it makes sense to use technology to solve a problem like cybersecurity – and when it doesn’t.</p> <p>Hint: The answer has to do with “upcode” and “downcode” and lawyers being programmers – sort of. Read the interview below or listen to the <a href="https://randombutmemorable.simplecast.com/episodes/fancy-bear-grunge-nostalgia">full podcast episode</a> to get Shapiro’s perspective on why fixing cybersecurity will involve rewiring more than just our technology.</p> <div class="c-simplecast-embed"> <iframe class="c-simplecast-embed__iframe" title="1Password Random but Memorable Podcast" width="100%" frameborder="no" scrolling="no" seamless src="https://player.simplecast.com/40b50b19-eddb-48db-90bb-096713ff2cd9?dark=false"></iframe> </div> <p><a href="https://randombutmemorable.simplecast.com/episodes/fancy-bear-grunge-nostalgia">Listen to episode 107 ›</a></p> <p><strong>Matt Davey: Can you give us a bit of background on you and why you decided to write this book?</strong></p> <p><strong>Scott J. Shapiro:</strong> I had been a developer-coder through college. I gave it up when I was in the middle of law school and got a PhD in philosophy. Then the World Wide Web came on the scene, and there was just a lot of stuff that I didn&rsquo;t stay up with. As my career went on, I just forgot all about computers and the internet. I mean, I used it of course. 
When I wrote a book with my colleague Oona Hathaway on the history of war from 1600 to the present, people kept asking me, &ldquo;What about cyber war? That&rsquo;s the new thing, isn&rsquo;t it?&rdquo; And I was like, &ldquo;I don&rsquo;t know.&rdquo;</p> <p>I started doing research on it and I found it almost impenetrable, which was really strange, because I had a very strong background in programming and theoretical computer science, and I had no idea what was going on.</p> <p><strong>MD: That&rsquo;s cool that you learned about cybersecurity while writing the book. That gives you an interesting angle to translate it to others who are going to learn along with you.</strong></p> <p><strong>SS:</strong> In my career I&rsquo;ve always tried to write books that I wish existed so I could read them. And there was no book like this because cybersecurity is a very young field. You either have sensationalistic books that tell us how we&rsquo;re all going to die, or books that yell at us because our passwords aren&rsquo;t long enough or because we don&rsquo;t use a <a href="https://blog.1password.com/password-manager/">password manager</a>.</p> <p>I wished there was a book that was readable that would explain how these cybersecurity-related things happen. So that&rsquo;s what I did. It was really hard to do because it&rsquo;s really hard to learn about the subject.</p> <p><strong>MD: In the book, you outline five hacks. One of them I&rsquo;m assuming has something to do with the Fancy Bear group. What are the details of one or two others?</strong></p> <p><strong>SS:</strong> The five hacks are the <a href="https://en.wikipedia.org/wiki/Morris_worm">Morris worm</a>, the first time that somebody had taken down the internet in 1988. 
The second was the Bulgarian virus writers from the early 1990s, who were extremely good at writing computer viruses generally for DOS machines and PCs.</p> <p>Then the <a href="https://www.wired.com/2005/02/paris-hilton-hacked-or-not/">hack of Paris Hilton&rsquo;s cell phone</a> in 2005, and the eponymous <a href="https://www.theguardian.com/technology/2016/jul/26/dnc-email-leak-russian-hack-guccifer-2">Fancy Bear hack of the Democratic National Committee</a> in 2016, which some people think might have led to the election of Donald Trump. And then finally, the <a href="https://spectrum.ieee.org/mirai-botnet">Mirai botnet</a> by three teenage boys who put together an Internet of Things (IoT) botnet that took down the internet in October 2016.</p> <blockquote> <p><em>&ldquo;I tried to pick things that were interesting and had an element of mystery.&quot;</em></p> </blockquote> <p>I chose these five hacks in part because they interested me and they also dealt with different aspects of computer security: viruses, worms, IoT, botnets, nation-state espionage, and just kids acting like idiots. I tried to pick things that were interesting and had an element of mystery. A lot of these hacks, people don&rsquo;t exactly know how they happened, and so I found it interesting to try to figure them out.</p> <p><strong>MD: The technologies involved in these hacks are wide-ranging, from IoT to what people might describe as quite easy social engineering-style hacks. Were there commonalities between any of them?</strong></p> <p><strong>SS:</strong> There are commonalities but I just picked stories that I was interested in, so I don’t want to draw too much from any patterns. But the first thing that I would say is that we tend to think of hacking – because obviously it&rsquo;s very technical – as a strictly technical activity.</p> <p>But there&rsquo;s also an enormous amount of social engineering going on. 
There&rsquo;s a lot of human manipulation happening in the background, not only in terms of the hack, but because the vulnerabilities that are exploited by these hackers really come about because of some kind of political vulnerability in the rules that regulate our behavior.</p> <p>In the book I make a distinction between what I call “downcode”, which is all the computer code below our fingertips, and the “upcode”, which is all the rules above our fingertips. That includes our personal ethics, our habits, the organizational norms that were part of our social norms, our legal norms, industrial standards in terms of service – all these kinds of rules that give us incentives to either produce technology or to use technology.</p> <blockquote> <p><em>&ldquo;I make a distinction between what I call “downcode”, which is all the computer code below our fingertips, and the “upcode”, which is all the rules above our fingertips.&quot;</em></p> </blockquote> <p>What I try to show is that there&rsquo;s always some glitch, some bug, some vulnerability in the upcode which generates vulnerabilities in the downcode. When we see hackers exploiting the downcode, in some sense, it&rsquo;s already too late. There have already been so many mistakes beforehand in the upcode.</p> <p>One of the messages of the book is not to treat cybersecurity as this purely technical activity but also as this political inquiry into why the rules we have give us bad incentives. That&rsquo;s one commonality.</p> <p>Another commonality is that in almost every one of these cases the intelligence agencies and analysts confuse young, teenage boys for nation-state actors, and that&rsquo;s kind of funny.</p> <p><strong>MD: The upcode, as you say, is always a lot harder and a lot slower to change than the downcode; reprogramming something is usually the easiest route. 
What do you think we need to change as a society to avoid issues with the upcode?</strong></p> <p><strong>SS:</strong> I imagine your listeners are very familiar with the idea of a stack of code. People talk about having a “full stack”. So we have a downcode stack, but we also have an upcode stack, or a set of interlocking and hierarchical rules which govern our behavior. There are many ways to intervene in the upcode stack to change our incentives.</p> <p>One example is the Mirai botnet from 2016. A bunch of teenagers put together an IoT botnet – DVRs, security cameras, things like that – and created a very powerful distributed denial-of-service (DDoS) attack apparatus for taking down <em>Minecraft</em> servers. They were able to do this because the IoT devices that they were exploiting had default passwords. In many cases, nobody was able to change the default passwords or they were very hard to change.</p> <p>The teenagers exploited these default passwords because the passwords were Googleable. They were listed in the DVR manuals. One very simple change in the law, which was a California-enacted security law, required users of IoT devices to change the password when they set it up or take other kinds of precautions. This change essentially eliminated the problem, at least in the United States. It&rsquo;s not to say that it doesn&rsquo;t exist anymore, but that one change in a California law had a ripple effect throughout the entire United States, because of how big California&rsquo;s market is.</p> <blockquote> <p><em>&ldquo;Teenagers exploited these default passwords because the passwords were Googleable. They were listed in the DVR manuals.&rdquo;</em></p> </blockquote> <p>That&rsquo;s just one basic example of a targeted upcode change. Another example of a much more general upcode change is imposing software liability for negligently constructed software that has very bad security vulnerabilities. 
The book gives lots of examples of how you might be able to change upcode in order to create stronger and more secure downcode.</p> <p><strong>MD: As someone who works for a technology company, we talk about companies leading solutions, solving things like phishing with technology like passkeys. That might solve a chunk of the problem but you make a great point about how there&rsquo;s also societal change that needs to happen.</strong></p> <p><strong>SS:</strong> People say, “You&rsquo;re a law professor, why are you writing a book on cybersecurity?” Lawyers are coders! They&rsquo;re just upcoders, not downcoders. I would like to see lawyers become technologists and, more importantly, work with technology people to try to come up with the right sort of upcode-downcode fixes so that we&rsquo;re not constantly trying to fix problems that were caused way earlier in the upcode stack and could have been solved sooner and more efficiently.</p> <p><strong>MD: I think that missed connection between technology and the law happens around encryption as well. It&rsquo;s “let&rsquo;s outlaw this little bit of encryption and not this bit.” There&rsquo;s a huge misunderstanding of one side believing it&rsquo;s a moral argument and the other side believing it&rsquo;s a mathematical one.</strong></p> <p><strong>SS:</strong> That&rsquo;s right. That&rsquo;s an upcode thing too. In the privacy community, you have people who have very strong values about privacy, which I&rsquo;m not sure are shared by people outside that community, to be perfectly honest with you. Not that I&rsquo;m anti-privacy, of course not. I&rsquo;m actually very strongly pro-encryption. 
I&rsquo;m also very against any type of backdoors, and not only for the obvious reasons of breaking security protocols.</p> <blockquote> <p><em>&ldquo;The law has many solutions to the problem of encryption that we can avail ourselves of instead of changing the entire way that the entire world encrypts information.&rdquo;</em></p> </blockquote> <p>One thing that people don&rsquo;t realize is that in U.S. law, which has very strict rules about these things, there are lots of ways of getting around the problem of encryption that we ought to be exploring. That is, the law has many solutions to the problem of encryption that we can avail ourselves of instead of changing the entire way that the entire world encrypts information on the internet. There are so many easier ways of doing it than we are currently exploring right now.</p> <p><strong>MD: Did writing this book change your outlook on security or cybercrime or the landscape in general?</strong></p> <p><strong>SS:</strong> Yes. The first thing I learned was never believe what you read about the cause of a hack. People say crazy things all the time, but they really don&rsquo;t know. My favorite example is that <em>The New York Times</em> had this big story about how Paris Hilton&rsquo;s cell phone probably was hacked, and found that all these celebrities were using Bluetooth-enabled devices, so maybe Paris Hilton&rsquo;s Bluetooth was hacked. And this is <em>The New York Times</em>! So you think, oh man, maybe her Bluetooth was hacked – until you find out that the cell phone she had didn&rsquo;t have Bluetooth.</p> <p>The other thing is, I think so much of the industry is built on fear and freaking people out and making us feel like anything we do to protect ourselves is going to be ultimately futile. But just because a device is hackable doesn&rsquo;t mean that it&rsquo;s going to be hacked. The person who&rsquo;s doing it has to have some incentive to do it. 
In so many instances, there&rsquo;s just no incentive to hack your device, because there&rsquo;s no money to be made from it.</p> <blockquote> <p><em>&ldquo;Just because a device is hackable doesn&rsquo;t mean that it&rsquo;s going to be hacked.&rdquo;</em></p> </blockquote> <p>If you&rsquo;re a normal person, follow the very basic things that people tell you not to do. Don&rsquo;t click on links and emails. Use a password manager. Don&rsquo;t write it on a sticky note and put it on your laptop. If you&rsquo;re a high value target, I think it’s a very different story. If you&rsquo;re a journalist, human rights activist, in the C-suite, have control over money, all those things, then you really need to take it seriously, because people really are out to get you.</p> <p><strong>MD: What&rsquo;s the main thing that you&rsquo;d like readers to take away from your book?</strong></p> <p><strong>SS:</strong> I tried to at least make the book fun to read. The stories are just wild, crazy stories. There are a lot of amazing and somewhat funny things that are happening in these stories. I also want readers to learn. I&rsquo;m a professor. I like teaching, and I would love for people to read the book and walk away thinking, “Oh wow, I learned how the internet works. I learned how passwords are stored as hashes in operating systems.&rdquo; Things like that. So I would like people to become more secure but ultimately I&rsquo;d like them to become more educated.</p> <p><em>Editor’s note: This interview has been lightly edited for clarity and brevity.</em></p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Subscribe to Random but Memorable</h3> <p class="c-call-to-action-box__text"> Listen to the latest news, tips and advice to level up your security game, as well as guest interviews with leaders from the security community. 
</p> <a href="https://randombutmemorable.simplecast.com/" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Subscribe to our podcast </a> </div> </section></description></item><item><title>Congratulations to the 1Password Hackathon winners! 🏆</title><link>https://blog.1password.com/2023-1password-hackathon-winners/</link><pubDate>Thu, 03 Aug 2023 00:00:00 +0000</pubDate><author>info@1password.com (Jason Harris)</author><guid>https://blog.1password.com/2023-1password-hackathon-winners/</guid><description> <img src='https://blog.1password.com/posts/2023/2023-1password-hackathon-winners/header.png' class='webfeedsFeaturedVisual' alt='Congratulations to the 1Password Hackathon winners! 🏆' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">I remember my first hackathon. I was a junior developer at a civil engineering firm in Portland. I built a learning platform for employees to learn internal policies and procedures. It was a project that moved fast because we had a deadline - and my partner and I had so much fun.</p> <p>All of which is to say, this year’s 1Password Hackathon came with a heavy dose of nostalgia. Everyone obviously had a lot of fun – and I’m blown away by the ingenuity of the submissions.</p> <p>Some of you submitted entries to secure daily workflows (in true 1Password fashion!). Some built <a href="https://ansellmax.hashnode.dev/making-a-memory-game-with-an-authenticated-leaderboard-with-passage">fun games</a>, including one to help us all <a href="https://robinryf.hashnode.dev/1password-cli-the-lost-password-game">strengthen our passwords</a>. 
Others built integrations that extend passkeys to new integrations and frameworks.</p> <p>In short, we saw a whirlwind of innovation, collaboration, and groundbreaking submissions.</p> <h2 id="the-1password-hackathon-prizes">The 1Password Hackathon prizes</h2> <p>A quick recap on the hackathon itself. Hackathon participants competed for $10,000 in prize money across five different categories, including:</p> <ol> <li><strong>Innovation Award:</strong> Goes to the most surprising and imaginative entry.</li> <li><strong>Most Inventive Use of the 1Password CLI:</strong> Build 1Password into your favorite integration or extend 1Password in a new way.</li> <li><strong>Best Use of <a href="https://passage.1password.com/">Passage</a>:</strong> Extend passkey integration or Passage to a new framework.</li> <li><strong>Most Shell Plugins Written:</strong> Write the most shell plugins to bring biometric authentication to your most-used CLIs.</li> <li><strong>Developer Delight:</strong> Make developers' day-to-day lives easier.</li> <li><strong>People’s Choice:</strong> Garner enough community votes and be rewarded!</li> </ol> <p>Each entry was submitted via a blog post and demo video on Hashnode.</p> <h2 id="announcing-the-winners-of-the-1password-hackathon-">Announcing the winners of the 1Password Hackathon! 🎉</h2> <p>Without further ado, let’s go to our winners!</p> <h3 id="innovation-award-mike-almeloo">Innovation Award: Mike Almeloo</h3> <img src='https://blog.1password.com/posts/2023/2023-1password-hackathon-winners/mike_almeloo.png' alt='Partial diagram of Mike Almeloo&#39;s entry in the 2023 1Password Hackathon' title='Partial diagram of Mike Almeloo&#39;s entry in the 2023 1Password Hackathon' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>The Innovation Award goes to Mike Almeloo for their enhancement of the <a href="https://blog.mikealmel.ooo/supercharging-the-1password-ssh-agent">1Password SSH agent using the CLI</a>. 
Mike’s solution creates a seamless way to manage multiple SSH keys with 1Password. Congratulations, Mike!</p> <h3 id="most-inventive-use-of-the-1password-cli-zachary-cutlip">Most Inventive Use of the 1Password CLI: Zachary Cutlip</h3> <pre tabindex="0"><code>[MAIN]
config-path = ./tests/config/mock-op
response-path = responses
response-dir-file = response-directory.json

[whoami]
type=whoami

[item-get-example-login-1-vault-test-data]
type=item-get
item_identifier = Example Login 1
vault = Test Data

[item-get-invalid]
type = item-get
item_identifier = Invalid Item
expected-return = 1
</code></pre><p>Community member Zachary Cutlip and his <a href="https://shadowfile.hashnode.dev/introducing-mock-op-the-1password-cli-emulator">mock-op project</a> take home the award for Most Inventive Use of the 1Password CLI. Zachary’s contribution enables automated testing for developers building on the 1Password CLI by providing a stand-in for the op command-line utility when testing isolation is needed.</p> <h3 id="best-use-of-passage-shreyas-chaliha">Best Use of Passage: Shreyas Chaliha</h3> <img src='https://blog.1password.com/posts/2023/2023-1password-hackathon-winners/shreyas_chaliha.png' alt='Logged-in user view in Shreyas Chaliha&#39;s Post iT application' title='Logged-in user view in Shreyas Chaliha&#39;s Post iT application' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>For Best Use of Passage, we are in awe of <a href="https://shreyas-chaliha.hashnode.dev/share-your-milestones-and-memories-with-post-it">Post iT</a>, written by Shreyas Chaliha. We commend Shreyas for the quality of their Passage implementation along with the descriptive blog post outlining their app development process. 
Providing easy sign-in using passkeys with Passage, Post iT enables developers to share milestones and achievements in their project workflows.</p> <h3 id="most-shell-plugins-written-maniraja-vela-manoharan">Most Shell Plugins Written: Maniraja Vela Manoharan</h3> <img src='https://blog.1password.com/posts/2023/2023-1password-hackathon-winners/maniraja_vela_manoharan.png' alt='Code snippet from Maniraja Vela Manoharan in the 1Password Hackathon' title='Code snippet from Maniraja Vela Manoharan in the 1Password Hackathon' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>The Most Shell Plugins Written award goes to the prolific Maniraja Vela Manoharan, who wrote a whopping six shell plugins for amazing CLIs such as Contentful, Kaggle, Todoist and more! Special thanks to all the shell plugin authors who contributed. Your PRs make developers' day-to-day easier and more secure. 🙏</p> <h3 id="developer-delight-younes-laaroussi">Developer Delight: Younes Laaroussi</h3> <pre tabindex="0"><code>use Eludadev\Passage\Passage;
use Eludadev\Passage\Middleware\PassageAuthMiddleware;
// Laravel framework classes used below
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Route;

// With Laravel: the middleware verifies the Passage session before the route runs
Route::get('authenticatedRoute', function (Request $request) {
    $passage = new Passage(env('APP_ID'), env('API_KEY'));
    // The authenticated user's ID is attached to the request by the middleware
    $userID = $request-&gt;userID;
})-&gt;middleware(PassageAuthMiddleware::class);
</code></pre><p>The entry that provided the most developer delight came from Younes Laaroussi and their amazing <a href="https://eludadev.hashnode.dev/passage-php-sdk">PHP SDK for Passage</a>. With Younes’ project, PHP developers can secure secrets and make passkey implementation simple and easy. 
As PHP is one of the most used programming languages globally, this project is a significant contribution to the development community.</p> <h3 id="peoples-choice-award-joysankar-majumdar">People’s Choice Award: Joysankar Majumdar</h3> <img src='https://blog.1password.com/posts/2023/2023-1password-hackathon-winners/joysankar_majumdar.png' alt='Authentication flow for FitGo, Joysankar Majumdar&#39;s entry in the 2023 1Password Hackathon' title='Authentication flow for FitGo, Joysankar Majumdar&#39;s entry in the 2023 1Password Hackathon' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>Now - for the final award - the People’s Choice winner! Based on community votes via Twitter and likes on Hashnode, we’re thrilled to announce that <a href="https://qdot.hashnode.dev/fitgo-android-fitness-tracker">FitGo</a>, written by Joysankar Majumdar, was the crowd favorite! Joysankar’s submission is an Android application that uses Passage for authentication and Firebase to store authentication data. FitGo impressed the 1Password team with its ease of use and everyday utility.</p> <h2 id="thank-you">Thank you!</h2> <p>To all those who took part in the 1Password Hackathon, thank you! To see all of the entries, browse the <a href="https://hashnode.com/n/buildwith1password">#BuildWith1Password</a> tag on Hashnode. 
We can’t wait to see what other projects you build as you develop with <a href="https://1password.com/developers">1Password Developer Tools</a> and <a href="https://passage.1password.com/">Passage</a>!</p></description></item><item><title>New 1Password SIEM integration with Datadog</title><link>https://blog.1password.com/siem-integration-datadog/</link><pubDate>Mon, 31 Jul 2023 00:00:00 +0000</pubDate><author>info@1password.com (Clarence Wong)</author><guid>https://blog.1password.com/siem-integration-datadog/</guid><description> <img src='https://blog.1password.com/posts/2023/siem-integration-datadog/header.png' class='webfeedsFeaturedVisual' alt='New 1Password SIEM integration with Datadog' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">We’re thrilled to share that we’ve partnered with <a href="https://www.datadoghq.com/">Datadog</a> to give you greater visibility into the security posture of your business, all from one central location!</p> <p>Starting now, your team can view 1Password security reporting in Datadog to easily monitor potential risks and investigate security issues while spending less time jumping between dashboards.</p> <p>Integrating with Datadog is simple and secure, and will give you and your team everything you need to monitor the security health of your business. Datadog customers can connect their 1Password Business account in minutes and use pre-built rules from Datadog to start monitoring for security events right away.</p> <h2 id="1passwords-events-api">1Password’s Events API</h2> <p>The <a href="https://support.1password.com/events-reporting/">1Password Events API</a> lets you stream 1Password events to your SIEM (security information and event management) tool. 
These 1Password events can then be incorporated into things like custom dashboards, alerts, visualizations, and search to give you a deeper understanding of how your team uses 1Password.</p> <p>1Password’s enhanced Events API supports all events captured by the 1Password Activity Log, including:</p> <ul> <li>Account changes</li> <li>Billing changes</li> <li>Changes to email addresses</li> <li>Device addition or removal</li> <li>Families account changes</li> <li>File uploads</li> <li>Group access changes</li> <li>Group vault access changes</li> <li>Integration events</li> <li>Shared items</li> <li>Team member and guest invitations</li> <li>User access changes</li> <li>Vault changes</li> <li>Vault item changes</li> <li>Views of administrative reports</li> </ul> <p>This means you can do things like monitor user adoption and usage, as well as set up alerts to be notified when a secret is shared, when a specific vault with sensitive data is accessed, or when a user is granted admin/owner privileges – all by streaming 1Password events to third-party SIEM tools like Datadog.</p> <h2 id="datadog-and-1password">Datadog and 1Password</h2> <p><a href="https://www.datadoghq.com/blog/monitor-1password-datadog-cloud-siem/">Datadog</a> is a SIEM tool that collects, aggregates, searches, and monitors company data and notifies you of any potential risks or attacks. This makes it easier to stay secure, avoid downtime, and give your customers the best user experience.</p> <p>Using the 1Password Events API, Datadog can now stream 1Password data into its own application for customers to use for dashboarding and analysis. 
If you’re a 1Password Business customer, you can combine 1Password events with information from Datadog to:</p> <ul> <li>Create custom reports, dashboards, alerts, and visualizations.</li> <li>Track 1Password adoption across the organization.</li> <li>Isolate certain security events in the service of an investigation.</li> <li>Better support auditing and compliance workflows.</li> <li>More easily monitor and report on security posture.</li> </ul> <p>Yash Kumar, Senior Director of Product at Datadog, puts it best:</p> <blockquote> <p><em>&ldquo;By monitoring and analyzing activity generated from 1Password, Datadog Cloud SIEM detects threats and suspicious activities where highly sensitive information may be compromised – signaling attacks such as credential theft or brute-forcing. When threats do occur, we equip teams with the runtime context and security analytics needed on a single platform, enabling them to prioritize threats more easily, rule out false positives faster, investigate the full scope of activity through log visualizations, collaborate efficiently across teams and timezones in workspaces, and accelerate response with workflow automation to quickly contain attacks and reduce their impact on the business.&rdquo;</em></p> </blockquote> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div class="c-technical-aside-box__description"> <p>Interested in becoming an integration partner with 1Password? Email <a href="mailto:tech-partnerships@1password.com">tech-partnerships@1password.com</a> to find out more.</p> </div> </aside> <h2 id="getting-started">Getting started</h2> <p>This integration is available now to anyone with a 1Password Business account and a Datadog account.</p> <p>Not using 1Password Business yet? 
<a href="https://start.1password.com/sign-up/business?l=en/?utm_ref=blog">Try it free for 14 days!</a></p> <p>If you’re already a customer of both 1Password and Datadog, then you can <a href="https://support.1password.com/events-reporting/">get started and connect them</a> from the integrations directory in your 1Password Business account. Once you’ve integrated your SIEM partner with 1Password, you can start enabling features.</p> <section class="c-call-to-action-box c-call-to-action-box--purple"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Secure your team with 1Password Business</h3> <p class="c-call-to-action-box__text"> Keep your team secure without slowing them down. Choose 1Password Business to gain complete control over passwords and other sensitive business information. </p> <a href="https://1password.com/business-pricing/" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--purple" data-event-category="CTA" data-event-action="call-to-action-button"> Try free for 14 days </a> </div> </section></description></item><item><title>Meet Allie Weiner, Manager of Account Management (Mid-Market)</title><link>https://blog.1password.com/meet-allie-weiner/</link><pubDate>Fri, 28 Jul 2023 00:00:00 +0000</pubDate><author>info@1password.com (1Password)</author><guid>https://blog.1password.com/meet-allie-weiner/</guid><description> <img src='https://blog.1password.com/posts/2023/meet-allie-weiner/header.png' class='webfeedsFeaturedVisual' alt='Meet Allie Weiner, Manager of Account Management (Mid-Market)' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Have you ever wondered what it&rsquo;s like to work at <a href="https://1password.com/">1Password</a>? Or wanted to know the career paths that other people followed before taking a job here? 
You&rsquo;re not alone!</p> <p>In this blog series, we&rsquo;re sharing what it&rsquo;s <em>really</em> like to work at 1Password. To do this, we sat down and talked to team members from across our more than 900-strong organization, including engineering, human resources, and customer support. You&rsquo;ll learn about the journeys that each person took to 1Password, as well as their current role and day-to-day responsibilities.</p> <p>Today, we&rsquo;re chatting with Allie Weiner, who leads our Account Management (mid-market) team at 1Password!</p> <p><strong>Why did you join 1Password, and how did you end up here?</strong></p> <p>Back in October 2020 I was searching for my next role. A former colleague (and now friend of mine!) had just joined 1Password and had nothing but brilliant things to say about the organization and the direction it was heading in.</p> <blockquote> <p><em>A former colleague had just joined 1Password and had nothing but brilliant things to say.</em></p> </blockquote> <p>After doing my research and having some honest and in-depth conversations with 1Password’s leaders, I was even more certain that this is where I wanted to take the next step in my sales career.</p> <p><strong>What’s your current role, and what are your day-to-day responsibilities?</strong></p> <p>I currently oversee one of our account management teams looking after the mid market segment. I have two team leads who are direct reports plus a team of 13 sales reps. My day-to-day responsibilities include managing the team’s pipeline, providing an accurate forecast to upper management, getting creative with different sales strategies and offering valuable advice on tactics.</p> <p>I keep a close eye on the team’s performance, provide coaching where needed and identify any knowledge gaps and areas for development. 
I make every effort to lead with empathy and foster a supportive team culture to inspire peak performance.</p> <p><strong>What’s your favorite 1Password memory?</strong></p> <p>This isn’t much of a 1Password memory but more of an overall sentiment. I received incredible support from 1Password the moment I announced I was expecting my first child. I was immediately assured they would accommodate my needs during this exciting time in my life. This unwavering support alleviated any anxiety I had about balancing my professional responsibilities with impending parenthood and it reinforced my sense of belonging within the organization.</p> <blockquote> <p><em>I received incredible support from 1Password the moment I announced I was expecting my first child.</em></p> </blockquote> <p><strong>Quick! You’re boarding a plane and you can only bring one item on your trip. What is the one thing you can’t live without?</strong></p> <p>If my son was with me on the plane, my one item would be his stuffed hippo. The entire plane and I wouldn’t want to witness or hear the repercussions if we left Hippo behind! Fun fact: Hippo was actually given to us by one of my 1Password teammates!</p> <p><strong>Any fun personal plans for 2023? How are you planning to use your PTO?</strong></p> <p>This year I’m going on a trip that is the complete opposite to what I would normally do for a vacation. I was convinced (read: I was told) to go on a golf trip with my partner and his family.</p> <p>We’re heading to the east coast for four nights to a beautiful golf course. Side note: this will be my second time ever picking up a golf club (apparently mini golf doesn’t count). Wish me luck! 
Or better yet … wish the people in the hole behind us luck!</p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Want to work for 1Password?</h3> <p class="c-call-to-action-box__text"> Browse our current job openings to see if there’s an opportunity that matches your career goals. </p> <a href="https://1password.com/jobs/?utm_ref=blog" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> View our open positions </a> </div> </section></description></item><item><title>Passkeys vs. 2FA and TOTP: What are the differences?</title><link>https://blog.1password.com/passkeys-2fa-totp-differences/</link><pubDate>Thu, 27 Jul 2023 00:00:00 +0000</pubDate><author>info@1password.com (Megan Barker)</author><guid>https://blog.1password.com/passkeys-2fa-totp-differences/</guid><description> <img src='https://blog.1password.com/posts/2023/passkeys-2fa-totp-differences/header.png' class='webfeedsFeaturedVisual' alt='Passkeys vs. 2FA and TOTP: What are the differences?' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">We’ve compared passkeys to <a href="https://blog.1password.com/passkeys-vs-passwords-differences/">passwords</a> and <a href="https://blog.1password.com/passkeys-vs-magic-links-differences/">magic links</a>, and <a href="https://blog.1password.com/1password-2fa-passwords-codes-together/">recently explored</a> two-factor authentication (2FA) and time-based one-time passwords (TOTP). We think this calls for a passkey and 2FA face-off, don’t you?</p> <p>Passkeys are <em>the</em> hot topic right now. This form of passwordless authentication allows you to sign in to websites and apps (that support passkey authentication) without a typical plaintext password. 
You authenticate with your biometric information or device passcode, and everything else happens behind the scenes, like <em>that</em>.</p> <p>Two-factor authentication <a href="https://blog.1password.com/1password-2fa-passwords-codes-together/">requires two separate and distinct factors</a> — it’s not merely the step of entering a TOTP that creates true 2FA. Let’s say you store your passwords digitally — in a <a href="https://1password.com/">first-rate password manager</a>, for example. If you want the protection of <em>true</em> 2FA, your one-time passwords need to come from a different device than the one that holds your account passwords.</p> <p>So, passkeys or traditional 2FA? Let’s look at the differences between them, and what sets passwordless technology apart from (and above) the password-plus-TOTP combination the security industry <a href="https://blog.1password.com/stay-secure-without-burning-out-guide/">has encouraged for years</a>.</p> <h2 id="a-tale-of-two-differences">A tale of two differences</h2> <p>There are two primary differences between passkeys and traditional forms of 2FA.</p> <p>The first contrast is the presence, or lack of, a password. Passwordless authentication is passwordless by definition – it&rsquo;s designed to replace your passwords. Two-factor authentication is an entirely different concept. Rather than replacing something, 2FA <em>adds</em> a step (factor) to help strengthen the security of a password-protected account. But your traditional password remains the first factor or step in most 2FA flows.</p> <p>The other notable difference is susceptibility to attack. 
Signing in with a passkey is relatively automatic – meaning there’s nothing to type or enter – and inherently more secure because passkeys lack additional steps and codes that might be vulnerable to theft, phishing, and interception <a href="https://blog.1password.com/what-is-social-engineering-hacking-101/">if you’re not careful</a>.</p> <div style="text-align: center !important;"> <iframe src="https://www.youtube-nocookie.com/embed/DELDP_wbuE4?si=VQ4KiFVKIJwHFGBY" frameborder="0" allow="autoplay; encrypted-media" width="500px !important;" height="281px !important;" style="width: 500px !important; height: 281px !important; display: inline-block !important" allowfullscreen></iframe> </div> <p>But passkeys and 2FA have one thing in common: both improve upon traditional password-only account protection (one-factor security).</p> <p><em>Replayability</em> is arguably the biggest issue with traditional plaintext passwords. Data is replayable when it can be intercepted, delayed, and reused. Passwords are considered <em>very</em> replayable: After an attacker steals your password once, they can use it to access the associated account (or accounts) as often as they want.</p> <p>Multi-factor authentication (MFA) methods provide protection against replayability. Time-based one-time passwords are generated securely and expire after 30 seconds. 
The expiration eliminates the TOTP’s ability to be used again which, in turn, can help protect your accounts and data.</p> <p>Where MFA adds protection to your passwords, passkeys <em>have</em> fundamental protection of their own.</p> <h2 id="to-kill-a-password">To kill a password</h2> <p>The added security of MFA is core to the passkey design — it’s built right in.</p> <p>When you authorize the use of a passkey with your biometric information or device passcode, you prove you own and can unlock the device that holds the passkey.</p> <p>And with that, you’ve proven more than you will ever prove by signing in with a password only (one-factor security). But there’s more.</p> <p>Each passkey consists of a public and private key and those components get to work next. The keys exchange information<sup id="fnref:1"><a href="#fn:1" class="footnote-ref" role="doc-noteref">1</a></sup> and after you prove possession of the private key – the <em>sole</em> match for the public key stored by the website or app you want to access – you’re signed in to your account.</p> <blockquote> <p><strong>There’s nothing of value to lose, intercept, steal, forget, or expire because your private key never leaves your device.</strong></p> </blockquote> <p>These processes happen in one ultra-quick step without a password or one-time code in sight. So there’s nothing of value to lose, intercept, steal, forget, or expire because your private key never leaves your device.</p> <p>The moral of the story: Passkeys have non-replayability built in without requiring additional time, effort, and risk like typical MFA methods.</p> <h2 id="gone-with-the-2fa">Gone with the 2FA…?</h2> <p>Passwords will be around for some time and various methods of MFA will be right alongside them for the foreseeable future. 
And as we shift toward a passwordless future, there still may be a few niche scenarios that call for a strong password and second factor (2FA).</p> <p>Imagine, for example, you store your passkeys in 1Password so they’re quickly and easily accessible across your devices. But you need to sign in to 1Password to use your passkeys. Beyond the account password and Secret Key combination (that’s <a href="https://blog.1password.com/why-trust-1password-cloud/">exceptionally robust on its own</a>), you might further protect your 1Password information by <a href="https://support.1password.com/two-factor-authentication/">turning on 2FA</a> and <a href="https://support.1password.com/security-key/">registering a hardware security key</a> as your second factor.</p> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div class="c-technical-aside-box__description"> <p>1Password will soon give you the ability to <a href="https://blog.1password.com/unlock-1password-with-passkeys/">create and unlock your 1Password account with a passkey</a>, rather than an account password and secret key!</p> </div> </aside> <p>Overall, passkeys address the replayability risk of plaintext passwords and mitigate the threats presented by TOTPs, which makes them intrinsically safer than both forms of authentication — <em>combined</em>. 
They’ll make traditional MFA options far less prevalent (and somewhat unnecessary) but passkeys may not make them entirely obsolete just yet — especially when you consider your most critical assets.</p> <p>And that may change.</p> <p>As technology advances, threats advance, and how we combat those threats has to advance just as rapidly.</p> <p>Traditional forms of two-factor authentication have been helpful, and may continue to be, but hackers long ago solved any mystery the process held when they learned how to <a href="https://blog.1password.com/what-is-sim-swapping/">SIM swap</a>, perform person-in-the-middle attacks, <a href="https://blog.1password.com/what-is-phishing-and-how-can-you-protect-your-business/">phish</a>, and <a href="https://blog.1password.com/how-do-hackers-steal-passwords/">otherwise socially engineer</a>.</p> <blockquote> <p><strong>Two-factor authentication has been helpful, and may continue to be.</strong></p> </blockquote> <p>At the moment, passkeys are relatively impenetrable and a great solution to a number of problems presented by traditional authentication methods. Will hackers find a workaround for the incredible cryptographic design of passkeys?</p> <p>Maybe.</p> <p>But passwordless technology will advance, too. 
And right now, passkeys are fantastic, just what we need, and only the beginning.</p> <p>If you want to learn more about passkeys and how they&rsquo;ll be supported in 1Password, check out <a href="https://www.future.1password.com/passkeys/">our passkeys microsite</a>, listen to our passwordless special on the <a href="https://randombutmemorable.simplecast.com/episodes/the-passwordless-special">Random but Memorable podcast</a>, and subscribe to our <a href="https://1password.com/passwordless-news/">new passwordless newsletter</a>.</p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Subscribe to our passwordless newsletter</h3> <p class="c-call-to-action-box__text"> Get our latest passkey updates delivered right to your inbox, as well as guides, interviews, and other interesting articles about the next generation of sign-in technology. </p> <a href="https://1password.com/passwordless-news/" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Subscribe to Beyond Passwords </a> </div> </section> <section class="footnotes" role="doc-endnotes"> <hr> <ol> <li id="fn:1" role="doc-endnote"> <p>An exceptionally condensed version of the process. 
<a href="https://blog.1password.com/passkeys-faqs/">Learn how passkeys work</a> and more about <a href="https://blog.1password.com/what-is-public-key-cryptography/">public key cryptography</a>.&#160;<a href="#fnref:1" class="footnote-backref" role="doc-backlink">&#x21a9;&#xfe0e;</a></p> </li> </ol> </section></description></item><item><title>Privacy-preserving usage data: Under the hood</title><link>https://blog.1password.com/privacy-telemetry-deep-dive/</link><pubDate>Wed, 26 Jul 2023 00:00:00 +0000</pubDate><author>info@1password.com (Hal Ali)</author><guid>https://blog.1password.com/privacy-telemetry-deep-dive/</guid><description> <img src='https://blog.1password.com/posts/2023/privacy-telemetry-deep-dive/header.png' class='webfeedsFeaturedVisual' alt='Privacy-preserving usage data: Under the hood' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">We <a href="https://blog.1password.com/telemetry-system-roll-out/">recently shared</a> that we’ll soon be rolling out a privacy-preserving telemetry system that will help us improve 1Password by leveraging aggregated, de-identified usage data. Here we’ll share technical details about how this system works and the steps we’ve taken to protect customer privacy while engaging with the resulting data.</p> <p>Our goal is to understand more about how our growing customer base – not specific individuals – are using 1Password. 
Our intent is to pinpoint where and how we need to improve our products by studying and drawing insights from aggregate usage patterns.</p> <p>While this is our goal, we are also 100% committed to our privacy and security standards and our technical architecture is designed to align with our core privacy principles:</p> <ul> <li> <p><strong>The passwords, credit card numbers, URLs, and other data that you save in your 1Password vaults is end-to-end encrypted using secrets that only you know.</strong> 1Password’s <a href="https://1password.com/features/zero-knowledge-encryption/">zero-knowledge architecture</a> will remain unchanged. Our telemetry system cannot, by design, have insight into the end-to-end encrypted data you store in 1Password. That information is <a href="https://1password.com/security/">owned by and known only to you</a>.</p> </li> <li> <p><strong>We will only collect what is needed to provide our service and build a better 1Password experience.</strong> We&rsquo;ve designed our telemetry system so it only collects what we truly need and nothing else. <a href="https://blog.1password.com/telemetry-system-roll-out/">You can learn more about this approach in our previous blog post</a>.</p> </li> <li> <p><strong>We won’t collect product usage telemetry data without your awareness and consent.</strong> That’s why you’ll see the following in-app prompt when the rollout reaches your Individual or Family account, letting you choose whether you would like to participate:</p> </li> </ul> <img src="https://blog.1password.com/posts/2023/privacy-telemetry-deep-dive/telemetry1.png" alt="A screenshot showing the in-app message for 1Password&#39;s privacy-preserving telemetry system." title="A screenshot showing the in-app message for 1Password&#39;s privacy-preserving telemetry system." 
class="c-featured-image"/> <p>You can <a href="https://support.1password.com/telemetry">change these preferences</a> at any time in “Manage Account”.</p> <img src="https://blog.1password.com/posts/2023/privacy-telemetry-deep-dive/telemetry2.png" alt="A screenshot showing the settings menu in 1Password where customers can update their telemetry preference." title="A screenshot showing the settings menu in 1Password where customers can update their telemetry preference." class="c-featured-image"/> <h2 id="how-were-doing-data-collection">How we’re doing data collection</h2> <p>The telemetry system we’re adding to 1Password, which has been developed by our internal teams and vetted by our security and privacy experts, is built to collect “metrics” and “events”.</p> <p>An event represents an action or moment that occurred inside a 1Password app. For example, an event could be “unlocking 1Password”. A metric is a measurement calculated client-side (to maintain user privacy) using multiple events, such as the time between when a 1Password invitation is accepted and when the subsequent profile is set up.</p> <p>Everything starts with the consent module shared above, which will be rolled out in phases. The choice you make will be synced back to our systems. This means you only need to make this choice once for an account, and it will be synced across every 1Password app that account is signed in to. You will be able to change this setting at any time.</p> <blockquote> <p>Our telemetry system won’t disrupt your workflows.</p> </blockquote> <p>Our privacy-preserving telemetry system will operate in the background without changing your daily experience with 1Password. <strong>We want to make sure we’re not getting in your way. So our telemetry system won’t block you from using 1Password or disrupt your workflows.</strong></p> <p>Behind the scenes, 1Password will fire an event when one of a predefined set of actions occurs. 
Depending on the app and its offline operations, the event may be sent on to an intermediary layer called the <strong>batcher</strong>, which serves to reduce network calls. Once a set amount of time or number of events is reached, this layer will send a batch of events on to the <strong>tracker</strong>.</p> <img src="https://blog.1password.com/posts/2023/privacy-telemetry-deep-dive/telemetrydiagram1.png" alt="A diagram showing how client event data is processed via the batcher, tracker, and collector." title="A diagram showing how client event data is processed via the batcher, tracker, and collector." class="c-featured-image"/> <p>The tracker is responsible for converting that batch of events into the appropriate protocol, attaching any necessary metadata to contextualize the events, and sending it to the <strong>collector</strong>, which we’ll unpack in a moment. This is the point at which the data transitions from the customer’s app to our infrastructure.</p> <h2 id="collection-architecture">Collection architecture</h2> <p>Event data is stored in a <strong>collector</strong> hosted entirely within our own environment for security and privacy purposes. For this aspect of our collection architecture, we host an open-source data platform built by <a href="https://snowplow.io/">Snowplow</a>.</p> <p>All of the tools we use for event collection have been customized by our engineering teams. In some cases we’ve modified and adapted Snowplow to better align with our requirements and platforms. In other cases, we’ve developed entirely new code from scratch. In both scenarios, our goal has been to ensure that we maintain complete control over the data we collect and how we handle it.</p> <p><strong>We are committed to collecting only the minimum data necessary and not sharing this raw data outside of our infrastructure.</strong></p> <h3 id="raw-events-and-storage">Raw events and storage</h3> <p>The event data in the <strong>collector</strong> is considered “raw”. 
It contains all the data and metadata that was originally collected from the app. Let’s look at an example for an <code>app_unlock</code> event (note that the sample as originally published carried a stray trailing comma after <code>user_uuid</code>, which is not valid JSON and is removed here):</p> <pre tabindex="0"><code>{
  &quot;app_id&quot;: &quot;1&quot;,
  &quot;platform&quot;: &quot;mob&quot;,
  &quot;etl_tstamp&quot;: &quot;2023-07-04T20:58:44.903Z&quot;,
  &quot;collector_tstamp&quot;: &quot;2023-07-04T20:58:44.299Z&quot;,
  &quot;dvce_created_tstamp&quot;: &quot;2023-07-04T16:30:18.018Z&quot;,
  &quot;event&quot;: &quot;unstruct&quot;,
  &quot;event_id&quot;: &quot;#########################&quot;,
  &quot;name_tracker&quot;: &quot;core&quot;,
  &quot;v_tracker&quot;: &quot;rust-fork-0.1.0&quot;,
  &quot;v_collector&quot;: &quot;ssc-2.9.0-kinesis&quot;,
  &quot;v_etl&quot;: &quot;snowplow-enrich-kinesis-3.8.0&quot;,
  &quot;user_ipaddress&quot;: &quot;##.###.###.###&quot;,
  &quot;network_userid&quot;: &quot;#########################&quot;,
  &quot;contexts_com_1password_core_app_context_2&quot;: [
    {
      &quot;version&quot;: &quot;8.10.7&quot;,
      &quot;name&quot;: &quot;1Password for iOS&quot;
    }
  ],
  &quot;contexts_com_1password_core_account_context_1&quot;: [
    {
      &quot;account_uuid&quot;: &quot;#########################&quot;,
      &quot;account_type&quot;: &quot;B&quot;,
      &quot;billing_status&quot;: &quot;A&quot;,
      &quot;user_uuid&quot;: &quot;#########################&quot;
    }
  ],
  &quot;contexts_com_1password_core_device_context_1&quot;: [
    {
      &quot;device_uuid&quot;: &quot;#########################&quot;,
      &quot;os_name&quot;: &quot;iOS&quot;,
      &quot;os_version&quot;: &quot;16.5.1&quot;
    }
  ],
  &quot;unstruct_event_com_1password_app_app_unlock_successful_1&quot;: {
    &quot;unlock_method&quot;: &quot;PASSWORD&quot;
  },
  &quot;dvce_sent_tstamp&quot;: &quot;2023-07-04T20:58:43.581Z&quot;,
  &quot;derived_tstamp&quot;: &quot;2023-07-04T16:30:18.736Z&quot;,
  &quot;event_vendor&quot;: &quot;com.1password.app&quot;,
  &quot;event_name&quot;: &quot;app_unlock_successful&quot;,
  &quot;event_format&quot;: &quot;jsonschema&quot;,
  &quot;event_version&quot;: &quot;1-0-0&quot;
}
</code></pre><p>Raw events exist within a &ldquo;black box&rdquo; for us. They are stored in an S3 bucket that our team members do not analyze. Instead, this component of the infrastructure is highly restricted – all of our validations and subsequent steps in the data pipeline are automated. In fact, all components of this system have limited access, maintained with RBAC under the <a href="https://blog.1password.com/guiding-principles-how-least-privilege-leads-to-more-security/">principle of least privilege</a>.</p> <p>Raw events are validated against data schemas developed by 1Password to ensure they’re in a format our pipeline can process. If an event does not conform to our data schemas, it’s labeled as a “bad event.” All raw events and associated data, whether they pass validation or not, are purged after 21 days.</p> <img src="https://blog.1password.com/posts/2023/privacy-telemetry-deep-dive/telemetrydiagram2.png" alt="A diagram showing how data is validated and deidentified before being used internally by 1Password&#39;s product team." title="A diagram showing how data is validated and deidentified before being used internally by 1Password&#39;s product team." class="c-featured-image"/> <p>Events that pass data schema validation proceed through our pipeline, where they undergo a series of transformations to be enriched and de-identified.</p> <img src="https://blog.1password.com/posts/2023/privacy-telemetry-deep-dive/telemetrydiagram3.png" alt="A diagram showing how 1Password&#39;s privacy-preserving telemetry system works from beginning to end." title="A diagram showing how 1Password&#39;s privacy-preserving telemetry system works from beginning to end." 
class="c-featured-image"/> <h2 id="enrichment-and-de-identification">Enrichment and de-identification</h2> <p>Valid events land in an AWS account dedicated to the enrichment and de-identification processes.</p> <p>The enrichment process adds meaningful metadata to events that we can’t pick up at the time an event is fired, as the 1Password apps hold limited information that would serve to contextualize this data, which is stored elsewhere as service data.</p> <p>This enriched metadata is defined and based on specific event types, and can include information such as the account type and if the trial period is active.</p> <p>After the enrichment process is done, we de-identify values from selected fields in the Snowplow schema. A number of strategies are employed here, such as cryptographically hashing (with HMAC-SHA256) any UUIDs collected. That cryptographic secret is generated and rotated on a quarterly basis using an AWS Lambda function. Once enriched and de-identified, the raw data is dropped, and only the de-identified events are moved forward in the pipeline.</p> <h3 id="de-identification-details">De-identification details</h3> <p>To improve 1Password, we don’t need precise timestamps of actions, specific account information, IP addresses associated with 1Password apps, or other sensitive data points. Aggregated, actionable data is our goal, as this will allow us to derive meaningful insights at scale. So before we analyze events, we aim to reduce the possibility of reidentifying individual users or having more information than necessary.</p> <p>Here are some elements we will be de-identifying and the methods we’ll be using to achieve that:</p> <div class="table-overflow"> <table> <thead> <tr> <th>Element</th> <th>Method</th> </tr> </thead> <tbody> <tr> <td>Event timestamps</td> <td>Truncated to the hour</td> </tr> <tr> <td>User UUID, account UUID, and device UUID</td> <td>Hashed cryptographically with HMAC-SHA256. 
Keys are rotated on a quarterly basis</td> </tr> <tr> <td>Account size</td> <td>Bucketed. For example, categorized as 0-5 users and 6+ users on a Family account</td> </tr> <tr> <td>IP address</td> <td>Dropped</td> </tr> </tbody> </table> </div> <h3 id="but-why-collect-these-data-points-in-the-first-place">But why collect these data points in the first place?</h3> <p>You might be wondering: Okay, you’re de-identifying some of the values associated with each data event. But why collect that information in the first place?</p> <p>Let&rsquo;s consider the example of a timestamp. The timestamp in the raw event records when an action occurred, providing valuable insights into behavior patterns. But we don&rsquo;t need to know the exact minute, second or millisecond the event took place. That level of granularity could potentially identify individuals if combined with enough data points.</p> <p>So we will truncate that timestamp to the hour, rendering it statistically useless in any re-identification attack. That way, we’ll only know that the associated action was performed around a certain time. When combined with other events, we’ll still be able to learn a lot from this de-identified information. <strong>It’s the best of both worlds – valuable insights while protecting customer privacy.</strong></p> <p>Similarly, the identity of the user who performed an action isn’t necessary. That’s why we’ll use a de-identification pipeline to generate a unique token, refreshed every quarter, to prevent re-identification attacks relying on accumulation of dimensions or state changes. This will allow us to view usage patterns and derive insights without being able to identify individual users.</p> <p>To maintain and protect customer privacy, we’ll be rotating the keys for this hashing on a quarterly basis. 
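As an added example (not 1Password's own code), here is a de-identification pass in Python that applies the table above to an event shaped like the sample raw event: timestamps truncated to the hour, the user/account/device UUIDs replaced by HMAC-SHA256 tokens under a per-quarter key, account size bucketed, and the IP address dropped. The context field names come from the sample; the <code>account_size</code> enrichment field, using <code>collector_tstamp</code> to pick the quarter, and the in-memory key store standing in for the Lambda-rotated secret are assumptions.

```python
"""De-identification pass modelled on the post's table (added example, not 1Password code)."""
import hashlib
import hmac
import json
import secrets
from datetime import datetime

# Fields the post lists as "hashed cryptographically with HMAC-SHA256".
UUID_FIELDS = {"user_uuid", "account_uuid", "device_uuid"}

# Constructed stand-in for the sample raw event in the post: the "####"
# placeholders are replaced with made-up values, and account_size is an
# assumed enrichment field (the post only says account size is bucketed).
RAW_EVENT = {
    "app_id": "1",
    "platform": "mob",
    "etl_tstamp": "2023-07-04T20:58:44.903Z",
    "collector_tstamp": "2023-07-04T20:58:44.299Z",
    "dvce_created_tstamp": "2023-07-04T16:30:18.018Z",
    "event_name": "app_unlock_successful",
    "user_ipaddress": "203.0.113.42",  # constructed TEST-NET address
    "contexts_com_1password_core_account_context_1": [
        {"account_uuid": "ACCT-0001", "account_type": "B",
         "account_size": 3, "user_uuid": "USER-0001"}
    ],
    "contexts_com_1password_core_device_context_1": [
        {"device_uuid": "DEV-0001", "os_name": "iOS", "os_version": "16.5.1"}
    ],
    "unstruct_event_com_1password_app_app_unlock_successful_1": {
        "unlock_method": "PASSWORD"
    },
}


def parse_ts(ts: str) -> datetime:
    """Parse the ISO-8601 UTC timestamps used in the event (with or without ms)."""
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in ts else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(ts, fmt)


def truncate_to_hour(ts: str) -> str:
    """'Truncated to the hour': 2023-07-04T20:58:44.903Z -> 2023-07-04T20:00:00Z."""
    dt = parse_ts(ts).replace(minute=0, second=0, microsecond=0)
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


def quarter_of(ts: str) -> str:
    """Calendar quarter an event belongs to, e.g. '2023Q3'; selects the HMAC key."""
    dt = parse_ts(ts)
    return f"{dt.year}Q{(dt.month - 1) // 3 + 1}"


def quarterly_key(quarter: str, key_store: dict) -> bytes:
    """Stand-in for the rotated secret: one fresh 256-bit key per quarter (assumption)."""
    return key_store.setdefault(quarter, secrets.token_bytes(32))


def pseudonymise(value: str, key: bytes) -> str:
    """HMAC-SHA256 token: stable within a quarter, unlinkable across quarters."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def bucket_account_size(n: int) -> str:
    """'Bucketed': the post's example bands for a Family account."""
    return "0-5" if n <= 5 else "6+"


def deidentify(event: dict, key_store: dict) -> dict:
    """Return a de-identified copy of `event`; the raw input is left untouched."""
    out = json.loads(json.dumps(event))  # deep copy, so the raw record can be dropped
    key = quarterly_key(quarter_of(out["collector_tstamp"]), key_store)
    out.pop("user_ipaddress", None)  # "IP address: Dropped"
    for field, value in list(out.items()):
        if field.endswith("_tstamp"):
            out[field] = truncate_to_hour(value)
        elif field.startswith("contexts_") and isinstance(value, list):
            for ctx in value:  # Snowplow contexts are lists of objects
                for name in list(ctx):
                    if name in UUID_FIELDS:
                        ctx[name] = pseudonymise(ctx[name], key)
                    elif name == "account_size":
                        ctx[name] = bucket_account_size(ctx[name])
    return out


def user_token(event: dict, key_store: dict) -> str:
    """Convenience accessor: the pseudonymous user id of a de-identified event."""
    acct = deidentify(event, key_store)["contexts_com_1password_core_account_context_1"]
    return acct[0]["user_uuid"]


if __name__ == "__main__":
    print(json.dumps(deidentify(RAW_EVENT, {}), indent=2))
```

Running the same event through twice with one key store yields the same tokens (aggregation still works), while an event dated in the next quarter gets a fresh key and therefore unlinkable tokens.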
Once the keys are rotated everyone will become a totally new person in our system – their hashed UUID will be different, and the one they had before will be gone.</p> <h2 id="analyzing-de-identified-data">Analyzing de-identified data</h2> <p>After we’ve taken the measures outlined above to protect individual privacy, the enriched and de-identified data will be streamed to an analytics platform. For this portion of the pipeline, we&rsquo;ve chosen an open-source platform built by PostHog, which was evaluated by our security and privacy team. As with other aspects of our pipeline, we’ve adapted the platform to our needs rather than sticking with what&rsquo;s available “out-of-the-box”. Most importantly, as described above, we handle data collection separately from the platform.</p> <p>Once the data is in PostHog, our product analytics team will build reports and conduct analyses designed to answer pre-defined business questions. For example, we may want to understand how customers are using our import functionality so we can focus optimizations - one-click imports - in the most impactful areas. In the future, we may share details about the insights we’ve gleaned from the telemetry data set, and how these have helped us make product improvements.</p> <p>We’ve thought critically about who on our team will need to perform these analyses and have restricted everyone else’s access to our analytics platform.</p> <h2 id="conclusion">Conclusion</h2> <p>From the outset, we’ve built our telemetry system with privacy and security in mind. As reflected in our de-identification design, we continue to prioritize customer privacy over more granular data and insights.</p> <p>As always, thank you for your continued trust and support. 
We don’t take it for granted and wouldn’t be where we are today without you.</p> <p>If you have any questions or thoughts about this, please <a href="https://support.1password.com/contact-telemetry/">reach out and let us know</a>.</p></description></item><item><title>Now in private beta: Create a 1Password account using a passkey</title><link>https://blog.1password.com/unlock-passkey-private-beta/</link><pubDate>Wed, 19 Jul 2023 00:00:00 +0000</pubDate><author>info@1password.com (Mitch Cohen)</author><guid>https://blog.1password.com/unlock-passkey-private-beta/</guid><description> <img src='https://blog.1password.com/posts/2023/unlock-passkey-private-beta/header.png' class='webfeedsFeaturedVisual' alt='Now in private beta: Create a 1Password account using a passkey' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">1Password’s summer of passkey announcements continues!</p> <p>Earlier this year, we said “<a href="https://blog.1password.com/unlock-1password-with-passkeys/">goodbye passwords</a>” and shared that we&rsquo;re going all-in on <a href="https://blog.1password.com/what-are-passkeys/">passkeys</a>: a simpler and more secure alternative to passwords.</p> <p>Since then, we&rsquo;ve been hard at work bringing passkey support to 1Password. You can already <a href="https://blog.1password.com/save-sign-in-passkeys-1password/">create and use passkeys to sign in to online accounts</a> with the <a href="https://1password.com/downloads/browser-extension/#beta-downloads">public beta versions of 1Password in the browser</a>. 
Plus, you can also use the 1Password desktop and mobile apps to view, organize, share, and delete passkeys saved via the browser.</p> <p>But you might remember we promised something else too: the ability to unlock a 1Password account with a passkey, rather than a password.</p> <p>Today, we’re delighted to share that we’re launching a private beta that allows a small group of testers to create and unlock a 1Password account with a passkey. This is an important step as we move toward our goal of releasing this capability for everyone later in the year.</p> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div class="c-technical-aside-box__description"> <p>Learn more about what passkeys are, and how they work, <a href="https://blog.1password.com/passkeys-faqs/">in our FAQs blog post</a>!</p> </div> </aside> <h2 id="using-a-passkey-to-unlock-1password">Using a passkey to unlock 1Password</h2> <p>Protecting 1Password with a passkey keeps your data secure while eliminating the need to create and memorize a password.</p> <p>When you want to unlock 1Password, you simply use the biometric solution built into your device. Once you&rsquo;ve created a passkey, you can use that same piece of hardware to unlock your 1Password account on other trusted devices.</p> <p>In short, unlocking 1Password with a passkey offers the best of both worlds: best-in-class security paired with maximum convenience.</p> <h2 id="our-private-beta">Our private beta</h2> <p>Here&rsquo;s a quick summary of what&rsquo;s included in our private beta:</p> <p><strong>Create a new 1Password test account with a passkey using an iPhone or iPad.</strong> This test account is a temporary way to try an experimental feature. 
It&rsquo;s free to set up and doesn&rsquo;t replace a tester&rsquo;s existing 1Password account.</p> <p>To get started, we&rsquo;re asking our small group of beta testers to create a new 1Password account using a beta version of 1Password for iOS.</p> <p><strong>Unlock 1Password with a passkey on iOS, macOS, and the web.</strong> Once testers have created their new test account with a passkey, they can use that same passkey to unlock 1Password on all of their other devices.</p> <h2 id="whats-coming-next">What’s coming next</h2> <p>Our private beta is just the beginning. We&rsquo;ll be releasing updates regularly as we work toward a public beta and, ultimately, a version that&rsquo;s ready for all of our customers.</p> <p>Our current roadmap includes:</p> <ul> <li> <p>The ability to create a new 1Password account with a passkey on other platforms – not just iOS and iPadOS.</p> </li> <li> <p>The ability to unlock 1Password with a passkey on Android, Windows, and Linux.</p> </li> <li> <p>The option to update your existing 1Password account so it can be unlocked with a passkey.</p> </li> <li> <p>The ability to secure a 1Password account with a passkey <em>in addition</em> to a traditional account password and Secret Key.</p> </li> </ul> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div class="c-technical-aside-box__description"> <p>For example, you could unlock 1Password with a passkey on your phone, but keep using your account password on your tablet and laptop. 
If you have two accounts – one for work, and one for personal use – you could secure one with a passkey, and the other with an account password and secret key.</p> </div> </aside> <ul> <li> <p>The option to secure a 1Password account with multiple passkeys tied to different devices.</p> </li> <li> <p>Recovery codes that allow you to unlock 1Password in the event that you lose your passkey and other trusted devices.</p> </li> </ul> <h2 id="the-future-is-passkeys">The future is passkeys</h2> <p>We would like to thank everyone who is taking part in the private beta and sharing feedback.</p> <p>We can’t wait to share when everyone can join in and start securing their 1Password account with a passkey.</p> <p>To learn more about passkeys, <a href="https://1password.com/passwordless-news/">subscribe to our passwordless newsletter</a> and explore the <a href="https://www.future.1password.com/passkeys/">passkeys section of our future of 1Password microsite</a>. You can also check out:</p> <ul> <li><a href="https://passkeys.directory/">Our passkeys directory, a community-focused index of websites, apps, and services that support passkeys</a>.</li> <li><a href="https://randombutmemorable.simplecast.com/episodes/the-passwordless-special">Our passkey special episode of the Random but Memorable podcast</a>.</li> <li><a href="https://blog.1password.com/passwordless-research/">Our research report looking at the public’s attitude towards passkeys and passwordless authentication</a>.</li> </ul> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Subscribe to our passwordless newsletter</h3> <p class="c-call-to-action-box__text"> Learn about the latest passkey updates coming to 1Password, as well as the best guides, interviews, and podcast episodes exploring all things passwordless. 
</p> <a href="https://1password.com/passwordless-news/" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Subscribe to Beyond Passwords </a> </div> </section></description></item><item><title>Darknet Diaries host Jack Rhysider talks about hacker teens and his AI predictions</title><link>https://blog.1password.com/darknet-diaries-cybercrime-interview/</link><pubDate>Mon, 17 Jul 2023 00:00:00 +0000</pubDate><author>info@1password.com (Jenn Marshall)</author><guid>https://blog.1password.com/darknet-diaries-cybercrime-interview/</guid><description> <img src='https://blog.1password.com/posts/2023/darknet-diaries-cybercrime-interview/header.png' class='webfeedsFeaturedVisual' alt='Darknet Diaries host Jack Rhysider talks about hacker teens and his AI predictions' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">It’s human nature: when we do something we’re excited about, we want to share it. So it’s not surprising that cybercriminals and others in the hacker space love an audience. <a href="https://darknetdiaries.com/">Darknet Diaries</a>, a podcast that delves into the how’s and why’s and implications of incidents of hacking, data breaches, cybercrime and more, has become one way for hackers to tell their stories – whether or not they get caught.</p> <p>Darknet Diaries creator and host Jack Rhysider joined 1Password’s Michael Fey (aka Roo) on the <a href="https://randombutmemorable.simplecast.com/">Random but Memorable</a> podcast to chat about some of the fascinating cybercrime stories he’s covered recently. 
Read highlights from the interview below or <a href="https://randombutmemorable.simplecast.com/episodes/unlock-darknet-data-doom">listen to the full episode</a> for answers to questions you might never have thought to ask, such as:</p> <ul> <li>What nefarious shenanigans are some of today’s hacker teens up to?</li> <li>How can I get someone else to pay for my burrito?</li> <li>What’s a hacker’s version of a microtransaction?</li> </ul> <p><strong>Bonus:</strong> Find out how Darknet Diaries gets these stories and who wants to take credit for them!</p> <p><em>Editor’s note: The views and opinions expressed by the interviewee don&rsquo;t represent the opinions of 1Password.</em></p> <div class="c-simplecast-embed"> <iframe class="c-simplecast-embed__iframe" title="1Password Random but Memorable Podcast" width="100%" frameborder="no" scrolling="no" seamless src="https://player.simplecast.com/b304828c-4174-46d3-97e6-a693341c915f?dark=false"></iframe> </div> <p><a href="https://randombutmemorable.simplecast.com/episodes/unlock-darknet-data-doom">Listen to episode 104 ›</a></p> <p><strong>Michael Fey: What are some of the wildest stories that you&rsquo;ve covered recently?</strong></p> <p><strong>Jack Rhysider:</strong> The one that really caught me by surprise was one I called <a href="https://darknetdiaries.com/episode/112/">Dirty Coms</a>. It&rsquo;s a story about the scams and hacks teenagers are doing online. People are breaking into rich people&rsquo;s Bitcoin wallets. It&rsquo;s not uncommon for some of the kids in these circles to have $100,000 to $1 million <a href="https://thewordcounter.com/meaning-of-hit-a-lick/">licks</a> in a Saturday night. And then they’re going crazy in chat, like, &ldquo;Hey, I just stole this much Bitcoin! Now what should I do? I&rsquo;ve got a million bucks!&rdquo;</p> <p>It&rsquo;s just a wild peek into this strange circle that&rsquo;s going on, and that took me by surprise. 
When you think about who&rsquo;s stealing Bitcoin, you might be thinking, &ldquo;Oh, organized cyber gangs and the Russians.&rdquo; You don&rsquo;t think of some teenager in Oakland, California, who&rsquo;s doing it. It&rsquo;s wild.</p> <p><strong>MF: When I was a teenager, my Friday nights were a bucket of popcorn and watching <em>Hercules</em> followed by <em>Xena</em>. I wasn&rsquo;t hacking people&rsquo;s computers.</strong></p> <p><strong>JR:</strong> When we were teenagers, Pirate Bay was going around. We had the <a href="https://en.wikipedia.org/wiki/Warez_scene">Warez scene</a>. You&rsquo;d swap music or maybe video games or movies and download that stuff because you&rsquo;re a teenager and you see other people do it online. People were making audio demos and video demos. It was a cool underground place. This is where teenagers were in the &rsquo;90s and early 2000s online.</p> <p>Then, in the mid-2010s or so, you had Anonymous. There were a lot of teenagers in Anonymous. We all know what trouble they got into. They were <a href="https://blog.1password.com/what-is-a-ddos-attack/">DDoSsing</a> places they didn&rsquo;t like as a protest. They were hacking into places. It became a threat.</p> <p>What is the teenage subculture doing today? They’re technocrats, the tech-affiliated people who want to rebel. It&rsquo;s wild just to see how things have evolved over time. You don&rsquo;t hear about Anonymous hacking anything these days. It&rsquo;s fizzled out as far as their hacking presence goes.</p> <p><strong>MF: I guess it’s possible I had a copy of <em>Doom II</em> back in the day that wasn&rsquo;t entirely legit. I guess this is the latest evolution of that. Outside of teens hacking Bitcoin wallets, is there a particular type of data breach or hacking gang that&rsquo;s really caught your attention?</strong></p> <p><strong>JR:</strong> I’m fascinated with what teenagers are doing because it goes into all kinds of areas you just never expected. 
These kids aren&rsquo;t just stealing Bitcoin. They&rsquo;re doing whatever they can however they can. The other day I saw a post from somebody who works at Taco Bell. Their post was something like, &ldquo;$5 for a coupon for free food. $30 for a password reset for any user at tacobell.com. $90 for a full account. Here&rsquo;s your username and password.&rdquo;</p> <p>Somebody who works at Taco Bell is selling their access to whatever you want. I don&rsquo;t really know Taco Bell that well, but I know this works for Chipotle. If you can take over someone else&rsquo;s Chipotle account, their credit card may be attached to it. Then, you can order Chipotle and get that free burrito. I think this might also be happening at Taco Bell. Like, &ldquo;Hey, I work at Taco Bell. How can I make money surreptitiously while I work here without breaking too many rules or laws? I&rsquo;m not just giving free burritos out to people. But I&rsquo;m doing this weird thing online.&rdquo;</p> <blockquote> <p><em>&ldquo;These kids aren&rsquo;t just stealing Bitcoin. They&rsquo;re doing whatever they can however they can.&quot;</em></p> </blockquote> <p>Hilton&rsquo;s Honors is another example. People have Hilton&rsquo;s Honors rewards. You can get a free hotel night&rsquo;s stay if you can take over someone&rsquo;s account, and they have enough Honor rewards points. You could just say, &ldquo;Hell, yeah. Here&rsquo;s my name. Here&rsquo;s my points. Please use this to book me a room.&rdquo; People are stealing someone else&rsquo;s points to get into the rooms.</p> <p><strong>MF: You just don&rsquo;t hear about this. They aren&rsquo;t shutting down oil pipelines or disrupting the meat industry. It’s small pockets of people doing nefarious nonsense.</strong></p> <p><strong>JR:</strong> I think a lot of stores accept a certain amount of loss. They&rsquo;re going to have people returning things and will lose items to theft. 
They don&rsquo;t actually investigate how this got scammed or refunded or whatever the case is. They&rsquo;re just like, &ldquo;Look, sorry, your Chipotle account got taken over. Here are your points back. We&rsquo;ll give you two free burritos if you stay as a customer.&rdquo;</p> <p>You get these weird clues – like people in Chipotle’s subreddit saying, “How come I’ve bought all these burritos?” – that something is going on. Something I&rsquo;ve seen in the Spotify subreddit a lot is, “Somebody keeps listening to music on my account, and it&rsquo;s not me. I didn’t listen to these songs. I don&rsquo;t know why this is happening.&rdquo; There are all these people who are like, &ldquo;Me too! Somebody listened to those exact same songs on my account!&rdquo;</p> <p>Why are all these accounts listening to this music? My theory is there are certain songs that get played to make money. You get 0.01 cents, or whatever, for playing a song. If somebody can take over a big swath of Spotify accounts and then play the same songs&hellip; and these are crappy songs. These are songs you&rsquo;ve never heard of. They&rsquo;re just garbage. But if you could play it, then Spotify will give that creator a royalty check.</p> <p><strong>MF: You know what this is, Jack? It&rsquo;s like the microtransaction version of hacking.</strong></p> <p><strong>JR:</strong> Scraping pennies off of every transaction. And not letting the accounting department know. That&rsquo;s where 1Password can come in. You can have a good, complex password for your Spotify account.</p> <p><strong>MF: Exactly. I appreciate you keeping it on brand and bringing it back home. Let&rsquo;s talk about how you&rsquo;re covering some of these stories. Have you had to find your way into some murky circles to get the inside scoop?</strong></p> <p><strong>JR:</strong> I think it&rsquo;s luck. There are three kinds of luck in the world. Dumb luck where you just stumble upon a random winning lottery ticket. 
Then there&rsquo;s luck after a lot of hard work. You just keep digging and digging and digging. At some point, you&rsquo;ll find gold after you just dig enough.</p> <p>Then there&rsquo;s the third kind of luck, which is, &ldquo;I&rsquo;m lucky in that people are bringing me stories.&rdquo; This is luck I&rsquo;ve actually created for myself because I&rsquo;ve created the show that digs into this kind of stuff. I think what&rsquo;s happening is the people who are sharing these stories are actually doing this stuff. They&rsquo;re the criminals behind it. Some of them have been caught. Some are just in the circles, watching others do it.</p> <p>They hear my show and are like, &ldquo;This guy isn&rsquo;t someone from mainstream media who doesn&rsquo;t understand who the hacker named 4chan is. He understands this and isn’t painting it in a scary way.&rdquo;</p> <blockquote> <p><em>&ldquo;I&rsquo;ve had federal agents message me.&quot;</em></p> </blockquote> <p>People are bringing me these stories. They’re like, &ldquo;I just got out of prison. I don&rsquo;t know who you are, but people are telling me I should tell you my story. Here&rsquo;s my indictment.” I&rsquo;m like, &ldquo;Oh, wow. This is an interesting story you have here.”</p> <p>There was someone from the NSA who tapped me on the shoulder when I was at Def Con one year and was like, &ldquo;Would you like the NSA to tell you a story?&rdquo; I&rsquo;m like, &ldquo;Yeah, but I don&rsquo;t think the NSA is going to tell me a story.&rdquo; He&rsquo;s like, &ldquo;I think I can make it happen.&rdquo;</p> <p>The story that came out of that connection was <a href="https://darknetdiaries.com/episode/50/">Operation Glowing Symphony</a>. The NSA actually came on the record and talked to us about how they hacked ISIS and all the different things that happened. 
It was actually US Cyber Command, but it&rsquo;s close enough.</p> <p>Then there are people in these comms – communication circles – that are like, &ldquo;Hey, have you ever looked into SIM swapping? Do you ever want to have a story about that?&rdquo; I&rsquo;m just like, &ldquo;How do you know this?&rdquo; They&rsquo;re like, &ldquo;Well, I&rsquo;m in these circles.&rdquo;</p> <blockquote> <p><em>&ldquo;All the players in this space are tuned in.&quot;</em></p> </blockquote> <p>Or, &ldquo;Hey, I&rsquo;m the one who made that tool you mentioned. I was the guy you mentioned in that episode. I got arrested in New York.&rdquo; I&rsquo;m like, &ldquo;Oh, okay. You&rsquo;re that guy.&rdquo;</p> <p>I&rsquo;ve had federal agents message me too. In fact, law enforcement and attorneys have reached out and said, &ldquo;Yeah, I was the one who worked that case. I can&rsquo;t believe you got him to admit all that because I couldn&rsquo;t get him to admit all that on the stand.”</p> <p>It just goes to show that all the players in this space are tuned in.</p> <p><strong>MF: The last time you were on the show, you mentioned that the news reporting of cybercrime is &ldquo;the first draft of history,&rdquo; and the media often doesn&rsquo;t get it right from the outset. Do you think that&rsquo;s still the case?</strong></p> <p><strong>JR:</strong> There&rsquo;s just all this guessing of who did it and why they did it and what they took and how impactful it could be. But we&rsquo;re often not creative enough to come up with ideas about how the crime could hurt someone.</p> <p>For example, you’ll hear someone say, &ldquo;Well, they took a list of email addresses of these users. What is that even going to do?” They can&rsquo;t think of what harm that can lead to in the bigger picture.</p> <p>When I listen to the news, I cringe because it&rsquo;s just so lacking context. People are talking sideways – it&rsquo;s everyone. We&rsquo;re guessing, and it&rsquo;s all wrong. 
That&rsquo;s why I want to not be in that situation. I want to wait until I know what&rsquo;s going on. It&rsquo;s funny because a lot of people, when the latest news is breaking, they&rsquo;re like, &ldquo;Oh, Jack, jump on this. Make an episode on this.&rdquo; I&rsquo;m like, &ldquo;Okay, in three years, because I don&rsquo;t know anything right now.&rdquo; I&rsquo;m definitely a slow news junkie. I don’t like to jump into things until I know all the stuff.</p> <p><strong>MF: Do you have any predictions for the year or for the future?</strong></p> <p><strong>JR:</strong> We&rsquo;ve had different phases of technology. The first big technology phase was the industrial revolution, and then the electrical age, and then the computer age. I think AI is the next phase.</p> <p>What you&rsquo;ve got here are computers that are smarter than us and can do things in a quicker and better way than we can. What is it going to mean? We&rsquo;ve seen ChatGPT show us how to find bugs in code. You can exploit this like, &ldquo;Oh, here&rsquo;s a smart contract. Can you help me find the bug in here?&rdquo; That could be a million-dollar bug bounty or just stealing stuff.</p> <p>Now AI is our hacker front. It&rsquo;s the criminal front, maybe. But at the same time, we now have AI as the defense front saying, &ldquo;Hey, here&rsquo;s my code. Help me find the bug in it.&rdquo;</p> <blockquote> <p><em>&ldquo;I&rsquo;m excited to see the world of AI and how it affects security.&quot;</em></p> </blockquote> <p>Why can&rsquo;t we integrate that into development tools to begin with? 
Like, &ldquo;Let&rsquo;s run it through AI and make sure that it&rsquo;s good before you push it.” Maybe it&rsquo;s some automated testing environment at some point or something like that.</p> <p>I&rsquo;m excited to see the world of AI and how it affects security and changes everything in our whole world.</p> <p><strong>MF: Do you have any advice for folks or businesses to prevent being exposed to the kinds of things that you&rsquo;ve seen in the past or stuff that you think is coming in the future?</strong></p> <p><strong>JR:</strong> I think data is a liability. I&rsquo;m constantly disappointed when I go to my barber, and they&rsquo;re like, &ldquo;Fill out this form and give us your name and phone number.&rdquo; Like, &ldquo;Dude, I just need a haircut.” Why are so many companies collecting so much data on us? It&rsquo;s for marketing or whatever. But no, it&rsquo;s not. There are so many places that I&rsquo;ve never gotten an email from and never been marketed to. It drives me crazy.</p> <p>Just this week, I&rsquo;ve been hearing rumors that the InfraGard website got hacked. This is where you report things to the FBI if you’re a victim of a crime. You make an account on this website. That whole database is now for sale on the dark web, supposedly. Holy cow. If the FBI can&rsquo;t secure their own data, how can my local barber do any better? Stop collecting data on people. There&rsquo;s no need for it. It&rsquo;s going to be a liability.</p> <p><strong>MF: Where can people go to find out more about you or check out the podcast?</strong></p> <p><strong>JR:</strong> I make the podcast Darknet Diaries. You can find it in any podcast player. 
Just search for it and you&rsquo;ll find it!</p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Subscribe to Random but Memorable</h3> <p class="c-call-to-action-box__text"> Listen to the latest news, tips and advice to level up your security game, as well as guest interviews with leaders from the security community. </p> <a href="https://randombutmemorable.simplecast.com/" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Subscribe to our podcast </a> </div> </section></description></item><item><title>1Password is now available on the Microsoft Store on Windows</title><link>https://blog.1password.com/microsoft-store/</link><pubDate>Thu, 13 Jul 2023 00:00:00 +0000</pubDate><author>info@1password.com (Clarence Wong)</author><guid>https://blog.1password.com/microsoft-store/</guid><description> <img src='https://blog.1password.com/posts/2023/microsoft-store/header.png' class='webfeedsFeaturedVisual' alt='1Password is now available on the Microsoft Store on Windows' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">We’re delighted to announce that 1Password is now available for download on the Microsoft Store on Windows!</p> <h2 id="not-soft-on-security">Not soft on security</h2> <p>In 2021, Microsoft unveiled a brand new, redesigned Microsoft Store on Windows, offering apps, games, movies, and TV content.</p> <p>If you’ve been looking to try 1Password and prefer to download and manage all your apps from the Microsoft Store on your Windows device, the wait is over! <a href="https://apps.microsoft.com/store/detail/1password-password-manager/XP99C9G0KRDZ27">1Password is now available to download directly from the Microsoft Store</a>. 
All content in the Microsoft Store is tested for security, family safety, and device compatibility, so you can feel confident that the 1Password app meets these requirements.</p> <h2 id="safety-at-the-speed-of-life">Safety at the speed of life</h2> <p>1Password keeps you and your loved ones safe online without giving up on convenience – the whole family can create, store, and autofill login credentials whenever and wherever they need to.</p> <p>With intuitive apps and seamless syncing, 1Password puts your data at your fingertips across all your devices. From credit cards and Wi-Fi passwords to files and financial accounts, you can easily protect, share, and manage your most important information hassle-free:</p> <ul> <li>Create, save, and autofill login credentials, addresses, credit cards, and more across all your devices.</li> <li>Temporarily share individual items with anyone (even if they don&rsquo;t use 1Password!)</li> <li>Organize stored items using tags, categories, and collections.</li> <li>Get actionable security alerts from your Watchtower dashboard.</li> <li>Help others in your Families account recover their account if they get locked out.</li> <li>Guest accounts for vault sharing.</li> <li>And much more!</li> </ul> <p>Download 1Password from the <a href="https://apps.microsoft.com/store/detail/1password-password-manager/XP99C9G0KRDZ27">Microsoft Store</a> on Windows today.</p> <section class="c-call-to-action-box c-call-to-action-box--purple"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Streamline your digital life</h3> <p class="c-call-to-action-box__text"> Organize and secure all your online accounts with 1Password, the world’s most-trusted password manager. Get started today with a free 14-day trial. 
</p> <a href="https://1password.com/pricing/" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--purple" data-event-category="CTA" data-event-action="call-to-action-button"> Try free for 14 days </a> </div> </section></description></item><item><title>1Password: New features unlocked [Summer edition]</title><link>https://blog.1password.com/new-features-unlocked-summer-2023/</link><pubDate>Tue, 11 Jul 2023 00:00:00 +0000</pubDate><author>info@1password.com (Cassaundra McLeod)</author><guid>https://blog.1password.com/new-features-unlocked-summer-2023/</guid><description> <img src='https://blog.1password.com/posts/2023/new-features-unlocked-spring-23/header.png' class='webfeedsFeaturedVisual' alt='1Password: New features unlocked [Summer edition]' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">A big part of 1Password’s mission is to make it both easier and safer for you to get things done every day, whether you’re at home or at work.</p> <p>Over the past few months, we’ve been hard at work making improvements to our apps and browser extensions so you can enjoy a faster, more consistent and convenient experience whenever you use 1Password.</p> <p>Watch our video to see what’s new in action, or read on for a rundown of what we’ve been up to.</p> <div style="text-align: center !important;"> <iframe src="https://www.youtube-nocookie.com/embed/pwHaTgvXagM" frameborder="0" allow="autoplay; encrypted-media" width="500px !important;" height="281px !important;" style="width: 500px !important; height: 281px !important; display: inline-block !important" allowfullscreen></iframe> </div> <h2 id="save-new-items-to-the-correct-1password-account">Save new Items to the correct 1Password account</h2> <p>If you have multiple 1Password accounts, like one for home and one for work, 1Password will now automatically suggest saving it to the correct account based on the email address you use to create the new 
login. No more mixups!</p> <img src="https://blog.1password.com/posts/2023/new-features-unlocked-spring-23/new-item.png" alt="A screenshot of the 1Password app open to a New Item being created with an alert that says, &#39;This looks like it should be in your Families account instead.&#39;" title="A screenshot of the 1Password app open to a New Item being created with an alert that says, &#39;This looks like it should be in your Families account instead.&#39;" class="c-featured-image"/> <p>Plus, you’ll now also see a Watchtower alert if a login may have been saved to the wrong account, so it’s easier to fix even if some logins still do get misplaced.</p> <img src="https://blog.1password.com/posts/2023/new-features-unlocked-spring-23/watchtower-alert.png" alt="A 1Password screenshot of an item in Watchtower with an alert that says, &#39;This item may belong in your other account.&#39;" title="A 1Password screenshot of an item in Watchtower with an alert that says, &#39;This item may belong in your other account.&#39;" class="c-featured-image"/> <h2 id="manage-accounts-directly-from-the-1password-mobile-and-desktop-apps">Manage accounts directly from the 1Password mobile and desktop apps</h2> <p>If you’re a Family Organizer for a 1Password Families account, you can now handle common management tasks on the go by using the 1Password apps on any of your devices.</p> <p>This means you don&rsquo;t have to sign in to 1Password.com to do things like add new people to your account, or to resend or cancel an invitation.</p> <p>Read our <a href="https://blog.1password.com/manage-accounts-in-the-1password-app/">recent blog post</a> to find out more!</p> <h2 id="an-enhanced-browsing-experience">An enhanced browsing experience</h2> <p>We&rsquo;ve simplified sign-ins for certain websites by eliminating competing authentication prompts. 
Regardless of whether you use a password, passkey, or third-party provider, 1Password seamlessly remembers your preferred sign-in method for each website, automatically logging you in with the right credentials on the first try.</p> <p>Plus, 1Password can now autofill your name on websites, so you’ve got one less thing to type when you’re filling something out.</p> <h2 id="additional--sign-in-with-providers">Additional “Sign in with” providers</h2> <p>Right now, you can use 1Password to <a href="https://blog.1password.com/sign-in-with-other-providers/">sign in to sites using common providers</a> like Apple, Google, and Facebook.</p> <p>Soon, we’ll be launching support for additional providers, starting with Amazon and Discord this summer! If you use the <a href="https://support.1password.com/betas/">beta version of 1Password in the browser</a>, you can try these new “Sign in with” providers as soon as they’re available.</p> <h2 id="create-save-and-sign-in-with-passkeys">Create, save, and sign in with passkeys</h2> <p>The latest beta of 1Password for your browser now includes a new kind of login: passkeys.</p> <p>With passkeys, you can create, save, and sign in to your online accounts without relying on passwords. 
These login credentials don’t need to be memorized, there’s no such thing as a “weak” passkey, and they can’t be stolen in a data breach.</p> <p>Check out our <a href="https://blog.1password.com/save-sign-in-passkeys-1password/">recent blog post</a> to get all the details!</p> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div class="c-technical-aside-box__description"> <p>Subscribe to our monthly newsletter, <a href="https://1password.com/passwordless-news/">Beyond Passwords</a>, for passkey news, guides, and events, as well as early access to passwordless product updates.</p> </div> </aside> <h2 id="unlock-a-better-experience">Unlock a better experience</h2> <p>To take advantage of a more secure, streamlined, and accessible 1Password experience, all you have to do is update to the latest version of 1Password on all your devices. Plus, stay tuned for the next edition of <strong>1Password: New features unlocked</strong> so you don’t miss out on the latest features we have in store!</p> <section class="c-call-to-action-box c-call-to-action-box--yellow"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Streamline your digital life</h3> <p class="c-call-to-action-box__text"> Organize and secure all your online accounts with 1Password, the world’s most-trusted password manager. Get started today with a free 14-day trial. 
</p> <a href="https://1password.com/pricing/" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--yellow" data-event-category="CTA" data-event-action="call-to-action-button"> Try free for 14 days </a> </div> </section></description></item><item><title>How Kanad Gupta made a 1Password Shell Plugin for ReadMe</title><link>https://blog.1password.com/readme-1password-shell-plugin-interview/</link><pubDate>Mon, 03 Jul 2023 00:00:00 +0000</pubDate><author>info@1password.com (Jenn Marshall)</author><guid>https://blog.1password.com/readme-1password-shell-plugin-interview/</guid><description> <img src='https://blog.1password.com/posts/2023/readme-1password-shell-plugin-interview/header.png' class='webfeedsFeaturedVisual' alt='How Kanad Gupta made a 1Password Shell Plugin for ReadMe' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Why should consumers have all the fun (and less friction) using biometrics to stay secure? 1Password offers a <a href="https://1password.com/developers">suite of tools</a> to help developers work faster and more securely. One of these tools is <a href="https://developer.1password.com/docs/cli/shell-plugins/">1Password Shell Plugins</a>, which enables one-touch access to command-line interfaces (CLIs) in your terminal.</p> <p>Know of a CLI we haven’t built a Shell Plugin for yet? Great news: you can build your own!</p> <p>Many developers <a href="https://blog.1password.com/shell-plugins-roundup/">have done just that</a>. In a recent episode of our <a href="https://randombutmemorable.simplecast.com/">Random but Memorable</a> podcast, host Michael Fey (aka Roo) talked with Kanad Gupta, the creator of the <a href="https://developer.1password.com/docs/cli/shell-plugins/readme/">ReadMe Shell Plugin</a>. 
Read the interview below (or <a href="https://randombutmemorable.simplecast.com/episodes/the-developer-special">listen to the podcast episode</a>) to learn about Kanad’s experience using 1Password Developer Tools, how he built the ReadMe Shell Plugin – and how you can create one, too.</p> <div class="c-simplecast-embed"> <iframe class="c-simplecast-embed__iframe" title="1Password Random but Memorable Podcast" width="100%" frameborder="no" scrolling="no" seamless src="https://player.simplecast.com/ec1c4473-61aa-472a-a424-c151889a573f?dark=false"></iframe> </div> <p><a href="https://randombutmemorable.simplecast.com/episodes/the-developer-special">Listen to episode 107 ›</a></p> <p><strong>Michael Fey: Can you explain what <a href="https://readme.com/">ReadMe</a> is?</strong></p> <p><strong>Kanad Gupta:</strong> ReadMe is a small startup. We’re essentially a CMS platform for API-first companies that are trying to build out an interactive developer hub so people can use their API successfully. Our users range from small mom-and-pop API companies to enterprises as large as Amazon and Lyft.</p> <p>In my opinion, we have the best API reference for REST APIs in the game, where you can actually make API calls directly from the docs, tooling to help you understand API usage, and the like.</p> <p><strong>MF: Tell us what you’re like as a developer. What&rsquo;s your area of expertise and what types of projects do you usually work on?</strong></p> <p><strong>KG:</strong> I describe myself as a “fullish” stack JavaScript developer – with a slight preference towards server-side development. Saying “full stack” implies that I have a full understanding of the entire stack, but I’m constantly learning new things. These days, I&rsquo;ve been working on our CLI tool a lot, which also functions as a CI/CD tool, and on the development and design of our API. 
Our CLI tool is a client for the ReadMe API.</p> <p><strong>MF: What language is your CLI written in?</strong></p> <p><strong>KG:</strong> It&rsquo;s all JavaScript. It&rsquo;s a Node.js TypeScript CLI. We recently started doing some pretty cool stuff with Vercel pkg, which allows us to compile Node libraries into single executable files. We&rsquo;ve been trying to come up with creative ways to keep the developer experience of TypeScript internally while also trying to get the performance and distribution benefits.</p> <p><strong>MF: You&rsquo;ve been working with some 1Password Developer Tools recently. How long have you been doing that and what features have you used?</strong></p> <p><strong>KG:</strong> I&rsquo;ve been in the 1Password ecosystem as a non-developer user for eight years now. I would say my first foray into the 1Password developer tool ecosystem was pretty recent. I think I first caught wind of the Shell Plugin ecosystem when you <a href="https://blog.1password.com/shell-plugins/">announced it in December</a>.</p> <div style="text-align: center !important;"> <iframe src="https://www.youtube-nocookie.com/embed/7aT4K1AMfGI" frameborder="0" allow="autoplay; encrypted-media" width="500px !important;" height="281px !important;" style="width: 500px !important; height: 281px !important; display: inline-block !important" allowfullscreen></iframe> </div> <p>Since then, I&rsquo;ve been playing around with the 1Password CLI. I have a bunch of little aliases for injecting one-time passwords and commands and whatnot, and just using it to optimize my general daily workflow. 
But my first real foray into it was developing the <a href="https://developer.1password.com/docs/cli/shell-plugins/readme/">ReadMe Shell Plugin</a>.</p> <p><strong>MF: What does the ReadMe Shell Plugin do with 1Password?</strong></p> <p><strong>KG:</strong> The ReadMe CLI is essentially a CI/CD-type tool that users can integrate into GitHub, GitLab, or any sort of CI/CD process to sync documentation from wherever they want to store it, like their markdown files, into ReadMe.</p> <p>As part of that, people are often juggling API keys – that&rsquo;s just a day in the life of developers. So, we have ReadMe API keys for people to sync documentation to their ReadMe projects. Essentially, the ReadMe CLI, in tandem with the ReadMe Shell Plugin, allows you to take your ReadMe API keys when they&rsquo;re stored with 1Password and invoke authenticated commands into ReadMe directly. Pretty cool stuff.</p> <p><strong>MF: Without having plaintext secrets out in the world.</strong></p> <p><strong>KG:</strong> Exactly.</p> <p><strong>MF: What was your experience submitting merge requests to our Shell Plugins repo on GitHub, and contributing to 1Password’s open source project for Shell Plugins? Where did you find yourself reaching for Stack Overflow and where did you use your own street smarts to get this thing up and running?</strong></p> <p><strong>KG:</strong> I was reaching in all kinds of places because I had never written a line of Go in my life up until that point. I&rsquo;ve been pretty much exclusively embedded in the JavaScript ecosystem for the last five years! It was daunting at first, but a bunch of individuals were super helpful on the 1Password developer team answering my questions and giving detailed review feedback and whatnot.</p> <blockquote> <p><em>&ldquo;I felt very supported from end-to-end.&quot;</em></p> </blockquote> <p>I had the VS Code Go extension, and that was honestly wonderful. 
There were certain semantics around the Go programming language, and it auto-formatted my code. It yelled at me when I wrote things improperly. Having training wheels in that sense was very helpful. And any time I had basic Go semantics questions, I was able to open up an issue in that repository and people addressed my questions very quickly and easily. I felt very supported from end-to-end – because I definitely needed it.</p> <p><strong>MF: Now that the ReadMe plugin is out in our Shell Plugins repo, anyone using ReadMe and 1Password can hook everything up that they need to completely self-serve?</strong></p> <p><strong>KG:</strong> That&rsquo;s right. It feels like a first-party integration with 1Password in many senses, just because we have our own dedicated docs page on the 1Password developer docs, and we&rsquo;ve been able to refer to that when talking about it internally and externally. So yeah, it&rsquo;s out there in the world. It&rsquo;s been out for a couple months. It&rsquo;s exciting.</p> <p><strong>MF: One of the major challenges of building security tools for developers is building them in a way that actually speeds up people&rsquo;s workflows instead of slowing them down. How did we do with that?</strong></p> <p><strong>KG:</strong> I&rsquo;m always trying to over-index and over-optimize my workflows. Any time I can spend 30 minutes turning three clicks into two, it&rsquo;s worth my time.</p> <blockquote> <p><em>&ldquo;It&rsquo;s been a dream.&quot;</em></p> </blockquote> <p>When you publish a package to the NPM registry, every time you run the publish command locally, you normally have to click to open 1Password, click to grab the one-time password token, click back and paste it in. 
Just being able to alias all that, do all these kinds of little things to optimize a lot of these different click journeys and whatnot, it&rsquo;s been a dream.</p> <p>I get the sense that there are people like me behind these 1Password developer tool decisions because it’s all done so wonderfully.</p> <p><strong>MF: Are you working on anything else right now? What&rsquo;s next for ReadMe?</strong></p> <p><strong>KG:</strong> We have some exciting things in the works with respect to creating an all-encompassing dashboard for developers to access their API keys and make successful requests. A lot of different ways for when end users interact with an API, they can just go to their docs and make those calls, and get all the tools they need to be successful with the API.</p> <p>So, continued investment on that front. Enterprise authentication is also a big priority for us and we&rsquo;ve been looking into passkey support. But nothing to announce on that front yet.</p> <p><strong>MF: We’re very much embracing a passkey future at 1Password. I&rsquo;m pretty excited about all of that.</strong></p> <p><strong>KG:</strong> 1Passkey, is that the plan?</p> <p><strong>MF: You heard it here first! It&rsquo;s going to be 1Passkey. Kanad, where can people go to find out more about you and what ReadMe is working on?</strong></p> <p><strong>KG:</strong> ReadMe is on most social media platforms. We’re on <a href="https://twitter.com/readme?lang=en">Twitter</a> and <a href="https://www.linkedin.com/company/readme">LinkedIn</a>. We have <a href="https://blog.readme.com/">a blog you can follow</a>. We&rsquo;re going to be writing about our 1Password Shell Plugin there pretty soon. 
Also, you can check us out at <a href="https://readme.com/">readme.com</a>.</p> <p><em>Editor’s note: This interview has been lightly edited for clarity and brevity.</em></p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Secure your workflows with 1Password Developer Tools</h3> <p class="c-call-to-action-box__text"> 1Password Developer Tools streamline how you manage SSH keys, API tokens, and other infrastructure secrets throughout the entire software development life cycle. </p> <a href="https://1password.com/developers" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Explore the tools </a> </div> </section></description></item><item><title>Unlock 1Password with Duo, OneLogin, and more</title><link>https://blog.1password.com/unlock-with-sso-oidc/</link><pubDate>Wed, 28 Jun 2023 00:00:00 +0000</pubDate><author>info@1password.com (Yashpreet Kaur)</author><guid>https://blog.1password.com/unlock-with-sso-oidc/</guid><description> <img src='https://blog.1password.com/posts/2023/unlock-with-sso-oidc/header.png' class='webfeedsFeaturedVisual' alt='Unlock 1Password with Duo, OneLogin, and more' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">1Password Business customers can now unlock 1Password with identity providers (IdPs) that support the generic OpenID Connect (OIDC) configuration like Duo, OneLogin, JumpCloud, and others.</p> <p>We announced <a href="https://blog.1password.com/unlock-with-okta/">Unlock with Okta</a> for 1Password Business earlier this year, and Unlock with Azure soon followed. 
Feedback from 1Password Business customers on those releases has confirmed our expectations: Pairing 1Password with your identity and access management (IAM) infrastructure simplifies adoption and improves auditing, compliance, and reporting workflows.</p> <blockquote> <p>“Everyone is now used to unlocking with Okta, and they definitely love that they don’t need to remember an extra password (anymore).” – David Baverstock, Senior IT Engineer at Airwallex</p> </blockquote> <p>Okta and Azure were our most popular integration requests, so between the two, a sizable portion of 1Password Business customers gained the ability to pair 1Password with their existing identity and access management (IAM) infrastructure.</p> <h2 id="unlock-1password-with-additional-identity-providers">Unlock 1Password with additional identity providers</h2> <p>Our next task was to bring Unlock with SSO to as many customers as possible. To do that, we built on top of the foundation laid by our integrations with Okta and Azure.</p> <p>Both Unlock with Okta and Unlock with Azure were built using the OIDC identity protocol – a modern, secure identity layer built on top of the OAuth 2.0 protocol. OIDC is simpler and more flexible to work with, and includes support for native and mobile applications.</p> <p>In short, OIDC is where things are headed. Building a generic OIDC configuration allowed us to build support for many providers at once – such as Duo, OneLogin, JumpCloud and more.</p> <p>After private and public testing, all 1Password Business customers can now integrate 1Password with identity providers that support the OIDC protocol. I’d like to give a huge shout-out from our team to the teams at Duo and OneLogin who were gracious enough to help us test and optimize the OIDC configuration.</p> <p>Please note that while Google Workspace isn&rsquo;t supported in this release, we’re working to bring support for Google Workspace to Unlock with SSO later this year. 
We&rsquo;ll share more on that integration – and supporting the Security Assertion Markup Language (SAML) protocol – in the coming months.</p> <h2 id="maintaining-zero-knowledge">Maintaining zero knowledge</h2> <p>We&rsquo;ve gone into great detail about <a href="https://blog.1password.com/unlock-sso-deep-dive/">how we engineered Unlock with SSO</a> to meet the stringent security standards you&rsquo;ve come to expect from 1Password, using a trusted device model to maintain zero knowledge.</p> <img src='https://blog.1password.com/posts/2023/unlock-with-sso-oidc/sign_in_with_duo.png' alt='Connect 1Password with Duo' title='Connect 1Password with Duo' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>Because Unlock with SSO using the generic OIDC configuration is built with the same underlying architecture as Unlock with Okta and Azure AD, <a href="https://support.1password.com/sso/">admin setup is the same</a> for Duo, OneLogin, JumpCloud, and others.</p> <img src='https://blog.1password.com/posts/2023/unlock-with-sso-oidc/duo_successful_connection.png' alt='Successfully connected 1Password to Duo' title='Successfully connected 1Password to Duo' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>And for end users, it&rsquo;s just as easy. <a href="https://support.1password.com/sso-trusted-device/">The process for setting up a trusted device</a> is the same as Unlock with Okta and Unlock with Azure AD.</p> <h2 id="a-word-from-duo">A word from Duo</h2> <p>Duo is pleased to partner with 1Password to help joint customers provide seamless, secure access to workforce applications, both cloud and on-premises.</p> <p><a href="https://duo.com/product/single-sign-on-sso">Duo Single-Sign On (SSO)</a> is a cloud-hosted OpenID provider offering inline self-service enrollment and passwordless authentication with <a href="https://guide.duo.com/universal-prompt">Duo Universal Prompt</a>. 
Already used by thousands of organizations to enable access to popular applications such as Microsoft 365, Workday, and Salesforce, Duo SSO now supports <a href="https://duo.com/docs/sso-oidc-1password">1Password</a>. 1Password Unlock with Duo SSO will replace a user&rsquo;s 1Password account password, Secret Key, and Emergency Kit. Duo admins can configure the application via the Duo Admin Panel.</p> <p>Duo SSO also includes the ability to define policies that enforce unique controls for each individual SSO application. For example, you can require that Salesforce users complete two-factor authentication at every login, but only once every seven days when accessing 1Password. Duo checks the user, device, and network against an application&rsquo;s policy before allowing access to the application.</p> <h2 id="how-to-get-started">How to get started</h2> <p>If you&rsquo;re using an identity provider that supports the generic OIDC configuration, you can <a href="https://support.1password.com/cs/sso-configure-generic/">connect your provider to 1Password</a> right now:</p> <ol> <li>Create a 1Password integration with your identity provider.</li> <li>Configure Unlock with SSO from your 1Password account on 1Password.com by selecting Security in the sidebar, then Unlock 1Password with Identity Provider.</li> <li>Create a custom group and add the team members who will gain access to Unlock with SSO.</li> </ol> <p>That’s it! Now you can secure employees no matter how they sign in – because while your SSO provider protects logins for approved apps that you specifically add to them, 1Password protects virtually everything else.</p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Unlock 1Password with Duo, OneLogin, JumpCloud, and more</h3> <p class="c-call-to-action-box__text"> Unlock 1Password with identity providers that support OpenID Connect to secure every login. 
</p> <a href="https://support.1password.com/cs/sso-configure-generic" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Get started </a> </div> </section></description></item><item><title>New: Manage accounts directly from the 1Password app</title><link>https://blog.1password.com/manage-accounts-in-the-1password-app/</link><pubDate>Tue, 27 Jun 2023 00:00:00 +0000</pubDate><author>info@1password.com (Max Applin)</author><guid>https://blog.1password.com/manage-accounts-in-the-1password-app/</guid><description> <img src='https://blog.1password.com/posts/2023/manage-accounts-in-the-1password-app/header.png' class='webfeedsFeaturedVisual' alt='New: Manage accounts directly from the 1Password app' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Coming to iOS later this week and available today on macOS, Windows, Linux, and Android, manage invites, guests, and more – all directly from the 1Password app.</p> <p>We’re making it a lot easier to protect and organize you and your loved ones’ online lives. You can now take care of some of the most common administrative tasks right from the 1Password app on your phone or computer instead of signing in to 1Password.com.</p> <div style="text-align: center !important;"> <iframe src="https://www.youtube-nocookie.com/embed/kt00IwHYick" frameborder="0" allow="autoplay; encrypted-media" width="500px !important;" height="281px !important;" style="width: 500px !important; height: 281px !important; display: inline-block !important" allowfullscreen></iframe> </div> <h2 id="whats-new">What’s new</h2> <p>Managing your 1Password Families membership just got a lot more accessible no matter where you are. As a Family Organizer, open the 1Password app on any of your devices and navigate to <strong>Manage Accounts…</strong> from the menu. 
You can now:</p> <h3 id="invite-people-to-join-your-families-account">Invite people to join your Families account</h3> <p>Ready to share passwords with your new love interest or roommate? Quickly send out an invite from the 1Password app to new members or guests. Plus, you can also confirm or reject any new members who are listed under <strong>Waiting to be confirmed</strong>.</p> <img src='https://blog.1password.com/posts/2023/manage-accounts-in-the-1password-app/invite-people.png' alt='An iPhone screenshot showing the 1Password app open on the People menu with the option to invite your family to your account and a second iPhone screenshot showing the 1Password app open on the People menu showing an account member with the status of waiting to be confirmed.' title='An iPhone screenshot showing the 1Password app open on the People menu with the option to invite your family to your account and a second iPhone screenshot showing the 1Password app open on the People menu showing an account member with the status of waiting to be confirmed.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <h3 id="check-the-progress-of-account-invitations">Check the progress of account invitations</h3> <p>If you’re wondering why someone hasn’t accepted your invite yet, you can now see if you need to give them a little nudge by checking the status of any pending invitations, or choosing to resend or cancel them.</p> <img src='https://blog.1password.com/posts/2023/manage-accounts-in-the-1password-app/pending-invitations.png' alt='A screenshot of the 1Password app open on the People menu showing the option to cancel or resend an invitation.' title='A screenshot of the 1Password app open on the People menu showing the option to cancel or resend an invitation.' 
style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <h3 id="see-the-status-of-all-members-in-your-account">See the status of all members in your account</h3> <p>Need a reminder if you started the account recovery process for a family member? You can easily check the status of all the members in your 1Password account, including <strong>Guest</strong>, <strong>Suspended</strong>, or <strong>Recovery started</strong> and <strong>Recovery pending</strong>.</p> <img src='https://blog.1password.com/posts/2023/manage-accounts-in-the-1password-app/account-status.png' alt='An iPhone screenshot showing the 1Password app open on an account member showing the status Guest and Recovery started and a second iPhone screenshot open on the 1Password app showing a list of account members and their status, including Guest and Suspended.' title='An iPhone screenshot showing the 1Password app open on an account member showing the status Guest and Recovery started and a second iPhone screenshot open on the 1Password app showing a list of account members and their status, including Guest and Suspended.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div class="c-technical-aside-box__description"> <p>Did you know? You can now use a <a href="https://blog.1password.com/introducing-1password-recovery-codes/">recovery code</a> to self-recover your 1Password account should you lose your Secret Key or forget your account password. 
Create one today!</p> </div> </aside> <h3 id="see-a-list-of-your-trusted-devices-and-browsers">See a list of your trusted devices and browsers</h3> <p>If you want to see a list of all the devices and browsers your 1Password Families account is being accessed on, you can now do it right in the app.</p> <img src='https://blog.1password.com/posts/2023/manage-accounts-in-the-1password-app/devices-and-browsers.png' alt='A screenshot of the 1Password app showing the trusted devices of a Family Organizer in the Your Details menu and a second screenshot of the 1Password app showing a list of trusted devices and browsers, along with the current device in use.' title='A screenshot of the 1Password app showing the trusted devices of a Family Organizer in the Your Details menu and a second screenshot of the 1Password app showing a list of trusted devices and browsers, along with the current device in use.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <h2 id="more-control-wherever-you-are">More control wherever you are</h2> <p>1Password is making it more seamless than ever to manage your security and keep your loved ones safe no matter where you are. From inviting a new guest to checking on trusted devices, with more power at your fingertips, you can now enjoy more peace of mind – without sacrificing convenience.</p> <section class="c-call-to-action-box c-call-to-action-box--purple"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Streamline your digital life</h3> <p class="c-call-to-action-box__text"> Organize and secure all your online accounts with 1Password, the world’s most-trusted password manager. Get started today with a free 14-day trial. 
</p> <a href="https://1password.com/pricing/" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--purple" data-event-category="CTA" data-event-action="call-to-action-button"> Try free for 14 days </a> </div> </section></description></item><item><title>Securing CI/CD pipelines with 1Password Service Accounts</title><link>https://blog.1password.com/1password-service-accounts/</link><pubDate>Tue, 27 Jun 2023 00:00:00 +0000</pubDate><author>info@1password.com (Michael Carey)</author><guid>https://blog.1password.com/1password-service-accounts/</guid><description> <img src='https://blog.1password.com/posts/2023/1password-service-accounts/header.png' class='webfeedsFeaturedVisual' alt='Securing CI/CD pipelines with 1Password Service Accounts' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Attention developers and DevOps teams! Today we’re excited to announce that <a href="https://developer.1password.com/docs/service-accounts/get-started">1Password Service Accounts</a> are now generally available to all users. Whether you’re a growing startup, a thriving mid-size company, or a sprawling enterprise, service accounts offer a secure, automated way to access infrastructure secrets exactly where they’re needed.</p> <p>This post will guide you through integrating service accounts with <a href="https://github.com/features/actions">GitHub Actions</a>, one of the leading CI/CD platforms, to secure your secrets within your pipelines. We also offer <a href="https://developer.1password.com/docs/ci-cd">pre-built integrations for CircleCI and Jenkins</a>.</p> <h2 id="managing-secrets-in-shared-environments-is-challenging">Managing secrets in shared environments is challenging</h2> <p>We all know that secrets management can be tough, especially in shared environments. 
With the stakes so high, it’s essential to keep secrets secure and ensure they don’t end up in the wrong place, like logs or code repositories.</p> <p>With service accounts and the CLI, you can encrypt all of your secrets in 1Password and grant applications programmatic access, with the ability to control which vaults are accessible and which actions the service account can perform. This helps reduce secrets sprawl across your organization by securing your secrets in a single place and eliminating hard-coded secrets.</p> <p>There’s no need to spin up additional infrastructure, and rotating secrets and securely collaborating with your team is much more convenient.</p> <h2 id="github-actions-integration-automating-secrets-management">GitHub Actions integration: automating secrets management</h2> <p>To illustrate how service accounts can streamline your workflow, let’s look at our integration with GitHub Actions. This integration allows you to load secrets from 1Password directly into your GitHub Actions runner, providing an easy way to manage secrets in a single source of truth and eliminating the risk of exposing plaintext secrets in code.</p> <div style="text-align: center !important;"> <iframe src="https://www.youtube-nocookie.com/embed/kVBl5iQYgSA" frameborder="0" allow="autoplay; encrypted-media" width="500px !important;" height="281px !important;" style="width: 500px !important; height: 281px !important; display: inline-block !important" allowfullscreen></iframe> </div> <h2 id="configuring-the-action-for-enhanced-security">Configuring the action for enhanced security</h2> <p>Using the GitHub Actions integrations with service accounts is simple. Start by creating a service account in 1Password and then set the <code>OP_SERVICE_ACCOUNT_TOKEN</code> <a href="https://docs.github.com/en/actions/security-guides/encrypted-secrets#creating-encrypted-secrets-for-a-repository">environment variable in GitHub</a> to the service account token. 
This will give the GitHub Actions runner access to 1Password.</p> <p>Next, set up a workflow YAML file that specifies the secrets to be loaded into your job. An example configuration might look like:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="nt">on</span><span class="p">:</span><span class="w"> </span><span class="l">push</span><span class="w">
</span><span class="nt">jobs</span><span class="p">:</span><span class="w">
  </span><span class="nt">hello-world</span><span class="p">:</span><span class="w">
    </span><span class="nt">runs-on</span><span class="p">:</span><span class="w"> </span><span class="l">ubuntu-latest</span><span class="w">
    </span><span class="nt">steps</span><span class="p">:</span><span class="w">
      </span>- <span class="nt">uses</span><span class="p">:</span><span class="w"> </span><span class="l">actions/checkout@v3</span><span class="w">
      </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">Load secret</span><span class="w">
        </span><span class="nt">uses</span><span class="p">:</span><span class="w"> </span><span class="l">1password/load-secrets-action@v1</span><span class="w">
        </span><span class="nt">with</span><span class="p">:</span><span class="w">
          </span><span class="c"># Export loaded secrets as environment variables</span><span class="w">
          </span><span class="nt">export-env</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w">
        </span><span class="nt">env</span><span class="p">:</span><span class="w">
          </span><span class="nt">OP_SERVICE_ACCOUNT_TOKEN</span><span class="p">:</span><span class="w"> </span><span class="l">${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}</span><span class="w">
          </span><span class="nt">SECRET</span><span class="p">:</span><span class="w"> </span><span class="l">op://app-cicd/hello-world/secret</span><span class="w">
      </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">Print masked secret</span><span class="w">
        </span><span class="nt">run</span><span class="p">:</span><span class="w"> </span><span class="l">echo &#34;Secret: $SECRET&#34;</span><span class="w">
        </span><span class="c"># Prints: Secret: ***</span><span class="w">
</span></code></pre></div><p>With this setup, your secrets are secure and accessible only when needed within your CI/CD pipelines.</p> <h2 id="get-started-with-1password-service-accounts">Get started with 1Password Service Accounts</h2> <p>Service accounts help dev teams manage their secrets more securely and efficiently. The integration with GitHub Actions is just one example of how this feature can be leveraged to automate secrets management, enhance security, and improve the efficiency of CI/CD pipelines. Check out the <a href="https://developer.1password.com/docs/service-accounts/get-started">service accounts documentation</a> to get started.</p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Get started with 1Password Service Accounts</h3> <p class="c-call-to-action-box__text"> Secure secrets and programmatically access them in your apps – without deploying additional infrastructure. 
</p> <a href="https://developer.1password.com/docs/service-accounts/get-started/?utm_ref=blog" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Explore the documentation </a> </div> </section></description></item><item><title>Developers: Stop exposing your OpenAI API keys</title><link>https://blog.1password.com/openai-chatgpt-exposed-api-keys/</link><pubDate>Mon, 26 Jun 2023 00:00:00 +0000</pubDate><author>info@1password.com (Micah Neidhart)</author><guid>https://blog.1password.com/openai-chatgpt-exposed-api-keys/</guid><description> <img src='https://blog.1password.com/posts/2023/openai-chatgpt-exposed-api-keys/header.png' class='webfeedsFeaturedVisual' alt='Developers: Stop exposing your OpenAI API keys' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Less than six months ago, artificial intelligence (AI) was largely considered to be in its infancy and primarily used for niche applications, like <a href="https://www.dpreview.com/news/2247211287/adobe-updates-photoshop-ai-power-livestreaming-photoshop-for-ipad">editing photos</a> and <a href="https://blog.google/products/google-nest/behind-scenes-new-nest-thermostat/">keeping your home at a comfortable temperature</a>. But that&rsquo;s all changed. Since OpenAI <a href="https://openai.com/blog/chatgpt">introduced GPT-3.5 in November 2022</a>, the possibilities of generative AI have come to dominate the popular imagination.</p> <img src="https://blog.1password.com/posts/2023/openai-chatgpt-exposed-api-keys/aigoogletrend.png" alt="A graph showing the growth in search queries for &#39;artificial intelligence&#39; over time." title="A graph showing the growth in search queries for &#39;artificial intelligence&#39; over time." 
class="c-featured-image"/> <p>And with good reason: ChatGPT-4 not only <a href="https://www.forbes.com/sites/johnkoetsier/2023/03/14/gpt-4-beats-90-of-lawyers-trying-to-pass-the-bar/?sh=4b48cd430279">outperforms 90%</a> of law students taking the bar exam, it also ranks highly for dozens of specialized tests ranging from economics to writing. Over the last few weeks, you’ve probably seen <a href="https://www.nytimes.com/2023/04/08/technology/ai-photos-pope-francis.html">convincing images of famous people</a>, heard <a href="https://www.theverge.com/2023/4/25/23696155/viral-drake-ai-repurposed-soundcloud-rap">catchy songs by popular artists</a>, and <a href="https://www.axios.com/2023/01/24/chatgpt-media-automation-cnet-saga">read articles</a> all completely generated by AI models.</p> <p>Excited by the untapped potential, many developers are jumping in and building new apps that integrate with OpenAI. <strong>Unfortunately, in their enthusiasm to create and share, many of these developers are accidentally giving attackers the opportunity to <a href="https://www.vice.com/en/article/93kkky/people-pirating-gpt4-scraping-openai-api-keys">rack up thousands of dollars</a> on their credit cards.</strong></p> <p>The good news? These kinds of attacks are completely preventable. If you&rsquo;re interested in building with AI, but want to avoid this problem, keep reading.</p> <h2 id="how-are-attackers-pirating-openai-accounts">How are attackers pirating OpenAI accounts?</h2> <p>OpenAI offers an application programming interface (API) that enables developers to leverage GPT-4 and other models in their own projects. To use the API, developers need to add a credit card to their accounts so they can be billed based on how much they use the system.</p> <p>Developers can then generate and use API keys to connect the projects they are building to their OpenAI accounts. Each key is essentially a credential like a password. 
This is a standard way to integrate third-party services into an application.</p> <img src="https://blog.1password.com/posts/2023/openai-chatgpt-exposed-api-keys/apikeys.png" alt="A screenshot of a page from the OpenAI website with an example API key." title="A screenshot of a page from the OpenAI website with an example API key." class="c-featured-image"/> <p><strong>But here’s the problem: many developers are referencing their OpenAI API keys directly in their code. That means <a href="https://www.vice.com/en/article/93kkky/people-pirating-gpt4-scraping-openai-api-keys">their keys are exposed</a> whenever they share their projects, which is very common in the budding AI community.</strong></p> <p>Attackers are always scanning public repositories for unprotected keys, and when they find them, they can easily use them in their own unauthorized projects. Stealing another person’s API key in this way means they don’t have to pay anything. OpenAI doesn’t know the theft has taken place and charges the owner of the API key – the developer – for the additional API usage.</p> <p>The end result is potentially devastating charges for the actual account owners.</p> <h2 id="why-does-it-matter">Why does it matter?</h2> <p>Leaking developer secrets like API keys in code <a href="https://blog.1password.com/risks-of-mismanaging-corporate-secrets/">isn’t a new problem</a>. It’s a growing issue that has led to <a href="https://blog.gitguardian.com/why-its-urgent-to-deal-with-your-hard-coded-credentials/">significant breaches and financial losses</a> for major brands and individual developers alike. Whether you&rsquo;re working with OpenAI or a different service, protecting your API keys should be a top priority.</p> <p>Securing workflows is critical not only for developers and enterprise businesses, but also for consumers and technology enthusiasts. We&rsquo;ve already seen a wave of people who aren&rsquo;t traditional developers flock to OpenAI and create interesting projects. 
That number is only going to grow as organizations like OpenAI find ways to make AI even more accessible to users.</p> <p><strong>If you’re experimenting with AI services, it’s important that you equip yourself with tools like 1Password that allow you to secure your API keys and other sensitive information.</strong></p> <h2 id="how-you-can-protect-developer-secrets-with-1password">How you can protect developer secrets with 1Password</h2> <p>Hardcoding secrets like API keys into your projects is never a good idea. It’s how most secrets are leaked. To avoid this, many developers use environment variables to save secrets in separate files and only include references to the secrets in code. This is a safer approach but can lead to ‘secrets sprawl’ where it’s hard to track down where different secrets are stored. The problem only gets worse when you’re moving a project through different environments or collaborating with a team.</p> <p>1Password offers a better way for you to manage your secrets. Take a look at this practical demo of how you can use <a href="https://developer.1password.com/docs/service-accounts">1Password Service Accounts</a> and <a href="https://developer.1password.com/docs/cli">Command-line Interface (CLI)</a> to protect your OpenAI API keys:</p> <div style="text-align: center !important;"> <iframe src="https://www.youtube-nocookie.com/embed/MR1N7p2fKAo" frameborder="0" allow="autoplay; encrypted-media" width="500px !important;" height="281px !important;" style="width: 500px !important; height: 281px !important; display: inline-block !important" allowfullscreen></iframe> </div> <p>This demo shows a good example of how you can secure your API keys and other development secrets in encrypted 1Password vaults. Using the <a href="https://developer.1password.com/docs/cli">1Password CLI</a>, you can then replace hardcoded secrets in your code with references that point to where the keys are stored in 1Password. 
At runtime, these references securely and automatically switch out for the actual API key values.</p> <p><a href="https://developer.1password.com/docs/service-accounts">1Password Service Accounts</a> give you even more control by enabling you to limit your app’s access to specific vaults in 1Password, and controlling the actions your apps can perform. Keeping all of your secrets in a single source of truth that syncs across devices makes it easier to manage them throughout the software development lifecycle, rotate them when needed, and, if you’re working for an organization, securely share them with other members of your team.</p> <blockquote> <p><strong>Thanks to 1Password, your code no longer contains any secrets directly, including your OpenAI API key.</strong></p> </blockquote> <p>Let&rsquo;s go back to the OpenAI scam that attackers have been running recently. Thanks to 1Password, your code no longer contains any secrets directly, including your OpenAI API key. Instead, it just includes references to where those secrets are stored in 1Password. So when you share the project on a public repository, an attacker can&rsquo;t look through your code and steal the key.</p> <h2 id="so-whats-next">So, what’s next?</h2> <p>We can say with confidence that artificial intelligence is here to stay. It’s likely to have a major impact across industries and many aspects of our daily lives over the next few years, so we need to learn to protect ourselves as we build with this new technology.</p> <p>If you’re one of the people exploring AI tools, or thinking of joining the expanding AI community, it’s critical that you take steps to secure your sensitive information. 
With 1Password it&rsquo;s much easier to keep attackers from exploiting your credit cards and other secrets.</p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Secure your workflows with 1Password Developer Tools</h3> <p class="c-call-to-action-box__text"> 1Password Developer Tools streamline how you manage SSH keys, API tokens, and other infrastructure secrets throughout the entire software development life cycle. </p> <a href="https://1password.com/developers" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Explore the tools </a> </div> </section></description></item><item><title>1Password and 2FA: Is it wrong to store passwords and one-time codes together?</title><link>https://blog.1password.com/1password-2fa-passwords-codes-together/</link><pubDate>Thu, 22 Jun 2023 00:00:00 +0000</pubDate><author>info@1password.com (Megan Barker)</author><guid>https://blog.1password.com/1password-2fa-passwords-codes-together/</guid><description> <img src='https://blog.1password.com/posts/2023/1password-2fa-passwords-codes-together/header.png' class='webfeedsFeaturedVisual' alt='1Password and 2FA: Is it wrong to store passwords and one-time codes together?' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">We introduced support for time-based one-time passwords (TOTP) way back in the dark ages of 2015.</p> <p>The addition of TOTP storage lets you <a href="https://support.1password.com/one-time-passwords/">use 1Password as an authenticator for websites that support two-factor authentication (2FA)</a>. 
As 2FA became increasingly common, even required in many cases, people started to question the safety and security of using 1Password to store TOTP instead of an authenticator app that exists solely for that purpose.</p> <p>It remains a fairly common question — and a great one.</p> <p>The short answer is that storing your TOTP in 1Password is safe. It’s also faster and more convenient than using a separate, dedicated app.</p> <p>The rest of this article is the nuanced (and far less brief) answer. It addresses what dedicated authenticator apps provide (and <em>don’t</em> provide), and how you can 2FA the right way. <sup id="fnref:1"><a href="#fn:1" class="footnote-ref" role="doc-noteref">1</a></sup></p> <h2 id="a-little-two-step">A little two-step</h2> <p>Let’s create a (theoretical) account to illustrate the authentication process – and it <em>is</em> a process – then dive into those infamous factors and what we need from them for <em>true</em> 2FA.</p> <p>The process starts with the question “Who are you?” You’d probably identify yourself with your name in person; online <strong>identification</strong> typically takes the form of an email address. But identification is only a claim. You can provide any email address you want — it means nothing unless you can verify ownership.</p> <p><strong>Verification</strong> comes next and asks “Are you <em>really</em> who you say you are?” The server sends a unique code to the email address you entered as identification. If you provide the right code, you verify you own (or have control of) the email address. Verification is important — it establishes trust. 
And that trust allows you to secure the account with a secret: a password of your choice.</p> <blockquote> <p><strong>You corroborate your verified identity each time you want to access the account.</strong></p> </blockquote> <p>Verification generally happens once, as part of account creation, then you corroborate your verified identity each time you want to access the account. This step is known as <strong>authentication</strong>, and it’s successful if you can enter that shared secret — your password.</p> <p>Proving you know a shared secret is only one of three authentication factors. If you’ve read our blog, you may recognize the factors as <em>something you know</em>, <em>something you have</em>, and <em>something you are</em>. In short: knowledge, possession, and inherence.</p> <p>There’s a (significant) caveat when it comes to multi-factor authentication: Each factor must be <strong>separate</strong> and <strong>distinct</strong> to be valid.</p> <p>And that, my friends, is part of the reason we’re here today. That separation and distinction of factors is critical, and directly impacts the outcome of the 1Password vs dedicated authenticator app debate.</p> <blockquote> <p><strong>Each factor must be separate and distinct to be valid.</strong></p> </blockquote> <p>For many of us, signing in to an account protected by 2FA means using 1Password to fill our password (verification), then proving we possess something to authenticate. That <em>something</em> is usually a second shared secret called a TOTP. We <em>switch</em> to our preferred TOTP-storage app, copy the one-time code, paste, and submit. Authentication is successful and we’re in. Sound familiar?</p> <p>That process is <strong>two-step verification (2SV)</strong>.</p> <p>While you turn on the 2FA setting in your account, and subsequent sign-ins require your password and a TOTP, you lack a <em>true</em> second factor when both secrets originate from the same device. 
And that means you have the same level of protection whether you store your TOTP in 1Password or an authenticator app (on the same device).</p> <h2 id="twos-a-crowd">Two&rsquo;s a crowd</h2> <p>It’s important to acknowledge that 2SV is a very valid way to secure your accounts, and improves upon the standard use of a username and password (one-factor authentication). The additional required step can prevent account compromise by someone who gains access to your login information; it acts as a barrier <em>regardless</em> of TOTP location.</p> <p>But there’s an incredibly specific (and unlikely) scenario in which storing your TOTP in a separate authenticator app <em>may</em> offer additional protection. If an attacker got ahold of your 1Password login information (<em>and</em> your 2FA secret if you’ve added that layer of protection to your 1Password account) but <strong>didn’t</strong> have control of your device, the separation between your passwords and TOTP <em>could</em> prove useful.</p> <blockquote> <p><strong>To my knowledge, there’s no authenticator app or password manager that can protect data from an attacker who has compromised the device itself.</strong></p> </blockquote> <p>I hedged with <em>may</em> and <em>could</em> because this theoretical attacker who somehow gained access to your 1Password sign-in details would know your email address, Secret Key, and account password (at minimum). Anyone with the ability to gather that much sensitive intel is unlikely to see an authenticator as much of a challenge. 
And, to my knowledge, there’s no authenticator app or password manager on the market that can safeguard data on a <a href="https://blog.1password.com/watch-what-you-type-1passwords-defenses-against-keystroke-loggers/">compromised device</a>.</p> <p>So, I’ve addressed 1Password and authenticator apps, but does any of this information matter when neither option offers <em>true</em> 2FA?</p> <h2 id="it-takes-two">It takes two</h2> <p>I’ll explain why it matters.</p> <p>We established that a true second factor is a device <em>other</em> than the one used to store your password — it might be a <a href="https://support.1password.com/security-key/">YubiKey</a>, <a href="https://cloud.google.com/titan-security-key/">Titan</a>, or an old device you use primarily for authentication. But that fact is secondary (appropriately) to a more important message:</p> <p>There’s no <em>wrong</em> way to increase account security.</p> <p>For every person who’s unwilling to store their TOTP in 1Password for fear they’d keep all their (secret) eggs in one basket, there’s another person who decides to store their TOTP in 1Password in an effort to decrease their personal attack surface. <sup id="fnref:2"><a href="#fn:2" class="footnote-ref" role="doc-noteref">2</a></sup></p> <p>Storing your TOTP in 1Password rather than a separate app is a perfectly safe and reliable option. You’ll perform 2SV rather than 2FA, and those two steps will be faster and easier with your passwords and TOTP stored together — especially when 1Password is set up to <a href="https://support.1password.com/one-time-passwords/#use-your-one-time-password">fill TOTP automatically</a>. The convenience will usually outweigh the fairly negligible amount of security that <em>may</em> be sacrificed.</p> <blockquote> <p><strong>The correct choice is the one that works best for you.</strong></p> </blockquote> <p>For the majority of people, storing TOTP in 1Password is well within their risk tolerance. 
There will always be those of you who will trade that convenience because you want or require the added protection of true 2FA. And to those faithful hardware key crew members: Think of your true second factor as less “extra layer of security,” and more granular protection that will apply only if you’re subject to certain forms of attack.</p> <p>Security guidance is largely straightforward — X is bad, do Y instead — but two-factor security is a rare case in which the correct choice is the one that works best for you. It’s not the mechanism that matters. When 2FA is enabled, your account is safer, and that is 2FA the <em>right</em> way.</p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Read our beginner&#39;s guide to cybersecurity</h3> <p class="c-call-to-action-box__text"> Want to learn more about how to stay safe online? Read our beginner’s guide to cybersecurity, which covers passwords, software, hardware, connectivity, and more! 
</p> <a href="https://1password.com/resources/beginners-guide-to-cybersecurity/" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Read the guide </a> </div> </section> <section class="footnotes" role="doc-endnotes"> <hr> <ol> <li id="fn:1" role="doc-endnote"> <p>Yes, I’m using 2FA as a verb.&#160;<a href="#fnref:1" class="footnote-backref" role="doc-backlink">&#x21a9;&#xfe0e;</a></p> </li> <li id="fn:2" role="doc-endnote"> <p>You decrease your personal attack surface when you minimize the number of third-party apps with access to your sensitive information.&#160;<a href="#fnref:2" class="footnote-backref" role="doc-backlink">&#x21a9;&#xfe0e;</a></p> </li> </ol> </section></description></item><item><title>Rolling out our privacy-preserving telemetry system</title><link>https://blog.1password.com/telemetry-system-roll-out/</link><pubDate>Wed, 21 Jun 2023 00:00:00 +0000</pubDate><author>info@1password.com (Matt Grimes)</author><guid>https://blog.1password.com/telemetry-system-roll-out/</guid><description> <img src='https://blog.1password.com/posts/2023/telemetry-system-roll-out/header.png' class='webfeedsFeaturedVisual' alt='Rolling out our privacy-preserving telemetry system' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Back in March, <a href="https://blog.1password.com/privacy-preserving-app-telemetry/">we shared our plan</a> to develop a privacy-preserving telemetry system that will help us build an even better 1Password. The goal was simple: to better understand how people are using 1Password, where they&rsquo;re getting stuck, and which updates we should be focusing on first.</p> <p>Since that announcement, we&rsquo;ve been testing our telemetry system internally with 1Password employees before rolling it out to anyone else. 
We wanted to be certain that our system, which collects small amounts of in-app usage data, could deliver valuable insights while staying true to our privacy principles.</p> <p>After months of development and refinement, <strong>we&rsquo;re now confident we can deploy this system in a way that helps us build a better 1Password without compromising on our commitment to protect your privacy.</strong></p> <p>Later this summer, you’ll see the option to participate in our telemetry system and help improve 1Password. <strong>You don’t need to take any action right now, and we won’t collect any usage data without your awareness and consent first.</strong> Participation will be optional for Individual and Family plan customers. And at this time, our telemetry system won’t be rolled out to any team or business using 1Password.</p> <h2 id="our-privacy-principles">Our privacy principles</h2> <p>We know that in the technology industry, “analytics” and “usage data” can be an excuse to invade your privacy. But that&rsquo;s not what&rsquo;s happening here. 
From the outset, we&rsquo;ve used the following privacy principles to guide our telemetry work:</p> <ul> <li>All data saved in your vaults is end-to-end encrypted using <a href="https://1password.com/security/">secrets that only you know</a>.</li> <li>We will only collect what is needed to provide our service and build you a better 1Password.</li> <li>We won’t collect usage data without your awareness and consent.</li> </ul> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div class="c-technical-aside-box__description"> <p>Usage data is separate from <a href="https://support.1password.com/1password-privacy/">the small amount of personally identifiable information we collect to provide our services and assist you in troubleshooting.</a></p> </div> </aside> <h2 id="why-were-doing-this">Why we&rsquo;re doing this</h2> <p>Up until this point, we’ve used our own usage and your feedback to inform our decision-making. We&rsquo;ve <a href="https://blog.1password.com/ux-keeping-you-at-the-center/">learned</a> and <a href="https://blog.1password.com/better-more-useful-1password/">improved</a> <em>a lot</em> this way. But there&rsquo;s always been a drawback to this approach: we don’t know what your 1Password experience is like unless you tell us.</p> <p>In short, anyone who <em>doesn&rsquo;t</em> share their opinions online, or in conversations with our team, is under-represented when we make product decisions. And that’s an awful lot of people. 
To build an even better 1Password, we need to understand our community&rsquo;s usage at a much broader level and measure the effectiveness of our solutions with personally non-identifiable, aggregated data.</p> <h2 id="what-our-telemetry-system-looks-like">What our telemetry system looks like</h2> <p><strong>We&rsquo;ll be rolling out our privacy-preserving telemetry system to customer accounts gradually.</strong> You&rsquo;ll see this message when you open 1Password on mobile and desktop when it&rsquo;s time for you to choose whether you would like to participate:</p> <img src='https://blog.1password.com/posts/2023/telemetry-system-roll-out/telemetry2.png' alt='A screenshot showing the in-app message for 1Password&#39;s privacy-preserving telemetry system.' title='A screenshot showing the in-app message for 1Password&#39;s privacy-preserving telemetry system.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>If you haven’t seen this message yet, telemetry isn’t active on your 1Password account.</p> <p>The choice to share your data is yours. We won&rsquo;t collect anything unless you&rsquo;ve confirmed you&rsquo;re happy to share in-app usage data moving forward.</p> <p>The selection you make will be applied to your entire account – you won&rsquo;t have to repeat the process on all of your devices. If you want to change your selection, you can do so via your account settings at any time. The change will take effect the next time you unlock 1Password.</p> <img src='https://blog.1password.com/posts/2023/telemetry-system-roll-out/telemetry1.png' alt='A screenshot showing the settings menu in 1Password where customers can update their telemetry preference.' title='A screenshot showing the settings menu in 1Password where customers can update their telemetry preference.' 
style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <h2 id="what-telemetry-data-will-be-collected">What telemetry data will be collected</h2> <p>We&rsquo;ve designed our telemetry system to collect data on &ldquo;events&rdquo;. An event is essentially an action, like:</p> <ul> <li>Finishing our in-app onboarding.</li> <li>Unlocking 1Password.</li> <li>Creating a new item.</li> <li>Filling an item in a website or app.</li> </ul> <p><strong>We won’t be collecting your saved passwords, passkeys, usernames, and any URLs associated with your items.</strong> Your private information is just that – <a href="https://support.1password.com/1password-security/">private</a>.</p> <p><strong>All event data will be de-identified and processed in aggregate before it’s used for analysis.</strong> Taking this approach will give us valuable insights into how people are using 1Password while also allowing us to avoid associating telemetry data with any individuals or accounts.</p> <p>We may collect a small amount of metadata alongside these events. For example, our system might note the type of device the action was performed on and the version of the 1Password app used. That way, we can contextualize the event and make informed decisions. Event data and metadata will follow the same processes of de-identification and aggregation before they’re used for any aggregate analysis.</p> <h2 id="how-we-decide-what-to-collect">How we decide what to collect</h2> <p>We&rsquo;ve designed our telemetry system so it only collects what we truly need, and nothing else. But how do we decide what&rsquo;s really needed? 
We&rsquo;ve created a clear set of internal processes that ensure any data we collect has a clear business case and meets our privacy standards.</p> <p>The process starts with some questions we need to answer, such as: &lsquo;Are customers able to use a new feature we’ve launched?&rsquo; and &lsquo;How might we improve our new feature for a future version of the app?&rsquo; Next, we’ll figure out the events that will help us answer them.</p> <p>The telemetry request will then be reviewed by an internal group of privacy-focused engineers and legal experts. If the request passes, our telemetry system will be updated accordingly.</p> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div class="c-technical-aside-box__description"> <p>Want to know more about how our telemetry system works? We&rsquo;ll be sharing a technical deep dive that breaks down the architecture of our system, including our de-identification requirements and strategies.</p> </div> </aside> <h2 id="what-happens-next">What happens next</h2> <p><strong>Right now, there&rsquo;s nothing you need to do.</strong> Our telemetry system isn&rsquo;t live yet for customer accounts.</p> <p>Starting this summer, we&rsquo;ll gradually roll out our new telemetry system. <strong>When the rollout reaches your account, you&rsquo;ll unlock 1Password and see an in-app message where you can select your sharing preferences.</strong> You can update your selection at any time via your account settings.</p> <p>As always, thank you for your continued trust and support. 
We don’t take it for granted and wouldn’t be where we are today without you.</p> <p>If you have any questions or thoughts about this, please <a href="mailto:support+telemetry@1password.com">reach out</a> and let us know.</p></description></item><item><title>WWDC23: What’s in our vision this year?</title><link>https://blog.1password.com/wwdc-2023-roundup/</link><pubDate>Mon, 19 Jun 2023 00:00:00 +0000</pubDate><author>info@1password.com (Kevin Hayes)</author><guid>https://blog.1password.com/wwdc-2023-roundup/</guid><description> <img src='https://blog.1password.com/posts/2023/wwdc-2023-roundup/header.png' class='webfeedsFeaturedVisual' alt='WWDC23: What’s in our vision this year?' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">It’s that time of year again. Summer? Yes … but no. Vacation? No. It’s <a href="https://developer.apple.com/wwdc23/">WWDC</a>, Apple’s Worldwide Developers Conference! Each year, the company uses this event to give us a sneak peek at some of the new software headed to Apple’s devices, and sometimes new devices themselves!</p> <p>While one new product <a href="https://www.apple.com/newsroom/2023/06/introducing-apple-vision-pro/">definitely stole the show</a> this year, there was a lot more to take in and plenty that could benefit 1Password in the near future! So let’s get into what caught our team’s attention, and how we&rsquo;re thinking about some of Apple&rsquo;s most important announcements.</p> <h2 id="vision-pro">Vision Pro</h2> <p>Wow, nobody — okay, almost everybody — saw this coming. But Apple’s first spatial computer exceeded our expectations. The device is packed with impressive hardware, including two micro-OLED displays with 23 million collective pixels, an M2 processor, and an all-new R1 chip.</p> <p>The <a href="https://www.apple.com/apple-vision-pro/">Vision Pro</a> could be the future of personal computing. 
We’re excited about this new platform, and how 1Password could play a part in it. Our team is anxiously awaiting the SDKs to see how Vision Pro works, and can’t wait to try it out for ourselves early next year.</p> <div style="text-align: center !important;"> <iframe src="https://www.youtube-nocookie.com/embed/TX9qSaGXFyg" frameborder="0" allow="autoplay; encrypted-media" width="500px !important;" height="281px !important;" style="width: 500px !important; height: 281px !important; display: inline-block !important" allowfullscreen></iframe> </div> <h2 id="passkeys">Passkeys</h2> <p>If you haven’t heard the news, <a href="https://www.future.1password.com/passkeys/">we’re all in on passkeys</a>. Apple announced a new passkey API that allows password managers like 1Password to create and use passkeys inside any native app that has added passkey support.</p> <p>It’s such a big deal that we felt it warranted <a href="https://blog.1password.com/apple-passkey-api-wwdc/">its own blog post</a>. Check out the article to see how we’re leveraging passkeys to streamline the process of registering and logging in to sites and apps!</p> <p>Here’s a sneak peek at what we’re working on for iOS 17:</p> <div style="text-align: center !important;"> <iframe src="https://www.youtube-nocookie.com/embed/-TOOXQoxHOI" frameborder="0" allow="autoplay; encrypted-media" width="500px !important;" height="281px !important;" style="width: 500px !important; height: 281px !important; display: inline-block !important" allowfullscreen></iframe> </div> <h2 id="widgets-in-new-places">Widgets in new places</h2> <p>We’ve <a href="https://blog.1password.com/wwdc22-roundup/">experimented with widgets in the past</a> but later this year we’ll have many, many new places to offer widgets. 
In the next version of macOS, widgets will escape the Notification Center and <a href="https://www.engadget.com/macos-sonoma-brings-widgets-to-the-desktop-180459498.html">you’ll have the option to display them on your desktop</a>.</p> <p>Meanwhile on iOS 17, widgets will appear when your phone is in a new <a href="https://9to5mac.com/2023/06/05/landscape-standby-mode-iphone-lock-screen/">Standby Mode</a>. When you put your iPhone on a charger in landscape orientation, you&rsquo;ll be given the choice to see some large widgets, like a clock and calendar.</p> <p>We’re actively experimenting with these new widget options, as well as all the other locations that can surface 1Password information in useful contexts.</p> <p>Here’s an early look at how we’re exploring Watchtower widgets along with the Swift Charts framework.</p> <div style="text-align: center !important;"> <iframe src="https://www.youtube-nocookie.com/embed/5Pab9WB9k-M" frameborder="0" allow="autoplay; encrypted-media" width="500px !important;" height="281px !important;" style="width: 500px !important; height: 281px !important; display: inline-block !important" allowfullscreen></iframe> </div> <h2 id="shortcuts">Shortcuts</h2> <p>Every year, Shortcuts — Apple’s UI-based scripting feature — keeps getting better and better. And this year is no different. Shortcuts can now be used in more places, including Spotlight searches. We&rsquo;ve been looking at how we can utilize Shortcuts to simplify the process of storing your private information in 1Password.</p> <img src='https://blog.1password.com/posts/2023/wwdc-2023-roundup/shortcuts_screenshot.jpg' alt='An iPhone screenshot showing shortcuts to open 1Password, create a new item, search items, and create a new note.' title='An iPhone screenshot showing shortcuts to open 1Password, create a new item, search items, and create a new note.' 
style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <h2 id="under-the-hood">Under the hood</h2> <p>New hardware and software features always steal the show. However, Apple also uses WWDC to introduce a lot of “under the hood” changes that are just as important for developers. These not-so-flashy updates will improve performance and stability on a range of Apple hardware, and reduce the time it takes for us to implement new tools and capabilities in 1Password. This year was no exception.</p> <p>We look forward to using Apple’s new tools to enhance the quality and experience of 1Password in the coming months. We’ll put our heads down and work hard over the summer to ensure 1Password is the best it can be on iOS 17, iPadOS 17, and macOS Sonoma when they ship later this year!</p></description></item><item><title>1Password named in Enterprise Tech 30 list for 2023</title><link>https://blog.1password.com/enterprise-tech-30-list-2023/</link><pubDate>Fri, 16 Jun 2023 00:00:00 +0000</pubDate><author>info@1password.com (Nick Summers)</author><guid>https://blog.1password.com/enterprise-tech-30-list-2023/</guid><description> <img src='https://blog.1password.com/posts/2023/enterprise-tech-30-list-2023/header.png' class='webfeedsFeaturedVisual' alt='1Password named in Enterprise Tech 30 list for 2023' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">We’re proud to announce that 1Password has been selected as one of 30 companies in the prestigious <a href="https://www.enterprisetech30.com/">Enterprise Tech 30</a> list for 2023.</p> <h2 id="whats-the-enterprise-tech-30">What’s the Enterprise Tech 30?</h2> <p>Now in its fifth year, the Enterprise Tech 30 showcases the most promising private companies in the enterprise technology space. 
The 30 chosen companies are split into three groups that reflect their size and the level of investment they’ve attracted to date: early, mid, and late stage.</p> <p>1Password made the Enterprise Tech 30 list for the first time this year. We came eighth in the late-stage group, which features other amazing organizations like Rippling, Canva, and Notion. And when all 30 companies are sorted by industry, <strong>we rank number one in the security category.</strong></p> <p>We’re honored to be recognized for our impact in the enterprise space and proud to play a part in helping organizations secure their data.</p> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div class="c-technical-aside-box__description"> <p>Read <a href="https://assets.website-files.com/643f233757edc323870e651f/6464006ae96ab724bce071ec_et30-2023-report-16May2023%20(1).pdf">the report</a> to see the full list of companies that were chosen for the Enterprise Tech 30 this year. You’ll also learn about the emerging trends in enterprise technology.</p> </div> </aside> <h2 id="how-1password-supports-enterprises">How 1Password supports enterprises</h2> <p>Workplace security has never been more important. It’s rare that a day goes by without a company hack making the news, and according to research by IBM, the average cost of a data breach <a href="https://newsroom.ibm.com/2022-07-27-IBM-Report-Consumers-Pay-the-Price-as-Data-Breach-Costs-Reach-All-Time-High">rose to $4.35 million in 2022</a>.</p> <p>1Password’s mission has always been to simplify security for everyone. That includes enterprise-level businesses with hundreds or thousands of employees with different levels of technical proficiency.</p> <p>More than 100,000 businesses choose 1Password because it offers:</p> <ul> <li> <p><strong>Security you can count on.</strong> 1Password’s unique dual-key encryption model ensures a breach of our systems would pose no threat to the sensitive information stored in your vaults. 
We encrypt the entire contents of your vaults, including crucial metadata, and are audited periodically by independent security experts.</p> </li> <li> <p><strong>Visibility into your team’s security posture.</strong> 1Password gives you a comprehensive overview of your organization’s security. It’s paired with simple, centralized, and granular controls that help you manage everything, and robust integrations that make 1Password even more helpful and seamless to use.</p> </li> <li> <p><strong>Streamlined onboarding for team members.</strong> 1Password empowers everyone in your organization to create, use, and securely share strong passwords. 1Password works on all devices and every major web browser, which ensures team members are always staying safe online and can access everything they need anytime, anywhere.</p> </li> </ul> <p>1Password doesn&rsquo;t just help you and your team members stay more secure. It also saves you money. Research by Forrester found that a composite organization can expect <a href="https://1password.com/resources/total-economic-impact-of-1password-business/">a 206% return on investment over a three-year period</a>, with benefits worth $1.3 million.</p> <h2 id="securing-the-future-what-you-can-expect-from-1password">Securing the future: What you can expect from 1Password</h2> <p>Over the last six months, we’ve released a number of new business-focused tools and capabilities, including:</p> <ul> <li><a href="https://blog.1password.com/unlock-with-okta/">Unlock with Okta</a></li> <li><a href="https://support.1password.com/sso-configure-azure/">Unlock with Azure</a></li> <li><a href="https://blog.1password.com/events-api-enhancements-2023/">Enhanced 1Password Events API</a></li> <li><a href="https://blog.1password.com/enforce-hardware-security-key-2fa/">The ability to enforce security key two-factor authentication (2FA)</a></li> <li><a href="https://blog.1password.com/admin-dashboard/">New, streamlined admin dashboard</a></li> <li>And 
more!</li> </ul> <p>Of course, we’re not stopping there. We’ll live up to the honor of being included in the Enterprise Tech 30 list by continuing to improve 1Password with new capabilities that help large businesses protect their people.</p> <p>Throughout 2023 and beyond, you can expect new integrations like <a href="https://blog.1password.com/unlock-with-sso-oidc/">our recently announced support</a> for identity providers that use the generic OpenID Connect (OIDC) configuration. You and your team members will also be able to use <a href="https://blog.1password.com/what-are-passkeys/">passkeys</a> – a simpler and more secure alternative to passwords – to protect work-related accounts. And we&rsquo;ll continue to improve <a href="https://blog.1password.com/passage-by-1password/">Passage by 1Password</a>, which gives businesses a fast and secure way to add passkey support to their websites and apps.</p> <p>These updates are just a snapshot of what we’re working on. We’re committed to building a solution that makes strong security easy for employees and gives you the visibility you need to take action when you need to.</p> <p>Thank you to everyone who voted for 1Password in the Enterprise Tech 30 this year, and congratulations to all the other companies that made the list.</p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Secure your enterprise with 1Password</h3> <p class="c-call-to-action-box__text"> Keep your team safe without slowing them down. Choose 1Password Business to gain complete control over passwords and other sensitive business information. 
</p> <a href="https://1password.com/enterprise/" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Try free for 14 days </a> </div> </section></description></item><item><title>Safety and security are human rights: How 1Password is honoring Pride</title><link>https://blog.1password.com/pride-2023/</link><pubDate>Thu, 15 Jun 2023 00:00:00 +0000</pubDate><author>info@1password.com (Erin Figueroa)</author><guid>https://blog.1password.com/pride-2023/</guid><description> <img src='https://blog.1password.com/posts/2023/pride-2023/header.png' class='webfeedsFeaturedVisual' alt='Safety and security are human rights: How 1Password is honoring Pride' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Pride month can be a time full of joy and is a great reminder of so much progress and so many people to be thankful for – but it’s also a reminder that the fight for 2SLGBTQIA+ rights is far from over.</p> <p>While our community has faced ongoing prejudice, we’ve recently seen a significant increase in hatred, discrimination, and transphobia. With uncertainty, fear, and anti-2SLGBTQIA+ legislation on the rise, it’s a particularly important time to advocate for the community, whether you’re a member or an ally.</p> <p>We believe that safety and security are basic human rights. 
These rights extend to everyone, and we can all play a part in making sure they’re protected all year round.</p> <p>Here’s some of what 1Password is doing to fight for equality and inclusion.</p> <h2 id="pride-month-initiatives">Pride month initiatives</h2> <p>We’re always focused on finding ways to support our 2SLGBTQIA+ team members and the community in tangible, effective ways, and we encourage other businesses who publicly support the 2SLGBTQIA+ community to commit to doing the same!</p> <p>These are just a few of our Pride initiatives:</p> <ul> <li><strong>Donations</strong>: This year we donated $25,000 to the <a href="https://www.aclu.org/">ACLU</a> on <a href="https://ccgsd-ccdgs.org/trans-visibility/">Trans Day of Visibility</a>, and $10,000 to <a href="https://www.thetrevorproject.org/">The Trevor Project</a> in honor of Pride month. Additionally, we’re encouraging everyone at 1Password to take part and use some of their allowance on <a href="https://bonus.ly/">Bonusly</a>, our internal recognition program, to easily donate to The Trevor Project and the ACLU with just a few clicks.</li> <li><strong>Making changes to our benefits</strong>: Noting the recent rise of transphobia and anti-trans rhetoric, we made the decision earlier this year to extend our benefits coverage to support gender affirmation care and expenses. We’ll also continue to work on new ways to support our transgender team members.</li> <li><strong>Pride Employee Resource Group (ERG)</strong>: 1Password’s Pride ERG represents the interests of 2SLGBTQIA+ team members and supports our diversity and inclusion goals. 
The group helps create safe spaces, increases awareness around 2SLGBTQIA+ challenges, and advocates for representation in marketing, donations of money and time, and vendor selection.</li> <li><strong>Pride month celebrations</strong>: Our Pride ERG has planned a variety of events throughout the month to help everyone at 1Password both celebrate and learn about the 2SLGBTQIA+ community. We’re starting with a keynote by <a href="https://www.syrusmarcusware.com/about">Syrus Marcus Ware</a>, a celebrated Canadian 2SLGBTQIA+ artist, activist, educator, and <a href="https://blacklivesmattertoronto.ca/">Black Lives Matter – Toronto</a> organizer. He’ll discuss hope and possibility in a changing world, and dreaming into queer futures while understanding our rich pasts.</li> </ul> <p>We’ll also be hosting our first virtual Pride ERG gathering, playing a fun and informative trivia challenge around 2SLGBTQIA+ pop culture and history, and watching 1999’s <em><a href="https://www.imdb.com/title/tt0179116/">But I’m a Cheerleader</a></em> together.</p> <p>Finally, as the Pride ERG executive sponsor, I’ll be hosting an AMA (Ask Me Anything) centered around creating safe spaces to share with 2SLGBTQIA+ colleagues.</p> <h2 id="diversity-equity-inclusion-and-belonging-initiatives">Diversity, Equity, Inclusion, and Belonging initiatives</h2> <p>Last year, we worked to formalize our internal Diversity, Equity, Inclusion, and Belonging (DEIB) program named <strong>Strong, Unique Voices</strong>. We’re building on this work with the launch of our DEIB Council, a cross-functional group that helps steer DEIB at 1Password and keeps us accountable. This includes mentorships and ERGs, along with tracking and reporting on the outcomes of our diversity strategies.</p> <p>Our Talent Acquisition team is continuing to work on ensuring that all of our candidates have the same fair and positive experience. 
This includes partnering or working with <a href="https://www.thereadyset.co/">ReadySet</a>, <a href="https://www.shegeeksout.com/">SheGeeksOut</a>, and <a href="https://peopleofcolorintech.com/">POCIT</a>, conducting training on inclusive hiring, and sourcing applications from underrepresented communities in tech, including 2SLGBTQIA+.</p> <h2 id="1passwords-commitment-to-the-community">1Password’s commitment to the community</h2> <p>Pride is a time to reflect on the progress our community has made, celebrate diversity, and continue the fight for equality. By embracing our history, advocating for change, and fostering inclusivity, we can create a world where every 2SLGBTQIA+ person can live authentically and with pride.</p> <p>1Password is made up of real people who genuinely care about your security – and not just online. Safety is a human right for everyone. That includes every 2SLGBTQIA+ person who works with us or uses 1Password to protect their passwords and digital lives. We’re here for you.</p> <p>Let’s stand together, uplift each other, and protect everyone’s human rights. Happy Pride! 🏳️🌈 🏳️⚧️</p> <section class="c-call-to-action-box c-call-to-action-box--purple"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Want to join 1Password?</h3> <p class="c-call-to-action-box__text"> Our vision is to create a safer, simpler digital future for everyone. Come help us unlock peace of mind so everyone can stay secure online. 
</p> <a href="https://1password.com/jobs/" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--purple" data-event-category="CTA" data-event-action="call-to-action-button"> Careers at 1Password </a> </div> </section></description></item><item><title>Passkeys in iOS 17: Watch a sneak peek at what's coming to 1Password for iOS</title><link>https://blog.1password.com/apple-passkey-api-wwdc/</link><pubDate>Wed, 07 Jun 2023 00:00:00 +0000</pubDate><author>info@1password.com (Steve Won)</author><guid>https://blog.1password.com/apple-passkey-api-wwdc/</guid><description> <img src='https://blog.1password.com/posts/2023/apple-passkey-api-wwdc/header.png' class='webfeedsFeaturedVisual' alt='Passkeys in iOS 17: Watch a sneak peek at what's coming to 1Password for iOS' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">We’re always captivated by WWDC, Apple’s annual developer conference, and the announcements shared during its keynotes and various breakout sessions. This year’s conference was particularly exciting because Apple <a href="https://developer.apple.com/passkeys/">unveiled a new passkey API</a> that will be implemented in iOS 17. The API will enable password managers like 1Password to create and use passkeys inside any native app that has added passkey support, including Safari.</p> <p>We’re <em>thrilled</em> about this announcement.</p> <p>If you need a quick refresher: <a href="https://blog.1password.com/what-are-passkeys/">passkeys are a new kind of login credential</a> that entirely replaces passwords. Passkeys don&rsquo;t need to be memorized, there&rsquo;s no such thing as a &ldquo;weak&rdquo; passkey, and they can&rsquo;t be stolen in a data breach. These passwordless login credentials also speed up the process of signing in to your online accounts. 
Research by Google shows that signing in with a password <a href="https://security.googleblog.com/2023/05/making-authentication-faster-than-ever.html?m=1">takes twice as long as a passkey login</a>.</p> <p>Apple’s newly announced API will make passkeys even more useful and seamless to use on iPhones. Our developers have jumped into action and are already hard at work integrating the new passkey API in 1Password for iOS.</p> <p>Here’s a sneak peek at what we’re building:</p> <div style="text-align: center !important;"> <iframe src="https://www.youtube-nocookie.com/embed/CCMckjhhLg0" frameborder="0" allow="autoplay; encrypted-media" width="500px !important;" height="281px !important;" style="width: 500px !important; height: 281px !important; display: inline-block !important" allowfullscreen></iframe> </div> <h2 id="why-you-should-save-your-passkeys-in-1password">Why you should save your passkeys in 1Password</h2> <p>If you haven’t heard the news, <a href="https://blog.1password.com/unlock-1password-with-passkeys/">we’re all in on passkeys</a>. We <a href="https://blog.1password.com/1password-is-joining-the-fido-alliance/">joined the FIDO Alliance last year</a>, and have committed to building safer, simpler, and faster login solutions for everyone.</p> <p>When you create a new passkey on your iPhone, iPad or Mac, you&rsquo;ll be able to choose where to store it. Here are just a few reasons why 1Password is the most secure and convenient place for your passwordless login credentials:</p> <ul> <li> <p><strong>You can sync your passkeys between devices.</strong> Other solutions may lock your passkeys to a specific device, or only support syncing within a specific ecosystem. 1Password lets you use your passkeys on any device, and any major browser.</p> </li> <li> <p><strong>You can share your passkeys with anyone.</strong> Need to give a co-worker or family member access to one of your passkey-protected accounts? Just put the passkey in a shared vault. 
Or use item sharing for short-term access.</p> </li> <li> <p><strong>You can store passkeys alongside your passwords and other important data.</strong> 1Password gives you a secure and convenient place to store passkeys, passwords, credit cards, addresses, medical records, and everything else that&rsquo;s important in your digital life.</p> </li> </ul> <h2 id="passkeys--1password-the-journey-so-far">Passkeys &amp; 1Password: the journey so far</h2> <p>Itching to start using passkeys? Here’s the progress we’ve made so far.</p> <h3 id="save-and-sign-in-with-passkeys-using-1password-in-the-browser">Save and sign in with passkeys using 1Password in the browser</h3> <p>You can now <a href="https://blog.1password.com/save-sign-in-passkeys-1password/">create and use passkeys with the public beta of 1Password in the browser</a>. Once you’ve <a href="https://1password.com/downloads/browser-extension/#beta-downloads">downloaded one of our beta extensions</a>, find a website that supports passkey login, and follow their instructions to secure your account with a passkey.</p> <div style="text-align: center !important;"> <iframe src="https://www.youtube-nocookie.com/embed/Go1UqI4QTAQ" frameborder="0" allow="autoplay; encrypted-media" width="500px !important;" height="281px !important;" style="width: 500px !important; height: 281px !important; display: inline-block !important" allowfullscreen></iframe> </div> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div class="c-technical-aside-box__description"> <p>Not sure where you can use passkeys? Browse our <a href="https://passkeys.directory/">passkey directory</a>! In our latest 1Password beta apps, <a href="https://watchtower.1password.com/">Watchtower</a> will also tell you when one of your existing accounts can be secured with a passkey.</p> </div> </aside> <p>An on-screen prompt will explain where your new passkey will be stored. 
If you already have an account with the website, you&rsquo;ll see an option to update your current credential with the new passkey or save it as a new one. Once you&rsquo;ve confirmed that the new passkey should be saved in 1Password … that&rsquo;s it! You&rsquo;re all done.</p> <h3 id="view-edit-move-share-and-delete-passkeys-using-1password">View, edit, move, share, and delete passkeys using 1Password</h3> <p>When you create and save a passkey using 1Password in the browser, it will automatically be synced across your devices and available in 1Password for Mac, iOS, Windows, Android, and Linux. You can use these apps to:</p> <ul> <li>View your passkeys.</li> <li>Organize your passkeys with notes and tags.</li> <li>Move passkeys to different vaults.</li> <li>Share passkeys securely with other people.</li> <li>Delete passkeys you no longer need.</li> <li>And more!</li> </ul> <h2 id="coming-soon-save-and-use-passkeys-in-any-android-app-using-1password">Coming soon: Save and use passkeys in any Android app using 1Password</h2> <p>Own an Android phone or tablet? You’ll soon be able to create and use passkeys to sign in to Android apps on your phone. We plan to roll this out alongside or shortly after the launch of Android 14. When it goes live, you’ll be able to save and use passkeys not only in Chrome for Android but also in any other native Android app that supports passkeys.</p> <div style="text-align: center !important;"> <iframe src="https://www.youtube-nocookie.com/embed/ZrayWva-Wkw" frameborder="0" allow="autoplay; encrypted-media" width="500px !important;" height="281px !important;" style="width: 500px !important; height: 281px !important; display: inline-block !important" allowfullscreen></iframe> </div> <h3 id="coming-soon-unlock-1password-with-a-passkey">Coming soon: Unlock 1Password with a passkey</h3> <p>For passkeys to succeed, they need to replace all of your passwords, including the one you use to unlock 1Password. 
We’re working on giving you the option to <a href="https://blog.1password.com/unlock-1password-with-passkeys/">create and unlock your 1Password account with a passkey</a>, rather than a password.</p> <p>Securing 1Password with a passkey will be just as secure as an account password and Secret Key, but much easier to manage.</p> <p>We’ll be launching this functionality in private beta later this summer. Here’s a sneak peek that will give you a feel for how it’s going to work:</p> <div style="text-align: center !important;"> <iframe src="https://www.youtube-nocookie.com/embed/gDK-p_GBG5U" frameborder="0" allow="autoplay; encrypted-media" width="500px !important;" height="281px !important;" style="width: 500px !important; height: 281px !important; display: inline-block !important" allowfullscreen></iframe> </div> <h2 id="the-future-is-passkeys">The future is passkeys</h2> <p>The passkey APIs that Apple announced this week are a crucial tool that will help us realize our vision of building truly simple, fast, and secure login solutions for everyone.</p> <p>Once the conference is over, we&rsquo;ll be putting our heads down and working hard on bringing the best passkey experience possible to iOS and macOS.</p> <p>If you want to learn more about passkeys and our plans to support them, check out:</p> <ul> <li><a href="https://blog.1password.com/what-are-passkeys/">Our passkeys explainer</a></li> <li><a href="https://blog.1password.com/unlock-1password-with-passkeys/">Our announcement that you’ll soon be able to create and unlock a 1Password account using a passkey</a></li> <li><a href="https://www.future.1password.com/passkeys">Our future of 1Password microsite</a></li> <li><a href="https://blog.1password.com/passwordless-research/">Our research report looking at the public’s attitude toward passkeys and passwordless authentication</a></li> <li><a href="https://passkeys.directory/">Our passkeys directory, a community-driven index of websites, apps, and services that 
support passkeys</a></li> </ul> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Subscribe to our passwordless newsletter</h3> <p class="c-call-to-action-box__text"> Get our latest passkey updates delivered right to your inbox, as well as guides, interviews, and other interesting articles about the next generation of sign-in technology. </p> <a href="https://1password.com/passwordless-news/" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Subscribe to Beyond Passwords </a> </div> </section></description></item><item><title>Now in beta: Save and sign in with passkeys using 1Password in the browser</title><link>https://blog.1password.com/save-sign-in-passkeys-1password/</link><pubDate>Tue, 06 Jun 2023 00:00:00 +0000</pubDate><author>info@1password.com (Travis Hogan)</author><guid>https://blog.1password.com/save-sign-in-passkeys-1password/</guid><description> <img src='https://blog.1password.com/posts/2023/save-sign-in-passkeys-1password/header.png' class='webfeedsFeaturedVisual' alt='Now in beta: Save and sign in with passkeys using 1Password in the browser' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Last year, we joined the FIDO Alliance and <a href="https://blog.1password.com/1password-is-joining-the-fido-alliance/">committed to building safer, simpler, and faster login solutions</a> for everyone. Today, we’re taking a major step forward and announcing that passkey support has started to arrive in 1Password. 
Using the <a href="https://1password.com/downloads/browser-extension/#beta-downloads">public beta versions of 1Password in the browser</a>, you can now save and sign in to online accounts with passkeys.</p> <p>Our <a href="https://1password.com/downloads/browser-extension/#beta-downloads">beta extensions</a> cover the following browsers:</p> <ul> <li>Chrome (macOS, Windows, and Linux)</li> <li>Firefox (macOS, Windows, and Linux)</li> <li>Edge (macOS, Windows, and Linux)</li> <li>Brave (macOS, Windows, and Linux)</li> <li><a href="https://testflight.apple.com/join/wdCBan7N">Safari</a> (macOS)</li> </ul> <p>1Password for Mac, iOS, Windows, Android, and Linux have also been updated so you can view, edit, move, share, and delete any passkey you&rsquo;ve created using 1Password.</p> <p>If you need a quick refresher: <a href="https://blog.1password.com/what-are-passkeys/">passkeys are a new kind of login credential</a> that entirely replaces passwords. Passkeys don&rsquo;t need to be memorized, there&rsquo;s no such thing as a &ldquo;weak&rdquo; passkey, and they can&rsquo;t be stolen in a data breach. These passwordless login credentials also speed up the process of signing in to your online accounts. Research by Google shows that signing in with a password <a href="https://security.googleblog.com/2023/05/making-authentication-faster-than-ever.html?m=1">takes twice as long as a passkey login</a>.</p> <p>We&rsquo;re proud to be leading the transition from passwords to passkeys, and can&rsquo;t wait for you to start saving your own passkeys in 1Password.</p> <h2 id="why-you-should-create-and-store-passkeys-in-1password">Why you should create and store passkeys in 1Password</h2> <p>Passkeys aren&rsquo;t just a new type of login. 
They&rsquo;re <a href="https://blog.1password.com/passkeys-vs-passwords-differences/">a simpler, more secure alternative to passwords</a> that will make it easier for all of us to protect our online accounts.</p> <p>Here are just a few reasons why you should start using passkeys in 1Password:</p> <ul> <li> <p><strong>Signing in with a passkey is fast and convenient.</strong> Unlike traditional passwords, there’s nothing to type out or memorize. You simply open the website you want to sign in to, find the sign in page or button, and let 1Password handle the rest.</p> </li> <li> <p><strong>Passkeys are secure.</strong> Behind the scenes, every passkey has two parts, and only one of them is shared with the website you&rsquo;re signing in to. You need both parts of a passkey to authenticate, which means no-one can access your online accounts unless they have physical access to your devices – and a way to unlock them.</p> </li> <li> <p><strong>You can sync your passkeys between devices.</strong> Other solutions may lock your passkey to a specific device or only support syncing within a specific ecosystem. 1Password lets you use your passkeys on any device and any major browser.</p> </li> <li> <p><strong>Saving passkeys in 1Password will keep your digital life organized.</strong> Store your passkeys, passwords and other sensitive information in one secure and convenient place. That way, you know that everything you need is always at your fingertips in 1Password. You can also organize your passkeys with vaults, tags, and more!</p> </li> <li> <p><strong>1Password remembers <em>where</em> you’ve chosen to use passkeys.</strong> Signing in can be overwhelming when you use a variety of passkeys, passwords, SSO, and &lsquo;sign in with&rsquo; services. 
1Password will sign you in with the correct credentials every time, regardless of the website and login method.</p> </li> <li> <p><strong>You&rsquo;ll <em>know</em> when it’s possible to secure your accounts with passkeys.</strong> In the latest 1Password beta apps, <a href="https://watchtower.1password.com/">Watchtower</a> will tell you when a website that you use has added passkey support.</p> </li> <li> <p><strong>You can share your passkeys.</strong> Need to give a co-worker or family member access to one of your passkey-protected accounts? Just put the passkey in a shared vault, or give them access via item sharing.</p> </li> </ul> <h2 id="how-to-get-started">How to get started</h2> <p>Ready to start saving and signing in to accounts using the latest 1Password in the browser beta? Follow these steps:</p> <ul> <li>Open a website that supports passkey login. You can find passkey-compatible sites in our <a href="https://passkeys.directory/">passkey directory</a>. In the latest 1Password beta apps, Watchtower will also tell you when one of your existing accounts can be secured with a passkey.</li> </ul> <img src='https://blog.1password.com/posts/2023/save-sign-in-passkeys-1password/watchtower-alert.png' alt='Screenshot of an item with a Watchtower notification, informing the user they can now use a passkey for that item.' title='Screenshot of an item with a Watchtower notification, informing the user they can now use a passkey for that item.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <ul> <li> <p>Follow the account creation process and choose the option to create your account with a passkey, rather than a password. If you&rsquo;re updating an existing account, sign in as usual and look for the passkey login option in your account settings.</p> </li> <li> <p>An on-screen prompt will explain where your new passkey will be stored. 
If you already have an account with the website, you&rsquo;ll see an option to update your current credential with the new passkey or save it as a new one. Once you&rsquo;ve confirmed that the new passkey should be saved in 1Password … that&rsquo;s it! You&rsquo;re all done.</p> </li> </ul> <img src='https://blog.1password.com/posts/2023/save-sign-in-passkeys-1password/save-passkey.png' alt='Screenshot of 1Password in the browser notifying the user where their newly-created passkey will be saved.' title='Screenshot of 1Password in the browser notifying the user where their newly-created passkey will be saved.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <ul> <li>The next time you want to sign in to the account, the beta version of 1Password in the browser will offer to use your newly-created passkey.</li> </ul> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div class="c-technical-aside-box__description"> <p>Learn more about <a href="https://support.1password.com/save-use-passkeys/">how to create and use passkeys with 1Password in the browser</a>.</p> </div> </aside> <h2 id="coming-soon-unlock-1password-with-a-passkey">Coming soon: Unlock 1Password with a passkey</h2> <p>Earlier this year, we said &lsquo;<a href="https://blog.1password.com/unlock-1password-with-passkeys/">goodbye, passwords</a>&rsquo; and announced you&rsquo;ll also be able to unlock your 1Password account with a passkey, rather than a password.</p> <p>We&rsquo;ve been working hard on this functionality and will be launching it in beta later this summer! 
Here&rsquo;s a sneak peek of how unlocking 1Password with a passkey is going to work:</p> <div style="text-align: center !important;"> <iframe src="https://www.youtube-nocookie.com/embed/kpTxD6KEDxw" frameborder="0" allow="autoplay; encrypted-media" width="500px !important;" height="281px !important;" style="width: 500px !important; height: 281px !important; display: inline-block !important" allowfullscreen></iframe> </div> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div class="c-technical-aside-box__description"> <p>Sign up to our <a href="https://1password.com/passwordless-news/">passwordless newsletter</a> to get early access to future betas, as well as the latest passkey news, podcasts, and more sent directly to your inbox!</p> </div> </aside> <h2 id="the-future-is-passkeys">The future is passkeys</h2> <p>Today’s public beta launch of saving and signing in with passkeys is just the beginning. We’ll continue to update 1Password so that passkeys are even more seamless and useful, regardless of which device or browser you’re using.</p> <p>For example, you’ll be able to <a href="https://youtu.be/aUsQd8MS-u0">save and sign in with passkeys on an Android device</a> later this summer, once Android 14 is available. This will work not only in Chrome for Android but also in other native Android apps that support passkeys.</p> <p>We’re also hard at work bringing the same level of passkey support to iOS! That means you’ll be able to save and use passkeys in any app installed on your device, including Safari. (We’ll have more to share on this soon.)</p> <p>Passkeys are the future. And the future has finally arrived.</p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Start using passkeys</h3> <p class="c-call-to-action-box__text"> Ready to create some passkeys? Start by downloading the beta version of 1Password in the browser. 
You can then save and sign in with passkeys on compatible websites! </p> <a href="https://1password.com/downloads/browser-extension/#beta-downloads" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Download 1Password in the browser beta </a> </div> </section></description></item><item><title>Join the 1Password Hackathon hosted by Hashnode and compete for $10,000 in prizes</title><link>https://blog.1password.com/2023-1password-hashnode-hackathon/</link><pubDate>Thu, 01 Jun 2023 00:00:00 +0000</pubDate><author>info@1password.com (Jason Harris)</author><guid>https://blog.1password.com/2023-1password-hashnode-hackathon/</guid><description> <img src='https://blog.1password.com/posts/2023/2023-1password-hashnode-hackathon/header.png' class='webfeedsFeaturedVisual' alt='Join the 1Password Hackathon hosted by Hashnode and compete for $10,000 in prizes' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">We love hackathons. In fact, that’s where the idea for 1Password came from – with all-night coding sessions that demanded credentials throughout the process.</p> <p>Hackathons are high-energy, creative marathons that serve as a playground for innovation and collaboration, and often result in exciting projects that are a joy to deliver. That’s why we’re excited to announce the first virtual <a href="https://hashnode.com/hackathons/1password">1Password Hackathon</a> hosted by Hashnode.</p> <p>Taking place June 1st through June 30th, participants will compete for a chance to win $10,000 in cash prizes by building with <a href="https://1password.com/developers">1Password Developer Tools</a> and <a href="https://passage.1password.com/">Passage by 1Password</a>.</p> <p>As much fun as in-person hackathons are, we’re also big fans of virtual ones that are global in scope and inclusive of all skill levels. 
If you&rsquo;re a developer looking to sharpen your skills, network with like-minded individuals, and craft something extraordinary, the Hashnode Hackathon should be on your list. There are 10,000 reasons why – and utilizing 1Password Developer Tools and Passage can make your experience even better.</p> <h2 id="your-mission--and-the-tools-in-your-toolbelt">Your mission – and the tools in your toolbelt</h2> <p>1Password Developer Tools brings the speed and security of biometrics to your dev workflows. Passage unlocks passwordless sign-in – powered by passkeys – for your users. <strong>Hackathon participants will receive two free months of 1Password and 1Password Developer Tools, including Shell Plugins and 1Password CLI for new customers.</strong> For Passage, the free tier will suffice for hackathon purposes.</p> <p>Let’s talk details. For the hackathon event, we’re challenging you to build with or on top of these tools:</p> <ul> <li><a href="https://docs.passage.id/getting-started/quickstart">Passage by 1Password</a>: The easiest way to implement passkey authentication in your app or website.</li> <li><a href="https://developer.1password.com/docs/cli/shell-plugins">1Password Shell Plugins</a>: Eliminate API access keys stored on disc and securely authenticate any CLI with your fingerprint, Apple Watch, or other biometrics.</li> <li><a href="https://developer.1password.com/docs/cli">1Password CLI</a>: Automate administrative tasks, securely provision secrets across development environments, and use biometrics to authenticate in the terminal.</li> </ul> <h2 id="what-are-1password-developer-tools">What are 1Password Developer Tools?</h2> <p>1Password is a password management platform used extensively in the developer community, in part because of features designed specifically for developers.</p> <p>With 1Password Developer Tools, you can securely store passwords, API keys, and other secrets, then access them in your code or easily share with your team members. 
This not only makes your project more secure but also simplifies collaboration.</p> <h2 id="what-is-passage-by-1password">What is Passage by 1Password?</h2> <p>Passage allows you to implement seamless passwordless authentication in your app or website with just a few lines of code. Eliminate passwords for good with Passkey Complete, a standalone solution that defaults to passkeys with fallbacks to other passwordless methods. Or use Passkey Flex to add support for passkeys alongside your existing password-based auth flow. Passage takes care of authentication so you can focus on the core logic of your hackathon project.</p> <p>During the June Hackathon, we invite you to show off your skills and submit a project that expands Passage by integrating it with other platforms, like <a href="https://supabase.com/docs/guides/integrations/passage">Supabase</a>. Or, you could build one that shows a creative way <a href="https://docs.passage.id/getting-started/quickstart">Passage</a> can be used to streamline sign-in for your application or service.</p> <p>Want to really impress the judges? Make your project multi-platform and show how Passage works across systems and devices.</p> <h2 id="examples-from-the-community">Examples from the community</h2> <p>1Password wouldn’t be 1Password without the developer community. 
In fact, more than half of our published Shell Plugins have been written by the community!</p> <img src='https://blog.1password.com/posts/2023/2023-1password-hashnode-hackathon/1password_vscode.gif' alt='Stripe API key being saved in 1Password directly from VS Code with the 1Password VS Code extension' title='Stripe API key being saved in 1Password directly from VS Code with the 1Password VS Code extension' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>We’ve seen some amazing projects and integrations built on the 1Password CLI, including the <a href="https://developer.1password.com/docs/vscode/">VS Code integration</a> and a community-written <a href="https://blog.1password.com/1password-jetbrains/">JetBrains integration</a>. And we can’t wait to see what Hackathon participants build to extend Passage to new frameworks and platforms. If you’re looking for inspiration, we’d love to see more integrations like the newly published <a href="https://supabase.com/docs/guides/integrations/passage">Supabase package</a>.</p> <p>And for even more projects contributed by the community, see the <a href="https://developer.1password.com/community">1Password Community Showcase</a>.</p> <p>To get started, <a href="https://hashnode.com/hackathons/1password">register to participate with Hashnode</a>. You’ll receive an email containing a coupon code and instructions to redeem your two free months of 1Password for new customers.</p> <h2 id="get-support-from-the-1password-community">Get support from the 1Password community</h2> <p>Need some guidance to help you get started – or to stay on track? We’re here to help.</p> <ul> <li>Chat with other devs in <a href="https://join.slack.com/t/1password-devs/shared_invite/zt-1halo11ps-6o9pEv96xZ3LtX_VE0fJQA">our Developer Slack</a> community and on the <a href="https://discord.com/invite/hashnode">Hashnode Discord</a>.</li> <li>Set up a pair programming session with our engineers. 
To request a session, see the instructions in the Discord channel.</li> <li>We’ll have two live events in June including the <a href="https://www.youtube.com/watch?v=CJlI0BEt384">Hashnode Workshop</a> with demos and Q&amp;A on June 7th and a <a href="https://1password.zoom.us/meeting/register/tJwkfuyhrD4pGdCs_NCEPWvWmAIzmUlFJEat">Community Office Hour on June 23rd</a>.</li> </ul> <h2 id="good-luck-to-all-participants">Good luck to all participants!</h2> <p>This hackathon is an exciting community project and we look forward to meeting and learning from you! We’ll be watching all the action on Discord, our Developer Slack, and GitHub. Please be sure to use #Buildwith1Password so we can help spread the word and profile your work!</p> <p>Let’s get hacking!</p> <p><em>Please note, this hackathon is a Hashnode contest and terms and conditions apply. You can find all applicable details on <a href="https://hashnode.com/hackathons/1password">the contest website</a>.</em></p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">The 1Password Hackathon hosted by Hashnode</h3> <p class="c-call-to-action-box__text"> Build with 1Password Developer Tools and Passage by 1Password – and compete for $10,000 in prizes. </p> <a href="https://hashnode.com/hackathons/1password" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Register now </a> </div> </section></description></item><item><title>Passkeys vs. 
magic links: What are the differences?</title><link>https://blog.1password.com/passkeys-vs-magic-links-differences/</link><pubDate>Tue, 30 May 2023 00:00:00 +0000</pubDate><author>info@1password.com (Nick Summers)</author><guid>https://blog.1password.com/passkeys-vs-magic-links-differences/</guid><description> <img src='https://blog.1password.com/posts/2023/passkeys-vs-magic-links-differences/header.png' class='webfeedsFeaturedVisual' alt='Passkeys vs. magic links: What are the differences?' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">The term ‘passwordless’ is easy to wrap your head around (no passwords!) but is often used as an umbrella term that includes <a href="https://blog.1password.com/what-are-passkeys/">passkeys</a> and magic links sent via email or text message.</p> <p>That often leads to the question: &ldquo;Are passkeys and magic links the same?&rdquo;</p> <p>The short answer is no. While they both serve as a replacement for passwords, the experience of using them, and how they work behind the scenes, is quite different.</p> <p>Here, we&rsquo;re going to explain what passkeys and magic links are, how they differ, and why more developers are working to include both options on their websites and apps.</p> <h2 id="what-are-passkeys">What are passkeys?</h2> <p>Passkeys allow you to create online accounts and sign in to them without entering a password, copying a one-time code, or clicking on a special link sent to your inbox.</p> <p>Instead, you just:</p> <ul> <li>Confirm your authenticator (in the context of passkeys, this could be your phone, tablet, or PC.)</li> <li>Authenticate with biometrics or your device password when prompted.</li> </ul> <p>Behind the scenes, passkeys use public and private keys, otherwise known as <a href="https://blog.1password.com/what-is-public-key-cryptography/">public-key cryptography</a>. 
The two keys act like interlocking puzzle pieces – they&rsquo;re mathematically linked to one another, and you need <em>both</em> to successfully authenticate and sign in.</p> <div style="text-align: center !important;"> <iframe src="https://www.youtube-nocookie.com/embed/DELDP_wbuE4?si=VQ4KiFVKIJwHFGBY" frameborder="0" allow="autoplay; encrypted-media" width="500px !important;" height="281px !important;" style="width: 500px !important; height: 281px !important; display: inline-block !important" allowfullscreen></iframe> </div> <p>When you create an account using a passkey, the public key is stored by the website or app, while the private key is kept on your device, and never shared with anyone.</p> <p>The next time you sign in, you&rsquo;ll be asked to authenticate — prove you are you — with biometrics or your device password. In the background, your device will &ldquo;sign&rdquo; a “challenge” using your private key, which is then verified by the app or website using your public key. This all happens in an instant. From your perspective, you simply authenticate and immediately have access to your account.</p> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div class="c-technical-aside-box__description"> <p>1Password <a href="https://www.future.1password.com/passkeys/">will allow you to sync your passkeys between devices</a>, so you can always sign in to your accounts quickly and securely.</p> </div> </aside> <p>If an attacker breached the website or app&rsquo;s servers, the best they could hope to find is your public key, which is useless without your private key. An attacker would need to physically steal your device and unlock it to have any hope of accessing your passkeys.</p> <h2 id="what-are-magic-links">What are magic links?</h2> <p>Magic links work a little differently.</p> <p>When you sign in this way, you&rsquo;re not asked to authenticate with biometrics or your device password. 
Instead, you&rsquo;re sent an email or text message that contains a unique, one-time link. Open the email or text message, click the link, and you’ll immediately be logged in – no further authentication required.</p> <p>Here&rsquo;s how magic links work under the hood. When you create a new account, the website or app will ask for an email address or phone number, which is then stored on its server.</p> <p><strong>The system doesn&rsquo;t generate a public and private key pair, which is <a href="https://blog.1password.com/passkeys-vs-passwords-differences/">what makes passkeys so secure and resistant to phishing attacks</a>.</strong></p> <p>Magic links are also different from passwords because you don&rsquo;t have to create or memorize anything.</p> <p>The next time you want to sign in:</p> <ul> <li>You enter your email address or phone number.</li> <li>The app or website checks that your email address or phone number is a valid user account.</li> <li>The app or website generates a unique, one-time token. You can think of this like a private theater ticket that&rsquo;s yet to be hole-punched by the person on the door.</li> <li>The server sends a message containing a magic link to your email address or phone number.</li> <li>You find the email or text message and open the magic link.</li> <li>The app or website verifies that the token you&rsquo;re using matches the one generated by its server.</li> <li>You&rsquo;re allowed to sign in, and the token becomes invalid. (Your ticket has now been hole-punched, and can&rsquo;t be used by someone else to enter the theater.)</li> </ul> <p>Voila! You now have access to your account.</p> <h2 id="passkeys-vs-magic-links">Passkeys vs. magic links</h2> <p>Here are some of the key differences between passkeys and magic links:</p> <p><strong>You don&rsquo;t need to open your email or SMS inbox to use a passkey.</strong> That&rsquo;s because the private key is stored on your device. 
When you want to sign in, the service issues a “challenge” that your device signs with your private key. This exchange is handled in the background using a secure API called <a href="https://blog.1password.com/what-is-webauthn/">WebAuthn</a> – it doesn&rsquo;t rely on any emails or text messages.</p> <p>By contrast, <strong>magic links require you to switch devices, apps, or browser tabs momentarily</strong>. Imagine you&rsquo;re signing in to a new social network on your PC. The magic link will be sent via SMS or email, forcing you to grab your phone, or switch to the browser tab or app that contains your emails.</p> <p><strong>Passkeys are secure by design.</strong> There&rsquo;s no such thing as a weak passkey. And an attacker can&rsquo;t steal or exploit your passkeys unless they have physical access to your device – <em>and</em> a way to unlock it.</p> <p>By contrast, <strong>magic links <em>can</em> be insecure.</strong></p> <p>First, let&rsquo;s take magic links sent via email. A strong and unique password will protect your email account against dictionary attacks and credential stuffing. But if you choose a weak password, it&rsquo;s possible for an attacker to figure it out and sign in to your email account. That would then give them access to magic links sent to that email address.</p> <p>Magic links sent via SMS, meanwhile, are vulnerable to SIM swap attacks. Hackers will call their target’s mobile service provider and recount a fake but believable story like: “I lost my phone and need help transferring my number to a new SIM card.” The hacker then has access to the target’s number and, by extension, any text messages that come through.</p> <p>Passkeys aren&rsquo;t susceptible to this technique because the private key is tied to the device itself, and not your SIM card or phone number.</p> <p><strong>Passkeys don&rsquo;t expire.</strong> Each account-specific passkey doesn&rsquo;t change unless you decide to generate a new one.
That means your device will use the same private key for verification every time you sign in to that particular site or app.</p> <p>By contrast, <strong>magic links are temporary, and can&rsquo;t be used more than once.</strong> If you&rsquo;ve signed in with a magic link, you can&rsquo;t use the same email or text message to sign in again. The token tied to each magic link also has a predefined expiration period. If you wait too long, the link won&rsquo;t work anymore, and you&rsquo;ll need to request a new one.</p> <p><strong>Passkeys work by storing a &lsquo;secret&rsquo; indefinitely on the app or website&rsquo;s server.</strong> However, only the public key is stored in this way – and it’s useless without the private key, which is stored securely on your device.</p> <p>By contrast, <strong>magic links aren’t stored on a server for a long period of time.</strong> A new token is generated for every new login attempt, and then discarded once you&rsquo;ve signed in, or after a predetermined expiration period.</p> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div class="c-technical-aside-box__description"> <p>Read <a href="https://blog.1password.com/what-are-passkeys/">our passkeys FAQs blog post</a> to learn more about this new type of login credential. It answers common questions including &lsquo;where are passkeys stored?&rsquo; and &lsquo;will passkeys replace passwords?&rsquo;.</p> </div> </aside> <h2 id="passkeys-and-magic-links-in-tandem">Passkeys and magic links in tandem</h2> <p>It might sound counterintuitive, but passkeys and magic links can be offered in parallel to ensure you always have access to your favorite online accounts.</p> <p>For example, imagine you create an account by generating a passkey on your phone. 
In this scenario, you don&rsquo;t have a traditional username and password for this account.</p> <p>What happens if you need to sign in to your account on your PC, but don&rsquo;t have access to your phone, and aren&rsquo;t using a solution that lets you sync your passkeys?</p> <p>It&rsquo;s an edge case, but one that website and app developers need to be ready for. If you find yourself in this situation, you&rsquo;ll likely have the option to use a magic link instead. That way, you can continue to log in to your account until you have access to your passkeys again.</p> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div class="c-technical-aside-box__description"> <p><a href="https://www.future.1password.com/passkeys/">Passkey support is coming to 1Password</a>! This will let you create passkeys and access them securely across all of your devices, and any major web browser.</p> </div> </aside> <h2 id="the-future-is-passkeys">The future is passkeys</h2> <p>Passkeys and magic links both have their uses. But here at 1Password, we&rsquo;re most excited about passkeys and their ability to be a modern alternative to passwords.</p> <p>Passkeys offer a better balance of security and convenience than magic links. 
Passkeys are also easier to use than passwords, harder to steal or crack, and built on WebAuthn, a standard designed to make logging in faster and more secure.</p> <p>We think passkeys are the future of authentication.</p> <p>If you want to learn more about passkeys and how they&rsquo;ll be supported in 1Password, check out <a href="https://www.future.1password.com/passkeys/">our passkeys microsite</a>, listen to our passwordless special on the <a href="https://randombutmemorable.simplecast.com/episodes/the-passwordless-special">Random but Memorable podcast</a>, and subscribe to our <a href="https://1password.com/passwordless-news/">new passwordless newsletter</a>.</p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Subscribe to our passwordless newsletter</h3> <p class="c-call-to-action-box__text"> Get our latest passkey updates delivered right to your inbox, as well as guides, interviews, and other interesting articles about the next generation of sign-in technology. 
</p> <a href="https://1password.com/passwordless-news/" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Subscribe to Beyond Passwords </a> </div> </section></description></item><item><title>Introducing Passage by 1Password – the simple way to add passkey support to your app or website</title><link>https://blog.1password.com/passage-by-1password/</link><pubDate>Thu, 18 May 2023 00:00:00 +0000</pubDate><author>info@1password.com (Jeff Shiner)</author><guid>https://blog.1password.com/passage-by-1password/</guid><description> <img src='https://blog.1password.com/posts/2023/passage-by-1password/header.png' class='webfeedsFeaturedVisual' alt='Introducing Passage by 1Password – the simple way to add passkey support to your app or website' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Toward the end of last year, <a href="https://blog.1password.com/1password-acquires-passage/">Passage joined 1Password</a> to bring passwordless authentication to everyone. Now, we’re ready to introduce you to Passage by 1Password: the fastest and most secure way for developers and businesses to add passkey support to their products.</p> <p>According to a FIDO Alliance survey, <a href="https://fidoalliance.org/new-research-reveals-consumer-frustrations-with-online-retail/">58% of consumers in the U.S. have abandoned purchases due to the difficulty of managing passwords</a>. Creating a secure, frictionless sign-in experience will benefit both your customers and your business – they get a smoother login process, and you get happy customers less likely to abandon their purchases.</p> <p><a href="https://security.googleblog.com/2023/05/making-authentication-faster-than-ever.html?m=1">Recent research from Google</a> shows that users are four times more successful logging in when they authenticate through passkeys rather than passwords. 
This means businesses that implement passkey support could gain a competitive advantage by making it easier for customers to log in.</p> <p>The problem? Adding a passwordless login experience to your website or app can be complicated.</p> <p>That’s where Passage comes in.</p> <h2 id="passage-by-1password">Passage by 1Password</h2> <p><a href="https://www.future.1password.com/passkeys/">The future of passwordless authentication is passkeys</a>. Passkeys are tied to your device&rsquo;s existing security and provide a simple and secure way to log in to all your accounts. They’re more secure than traditional passwords, and reduce the risk of phishing attacks.</p> <div style="text-align: center !important;"> <iframe src="https://www.youtube-nocookie.com/embed/soEmaWo7EYo" frameborder="0" allow="autoplay; encrypted-media" width="500px !important;" height="281px !important;" style="width: 500px !important; height: 281px !important; display: inline-block !important" allowfullscreen></iframe> </div> <p>Using passkeys, your customers will simply authenticate on their trusted device with biometrics – like Touch ID or Windows Hello. And that&rsquo;s it! They&rsquo;re immediately signed in to their account.</p> <p>Implementing passkeys can be challenging as there are complexities surrounding cross-platform compatibility, account recovery, and ongoing maintenance. Passage by 1Password makes it simple for you to add passwordless authentication methods to your websites and apps with just two lines of code.</p> <p>We currently offer two solutions – Passkey Complete and Passkey Flex – that will give your customers the smooth sign-in process they deserve.
This will increase engagement and conversions without putting a strain on your developers’ most precious resource: time.</p> <h2 id="passkey-complete">Passkey Complete</h2> <p><a href="https://passage.1password.com/product/passkey-complete">Passkey Complete</a> lets you ditch traditional passwords and enjoy the full business and security benefits of passkeys without your own authentication infrastructure. It’s a ready-to-use solution that completely replaces your existing login flow. If you&rsquo;re building a website or app from scratch, or are ready to make your product fully passwordless, it&rsquo;s the perfect solution for you.</p> <p>With Passkey Complete, you can offer your customers a more secure form of authentication and the best user experience available by completely eliminating passwords.</p> <img src='https://blog.1password.com/posts/2023/passage-by-1password/passkeycomplete.png' alt='A screenshot of a property website with a Passkey Complete login window.' title='A screenshot of a property website with a Passkey Complete login window.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>Passkey Complete defaults to passkey logins, but also provides graceful fallbacks to other passwordless methods. This ensures compatibility across systems and devices, as well as effortless account recovery. Passkey Complete can also serve as an identity provider (IdP) by storing user and authentication data.</p> <p>Passkey Complete is available in public beta and you can implement it into your product today or utilize our <a href="https://docs.passage.id/helpful-guides/supabase-integration-guide">integration with Supabase</a> for apps you’re building on that platform.</p> <h2 id="passkey-flex">Passkey Flex</h2> <p>We’re also excited to announce <a href="https://passage.1password.com/product/passkey-flex">Passkey Flex</a>.</p> <p>Not quite ready to go all-in on passkeys? 
Passkey Flex lets you offer a simple passkey login experience alongside traditional passwords and other authentication methods.</p> <img src='https://blog.1password.com/posts/2023/passage-by-1password/passkeycomplete.png' alt='A screenshot of a property website with a Passkey Flex login window.' title='A screenshot of a property website with a Passkey Flex login window.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>Quickly adopt passkeys as an option, giving your business time to validate this new authentication type across your user experiences and systems.</p> <p>Our solution allows you to build towards the future while continuing to support your customers with the traditional methods they know. You’ll lead the transition towards a better, more secure login experience so you are well positioned as consumer passkey adoption accelerates.</p> <p><a href="https://passage.1password.com/product/passkey-flex">Get started with Passkey Flex</a>, now in public beta.</p> <p>Passage by 1Password takes the stress out of supporting passkeys. Whether you want to completely replace your current identity platform with Passkey Complete, or provide an option alongside your existing infrastructure with Passkey Flex – we’re here to support you in bringing smooth logins to your customers.</p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Add passkey support with Passage by 1Password</h3> <p class="c-call-to-action-box__text"> Give your customers the frictionless login experience they deserve. Add passkey support to your website or app with Passage by 1Password. 
</p> <a href="http://passage.1password.com" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Get started with Passage </a> </div> </section></description></item><item><title>AI can crack your passwords (and other very old news)</title><link>https://blog.1password.com/ai-cracking-passwords/</link><pubDate>Tue, 16 May 2023 00:00:00 +0000</pubDate><author>info@1password.com (Megan Barker)</author><guid>https://blog.1password.com/ai-cracking-passwords/</guid><description> <img src='https://blog.1password.com/posts/2023/ai-password-cracking/header.png' class='webfeedsFeaturedVisual' alt='AI can crack your passwords (and other very old news)' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Artificial intelligence (AI) made a larger-than-usual splash recently when word broke of an AI-powered password cracker. I have a bit of AI fatigue, but these stories immediately grabbed my attention — they had me at “passwords.”</p> <p>If you saw the same headlines and plan to run for the off-the-grid hills — wait. Many of the articles fail to tell the <em>whole</em> truth.</p> <p>AI absolutely can be used to crack a password. And, no, you shouldn’t worry about it.</p> <p>I’ll explore the whole truth (and nothing but the truth), and reveal what needs to happen before AI password cracking can truly become <em>new</em> news.</p> <h2 id="old-news-happening-to-new-people">Old news happening to new people</h2> <p>The password cracker mentioned in the recent spate of articles was <a href="https://arxiv.org/abs/1709.00440">introduced</a> nearly six years ago in September 2017. 
But the headlines at the time were dominated by other news so the deep-learning technology didn’t earn much attention.</p> <p>I’ll summarize the research to save you a deep dive into an academic paper: The tool was marginally successful but never came close to the accuracy of a skilled human hacker.</p> <p>If you think that’s perhaps a slightly biased view, I’ll provide some context. The researchers used part of an infamous common password list to train the AI-based tool, then tested it on an entirely different set of password hashes (from the <a href="https://krebsonsecurity.com/2016/05/as-scope-of-2012-breach-expands-linkedin-to-again-reset-passwords-for-some-users/">2012 LinkedIn breach</a>, specifically).</p> <blockquote> <p><strong>These AI tools are just that: tools.</strong></p> </blockquote> <p>When tested on new data, the password cracking tool had a 24.2% success rate. That figure rose to 34.2% when researchers removed passwords that overlapped both the training and testing datasets.</p> <p><a href="https://www.vice.com/en/article/78kk4z/another-day-another-hack-117-million-linkedin-emails-and-password">Human hackers</a> cracked roughly 90% of the same LinkedIn dataset using traditional methods in just 72 hours.</p> <p>These AI tools are just that: tools. They augment utilities already used by human attackers — they’re not the groundbreaking development some media have made them seem.</p> <h2 id="good-news-is-not-news">Good news is not news</h2> <p>There’s more good news: AI needs to evolve, arguably substantially, before it will represent a legitimately measurable threat to your passwords.</p> <p>Along with cracked password datasets, AI technologies can be trained with rules. As it cracks passwords with the rules, the technology learns which are more likely to be successful and applies those rules earlier than others. But rule data is limited by the knowledge and ability of human trainers. 
And while its data is limited, AI capability will be limited.</p> <p>Now, imagine AI gained access to the type of information held by data brokers and was trained on every piece of data available. That’s something human hackers do already by studying social media profiles and the like, to learn what might influence a person’s passwords.</p> <p>AI could do it at scale.</p> <p>That may sound scary, but it would still present a fairly finite threat (as technology stands now). Along with all available information about an individual, the AI would need knowledge of its target’s method of password creation.</p> <blockquote> <p><strong>While its data is limited, AI capability will be limited.</strong></p> </blockquote> <p>On that note, I decided to put ChatGPT to the test — primarily for reassurance. That particular AI technology failed pretty comprehensively. The bot provided a number of suggestions that could improve password security but the responses lacked any mention of my password-creation scheme. In fact, when asked pointedly, it returned the response:</p> <p><em>As an AI language model, I don’t have any way of knowing what passwords you create for your accounts or anyone else’s for that matter.</em></p> <p>It also recommended I rotate my passwords every few months, which is <em>so</em> 90s, but I digress.</p> <p>ChatGPT’s responses to my questions only solidified that it’s far from where it needs to be to pose a risk. But <em>I’d</em> fail comprehensively if I neglected to address password security at a time when everything about you <em>is</em> freely accessible.</p> <h2 id="no-news-is-good-news">No news is good news</h2> <p>I won’t break new ground here, either: You need random, uniformly generated passwords<sup id="fnref:1"><a href="#fn:1" class="footnote-ref" role="doc-noteref">1</a></sup>. 
(There’s an <a href="https://1password.com/">app</a> for <a href="https://blog.1password.com/a-smarter-password-generator/">that</a>!)</p> <p>When AI is trained on a subset of data and asked to decipher the remainder of the set, it’s “competitively” successful. But when given new data, the technology must attempt every single possible combination because it lacks any source of previous (applicable) knowledge.</p> <p>AI is helpful only when it can first determine <em>how</em> you choose passwords and, as a result, which passwords are more probable. If all your passwords are created in a truly random manner, each password is just as likely to occur as any other. Even AI will be stumped if tasked with cracking the passwords of an individual without a discernible password-creation pattern.</p> <blockquote> <p><strong>There’s much more advancement in store.</strong></p> </blockquote> <p>Yes, this sort of technology can be trained and learn over time, but if each and every password it encounters is unique and entirely random, the rules learned from cracking one password won’t apply to the next.</p> <p>AI has undoubtedly evolved since the 2017 research paper that spurred this article, and it’s almost definitely safe to say we’ve only scratched the surface; that there’s much more advancement in store. But at this moment, the technology depends on the ever-unpredictable human element.</p> <p>And its limitations.</p> <section class="footnotes" role="doc-endnotes"> <hr> <ol> <li id="fn:1" role="doc-endnote"> <p>This assumes the prevalence of passwords. As we’ve written in the past, it will take time for passwordless authentication (like passkeys) to become the default for every single website, app, and server. 
Passwords are a reality and will be for a good while.&#160;<a href="#fnref:1" class="footnote-backref" role="doc-backlink">&#x21a9;&#xfe0e;</a></p> </li> </ol> </section></description></item><item><title>Advice for my younger self: Celebrating AAPI Heritage Month at 1Password</title><link>https://blog.1password.com/aapi-heritage-month-2023/</link><pubDate>Thu, 11 May 2023 00:00:00 +0000</pubDate><author>info@1password.com (Liz Tam)</author><guid>https://blog.1password.com/aapi-heritage-month-2023/</guid><description> <img src='https://blog.1password.com/posts/2023/aapi-heritage-month-2023/header.png' class='webfeedsFeaturedVisual' alt='Advice for my younger self: Celebrating AAPI Heritage Month at 1Password' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">May is a particularly special time for the AAPI (Asian American and Pacific Islander) community. The annual celebration of AAPI Heritage Month is a time to honour the histories, cultures, and contributions of AAPI people, as well as draw attention to some of the challenges that the community faces today.</p> <p>It&rsquo;s important to recognize that within the AAPI community, there is no one-size-fits-all experience. Each group within the community has its own unique history and culture. Here at 1Password, we’re honouring these multifaceted stories by embracing the unifying theme of “The Immigrant Experience”. Our goal is to amplify the voices and lived experiences of immigrants and children of immigrant parents. It’s a reflection of the conversations being had within our virtual walls, and beyond.</p> <p>With this in mind, we asked members of our AAPI community for some pieces of advice they would give to their younger selves. 
Here’s what they shared…</p> <h2 id="dave-chen-senior-director-research--insights">Dave Chen, Senior Director, Research &amp; Insights</h2> <p><strong>Always have an opinion but be open-minded to changing it.</strong> A common mistake in workplaces is that people don&rsquo;t come to the table with an opinion or point of view.</p> <p>I&rsquo;ve found this to be especially true for more junior members and people who are just starting out in their careers, usually because they worry about being wrong or being embarrassed in public forums. You’ll be surprised to learn, though, that often you are the subject matter expert in the room – especially if you work in a more specialized role. People want to hear from you and value your input.</p> <p>But keep an open mind - if people give you feedback on your point of view, be open to adapting and iterating on it! Don&rsquo;t be discouraged when you get feedback on your opinion; use it to learn and improve! Over time you&rsquo;ll find people will want to hear from you more and respect you more at the workplace.</p> <h2 id="mica-molder-developer">Mica Molder, Developer</h2> <p>Not everyone can relate to some of the most significant or even basic things in your life. We all experience things differently. <strong>You’ll figure out what’s most important to you, and it’s okay to trust your gut because you know yourself best.</strong></p> <h2 id="jordan-rickards-senior-it-ops-analyst">Jordan Rickards, Senior IT Ops Analyst</h2> <p>Growing up in Hawaii as a white-passing Native Hawaiian is going to be hard. You’re white and privileged, but will face unique adversity and have a hard time fitting in and finding your place. Remember to embrace your heritage and ethnicity, even though people around you will call you a Haole.
<strong>Be involved and learn your culture so you can share it with the people around you.</strong> Oh, and don’t sell your Apple stock.</p> <h2 id="sanjana-desai-senior-developer">Sanjana Desai, Senior Developer</h2> <p>Growing up, I always felt as if I was neither here nor there - no matter what language I was speaking, or what I was wearing, I never felt like I quite fit in with the culture of the community around me.</p> <p>I was born and raised in Canada after my parents immigrated from India, so I had two first languages, two names, and essentially two identities. When surrounded by the Indian immigrant community, I would try my best to look and act the part, as if I too shared memories of our homeland even though it had never actually been home. Despite all of this, I would still face criticism for “not being Indian enough”. Meanwhile at school, I would get questions about my parents’ accents, my unfamiliar lunch foods, and why no one else in our class looked like I did.</p> <p>For a long time, I was in denial of my culture and would skirt the question whenever it would arise. In recent years, my perspective has shifted to be more holistic - I have the unique experience of learning from two environments and two sets of values and norms. 
I’m empowered with the ability to forge my own culture and path based on my exposure to two vastly different ones.</p> <p><strong>Looking back at my younger self, I’d tell her not to worry so much about the opinions others have on my representation.</strong> Being able to feel familiar with two very different parts of the world has fundamentally broadened my worldview, and has allowed me to shape my own culture based on the values and learnings from each.</p> <h2 id="celebrating-aapi-heritage-month">Celebrating AAPI Heritage Month</h2> <p>We look forward to amplifying AAPI voices at 1Password throughout May and beyond, as well as coming together to learn from the influential AAPI voices outside our walls.</p></description></item><item><title>1Password Developer Tools joins the GitHub Student Developer Pack</title><link>https://blog.1password.com/github-student-developer-pack/</link><pubDate>Tue, 09 May 2023 00:00:00 +0000</pubDate><author>info@1password.com (Jason Harris)</author><guid>https://blog.1password.com/github-student-developer-pack/</guid><description> <img src='https://blog.1password.com/posts/2023/github-student-developer-pack/header.png' class='webfeedsFeaturedVisual' alt='1Password Developer Tools joins the GitHub Student Developer Pack' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Students can now get a free year of 1Password with the GitHub Student Developer Pack to jump-start their careers in software development.</p> <p>Once upon a time, I was a computer science student who depended on getting access to academic versions of software development tools for my courses. When Microsoft released Visual Studio Academic, I was excited that I could finally advance my skills without paying thousands of dollars for the suite.</p> <p>Today, things are a bit different. Code development, testing, and deployment require a host of cloud-based tools and platforms such as Amazon AWS, Azure, and others. 
If you’re learning software development, costs can rack up quickly as you pay for dozens of subscriptions and credits. That’s why we’re excited to partner with GitHub, to help students jump-start their adventure in software development.</p> <h2 id="1password-in-the-github-student-developer-pack">1Password in the GitHub Student Developer Pack</h2> <div style="text-align: center !important;"> <iframe src="https://www.youtube-nocookie.com/embed/tb1Y7R-4tSk" frameborder="0" allow="autoplay; encrypted-media" width="500px !important;" height="281px !important;" style="width: 500px !important; height: 281px !important; display: inline-block !important" allowfullscreen></iframe> </div> <p>As of today, through our partnership with <a href="https://education.github.com/">GitHub Education</a> and the <a href="https://education.github.com/pack">GitHub Student Developer Pack</a>, all students verified through GitHub Education get access to one free year of 1Password and <a href="https://1password.com/developers">1Password Developer Tools</a>.</p> <p>The GitHub Student Developer Pack gives students access to the real-world tools they need to build and deploy software, without the usual financial burden. We’re honored to be a part of this effort to fuel the next crop of software developers.</p> <p>1Password is essential as you begin your journey <a href="https://blog.1password.com/why-students-1password-university/">at university</a>, making it simple to follow best security practices while navigating online. 
It can generate and autofill strong passwords for all your online accounts, remove the hassle from group projects by making credential sharing fast and simple, and give you an at-a-glance overview of your security health with Watchtower.</p> <p>But for developers, 1Password can do a whole lot more.</p> <h2 id="lets-dive-into-1password-developer-tools">Let’s dive into 1Password Developer Tools</h2> <p>1Password Developer Tools is a suite of capabilities that streamlines and secures your workflows across the entire software development life cycle. That includes:</p> <ul> <li><strong><a href="https://developer.1password.com/docs/ssh/agent/">1Password for SSH and Git</a>.</strong> Generate and securely store SSH keys (Ed25519 by default), and authorize <a href="https://developer.1password.com/docs/ssh/agent">SSH connections</a> with Touch ID, Windows Hello, or Linux system authentication. The 1Password SSH agent performs the signature itself, so the private key never has to be written to disk or exported.</li> <li><strong><a href="https://developer.1password.com/docs/ssh/git-commit-signing">Git commit signing</a>.</strong> Get that ‘verified’ badge on your GitHub commits with built-in support for SSH key-powered <a href="https://developer.1password.com/docs/ssh/git-commit-signing">Git commit signing</a> (Git 2.34 or later accepts SSH signatures).</li> <li><strong><a href="https://developer.1password.com/docs/vscode">1Password for VS Code</a>.</strong> The best defense against secrets leaking from your code is not adding them to your code in the first place. Secret references do just that, replacing literal secrets in configuration files with <code>op://</code> references to their location in 1Password, which are resolved at run time.
<a href="https://developer.1password.com/docs/vscode">1Password for VS Code</a> brings that functionality to your favorite editor.</li> <li><strong><a href="https://developer.1password.com/docs/cli">1Password CLI</a>.</strong> 1Password CLI allows you to automate administrative tasks, securely provision secrets across development environments, and use biometrics to authenticate in the terminal.</li> <li><strong><a href="https://developer.1password.com/docs/service-accounts/">Service accounts</a>.</strong> Built for teams, service accounts offer a secure way to automate infrastructure secrets in development and deployment workflows. Service accounts work with the CLI to allow programmatic access to 1Password, support custom access scopes, and are not tied to an individual user.</li> <li><strong><a href="https://developer.1password.com/docs/cli/shell-plugins/">Shell Plugins</a>.</strong> Easily configure 1Password to securely authenticate third-party CLIs with your fingerprint, Apple Watch, or system authentication. 
14 of the current shell plugins were built by the developer community via <a href="https://github.com/1Password/shell-plugins/blob/main/CONTRIBUTING.md">the open source project</a>… and you can write your own in about ten minutes.</li> <li><strong>Use <a href="https://developer.1password.com/docs/ci-cd">CI/CD integrations</a></strong> to securely access secrets stored in 1Password inside your tool’s configuration.</li> </ul> <div style="text-align: center !important;"> <iframe src="https://www.youtube-nocookie.com/embed/XKA2uE0M3IU" frameborder="0" allow="autoplay; encrypted-media" width="500px !important;" height="281px !important;" style="width: 500px !important; height: 281px !important; display: inline-block !important" allowfullscreen></iframe> </div> <h2 id="access-1password-through-the-github-student-developer-pack">Access 1Password through the GitHub Student Developer Pack</h2> <p>To get started with 1Password Developer Tools, sign up for GitHub Education student benefits for access to the Student Developer Pack, which is available to all students aged 13 and above who are enrolled in a degree or diploma-granting course of study.</p> <p>Once you have access to the pack, you can claim your free 1Password Developer Tools subscription, which includes a 1Password individual membership for one year.</p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Claim one free year of 1Password</h3> <p class="c-call-to-action-box__text"> Sign in with GitHub to verify your student status and claim one free year of 1Password. 
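As an added example of what the secret references in the Developer Tools list above do (this is illustrative code, not 1Password’s own and not part of the original post): the script below parses `op://vault/item/[section/]field` references out of a constructed `.env` template, resolves them against a constructed in-memory vault that stands in for the 1Password service so it runs offline, and lints the template so a pre-commit hook can reject any secret-looking variable that holds a literal value instead of a reference. The vault contents, item names, and the `SECRET_NAME` heuristic are assumptions made for the demo; in real use `op run --env-file` or `op inject` performs the resolution.

```python
"""Resolve and lint 1Password-style secret references in a .env template.

Added example, not 1Password's code. The reference grammar follows the
1Password CLI docs: op://<vault>/<item>/[<section>/]<field>. Query
suffixes such as ?attribute=otp exist in the CLI but are not handled here.
"""
import re
from typing import Dict, List, Optional, Tuple

# (vault, item, section-or-None, field)
Reference = Tuple[str, str, Optional[str], str]

# Constructed sample vault standing in for the 1Password service so the demo
# runs offline. In practice `op run` / `op inject` do this lookup for you.
SAMPLE_VAULT: Dict[Reference, str] = {
    ("Development", "Postgres", None, "username"): "app_user",
    ("Development", "Postgres", "credentials", "password"): "correct horse battery staple",
    ("Development", "Acme API", None, "token"): "acme_live_0123456789",
}

# Constructed .env template. It holds only references, so it is safe to commit:
# the file discloses where each secret lives, never the secret itself.
SAMPLE_ENV = """\
# database
DB_USER=op://Development/Postgres/username
DB_PASSWORD=op://Development/Postgres/credentials/password
ACME_TOKEN=op://Development/Acme API/token
LOG_LEVEL=info
"""

# Assumed heuristic for variable names that normally carry a secret.
SECRET_NAME = re.compile(r"(PASSWORD|PASSWD|SECRET|TOKEN|API_KEY|PRIVATE_KEY)", re.I)


def parse_reference(value: str) -> Optional[Reference]:
    """Return (vault, item, section, field) for an op:// reference, else None.

    Item names may contain spaces, so the reference is split on '/' rather
    than matched with a whitespace-free regex. A malformed op:// value is an
    error, not a literal, so it is raised rather than silently passed through.
    """
    if not value.startswith("op://"):
        return None
    parts = value[len("op://"):].split("/")
    if len(parts) == 3:
        vault, item, field = parts
        return (vault, item, None, field)
    if len(parts) == 4:
        vault, item, section, field = parts
        return (vault, item, section, field)
    raise ValueError(f"malformed secret reference: {value!r}")


def parse_env(template: str) -> List[Tuple[str, str]]:
    """Parse KEY=VALUE lines; blank lines and # comments are skipped."""
    pairs: List[Tuple[str, str]] = []
    for raw in template.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"expected KEY=VALUE, got {raw!r}")
        pairs.append((key.strip(), value.strip()))
    return pairs


def resolve_env(template: str, vault: Dict[Reference, str]) -> Dict[str, str]:
    """Replace every op:// reference with its secret, in memory, like `op run`."""
    env: Dict[str, str] = {}
    for key, value in parse_env(template):
        ref = parse_reference(value)
        if ref is None:
            env[key] = value          # plain setting, passed through unchanged
            continue
        if ref not in vault:
            raise KeyError(f"{key}: unresolved reference {value}")
        env[key] = vault[ref]
    return env


def find_literal_secrets(template: str) -> List[str]:
    """Lint for a pre-commit hook: secret-looking keys whose value is not a reference."""
    offenders: List[str] = []
    for key, value in parse_env(template):
        if SECRET_NAME.search(key) and value and parse_reference(value) is None:
            offenders.append(key)
    return offenders


if __name__ == "__main__":
    print("literal secrets in clean template:", find_literal_secrets(SAMPLE_ENV))
    leaked = SAMPLE_ENV + "SMTP_PASSWORD=hunter2\n"
    print("literal secrets after a bad edit:", find_literal_secrets(leaked))
    resolved = resolve_env(SAMPLE_ENV, SAMPLE_VAULT)
    print("resolved variables:", sorted(resolved))
```

The lint is the practical point: a template that passes `find_literal_secrets` can live in the repository, because anyone who obtains the file still needs access to the vault to turn a reference into a value. Resolution happens only in the process environment at run time, which is the same separation the VS Code extension and `op run` give you.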
</p> <a href="https://1password.com/developers/students/?utm_ref=blog" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Get the details </a> </div> </section></description></item><item><title>Why today is a breakthrough moment for passkeys</title><link>https://blog.1password.com/google-account-passkey-1password/</link><pubDate>Wed, 03 May 2023 00:00:00 +0000</pubDate><author>info@1password.com (Steve Won)</author><guid>https://blog.1password.com/google-account-passkey-1password/</guid><description> <img src='https://blog.1password.com/posts/2023/google-account-passkey-1password/header.png' class='webfeedsFeaturedVisual' alt='Why today is a breakthrough moment for passkeys' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Earlier today, <a href="https://security.googleblog.com/2023/05/so-long-passwords-thanks-for-all-phish.html">Google announced</a> that you can now create and use a <a href="https://blog.1password.com/what-are-passkeys/">passkey</a> to secure your personal Google account. This support is an important step toward the widespread adoption of a simpler, more secure alternative to passwords.</p> <p>You might be wondering: Okay, but what does that have to do with 1Password?</p> <p>We’ve been working hard to bring you the ability to create, store, manage, and use passkeys in 1Password – just like you do with passwords today. 
Beginning in June, this will mean easy access to all your logins across all your devices, no matter what kind of credential is under the hood.</p> <p>Here’s a sneak peek of how passkeys are going to work in 1Password:</p> <div style="text-align: center !important;"> <iframe src="https://www.youtube-nocookie.com/embed/yTUngXxmxDw" frameborder="0" allow="autoplay; encrypted-media" width="500px !important;" height="281px !important;" style="width: 500px !important; height: 281px !important; display: inline-block !important" allowfullscreen></iframe> </div> <h2 id="google--1password">Google &amp; 1Password</h2> <p>We’re delighted that Google is supporting passkeys. There are a handful of critical services on the web that will drive passkey adoption, and Google is right at the top of that list.</p> <p>Google’s announcement will help more people discover passkeys, and encourage other companies to add passkey support to their websites and apps. 2023 is quickly shaping up to be the year of the passkey – and 1Password is all in.</p> <p>Jeff Shiner, CEO of 1Password, puts it best:</p> <p><em><strong>&ldquo;Passkeys are the first authentication method that removes human error – delivering security and ease of use.</strong></em></p> <p><em><strong>With Google turning on passkey support today, more than 1.5 billion people around the world now have the opportunity to adopt passkeys. In order to be widely adopted though, users need the ability to choose where and when they want to use passkeys so they can easily switch between ecosystems.</strong></em></p> <p><em><strong>As we actively work with other FIDO Alliance leaders to eliminate passwords, we’ll inevitably remove one of phishers’ biggest rewards – credentials. This is a tipping point for passkeys and making the online world safer.&rdquo;</strong></em></p> <p>Google and 1Password are both board members of the FIDO Alliance, an open industry association that works to reduce the world’s reliance on passwords.
We’re excited to continue working with Google and other members of the Alliance to accelerate passkey adoption around the world.</p> <h2 id="learn-more-about-passkeys">Learn more about passkeys</h2> <p>The bottom line? <strong>1Password is all in on passkeys</strong>. It&rsquo;s a new kind of login credential, built on the FIDO2 and WebAuthn standards, that has the potential to be a simple, fast, and phishing-resistant sign-in solution for everyone.</p> <p>If you want to learn more about passkeys and our plans to support them, check out:</p> <ul> <li><a href="https://blog.1password.com/what-are-passkeys/">Our passkeys explainer</a></li> <li><a href="https://blog.1password.com/unlock-1password-with-passkeys/">Our announcement that you’ll soon be able to create and unlock a 1Password account using a passkey</a></li> <li><a href="https://www.future.1password.com/">Our future of 1Password microsite</a></li> <li><a href="https://blog.1password.com/passwordless-research/">Our research report looking at the public&rsquo;s attitude toward passkeys and passwordless authentication</a></li> <li><a href="https://passkeys.directory/">Our passkeys directory, a community-driven index of websites, apps, and services that support passkeys</a></li> </ul> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Subscribe to our passwordless newsletter</h3> <p class="c-call-to-action-box__text"> Read the latest passkey announcements by 1Password, as well as helpful guides, explainers, and community chatter about passwordless authentication.
</p> <a href="https://1password.com/passwordless-news/" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Subscribe to Beyond Passwords </a> </div> </section></description></item><item><title>An update on our recent service disruption</title><link>https://blog.1password.com/april-2023-service-disruption-update/</link><pubDate>Tue, 02 May 2023 00:00:00 +0000</pubDate><author>info@1password.com (Pedro Canahuati)</author><guid>https://blog.1password.com/april-2023-service-disruption-update/</guid><description> <img src='https://blog.1password.com/posts/2023/april-2023-service-disruption-update/header.png' class='webfeedsFeaturedVisual' alt='An update on our recent service disruption' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">On April 27th, between 9:03 PM and 9:26 PM ET, 1Password experienced a brief service outage. This was not a security incident, and customer data was not affected in any way.</p> <p>After completing planned maintenance, our service received an unexpected spike in sync requests from client devices to the servers. During the outage, users erroneously received a message indicating that their Secret Key or password had changed.</p> <p>Our mission is to help people safeguard their most important information. 1Password is designed to protect your information, with local copies of vault data always available on your devices – even without a connection to the 1Password service or the internet itself. As a result, your passwords and other vault items remain safe and sound.</p> <p>We’re deeply sorry for any inconvenience this outage may have caused and appreciate your patience during our investigation.
Service has been fully restored, and we can now share further details about what happened and how we’re working to avoid similar situations in the future.</p> <h2 id="what-happened">What happened?</h2> <p>On April 27th, our scheduled maintenance involved migration work for several of our backend databases. After the migration work was complete, we received an unexpected spike in sync requests from devices to our servers and, instead of correctly responding to those requests, we responded with a sign-in rejection.</p> <p>Our US servers returned an error code that our client applications interpreted incorrectly. The client applications displayed an incorrect message stating: “Your Secret Key or password was recently changed. Enter your new account details to continue.” In reality, neither the Secret Key nor the password had changed. This affected user sessions in our US environment between 9:03 PM and 9:26 PM ET.</p> <h2 id="what-did-we-do">What did we do?</h2> <p>We closely monitored the service health for the duration of this event, and by 9:26 PM ET on April 27th, the traffic in our US environment had returned to normal with no additional failed sign-in attempts. By April 28th, there were no additional erroneous messages, and we were able to confirm that the fixes were working as expected.</p> <h2 id="what-happens-next">What happens next?</h2> <p>We care deeply about our customers, their data, and their experience, so we take any service disruption like this very seriously.</p> <p>As part of our plan to avoid similar incidents in the future, our immediate next steps are to spend more time analyzing the data we collected and ensure we fully understand the underlying cause of this incident.
We will use this analysis to refine our migration process and error handling and ensure that we properly plan for these scenarios in the future.</p> <p>We take the integrity of your data and the stability of our systems very seriously and will continue to work hard every day to earn the trust you’ve placed in us.</p></description></item><item><title>Watch every episode of Hello CISO on YouTube</title><link>https://blog.1password.com/watch-hello-ciso-youtube/</link><pubDate>Wed, 26 Apr 2023 00:00:00 +0000</pubDate><author>info@1password.com (Anna Eastick)</author><guid>https://blog.1password.com/watch-hello-ciso-youtube/</guid><description> <img src='https://blog.1password.com/posts/2023/watch-hello-ciso-youtube/header.png' class='webfeedsFeaturedVisual' alt='Watch every episode of Hello CISO on YouTube' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Few disciplines change as quickly and continually as cybersecurity. For many CISOs, the pace of change and learning opportunities are what drew them to security in the first place. But it’s also hard to keep up with.</p> <p>That’s why we teamed up with <a href="https://www.troyhunt.com/">Troy Hunt</a>, web security consultant and creator of <a href="https://haveibeenpwned.com/">Have I Been Pwned</a>, on a YouTube series called <a href="https://www.youtube.com/watch?v=6lFxnbA8orc&amp;list=PLeXQRfNcE6-DIjq5PnAF6HDMfZkhfaHaT">Hello CISO</a>. In each episode, Hunt breaks down some of today&rsquo;s biggest security challenges, and the approach you should take to combat them as a modern CISO.</p> <blockquote> <p><em>&ldquo;The responsibilities of the modern CISO are expanding as digital infrastructure grows more complex. It’s no longer feasible to protect against every single threat, so you have to think more strategically. 
We need to work smarter, not harder – and that’s what I want to explore in this series.&rdquo;</em> – Troy Hunt, web security consultant and creator of Have I Been Pwned</p> </blockquote> <p>The last episode in the series was recently published on YouTube, so what better time to sit down and binge-watch them all? You can browse individual episodes below, or <a href="https://www.youtube.com/watch?v=6lFxnbA8orc&amp;list=PLeXQRfNcE6-DIjq5PnAF6HDMfZkhfaHaT">check out the full playlist</a> over on our YouTube channel.</p> <div style="text-align: center !important;"> <iframe src="https://www.youtube-nocookie.com/embed/videoseries?list=PLeXQRfNcE6-DIjq5PnAF6HDMfZkhfaHaT" frameborder="0" allow="autoplay; encrypted-media" width="500px !important;" height="281px !important;" style="width: 500px !important; height: 281px !important; display: inline-block !important" allowfullscreen></iframe> </div> <h3 id="episode-1-parts-1--2-the-downfall-of-on-premise-security">Episode 1 (parts 1 &amp; 2): The downfall of on-premise security</h3> <p>In the premiere episode of Hello CISO, Troy goes back to the roots of modern IT: the on-prem model. In this two-part episode, he covers the rise and fall of on-prem, the paradigm shift that followed, and what IT leaders can expect moving forward.</p> <p><a href="https://youtu.be/6lFxnbA8orc">Watch episode 1 (part 1) on YouTube ›</a></p> <p><a href="https://youtu.be/Ied-IL_r2eg">Watch episode 1 (part 2) on YouTube ›</a></p> <h3 id="episode-2-phishing-advancements-powered-by-ai">Episode 2: Phishing advancements powered by AI</h3> <p>Phishing isn’t the same beast it was 20 years ago. Thanks to advancements in artificial intelligence, phishing attacks are more advanced than ever — and IT leaders are struggling to keep up.
In this episode of Hello CISO, Troy touches on the current state of AI in phishing, where it’s headed, and what you can do to prepare.</p> <p><a href="https://youtu.be/Kv1nCCz1weI">Watch episode 2 on YouTube ›</a></p> <h3 id="episode-3-parts-1--2-shadow-it-is-here-to-stay">Episode 3 (parts 1 &amp; 2): Shadow IT is here to stay</h3> <p>The work from home trend exposed a growing security threat that’s been on IT’s radar for years: shadow IT. With more people using apps and services outside the purview of IT, a new way of thinking has emerged to confront the new reality. In this episode, Troy explains why shadow IT is here to stay, and why the associated loss of control isn’t the end of the world.</p> <p><a href="https://youtu.be/3uV-HW2Mchw">Watch episode 3 (part 1) on YouTube ›</a></p> <p><a href="https://youtu.be/BC6scQF6PRg">Watch episode 3 (part 2) on YouTube ›</a></p> <h3 id="episode-4-enterprise-data-collection-and-workers-right-to-privacy">Episode 4: Enterprise data collection and workers’ right to privacy</h3> <p>How do you balance data collection at work with workers’ inalienable right to privacy? It&rsquo;s a fine line to walk, but if you always err on the side of employee privacy, it&rsquo;s hard to go wrong. In this episode, Troy breaks down how to systematize that balance – and how to uncover the hidden costs of data collection.</p> <p><a href="https://youtu.be/pooiP8cMEXg">Watch episode 4 on YouTube ›</a></p> <h3 id="episode-5-mfa-in-the-enterprise">Episode 5: MFA in the enterprise</h3> <p>Is multi-factor authentication (MFA) always a good idea? What type of threat does it protect against? Can IT leverage MFA to tighten security without negatively affecting productivity? 
In this episode, Troy explores MFA in the enterprise: what it is, and perhaps more importantly, what it isn&rsquo;t.</p> <p><a href="https://youtu.be/3OjzJSnkh5Q">Watch episode 5 on YouTube ›</a></p> <h3 id="episode-6-how-to-secure-your-network-when-your-workforce-is-remote">Episode 6: How to secure your network when your workforce is remote</h3> <p>IT isn&rsquo;t only about – or even primarily about – technology itself. IT is about people. Nowhere is that more apparent than in our homes, where many of us were sent when the COVID-19 pandemic pushed us out of the office. In this episode, Troy talks about the two most important aspects of securing a work-from-home environment.</p> <p><a href="https://youtu.be/cLTl7aJhpKU">Watch episode 6 on YouTube ›</a></p> <h3 id="episode-7-secrets-management-and-infrastructure">Episode 7: Secrets management and infrastructure</h3> <p>Secrets management isn&rsquo;t just about usernames and passwords anymore, so how do you protect an infrastructure composed of physical machines, virtual machines, and people all constantly exchanging secrets? In this episode, Troy talks secrets: how to protect them, and why the old way of thinking won&rsquo;t cut it anymore.</p> <p><a href="https://youtu.be/46J_2QNA0tA">Watch episode 7 on YouTube ›</a></p> <h3 id="episode-8-common-sense-security-policies-and-the-bullshit-ones">Episode 8: Common sense security policies and the bullshit ones</h3> <p>The best policies for security aren’t always the policies that end up in the company security manual. Why? In this episode, Troy explores the difference between good security policies and cover your ass (CYA) security policies… and how to close the gap between the two.</p> <p><a href="https://youtu.be/HNHmyHjHZwU">Watch episode 8 on YouTube ›</a></p> <h3 id="episode-9-practicing-good-breach-response">Episode 9: Practicing good breach response</h3> <p>What makes a company successful at breach response? In a word, preparation.
In this episode, Troy breaks down an historically bad example of breach response, and how to avoid a similar fate.</p> <p><a href="https://youtu.be/diVX3i8Bz38">Watch episode 9 on YouTube ›</a></p> <h3 id="episode-10-the-ciso-regulation-minefield">Episode 10: The CISO regulation minefield</h3> <p>You can’t undertake every compliance initiative under the sun, so how do you prioritize? Talk to the right people, understand the ripple effects of each initiative, and know which will harm and which will strengthen security. Learn more in this episode of Hello CISO.</p> <p><a href="https://youtu.be/rXykfMjkkKs">Watch episode 10 on YouTube ›</a></p> <h3 id="episode-11-parts-1-and-2-hiring-top-tier-security-professionals">Episode 11 (parts 1 and 2): Hiring top-tier security professionals</h3> <p>Hiring can be more art than science. What should you look for when hiring security professionals? How important are degrees and certifications, really? In this episode, Troy breaks down how to spot the brightest talent.</p> <p><a href="https://youtu.be/kQKwpZw0XIc">Watch episode 11 (part 1) on YouTube ›</a></p> <p><a href="https://youtu.be/JWdflH8lNfw">Watch episode 11 (part 2) on YouTube ›</a></p> <h3 id="episode-12-security-training-thats-actually-useful">Episode 12: Security training that’s actually useful</h3> <p>In this final episode of Hello CISO, Troy’s talking training: how to generate enthusiasm for training initiatives, why that’s so critical for success, and some practical tips to tailor your training to your learners and maximize retention.</p> <p><a href="https://youtu.be/Sg9_iKMmYa4">Watch episode 12 on YouTube ›</a></p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Subscribe to our business security newsletter</h3> <p class="c-call-to-action-box__text"> Work in security? Get the latest 1Password news, tips, and announcements delivered right to your inbox. 
</p> <a href="https://1password.com/newsletter/" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Subscribe now </a> </div> </section></description></item><item><title>Hey, we're at RSA!</title><link>https://blog.1password.com/1password-rsa-conference-2023/</link><pubDate>Mon, 24 Apr 2023 00:00:00 +0000</pubDate><author>info@1password.com (Gina Fels)</author><guid>https://blog.1password.com/1password-rsa-conference-2023/</guid><description> <img src='https://blog.1password.com/posts/2023/1password-rsa-conference-2023/header.png' class='webfeedsFeaturedVisual' alt='Hey, we're at RSA!' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">RSA Conference is here! It&rsquo;s the security industry&rsquo;s equivalent of Sundance Film Festival. Or Paris Fashion Week. Or … well, you get the idea.</p> <p>Each year, the security industry flocks to the Moscone Center in beautiful San Francisco for three and a half days of keynotes, seminars, networking, and more. This one is special though because … <strong>1Password is attending for the first time!</strong></p> <p>We’re excited to have our own booth, and to be taking part in some of the conference talks. There&rsquo;s so much to discuss, including how our industry can best support <a href="https://blog.1password.com/what-are-passkeys/">passkeys</a>, a secure and convenient alternative to passwords.</p> <p>(In case you missed it, <a href="https://blog.1password.com/unlock-1password-with-passkeys/">we&rsquo;re all in on passkeys</a>!)</p> <p>Here&rsquo;s a quick rundown of everything we&rsquo;re doing at the show:</p> <h2 id="find-us-on-the-show-floor">Find us on the show floor</h2> <p>If you&rsquo;re attending RSA Conference, swing by our booth and say hello! 
You can chat with our team and get an in-depth look at how to administer 1Password, our user experience, and our developer tools. You&rsquo;ll find us in the North Expo hall, at booth number 5385.</p> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div class="c-technical-aside-box__description"> <p>Use <a href="https://www.rsaconference.com/usa/expo-and-sponsors#q=5385&amp;numberOfResults=25">this map</a> if you need a hand tracking us down on the show floor!</p> </div> </aside> <h2 id="catch-our-demos">Catch our demos</h2> <p>Want a sneak peek at some passkey updates coming to 1Password? You can watch a live demo by Anna Pobletts, 1Password’s Head of Passwordless, and enter for a chance to win a pair of Bose wireless headphones after each demo.</p> <p>If you’re interested, just stop by our booth at the following times:</p> <ul> <li>April 25th, 2:00PM PT</li> <li>April 27th, 11:30AM PT</li> </ul> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div class="c-technical-aside-box__description"> <p>Want to know more about our approach to passwordless authentication? 
Listen to Steve Won, Chief Product Officer at 1Password, <a href="https://randombutmemorable.simplecast.com/episodes/show-smart-passkey-support">explain how we&rsquo;re thinking about and supporting passkeys</a> on the latest episode of Random but Memorable, our lighthearted security podcast!</p> </div> </aside> <h2 id="watch-our-talks">Watch our talks</h2> <p>RSA Conference is packed full of insightful keynotes and seminars, featuring some of the brightest and most influential members of the security industry.</p> <p>You can catch 1Password at the following seminar:</p> <p><strong>FIDO Alliance Seminar: The State of Authentication in 2023: The Global Progress Past Passwords</strong><br> <em>April 26th, 1:15 PM PT – 5:15 PM PT</em><br> <em>Moscone South, 314</em></p> <p>Join the FIDO Alliance and its industry stakeholders to catch up on the latest innovations in digital identity. You&rsquo;ll learn how enterprises are strengthening their security – and user experience – by shifting from passwords to passkeys.</p> <p>During this seminar, 1Password&rsquo;s Anna Pobletts will be on a panel called <em>A Year with Passkeys: Lessons and Futures</em>, which starts at 2:10 PM PT. You won’t want to miss it!</p> <h2 id="if-you-see-us-say-hello">If you see us, say hello!</h2> <p>If you see our team members roaming the show floor, come up and say hi! 
RSA Conference is all about meeting new people (and old friends!), discussing complex problems, and learning how we can make the world a safer place for everyone.</p></description></item><item><title>Through the keyhole: A look at our refreshed brand</title><link>https://blog.1password.com/1password-brand-refresh/</link><pubDate>Thu, 20 Apr 2023 00:00:00 +0000</pubDate><author>info@1password.com (Jon Setzen)</author><guid>https://blog.1password.com/1password-brand-refresh/</guid><description> <img src='https://blog.1password.com/posts/2023/1password-brand-refresh/header.png' class='webfeedsFeaturedVisual' alt='Through the keyhole: A look at our refreshed brand' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">You may have noticed that some things have started to look a little different at 1Password. Over the next few weeks, we’ll continue to roll out new elements of our brand across our website, advertising, social channels, and more. And yes, while we’ve made some visual changes to the way we express our brand, we’re still the same 1Password. The values, goals, and ethos of 1Password are the same today as they were years ago.</p> <p>We’re still the same 1Password that was founded by four friends in Ontario. The same 1Password that’s committed to providing the most secure and easy-to-use password manager. The same 1Password that puts customer safety and satisfaction above everything else. And the same 1Password that will continue to lead and shape the future of authentication.</p> <p>We, like the industry and technology we work with, continue to evolve and advance. In the beginning, we barely acknowledged that what we were building is not only a product, but a brand. 
In taking the step back to see all that we&rsquo;ve accomplished, we want to recognize the efforts that have been made and crystallize our values, so that going forward, 1Password can continue to point towards the North Star we found back in 2006 when 1Password (or 1Passwd as it was known then!) was first launched.</p> <p>We have big dreams and our brand needs to evolve just as our company and product have. We’ve watched our customer base evolve over the years, and we’re thrilled by the trust that millions of individuals and more than 100,000 businesses have placed in us – including some of the world&rsquo;s leading brands.</p> <div style="text-align: center !important;"> <iframe src="https://www.youtube-nocookie.com/embed/sHJFm_8mSec" frameborder="0" allow="autoplay; encrypted-media" width="500px !important;" height="281px !important;" style="width: 500px !important; height: 281px !important; display: inline-block !important" allowfullscreen></iframe> </div> <p>1Password is now used in many countries around the world. As our customer base has evolved, we felt it was time to expand and refine our visual identity system to more accurately reflect the many ways 1Password fits into people&rsquo;s lives at home, at work, and beyond. Updating our brand with a new, thoughtful set of colors and design guidelines also enables our teams to work smarter and faster. We wanted to double down on our desire to cultivate a different conversation about security. One that’s not steeped in scare tactics but focuses on capabilities and possibilities instead.</p> <blockquote> <p><strong>It was time to expand and refine our visual identity system.</strong></p> </blockquote> <p>It’s not about what you save in 1Password, it’s about what you get out of using it. When you’re not spending your time resetting passwords and worrying about security, what can you accomplish? What will you create in the world? 
We truly believe that with 1Password, secrets go in and magic comes out.</p> <h2 id="a-portal-of-possibilities">A portal of possibilities</h2> <p>To guide this process, we spoke to countless customers and employees about what makes 1Password special. It was crucial that we were true to the soul that has made us a trusted partner to so many people and businesses. We kept going back to this idea of trying to visually portray the feeling one gets when they use 1Password.</p> <ul> <li>How does it feel to open one of your vaults and find exactly what you need?</li> <li>What does that moment feel like when you need to pay a bill, or sign in to an account, and your credentials are automatically filled in for you?</li> </ul> <p>We hear from many of you that it kind of feels like magic - and we agree! But what does that look like? Through various motion tests, we landed on an animation that shows our lock icon opening and a series of multi-colored rings bursting out of it.</p> <div style="text-align: center !important;"> <iframe src="https://www.youtube-nocookie.com/embed/iDpEr3CfgNo" frameborder="0" allow="autoplay; encrypted-media" width="500px !important;" height="281px !important;" style="width: 500px !important; height: 281px !important; display: inline-block !important" allowfullscreen></iframe> </div> <p>The rings portray the various colors of life – and the individual approaches we all take to using the precious items in our vaults. We saw this as a portal into the human side of 1Password. This “portal of possibilities” was a core thread for us as it added energy and personality to everything we did.</p> <img src="https://blog.1password.com/posts/2023/1password-brand-refresh/refresh-1.png" alt="1Password&#39;s new lock and &#39;rings&#39; concept, visualized in four different images." title="1Password&#39;s new lock and &#39;rings&#39; concept, visualized in four different images." 
class="c-featured-image"/> <p>For those of you who like to dig a little deeper in design decisions, we&rsquo;ve broken down some of the core elements of this ever-evolving system in the remainder of this post. All of the work you’re about to see and read about was done in-house by a cross-functional team composed of members of our hugely talented Creative and Product Design teams.</p> <h2 id="our-new-company-logo-and-typeface">Our new company logo and typeface</h2> <p>The 1Password logo you’ve known for years has been pulling double duty for a long, long time as both our product logo and brand logo. As we look to the future and continue to diversify our product offerings, we want to be able to differentiate between our company and our products. We needed something more agile and ultimately opted for a simplified creative canvas.</p> <p>To be clear, the product icon that you’ve come to know and love isn’t changing. When you glance down at your mobile device, the app icon will be the same as before. The app icon floating in your Mac’s dock isn’t changing. And the 1Password icon in your browser is staying the same. And, when you unlock your vault, that lovely animation is, yes, staying the same.</p> <img src="https://blog.1password.com/posts/2023/1password-brand-refresh/refresh-2.png" alt="A design breakdown of 1Password&#39;s new word mark, shown in two different color combinations." title="A design breakdown of 1Password&#39;s new word mark, shown in two different color combinations." class="c-featured-image"/> <img src="https://blog.1password.com/posts/2023/1password-brand-refresh/refresh-3.png" alt="The 1Password brand icon and 1Password product icon, shown side by side." title="The 1Password brand icon and 1Password product icon, shown side by side." class="c-featured-image"/> <p>We’ve sweated all the tiny details and built upon our trusted and distinguished keyhole, using it as a focal point for the new logo. 
The lock has been removed from the wordmark and placed at the forefront of the logo itself. Our refreshed wordmark is set in our bespoke new typeface, Agile Sans, making our updated logo more readable at any size. Agile Sans is friendly and trustworthy, just like 1Password. It features a dash of charm and just the right amount of quirkiness.</p> <p>While the logo itself appears simple, it offers us a flexible canvas we can play with. The simplicity allows it to act as a vessel for us to infuse personality and dynamism into our brand in both sensible and unpredictable ways. Whether we’re creating imagery to acknowledge important dates in the calendar year, varying how we interpret our mark to align with various partners, or just giving us a sense of playfulness by adding unexpected executions into the mix – the possibilities are endless.</p> <img src="https://blog.1password.com/posts/2023/1password-brand-refresh/refresh-4.png" alt="Three images showing different variations of the 1Password icon. A fourth image shows the 1Password wordmark in the Chase Center." title="Three images showing different variations of the 1Password icon. A fourth image shows the 1Password wordmark in the Chase Center." class="c-featured-image"/> <h2 id="an-updated-color-palette">An updated color palette</h2> <p>Our self-imposed color brief was a good balance of one part blue sky and one part constraint. 
Our mandates were: (1) keep our primary blue brand color (with the caveat that the value of the blue could change as needed), and (2) create a palette that was harmonious and could be mixed and matched with our Brand Blue.</p> <p>The palette we ultimately landed on is made up of a tight triad of core colors – Bits Blue, Intrepid Blue, and a neutral beige we’re calling Biscuit – along with a supporting cast of vibrant accent colors, plus a few functional workhorses for backgrounds and text.</p> <img src="https://blog.1password.com/posts/2023/1password-brand-refresh/refresh-5.png" alt="A diagram showing all of the colors in 1Password&#39;s new color system." title="A diagram showing all of the colors in 1Password&#39;s new color system." class="c-featured-image"/> <p>Taking a look at the before and after, you’ll notice that, relative to the previous color palette, we’ve really just made small adjustments. Our Core Blue has been desaturated a bit so it feels more tactile and almost denim-like, and the anchoring Navy (Intrepid Blue) has had its richness dialed up. The accent colors are similar to the previous palette, but they’ve been tweaked and fine-tuned to harmonize nicely with the new core colors.</p> <p>Our Art Director, Lawren Ussery, led the group developing this new palette and describes the result as “a warmed-up, harmonious palette that will serve as a powerful tool in our visual toolkit driving us toward the goal of continuing to humanize 1Password.”</p> <h2 id="an-expanded-illustration-system">An expanded illustration system</h2> <p>Similar to the dynamism we’ve brought to our new logo, we wanted to continue to add personality to our evolving illustration system.</p> <p>We’ve developed an approach that lets us tackle illustrations from a small, medium, large, and extended perspective. Each level gives us an opportunity to add different levels of narrative detail to our illustrations. 
This system starts with small iconography, adds a medium level of spot illustration detail, and then gives us the ability to make beautiful narrative illustrations. Finally, it gives us the scalability needed to work with outside illustrators on special projects.</p> <img src="https://blog.1password.com/posts/2023/1password-brand-refresh/refresh-6.png" alt="Four images showing how 1Password&#39;s new art style scales from small to large illustrations." title="Four images showing how 1Password&#39;s new art style scales from small to large illustrations." class="c-featured-image"/> <p>We had to give ourselves some constraints in order to ensure this system was achievable and scalable. Our three mandates were:</p> <ol> <li>Build a system that acknowledges our community and reflects our human-centric, ethos-based brand.</li> <li>Create a system that gives us the capability to design at scale and maintain consistency.</li> <li>Develop a clear connection between brand and product visuals.</li> </ol> <p>Finally, as with every element of this refresh, we wanted to break the mold regarding how our industry approaches the visual storytelling of security. Instead of complicated technical authentication, we wanted to focus on the positive outcomes of being secure.</p> <blockquote> <p><strong>We wanted to break the mold regarding how our industry approaches the visual storytelling of security.</strong></p> </blockquote> <p>Throughout our system, we have consistent tones of positivity, wonder, and quirkiness. In order to keep our brand look cohesive with our product illustration style, we’re adding moments of texture throughout all of our illustrations. 
We feel this gives us the range we need to execute both thin-lined spot illustrations and more visually rich editorial illustrations.</p> <h2 id="putting-people-in-the-frame">Putting people in the frame</h2> <p>To showcase the more human side of 1Password, we’re incorporating photography and live action video into our system more than ever before.</p> <p>Showcasing our customers’ successes is an important story to tell. We know that on the other end of every login is a human being trying to achieve something. In one of our first refresh alignment sessions, our CEO Jeff Shiner said: “People don’t say ‘I need to authenticate with Zoom.’ They say ‘I need to get on my Zoom call.’” 1Password helps them make that call happen – and that’s just one of the countless ways people at home, in their offices, and everywhere in between benefit from using 1Password.</p> <img src="https://blog.1password.com/posts/2023/1password-brand-refresh/refresh-7.png" alt="Four photographs of people working in an office." title="Four photographs of people working in an office." class="c-featured-image"/> <p>1Password, as a company, is all about people. They’re at the center of everything we do.</p> <p>This created an exciting opportunity to portray real people using and benefiting from 1Password. Our approach is a “fly on the wall” perspective of work and life, rather than studio-lit shoots. As the year progresses, we look forward to using more and more customers in our key photographic assets.</p> <blockquote> <p><strong>Capturing customer stories on video offers insight into the magic they’re able to create when they use 1Password.</strong></p> </blockquote> <p>In addition to still photography, we’ve begun spending time with a wide variety of customers, from small businesses to enterprises, and from developers to everyday 1Password users. Hearing their stories and capturing them on video offers insight into the magic they’re able to create when they use 1Password. 
It’s an honor for us to be able to share these stories and celebrate all the amazing things our customers accomplish.</p> <h2 id="bringing-it-all-together">Bringing it all together</h2> <img src="https://blog.1password.com/posts/2023/1password-brand-refresh/refresh-8.png" alt="Nine images showing 1Password&#39;s new branding in different places and scenarios." title="Nine images showing 1Password&#39;s new branding in different places and scenarios." class="c-featured-image"/> <p>These pieces come together across our website, in out-of-home advertising, at trade shows, events, and more. Wherever you encounter us, it always feels like 1Password. We’re excited to see where this new direction takes us as we continue to build a safer and simpler digital future for everyone.</p> <p>Thank you for taking this journey with us.</p></description></item><item><title>New research: Preparing for a passwordless future</title><link>https://blog.1password.com/passwordless-research/</link><pubDate>Tue, 18 Apr 2023 00:00:00 +0000</pubDate><author>info@1password.com (Emily Chioconi)</author><guid>https://blog.1password.com/passwordless-research/</guid><description> <img src='https://blog.1password.com/posts/2023/passwordless-research/header.png' class='webfeedsFeaturedVisual' alt='New research: Preparing for a passwordless future' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">We&rsquo;ve used passwords to protect our private data for a very long time. But if you don&rsquo;t use a password manager, it can be difficult to keep them memorized – especially if you&rsquo;re using strong, unique passwords for each account.</p> <p>Enter <a href="https://blog.1password.com/what-are-passkeys/">passkeys</a>.</p> <p>Passkeys are a modern alternative to passwords. They make it simpler and more secure to sign in by allowing you to create online accounts you can log into without entering a password. 
All you need is a trusted device to act as your authenticator, which could be your phone, tablet, or PC. When you go to sign in to an account, your device will prompt you to authenticate using your fingerprint or face for maximum protection, or a secure PIN if biometrics aren’t available.</p> <p>Passwordless technology is positioned to change our lives. If we can get rid of passwords, we can also get rid of the many frustrations that come with them, from resets and phishing to failed logins and wasted time.</p> <p>But how do people feel about a passwordless future? Are they open to it, and do they understand what it means? To answer these questions, we surveyed 2,000 adults in North America on their attitudes about passwords, as well as their understanding and willingness towards adopting new technology.</p> <p>Here’s what we found:</p> <h2 id="our-key-findings">Our key findings</h2> <ul> <li> <p><strong>People are desperate to simplify their digital lives.</strong> Nearly two in three people (65%) say they’re open to using any new technology that makes life simpler.</p> </li> <li> <p><strong>Passkeys aren’t going mainstream overnight.</strong> Only one in four people say they&rsquo;ve heard the term &ldquo;passwordless.&rdquo;</p> </li> <li> <p><strong>People are open to passkeys once they understand what they are and how they work.</strong> Three in four people (75%) indicate they&rsquo;d be open to using passkeys, when shown a description and example.</p> </li> <li> <p><strong>Phishing isn’t going away any time soon.</strong> 67% of respondents personally received phishing attack messages in the past year, while 100% either received phishing messages or know someone who did.</p> </li> </ul> <h2 id="read-the-full-report">Read the full report</h2> <p>If you want to learn more about the passwordless future and its impact on cybersecurity, <a 
href="https://1password.com/resources/passwordless-future-report?utm_medium=direct&amp;utm_source=blog&amp;utm_campaign=passwordless">check out the full report</a>. It digs deeper into how passwordless technology is going mainstream and how willing and motivated people are to give it a try. You’ll also learn how passkeys can simplify our digital lives, and how biometrics can make understanding and using them more comfortable and familiar.</p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Preparing for a passwordless future</h3> <p class="c-call-to-action-box__text"> Read our report to learn how passkeys are ushering in a password-free future, and what it's going to take to get there. </p> <a href="https://1password.com/resources/passwordless-future-report?utm_medium=direct&amp;utm_source=blog&amp;utm_campaign=passwordless" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Download the report </a> </div> </section></description></item><item><title>Why you should start using 1Password at university</title><link>https://blog.1password.com/why-students-1password-university/</link><pubDate>Mon, 17 Apr 2023 00:00:00 +0000</pubDate><author>info@1password.com (Nick Summers)</author><guid>https://blog.1password.com/why-students-1password-university/</guid><description> <img src='https://blog.1password.com/posts/2023/why-students-1password-university/header.png' class='webfeedsFeaturedVisual' alt='Why you should start using 1Password at university' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Life as a university student can get pretty hectic. You&rsquo;ve got classes to attend, assignments to complete, and notes to memorize ahead of exams. 
On top of that, you might be juggling a part-time job, extracurricular clubs, and a busy social calendar.</p> <p>Setting up a password manager might not feel like the most important item on your to-do list. But it’s a small investment that can have a large positive impact on your student experience. Here, we&rsquo;ll explain how 1Password will save you time, keep your accounts secure, and give you peace of mind so that you can focus on graduating with top marks.</p> <h2 id="1-youll-never-forget-a-password-for-any-of-your-university-accounts">1. You&rsquo;ll never forget a password for any of your university accounts</h2> <p>Most university courses require you to create a lot of new accounts. You&rsquo;ll likely have an academic email address, accounts for accessing teacher notes and resources, downloading research papers, and even accessing the school library.</p> <p>Remembering the password for each of these new accounts can be a real pain – especially if they’re all unique. With 1Password, you can create strong credentials for all of your accounts, organize them with vaults and tags, and quickly access them on all of your devices.</p> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div class="c-technical-aside-box__description"> <p>&ldquo;While I&rsquo;ve been at university, I&rsquo;ve made so many accounts that I couldn&rsquo;t possibly recollect them all. Having a space where I can look at what I have available, and access everything so easily and conveniently, has been incredible for me.”</p> <p>– Wais Hundekar, student at the University of Waterloo</p> </div> </aside> <h2 id="2-youll-save-time-and-be-more-productive">2. You&rsquo;ll save time and be more productive</h2> <p>1Password doesn&rsquo;t just memorize your passwords – it <a href="https://1password.com/features/autofill/">autofills</a> them too. 
Sure, it only takes a few seconds to type out a password, but that&rsquo;s assuming you remember it immediately, and don&rsquo;t make any mistakes typing it out! Consider how often you enter a password, or have to reset one of your passwords – those seconds quickly add up over a semester.</p> <p>1Password eliminates the frustration of typing out and resetting forgotten passwords, giving you more time for important tasks, like finishing up your dissertation, or playing some <em>Super Smash Bros. Ultimate</em> with your roommates.</p> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div class="c-technical-aside-box__description"> <p>“I like using the 1Password browser extension whenever I need to autofill passwords. That’s one feature that I think is really handy and it saves me the trouble of having to type out my complex passwords.</p> <p>It’s also pretty convenient to have 1Password auto-generate your passwords. I mean, you could go online and generate one in the browser, but it’s not convenient to have to then plug it in everywhere.”</p> <p>– Abhyuday Bose, student at University of Waterloo</p> </div> </aside> <h2 id="3-youll-take-the-hassle-out-of-group-projects">3. You&rsquo;ll take the hassle out of group projects</h2> <p>Group projects are hard. You have to come up with (and agree upon) a central idea, assign tasks, and then ensure everyone delivers their work on time, and at a reasonable standard.</p> <p>Don&rsquo;t make group projects more difficult than they need to be. 
You can use 1Password to create, organize, and share passwords for important documents, spreadsheets, and cloud storage – <a href="https://blog.1password.com/psst-item-sharing/">even if your team members aren&rsquo;t using a password manager yet</a>.</p> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div class="c-technical-aside-box__description"> <p>&ldquo;If there&rsquo;s something secure that we need to share, 1Password makes it really easy to just copy a link and send it over. You know that your password is safe and you’re not necessarily just coming up with something easy that everyone can remember. You’re doing it in a way that makes sense for everyone.”</p> <p>– Charlene Rocha, student at University of Waterloo</p> </div> </aside> <h2 id="4-youll-be-able-to-apply-to-more-jobs">4. You&rsquo;ll be able to apply to more jobs</h2> <p>Toward the end of your course, you&rsquo;ll likely start the search for a job in your field. It can be a time consuming process that involves tailoring your resume to each job, writing custom cover letters, or the always dreaded copy and pasting of all that information into online forms.</p> <p>With 1Password, you can save all of your personal information, including your name, email address, and phone number, and then autofill it anywhere. The result? Fewer hours spent copying and pasting what&rsquo;s already listed on your resume and LinkedIn profile. Eliminating this part of the process means you can spend more time applying to additional jobs, or focus on making each application really stand out from the crowd.</p> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div class="c-technical-aside-box__description"> <p>&ldquo;So many companies have their own individual job portals that you have to fill out. It can be such a pain to go, ‘Here’s my address, here’s my name, here’s my email, here’s my LinkedIn’. 
The fact that you can have custom fields in 1Password and click autofill is so easy and it makes the process a lot simpler.&rdquo;</p> <p>– Charlene Rocha, student at University of Waterloo</p> </div> </aside> <h2 id="5-you-can-store-organize-and-share-everything-else-thats-important-in-your-life">5. You can store, organize, and share everything else that&rsquo;s important in your life</h2> <p>Your life extends beyond the classroom. You&rsquo;ve likely got debit and credit cards, Wi-Fi passwords, and login credentials for all the places you frequent online, including music and video streaming services. Not to mention important documents, like your passport, driver’s license, and medical records.</p> <p>1Password gives you a secure and accessible place to keep all of this information, whether you’re living on campus or at home. You can also securely share it with family, roommates, and friends using <a href="https://support.1password.com/create-share-vaults/">vaults</a> or <a href="https://support.1password.com/share-items/">item sharing</a>. No more annoying – and potentially insecure – text messages, calls, or post-it notes that will inevitably fall off the refrigerator.</p> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div class="c-technical-aside-box__description"> <p>&ldquo;Anytime I’m ordering something, instead of going to get my credit card, I can just check my 1Password vault and pull it up.</p> <p>I also have a PDF of my driver’s license. I could have it stored on my computer, but I feel like it’s a lot more easily available, while also being secure, in 1Password. I can access it on my device rather than having to scan my ID anytime I need to upload identification. It’s all readily available.”</p> <p>– Wais Hundekar, student at University of Waterloo</p> </div> </aside> <h2 id="6-you-can-protect-your-accounts-from-hackers-and-respond-quickly-to-data-breaches">6. 
You can protect your accounts from hackers and respond quickly to data breaches</h2> <p>The best way to protect your online accounts is by using strong and unique passwords. If you use the same credentials for everything, you’re putting your information at risk. Why? Because if a single service is compromised and your password leaks online, at least one criminal will probably check <a href="https://blog.1password.com/how-1password-keeps-you-safe-from-cyber-attacks/">if they can use it to access your other accounts</a>.</p> <p>When credit cards, home addresses, and personal photos are saved in a variety of accounts, you really don’t want to risk getting compromised.</p> <p>The problem is that no-one can remember 100 passwords that look like this: <span class="c-password c-password__displayinlineflex"> <span class="c-password__symbols">!</span> <span class="c-password__letter">i</span> <span class="c-password__letter">W</span> <span class="c-password__letter">Z</span> <span class="c-password__letter">V</span> <span class="c-password__symbols">-</span> <span class="c-password__letter">B</span> <span class="c-password__letter">E</span> <span class="c-password__letter">b</span> <span class="c-password__digits">0</span> <span class="c-password__symbols">&#43;</span> <span class="c-password__symbols">-</span> <span class="c-password__digits">6</span> <span class="c-password__letter">p</span> <span class="c-password__letter">Z</span> <span class="c-password__letter">F</span> <span class="c-password__letter">z</span> <span class="c-password__letter">N</span> </span> . But you no longer have to compromise between secure credentials and easy access to accounts. Just let 1Password generate, store, and autofill strong passwords on your behalf.</p> <p><a href="https://watchtower.1password.com/">Watchtower</a> will also tell you when any of your passwords have been affected by a known data breach and need to be changed. 
That way, you can update the password before any criminal has a chance to exploit it.</p> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div class="c-technical-aside-box__description"> <p>&ldquo;I used to have to depend on notifications from the platforms themselves to know whether my passwords were part of a data breach. Or it would depend on whether the breach appeared in the news or not. But now, because of Watchtower, I get to know earlier, and that’s very comforting.”</p> <p>– Abhyuday Bose, student at University of Waterloo</p> </div> </aside> <h2 id="7-you-can-have-true-peace-of-mind">7. You can have true peace of mind</h2> <p>Living as a student can feel like you&rsquo;re spinning a dozen plates simultaneously. You only have so much mental bandwidth, and it&rsquo;s important that you keep some of it free for assignments, personal reflection, and your own sense of work-life balance.</p> <p>Don&rsquo;t make passwords and cybersecurity one of those plates. Instead, hand off the task of remembering and organizing everything in your digital life to 1Password.</p> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div class="c-technical-aside-box__description"> <p>“As a student, one of my top priorities is having that peace of mind. It&rsquo;s knowing that I don’t have anything to worry about in terms of my online security.</p> <p>University is a very transitional period, and there’s going to be a lot of challenges in place. I don&rsquo;t want to have to tackle this and worry about things like ‘Have any of my online accounts been breached?’ or ‘Am I at risk of any cyberattacks?’”</p> <p>– Wais Hundekar, student at University of Waterloo</p> </div> </aside> <h2 id="supercharge-your-student-experience-for-less-than-the-price-of-a-cup-of-coffee">Supercharge your student experience for less than the price of a cup of coffee</h2> <p>We get it – when you&rsquo;re a student, spare cash is hard to come by. 
To survive, you need to stick to a budget and make every dollar stretch as far as possible.</p> <p>A password manager like 1Password can seem like a luxury, but it&rsquo;s really an essential tool that pays for itself many times over. It&rsquo;ll keep your accounts secure, organize your digital life, and save you time so that you can achieve your goals both inside and outside university.</p> <p>An individual 1Password subscription costs less than a double espresso (or a similarly-priced beverage of your choice) in most major cities. For all the benefits we just covered, that&rsquo;s a price well worth paying.</p> <section class="c-call-to-action-box c-call-to-action-box--purple"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Streamline your digital life</h3> <p class="c-call-to-action-box__text"> Organize and secure all your online accounts with 1Password, the world’s most-trusted password manager. Get started today with a free 14-day trial. </p> <a href="https://1password.com/pricing/" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--purple" data-event-category="CTA" data-event-action="call-to-action-button"> Try free for 14 days </a> </div> </section></description></item><item><title>Passkeys vs. passwords: What are the differences?</title><link>https://blog.1password.com/passkeys-vs-passwords-differences/</link><pubDate>Tue, 11 Apr 2023 00:00:00 +0000</pubDate><author>info@1password.com (Megan Barker)</author><guid>https://blog.1password.com/passkeys-vs-passwords-differences/</guid><description> <img src='https://blog.1password.com/posts/2023/passkeys-vs-passwords-differences/header.png' class='webfeedsFeaturedVisual' alt='Passkeys vs. passwords: What are the differences?' 
style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Humans have used different forms of passwords to guard secrets for <a href="https://en.wikipedia.org/wiki/Password">centuries</a>. These days, we use strings of characters to access everything from garage doors to digital documents.</p> <p>The average person has over 100 passwords, all of which should be complex, random, and unique — a tall order if you don’t use a password manager like 1Password.</p> <p>We can add more special characters and make them absurdly long (when apps and websites allow us to) but they’re still the same passwords with the same risks. It’s time for <a href="https://blog.1password.com/what-are-passkeys/">passkeys</a>.</p> <p>But what are passkeys and how do they differ from passwords? Can you use passkeys and passwords together? And are passkeys safer than traditional passwords?</p> <p>Let’s find out.</p> <h2 id="on-the-surface">On the surface</h2> <p>When you create an account today, you choose a password and enter (or fill) that password when you want to sign in. You’re given access if what you enter matches what you chose when you signed up.</p> <p>Passkeys give the sign-up process a bit of a makeover. You use your biometrics (face or fingerprint) or local device password to secure your new account then prove your identity so you can sign in.</p> <p>The password and passkey processes sound pretty similar on the surface. A specific piece of information protects your account, and you need to provide that same piece of information to log in.</p> <p>So, what’s the difference? It’s a <em>secret</em>.</p> <h2 id="what-lies-beneath">What lies beneath</h2> <p>Traditional passwords are known as <em>shared secrets</em>. While they’re often disguised on your screen as a series of asterisks or bullets, you have to type and submit them in plain text. 
When you create an online account, the website uses an algorithm – complex, predetermined math – to encrypt, or scramble, that text. The result, which is called a hash, is then saved by the website or app.</p> <p>When you sign in, the website performs the same math on the password you enter or fill. If the resulting hash matches what was stored when you signed up, you’re in.</p> <p>By contrast, passkeys are a form of passwordless authentication that use <a href="https://blog.1password.com/what-is-public-key-cryptography/">public key cryptography</a>. That means each passkey is actually a pair of keys – a public key and private key – that are mathematically linked to one another. Your public key is meant to be shared, and is stored by the app or website when you create a new account. But your private key never leaves your device — it’s a <em>true secret</em>.</p> <div style="text-align: center !important;"> <iframe src="https://www.youtube-nocookie.com/embed/DELDP_wbuE4?si=VQ4KiFVKIJwHFGBY" frameborder="0" allow="autoplay; encrypted-media" width="500px !important;" height="281px !important;" style="width: 500px !important; height: 281px !important; display: inline-block !important" allowfullscreen></iframe> </div> <p>To sign in, your device sends a request and the website returns a challenge that can only be solved (or signed) with the corresponding private key. Your device uses the private key – that only it has – to complete the challenge. The completed challenge is sent back and the website verifies the answer.</p> <p>The fundamental difference between passwords and passkeys is the presence of a true secret. Everything you need to log in to an online account is shared and stored by the app or website. But every passkey has a unique secret, and each one is yours to keep.</p> <h2 id="what-passwordless-means-for-your-security">What passwordless means for your security</h2> <p>Imagine your favorite website supports passkeys. Exciting! 
You want to go passwordless and wonder if using a passkey over a password will really make your account safer.</p> <p>It will — really. For a number of reasons:</p> <ul> <li> <p><strong>Passkeys can’t be guessed because of their innate complexity.</strong> Weak and predictable passwords (and their hashes) are often hacked but there’s essentially an infinite number of passkey combinations.</p> </li> <li> <p><strong>Attackers who gain access to your public key during a data breach will discover it’s useless without its private counterpart.</strong> That&rsquo;s the private key, which is always <em>your</em> secret, and never shared with the websites and apps you sign in to.</p> </li> <li> <p><strong>Passkeys leave hackers with nothing to intercept, phish, or socially engineer.</strong> It’s possible to view traditional passwords as they’re in transit, or trick people into sharing them (or information about them). Private keys, meanwhile, don’t leave your device, or contain text that can be guessed or shared.</p> </li> </ul> <p>Passwordless authentication also comes with its own multi-factor authentication (MFA). By definition, MFA consists of two or more factors of authentication: something you know (like a password), something you have (like a one-time code), or something you are (biometrics).</p> <p>Passkeys require you to verify both your identity and private key — and it all happens in one quick, easy step. That makes signing in with a passkey faster and simpler than traditional multi-step MFA processes.</p> <h2 id="what-passwordless-means-for-your-passwords">What passwordless means for your passwords</h2> <p>Passkeys offer a lot of advantages but it will take years for the entire internet to support them. That means the passwords we love (to hate) will be around for some time. You’ll need to manage a mixture of passwords and passkeys for a while, and doesn’t that sound like fun? 
The good news is that 1Password will be there for you.</p> <p>In the near future, 1Password will introduce passkeys as an item type so you can store them right alongside your passwords and use them seamlessly (and easily) across your devices, no matter the operating system.</p> <h2 id="what-passwordless-means-for-you">What passwordless means for you</h2> <p>New technology can be daunting and difficult to master — there’s no denying that — and we often perform internal cost-benefit analyses: we’ll weigh the time and energy it will take to learn and incorporate the technology against the payoff the new technology will offer.</p> <p>The bottom line: Passkeys are worth it.</p> <p>They’re more convenient and safer to use, and they offer better protection than traditional passwords. Passwordless technology is not only a vast improvement over the passwords we use today, it’s the future of authentication.</p> <p>And the future looks bright.</p> <p>If you want to learn more about our thoughts on passkeys and everything else related to passwordless authentication, check out:</p> <ul> <li><a href="https://randombutmemorable.simplecast.com/episodes/the-passwordless-special">This special episode of the Random but Memorable podcast, which explores all things passwordless</a></li> <li><a href="https://www.future.1password.com/">Our future of 1Password microsite</a></li> <li><a href="https://blog.1password.com/1password-is-joining-the-fido-alliance/">Our announcement that we&rsquo;ve joined the FIDO Alliance</a></li> </ul> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Subscribe to our passwordless newsletter</h3> <p class="c-call-to-action-box__text"> Get our latest passkey updates delivered right to your inbox, as well as guides, interviews, and other interesting articles about the next generation of sign-in technology. 
</p> <a href="https://1password.com/passwordless-news/" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Subscribe to Beyond Passwords </a> </div> </section></description></item><item><title>Less is more — especially when it’s a 'Learn More'</title><link>https://blog.1password.com/learn-more-content-design/</link><pubDate>Thu, 06 Apr 2023 00:00:00 +0000</pubDate><author>info@1password.com (Ryan Bigge)</author><guid>https://blog.1password.com/learn-more-content-design/</guid><description> <img src='https://blog.1password.com/posts/2023/learn-more-content-design/header.png' class='webfeedsFeaturedVisual' alt="Less is more — especially when it’s a 'Learn More'" style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Over a decade ago, the sketch comedy show <em>Portlandia</em> tried to answer a simple question: why do hipsters put birds on everything? Teapots, tote bags, greeting cards, pillows — even toast. When in doubt, <a href="https://youtu.be/iHmLljk2t8M">put a bird on it</a>.</p> <p>It’s always fun to laugh at silly hipster trends, but UX designers also have quirky habits. Last year, the content design team at 1Password started to notice a lot of “Learn More” links across our product. A few Learn Mores are fine, but a website or app full of them creates accessibility and usability problems.</p> <p>To put all of this in super technical UX language: 1Password might have too many birds in it.</p> <div style="text-align: center !important;"> <iframe src="https://www.youtube-nocookie.com/embed/iHmLljk2t8M" frameborder="0" allow="autoplay; encrypted-media" width="500px !important;" height="281px !important;" style="width: 500px !important; height: 281px !important; display: inline-block !important" allowfullscreen></iframe> </div> <h2 id="the-problem">The problem</h2> <p>Let’s start with accessibility. 
Screen readers can navigate a page by jumping from link to link. If most of those links say Learn More, it’s impossible to know where they’ll take the user.</p> <p>Too many &ldquo;Learn More&rdquo; links can also make it harder to understand new features or change existing settings. Those are issues that every designer wants to avoid. Our goal is to reduce complexity by explaining features as clearly and concisely as possible within 1Password’s apps and extensions. And fewer birds means a better experience for everyone.</p> <h2 id="breaking-the-habit">Breaking the habit</h2> <p>Given the many shortcomings of Learn More links, the content design team decided to try and fix our bird problem … and have some fun along the way. The result? <strong>Learn Nothing Month</strong>. Our plan had two parts:</p> <ul> <li>Break the Learn More habit</li> <li>Collaborate on a Learn More content pattern</li> </ul> <p>The first part was easy. We collected a bunch of screen grabs from different parts of 1Password and shared them during one of our weekly team-wide design critiques. Seeing so many Learn More links side-by-side revealed how a small, isolated decision can have unforeseen consequences when it’s repeated over and over again.</p> <p>Of course, the goal was not to shame the product design team or play the blame game. Not every Learn More is bad or unnecessary. Our design team agreed with us, and helped reveal the thinking behind some of those birds. “Learn More links are usually a lapse in proper UX design,” noted one product designer. Another admitted that a lack of time or engineering resources can result in a Learn More link.</p> <blockquote> <p><strong>Not every Learn More is bad or unnecessary.</strong></p> </blockquote> <p>We also didn’t want to put the technical writing team out of business. 1Password&rsquo;s apps can only contain so much information, and we often use “Learn More” to link to support pages and other documentation. 
But as it turns out, Erin Moore, Technical Writing Manager at 1Password, mostly agreed with me. As she noted a few days before we kicked off Learn Nothing Month:</p> <ul> <li>“Users shouldn’t have to leave the app unless absolutely necessary.”</li> <li>“Learn More is a fast solution, but it doesn’t necessarily mean it’s the best solution.”</li> <li>“We shouldn’t link out to a support page to mitigate a poor user experience.”</li> <li>“Have a team discussion about using a Learn More link at the start of a project, not at the end.”</li> </ul> <h2 id="finding-solutions">Finding solutions</h2> <p>I shared Erin’s thoughts with the product design team and then asked for feedback about Learn More links. Specifically, I wanted to know:</p> <ul> <li>What does a link-free, self-contained experience look like?</li> <li>How do you decide between a tooltip, a link, or a content/product design improvement?</li> <li>How do you decide between a descriptive link versus a good ol’ Learn More?</li> <li>What are the strengths and weaknesses of external links from an accessibility perspective?</li> </ul> <p>Our FigJam board quickly filled up with thoughts and ideas:</p> <ul> <li>“We should provide just enough information to enable users to move forward confidently.”</li> <li>“The <em>Bite, Snack, Meal</em> approach to designing information by Leslie O&rsquo;Flahavan might be a useful framework.”</li> <li>“Screen readers can navigate to links without context. So ‘Learn More, link’ will be read out loud and mean nothing.”</li> <li>“It can be hard to match the Learn More link to the right document.”</li> <li>“I try to avoid tooltips because they’re hard to notice and have potential accessibility issues. And tooltips are not available on mobile devices.”</li> </ul> <p>Our brainstorm generated lots of great insights. It also reminded us not to replace one bad solution with another. 
Finally, it helped us think more carefully about the user impact of those two simple words.</p> <p>Once we ran out of digital sticky notes, I shared part two of the plan … content patterns.</p> <h2 id="creating-content-patterns-together">Creating content patterns together</h2> <p>Never heard of content patterns before? You’re not alone. But they’re almost exactly what they sound like. As Natalie Shaw <a href="https://medium.com/@natalie_shaw/content-design-patterns-b08013fa4df5">explained back in 2016</a>, content design patterns improve consistency for users by “referring to the same things using the same words and using the same type of patterns with language.” As Shaw goes on to note: “A little bit of consistency really goes a long way, but it’s only really obvious if you write it down.”</p> <p>The biggest challenge with content patterns is getting non-content-designers excited about them. That’s why we asked the entire design team to help improve our approach to Learn More links. We didn’t want people to feel like the content design team was simply telling them what to do. Getting team-wide input meant our content pattern would have a better chance of success.</p> <blockquote> <p><strong>Creating a content pattern involves user needs, product design philosophy, rules, rationale, and accessibility considerations.</strong></p> </blockquote> <p>As a bonus, framing content patterns as (design) systems thinking helped shift the team’s understanding of content design. It’s easy to view the Learn More problem as a simple copywriting issue. But creating a content pattern involves user needs, product design philosophy, rules, rationale, and accessibility considerations. 
Learn More looks like a small problem, but it provoked larger questions about how we design at 1Password.</p> <p>A few weeks after launching Learn Nothing Month, Matt Davey, our Chief Experience Officer, singled out a Learn More link during design critique, and said: “I will ask about it before Ryan does.” The power of leadership reinforcing your content pattern should not be underestimated.</p> <blockquote> <p><strong>The power of leadership reinforcing your content pattern should not be underestimated.</strong></p> </blockquote> <p>A week or so before that, a designer I was working with on a new flow said: “Much like you said in your presentation, I don’t want birds everywhere. I want to create a self-contained, guided experience.” The power of metaphor should not be underestimated, either.</p> <p>And just before I finished this blog post, I was invited to a Zoom chat with two engineers and a product designer to see if a Learn More link was the right solution. (Spoiler alert: it wasn’t). But the conversation we had about other options reminded me about the thought and effort required to find a solution that clearly explains a new feature in a sentence or two.</p> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div class="c-technical-aside-box__description"> <p>Our new Learn More guidelines, which were just added to 1Password’s design system, will make future conversations much smoother. The guidelines encourage our team to:</p> <ul> <li>Explore content and design improvements to eliminate external links whenever possible</li> <li>Use descriptive links (Learn more about Portlandia) whenever possible</li> <li>Deeplink to relevant support content</li> <li>Consult with technical writers and content designers early in a project</li> <li>Use an aria label for “Learn More” links to provide more context for screen readers</li> </ul> </div> </aside> <h2 id="3-lessons-from-learning-nothing">3 lessons from learning nothing</h2> <p>I know, I know. 
The irony of gaining knowledge during Learn Nothing Month isn’t lost on me. But it’s always important to reflect on a new initiative.</p> <ol> <li> <p><strong>The content design team works.</strong> We hold content design workshops twice a week. These workshops serve many purposes, like giving everyone a cross-company view of what we’re building and how we’re building it. Without these content workshops, it would have been hard to notice or correctly diagnose the Learn More problem.</p> </li> <li> <p><strong>The design system team works.</strong> Embedding a content designer (that’s me!) in our design system makes it easier to advocate, create, and socialize content patterns. Whenever possible, I try to share an important pattern or component with the product design team for feedback and insight before it’s built. Not every content pattern requires this level of collaboration and outreach, but it definitely helps create alignment and buy-in.</p> </li> <li> <p><strong>The entire team works.</strong> Whenever possible, we try to tie smaller initiatives (e.g. content patterns) into larger company goals (e.g. one of 1Password’s values is “keep it simple”). If everything in our product is so complex that it requires further reading to understand or appreciate, we aren’t doing our job.</p> </li> </ol> <p>Our month-long experiment is gaining momentum. But we can’t change every part of 1Password in only four weeks with a few bird jokes. 
Over the next few months, whenever we can, we’ll make sure that every link earns its rightful place inside our product.</p></description></item><item><title>How a small team of volunteers is helping people break free of ransomware</title><link>https://blog.1password.com/ransomware-hunting-team-interview/</link><pubDate>Tue, 04 Apr 2023 00:00:00 +0000</pubDate><author>info@1password.com (Stacey Harris)</author><guid>https://blog.1password.com/ransomware-hunting-team-interview/</guid><description> <img src='https://blog.1password.com/posts/2023/ransomware-hunting-team-interview/header.png' class='webfeedsFeaturedVisual' alt='How a small team of volunteers is helping people break free of ransomware' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">It’s like a technological thriller come to life. Ransomware entered the global spotlight in 2021 <a href="https://www.cyber.gc.ca/en/guidance/cyber-threat-bulletin-ransomware-threat-2021">after a number of high-profile cases</a> caught the media’s attention. But long before the growing threat entered the public domain, a small group of individuals started quietly helping thousands of people and businesses get their information back – without paying the ransom.</p> <p>Journalists Renee Dudley and Dan Golden have written about this incredible story in a book called <a href="https://us.macmillan.com/books/9780374603304/theransomwarehuntingteam"><em>The Ransomware Hunting Team, A Band of Misfits’ Improbable Crusade to Save the World from Cybercrime</em></a>.</p> <p>We invited the pair onto our <a href="https://randombutmemorable.simplecast.com/">Random but Memorable</a> podcast to talk about this remarkable group, and what they&rsquo;ve both learned about the evolution of ransomware and cybercrime. 
Read on for the highlights of the interview hosted by Michael Fey (Roo), Head of User Lifecycle &amp; Growth at 1Password, or <a href="https://randombutmemorable.simplecast.com/episodes/ransomware-hunting-team-emergency">listen to the entire episode</a> on your favorite podcast player.</p> <div class="c-simplecast-embed"> <iframe class="c-simplecast-embed__iframe" title="1Password Random but Memorable Podcast" width="100%" frameborder="no" scrolling="no" seamless src="https://player.simplecast.com/a57afd24-c130-4fa8-ba27-91efe598ffa0?dark=false"></iframe> </div> <p><a href="https://randombutmemorable.simplecast.com/episodes/ransomware-hunting-team-emergency">Listen to episode 102 ›</a></p> <p><strong>Michael Fey: Can you give us some background on how you decided to write this book, and why it was important to write now?</strong></p> <p><strong>Renee Dudley:</strong> I had been hearing from chief information security officers at big, publicly traded companies that ransomware was a growing threat. This was before ransomware was in the news every day.</p> <p>I dove into research and found that everybody connected to this world was recommending I speak to a guy named demonslay335. He turned out to be Michael Gillespie, who would later become the hero of our book. I learned that he&rsquo;s part of a global team of about a dozen people across seven countries who crack ransomware.</p> <p>Ransomware locks victims’ files and demands a ransom payment in exchange for a key to unlock those files. Michael and his global ransomware-hunting team find vulnerabilities in different strains of ransomware, and are able to help victims get their files back without having to pay the hackers.</p> <blockquote> <p><em>&ldquo;He was doing all of that for free, at what appeared to be this great personal expense. He sought no fame, no glory, no compensation whatsoever.&quot;</em></p> </blockquote> <p>I thought it would be a good idea to visit Michael in person at his home in rural Illinois. 
We started talking about ransomware and as he got more comfortable he started sharing more about his personal life. I learned that he had just overcome cancer, was only 28 years old, and was struggling to make ends meet.</p> <p>What was so striking was that all of this was happening in the background while he was saving dozens and dozens of people every day from having to pay hackers the ransom. He was doing all of that for free, at what appeared to be this great personal expense. He sought no fame, no glory, no compensation whatsoever.</p> <p>Now, he&rsquo;s the best in the world at what he does, but he&rsquo;s just this guy doing this on his own with the help of this global team.</p> <p><strong>Dan Golden:</strong> One of the requirements for joining the hunting team is you’re not allowed to charge for the code-breaking services you provide. This team has saved millions of people and institutions from paying billions of dollars in ransom. But one of the binding parts of their contract with each other is that they don&rsquo;t charge anybody.</p> <p><strong>MF: Can you tell me about the process of taking this story, and shaping it into a book?</strong></p> <p><strong>DG:</strong> We were lucky because we had two compelling stories. One is the story of Michael and the members of the ransomware hunting team. These ordinary, selfless people do extraordinary things at great cost to their personal lives. But the other is the larger story, which is the rise of ransomware.</p> <p>While we were researching the book the threat of ransomware got worse and worse. 
The targets got bigger, the amounts of money demanded went from a few hundred dollars for individuals to millions of dollars for businesses, hospitals, universities, and even government agencies.</p> <blockquote> <p><em>&ldquo;Ransomware hacks evolved from ransom demands to stealing information and threatening to leak it if they weren&rsquo;t paid.</em>&rdquo;</p> </blockquote> <p>Ransomware hacks evolved from ransom demands to stealing information and threatening to leak it if they weren&rsquo;t paid. It evolved from an intriguing form of cybercrime to a worldwide threat and crisis – the kind of arc that you can use to shape a book.</p> <p><strong>MF: Can you talk about some of the moral challenges and ransomware scenarios that the team has faced?</strong></p> <p><strong>DG:</strong> In a way, the greatest moral challenge is faced by the victims of ransomware. They have to decide whether to pay or not. If you pay, your files are restored. But you&rsquo;re rewarding criminals and incentivizing more ransomware.</p> <p>One chapter of the book looks at the city of Baltimore, <a href="https://www.vox.com/recode/2019/5/21/18634505/baltimore-ransom-robbinhood-mayor-jack-young-hackers">which was hit by a ransomware attack</a>. It shut down a lot of the city&rsquo;s services, and made it hard to buy and sell homes and other important activities. There was a demand for $80,000 and the mayor quite courageously refused to pay. But it took months for the city to recover and officials ended up spending $18 million on recovery costs. The mayor lost his reelection bid, only getting 6% of the vote.</p> <blockquote> <p><em>&ldquo;The FBI always says don&rsquo;t pay the ransom. But sometimes there aren’t a lot of alternatives.&quot;</em></p> </blockquote> <p>It&rsquo;s a tough choice. The FBI always says don&rsquo;t pay the ransom. 
But sometimes there aren’t a lot of alternatives.</p> <p>If you attack a hospital and shut down its records, files, and diagnostic equipment, staff can&rsquo;t treat patients. And sometimes it&rsquo;s a matter of life and death. Or a business might have to shut down if it doesn&rsquo;t pay the ransom. So that&rsquo;s the great moral quandary that the hunting team potentially offers a solution to. But only in some cases because the ransomware hunting team can&rsquo;t crack every code – there has to be a mistake for them to crack it.</p> <p><strong>MF: Can you talk a little bit about some of the tools and tactics the team uses?</strong></p> <p><strong>RD:</strong> The hunting team looks for vulnerabilities in the ransomware. One of the vulnerabilities is that cryptography relies on random numbers. Hackers use what&rsquo;s called a random number generator but sometimes it&rsquo;s not truly random. It will start repeating numbers after a certain point, and the hunters can exploit that and use that to find the key.</p> <p><strong>DG:</strong> With the random numbers, sometimes you could do what&rsquo;s called brute-forcing the system, where you can make so many efforts to crack the code that eventually you find the pattern and come up with the key. They have a whole variety of tools, and it just depends on the type of ransomware.</p> <p><strong>RD:</strong> Other times, they find vulnerabilities in the hacker&rsquo;s infrastructure. They might find a weakness in the server they&rsquo;re using. Michael has actually hacked into the hacker&rsquo;s own servers to retrieve keys, which he then used to develop tools to help victims get back into their systems.</p> <p><strong>DG:</strong> The ransomware group might also use the same key too many times. So a victim could pay and get the key, and then they can use that key to help other people who haven&rsquo;t paid.</p> <p><strong>MF: You spoke to a number of people on the ransomware hunting team. 
Did they have common motivations for joining?</strong></p> <p><strong>RD:</strong> A number of them, including Michael, Fabian, and Carsten Hahn, come from backgrounds of poverty or abuse. A lot of them are self-taught. Many of them didn&rsquo;t attend college and some of them even dropped out of high school. They&rsquo;ve taught themselves skills by taking books out of the library, watching YouTube videos, or even learning from each other.</p> <blockquote> <p><em>&ldquo;This is their way of fighting back against the bullies in the world.&quot;</em></p> </blockquote> <p>They know that they&rsquo;re some of the only people in the world that have those skills, and they feel the expectation of using them for the greater good. When it comes to their backgrounds, they have an underdog mentality.</p> <p>This is their way of fighting back against the bullies in the world.</p> <p><strong>MF: In the book you call out that this team is helping people where the government, FBI, and law enforcement either can&rsquo;t or won&rsquo;t. Why is that?</strong></p> <p><strong>RD:</strong> The FBI tells people not to pay because the more you reward hackers, the more they&rsquo;re going to do it. But the FBI provides no practical alternative. The team gives people an out that doesn&rsquo;t involve paying, and doesn&rsquo;t involve giving up your files.</p> <p>But this is changing in the “post-Colonial attack” era. The <a href="https://www.bloomberg.com/news/articles/2021-06-04/hackers-breached-colonial-pipeline-using-compromised-password">ransomware attack on the Colonial Pipeline in 2021</a> shut down gas stations across the Southeast. It was a flash point for ransomware because after that, the US government started taking it seriously.</p> <p>Before that, the FBI, the Department of Homeland Security, and others across the federal government treated ransomware as an ankle-biter crime. 
They thought that the demands were too low, and not enough people were being affected by it.</p> <blockquote> <p><em>&ldquo;Now that ransomware is seen as a global threat, the bureau is cooperating more and more with members of the hunting team and other private researchers.&quot;</em></p> </blockquote> <p>This was the mentality even as ransomware was gaining traction and becoming a serious global threat. We talked to FBI agents who were frustrated that this wasn&rsquo;t getting taken more seriously. The cyber division just couldn&rsquo;t get traction on the issues they thought were important, like ransomware. There weren&rsquo;t enough people with advanced technical skills to take on the challenges that were coming in. So the hunting team really filled this void.</p> <p>Now that ransomware is seen as a global threat, the bureau is cooperating more and more with members of the hunting team and other private researchers. The hunting team has been coming up with these free decryptors for certain strains. And now, finally, the FBI is telling victims when those tools are available.</p> <p><strong>MF: How have your views changed while writing this book, and knowing that there is a group of people out there who are fighting the good fight?</strong></p> <p><strong>RD:</strong> I&rsquo;m so impressed by the members of this team. They&rsquo;re all just ordinary people. They have regular jobs, they work in IT and cybersecurity. Some of them have families. They&rsquo;re just living their lives, but doing these completely extraordinary things on the side. Many of their own families don&rsquo;t know the extent of how much they&rsquo;ve helped humanity.</p> <blockquote> <p><em>&ldquo;They’ve helped millions of victims save billions of dollars.&quot;</em></p> </blockquote> <p>They’ve helped millions of victims save billions of dollars. It&rsquo;s really unbelievable how much they&rsquo;ve been able to accomplish since they banded together in 2016. 
Ransomware itself is horrible and the problem keeps getting worse. It&rsquo;s reassuring to know there are these unlikely heroes doing amazing work out there.</p> <p><strong>DG:</strong> It&rsquo;s uplifting but it&rsquo;s also reinforced how scary the cybercrime threat can be. The ransomware groups are increasingly pairing up with foreign governments like the Putin regime, and acting under state sponsorship. I have a number of friends who&rsquo;ve read our book and said: &ldquo;We&rsquo;re so impressed by the hunting team, but also we&rsquo;re scared to death by ransomware.” I think a lot of people will have that dual reaction.</p> <p><em>Editor’s note: This interview has been lightly edited for clarity and brevity.</em></p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Subscribe to the Random but Memorable podcast</h3> <p class="c-call-to-action-box__text"> Be prepared for Random but Memorable moments, as well as the latest security news, tips and tricks and expert interviews. 
</p> <a href="https://randombutmemorable.simplecast.com/" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Subscribe now </a> </div> </section></description></item><item><title>Now in beta: Securely automate infrastructure secrets with 1Password Service Accounts</title><link>https://blog.1password.com/1password-service-accounts-beta/</link><pubDate>Wed, 29 Mar 2023 00:00:00 +0000</pubDate><author>info@1password.com (Michael Carey)</author><guid>https://blog.1password.com/1password-service-accounts-beta/</guid><description> <img src='https://blog.1password.com/posts/2023/1password-service-accounts-beta/header.png' class='webfeedsFeaturedVisual' alt='Now in beta: Securely automate infrastructure secrets with 1Password Service Accounts' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Devs, have you ever wished you could quickly and securely automate infrastructure secrets in your apps and development workflows without spinning up additional infrastructure?</p> <p><a href="https://developer.1password.com/docs/service-accounts/">1Password Service Accounts</a> do exactly that - and today we&rsquo;re making a public beta available to all 1Password Business customers.</p> <p>Service Accounts are a special type of account that isn’t tied to an individual user. They can be customized to only allow access to specific vaults, and to perform certain actions on those vaults. That adds an additional layer of security and access control for organizations when accessing 1Password programmatically using the CLI. It works by configuring the CLI to use a Service Account access token for authentication, rather than requiring a specific user to authenticate manually.</p> <p>Service Accounts provide a convenient way to automate tasks and streamline development and deployment workflows. 
You can use them to load secrets into GitHub Actions, or to share and manage infrastructure secrets. And once Service Accounts are implemented in your infrastructure, and plain-text credentials are replaced by <a href="https://developer.1password.com/docs/cli/secret-references/">secrets references</a> in environment variables, you can then <a href="https://blog.1password.com/delete-your-example-env-file/">safely check .env files into git</a>.</p> <p>Now let’s see Service Accounts in action. In the following demo, we’re using a Service Account with GitHub Actions to easily and securely push a container image to Docker Hub.</p> <div style="text-align: center !important;"> <iframe src="https://www.youtube-nocookie.com/embed/kVBl5iQYgSA" frameborder="0" allow="autoplay; encrypted-media" width="500px !important;" height="281px !important;" style="width: 500px !important; height: 281px !important; display: inline-block !important" allowfullscreen></iframe> </div> <p>Service Accounts offer an easy and secure way to quickly rotate credentials and other secrets after a possible breach, or when an employee who had access to the secrets leaves the company.</p> <p>Rotating infrastructure secrets is often a time-consuming and error-prone task when done manually. Service Accounts not only help teams comply with security policies and ensure that outdated or compromised credentials are not at risk, they also improve their workflows by saving time and reducing the potential for errors.</p> <p>We can&rsquo;t wait for you to start exploring Service Accounts during the beta period, and we&rsquo;re already hearing some great feedback and suggestions for improvements. Every time we release new developer features, we hear about new and interesting ways you put them to use. 
We hope Service Accounts are no different.</p> <p>Get started by <a href="https://developer.1password.com/docs/service-accounts/">exploring the documentation</a>, and don&rsquo;t forget to join the <a href="https://join.slack.com/t/1password-devs/shared_invite/zt-1halo11ps-6o9pEv96xZ3LtX_VE0fJQA">Developer Slack Community</a> to share your thoughts and experiences. Let&rsquo;s make service accounts even more useful for devs and security teams everywhere.</p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Get started with 1Password Service Accounts</h3> <p class="c-call-to-action-box__text"> Ready to automate tasks and streamline your development and deployment workflows? Learn how to create a 1Password Service Account by reading our documentation! </p> <a href="https://developer.1password.com/docs/service-accounts/" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Read the documentation </a> </div> </section></description></item><item><title>Bringing my GitHub workflow into Neovim using 1Password CLI</title><link>https://blog.1password.com/1password-neovim/</link><pubDate>Thu, 23 Mar 2023 00:00:00 +0000</pubDate><author>info@1password.com (Mat Jones)</author><guid>https://blog.1password.com/1password-neovim/</guid><description> <img src='https://blog.1password.com/posts/2023/1password-neovim/header.png' class='webfeedsFeaturedVisual' alt='Bringing my GitHub workflow into Neovim using 1Password CLI' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">1Password CLI brings seamless biometric authentication to your favorite terminal-based editor, <a href="https://neovim.io/">Neovim</a>.</p> <p>As a full-time Neovim user, the more things I can do without leaving my terminal, the more efficient my development workflow can 
be. However, command line tools that require authentication can present a potentially big problem: They all have their own ways of storing credentials, often using plaintext files stored on disk. We can mitigate this and keep everything safe and secure in 1Password using <a href="https://developer.1password.com/docs/cli/">1Password CLI</a>!</p> <h2 id="what-is-neovim">What is Neovim?</h2> <p><a href="https://neovim.io/">Neovim</a> is a flexible text editor that runs in a terminal. It is a modal editor, which means there are several &ldquo;modes&rdquo; that are optimized for different types of interactions with the interface. For example, there’s Insert mode for typing text, Visual mode for selecting text, Normal mode for navigating around and manipulating text, and Command mode for running commands.</p> <p>While very basic with the default configuration, it can also be highly customized and endowed with all the same magic as a full-fledged IDE, while still maintaining the speed and efficiency that comes with learning to use a modal editor effectively.</p> <h2 id="getting-started-with-neovim">Getting started with Neovim</h2> <p>If you&rsquo;re starting a Neovim configuration from scratch, I highly recommend using Lua (as opposed to <a href="https://learnxinyminutes.com/docs/vimscript/">Vimscript</a>). If you&rsquo;re already familiar with Neovim, feel free to <a href="#github-meet-neovim">skip ahead</a>. To learn the basics of using Neovim, open Neovim by running the <code>nvim</code> command, then type <code>:Tutor&lt;Enter&gt;</code> to run the tutorial.</p> <p>To kickstart your Neovim configuration, we&rsquo;ll start with <a href="https://github.com/nvim-lua/kickstart.nvim">kickstart.nvim</a>, an open-source configuration file that you can use to build your own configurations and personalizations. <code>kickstart.nvim</code> does several things for us. 
It sets some of the most common options to more sensible defaults, and installs <a href="https://github.com/wbthomason/packer.nvim">packer.nvim</a>, a popular plugin manager for Neovim.</p> <p>It also installs some popular plugins via <code>packer.nvim</code>, including:</p> <ul> <li>Plugins to set up Neovim&rsquo;s built-in <a href="https://neovim.io/doc/user/lsp.html">LSP client</a>, which enables rich language features such as &ldquo;go to definition&rdquo;, &ldquo;go to implementation&rdquo;, &ldquo;find references&rdquo;, autocompletion, and other IDE-like features.</li> <li>Plugins that provide rich <code>git</code> integration.</li> <li><a href="https://github.com/nvim-telescope/telescope.nvim">telescope.nvim</a>, a powerful and extensible fuzzy-finder plugin.</li> <li>Some UI plugins to make everything look cohesive and pretty.</li> </ul> <p>To use this as your starting configuration, simply download <a href="https://github.com/nvim-lua/kickstart.nvim/blob/master/init.lua">the init.lua file</a> and place it at <code>~/.config/nvim/init.lua</code>. Then, from a terminal, run <code>nvim</code> and wait for plugins to install before restarting Neovim by typing <code>:q&lt;Enter&gt;</code> to exit, then <code>nvim</code> to open it again.</p> <h2 id="github-meet-neovim">GitHub, meet Neovim</h2> <p>Recently I found a Neovim plugin called <a href="https://github.com/pwntester/octo.nvim">octo.nvim</a> that provides a nice interface for searching issues, applying labels, and even adding comments and Pull Request reviews, all without ever leaving Neovim. This plugin uses the <a href="https://cli.github.com/">GitHub CLI</a> to interact with GitHub via the GraphQL API.</p> <p>Unfortunately, it only seemed to support authentication using the GitHub CLI&rsquo;s built-in credential manager (the <code>gh auth login</code> command). 
However, I already had a GitHub token in 1Password and I didn&rsquo;t want to export that to another place I&rsquo;d have to remember if I ever needed to reset my token. I set off on a mission to make <code>octo.nvim</code> and the GitHub CLI integrate with 1Password CLI to retrieve my token directly from 1Password.</p> <h2 id="the-beauty-of-open-source">The beauty of open source</h2> <p>To make that possible, I needed to make a small change to <code>octo.nvim</code> that would allow the plugin to dynamically request the token only when needed. I made <a href="https://github.com/pwntester/octo.nvim/pull/346">a small Pull Request</a> which added a configuration option called <code>gh_env</code> (short for &ldquo;GitHub environment&rdquo;) which would allow the user to pass a set of environment variables, or a function that returns a set of environment variables, that would be used when running GitHub CLI commands.</p> <p>This Pull Request was merged quickly, which then allowed me to easily integrate <code>octo.nvim</code> with 1Password CLI using my own plugin, <a href="https://github.com/mrjones2014/op.nvim">op.nvim</a>, a 1Password plugin for Neovim. The <code>op.nvim</code> plugin provides some first-class editor features for 1Password, like a <a href="https://github.com/mrjones2014/op.nvim#secure-notes-editor">secure notes editor</a> and a sidebar for favorited items and secure notes.</p> <p>But what&rsquo;s particularly interesting in this case is the <a href="https://github.com/mrjones2014/op.nvim#api">native Lua API bindings to 1Password CLI</a>. This means you can run 1Password CLI commands in a way that just feels like writing Lua code. 
For example, <code>require('op.api').item.get({ 'GitHub', '--format', 'json' })</code> will retrieve an item from 1Password called &ldquo;GitHub&rdquo; in JSON format.</p> <h2 id="lets-get-started">Let&rsquo;s get started</h2> <p>If you haven&rsquo;t already, install <a href="https://developer.1password.com/docs/cli/">1Password CLI</a> and the <a href="https://cli.github.com/">GitHub CLI</a>. You may also want to check out the <a href="https://developer.1password.com/docs/cli/shell-plugins/github/">1Password Shell Plugin for the GitHub CLI</a>!</p> <p>Before we can interact with GitHub via the GitHub CLI in Neovim, we first have to create an access token to use for GitHub authentication. Open the <a href="https://github.com/settings/tokens">GitHub developer settings page</a> and create a new &ldquo;classic&rdquo; token. In the &ldquo;Note&rdquo; field, write &ldquo;Neovim&rdquo; (or anything that will remind you what it is used for) and grant it the <code>repo</code>, <code>read:org</code>, and <code>write:org</code> permission scopes.</p> <img src='https://blog.1password.com/posts/2023/1password-neovim/GitHub_personal_access_token.png' alt='Permission settings while creating a new GitHub access token' title='Permission settings while creating a new GitHub access token' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>Then generate the token and save it to your GitHub login item in 1Password, under a field called &ldquo;token&rdquo;.</p> <img src='https://blog.1password.com/posts/2023/1password-neovim/1Password-GitHub_saved_item.png' alt='Example 1Password item storing a GitHub access token' title='Example 1Password item storing a GitHub access token' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <h2 id="making-the-magic-happen-">Making the magic happen 🪄</h2> <p>To install the required Neovim plugins, open the <code>~/.config/nvim/init.lua</code> file you created earlier. 
Near the top, where you see the other <code>use</code> statements, add the following snippet of Lua code, which will install <code>octo.nvim</code> and <code>op.nvim</code>:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-lua" data-lang="lua"><span class="n">use</span><span class="p">({</span> <span class="s1">&#39;pwntester/octo.nvim&#39;</span><span class="p">,</span> <span class="n">requires</span> <span class="o">=</span> <span class="p">{</span> <span class="c1">-- 1Password plugin for Neovim</span> <span class="s1">&#39;mrjones2014/op.nvim&#39;</span><span class="p">,</span> <span class="c1">-- another plugin to make the UI a bit nicer</span> <span class="s1">&#39;stevearc/dressing.nvim&#39;</span><span class="p">,</span> <span class="p">},</span> <span class="p">})</span> </code></pre></div><p>Next, jump to near the bottom of the file, add a new section for the configuration of the <code>octo.nvim</code> plugin, and add the following code:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-lua" data-lang="lua"><span class="n">require</span><span class="p">(</span><span class="s1">&#39;octo&#39;</span><span class="p">).</span><span class="n">setup</span><span class="p">({</span> <span class="n">gh_env</span> <span class="o">=</span> <span class="kr">function</span><span class="p">()</span> <span class="c1">-- the &#39;op.api&#39; module provides the same interface as the CLI</span> <span class="c1">-- each subcommand accepts a list of arguments</span> <span class="c1">-- and returns a list of output lines.</span> <span class="c1">-- use it to retrieve the GitHub access token from 1Password</span> <span class="kd">local</span> <span class="n">github_token</span> <span class="o">=</span> <span class="n">require</span><span class="p">(</span><span class="s1">&#39;op.api&#39;</span><span class="p">).</span><span class="n">item.get</span><span class="p">({</span> <span 
class="s1">&#39;GitHub&#39;</span><span class="p">,</span> <span class="s1">&#39;--fields&#39;</span><span class="p">,</span> <span class="s1">&#39;token&#39;</span> <span class="p">})[</span><span class="mi">1</span><span class="p">]</span> <span class="kr">if</span> <span class="ow">not</span> <span class="n">github_token</span> <span class="ow">or</span> <span class="ow">not</span> <span class="n">vim.startswith</span><span class="p">(</span><span class="n">github_token</span><span class="p">,</span> <span class="s1">&#39;ghp_&#39;</span><span class="p">)</span> <span class="kr">then</span> <span class="n">error</span><span class="p">(</span><span class="s1">&#39;Failed to get GitHub token.&#39;</span><span class="p">)</span> <span class="kr">end</span> <span class="c1">-- the values in this table will be provided to the</span> <span class="c1">-- GitHub CLI as environment variables when invoked,</span> <span class="c1">-- with the table keys (e.g. GITHUB_TOKEN) being the</span> <span class="c1">-- environment variable name, and the values (e.g. github_token)</span> <span class="c1">-- being the variable value</span> <span class="kr">return</span> <span class="p">{</span> <span class="n">GITHUB_TOKEN</span> <span class="o">=</span> <span class="n">github_token</span> <span class="p">}</span> <span class="kr">end</span><span class="p">,</span> <span class="p">})</span> </code></pre></div><p>Then, close and reopen Neovim, and run the <code>:PackerSync&lt;Enter&gt;</code> command to install the new plugins and apply configuration changes.</p> <p>With this configuration, the <code>octo.nvim</code> plugin will automatically request authorization via 1Password CLI, and if enabled, even use biometric authentication via 1Password! To try it out, open Neovim from a GitHub repository directory and run <code>:Octo issue list</code> to list issues in the GitHub repository.</p> <p>Enjoy using in Neovim! 
If you run into any snags or just want to share your experience, join us in the <a href="https://join.slack.com/t/1password-devs/shared_invite/zt-1halo11ps-6o9pEv96xZ3LtX_VE0fJQA">1Password Developer Slack</a>.</p></description></item><item><title>Protect 1Password accounts by enforcing security key 2FA at work</title><link>https://blog.1password.com/enforce-hardware-security-key-2fa/</link><pubDate>Tue, 21 Mar 2023 00:00:00 +0000</pubDate><author>info@1password.com (Jasper Patterson)</author><guid>https://blog.1password.com/enforce-hardware-security-key-2fa/</guid><description> <img src='https://blog.1password.com/posts/2023/enforce-hardware-security-key-2fa/header.png' class='webfeedsFeaturedVisual' alt='Protect 1Password accounts by enforcing security key 2FA at work' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Here at 1Password, we&rsquo;re big fans of <a href="https://support.1password.com/two-factor-authentication/">two-factor authentication (2FA)</a>. It adds an extra layer of protection to your online accounts, making it much harder for attackers to break into them.</p> <p>One of the strongest forms of 2FA is a FIDO2/WebAuthn <a href="https://blog.1password.com/hardware-security-keys-explained/">hardware security key</a>, like a <a href="https://www.yubico.com/why-yubico/">YubiKey</a>. That&rsquo;s a small USB dongle that you plug in to your device, or tap via NFC, to authenticate who you are.</p> <p>We <a href="https://blog.1password.com/better-more-useful-1password/">recently introduced</a> the option for 1Password Business admins to enforce this type of 2FA inside their organizations. 
Once enabled, all team members will be required to use a physical security key when they first sign in on a new device at work.</p> <img src='https://blog.1password.com/posts/2023/enforce-hardware-security-key-2fa/securitykey1.png' alt='A screenshot of the Two-Factor Authentication settings page that&#39;s available to 1Password Business admins.' title='A screenshot of the Two-Factor Authentication settings page that&#39;s available to 1Password Business admins.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p><strong>1Password is the only major password manager that gives you the choice to enforce FIDO2/WebAuthn hardware security keys in this way.</strong></p> <p>We understand that the strength of your security matters. That’s why we’re giving you the choice to level up your digital defenses by ensuring your team is using the strongest possible form of 2FA with 1Password.</p> <blockquote> <p>“YubiKeys provide an extra layer of protection for your 1Password account,” said Derek Hanson, vice president, solutions architecture and alliances, <a href="https://www.yubico.com/">Yubico</a>. 
“With phishing-resistant YubiKeys, our customers receive the highest level of hardware-based security and a great user experience for those who want to use the same security key across services, browsers and applications.”</p> </blockquote> <h2 id="the-advantages-of-hardware-security-keys">The advantages of hardware security keys</h2> <p>2FA is designed to prove that you or someone you trust – and not a criminal – is trying to access or sign in to something.</p> <p>There are many different ways to use 2FA, most of which revolve around special one-time codes:</p> <ul> <li>SMS</li> <li>Automated phone calls</li> <li>Email</li> <li>Dedicated 2FA apps like Authy</li> </ul> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div class="c-technical-aside-box__description"> <p>You can also <a href="https://support.1password.com/one-time-passwords/">use 1Password as an authenticator</a> for sites and apps that support 2FA.</p> </div> </aside> <p>Security keys are a particularly strong form of 2FA for two reasons. First, they&rsquo;re resistant to <a href="https://blog.1password.com/what-is-phishing-and-how-can-you-protect-your-business/">phishing</a>. An attacker could send a fake but seemingly legitimate email asking you or another team member for a TOTP, or a 2FA backup code. A FIDO2/WebAuthn security key, meanwhile, only works with the owner&rsquo;s chosen (and legitimate) websites and apps.</p> <p>Second, hardware security keys are a <strong>possession factor</strong>, which means that authentication is tied to a physical object. It&rsquo;s highly unlikely a criminal will target you (or one of your co-workers) specifically, and then travel to your location and try to steal your key. 
The process is simply too expensive and time consuming.</p> <p>Instead, criminals are more likely to try other tactics, like phishing, that can target <em>many</em> people at once and be initiated remotely.</p> <p>Security keys are also a small step toward a <a href="https://blog.1password.com/categories/passwordless/">passwordless</a> future. They eliminate one-time codes, which is one less piece of information that you and your co-workers have to copy or type out.</p> <h2 id="hardware-security-keys--1password">Hardware security keys &amp; 1Password</h2> <p>1Password supports all FIDO2/WebAuthn security keys, including those made by Yubico.</p> <p>Enforcing security keys eliminates TOTPs from the process of signing in to 1Password, while strengthening your overall security by combating phishing attacks, which are increasing in frequency and sophistication.</p> <p>Once enabled, this requirement will cover all the 1Password apps that your team uses for work, including 1Password 8 for Mac, Windows, and Linux.</p> <img src='https://blog.1password.com/posts/2023/enforce-hardware-security-key-2fa/securitykey2.png' alt='A screenshot of the webpage team members will see asking them to set up a hardware security key.' title='A screenshot of the webpage team members will see asking them to set up a hardware security key.' 
style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div class="c-technical-aside-box__description"> <p>1Password Business admins can use Advanced Protection <a href="https://support.1password.com/sign-in-attempts-report/">to monitor sign-in attempts</a> that failed due to a missing or incorrect second factor.</p> </div> </aside> <h2 id="how-to-get-started">How to get started</h2> <p>To enforce hardware security keys at your organization:</p> <ul> <li>Sign in to your account <a href="https://start.1password.com/signin">on 1Password.com</a>.</li> <li>Select &lsquo;Security&rsquo; in the sidebar, followed by &lsquo;Two-factor authentication&rsquo;.</li> <li>Select the &lsquo;Security Key&rsquo; toggle, while leaving the &lsquo;Authenticator App&rsquo; and &lsquo;Duo&rsquo; options turned off.</li> <li>Ensure the &lsquo;Enforce two-factor authentication&rsquo; option is turned on.</li> </ul> <p>Your co-workers will then need to add their security keys the next time they sign in or unlock 1Password.</p> <h2 id="secure-your-secrets">Secure your secrets</h2> <p>Strengthen your security by enforcing FIDO2/WebAuthn keys in your organization. It will safeguard your team&rsquo;s data and give you peace of mind, allowing you to focus on other tasks at work. You’ll also be helping your co-workers develop good security habits inside and outside the office – a crucial step toward <a href="https://1password.com/resources/creating-a-culture-of-security/">building a strong culture of security</a>.</p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Secure your team by enforcing FIDO2/WebAuthn security keys</h3> <p class="c-call-to-action-box__text"> Ready to get started? 
Read our support page for step-by-step instructions on how to enforce FIDO2/WebAuthn security keys when signing in to 1Password. </p> <a href="https://support.1password.com/manage-two-factor-authentication/#enforce-two-factor-authentication" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Read our support page </a> </div> </section></description></item><item><title>7 common misunderstandings about passkeys</title><link>https://blog.1password.com/passkeys-common-misunderstandings/</link><pubDate>Thu, 16 Mar 2023 00:00:00 +0000</pubDate><author>info@1password.com (Nick Summers)</author><guid>https://blog.1password.com/passkeys-common-misunderstandings/</guid><description> <img src='https://blog.1password.com/posts/2023/passkeys-common-misunderstandings/header.png' class='webfeedsFeaturedVisual' alt='7 common misunderstandings about passkeys' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Almost everyone understands what passwords are, and how they work. But <a href="https://blog.1password.com/what-are-passkeys/">passkeys</a>? That&rsquo;s a different story.</p> <p>Here at 1Password, we&rsquo;re excited about passkeys, which let you create online accounts and securely sign in to them without entering a password.</p> <p>But we know it&rsquo;s early days, and the technology hasn’t gone mainstream (yet!)</p> <p>Many people don&rsquo;t know what a passkey is, or have heard an explanation that isn&rsquo;t <em>quite</em> right. Here, we&rsquo;re going to address some of the most common misconceptions so you can better understand how passkeys work, and use them with total confidence.</p> <h2 id="misunderstanding-behind-every-passkey-is-a-password">Misunderstanding: Behind every passkey is a password</h2> <p>Many of us use biometric authentication to unlock our devices and access our favorite online accounts. 
But in these scenarios, your biometrics don’t <em>eliminate</em> your password.</p> <p>Passkeys, meanwhile, act as a <em>replacement</em> for traditional passwords.</p> <p>Here’s a quick summary of how passkeys work:</p> <p>Passkeys leverage an API called <a href="https://blog.1password.com/what-is-webauthn/">WebAuthn</a>. Instead of a traditional password, WebAuthn uses public and private keys – otherwise known as <a href="https://blog.1password.com/what-is-public-key-cryptography/">public-key cryptography</a> – to check that you are who you say you are. The advantage of this approach is that you never have to share your private key (hence the name), and the public key is useless to an attacker on its own.</p> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div class="c-technical-aside-box__description"> <p><a href="https://blog.1password.com/what-are-passkeys/">Learn more about how passkeys work!</a></p> </div> </aside> <p>If there was a password behind every passkey, it would still be possible to &ldquo;phish&rdquo; the account owner. Passkeys are resistant to phishing because there&rsquo;s no plaintext password or &lsquo;secret&rsquo; that the user can be tricked into sharing, or that an attacker can try to intercept. This makes passkeys a more secure option than a traditional password.</p> <div style="text-align: center !important;"> <iframe src="https://www.youtube-nocookie.com/embed/DELDP_wbuE4?si=VQ4KiFVKIJwHFGBY" frameborder="0" allow="autoplay; encrypted-media" width="500px !important;" height="281px !important;" style="width: 500px !important; height: 281px !important; display: inline-block !important" allowfullscreen></iframe> </div> <p>At first, websites and apps will likely offer passkeys <strong>alongside</strong> traditional password authentication. 
That way you&rsquo;ll have a choice, and can use both methods in tandem if you wish.</p> <h2 id="misunderstanding-you-need-bluetooth-to-log-in-to-an-account-with-a-passkey">Misunderstanding: You need Bluetooth to log in to an account with a passkey</h2> <p>Some articles have implied that a Bluetooth connection is required to successfully authenticate and sign in to accounts using passkeys.</p> <p>That&rsquo;s simply not true.</p> <p>When you create a passkey, the website will ask you to confirm your authenticator. This could be your phone, tablet, PC … or, in the not so distant future, <a href="https://www.future.1password.com/passkeys/">1Password</a>. The next time you want to sign in, your device will ask you to authenticate using your face or fingerprint as a security measure, but that’s it.</p> <p>Bluetooth only plays a role if you create a passkey using one of the solutions offered by Apple, Microsoft, or Google, and then need to access that same passkey <strong>from a device that sits in a different company’s ecosystem.</strong></p> <p>For example, let&rsquo;s say you create an online account with a passkey using Google’s password manager on your Android phone. And then you want to access that same account on your Windows PC. In this scenario, you’ll normally be prompted to authenticate using your Android phone.</p> <p>Bluetooth is required to check that your Windows PC and Android phone are physically close to each other. (This is to prevent phishing.) But passkeys don&rsquo;t rely on Bluetooth&rsquo;s security properties to secure the actual sign-in process.</p> <p>That’s why if you’re using the same device, or a solution that syncs your passkeys between devices, you don’t need a bluetooth connection.</p> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div class="c-technical-aside-box__description"> <p>Remember: passkey support is coming to 1Password! 
This will let you sync your passkeys across all of your devices – no Bluetooth required!</p> </div> </aside> <h2 id="misunderstanding-you-only-need-a-single-passkey-to-access-all-your-online-accounts">Misunderstanding: You only need a single passkey to access all your online accounts</h2> <p>A single passkey isn&rsquo;t a master key that can unlock <em>all</em> of your online accounts. You’ll still need to create a passkey for each online account.</p> <p>That might sound a little tedious, but in practice passkeys are incredibly convenient to create, store, and use. That&rsquo;s because:</p> <ul> <li> <p><strong>You don&rsquo;t have to create anything manually.</strong> Your authenticator will generate a passkey – which contains a public and private key pair – on your behalf.</p> </li> <li> <p><strong>Every passkey is strong by default.</strong> So you don&rsquo;t have to worry about whether your private key is long or random enough.</p> </li> <li> <p><strong>You don’t have to remember or type out your passkeys.</strong> Your private key is stored on your device, and retrieved automatically when you want to sign in to your account. A copy of your public key is stored with the account provider so you never have to type it out. Instead, your passkey is processed seamlessly in the background when you select ‘Sign in’.</p> </li> </ul> <h2 id="misunderstanding-if-someone-steals-your-phone-they-can-instantly-access-your-passkeys">Misunderstanding: If someone steals your phone, they can instantly access your passkeys</h2> <p>Your phone is a safe place to store your passkeys. For starters, most hackers won’t travel to wherever you are because pickpocketing is neither cheap nor time effective. Instead, attackers will likely try other tactics that don’t require them to leave their computer.</p> <p>If someone <em>did</em> manage to steal your phone, it would still be difficult for them to find and exploit your passkeys. 
That&rsquo;s because they would need to unlock your device first. If you&rsquo;ve secured your phone with biometrics, or an alternative method that&rsquo;s difficult to guess – like a strong and unique password – an attacker will have a hard time breaking in and accessing your passkeys.</p> <blockquote> <p><strong>Your passkeys are well protected, even if a hacker managed to steal your phone.</strong></p> </blockquote> <p>Your confidential passkey data (e.g. the private half of every key pair) is also stored in a <a href="https://trustedcomputinggroup.org/resource/trusted-platform-module-tpm-summary/">Trusted Platform Module (TPM)</a> that is virtually impenetrable.</p> <p>The bottom line is that you can rest easy knowing that your passkeys are well protected, even if a hacker managed to steal your phone.</p> <h2 id="misunderstanding-you-cant-sign-in-to-your-accounts-if-you-dont-have-the-device-that-contains-your-passkeys">Misunderstanding: You can&rsquo;t sign in to your accounts if you don&rsquo;t have the device that contains your passkeys</h2> <p>What happens if you arrive at work and realize you&rsquo;ve forgotten the phone that has all your passkeys? Will you be locked out of all your online accounts? Not necessarily.</p> <p>Google, Apple, and Microsoft will sync your passkeys across devices using their respective cloud-based storage services. So if you create a passkey using an iPhone, you can access the same passkey on your other Apple devices via iCloud.</p> <p>Okay, but what happens if you’ve forgotten your iPhone, but need to use a Windows PC in a public library? In this scenario, you should be given a second option to sign in. For example, a website might send you a “magic link” — a one-time link that lets you instantly sign in — to your chosen email address.</p> <p>Passkey support is also coming to 1Password! 
(<a href="https://1password.com/passwordless-news/">Sign up to our passwordless newsletter for updates!</a>) This will let you access your passkeys on all your devices, regardless of which operating system they run, and any major web browser. That way, there&rsquo;s no need to worry if you leave your phone at home one day.</p> <h2 id="misunderstanding-youll-lose-access-to-your-accounts-if-you-lose-the-device-that-contains-your-passkeys">Misunderstanding: You&rsquo;ll lose access to your accounts if you lose the device that contains your passkeys</h2> <p>It&rsquo;s natural to worry about what would happen if you broke your phone. Or what would happen if you left your laptop in a public place, like a cafe, and went back only to discover it had vanished.</p> <p>As we&rsquo;ve already covered, it&rsquo;s possible to sync your passkeys between devices. Apple, Google, and Microsoft will offer to sync your passkeys within their respective ecosystems. And, later this year, you&rsquo;ll be able to use 1Password to create, store, and seamlessly sync passkeys.</p> <blockquote> <p><strong>The simpler and less stressful option is to sync your passkeys between devices.</strong></p> </blockquote> <p>If you don&rsquo;t opt in to syncing <em>and</em> lose the device that contains your passkeys … your passkeys will be lost. But don’t worry! You’ll still have other options to access your accounts, like magic links. Once you&rsquo;ve successfully signed in, the site or app should then give you the option to create a new passkey.</p> <p>The simpler and less stressful option is to sync your passkeys between devices. 
With 1Password, you’ll soon be able to create, save, and access passkeys on any piece of hardware, alongside your passwords, credit cards, and other digital secrets.</p> <h2 id="misunderstanding-your-passkeys-are-vulnerable-if-your-biometrics-are-compromised">Misunderstanding: Your passkeys are vulnerable if your biometrics are compromised</h2> <p>Unlike a password, you can&rsquo;t change your face or fingerprint. (Not easily, anyway!) With this in mind, you might be worried about the possibility of someone stealing your biometric data, and then using that to wreak havoc with your passkeys.</p> <p>Researchers have proven that <em>some</em> Android phones can be fooled by a high-quality photo of the device&rsquo;s owner. This has led to more Android devices with depth-sensing cameras and 3D mapping technology similar to the iPhone.</p> <p>Depth mapping allows your device to turn a photo of your face into a mathematical representation that&rsquo;s only ever stored locally, and never transmitted over the internet. For example, your Apple device stores biometric data encrypted with a key made available only to the Secure Enclave — a component built specifically to safeguard and process sensitive data.</p> <blockquote> <p><strong>An attacker would need physical access to your device <em>and</em> a flawless representation of your face or fingerprint.</strong></p> </blockquote> <p>Apps that offer biometric authentication never have direct access to that data. Instead, a request is sent to the Secure Enclave. It verifies your identity by ensuring the stored mathematical representation of your face matches the one currently being presented.</p> <p>So, what does all this mean?</p> <p>A theoretical attacker needs physical access to your device <strong>and</strong> a flawless representation of your face or fingerprint. Obtaining both is incredibly difficult.</p> <p>The chances of someone breaking into the Secure Enclave are also extremely slim. 
And even if they did, they wouldn’t find a picture of your actual face.</p> <h2 id="passkeys-an-exciting-future">Passkeys: An exciting future</h2> <p>The bottom line is that passkeys are safe and convenient for the vast majority of people. That&rsquo;s why we&rsquo;re so excited about this new kind of login credential, and are working hard to make passkeys simple enough for everyone to use in their daily lives.</p> <p>Of course, 1Password will continue to protect your traditional passwords. But we look forward to helping you create, store, and sync passkeys too, so you can live an even simpler, more secure life online.</p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Subscribe to our passwordless newsletter</h3> <p class="c-call-to-action-box__text"> Read the latest passkey announcements by 1Password, as well as helpful guides, explainers, and community chatter about passwordless authentication. 
</p> <a href="https://1password.com/passwordless-news/" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Subscribe to Beyond Passwords </a> </div> </section></description></item><item><title>Gain deeper insights into business security with the enhanced 1Password Events API</title><link>https://blog.1password.com/events-api-enhancements-2023/</link><pubDate>Wed, 15 Mar 2023 00:00:00 +0000</pubDate><author>info@1password.com (Skylar Nagao)</author><guid>https://blog.1password.com/events-api-enhancements-2023/</guid><description> <img src='https://blog.1password.com/posts/2023/events-api-enhancements-2023/header.png' class='webfeedsFeaturedVisual' alt='Gain deeper insights into business security with the enhanced 1Password Events API' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">There&rsquo;s one thing IT and security professionals can never have enough of: visibility. Now, 1Password Business customers can gain even greater visibility into their security posture with the upgraded Events API.</p> <p>The enhanced <a href="https://support.1password.com/events-reporting/">Events API</a> features full event parity with the <a href="https://support.1password.com/activity-log/">1Password Activity Log</a>, both to expand your field of vision and to support your auditing efforts.</p> <h2 id="what-is-the-1password-events-api">What is the 1Password Events API?</h2> <p>You can&rsquo;t protect what you can&rsquo;t see. 
With the <a href="https://blog.1password.com/introducing-events-api/">original Events API</a>, you could stream some 1Password events to your SIEM (Security Information and Event Management) tool.</p> <p>Those 1Password events could then be incorporated into custom dashboards, alerts, visualizations, and search, for example, to give you a deeper understanding of how your team uses 1Password.</p> <p>The Events API makes it easy to correlate and enrich 1Password events data to surface security insights that may require action. Think automated alerts for threat detection, and the ability to visualize 1Password usage.</p> <p>That means you can monitor user adoption, set up alerts to be notified when a secret is shared, or aid investigations by correlating logins with suspicious events. All by streaming 1Password events to third-party SIEM tools using the 1Password Events API.</p> <h2 id="whats-new-in-the-1password-events-api">What&rsquo;s new in the 1Password Events API?</h2> <p>The original Events API included support for three event types: successful sign-in attempts, failed sign-in attempts, and item usage.</p> <p>The enhanced Events API adds support for all events captured by the 1Password Activity Log, including:</p> <ul> <li>Account changes</li> <li>Billing changes</li> <li>Changes to email addresses</li> <li>Device addition or removal</li> <li>Families account changes</li> <li>File uploads</li> <li>Group access changes</li> <li>Group vault access changes</li> <li>Integration events</li> <li>Shared items</li> <li>Team member and guest invitations</li> <li>User access changes</li> <li>Vault changes</li> <li>Vault item changes</li> <li>Views of administrative reports</li> </ul> <p>With these additions, 1Password Business customers can combine 1Password events with data from their SIEM tool to:</p> <ul> <li>Create custom reports, dashboards, alerts, and visualizations.</li> <li>Track 1Password adoption across the organization.</li> <li>Isolate certain security 
events in the service of an investigation.</li> <li>Better support auditing and compliance workflows.</li> <li>More easily monitor and report on security posture.</li> </ul> <p>Note that if you’re still using 1Password CLI 1.0 to retrieve auditing events, these <a href="https://developer.1password.com/docs/events-api/audit-events">Events API enhancements have replaced the audit command</a> in CLI 1.0.</p> <h2 id="how-to-get-started-with-the-1password-events-api">How to get started with the 1Password Events API</h2> <p>1Password Business customers can stream events directly from 1Password Events API to their SIEM tool today, either through pre-built integrations with <a href="https://splunkbase.splunk.com/app/5632">Splunk</a> (coming soon) or <a href="https://github.com/1Password/events-api-elastic">Elastic</a>, or with a <a href="https://start.1password.com/integrations/events_reporting/create?type=other">custom integration</a>.</p> <p>Want to start small? Try running a <a href="https://github.com/1Password/events-api-generic">lightweight Python script</a> to learn how to make calls to the Events API. Or <a href="https://support.1password.com/events-reporting/">dive into the documentation</a> to get started with the 1Password Events API and your chosen SIEM tool.</p> <section class="c-call-to-action-box c-call-to-action-box--yellow"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Get started with the 1Password Events API</h3> <p class="c-call-to-action-box__text"> Start sending 1Password account activity to your SIEM tool for deeper security insights. 
</p> <a href="https://developer.1password.com/docs/events-api/reference/" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--yellow" data-event-category="CTA" data-event-action="call-to-action-button"> Explore Events API documentation </a> </div> </section></description></item><item><title>We're changing how we discover and prioritize improvements</title><link>https://blog.1password.com/privacy-preserving-app-telemetry/</link><pubDate>Mon, 13 Mar 2023 00:00:00 +0000</pubDate><author>info@1password.com (Pedro Canahuati)</author><guid>https://blog.1password.com/privacy-preserving-app-telemetry/</guid><description> <img src='https://blog.1password.com/posts/2023/privacy-preserving-app-telemetry/header.png' class='webfeedsFeaturedVisual' alt='We're changing how we discover and prioritize improvements' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">For 17 years, we&rsquo;ve prided ourselves on making 1Password a delight to use. But no product is perfect, and when I hear of someone getting stuck, I get curious. How can we fix it? How can we prevent that friction for future customers?</p> <p>Today, we&rsquo;re taking a step toward being able to better understand those moments by embarking on an internal, employee-only trial of our new in-app telemetry system. 
And, of course, we&rsquo;re doing it the 1Password way – making sure it doesn&rsquo;t compromise on our commitment to protecting your privacy and your data.</p> <p>Here&rsquo;s a quick summary of what&rsquo;s happening:</p> <ul> <li> <p><strong>1Password is beginning an internal test of our new, privacy-preserving in-app telemetry system.</strong> Initially, this functionality will be active only for 1Password employee accounts using the latest beta builds of the app.</p> </li> <li> <p><strong>No customer vault data can be seen or collected.</strong> We&rsquo;re only interested in how people use the app itself, what features and screens they interact with – not what they store in their vaults, what sites they autofill on, or anything like that.</p> </li> <li> <p><strong>This data will be gathered from a randomized selection of accounts, de-identified, and processed in aggregate.</strong> This approach allows us to avoid associating telemetry data with individuals or accounts.</p> </li> <li> <p><strong>Customer accounts are not included for now.</strong> Once we’re confident it delivers on our privacy standards, we’ll announce a timeline for rolling telemetry out to customer accounts. At that point, we&rsquo;ll also provide guidance on how you can opt out if you&rsquo;d like to.</p> </li> </ul> <h2 id="what-this-is--and-what-its-not">What this is – and what it&rsquo;s not</h2> <p>These days, we know that collecting &ldquo;analytics&rdquo; and &ldquo;usage data&rdquo; is often an excuse to invade your privacy, so I want to make this very clear: that&rsquo;s <em>not</em> what&rsquo;s happening here.</p> <p>We have always <a href="https://blog.1password.com/what-we-dont-know-about-you/">bent over backwards to avoid collecting any unnecessary information about you</a> in our systems. We believe you fundamentally can&rsquo;t have security without privacy, and it&rsquo;s always been our mission to deliver both. Nothing about that is changing.</p> <p>So why add telemetry? 
Why now? We often remind our customers that they can’t protect what they can’t see. The same principle applies to understanding what product decisions to prioritize.</p> <p>Over the years, we’ve relied on our own usage in conjunction with your feedback to inform our decision making. This presents a challenge, though: we don’t know when you run into trouble unless you tell us. And sure, we have an <a href="https://blog.1password.com/ux-keeping-you-at-the-center/">extensive user research program</a>, and <a href="https://blog.1password.com/better-more-useful-1password/">listen to all of the feedback you share</a> online and in conversations with our team.</p> <p>But there are <em>millions</em> of people using 1Password now, often in cool and innovative ways! If we&rsquo;re going to keep improving 1Password, we can no longer rely on our own usage and your direct feedback alone.</p> <p>That&rsquo;s why we&rsquo;ve been working hard to find a way to collect the information we need to make better decisions, without putting your data or privacy at risk. The goal is to equip ourselves with the visibility needed to ship updates that solve real problems and <a href="https://blog.1password.com/better-more-useful-1password/">make 1Password better for everyone</a>.</p> <h2 id="heres-how-it-works">Here&rsquo;s how it works</h2> <p>As our investigation into gathering app usage data unfolded, it became obvious that none of the off-the-shelf solutions were the right fit for 1Password. We needed a system that didn’t come at the expense of our customers’ privacy.</p> <p>The approach we’ve landed on is designed to keep usage data from being attributable to individual people or accounts. It simply allows us to see where we aren’t living up to the high standards for user experiences you’ve come to expect. 
These additional signals will help us prioritize our efforts so we can deliver those great experiences faster, and more reliably.</p> <p>Here’s the gist of how it works: we’ll be able to gather only a small set of general events and interactions within our apps. Things like when you unlock the app, when you create a new item (but not its contents!), or when you use autofill (but not what sites you use it on!).</p> <p>Furthermore, this data will be de-identified through a variety of methods, starting with being collected from a randomized group of accounts. The gathered data is then processed in aggregate to provide general insights only.</p> <p>This approach prevents us or anyone else from associating telemetry data with individuals or accounts.</p> <p>And, of course, once this functionality rolls out to customers, you&rsquo;ll be able to control whether or not telemetry is active on your account.</p> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div class="c-technical-aside-box__description"> <p>Want to know more? We’ll be sharing a deep dive into how our new system works at a later date.</p> </div> </aside> <h2 id="what-happens-next">What happens next</h2> <p>We want to be 100% certain we have this right before we consider rolling it out to customers. That&rsquo;s why we&rsquo;re testing it on our own accounts here at 1Password first.</p> <p>Soon, the beta builds of our apps will include this new telemetry functionality. It only works on 1Password employees’ accounts, so there&rsquo;s nothing you need to do at this stage. We just wanted to be transparent with you as these plans take shape.</p> <p>We expect our testing and rollout to take some time, and we&rsquo;ll let you know when we&rsquo;re ready to roll things out to a wider group. 
In the meantime, if you have any questions or thoughts about this, <a href="mailto:support+telemetry@1password.com">please reach out</a> and let us know.</p> <p>As always, thank you for your continued trust and support. We don’t take it for granted, and we wouldn’t be where we are today without you.</p></description></item><item><title>Introducing Unlock with Okta for 1Password Business</title><link>https://blog.1password.com/unlock-with-okta/</link><pubDate>Wed, 08 Mar 2023 00:00:00 +0000</pubDate><author>info@1password.com (Yashpreet Kaur)</author><guid>https://blog.1password.com/unlock-with-okta/</guid><description> <img src='https://blog.1password.com/posts/2023/unlock-with-okta/header.png' class='webfeedsFeaturedVisual' alt='Introducing Unlock with Okta for 1Password Business' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction"><a href="https://blog.1password.com/unlock-with-okta-public-preview/">Unlock with Okta has been available in public preview</a> since February. Starting today, all 1Password Business customers can sign in to 1Password using Okta instead of their account password – and support for other SSO providers is coming soon.</p> <div style="text-align: center !important;"> <iframe src="https://www.youtube-nocookie.com/embed/T7hJByeg1Bk" frameborder="0" allow="autoplay; encrypted-media" width="500px !important;" height="281px !important;" style="width: 500px !important; height: 281px !important; display: inline-block !important" allowfullscreen></iframe> </div> <p>People just aren&rsquo;t built to juggle all the logins we use for work. IT departments spend <em>so. much. time.</em> on login-related issues that adopting <a href="http://1password.com/resources/total-economic-impact-of-1password-business">1Password reduces IT support tickets by 70%</a>. That can save your IT team members 291 hours <em>each</em> every year – a $286,000 efficiency gain.</p> <p>Single Sign-On (SSO) helps, too. 
SSO can <a href="https://blog.1password.com/how-sso-fits-enterprise-security-framework/">reduce your attack surface, strengthen minimum security requirements, and reduce IT support costs</a>. It&rsquo;s also a better login experience for workers, giving them a single set of credentials to log in to every service covered by your SSO provider.</p> <p>Now, you can combine 1Password and SSO to enforce stronger authentication policies, improve auditing capabilities, and give employees a simpler sign-in experience.</p> <h2 id="unlock-1password-with-okta">Unlock 1Password with Okta</h2> <img src='https://blog.1password.com/posts/2023/unlock-with-okta/unlockwithokta.png' alt='1Password for Mac lock screen with option to sign in with Okta.' title='1Password for Mac lock screen with option to sign in with Okta.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>Together, Okta and 1Password further simplify and strengthen security – in a way that SSO, individually, can&rsquo;t. While Okta protects logins for approved apps that you specifically add to Okta, 1Password protects virtually everything else.</p> <p>That includes payment cards, sensitive documents, developer secrets, and logins not added to Okta. 
And it&rsquo;s all woven into a comprehensive enterprise security suite with <a href="https://1password.com/business/">granular admin controls, actionable insights, and extensive reporting</a>.</p> <p>When you use Unlock with Okta to access your 1Password account company-wide, you can:</p> <ul> <li><strong>Simplify adoption</strong> by giving your employees easier access to their 1Password accounts.</li> <li><strong>Extend Okta’s authentication policies to every 1Password account unlock</strong> to strengthen access controls and improve security.</li> <li><strong>Improve your auditing, compliance, and reporting</strong> workflows by tracking 1Password account sign-on events with Okta.</li> </ul> <p>Pairing 1Password with your existing identity and access management (IAM) infrastructure <a href="https://1password.com/resources/pair-1password-with-your-exisiting-IAM-infrastructure">fills the gaps in your sign-on security model</a> and secures your employees no matter how they sign in.</p> <p>And because onboarding and offboarding are critical pieces of the puzzle, you can connect 1Password to your identity provider via the <a href="https://support.1password.com/scim/">1Password SCIM bridge</a> to automate provisioning and deprovisioning.</p> <h2 id="sso-the-1password-way">SSO, the 1Password way</h2> <p><a href="https://support.1password.com/sso-security/">It&rsquo;s all done the 1Password way</a>. Zero-knowledge architecture and end-to-end encryption are preserved, and decryption still happens on-device. 
Credentials are comprised of the same values traditionally derived from the account password and <a href="https://support.1password.com/secret-key-security/">Secret Key</a>, and are decrypted on employee devices – which means that, as always, we don’t store or have access to the keys we would need to decrypt your data.</p> <p>We’ve gone into detail about <a href="https://blog.1password.com/unlock-sso-deep-dive/">the technical underpinnings of our approach to SSO</a>, but here’s the bottom line. Because we’re using a trusted device model, <strong>even if your identity provider credentials are compromised, attackers still wouldn’t be able to access your 1Password data.</strong></p> <p>But the 1Password way is about more than uncompromising security. Great usability is a security feature – if it’s not easy to use, workers will find a workaround in their pursuit of productivity. So we’re not willing to sacrifice ease of use in the name of security. Instead, we find ways to enhance ease of use through security, and vice versa. SSO is no different.</p> <h2 id="what-admins-need-to-know-how-to-enable-unlock-with-okta">What admins need to know: How to enable Unlock with Okta</h2> <p>For admins, setting up Unlock with Okta for your company is simple. You&rsquo;ll notice a new &ldquo;Unlock with Identity Provider&rdquo; heading in the &ldquo;Security&rdquo; section of your admin dashboard. This is where you&rsquo;ll manage the Okta configuration in 1Password.</p> <img src='https://blog.1password.com/posts/2023/unlock-with-okta/unlockwithoktasetup.png' alt='1Password Admin Dashboard displaying the Unlock with Identity Provider setup screen.' title='1Password Admin Dashboard displaying the Unlock with Identity Provider setup screen.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>Select Okta as your identity provider, enter your Okta account details, and test the connection. 
Once complete, you&rsquo;ll see a &ldquo;Successful Connection&rdquo; notification.</p> <p>Next, you can customize your rollout strategy. We recommend a staged rollout for most companies, but you have choices. Either select specific groups to start out and add more later, roll out Unlock with Okta to everyone except guests, or roll it out to everyone at once.</p> <img src='https://blog.1password.com/posts/2023/unlock-with-okta/unlockwithoktasettings.png' alt='1Password Admin Dashboard displaying the Unlock with Identity Provider setup confirmation, with options to change settings.' title='1Password Admin Dashboard displaying the Unlock with Identity Provider setup confirmation, with options to change settings.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>You can also choose the length of time you&rsquo;d like to give employees to complete the migration. Once the period of time you select runs its course, all employees included in the rollout will be required to use Okta to sign in to 1Password.</p> <p>Prior to that, they can continue to sign in using their account password and Secret Key. Each employee included in the rollout will receive an email notification with those details, along with a prompt directly within 1Password 8 to begin making the switch.</p> <h2 id="what-employees-need-to-know-register-your-first-trusted-device">What employees need to know: Register your first trusted device</h2> <p>When your admin enables Unlock with Okta, you&rsquo;ll see a welcome screen the next time you log in to 1Password on any device using your account password. To add your first trusted device, follow the steps outlined on the welcome screen to sign in to your Okta account.</p> <img src='https://blog.1password.com/posts/2023/unlock-with-okta/trusteddevice.png' alt='Two iPhones side-by-side. The first displays a guided setup with an option to sign in to Okta. The second displays the Okta sign-in screen.' 
title='Two iPhones side-by-side. The first displays a guided setup with an option to sign in to Okta. The second displays the Okta sign-in screen.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>Once that&rsquo;s done, you&rsquo;ll see a confirmation that your device has been registered successfully. From that point on, you&rsquo;ll use Okta to sign in to your 1Password account on that device.</p> <h2 id="registering-additional-devices">Registering additional devices</h2> <p>Once you&rsquo;ve registered your first trusted device, you can use it to authenticate additional devices. When you add an account from Settings, you&rsquo;ll see a notification that the account you&rsquo;re signing in to now requires you to sign in with Okta.</p> <p>As you follow the onscreen instructions, a notification will appear on your first trusted device (if you allowed notifications during the initial setup), alerting you to the fact that a new device is trying to use your 1Password account.</p> <img src='https://blog.1password.com/posts/2023/unlock-with-okta/additionaldevices.png' alt='Two iPhones side-by-side. The first displays confirmation that the device is now a trusted device. The second offers instructions to set up another device.' title='Two iPhones side-by-side. The first displays confirmation that the device is now a trusted device. The second offers instructions to set up another device.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>You&rsquo;ll also see a new, one-time code appear on your trusted device. Enter that one-time code on the unregistered device to confirm it as a trusted device. From then on, you&rsquo;ll sign in to 1Password with Okta on that device.</p> <h2 id="not-using-okta-stay-tuned">Not using Okta? Stay tuned.</h2> <p>Unlock with Okta is the best of both worlds. 
Workers have a simple way to access everything they&rsquo;ve stored in 1Password, using a single set of credentials they already know. Your company gets streamlined security policies, simplified administration and onboarding, and full control over – and visibility into – how employees use their 1Password accounts.</p> <p>Not using Okta? Stay tuned. Unlock with Azure is now in private preview, and you can get a sneak peek in the attached setup video. We&rsquo;ll be rolling out support for additional SSO providers like Duo in the near future.</p> <p> <video class="round shadow" style="display: block; margin: auto; padding: 0;" muted="true" loop="loop" playsinline="" width="100%" alt='Demo video of 1Password working with Azure.' controls> <source src="https://blog.1password.com/posts/2023/unlock-with-okta/azuredemo.mp4" type="video/mp4" /> </video> </p> <p>For a deeper dive into Unlock with Okta, join CPO Steve Won, Product Manager Yash Kaur, and <a href="https://www.airwallex.com/us/business-account?utm_source=1password&amp;utm_medium=event_webinar&amp;utm_campaign=sso-launch">Airwallex</a> Senior IT Engineer David Baverstock for a <a href="http://1password.com/webinars/unlock-1password-with-SSO-what-you-need-to-know/">complete walkthrough on March 29</a> at 9AM PT / 12PM ET.</p> <p>And if you’re considering switching your business to 1Password, a quick reminder: <a href="https://1password.com/switch/">when you make the move, we’ll help cover the cost</a>.</p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Unlock 1Password with SSO: What you need to know</h3> <p class="c-call-to-action-box__text"> Save your seat for a walkthrough of Unlock with Okta with 1Password CTO Steve Won, Senior Product Manager Yashpreet Kaur, and special guest, 1Password customer and Airwallex IT Engineer David Baverstock on March 29, 2023. 
</p> <a href="http://1password.com/webinars/unlock-1password-with-SSO-what-you-need-to-know?utm_campaign=sso-launch" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Register now </a> </div> </section></description></item><item><title>Passkeys and the future of authentication: Q&A with Andrew Shikiar, CMO of FIDO Alliance</title><link>https://blog.1password.com/passkeys-the-future-of-authentication/</link><pubDate>Wed, 01 Mar 2023 00:00:00 +0000</pubDate><author>info@1password.com (Stacey Harris)</author><guid>https://blog.1password.com/passkeys-the-future-of-authentication/</guid><description> <img src='https://blog.1password.com/posts/2023/passkeys-the-future-of-authentication/header.png' class='webfeedsFeaturedVisual' alt='Passkeys and the future of authentication: Q&A with Andrew Shikiar, CMO of FIDO Alliance' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">What are <a href="https://blog.1password.com/what-are-passkeys/">passkeys</a>? How do they fit into a passwordless future? Why is user experience the key to adoption for passwordless? These are just a few of the questions people have for the <a href="https://fidoalliance.org/">FIDO Alliance</a> – an open industry association that wants to reduce the world’s reliance on passwords.</p> <p><a href="https://1password.com/company/meet-the-team/matt-davey/">Matt Davey</a>, Chief Experience Officer at 1Password, sat down with <a href="https://twitter.com/andrewshikiar">Andrew Shikiar</a>, Executive Director and CMO at FIDO Alliance, on the <a href="https://randombutmemorable.simplecast.com/">Random but Memorable</a> podcast to get answers to these questions and more. 
Read on for the highlights, or <a href="https://randombutmemorable.simplecast.com/episodes/passwordless-future-chatbot-optimism">listen to the full interview</a> and subscribe to Random but Memorable on your favorite podcast player.</p> <div class="c-simplecast-embed"> <iframe class="c-simplecast-embed__iframe" title="1Password Random but Memorable Podcast" width="100%" frameborder="no" scrolling="no" seamless src="https://player.simplecast.com/b242a83e-36ae-41d3-9ee5-e549744c5aaa?dark=false"></iframe> </div> <p><strong>Matt Davey: Can you give us a bit of the background on FIDO Alliance and its core mission?</strong></p> <p><strong>Andrew Shikiar:</strong> FIDO Alliance is an open industry body focused on reducing industry reliance on passwords. When FIDO launched, the problem we were really trying to address was a data breach problem. We still seek to address that but the vast majority of <a href="https://blog.1password.com/data-breach-101-stay-safe-online/">data breaches</a> are due to passwords for knowledge-based credentials. The easiest way to start tackling the data breach problem is to attack the password problem.</p> <p>At a very high level, what we&rsquo;re doing is replacing the concept of a secret on a server, which of course can be hacked or stolen or guessed, with a public key. The public key has no material value to hackers or anyone like that.</p> <p><strong>MD: How has the landscape of passwords and authentication changed during FIDO&rsquo;s time, and in the industry over the past ten years?</strong></p> <p><strong>AS:</strong> It comes down to usability. There’s a dustbin of super effective, strong authentication technologies that simply were too difficult to be adopted at scale.</p> <p>FIDO’s focus is on single gesture asymmetrical <a href="https://blog.1password.com/what-is-public-key-cryptography/">public key cryptography</a> – which means all the user does is take a single gesture. 
Typically for a consumer, it&rsquo;s the same action they take to unlock their device dozens of times a day. That same action can now allow them to securely authenticate to a website or an app. We didn’t invent public key cryptography, but the user-friendly aspect of it and the focus on usability is what differentiates FIDO authentication.</p> <p>Taking on passwords and trying to supplant passwords is an extremely audacious goal. Not everyone likes passwords but everyone knows how to use them.</p> <blockquote> <p><em>&ldquo;We didn’t invent public key cryptography, but the user-friendly aspect of it and the focus on usability is what differentiates FIDO authentication.&rdquo;</em></p> </blockquote> <p>What&rsquo;s really turning the tide toward FIDO Alliance is that we’re the only industry initiative that&rsquo;s looking at creating standards for password authentication. With the backing of every major platform vendor, FIDO authentication is now built into virtually every device that&rsquo;s being unboxed at this very moment.</p> <p><strong>MD: What’s been the impact of passkeys on authentication, and on this drive for ubiquity?</strong></p> <p><strong>AS:</strong> Passkeys are a safe replacement for passwords that allow you to leverage the device unlock capability to securely sign in to apps and services. What&rsquo;s so important about it is that it’s the first step towards a truly post-password future.</p> <p>Passkeys are being supported natively in all the major platforms and operating systems, with very strong commitments from Apple, Google, and Microsoft. But our vision has never been limited to those three platforms. 
It&rsquo;s critical for independent credential providers and password manager providers to be able to manage passkeys as well.</p> <blockquote> <p><em>&ldquo;It&rsquo;s critical for independent credential providers and password manager providers to be able to manage passkeys as well.&rdquo;</em></p> </blockquote> <p>Ultimately, the user shouldn&rsquo;t have to think about how they&rsquo;re signing in – they should just sign in. Someone goes to a website not to enjoy the sign in experience. They go to a website to purchase something, or to learn or engage. Authentication should be a seamless yet strong step in that process.</p> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div class="c-technical-aside-box__description"> <p><a href="https://blog.1password.com/1password-is-joining-the-fido-alliance/">1Password has joined the FIDO Alliance</a> and is going to be right at the forefront of passkey authentication. Try our <a href="https://www.future.1password.com/passkeys/">passkey demo</a> if you would like a sneak peek at the sign-in experience we&rsquo;re working on.</p> </div> </aside> <p><strong>MD: What are the biggest hurdles toward passkey adoption? And how can password managers play a role in that?</strong></p> <p><strong>AS:</strong> FIDO Alliance has done some user experience (UX) research over the past couple of years, and one thing that&rsquo;s become abundantly clear is that seeing passkeys adopted at scale is really a usability and user education issue.</p> <p>A lot of folks listening to this discussion today are probably on the savvier end of the technology spectrum and are comfortable adopting new technologies. But think about others who are not comfortable with technology. 
There&rsquo;s a massive user education challenge that we, as an industry, have in our hands to get people comfortable with this sign-in process.</p> <blockquote> <p><em>&ldquo;Seeing passkeys adopted at scale is really a usability and user education issue.&rdquo;</em></p> </blockquote> <p>The good news is that the companies commercializing this are user experience experts. For example, the first company to support passkeys at scale is Apple. Having Apple actually bring passkeys to market, focusing primarily on UX is absolutely critical. And it&rsquo;ll start getting consumers comfortable with the concept.</p> <p>The term ‘passkey’ itself is also a new thing. Agreeing on the term passkey, and having an industry logo, will help. We&rsquo;ll start seeing positive reinforcement happening, as more people use passkeys and become comfortable with the terminology and user experience.</p> <p>Password managers have an important role in educating users on the experience they should expect when signing in to websites and applications.</p> <blockquote> <p><em>&ldquo;Password managers have an important role in educating users.&rdquo;</em></p> </blockquote> <p>When I&rsquo;m asked how passkeys work, I often describe it as a perfect password manager … but without any passwords. Passkeys are the password manager experience with secure, seamless access to sites and services, but simply using a biometric, rather than having to recall a password. That user experience is really important in helping educate and accelerate adoption of passkeys moving forward.</p> <p><strong>MD: Do you have any passwordless predictions for the next few years?</strong></p> <p><strong>AS:</strong> I&rsquo;m very excited about passkeys but it&rsquo;s important to have a realistic perspective. Passkeys are not going to happen overnight. 
Some providers are going to be more cautious than others, so I think we&rsquo;ll see brands deploy passkeys incrementally, and then eventually at scale.</p> <p>Between the technology adoption and user education piece, we&rsquo;re looking at multi-year rollouts before this becomes super mainstream, and part of the way we all sign in on a daily basis.</p> <blockquote> <p><em>&ldquo;Passkeys are not going to happen overnight.&rdquo;</em></p> </blockquote> <p>With these capabilities, you start thinking about some interesting applications for passkey and FIDO authentication. One area I&rsquo;ve been seeing a lot of chat around is vehicle authentication. Think about voice biometrics, or fingerprint biometrics, and those modalities for securely signing in to automotive services in your car, or managing your car in a mobile app. We&rsquo;ve seen several companies bring FIDO into the automotive space already in 2022 and 2023.</p> <p><strong>MD: I wonder how the UX of passkeys will change over time with societal change. As people get more familiar with passkeys, it&rsquo;s going to be fascinating to test some of these UX changes and find the right change for society. We may predict where things will go, and then there will be a moment where we are catching up with the rest of society, and trying to push the UX of things along with all of the websites.</strong></p> <p><strong>AS:</strong> That&rsquo;s extremely well said.</p> <p>For those who don&rsquo;t know how standards bodies work, they&rsquo;re not terribly exciting. They basically get a bunch of really smart people in a room and debate where semicolons go in specifications. The group will fight and squabble until they decide how a specification looks and then it’s finalized, then you build products against them, which are then certified.</p> <p>It&rsquo;s absolutely critical, but that&rsquo;s how standards work. 
What FIDO is doing above that, which is unique to any standards body or any industry initiative, is taking on this user experience work.</p> <blockquote> <p><em>&ldquo;For those who don&rsquo;t know how standards bodies work, they&rsquo;re not terribly exciting.&rdquo;</em></p> </blockquote> <p>We&rsquo;ve assembled a group of experts – including you, Matt – who are design and UX leads to give guidance on the best ways to deploy passkeys. We’re using this group to guide our research which will result in data-driven guidance on how to deploy passkeys. These really bright minds and designers will help establish design and UX best practices, which will influence our guidelines and other outputs at FIDO Alliance.</p> <p><strong>MD: Where can people go for more information about you or FIDO Alliance?</strong></p> <p><strong>AS:</strong> You can head to our website at <a href="https://fidoalliance.org/">https://fidoalliance.org/</a>. We have a ton of information about FIDO Alliance as a body and also a separate set of websites that we’ll be updating to reflect passkeys. But for now there&rsquo;s <a href="https://loginwithfido.com/">LogInWithFIDO.com</a>, which gives a jargon-free explanation of how passkeys work, both from a consumer point of view and from a service provider point of view.</p> <p>And you can find me personally on <a href="https://www.linkedin.com/in/andrewshikiar/">LinkedIn</a> and <a href="https://twitter.com/andrewshikiar">Twitter</a>!</p> <h2 id="learn-more-about-passkeys">Learn more about passkeys</h2> <p>Those are the highlights; however, the full conversation covered so much more. 
Listen to the <a href="https://randombutmemorable.simplecast.com/episodes/passwordless-future-chatbot-optimism">full interview with Andrew Shikiar</a> on your preferred podcast player, and check out previous episodes of <a href="https://randombutmemorable.simplecast.com/">Random but Memorable</a> to hear some other great interviews with security leaders.</p> <p>If you want to learn more about passkeys, check out these great resources:</p> <ul> <li><a href="https://blog.1password.com/what-are-passkeys/">What are passkeys?</a></li> <li><a href="https://blog.1password.com/1password-is-joining-the-fido-alliance/">1Password has joined the FIDO Alliance</a></li> <li><a href="https://www.future.1password.com/passkeys/">1Password and passkeys demo</a></li> <li>Sign up for our <a href="https://1password.com/passwordless-news/">passwordless newsletter</a> for early access and updates</li> </ul> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Subscribe to Random but Memorable</h3> <p class="c-call-to-action-box__text"> Listen to the latest news, tips and advice to level up your security game, as well as guest interviews with leaders from the security community. 
</p> <a href="https://randombutmemorable.simplecast.com/" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Subscribe to our podcast </a> </div> </section></description></item><item><title>1Password is now the official password manager of the Golden State Warriors</title><link>https://blog.1password.com/golden-state-warriors/</link><pubDate>Tue, 28 Feb 2023 00:00:00 +0000</pubDate><author>info@1password.com (Emily Chioconi)</author><guid>https://blog.1password.com/golden-state-warriors/</guid><description> <img src='https://blog.1password.com/posts/2023/golden-state-warriors/header.png' class='webfeedsFeaturedVisual' alt='1Password is now the official password manager of the Golden State Warriors' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Hey Bay Area, we couldn’t be more pumped to announce that 1Password is teaming up with the Golden State Warriors!</p> <p>Anyone can rebound from bad security habits – and partnering with the Dubs brings us one step closer to making online safety a slam dunk for everyone.</p> <h2 id="why-the-golden-state-warriors-">Why the Golden State Warriors? 🌁</h2> <p>We know that passwords and basketball might seem like an odd match at first, but you may have heard that defense wins championships – and defense is 1Password’s specialty, after all. Talk about an MVP.</p> <p>When it comes down to it, sharing the same values and principles as the Warriors made joining forces a pretty easy decision. Whether it’s taking teamwork to the next level, improving our communities, or continuously striving for innovation, 1Password and the Golden State Warriors are truly on the same team.</p> <h2 id="no-more-jumping-through-hoops-">No more jumping through hoops 🏀</h2> <p>When your security is at stake, you deserve the best defense and the best offense – and it shouldn’t be complicated. 
When we’re on your team, we keep it simple. That’s why from now until the end of the season, when you sign up for 1Password Families, <a href="https://start.1password.com/sign-up/family?l=en&amp;c=GSW25">you’ll get 25% off your first year with us</a>! If you’re a business looking to up your security game, <a href="https://1password.drift.click/warriors-business">we’ve got you covered, too</a>.</p> <p>There’s plenty more to come, so we hope you’re as excited as we are! We truly believe this partnership will help us give more people, families, and businesses across the Bay Area the all-star security they deserve.</p> <div class="c-call-to-action"> <section class="c-call-to-action-box c-call-to-action-box--green"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Secure your home court</h3> <p class="c-call-to-action-box__text"> Protect your loved ones with 1Password and get 25% off your first year. </p> <a href="https://start.1password.com/sign-up/family?l=en&amp;c=GSW25" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--green" data-event-category="CTA" data-event-action="call-to-action-button"> Get started </a> </div> </section> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Add an MVP to your team</h3> <p class="c-call-to-action-box__text"> Secure your team today and get a 1Password Business discount. 
</p> <a href="https://1password.com/contact-sales?utm_ref=GSW-talk-to-sales" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Let&#39;s talk </a> </div> </section> </div></description></item><item><title>33 Shell Plugins and counting!</title><link>https://blog.1password.com/shell-plugins-roundup/</link><pubDate>Wed, 22 Feb 2023 00:00:00 +0000</pubDate><author>info@1password.com (Jason Harris)</author><guid>https://blog.1password.com/shell-plugins-roundup/</guid><description> <img src='https://blog.1password.com/posts/2023/shell-plugins-roundup/header.png' class='webfeedsFeaturedVisual' alt='33 Shell Plugins and counting!' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">I&rsquo;m always amazed at just how quickly the developer community gets things done. Case in point: Just weeks after we launched <a href="https://blog.1password.com/shell-plugins/">1Password Shell Plugins</a>, we&rsquo;re now 33 plugins strong&hellip; 14 of which were built by you, the developer community. 🤯</p> <p><a href="https://developer.1password.com/docs/cli/shell-plugins/">Shell Plugins</a> enable one-touch access to command-line interfaces (CLIs). 1Password embraced an open-source model with Shell Plugins, so anyone can <a href="https://github.com/1Password/shell-plugins">write a Shell Plugin</a> for their most-loved CLI and include them in future releases of the 1Password CLI. 
Within days of the <a href="https://blog.1password.com/shell-plugins/">Shell Plugins announcement</a>, we received half a dozen contributions!</p> <p>We’re thrilled that there are now 33 Shell Plugins spanning AWS, GitHub, Okta, Stripe, Snyk, Tugboat and more!</p> <img src="https://blog.1password.com/posts/2023/shell-plugins-roundup/shellplugins.png" alt="A list of all 33 products supported by 1Password Shell Plugins" title="A list of all 33 products supported by 1Password Shell Plugins" class="c-featured-image"/> <p>Let’s walk through each Shell Plugin that you can now access through the 1Password CLI.</p> <h2 id="build-and-release">Build and Release</h2> <h3 id="argo-cd-shell-plugin">Argo CD Shell Plugin</h3> <p><a href="https://argo-cd.readthedocs.io/en/stable/">Argo CD</a> is a declarative, GitOps continuous delivery tool for Kubernetes. We want to give a special thanks to open source contributor <a href="https://github.com/ssttehrani">Seyed</a> for helping make the Argo CD Shell Plugin happen.</p> <p><a href="https://developer.1password.com/docs/cli/shell-plugins/argo-cd">Explore the Argo CD Shell Plugin documentation</a></p> <h3 id="cachix-shell-plugin">Cachix Shell Plugin</h3> <p><a href="https://www.cachix.org/">Cachix</a> is a service for Nix binary host caching. 
Thanks to <a href="https://github.com/micnncim">micnncim</a> for contributing the Cachix Shell Plugin.</p> <p><a href="https://developer.1password.com/docs/cli/shell-plugins/cachix/">Explore the Cachix Shell Plugin documentation</a></p> <h3 id="cargo-shell-plugin">Cargo Shell Plugin</h3> <p>The <a href="https://docs.rs/crate/cargo-cli/latest">Cargo CLI</a> gives developers the ability to create a command-line interface binary with common dependencies.</p> <p><a href="https://developer.1password.com/docs/cli/shell-plugins/cargo">Explore the Cargo Shell Plugin documentation</a></p> <h3 id="circleci-shell-plugin">CircleCI Shell Plugin</h3> <p><a href="https://circleci.com">CircleCI</a> is a CI/CD platform that is used to implement Developer Operations practices.</p> <p><a href="https://developer.1password.com/docs/cli/shell-plugins/circleci/">Explore the CircleCI Shell Plugin documentation</a></p> <h3 id="github-shell-plugin">GitHub Shell Plugin</h3> <p><a href="https://github.com">GitHub</a> is a hosting service for software development that uses the version control system Git.</p> <p><a href="https://developer.1password.com/docs/cli/shell-plugins/github">Explore the GitHub Shell Plugin documentation</a></p> <h3 id="gitlab-shell-plugin">GitLab Shell Plugin</h3> <p><a href="https://gitlab.com">GitLab</a> is a DevOps software package which can develop, secure, and operate software.</p> <p><a href="https://developer.1password.com/docs/cli/shell-plugins/gitlab">Explore the GitLab Shell Plugin documentation</a></p> <h3 id="homebrew-shell-plugin">Homebrew Shell Plugin</h3> <p><a href="https://brew.sh/">Homebrew</a> is a leading package manager that enables users to download, manage and remove software packages. 
Big thanks to <a href="https://github.com/markdorison">markdorison</a> for authoring the Homebrew Shell Plugin.</p> <p><a href="https://developer.1password.com/docs/cli/shell-plugins/homebrew">Explore the Homebrew Shell Plugin documentation</a></p> <h3 id="tugboat-shell-plugin">Tugboat Shell Plugin</h3> <p><a href="https://www.tugboatqa.com/">Tugboat</a> creates customizable, containerized environments for engineering teams. Special thanks to <a href="https://github.com/markdorison">markdorison</a> for authoring the Tugboat Shell Plugin.</p> <p><a href="https://developer.1password.com/docs/cli/shell-plugins/tugboat">Explore the Tugboat Shell Plugin documentation</a></p> <h2 id="cloud-providers">Cloud providers</h2> <h3 id="amazon-web-services-shell-plugin">Amazon Web Services Shell Plugin</h3> <p><a href="https://aws.amazon.com">AWS</a> is Amazon’s suite of developer tools including the S3 storage service, Amazon EC2, and much more.</p> <p><a href="https://developer.1password.com/docs/cli/shell-plugins/aws">Explore the Amazon Web Services Shell Plugin documentation</a></p> <h3 id="cloudflare-workers-shell-plugin">Cloudflare Workers Shell Plugin</h3> <p><a href="https://workers.cloudflare.com/">Cloudflare Workers</a> is a platform for enabling serverless functions to run as close as possible to the end user. 
Thanks to <a href="https://github.com/shyim">shyim</a> for authoring the Cloudflare Workers Shell Plugin.</p> <p><a href="https://developer.1password.com/docs/cli/shell-plugins/cloudflare-workers">Explore the Cloudflare Workers Shell Plugin documentation</a></p> <h3 id="digitalocean-shell-plugin">DigitalOcean Shell Plugin</h3> <p><a href="https://www.digitalocean.com/">DigitalOcean</a> is a cloud and infrastructure-as-a-service provider.</p> <p><a href="https://developer.1password.com/docs/cli/shell-plugins/digitalocean/">Explore the DigitalOcean Shell Plugin documentation</a></p> <h3 id="fastly-shell-plugin">Fastly Shell Plugin</h3> <p><a href="https://fastly.com">Fastly</a> makes websites work faster as a leading content delivery network. Thanks to <a href="https://github.com/arunsathiya">Arun</a> for contributing this shell plugin!</p> <p><a href="https://developer.1password.com/docs/cli/shell-plugins/fastly">Explore the Fastly Shell Plugin documentation</a></p> <h3 id="heroku-shell-plugin">Heroku Shell Plugin</h3> <p><a href="https://heroku.com">Heroku</a> is a cloud platform that lets companies build, deliver, monitor and scale applications.</p> <p><a href="https://developer.1password.com/docs/cli/shell-plugins/heroku">Explore the Heroku Shell Plugin documentation</a></p> <h3 id="hetzner-cloud-shell-plugin">Hetzner Cloud Shell Plugin</h3> <p><a href="https://www.hetzner.com/">Hetzner Online</a> provides dedicated hosting, shared web hosting, virtual private servers, managed servers, domain names, SSL certificates, storage boxes, and cloud storage.</p> <p><a href="https://developer.1password.com/docs/cli/shell-plugins/hcloud/">Explore the Hetzner Cloud Shell Plugin documentation</a></p> <h3 id="linode-shell-plugin">Linode Shell Plugin</h3> <p><a href="https://linode.com">Linode</a> is an infrastructure-as-a-service that uses Linux virtual machines and tools to develop, deploy, and scale applications. 
Thanks to contributor <a href="https://github.com/alexclst">alexclst</a> for authoring the Linode Shell Plugin.</p> <p><a href="https://developer.1password.com/docs/cli/shell-plugins/linode">Explore the Linode Shell Plugin documentation</a></p> <h3 id="vultr-shell-plugin">Vultr Shell Plugin</h3> <p><a href="https://www.vultr.com/">Vultr</a> makes the process of deploying cloud infrastructure simple, performant, and reliable. Special thanks to <a href="https://github.com/arunsathiya">Arun</a> for contributing this shell plugin!</p> <p><a href="https://developer.1password.com/docs/cli/shell-plugins/vultr">Explore the Vultr Shell Plugin documentation</a></p> <h2 id="databases">Databases</h2> <h3 id="databricks-shell-plugin">Databricks Shell Plugin</h3> <p><a href="https://databricks.com">Databricks</a> is a well-known data foundation that powers businesses of all sizes. Thanks to <a href="https://github.com/bsamseth">bsamseth</a> for authoring the Databricks Shell Plugin.</p> <p><a href="https://developer.1password.com/docs/cli/shell-plugins/databricks">Explore the Databricks Shell Plugin documentation</a></p> <h3 id="mysql-shell-plugin">MySQL Shell Plugin</h3> <p><a href="https://mysql.com">MySQL</a> is an open-source relational database management system.</p> <p><a href="https://developer.1password.com/docs/cli/shell-plugins/mysql">Explore the MySQL Shell Plugin documentation</a></p> <h3 id="postgresql-shell-plugin">PostgreSQL Shell Plugin</h3> <p><a href="https://www.postgresql.org/">PostgreSQL</a> is a leading open-source data management system.</p> <p><a href="https://developer.1password.com/docs/cli/shell-plugins/postgresql">Explore the PostgreSQL Shell Plugin documentation</a></p> <h3 id="snowflake-shell-plugin">Snowflake Shell Plugin</h3> <p><a href="https://www.snowflake.com/en/">Snowflake</a> is a cloud data warehouse that can store and analyze all your data records in a single place.</p> <p><a 
href="https://developer.1password.com/docs/cli/shell-plugins/snowflake">Explore the Snowflake Shell Plugin documentation</a></p> <h2 id="services">Services</h2> <h3 id="ngrok-shell-plugin">ngrok Shell Plugin</h3> <p><a href="https://ngrok.com/">ngrok</a> is a cross-platform tool that exposes local TCP ports to the internet via secure tunneling. Thanks to <a href="https://github.com/arunsathiya">Arun</a> for contributing this shell plugin.</p> <p><a href="https://developer.1password.com/docs/cli/shell-plugins/ngrok">Explore the ngrok Shell Plugin documentation</a></p> <h3 id="openai-shell-plugin">OpenAI Shell Plugin</h3> <p><a href="https://openai.com/">OpenAI</a> is an artificial intelligence company that uses AI research to promote and develop AI technologies.</p> <p><a href="https://developer.1password.com/docs/cli/shell-plugins/openai">Explore the OpenAI Shell Plugin documentation</a></p> <h3 id="readme-shell-plugin">ReadMe Shell Plugin</h3> <p><a href="https://readme.com">ReadMe</a> is a leading tool for building interactive developer hubs. ReadMe was also the first company to build a Shell Plugin – a special thanks to Kanad Gupta for putting it together!</p> <p><a href="https://developer.1password.com/docs/cli/shell-plugins/readme">Explore the ReadMe Shell Plugin documentation</a></p> <h3 id="sourcegraph-shell-plugin">Sourcegraph Shell Plugin</h3> <p><a href="https://about.sourcegraph.com/">Sourcegraph</a> is a tool for helping developers understand, fix, and automate tasks across an entire codebase. 
Thanks to <a href="https://github.com/arunsathiya">Arun</a> for contributing this shell plugin!</p> <p><a href="https://developer.1password.com/docs/cli/shell-plugins/sourcegraph">Explore the Sourcegraph Shell Plugin documentation</a></p> <h3 id="stripe-shell-plugin">Stripe Shell Plugin</h3> <p><a href="https://stripe.com">Stripe</a> is a suite of APIs powering online payment processing and commerce solutions for internet businesses of all sizes.</p> <p><a href="https://developer.1password.com/docs/cli/shell-plugins/stripe">Explore the Stripe Shell Plugin documentation</a></p> <h3 id="twilio-shell-plugin">Twilio Shell Plugin</h3> <p><a href="https://twilio.com">Twilio</a> provides telecommunications services to developers through their API.</p> <p><a href="https://developer.1password.com/docs/cli/shell-plugins/twilio">Explore the Twilio Shell Plugin documentation</a></p> <h2 id="security-and-monitoring">Security and monitoring</h2> <h3 id="dogshell-shell-plugin">Dogshell Shell Plugin</h3> <p><a href="https://docs.datadoghq.com/developers/guide/dogshell-quickly-use-datadog-s-api-from-terminal-shell/">Dogshell</a> comes with the officially supported datadogpy Python library, often used to send data to Datadog with DogStatsD.</p> <p><a href="https://developer.1password.com/docs/cli/shell-plugins/dogshell">Explore the Dogshell Shell Plugin documentation</a></p> <h3 id="fossa-shell-plugin">Fossa Shell Plugin</h3> <p><a href="https://fossa.com">Fossa</a> is a leading open source risk management platform.</p> <p><a href="https://developer.1password.com/docs/cli/shell-plugins/fossa">Explore the Fossa Shell Plugin documentation</a></p> <h3 id="hashicorp-vault-shell-plugin">HashiCorp Vault Shell Plugin</h3> <p><a href="https://www.vaultproject.io/">HashiCorp Vault</a> secures, stores, and tightly controls access to tokens, passwords, certificates, API keys, and other secrets in modern computing.</p> <p><a 
href="https://developer.1password.com/docs/cli/shell-plugins/vault">Explore the HashiCorp Vault Shell Plugin documentation</a></p> <h3 id="lacework-shell-plugin">Lacework Shell Plugin</h3> <p><a href="https://lacework.com">Lacework</a> is a security platform for DevOps, containers, and cloud. Thanks to contributor <a href="https://github.com/colinbarr">colinbarr</a> for authoring the Lacework Shell Plugin.</p> <p><a href="https://developer.1password.com/docs/cli/shell-plugins/lacework">Explore the Lacework Shell Plugin documentation</a></p> <h3 id="sentry-shell-plugin">Sentry Shell Plugin</h3> <p><a href="https://sentry.io/welcome/">Sentry</a> is a provider of open-source error tracking with full stacktraces and asynchronous context.</p> <p><a href="https://developer.1password.com/docs/cli/shell-plugins/sentry">Explore the Sentry Shell Plugin documentation</a></p> <h3 id="snyk-shell-plugin">Snyk Shell Plugin</h3> <p><a href="https://snyk.com">Snyk</a> is a tool for testing vulnerabilities in your code, open source dependencies, container images, and more.</p> <p><a href="https://developer.1password.com/docs/cli/shell-plugins/snyk">Explore the Snyk Shell Plugin documentation</a></p> <h2 id="identity-and-access-management">Identity and access management</h2> <h3 id="okta-shell-plugin">Okta Shell Plugin</h3> <p><a href="https://okta.com">Okta</a> is a leading identity and access management solution.</p> <p><a href="https://developer.1password.com/docs/cli/shell-plugins/okta">Explore the Okta Shell Plugin documentation</a></p> <h2 id="give-a-shell-plugins-a-try-or-build-your-own">Give Shell Plugins a try (or build your own)</h2> <p>Using Shell Plugins is easy. To get started, follow the instructions provided on each of the linked pages above. Got a favorite? 
Let us know on Twitter or Mastodon by sharing with #BuildWith1Password.</p> <p>If you don’t yet see a Shell Plugin for your favorite CLI, it’s easy to <a href="https://github.com/1Password/shell-plugins/blob/main/CONTRIBUTING.md">contribute your own</a>. Watch 1Password engineer Amanda Crawley build a plugin in under 10 minutes to see how it’s done:</p> <div style="text-align: center !important;"> <iframe src="https://www.youtube-nocookie.com/embed/XKA2uE0M3IU" frameborder="0" allow="autoplay; encrypted-media" width="500px !important;" height="281px !important;" style="width: 500px !important; height: 281px !important; display: inline-block !important" allowfullscreen></iframe> </div> <p>Stuck? We&rsquo;re happy to help! You can:</p> <ul> <li>Book a <a href="https://calendly.com/d/grs-x2h-pmb/1password-shell-plugins-pairing-session">free pairing session</a> with one of our developers.</li> <li>Join 1Password’s <a href="https://join.slack.com/t/1password-devs/shared_invite/zt-1halo11ps-6o9pEv96xZ3LtX_VE0fJQA">Developer Slack workspace</a> to get answers.</li> </ul> <p>Happy building!</p></description></item><item><title>Celebrating 100 episodes of Random but Memorable</title><link>https://blog.1password.com/random-but-memorable-100/</link><pubDate>Fri, 17 Feb 2023 00:00:00 +0000</pubDate><author>info@1password.com (Stacey Harris)</author><guid>https://blog.1password.com/random-but-memorable-100/</guid><description> <img src='https://blog.1password.com/posts/2023/random-but-memorable-100/header.png' class='webfeedsFeaturedVisual' alt='Celebrating 100 episodes of Random but Memorable' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Over the past 100 episodes we’ve heard Roo say “drop it in here” approximately 98 times, created six random but fun security games, interviewed leaders from around the globe, and asked the world&rsquo;s greatest philosophical question: are cherries a berry?</p> <p>One of the best 
parts of producing Random but Memorable has been interviewing so many brilliant security experts. (Second only to hearing from you, our amazing listeners!) We’ve <a href="https://randombutmemorable.simplecast.com/episodes/vivacious-gift-electric-fish">interviewed Twitter royalty @hacks4pancakes (Lesley Carhart)</a>, dived into <a href="https://randombutmemorable.simplecast.com/episodes/email-alias-rabbit-hole">email privacy with Ricardo Signes from Fastmail</a>, and explored how data analysis can <a href="https://randombutmemorable.simplecast.com/episodes/minority-report-super-computer">uncover insider threats with Distinguished Professor David Bader</a>.</p> <p>The podcast has also given us an outlet to share 1Password tips and tricks, like how to <a href="https://support.1password.com/archive-delete-items/">archive items you don’t use often</a>, and how to <a href="https://support.1password.com/share-items/">share items with people who don’t use 1Password</a>.</p> <p>Whether you’ve been listening for the past 100 episodes, or just found us today, we’re excited to share a little more about Random but Memorable, and what you can expect in future episodes!</p> <h2 id="a-beginners-guide-to-random-but-memorable">A beginner’s guide to Random but Memorable</h2> <p>It’s not always random or memorable, but it <em>is</em> always fun!</p> <p>Meet the 1Password hosts that bring you each episode: <a href="https://twitter.com/mattdavey">Matt Davey</a>, Chief Experience Officer, <a href="https://twitter.com/MrRooni">Michael “Roo” Fey</a>, Head of User Lifecycle &amp; Growth, and Anna Eastick, Podcast Producer.</p> <p>Matt, Roo, and Anna have been sharing security advice and banter with audiences and guests since 2018. First-time listener? 
Here’s a bit of what you can expect from Random but Memorable:</p> <ul> <li><strong>Expert interviews.</strong> Listen to security and privacy leaders break down the latest news and trends in a way that everyone can understand.</li> <li><strong>Product updates.</strong> We’re always working to improve 1Password, and our team is always excited to share new features, updates, and news on the podcast.</li> <li><strong>Watchtower updates.</strong> Our team jumps down the rabbit hole to break down the most recent leaks, hacks, ransoms, and more in Watchtower Weekly (even though the podcast only comes out every other week).</li> <li><strong>Fun games.</strong> We end every episode with a special challenge for our hosts. From Ridiculous Requirements to Play Your Passwords Right, you can always expect some laughs to close out the show.</li> </ul> <blockquote> <p><em>“A major and fair criticism of Random but Memorable is that it’s hardly very random. You have a short intro, the second part is always depressing news in Watchtower Weekly, then you do the interview, then you have a game or quiz, and you end with I love you’s and goodbye’s. Hardly random, I’d say. It is memorable though, so, five stars in random order from me! Keep up the great work.”</em> – Jørgen, Random but Memorable listener</p> </blockquote> <h2 id="some-of-our-favorite-episodes">Some of our favorite episodes</h2> <p>Here are a few highlight worthy episodes from the past 100. 
We’ll leave it up to you to discover the rest!</p> <p><strong>Episode 90: Puzzle Solving Developer Community with Jeremiah Peschka from Stack Overflow</strong></p> <p>We spoke with Jeremiah Peschka, Staff Software Developer from Stack Overflow, to learn about how they’re building a community for developers, and encouraging collaboration so everyone can move forward faster.</p> <div class="c-simplecast-embed"> <iframe class="c-simplecast-embed__iframe" title="1Password Random but Memorable Podcast" width="100%" frameborder="no" scrolling="no" seamless src="https://player.simplecast.com/4d4c2599-bc2a-44c6-834a-fa501b183489?dark=false"></iframe> </div> <p><a href="https://randombutmemorable.simplecast.com/episodes/puzzle-solving-developer-community">Listen to episode 90 ›</a></p> <p><strong>Episode 76: Another Masked Vigilante Fear with Karen Renaud</strong></p> <p>Karen Renaud – computer scientist, researcher, and professor – joins us to discuss what exactly keeps people from using password managers and whether fear encourages us to care more about privacy.</p> <div class="c-simplecast-embed"> <iframe class="c-simplecast-embed__iframe" title="1Password Random but Memorable Podcast" width="100%" frameborder="no" scrolling="no" seamless src="https://player.simplecast.com/95a57215-faa6-4a87-a246-b2af33706c29?dark=false"></iframe> </div> <p><a href="https://randombutmemorable.simplecast.com/episodes/another-masked-vigilante-fear">Tune in to episode 76 ›</a></p> <p><strong>Episode 55: High Profile Fluffy Pet with Dr. Chris Pierson from BlackCloak</strong></p> <p>We were joined by Dr. 
Chris Pierson, Founder and CEO of BlackCloak, to discover why hackers target CISOs, business executives, and other high-profile individuals.</p> <div class="c-simplecast-embed"> <iframe class="c-simplecast-embed__iframe" title="1Password Random but Memorable Podcast" width="100%" frameborder="no" scrolling="no" seamless src="https://player.simplecast.com/7c85d1f7-877d-4755-b6fa-85ff95f2bf9a?dark=false"></iframe> </div> <p><a href="https://randombutmemorable.simplecast.com/episodes/high-profile-fluffy-pet">Give episode 55 a listen ›</a></p> <p><strong>Episode 100: One Hundredth Episode Special</strong></p> <p>Our intrepid podcast hosts took a trip down memory lane and reviewed the show&rsquo;s random but memorable history.</p> <div class="c-simplecast-embed"> <iframe class="c-simplecast-embed__iframe" title="1Password Random but Memorable Podcast" width="100%" frameborder="no" scrolling="no" seamless src="https://player.simplecast.com/06b22014-136b-48fb-9943-fe482c04534f?dark=false"></iframe> </div> <p><a href="https://randombutmemorable.simplecast.com/episodes/one-hundredth-episode-special">Celebrate with our 100th show ›</a></p> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div class="c-technical-aside-box__description"> <p>You might have noticed we only highlighted shows after episode 50 – that’s because we already took a look back at the earlier episodes! Check out our <a href="https://blog.1password.com/random-but-memorable-is-50/">previous blog post</a> for the best moments in episodes 1-50.</p> </div> </aside> <h2 id="what-to-expect-in-the-future">What to expect in the future</h2> <p>Random but Memorable isn’t going anywhere! We’re excited to bring you more security news, interviews, and games in the coming years. And we have some of our own news to share! Sara Teare, 1Password co-founder, joins the Random but Memorable team as a permanent rotating host. 
You can pop over to <a href="https://twitter.com/1PSara">Sara’s Twitter</a> to say hi and give her a warm welcome.</p> <p>Whether you’ve been a listener since the start, or joined somewhere along the way – thank you for sticking with us! We can’t wait to share another 100 episodes with you and our guests. And if you’re just hearing about Random but Memorable for the first time, well, listen, like, and subscribe 😉 – you won’t regret it.</p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Subscribe to the Random but Memorable podcast</h3> <p class="c-call-to-action-box__text"> Be prepared for Random but Memorable moments, as well as the latest security news, tips and tricks and expert interviews. </p> <a href="https://randombutmemorable.simplecast.com/" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Subscribe now </a> </div> </section></description></item><item><title>Meet Megan Barker, Senior Security Specialist at 1Password</title><link>https://blog.1password.com/meet-megan-barker/</link><pubDate>Thu, 16 Feb 2023 00:00:00 +0000</pubDate><author>info@1password.com (1Password)</author><guid>https://blog.1password.com/meet-megan-barker/</guid><description> <img src='https://blog.1password.com/posts/2023/meet-megan-barker/header.png' class='webfeedsFeaturedVisual' alt='Meet Megan Barker, Senior Security Specialist at 1Password' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Have you ever wondered what it&rsquo;s like to work at <a href="https://1password.com/">1Password</a>? Or wanted to know the career paths that other people followed before taking a job here? You&rsquo;re not alone!</p> <p>In this new blog series, we&rsquo;re sharing what it&rsquo;s <em>really</em> like to work at 1Password. 
To do this, we sat down and talked to team members from across our more than 800-strong organization, including engineering, human resources, and customer support. You&rsquo;ll learn about the journeys that each person took to 1Password, as well as their current role and day-to-day responsibilities.</p> <p>Today, we&rsquo;re chatting with Megan Barker, who works as Senior Security Specialist, Documentation at 1Password!</p> <p><strong>What’s your current role, and what are your day-to-day responsibilities?</strong></p> <p>I write security-focused posts for the 1Password blog, create informative (and lighthearted) posts for an internal security group, and edit security-related information for our Content team. I’m also responsible for all security, compliance, and privacy documentation!</p> <p>My daily activities vary from one day to the next, which is one of the best parts of my job.</p> <p><strong>What is your favorite part of your role?</strong></p> <p>I get to write! Writing is such a large part of who I am – it’s been a passion since before I could physically write. I wrote stories on an absolutely ancient typewriter when I was very young. I graduated to writing chaptered novels in grade school and won a local writing competition when I was 10.</p> <p>TL;DR – Very few people can say their life’s passion is also how they make a living, and I’m incredibly fortunate and grateful to be one of them.</p> <p><strong>How would you describe your team’s culture to someone who was applying for a role on that team?</strong></p> <p>The Security team is extraordinary.</p> <p>I was on the Documentation team when my role was created. It started as a part-time assignment but I became a full-fledged member of the Security team fairly quickly.</p> <p>I felt at home the very first day, and was welcomed into the fold despite my lack of specialized training. 
The team took me under their collective wing and taught me – and continue to teach me – almost everything I know about security and privacy.</p> <blockquote> <p><em>The Security team is extraordinary.</em></p> </blockquote> <p>We all have different backgrounds, training, knowledge, strengths, and points of view, but share the same strong commitment to the security of 1Password and its customers.</p> <p><strong>What keeps you motivated in your role?</strong></p> <p>My motivation comes from the ability and freedom to do what I love every single day with the support of an amazing manager and team. And for <em>real</em> money (well, I’m paid in Canadian dollars but it’s real money up here).</p> <p>I also have a deep respect for the trust placed in us by millions of people and want to do my part to keep 1Password the best and most secure option available.</p> <p><strong>Any fun personal plans for 2023?</strong></p> <p>My life is pretty boring! I’m a single mom so my 8-year-old son and our two pretty pitties keep me very busy (and close to home). I’m also antsy for some warm weather. We saw lows of -45 Celsius this winter in my area of Ontario, Canada, so summer can’t come soon enough!</p> <p><strong>Quick! You’re boarding a plane and you can only bring one item on your trip. What is the one thing you can’t live without?</strong></p> <p><em>Catcher in the Rye</em> or <em>The Grapes of Wrath</em>.</p> <p>Lol, j/k. I’d bring my phone. I wish I could say I’d grab some great literary work to paint the picture of some cosmopolitan academic but, really, I couldn’t live without my phone.</p> <p>Memories in picture form, money via online banking or Apple Pay (you’re welcome for the plug, Apple!), and the ability to, you know, phone someone or search for, and navigate to, anything I didn’t bring.</p> <p>For the record, my second choice would be underwear. For what I hope are obvious reasons.</p> <p>Thanks! 
♥️</p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Want to work for 1Password?</h3> <p class="c-call-to-action-box__text"> Browse our current job openings to see if there’s an opportunity that matches your career goals. </p> <a href="https://1password.com/jobs/?utm_ref=blog" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> View our open positions </a> </div> </section></description></item><item><title>Keep your heart and your passwords safe with 1Password</title><link>https://blog.1password.com/keep-your-heart-safe-with-1password/</link><pubDate>Tue, 14 Feb 2023 00:00:00 +0000</pubDate><author>info@1password.com (Emily Chioconi)</author><guid>https://blog.1password.com/keep-your-heart-safe-with-1password/</guid><description> <img src='https://blog.1password.com/posts/2023/keep-your-heart-safe-with-1password/header.png' class='webfeedsFeaturedVisual' alt='Keep your heart and your passwords safe with 1Password' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">With February upon us, we can all feel the love in the air. But no matter what kind of love you’re celebrating, you and yours deserve a place to keep your secrets safe – from love letters to passwords.</p> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div class="c-technical-aside-box__description"> <p>1Password makes sharing passwords, logins, credit cards and more a (romantic) walk in the park. And nothing says my partner is off the market quite like matching clothes, jewelry, and password managers. 
Show off your couple status by helping them <a href="https://1password.com/switch/">switch to 1Password</a> today – we’ll even help you entice them over by crediting the remainder of their invoice with a competitor when they make the move.</p> </div> </aside> <p>To make your Valentine’s Day even more safe and sweet, we called in our favorite newspaper columnist, the 1LoveExpert, to answer some questions about love and security. 💝 🔑</p> <p><em><strong>Dear 1LoveExpert,</strong></em></p> <p><em><strong>I need your opinion. Things are getting serious between me and my partner, and I just don’t know if I’m ready. I went to their place for dinner, and we’d just settled in to stream a movie when they said those three words I wasn’t prepared for: “What’s your password?” I just don’t know if I want to move so fast with password sharing. What should I do?</strong></em></p> <p><em><strong>Sincerely,</strong></em> <em><strong>Movie-ing too fast</strong></em> 😱</p> <p>Dear Movie-ing too fast,</p> <p><a href="https://1password.com/features/secure-password-sharing/">Sharing passwords</a> is a huge step that requires trust and commitment. That said, not sharing passwords at all, regardless of where you’re at in your relationship, can also be a sign of trust and maturity. In fact, 33% of people believe that <a href="https://blog.1password.com/love-and-logins/">not sharing passwords in a relationship is healthy</a>, and a good chunk of younger generations won’t even consider password sharing until they’re <a href="https://blog.1password.com/love-and-logins/">dating exclusively</a>.</p> <p>There&rsquo;s no need to rush. Sharing passwords can be a gradual process that you and your partner discuss over time. In the meantime, if you’re not completely ready to let that firewall down but want to enjoy the convenience of password sharing, 1Password can help. 
With <a href="https://blog.1password.com/psst-item-sharing/">Item Sharing</a>, you can securely share any item for a limited amount of time, even if they don’t use 1Password. If the relationship doesn’t work out, you can change the password any time. But if cupid did a good job and you’re ready to make that relationship status official, you can share even more while still protecting yourself. 1Password Families lets you share only the logins and information you’re comfortable with while keeping everything else private. Plus, 1Password Families is more affordable than two separate accounts.</p> <p>Sincerely, 1LoveExpert</p> <p><em><strong>Dear 1LoveExpert,</strong></em></p> <p><em><strong>My son&rsquo;s growing up so fast! He’s doing online school right now, and just created an account on a new platform for sending digital Valentines to his classmates. When I was helping him set it up, I noticed he chose the password &ldquo;iloveyou.&rdquo; It melted my heart, but I want him to learn about the importance of strong passwords. How can I start teaching him to build better online security habits at a young age?</strong></em></p> <p><em><strong>Anxiously yours,</strong></em> <em><strong>Password Papa</strong></em> 👨👦</p> <p>Dear Password Papa,</p> <p>Building good security habits early is a great way to prioritize online safety, and you’re not the only parent thinking about this. <a href="https://1password.com/resources/the-family-password-paradigm/">40% of parents</a> talk about online security with their preschool children, which is great to see! It’s also important to get your own security habits up to standard so you’re setting a good example your son can eventually take on himself. Alarmingly, <a href="https://1password.com/resources/the-family-password-paradigm/">55% of dads</a> let their children share their family’s streaming account information with friends, for example. 
While password sharing isn’t wrong in and of itself, doing so securely and selectively is crucial.</p> <p>You can begin with small steps, like making the secure option the easiest option to choose. With 1Password Families, you can help your son get in the habit of creating strong passwords while signing in with a single click. It can also be used to securely access other items he might need to stay safe, like alarm codes, <a href="https://1password.com/features/secure-notes/">secure notes</a>, and limited-time logins.</p> <p>Sincerely, 1LoveExpert</p> <p><em><strong>Dear 1LoveExpert,</strong></em></p> <p><em><strong>My long-time partner forgets everything and it’s a constant headache! I love them dearly but it’s been 25 years of reminding them about passwords, credit card verification codes, and even their blood type! Definitely the kind of person to forget their head if it wasn’t attached. How can I make my life easier?</strong></em></p> <p><em><strong>Begrudgingly,</strong></em> <em><strong>Chief Memory Officer</strong></em> 😒</p> <p>Dear Chief Memory Officer,</p> <p>As a member of the forgetful partner community, I apologize on behalf of all of us. If you’re about ready to lock your partner away and “lose” the key, I can offer some perspective. Forgetting passwords is super common, and it’s likely why <a href="https://1password.com/resources/the-family-password-paradigm/">26% of people</a> still use their first-ever password for an online account. Usually, telling that forgetful someone to “write it down” would be a good call, but when it comes to credit cards and other sensitive information, you only want that in a safe place.</p> <p>1Password is a secure place to store and share everything that&rsquo;s important to you. It gives you the option to &ldquo;write it down&rdquo; without putting yourself at risk. Passport numbers, loyalty cards, medical records – you name it. 
And when you update a shared password, your partner will have access to the new one right away. You don&rsquo;t have to tell them it&rsquo;s changed, or worry about whether they&rsquo;ll remember the new one when they try to log in.</p> <p>Sincerely, 1LoveExpert</p> <h2 id="share-the-love-with-1password">Share the love with 1Password</h2> <p>When it comes to those you love, never be afraid to wear your heart on your sleeve – but always keep your passwords in 1Password. Make your move and encourage those you love to <a href="https://1password.com/switch/">switch to 1Password</a>, or get started with <a href="https://1password.com/personal/">1Password Families</a> today.</p> <p>Want to know more? You can read about love and logins in our <a href="https://blog.1password.com/love-and-logins/">report on password sharing and relationships</a>, or find out how other families manage the password paradigm in our <a href="https://1password.com/resources/the-family-password-paradigm/">report on online safety in the home</a>.</p> <section class="c-call-to-action-box c-call-to-action-box--purple"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Secure your partner&#39;s digital life with 1Password</h3> <p class="c-call-to-action-box__text"> Show off your couple status by helping your partner switch to 1Password, the world's most-loved password manager. 
</p> <a href="https://1password.com/switch/" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--purple" data-event-category="CTA" data-event-action="call-to-action-button"> Switch to 1Password </a> </div> </section></description></item><item><title>Goodbye, passwords</title><link>https://blog.1password.com/unlock-1password-with-passkeys/</link><pubDate>Thu, 09 Feb 2023 00:00:00 +0000</pubDate><author>info@1password.com (Steve Won)</author><guid>https://blog.1password.com/unlock-1password-with-passkeys/</guid><description> <img src='https://blog.1password.com/posts/2023/goodbye-passwords/header.png' class='webfeedsFeaturedVisual' alt='Goodbye, passwords' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">We’re all in on passkeys, and we’re starting with 1Password.</p> <p>Passkeys are the modern alternative to passwords. They’re easier to use, harder to steal or crack, and built on proven, open standards designed to make logging in to your favorite apps and services <a href="https://blog.1password.com/what-are-passkeys/">faster and more secure</a>.</p> <p>And they couldn’t come at a better time: credential-based attacks are only accelerating. In 2022, it was rare that a month went by without a high-profile social, identity, or security service being breached.</p> <p>Instead of playing whac-a-mole with passwords, why not eliminate that avenue of attack outright? That&rsquo;s our mission. It’s why we&rsquo;re at the forefront of passwordless advocacy, and why we’ve committed to adding full support to 1Password for <a href="https://www.future.1password.com/passkeys/">generating, managing, and using passkeys</a>.</p> <p>But there&rsquo;s still one small gotcha, and it&rsquo;s right there in our name: &ldquo;one password.&rdquo;</p> <p>For passkeys to be the way forward, it&rsquo;s not enough for them to replace some of your passwords. 
They have to be able to replace <strong>all</strong> passwords – including the one you use to unlock 1Password.</p> <p>So we’re incredibly excited to announce that, starting this summer, you’ll have the option to create and unlock your 1Password account using only a passkey! No passwords required.</p> <h2 id="what-this-means-for-you">What this means for you</h2> <p>Now, unlocking 1Password without a password is nothing new. It’s something we do every day using biometrics. 1Password was the first third-party iOS app to offer Touch ID, all the way back in 2014, and since then we’ve added support for Face ID, Windows Hello, Android Fingerprint, and more.</p> <p>But as convenient as biometrics are today, they don’t actually replace the password; they only mask it. That’s why 1Password asks you to type in your password periodically in order to ensure that you have it memorized.</p> <img src='https://blog.1password.com/posts/2023/goodbye-passwords/passwordlessdiagram.png' alt='A diagram showing the &#39;past&#39;, where biometrics are used to mask traditional passwords, and the &#39;future&#39;, where biometrics are used to authenticate when you want to use a passkey.' title='A diagram showing the &#39;past&#39;, where biometrics are used to mask traditional passwords, and the &#39;future&#39;, where biometrics are used to authenticate when you want to use a passkey.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>Passkeys also use biometrics, but they allow us to go farther and eliminate the underlying password entirely. If you’re curious to learn how exactly they work, you can explore <a href="https://blog.1password.com/what-are-passkeys/">our passkey explainer</a>. But in a nutshell, passkeys are built on the same security foundation as our Secret Key – <a href="https://blog.1password.com/what-is-public-key-cryptography/">public key cryptography</a> – but without requiring a password. 
This ensures strong security properties, while being a heck of a lot more convenient to use.</p> <p>It’s win-win for both security and usability.</p> <p>All you’ll ever need to sign in to 1Password, unlock your vaults, and securely access your data is your one passkey.</p> <p>More and more <a href="https://passkeys.directory/?utm_medium=direct&amp;utm_source=1password&amp;utm_campaign=passwordless&amp;utm_ref=blog">sites and services are adding passkey support</a> every week, but whether you&rsquo;re first in line to start using them, or you need to rely on passwords for a while longer, we&rsquo;ve got you covered.</p> <p>With 1Password, you can focus on what you need to get done without worrying about how you&rsquo;re signing in.</p> <h2 id="from-1password-to-no-password">From 1Password, to No Password?</h2> <p>It feels counter-intuitive at first: how can your data be safe if you don’t even use a password to access it? Well, the properties that make passkeys more secure than passwords in general also make them ideal for securing 1Password.</p> <p>Unlike user-created passwords, passkeys are strong and unique by default. They’re generated and stored on your devices, and they’re never shared with our cloud service.</p> <p>Passkeys are also resistant to phishing, and they have a full 256 bits of entropy to prevent cracking – providing even more protection than our <a href="https://blog.1password.com/what-the-secret-key-does/">Secret Key</a>. They’re safeguarded by biometrics and hardware-level security. And we’re building them to be portable between all your devices and platforms.</p> <p>Passkeys unlock truly exciting possibilities for 1Password users. 
With them, you can:</p> <ul> <li>Create a 1Password account without a password <em>or</em> a Secret Key.</li> <li>Sign in on new devices with ease.</li> <li>Use your phone to unlock 1Password on your Mac, PC, and in the browser.</li> <li>Accelerate onboarding for enterprise users, or friends and family.</li> <li>Use built-in biometric authenticators everywhere you use 1Password including on the web.</li> </ul> <p>This is just the beginning of our passkey journey. And while there’s still a lot of work to be done, we wanted to share a glimpse of where we’re headed:</p> <div style="text-align: center !important;"> <iframe src="https://www.youtube-nocookie.com/embed/gDK-p_GBG5U" frameborder="0" allow="autoplay; encrypted-media" width="500px !important;" height="281px !important;" style="width: 500px !important; height: 281px !important; display: inline-block !important" allowfullscreen></iframe> </div> <p>If you&rsquo;re amped up by what you see here, keep in touch. Sign up for our <a href="https://1password.com/passwordless-news/?utm_source=1password+&amp;utm_medium=blog&amp;utm_campaign=goodbye_passwords">passwordless newsletter</a>, follow us on <a href="https://1password.social/@1password">Mastodon</a>, or reach out directly to <a href="mailto:passwordless@1password.com">passwordless@1password.com</a>.</p></description></item><item><title>How to disable browser password manager prompts</title><link>https://blog.1password.com/disable-browser-password-manager/</link><pubDate>Wed, 08 Feb 2023 00:00:00 +0000</pubDate><author>info@1password.com (Emily Chioconi)</author><guid>https://blog.1password.com/disable-browser-password-manager/</guid><description> <img src='https://blog.1password.com/posts/2023/disable-browser-password-manager/header.png' class='webfeedsFeaturedVisual' alt='How to disable browser password manager prompts' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">So you’ve set yourself up with a 
password manager and you’re feeling like a cybersecurity wizard – as you should! Flying high, you hop online, ready to effortlessly log in with a single click – but suddenly, it happens.</p> <p>Your go-to browser is still offering to save your passwords, getting in the way of your smooth sailing. Not cool.</p> <p>These prompts can turn from mild inconveniences to major annoyances fast, so it&rsquo;s best to turn them off as soon as possible. Struggling to find the right option or toggle to disable your browser&rsquo;s built-in password manager? Here&rsquo;s a quick guide for Chrome, Safari, Edge, Brave, and Firefox.</p> <h2 id="disabling-browser-password-manager-prompts">Disabling browser password manager prompts</h2> <p>First, if you haven’t already, make sure to <a href="https://support.1password.com/import/">move any passwords</a> you’ve saved in your browser over to your password manager so they’re safely stored and easily accessible. Now you can move on to disabling your browser password manager prompts:</p> <h3 id="chrome">Chrome:</h3> <ul> <li>Launch Chrome.</li> <li>At the top right, select <strong>Profile</strong> and then <strong>Passwords</strong>.</li> <li>Turn <strong>Offer to save passwords</strong> off.</li> </ul> <p><a href="https://support.google.com/chrome/answer/95606?hl=en&amp;co=GENIE.Platform%3DDesktop">Learn more &raquo;</a></p> <h3 id="firefox">Firefox:</h3> <ul> <li>Launch Firefox.</li> <li>In the Menu bar at the top of the screen, select <strong>Firefox</strong> and select <strong>Preferences</strong>. 
Select the menu button.</li> <li>Select <strong>Privacy &amp; Security</strong> in the panel to the left.</li> <li>Scroll down to the <strong>Logins and Passwords</strong> section.</li> <li>Uncheck the box next to <strong>Ask to save logins and passwords for websites</strong>.</li> </ul> <p><a href="https://support.mozilla.org/en-US/kb/disable-password-saving-firefox">Learn more &raquo;</a></p> <h3 id="safari">Safari:</h3> <ul> <li>Launch Safari.</li> <li>Select the Safari menu and choose <strong>Preferences</strong>.</li> <li>Select the <strong>AutoFill</strong> icon.</li> <li>Turn off all the AutoFill settings: <strong>Using info from my contacts</strong>, <strong>Usernames and passwords</strong>, <strong>Credit cards</strong>, and <strong>Other forms</strong>.</li> </ul> <p><a href="https://support.apple.com/en-ca/guide/safari/ibrwa005/16.1/mac/13.0">Learn more &raquo;</a></p> <h3 id="edge">Edge:</h3> <ul> <li>Launch Edge.</li> <li>Select <strong>Settings and more</strong> and then choose <strong>Settings</strong>.</li> <li>Select <strong>Profiles</strong> and then choose <strong>Passwords</strong>.</li> <li>Turn off <strong>Offer to save passwords</strong>.</li> </ul> <p><a href="https://support.microsoft.com/en-us/microsoft-edge/save-or-forget-passwords-in-microsoft-edge-b4beecb0-f2a8-1ca0-f26f-9ec247a3f336">Learn more &raquo;</a></p> <h3 id="brave">Brave:</h3> <ul> <li>Launch Brave.</li> <li>Open the Main Menu in the top right.</li> <li>Select <strong>Settings</strong> then <strong>Additional Settings</strong> then <strong>Auto-fill</strong> then <strong>Passwords</strong>.</li> <li>Turn off <strong>Offer to Save Passwords</strong>.</li> </ul> <p><a href="https://support.brave.com/hc/en-us/articles/360018185951-How-do-I-use-the-built-in-password-manager-">Learn more &raquo;</a></p> <p>Once you’re all set, don’t forget to <a href="https://support.1password.com/disable-browser-password-manager/#if-youre-using-chrome-edge-or-brave-mac">erase any passwords</a> 
that you might have saved using your browser&rsquo;s built-in password manager. This will make sure your sensitive information is only stored in one, easy-to-find spot, and has the added benefit of helping you cut down on <a href="https://blog.1password.com/secure-yourself-digital-declutter-checklist/">digital clutter</a>.</p> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div class="c-technical-aside-box__description"> <p>If you use your phone or tablet for browsing, you can also disable browser password manager prompts <a href="https://support.1password.com/disable-browser-password-manager/">on iOS</a> or <a href="https://support.1password.com/disable-browser-password-manager/">Android</a>.</p> </div> </aside> <h2 id="take-full-advantage-of-your-password-manager">Take full advantage of your password manager</h2> <p>Once you&rsquo;ve disabled your browser&rsquo;s password manager prompts, you can enjoy the <a href="https://blog.1password.com/5-reasons-to-stop-using-your-web-browser-password-manager/">full benefits of a dedicated password manager</a>, including:</p> <ul> <li>Access to your logins on every device and browser.</li> <li>The flexibility to <a href="https://blog.1password.com/storing-1password/">store any kind of sensitive data</a>, not just passwords.</li> <li>A tool focused only on storing and protecting your data, and nothing else.</li> </ul> <h2 id="the-simple-life">The simple life</h2> <p>Adopting a password manager like 1Password is all about making your life as simple and secure as possible, so don’t let unwanted browser prompts get in the way. 
It can be easy to put off this little bit of digital housekeeping, but trust us – it&rsquo;s a task worth completing sooner rather than later.</p> <p>Once you&rsquo;ve turned off your browser&rsquo;s built-in password manager, you can get back to seamlessly saving and autofilling passwords throughout the day, regardless of which device or browser you&rsquo;re using.</p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Ready to protect yourself?</h3> <p class="c-call-to-action-box__text"> Keep all of your accounts secure with 1Password, the world’s most-trusted password manager. Get started today with a free 14-day trial. </p> <a href="https://1password.com/pricing/" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Try free for 14 days </a> </div> </section></description></item><item><title>Why you can trust 1Password's cloud-based storage and syncing</title><link>https://blog.1password.com/why-trust-1password-cloud/</link><pubDate>Mon, 06 Feb 2023 00:00:00 +0000</pubDate><author>info@1password.com (Nick Summers)</author><guid>https://blog.1password.com/why-trust-1password-cloud/</guid><description> <img src='https://blog.1password.com/posts/2023/why-trust-1password-cloud/header.png' class='webfeedsFeaturedVisual' alt='Why you can trust 1Password's cloud-based storage and syncing' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction"><em>&lsquo;Can I trust a password manager that stores my data in the cloud?'</em></p> <p>It&rsquo;s a good question to ask.</p> <p>After all, your passwords, credit cards, and other private information are precious. 
And when you choose a password manager with cloud-based syncing, you&rsquo;re relying on someone else to watch and guard the server where your data is stored.</p> <p>But to answer the question: Yes, you can trust 1Password, which uses the cloud to keep your data in sync across your devices.</p> <p>Our systems are designed so that <a href="https://blog.1password.com/how-1password-protects-your-data/">your data would remain safe</a> even if an attacker gained access to our servers.</p> <p>Here&rsquo;s how it works.</p> <h2 id="what-would-happen-if-1passwords-servers-were-breached">What would happen if 1Password&rsquo;s servers were breached</h2> <p>The data you store in 1Password is <em>always</em> kept fully encrypted on our servers. And when we say &ldquo;data&rdquo;, we mean everything, including the names of your vaults, and the website URLs associated with each saved password.</p> <p>If an attacker somehow infiltrated one of our servers, the best they could hope to find is reams and reams of scrambled information. All of this encrypted gibberish would be useless without the means to decrypt it.</p> <p>Two ingredients are required to access and read your vault data:</p> <ul> <li>Your <a href="https://blog.1password.com/toward-better-master-passwords/">account password</a></li> <li>Your <a href="https://blog.1password.com/what-the-secret-key-does/">Secret Key</a></li> </ul> <p>Let&rsquo;s take each of them in turn, and how they would protect your data in the event of a breach.</p> <h2 id="how-your-account-password-protects-your-data">How your account password protects your data</h2> <p>Your account password is chosen by you. Once you&rsquo;ve set up 1Password and saved all your other logins, it&rsquo;s the only password you&rsquo;ll need to remember.</p> <p>An account password <a href="https://support.1password.com/strong-account-password/">should be long and unique, but also memorable</a>. 
It can be hard to remember a password like <span class="c-password c-password__displayinlineflex"> <span class="c-password__letter">“</span> <span class="c-password__letter">t</span> <span class="c-password__digits">2</span> <span class="c-password__letter">B</span> <span class="c-password__letter">m</span> <span class="c-password__letter">i</span> <span class="c-password__letter">K</span> <span class="c-password__letter">a</span> <span class="c-password__letter">E</span> <span class="c-password__letter">D</span> <span class="c-password__letter">F</span> <span class="c-password__letter">M</span> <span class="c-password__letter">c</span> <span class="c-password__letter">M</span> <span class="c-password__letter">q</span> <span class="c-password__letter">N</span> <span class="c-password__letter">q</span> <span class="c-password__digits">4</span> <span class="c-password__letter">C</span> <span class="c-password__letter">f</span> <span class="c-password__letter">j</span> <span class="c-password__letter">”</span> </span> , so we suggest creating a random passphrase with our <a href="https://1password.com/password-generator/">free online password generator</a>.</p> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div class="c-technical-aside-box__description"> <p>Passphrases are created by combining a handful of real but unrelated words. A passphrase could be &ldquo;ball-possibility-moon-car&rdquo;, for instance. As long as each word is random (e.g. the words have no connection to you, or each other) the passphrase will be difficult for hackers to guess or crack with a brute-force attack.</p> </div> </aside> <p><strong>Your account password is never stored by or visible to us.</strong> So if an attacker gained access to our servers, they wouldn&rsquo;t find your account password and couldn’t, therefore, unscramble your encrypted data.</p> <p>We understand that many people will find it tough to choose a strong but memorable password. 
That&rsquo;s why we don&rsquo;t rely solely on the strength of your chosen password to protect your private data.</p> <p>Enter the Secret Key.</p> <h2 id="how-the-secret-key-protects-your-data">How the Secret Key protects your data</h2> <p>The Secret Key is a security feature that’s unique to 1Password. It&rsquo;s an account-specific, 128-bit strong encryption ingredient that contains 34 letters and numbers, separated by dashes.</p> <p>In simple terms, every Secret Key represents 340,282,366,920,938,463,463,374,607,431,768,211,456 possible combinations. Cracking it would be an insurmountable task for even the most powerful supercomputer.</p> <p>The Secret Key is generated on your device when you first create your account. It’s never sent to us in full. <strong>Only you have access to it.</strong></p> <p>We don’t expect you to memorize your Secret Key – it’s too long for that. Instead, it’s stored securely on all the devices you’ve used to sign in to your account. Your unique Secret Key is combined with your account password to create the full encryption key that encrypts everything you store in 1Password.</p> <p>This process happens on <em>your device</em>, which is why we don&rsquo;t need to store either your account password or Secret Key on our servers.</p> <h2 id="how-tls-and-srp-protect-your-data">How TLS and SRP protect your data</h2> <p>Since we never see your account password or Secret Key, we need another way to confirm your identity and make sure your encrypted data doesn’t fall into the wrong hands.</p> <p>Here’s how we protect you from a theoretical attacker trying to impersonate 1Password and trick you into sharing your account details:</p> <p>Industry-standard Transport Layer Security (TLS) provides a first line of defense, but we’ve bolstered it with a custom protocol known as <a href="https://blog.1password.com/developers-how-we-use-srp-and-you-can-too/">Secure Remote Password (SRP)</a> that handles communication between your devices and our 
servers. Unlike a traditional login process, SRP ensures you never have to share sensitive information.</p> <p>With SRP, your account password and Secret Key are used to generate a new key – one that&rsquo;s entirely separate from the one that encrypts your 1Password data.</p> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div class="c-technical-aside-box__description"> <p>Curious how SRP works? The 1Password app on your device sends our server a series of puzzles. Once solved, these prove to the server that you know your account password and Secret Key without having to share them. Similarly, our server has to prove to your device that it holds the account data you’re asking for.</p> <p>These puzzles are different every time the 1Password app connects to our servers, so they can never be replicated by an outside observer.</p> </div> </aside> <h2 id="trust-our-track-record">Trust our track record</h2> <p>1Password has been around for more than a decade. And in that time, we’ve always given our customers’ data the protection it deserves.</p> <p>To ensure your information stays secure, we&rsquo;re routinely audited by third-party security experts. <a href="https://support.1password.com/security-assessments/">We also publish the reports produced by each auditor</a>.</p> <p>In addition, 1Password has a bug bounty program with <a href="https://blog.1password.com/increasing-our-bug-bounty-investment/">a top reward of $1 million</a>.</p> <p>This is on top of the time and effort our security team invests every day to ensure your data is kept as secure as possible.</p> <h2 id="the-bottom-line">The bottom line</h2> <p>Can you trust 1Password to look after your passwords, credit cards, and other digital secrets? 
Absolutely.</p> <p>The idea that it&rsquo;s safer to entrust account credentials, payment info, documents, and identities that make up our modern lives to someone else can feel counterintuitive.</p> <p>But keeping all of this data to yourself means that you – and <em>only</em> you – are responsible for protecting it. That could make you a more attractive mark for thieves.</p> <p>Consider things from the attacker&rsquo;s perspective: what&rsquo;s more likely to succeed &hellip; breaking into a heavily fortified system of interlocking security protocols designed and staffed by a team of experts whose job it is to keep you out? Or snatching an individual&rsquo;s private server, laptop, or password notebook?</p> <p>Here at 1Password, every decision we make is meticulously tested and thought through to ensure it prioritizes the safety of your data above everything else. That includes the design of our cloud-based storage and syncing services.</p> <p>But even if our infrastructure <em>were</em> somehow breached, you can rest assured your data wouldn&rsquo;t be at risk.</p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Secure your digital life with 1Password</h3> <p class="c-call-to-action-box__text"> Keep all of your accounts secure with 1Password, the world’s most-trusted password manager. Get started today with a free 14-day trial. 
</p> <a href="https://1password.com/pricing/" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Try free for 14 days </a> </div> </section></description></item><item><title>Git + Touch ID, plus four more reasons why developers love 1Password</title><link>https://blog.1password.com/reasons-why-developers-love-1password/</link><pubDate>Thu, 02 Feb 2023 00:00:00 +0000</pubDate><author>info@1password.com (Amanda Crawley & Andi Titu)</author><guid>https://blog.1password.com/reasons-why-developers-love-1password/</guid><description> <img src='https://blog.1password.com/posts/2023/reasons-why-developers-love-1password/header.png' class='webfeedsFeaturedVisual' alt='Git + Touch ID, plus four more reasons why developers love 1Password' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Recent breaches <a href="https://www.techtarget.com/searchsecurity/answer/Uber-breach-How-did-a-private-GitHub-repository-fail-Uber">at Uber</a> and <a href="https://www.wired.com/story/slack-data-breach-security-news-roundup/">Slack</a> highlight the risks of storing secrets in plaintext on disk. But that’s just the way it works, right?</p> <h2 id="1-your-daily-git-pull-is-as-easy-as-scanning-your-fingerprint">1. Your daily <code>git pull</code> is as easy as scanning your fingerprint</h2> <p>With our <a href="https://developer.1password.com/docs/ssh">SSH Agent</a> we’ve made your morning <code>git pull</code> as easy and secure as unlocking 1Password – only a scan of your fingerprint required! New keys can be generated in 1Password and synced with Git clients in seconds, then used without the private key ever leaving 1Password. You can use the SSH agent not only for authenticating Git in your daily work, but also to SSH into remote machines. 
Plus, when you work from other devices, you can take all your keys with you.</p> <img src='https://blog.1password.com/posts/2023/reasons-why-developers-love-1password/necmttn.png' alt='A tweet from Twitter user &#39;Necmmtn&#39; which reads: This is probably the coolest security upgrade I&#39;ve ever done. Welcome to the feature.' title='A tweet from Twitter user &#39;Necmmtn&#39; which reads: This is probably the coolest security upgrade I&#39;ve ever done. Welcome to the feature.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <h2 id="2-shell-plugins-make-the-magic-happen-with-all-your-clis">2. Shell plugins make the magic happen with all your CLIs</h2> <p>Why should the magic stop at Git? <a href="https://developer.1password.com/docs/cli/shell-plugins">Shell Plugins</a> allow you to authenticate with biometrics to all the CLIs you know and love, saving you from unnecessary typing or storing keys in plain text on your disk. Not only do we have <a href="https://developer.1password.com/docs/cli/shell-plugins">over two dozen CLIs</a> currently supported, but you can also build your own – it’s <a href="https://github.com/1Password/shell-plugins">open source</a>!</p> <img src='https://blog.1password.com/posts/2023/reasons-why-developers-love-1password/twiliodevs.png' alt='A tweet from Twitter user &#39;TwilioDevs&#39; that reads: &#39;Mac/Linux devs! You can now securely authenticate in the Twilio CLI with your fingerprint using a 1Password shell plugin.' title='A tweet from Twitter user &#39;TwilioDevs&#39; that reads: &#39;Mac/Linux devs! You can now securely authenticate in the Twilio CLI with your fingerprint using a 1Password shell plugin.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <img src='https://blog.1password.com/posts/2023/reasons-why-developers-love-1password/stripedevs.png' alt='A tweet from Twitter user &#39;StripeDev&#39; that reads: Stripe CLI :handshake::skin-tone-2: 1Password.' 
title='A tweet from Twitter user &#39;StripeDev&#39; that reads: Stripe CLI :handshake::skin-tone-2: 1Password.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <img src='https://blog.1password.com/posts/2023/reasons-why-developers-love-1password/shyim97.png' alt='A tweet from Twitter user &#39;Shyim97&#39; that reads: That&#39;s why I like using 1Password. It improves my developer life a lot with SSH and now even third party CLIs.' title='A tweet from Twitter user &#39;Shyim97&#39; that reads: That&#39;s why I like using 1Password. It improves my developer life a lot with SSH and now even third party CLIs.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <h2 id="3-verified-commits-for-all-your-teams-projects">3. Verified commits for all your team’s projects</h2> <p><a href="https://developer.1password.com/docs/ssh/git-commit-signing">Sign your git commits</a> and tags with SSH keys generated and stored in 1Password – no typing, no sensitive secrets on your filesystem, no figuring out archaic GPG keys – and be confident that every team member is who they say they are. This includes your open source projects! (Did you know you can get a free 1Password Teams account for <a href="https://github.com/1Password/1password-teams-open-source">open source projects</a>?)</p> <img src='https://blog.1password.com/posts/2023/reasons-why-developers-love-1password/kenmandk.png' alt='A tweet from Twitter user &#39;Kenmand&#39; that reads: Just realized 1Password v8 streamlined how to create and configure SSH keys for signing git commits, making it a matter of seconds to set up and run.' title='A tweet from Twitter user &#39;Kenmand&#39; that reads: Just realized 1Password v8 streamlined how to create and configure SSH keys for signing git commits, making it a matter of seconds to set up and run.' 
style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <img src='https://blog.1password.com/posts/2023/reasons-why-developers-love-1password/paulredmond.png' alt='A tweet from Twitter user &#39;Paulredmond&#39; that reads: It&#39;s a game-changer for me, and I am finally starting to sign my Git commits using a separate key I manage in 1Password.' title='A tweet from Twitter user &#39;Paulredmond&#39; that reads: It&#39;s a game-changer for me, and I am finally starting to sign my Git commits using a separate key I manage in 1Password.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <h2 id="4-collaborate-without-revealing-plaintext-secrets-in-your-code">4. Collaborate without revealing plaintext secrets in your code</h2> <p>Now that you’re reasonably sure that none of your teammates are secretly two kids in a trench coat, let’s talk sharing. With 1Password CLI you can reference secrets stored within 1Password – underneath <a href="https://blog.1password.com/how-1password-protects-your-data/">several encryption layers</a> – directly in code. This means you can share them securely within your team without plainly saving any sensitive data or sending secrets by carrier pigeon (and let’s be honest, with remote work, trip latency would be guaranteed). 1Password even has integrations with the <a href="https://developer.1password.com/docs/vscode">VSCode</a> and <a href="https://blog.1password.com/1password-jetbrains/">JetBrains</a> IDEs to flag plaintext secrets and make sure you’re sticking to best practices.</p> <img src='https://blog.1password.com/posts/2023/reasons-why-developers-love-1password/ch99q.png' alt='A tweet from Twitter user &#39;_ch99q&#39; which reads: 1Password for design, biometric support, and their focus on developer experiences like biometrics for SSH keys and VSCode extensions for secrets.' 
title='A tweet from Twitter user &#39;_ch99q&#39; which reads: 1Password for design, biometric support, and their focus on developer experiences like biometrics for SSH keys and VSCode extensions for secrets.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <h2 id="5-securely-automate-secrets-in-production">5. Securely automate secrets in production</h2> <p>Having all of your secrets at your fingertips (pun intended) in the <a href="https://developer.1password.com/docs/cli">terminal</a> means you can spend less time figuring out key management and more time solving the fun problems you really care about. Not only can you <a href="https://developer.1password.com/docs/ci-cd">provision secrets in your infrastructure with 1Password</a>, but your organization can roll out 1Password to everyone using <a href="https://support.1password.com/scim/">SCIM</a>.</p> <img src='https://blog.1password.com/posts/2023/reasons-why-developers-love-1password/carlozottmann.png' alt='A post from Mastodon user &#39;@czottmann@norden.social&#39; which reads: Man, the 1Password CLI is so damn good! Using secrets stored in a vault in shell scripts is so much easier than ever before, I love it.' title='A post from Mastodon user &#39;@czottmann@norden.social&#39; which reads: Man, the 1Password CLI is so damn good! Using secrets stored in a vault in shell scripts is so much easier than ever before, I love it.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <h2 id="in-conclusion">In conclusion…</h2> <p>Now that you know why other developers are using 1Password, take it for a spin yourself with a <a href="https://1password.com/business-pricing/">free two-week trial</a>. 
If you decide to move from another password manager, <a href="https://1password.com/switch/">we’ll even help cover the cost</a> by crediting the remainder of your invoice when you switch.</p></description></item><item><title>Simplify managing your team and business with the new Admin Dashboard</title><link>https://blog.1password.com/admin-dashboard/</link><pubDate>Tue, 31 Jan 2023 00:00:00 +0000</pubDate><author>info@1password.com (Skylar Nagao)</author><guid>https://blog.1password.com/admin-dashboard/</guid><description> <img src='https://blog.1password.com/posts/2023/admin-dashboard/header.png' class='webfeedsFeaturedVisual' alt='Simplify managing your team and business with the new Admin Dashboard' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Starting today, 1Password Teams and Business customers have access to a new, streamlined Admin Dashboard. The new dashboard is your home for reporting, Insights, Travel Mode, and user management.</p> <p>The current 1Password admin homepage and dashboard have joined forces to give you a single, more helpful homepage experience. The new dashboard brings the 1Password Business features you rely on together into one well-organized, easily accessible place.</p> <h2 id="whats-new">What&rsquo;s new</h2> <p>Bringing together high-level details about your business and quick-access links to useful features, the Admin Dashboard will give you a comprehensive overview of your account, team, and security posture.</p> <img src='https://blog.1password.com/posts/2023/admin-dashboard/Admin-dashboard1.png' alt='The 1Password Admin Dashboard showing the Team Overview, Insights, Reports, Travel Mode status, and team actions.' title='The 1Password Admin Dashboard showing the Team Overview, Insights, Reports, Travel Mode status, and team actions.' 
style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>All the 1Password Teams and Business features and functionality you know and love will remain the same, but you’ll now have a more accessible and efficient experience in one central location.</p> <h3 id="find-actionable-information-and-potential-risks-through-insights">Find actionable information and potential risks through Insights</h3> <p>You can now access Insights directly from the Admin Dashboard so you won’t miss a thing. The Insights dashboard consolidates information already available in places like the Team report, domain breach report, and Watchtower reports in one at-a-glance dashboard.</p> <img src='https://blog.1password.com/posts/2023/admin-dashboard/Insights1.png' alt='The 1Password Insights dashboard showing statistics like breach checks, password health, and team usage.' title='The 1Password Insights dashboard showing statistics like breach checks, password health, and team usage.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <h3 id="better-understand-how-your-team-uses-1password-with-reports">Better understand how your team uses 1Password with Reports</h3> <p>With 1Password Business, you can create several <a href="https://support.1password.com/reports">different kinds of reports</a> to measure adoption, organize your data, and much more:</p> <ul> <li>An overview report</li> <li>A team report</li> <li>A usage report</li> <li>A domain breach report</li> <li>A Business Watchtower report</li> </ul> <p>Reports are now available right on the Admin Dashboard, making it easy to dig deeper whenever you need to.</p> <img src='https://blog.1password.com/posts/2023/admin-dashboard/Reports1.png' alt='The 1Password Reports dashboard showing options for security issues, account activity, and team insights.' title='The 1Password Reports dashboard showing options for security issues, account activity, and team insights.' 
style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <h3 id="streamline-managing-guests-members-and-teams">Streamline managing guests, members, and teams</h3> <p>Whether you’re inviting a new user, changing permissions, or keeping track of Travel Mode, being able to efficiently manage your team is crucial. You can now streamline your workflow when it comes to any admin actions or tools with the Admin Dashboard.</p> <img src='https://blog.1password.com/posts/2023/admin-dashboard/Team1.png' alt='The 1Password Admin dashboard showing the team overview, invitations, and account recovery.' title='The 1Password Admin dashboard showing the team overview, invitations, and account recovery.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <h2 id="everything-you-need-in-one-place">Everything you need in one place</h2> <p>Streamline your workflow, better secure your team, and get the most out of 1Password today. Take advantage of the brand new Admin Dashboard by simply signing into your account on <a href="https://start.1password.com/signin?l=en">1Password.com</a> and exploring your new homepage experience.</p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Secure your team with 1Password Business</h3> <p class="c-call-to-action-box__text"> Keep your team secure without slowing them down. Choose 1Password Business to gain complete control over passwords and other sensitive business information. 
</p> <a href="https://1password.com/business-pricing/" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Try free for 14 days </a> </div> </section></description></item><item><title>Building a better, more useful 1Password</title><link>https://blog.1password.com/better-more-useful-1password/</link><pubDate>Mon, 30 Jan 2023 00:00:00 +0000</pubDate><author>info@1password.com (Matt Grimes)</author><guid>https://blog.1password.com/better-more-useful-1password/</guid><description> <img src='https://blog.1password.com/posts/2023/better-more-useful-1password/header.png' class='webfeedsFeaturedVisual' alt='Building a better, more useful 1Password' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">The difference between good and great software isn&rsquo;t flashy features: it&rsquo;s the feeling of using a tool that <em>just works</em>. With this in mind, our team recently decided to press pause, roll up our collective sleeves, and spend some quality time improving the fundamentals of 1Password 8.</p> <p>First, we collected all the feedback you&rsquo;ve been sharing on our <a href="https://1password.community/">forum</a> and on <a href="https://1password.social/@1password">social media</a>, in various app store reviews, and through conversations with our team. We then turned these requests into a to-do list and tasked ourselves with bringing as many of them to life as possible.</p> <p>Below is a sneak peek at what we’ve been working on. (If you&rsquo;re an iPhone user, there’s a <em>lot</em> to be excited about.) All of these improvements are either live right now, or coming in the near future. 
We can&rsquo;t wait for you to try them.</p> <h2 id="reorder-fields-and-sections-inside-items">Reorder fields and sections inside items</h2> <p><strong>iOS: Available now</strong><br> <strong>Android: Available now</strong><br> <strong>Desktop: Available now</strong></p> <p>Every item can contain multiple fields and sections. But what if you want to re-order those different bits of information? Soon, you&rsquo;ll be able to do just that in 1Password 8. Just edit the item, then drag-and-drop to your heart&rsquo;s content.</p> <p>You might notice a couple of limitations at first, but we&rsquo;ll be working hard to give you true freedom and flexibility in every saved item. (We know this is a highly requested feature, so we want to get it into your hands as quickly as possible!)</p> <img src='https://blog.1password.com/posts/2023/better-more-useful-1password/reorderfields.png' alt='Two screenshots showing how to reorder fields in a saved item.' title='Two screenshots showing how to reorder fields in a saved item.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <h2 id="ability-to-search-within-any-list-of-items">Ability to search within any list of items</h2> <p><strong>iOS: Available now</strong><br> <strong>Android: Available now</strong></p> <p>We’re bringing this back to 1Password 8 for iOS and Android. In any list of items, you can enter a query to quickly find the one that you&rsquo;re looking for.</p> <img src='https://blog.1password.com/posts/2023/better-more-useful-1password/searchanytab.png' alt='Two iPhone screenshots showing how to search within a list of items.' title='Two iPhone screenshots showing how to search within a list of items.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <h2 id="pin-unlock-on-mobile">PIN unlock on mobile</h2> <p><strong>iOS: Coming soon</strong><br> <strong>Android: Coming soon</strong></p> <p>You asked for it, and it&rsquo;s happening. 
Soon, you&rsquo;ll have the ability to use your device PIN code or pattern to unlock 1Password. You will, of course, still have the option to unlock with biometrics or your account password, if that&rsquo;s your preference.</p> <img src='https://blog.1password.com/posts/2023/better-more-useful-1password/unlockpincode.png' alt='Two iPhone screenshots showing how to set a PIN Code in 1Password 8 for iOS.' title='Two iPhone screenshots showing how to set a PIN Code in 1Password 8 for iOS.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <h2 id="improved-face-id-unlock">Improved Face ID unlock</h2> <p><strong>iOS: Available now</strong></p> <p>Face ID is a fast and secure way to unlock 1Password and access everything stored in your vaults. We&rsquo;re working on a <em>lot</em> of improvements so that Face ID is an even more consistent way to unlock 1Password 8 for iOS and <a href="https://blog.1password.com/1password-for-safari/">1Password for Safari</a>.</p> <h2 id="set-a-default-vault-for-saved-items">Set a default vault for saved items</h2> <p><strong>iOS: Available now</strong><br> <strong>Android: Available now</strong><br> <strong>Desktop: Available now</strong></p> <p>Do you juggle a mixture of private and shared vaults? Or have a work and personal account, with multiple vaults in each? Set a default vault for all new items that you save via the browser, so that you never misplace any of your sensitive data.</p> <h2 id="better-voiceover-support">Better VoiceOver support</h2> <p><strong>iOS: Available now</strong></p> <p><a href="https://www.apple.com/voiceover/info/guide/_1121.html">VoiceOver</a> is an amazing accessibility feature by Apple that helps visually impaired people. We&rsquo;ve improved 1Password 8 so that VoiceOver no longer gets stuck in some text fields. 
The screen reader will also read out all characters as you go past them – even if you start editing the associated text.</p> <p>Finally, if you&rsquo;re typing in a text field and make a mistake, you can go back and find the right spot using the arrow keys. All the text will be selected and read out; however, you can also choose a specific part by holding shift and an arrow key.</p> <h2 id="a-simpler-set-up-process-for-new-users">A simpler setup process for new users</h2> <p><strong>Web: Available now</strong></p> <p>We want to make it easier for everyone to use a password manager, regardless of how tech-savvy they are. A new setup process on the web puts a greater focus on importing data and getting started with 1Password in the browser.</p> <h2 id="option-to-turn-off-emergency-kits-1password-business">Option to turn off Emergency Kits (1Password Business)</h2> <p><strong>Web: Available now</strong></p> <p>The <a href="https://support.1password.com/emergency-kit/">Emergency Kit</a> is a helpful document that gives team members all of their account information and a place to write their account password. While useful, we recognize that every business is unique, with its own people, culture, and security policies. So we&rsquo;ve added the option to disable Emergency Kits, reducing the friction for new team members who are getting started with 1Password.</p> <img src='https://blog.1password.com/posts/2023/better-more-useful-1password/disableemergencykit.png' alt='A screenshot showing how admins can turn off Emergency Kits in the web-based dashboard.' title='A screenshot showing how admins can turn off Emergency Kits in the web-based dashboard.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <h2 id="option-to-turn-off-file-storage-1password-business">Option to turn off file storage (1Password Business)</h2> <p><strong>Web: Available now</strong></p> <p>Don&rsquo;t want your team members storing documents and other files in 1Password? 
No problem. We&rsquo;re giving you the option to turn off file storage.</p> <img src='https://blog.1password.com/posts/2023/better-more-useful-1password/disablefilestorage.png' alt='A screenshot showing how admins can turn off file storage in the web-based dashboard.' title='A screenshot showing how admins can turn off file storage in the web-based dashboard.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <h2 id="option-to-enforce-2fa-using-only-security-keys-1password-business">Option to enforce 2FA using only security keys (1Password Business)</h2> <p><strong>Web: Available now</strong></p> <p>Enforcing two-factor authentication (2FA) adds an extra layer of protection to team members' 1Password accounts. But some forms of 2FA are stronger than others. Level up your security by requiring that everyone uses a FIDO2/WebAuthn <a href="https://blog.1password.com/hardware-security-keys-explained/">security key</a> to unlock 1Password.</p> <h2 id="and-so-so-much-more">And so, so much more</h2> <p>Here are some of the other updates that are now live in 1Password 8:</p> <ul> <li> <p>A new indicator in our mobile apps that makes it easier to access additional options within an item. For example, this will bring up the option to copy, reveal, or show a password in large type.</p> </li> <li> <p>An offline indicator will show when you don&rsquo;t have a connection to our servers.</p> </li> <li> <p>The option to specify that an item should &ldquo;never fill on this website&rdquo;. (Live in 1Password 8 for Mac, Windows and Linux, and coming soon to mobile!)</p> </li> <li> <p>A beautiful App Catalog on mobile that suggests items to add to your vaults. 
(Live in 1Password 8 for iOS, and coming soon to Android!)</p> </li> <li> <p>More ways to customize the home screen of 1Password 8 for iOS and Android.</p> </li> <li> <p>The ability to instantly open a saved address in your preferred map app.</p> </li> <li> <p>Simpler instructions for setting up autofill on an iPhone or Android device.</p> </li> <li> <p>Recently searched items will appear at the top of the search tab in 1Password 8 for iOS and Android. Search results will also load in as soon as you start typing.</p> </li> <li> <p>The option to specify that an item should only be filled on the exact domain you&rsquo;ve chosen. So a password for rick.greatmemes.com doesn&rsquo;t autofill on phil.greatmemes.com. (Live in 1Password 8 for Mac, Windows and Linux, and coming soon to mobile!)</p> </li> <li> <p>The ability to edit and delete vaults in 1Password 8 for iOS and Android.</p> </li> <li> <p>Accessibility improvements throughout 1Password 8 for iOS and Android.</p> </li> <li> <p>The ability to import passwords from within 1Password 8 for iOS and Android.</p> </li> <li> <p>1Password Business: A <a href="https://blog.1password.com/unlock-with-okta-public-preview/">public preview of Unlock with Okta</a>, which gives teams the ability to manage and secure everything in their password manager with single sign-on (SSO).</p> </li> </ul> <p>And here are some additional updates coming soon:</p> <ul> <li> <p>The option to turn off auto-submit while using <a href="https://1password.com/features/how-to-use-universal-autofill-on-mac/">Universal Autofill</a> in 1Password 8 for Mac.</p> </li> <li> <p>Helpful username suggestions that are based on usernames you’ve chosen and saved in 1Password before.</p> </li> </ul> <h2 id="thank-you">Thank you!</h2> <p>These updates are just a snapshot of what we&rsquo;ve been working on recently. 
If you want to learn more and keep up to date with the latest 1Password builds, check out our <a href="http://releases.1password.com/">releases</a> page.</p> <p>From everyone at 1Password: <strong>thank you</strong>. Your brilliant requests, ideas, and feedback help us build an even better password manager. One that allows everyone to use strong passwords and navigate the web without fear or friction.</p> <p>We hope you enjoy these new updates, and look forward to sharing even more features, tools, and enhancements with you in 2023!</p> <p><em>(Editor&rsquo;s note: This post was last updated on 02/15/2023.)</em></p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Make the leap to 1Password 8</h3> <p class="c-call-to-action-box__text"> Protection has evolved. Download 1Password 8 on all of your favorite devices. It’s everything you need for a worry-free digital life on the go. </p> <a href="https://1password.com/downloads/" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Download 1Password 8 </a> </div> </section></description></item><item><title>How the 1Password Starter Kit items keep you secure</title><link>https://blog.1password.com/starter-kit-items-explained/</link><pubDate>Fri, 27 Jan 2023 00:00:00 +0000</pubDate><author>info@1password.com (Megan Barker)</author><guid>https://blog.1password.com/starter-kit-items-explained/</guid><description> <img src='https://blog.1password.com/posts/2023/starter-kit-items-explained/header.png' class='webfeedsFeaturedVisual' alt='How the 1Password Starter Kit items keep you secure' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Allow me to tell you a brief story — a story in which you (yes, <em>you</em>) are the protagonist.</p> <p>You signed up for 1Password, opened the 
app, and noticed there were items in your newly created vault. You revealed the item fields to find your Secret Key and account password.</p> <p>You didn’t create the item and know 1Password doesn’t have your credentials; you understandably wonder what happened — and how.</p> <p>Sound familiar? You’re in the right place. In this article, I answer those very legitimate questions, in order, for bonus points, and address a couple others that may be lingering in the back of your mind.</p> <p>Let’s start at the beginning.</p> <h2 id="heres-what-happened">Here’s what happened</h2> <p>The 1Password sign-up process consists of many technical and mathematical <a href="https://1passwordstatic.com/files/security/1password-white-paper.pdf">complexities</a>. Among them is the code that triggers the creation of an Identity item and a Login item<sup id="fnref:1"><a href="#fn:1" class="footnote-ref" role="doc-noteref">1</a></sup> on your device.</p> <p>You’ll find the fields empty in the Identity item — they’re left for you to complete. Add your name, address, phone number, email address, and any other personal information you want at hand to quickly fill online forms.</p> <p>The Login item is completed for you. It contains everything you need to sign in to 1Password: the email address you used to sign up, your Secret Key, and the account password you chose during setup.</p> <p>Both items are secured the way every other 1Password item is <a href="https://support.1password.com/1password-security/">secured</a> — with end-to-end <a href="https://1password.com/security/">encryption</a> that requires both your Secret Key <em>and</em> account password for decryption. Together, the items form your 1Password Starter Kit.</p> <h2 id="why-it-happened">Why it happened</h2> <p>Your completed Identity item lets you quickly and safely fill basic personal information in a variety of web forms. 
If you save nothing else in 1Password for the rest of your life (not recommended), you’ll save time and hassle with that one item.</p> <p>The Login item is created to help you access your account on 1Password.com. If you need to sign in to make an account change, you can easily fill that complex, intricate, and very specific Secret Key with a click or <a href="https://support.1password.com/keyboard-shortcuts/">keyboard shortcut</a>, rather than digging around in the app, revealing the information, and performing a copy and paste.</p> <p>But there’s more to the item’s creation than convenience: It can also keep your 1Password account details secure. Thanks to <a href="https://support.1password.com/1password-security/#features">inbuilt phishing protection</a>, 1Password will only autofill saved credentials if you’re on the site those credentials were created for.</p> <p>So, imagine a world where you don’t have a Login item for 1Password.com. You receive a sophisticated phishing email that appears to be from 1Password. You click the button in the email and enter your login details, manually or by copy and paste, then sign in — to 1pa<strong>s</strong>word.com. You just shared all the information needed to decrypt your vault and everything in it with… who knows? That’s the point.</p> <p>Thankfully, you do have a Login item for the one-and-only 1Pa<strong>ss</strong>word.com. If you were to follow the link in the same phishing email, your login details wouldn’t be autofilled. And if you attempt to fill them, 1Password wouldn’t immediately oblige. Instead, you’d be notified that something is amiss, and given a gentle reminder to verify the website and form before you fill and transmit any information. <em>Phew</em>.</p> <p>And let’s just put it out there: Occasionally people forget their account passwords. (Not <em>you. Other</em> people.) 
Provided they can still unlock 1Password via biometrics or other means, they can reveal (and change) their password — after they find it in the Login item.</p> <h2 id="how-it-happened-and-other-concerns">How it happened, and other concerns</h2> <p>Your Starter Kit items are created <em>on your device</em>. 1Password — the <em>software</em>, not the company — has the ability to save your Secret Key and account password because you generated or entered them on <em>that</em> device.</p> <blockquote> <p><strong>You must have access to our credentials if you create the Login item!</strong> <em>- Anyone who reads this far in the article (and many redditors)</em></p> </blockquote> <p>You use your Secret Key and account password to locally encrypt and decrypt your data, so the software can be instructed to save that information the way it saves any other login. We — 1Password the company — have never had, and will never have, access to your Secret Key (<a href="https://blog.1password.com/what-we-dont-know-about-you/">beyond the first eight characters</a>) or the unencrypted (readable) version of your password.<sup id="fnref:2"><a href="#fn:2" class="footnote-ref" role="doc-noteref">2</a></sup></p> <blockquote> <p><strong>But the Login item stores my Secret Key and account password together on my device!</strong> <em>- You (probably)</em></p> </blockquote> <p>That’s true, but <em>only you</em> have the tools to decrypt that information. What are those tools? Your Secret Key and account password.</p> <p>Sure, that makes things a bit cyclical — you need your Secret Key and account password to unlock 1Password and access the Starter Kit item that contains your Secret Key and account password. But the item remains useful in the situations I described earlier.</p> <blockquote> <p><strong>So technically anyone with access to my device can steal my credentials?</strong> <em>- You (maybe)</em></p> </blockquote> <p>Not necessarily. 
If someone has local access to your device, 1Password is still protected by your (unique and secret) <a href="https://support.1password.com/strong-account-password/">strong account password</a>.</p> <p>But there isn’t a password manager on the market that can protect you from someone who knows your account password and has <em>full</em> access to your device — and the knowledge (and desire) to use them for nefarious purposes.</p> <p>It’s also <em>you</em> we’re talking about here — you have a device passcode and biometric unlock enabled, and full-disk encryption set up. (And, no, 1Password <a href="https://support.1password.com/search/?q=biometrics">doesn’t store</a> your biometric data, either.)</p> <h2 id="one-more-question">One more question</h2> <p>Will the Starter Kit items always be part of 1Password? I don’t know if they’ll be generated for every new user until the end of time. But whatever happens — no matter what’s revealed when you open 1Password the first time — know that it was designed and coded with our users, and their security, in mind.</p> <p>When we programmed 1Password to automatically create a Login item that contains your account details, we isolated the process to your device so the data starts and stays protected. You’re the only person who will ever see your Secret Key or know your account password unless you choose to share them.<sup id="fnref:3"><a href="#fn:3" class="footnote-ref" role="doc-noteref">3</a></sup></p> <p>If you’ve made it here, you’re likely curious and security conscious and, I suspect, you demand the utmost from the companies with which you entrust your most private information. And you absolutely should.</p> <p>Continue to ask the hard questions: the <em>whys</em> and the <em>hows</em>. Your questions are often the impetus for articles like this one. 
Articles that have the ability to inform others who, like you, expect and deserve the highest levels of transparency and integrity of 1Password.</p> <p>The company <em>and</em> the software.</p> <section class="footnotes" role="doc-endnotes"> <hr> <ol> <li id="fn:1" role="doc-endnote"> <p>Individuals and 1Password Family members start with two items; 1Password Business customers (and those who join a business) receive one Starter Kit item.&#160;<a href="#fnref:1" class="footnote-backref" role="doc-backlink">&#x21a9;&#xfe0e;</a></p> </li> <li id="fn:2" role="doc-endnote"> <p>One exception exists: A 1Password employee will see the information if you voluntarily include either detail in a support request. Please don’t! ♥︎ When this occurs, the customer is instructed to change their password and/or regenerate their Secret Key immediately, and we remove the information from our ticketing system.&#160;<a href="#fnref:2" class="footnote-backref" role="doc-backlink">&#x21a9;&#xfe0e;</a></p> </li> <li id="fn:3" role="doc-endnote"> <p>Seriously, please don’t.&#160;<a href="#fnref:3" class="footnote-backref" role="doc-backlink">&#x21a9;&#xfe0e;</a></p> </li> </ol> </section></description></item><item><title>Doing good in 2022 and beyond</title><link>https://blog.1password.com/doing-good-in-2022-and-beyond/</link><pubDate>Mon, 23 Jan 2023 00:00:00 +0000</pubDate><author>info@1password.com (Katya Laviolette)</author><guid>https://blog.1password.com/doing-good-in-2022-and-beyond/</guid><description> <img src='https://blog.1password.com/posts/2023/doing-good-in-2022-and-beyond/header.png' class='webfeedsFeaturedVisual' alt='Doing good in 2022 and beyond' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">When I joined 1Password at the beginning of 2022, I immediately recognized the value that the company places on its employees, its customers, and its community.</p> <p>With the support of our employees, we are fortunate to be 
able to give back and support important initiatives around the world.</p> <p>Our employee survey this year showed that over 80% of employees agreed 1Password is taking action to address issues of fairness, diversity, equity, and inclusion. Alongside our employees, we’re proud to support a range of important causes around the world. We know there is more to do, but we are truly excited to continue building on the partnerships we’ve built.</p> <p>Here are some of the ways we worked to make a difference this year.</p> <h2 id="standing-with-ukraine-">Standing with Ukraine 🇺🇦</h2> <p>1Password stands with the brave citizens and leaders of Ukraine who are defending their homes and values. Earlier this year, we showed our support in a few different ways: pledging to match employee donations up to $50,000 USD, and standing with other Canadian business leaders in a letter to the Prime Minister in support of Ukraine.</p> <ul> <li>We matched employee donations to the <a href="https://www.icrc.org/en/donate/ukraine">International Committee of the Red Cross</a>, an organization ensuring humanitarian protection and assistance for victims of armed conflict and other situations of violence.</li> <li>We also matched employee donations to the <a href="https://donate.unhcr.org/int/en/ukraine-emergency">UN High Commissioner for Refugees</a>, an organization dedicated to saving lives, protecting rights, and building a better future for refugees, forcibly displaced communities, and stateless people.</li> <li>Using our internal rewards system, Bonusly, our team could donate to the <a href="https://help.rescue.org/donate/ukraine-acq">International Rescue Committee</a>, an organization helping people affected by humanitarian crises to survive, recover, and rebuild their lives.</li> </ul> <h2 id="caring-for-our-environment-">Caring for our environment 🌳</h2> <p>Finding new ways to help the planet and the people around us is some of the most important work we do here at 1Password, so we 
wanted to continue to work towards making a positive impact for our environment this year:</p> <ul> <li>We partnered with <a href="https://www.soalliance.org/">Sustainable Ocean Alliance</a>, a global community working together to solve the greatest challenges facing our ocean, for an <a href="https://twitter.com/theoceanbottle">Ocean Bottle</a> giveaway.</li> <li>We donated to <a href="https://evertreen.com/">Evertreen</a>, an organization that helps people and businesses plant real trees, offset CO2, and alleviate poverty.</li> </ul> <img src='https://blog.1password.com/posts/2023/doing-good-in-2022-and-beyond/oceanbottle.jpeg' alt='A green reusable water bottle with 1Password and Ocean Alliance logos on it resting on the sand at the beach.' title='A green reusable water bottle with 1Password and Ocean Alliance logos on it resting on the sand at the beach.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <h2 id="truth-and-reconciliation-">Truth and Reconciliation 🧡</h2> <p>September 30th is National Day for Truth and Reconciliation in Canada. We closed our virtual offices for all Canadian employees to honor Indigenous survivors, their families, and their communities, and to set aside time for our teams to get involved in their local community to promote reconciliation. 
Additionally, we donated to organizations working to recognize the legacy of the Canadian residential school system:</p> <ul> <li><a href="https://www.orangeshirtday.org/orange-shirt-society.html">Orange Shirt Society</a>, a non-profit organization creating awareness of the individual, family, and community intergenerational impacts of Indian Residential Schools.</li> <li><a href="https://nctr.ca/">The National Centre for Truth and Reconciliation</a>, a place of learning and dialogue where the truths of Residential School Survivors, families, and communities are honored and kept safe for future generations.</li> </ul> <h2 id="supporting-gender-equality-">Supporting gender equality 💪</h2> <p>We&rsquo;re committed to gender equality, reproductive rights, and inclusion for everyone. This year, we made donations to organizations working to empower girls and women both in the workplace and beyond:</p> <ul> <li><a href="https://girlswhocode.com/">Girls Who Code</a>, an organization working to close the gender gap in technology and to change the image of what a programmer looks like and does.</li> <li><a href="https://canadianwomen.org/">Canadian Women’s Foundation</a>, a national leader in the movement for gender equality in Canada, supporting women, girls, and gender-diverse people to move out of violence and poverty and into confidence and leadership.</li> </ul> <p>On the heels of the historic decision to overturn Roe v. 
Wade, we wanted to ensure that we were not only supporting our team members through changes to our benefit programs, but also supporting the organizations ensuring safe access to reproductive healthcare in the United States:</p> <ul> <li><a href="https://www.plannedparenthood.org/">Planned Parenthood</a> and the <a href="https://usow.org/">United State of Women</a>, two organizations supporting health care and reproductive rights.</li> </ul> <img src='https://blog.1password.com/posts/2023/doing-good-in-2022-and-beyond/roe-wade-fb.png' alt='A message from 1Password&#39;s Chief People Officer on the overturning of Roe v. Wade.' title='A message from 1Password&#39;s Chief People Officer on the overturning of Roe v. Wade.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <h2 id="championing-diversity-">Championing diversity 🤝</h2> <p>This year, we leaned on our employee resource groups (ERGs) to gather information on what organizations would benefit from our donations throughout the year. 
In starting this conversation, we were able to contribute to three important organizations: two doing work to support underrepresented groups in tech, and one providing opportunities for young people:</p> <ul> <li><a href="https://wearebgc.org/">Black Girls Code</a>, an organization working to build pathways for young women of color to embrace the current tech marketplace as builders and creators by introducing them to skills in computer programming and technology.</li> <li><a href="https://devcolor.org/">/dev/color</a>, a global career accelerator for Black software engineers, technologists, and executives – as well as the go-to accountability partner for the companies who invest in, employ, and are led by them.</li> <li><a href="https://www.scratchfoundation.org/">Scratch Foundation</a>, an organization working to spread collaborative and equitable approaches to coding and learning around the world, while providing young people with digital tools and opportunities to imagine, create, share, and learn.</li> </ul> <h2 id="showing-pride-">Showing Pride 🏳️🌈</h2> <p>Many of our 1Password team members are part of the LGBTQ+ community, so it’s crucial to us as a company to be allies. 
This year, alongside our internal initiatives, we donated to several organizations making an impact for the LGBTQ+ community:</p> <ul> <li><a href="https://www.thetrevorproject.org/">The Trevor Project</a>, a suicide prevention and crisis intervention organization for LGBTQ+ youth.</li> <li><a href="https://www.rainbowrailroad.org/">Rainbow Railroad</a>, an organization that helps LGBTQ+ people facing persecution based on their sexual orientation, gender identity, and sex characteristics.</li> <li><a href="https://pflagcanada.ca/">Pflag Canada</a>, a nonprofit organization which brings together family and friends of LGBTQ+ people to help themselves and their extended family understand and accept LGBTQ+ family members.</li> </ul> <img src='https://blog.1password.com/posts/2023/doing-good-in-2022-and-beyond/pride-quote-1.png' alt='A quote from a 1Password team member that says, To me, Pride is a sense of belonging and being accepted for who you are. It&#39;s acknowledging the past that led us here and the future of equity we continue to seek globally. Pride reminds us that we matter.' title='A quote from a 1Password team member that says, To me, Pride is a sense of belonging and being accepted for who you are. It&#39;s acknowledging the past that led us here and the future of equity we continue to seek globally. Pride reminds us that we matter.' 
style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <h2 id="investing-in-our-community-">Investing in our community 🚀</h2> <p>Whether supporting mental health initiatives, or ensuring that our broader communities had access to healthy food options throughout the year, 1Password supported a number of organizations across the United States and Canada through both financial and volunteer time donations:</p> <ul> <li><a href="https://cmha.ca/">Canadian Mental Health Association</a>, a national leader in working to create a Canada where mental health is a universal human right.</li> <li><a href="https://www.stjude.org/">St. Jude Children’s Research Hospital</a>, a leader in research and treatments focused on defeating childhood cancer and other life-threatening diseases.</li> </ul> <p>To celebrate Thanksgiving, we donated to three different organizations working to make a difference:</p> <ul> <li><a href="https://foodbankscanada.ca/about-us/">Food Banks Canada</a>, an organization helping those across Canada living with food insecurity by relieving hunger today and preventing hunger tomorrow in collaboration with the food bank network.</li> <li><a href="https://secondharvest.ca/about/">Second Harvest</a>, an organization creating an efficient food recovery network, reducing the environmental impact of food waste while ensuring that everyone – regardless of their economic situation – is able to feed themselves and their family.</li> <li><a href="https://www.unitedway.ca/how-we-help/">United Way Centraide</a>, working across Canada to make change locally, creating opportunities for everyone in our communities to live a better life by reducing poverty, supporting children and youth, and building vibrant neighborhoods.</li> </ul> <h2 id="looking-ahead">Looking ahead</h2> <p>I’m extremely proud of the work our team has accomplished in 2022, but I know that our work is never done. 
We have so many opportunities in 2023 to continue making an impact with organizations like those we’ve mentioned who are doing important work that champions causes close to our hearts.</p> <p>Thank you for supporting 1Password and helping to make initiatives like these possible. We already have a lot planned for 2023, from supporting our employees to our various communities and partners. We’re looking forward to all that we accomplish – together.</p> <p>K.</p></description></item><item><title>Unlock with SSO: under the hood</title><link>https://blog.1password.com/unlock-sso-deep-dive/</link><pubDate>Fri, 20 Jan 2023 00:00:00 +0000</pubDate><author>info@1password.com (Rick van Galen & Aidan Woods)</author><guid>https://blog.1password.com/unlock-sso-deep-dive/</guid><description> <img src='https://blog.1password.com/posts/2023/unlock-sso-deep-dive/header.png' class='webfeedsFeaturedVisual' alt='Unlock with SSO: under the hood' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Recently, we announced that 1Password Business customers will soon be able to unlock 1Password with Okta.</p> <p>Since then, we&rsquo;ve spoken with many of you who are eager for more of the technical details – and we&rsquo;re happy to oblige! We love a good deep dive, so let&rsquo;s talk about some of the thinking behind our approach.</p> <p>In this article, we&rsquo;ll pull back the curtain a bit on the technical foundations of Unlock with SSO. We&rsquo;ll touch on why it&rsquo;s a tricky problem and how we engineered a solution that lives up to the 1Password promise – including how we ensured that no one but you can access the data in your vaults. 
Finally, we&rsquo;ll share some notes on what Unlock with SSO means for the security of your 1Password account, and what the future holds.</p> <h2 id="sso-and-a-decryption-problem">SSO and a decryption problem</h2> <p>Most web services “just” need to solve authentication and authorization problems – i.e., determining whether a user is who they say they are, and whether they should have access to a resource. For these kinds of services, SSO is an ideal solution for organizations: It provides centralized management of what users can access, and allows enforcement of strong authentication, policy, and auditability.</p> <img src="https://blog.1password.com/posts/2023/unlock-sso-deep-dive/diagram1.png" alt="A diagram showing how data is decrypted between an SSO provider, user, and regular web service." title="A diagram showing how data is decrypted between an SSO provider, user, and regular web service." class="c-featured-image"/> <p>1Password also needs to solve authentication and authorization problems – but the password you use for your 1Password account today also needs to decrypt your passwords. Your account password makes sure <em>only</em> you can do that. When we designed 1Password, we had to <a href="https://blog.1password.com/how-1password-protects-your-data/">account for the possibility</a> that some day our servers could be compromised. With the new ability to unlock with SSO, we wanted to stay true to our decryption promise. Our SSO implementation makes sure that neither 1Password nor the identity provider could gain access to your passwords.</p> <p>The challenge is that traditional single sign-on is not made to solve this decryption problem. 
Popular protocols used for signing in with SSO – OAuth, OIDC, SAML – don’t provide a way for the user to end up with a decryption key only <em>they</em> know.</p> <h2 id="the-1password-solution-and-how-it-works">The 1Password solution and how it works</h2> <p>To stay true to our promise, we needed something <em>on top</em> of traditional SSO. When using an SSO-enabled account, decryption is handled by the device on which 1Password is already installed, using a key – called the device key – that is unique to each device. The device key is stored on users’ devices, and <em>only</em> on users’ devices.</p> <h3 id="signing-in">Signing in</h3> <p>The device key is what helps complete the process of signing in to 1Password with SSO, and it works differently than our traditional unlock. In today’s password and Secret Key accounts, your account password and Secret Key fill two important (but distinct) security roles. Your account password protects your data on your devices, whereas your Secret Key (in addition to your password) protects data on our servers. In other words, your devices are responsible for memorizing a strong cryptographic key (your Secret Key), while your password ensures that only you can unlock 1Password on your device.</p> <p>With SSO-enabled accounts, your device remains responsible for providing a strong cryptographic key (its device key), while your identity provider becomes responsible for making sure that 1Password can only be unlocked by you. How the device key is stored depends on the type of device you are using. 
The table on <a href="https://support.1password.com/sso-security/#device-keys/">this support page</a> details how this differs between platforms.</p> <blockquote> <p><strong>Your account password and Secret Key fill two important (but distinct) security roles.</strong></p> </blockquote> <p>With password and Secret Key accounts, your password and Secret Key are combined to <em>derive</em> two separate keys: an <em>authentication</em> key, and an <em>encryption</em> key (we call this pair of keys your <em>credential bundle</em>). Both your password and Secret Key are required to be present to create this bundle, which allows you to sign in to 1Password, and then to decrypt your data.</p> <img src="https://blog.1password.com/posts/2023/unlock-sso-deep-dive/diagram2.png" alt="A diagram showing what happens when a 1Password customer signs in using Okta." title="A diagram showing what happens when a 1Password customer signs in using Okta." class="c-featured-image"/> <p>Using an SSO-enabled account, your credential bundle is instead made from two randomly generated keys, and encrypted by your device key. The encrypted credential bundle is then stored on 1Password’s servers. Since the device key is only stored on your device, only your devices can decrypt this credential bundle. 1Password’s servers will only “release” this encrypted credential bundle to your devices if you can sign in with your identity provider.</p> <h3 id="quickly-unlocking-with-biometrics">Quickly unlocking with biometrics</h3> <p>Since the app needs to check with your identity provider every time you unlock 1Password in this setup, by default SSO-enabled accounts can only be used when the app has an active internet connection. However, part of the convenience of 1Password is to have your passwords, secure notes and saved documents available even when connections are spotty. 
So, to help make secrets still available offline, we’ve leveraged a favorite feature of the 1Password apps: biometric unlock.</p> <blockquote> <p><strong>Once enabled, 1Password clients can use biometrics to securely store your credential bundle and a re-authentication token on-device.</strong></p> </blockquote> <p>Administrators can enable biometric unlock for their users in their account settings. When enabled on devices that support it, 1Password clients can use biometrics to securely store your credential bundle and a <em>re-authentication token</em> on-device. Your device-stored credential bundle is then used to unlock 1Password, even while offline, and the re-authentication token is used to re-authenticate with the 1Password server, so it can continue to synchronize vault data when you’re online.</p> <p>Biometric unlock is supported on macOS using a T2 or Apple Silicon chip, Android and iOS devices with their built-in secure elements, and Windows devices with Windows Hello. (On Windows, the apps don’t use a secure element, but store the re-authentication token in protected memory while the 1Password app is running.)</p> <img src="https://blog.1password.com/posts/2023/unlock-sso-deep-dive/diagram3.png" alt="A diagram showing what happens when a 1Password customer unlocks using biometrics." title="A diagram showing what happens when a 1Password customer unlocks using biometrics." class="c-featured-image"/> <p>A re-authentication token is only ever issued in response to a successful authentication, and when issued, it’s protected by session encryption to guard its long-term secrecy in the event of a TLS confidentiality failure, just like your other 1Password account data.</p> <p>When a re-authentication token is used, it is protected only by TLS. To limit what a TLS confidentiality failure could expose, the 1Password server therefore considers a re-authentication token ‘spent’ as soon as it has been used once, and it cannot be used again. 
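The sign-in flow described above, reduced to runnable code. This is an added illustration written for this page, not 1Password’s implementation: the credential bundle is two random 32-byte keys, the device key that wraps it with AES-256-GCM is a random value standing in for whatever the platform keystore holds, the identity provider’s assertion is an HMAC over the user name rather than a signed OIDC or SAML assertion, and the user name and the AEAD label are assumptions. What it shows is that the server holds only ciphertext it cannot open, releases that ciphertext only for a valid assertion, and refuses a re-authentication token the second time it is presented.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// CredentialBundle is the pair of random keys an SSO-enabled account uses instead of
// password-derived keys: one to authenticate to the server, one to decrypt vault data.
type CredentialBundle struct{ AuthKey, EncKey [32]byte }

var bundleAAD = []byte("credential-bundle") // bound to the ciphertext as AEAD associated data (assumption)

func randBytes(n int) ([]byte, error) {
	b := make([]byte, n)
	_, err := rand.Read(b)
	return b, err
}

// BundleFrom splits 64 raw bytes (AuthKey || EncKey) into a bundle; a new account feeds it fresh random bytes.
func BundleFrom(raw []byte) *CredentialBundle {
	b := &CredentialBundle{}
	copy(b.AuthKey[:], raw[:32])
	copy(b.EncKey[:], raw[32:64])
	return b
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// WrapBundle encrypts the bundle under a 32-byte device key with AES-256-GCM, nonce prepended. The
// device key is a random stand-in for the key a real client keeps in the platform keystore (assumption).
func WrapBundle(deviceKey []byte, b *CredentialBundle) ([]byte, error) {
	gcm, err := newGCM(deviceKey)
	if err != nil { return nil, err }
	nonce, err := randBytes(gcm.NonceSize())
	if err != nil { return nil, err }
	return gcm.Seal(nonce, nonce, append(append([]byte{}, b.AuthKey[:]...), b.EncKey[:]...), bundleAAD), nil
}

// UnwrapBundle fails unless the same device key is presented and the blob is intact.
func UnwrapBundle(deviceKey, blob []byte) (*CredentialBundle, error) {
	gcm, err := newGCM(deviceKey)
	if err != nil { return nil, err }
	ns := gcm.NonceSize()
	if len(blob) < ns { return nil, errors.New("wrapped bundle too short") }
	plain, err := gcm.Open(nil, blob[:ns], blob[ns:], bundleAAD)
	if err != nil || len(plain) != 64 { return nil, errors.New("unwrap failed: wrong device key or tampered blob") }
	return BundleFrom(plain), nil
}

// Server models the service side: it stores ciphertext it cannot open, releases it only once the
// identity provider vouches for the user, and treats each re-authentication token as single-use.
type Server struct {
	IdPKey  []byte            // stand-in for the IdP's signing key (assumption)
	Wrapped map[string][]byte // user -> wrapped bundle, stored exactly as the device sent it
	Unspent map[string]bool   // re-authentication tokens issued but not yet used
}

// IdPAssertion stands in for a signed OIDC or SAML assertion: an HMAC over the user name (assumption).
func IdPAssertion(idpKey []byte, user string) []byte {
	m := hmac.New(sha256.New, idpKey)
	m.Write([]byte(user))
	return m.Sum(nil)
}

// Release hands back the wrapped bundle only for a valid assertion; plaintext keys never reach the server.
func (s *Server) Release(user string, assertion []byte) ([]byte, error) {
	if !hmac.Equal(assertion, IdPAssertion(s.IdPKey, user)) {
		return nil, errors.New("identity provider did not vouch for this sign-in")
	}
	if blob, ok := s.Wrapped[user]; ok { return blob, nil }
	return nil, errors.New("no wrapped bundle on file")
}

// IssueReauthToken follows a successful authentication; Reauth accepts each token exactly once.
func (s *Server) IssueReauthToken() (string, error) {
	t, err := randBytes(32)
	if err != nil { return "", err }
	tok := fmt.Sprintf("%x", t)
	s.Unspent[tok] = true
	return tok, nil
}

func (s *Server) Reauth(tok string) bool {
	if !s.Unspent[tok] { return false } // unknown, or already spent
	delete(s.Unspent, tok)
	return true
}

func main() {
	idpKey, _ := randBytes(32)
	deviceKey, _ := randBytes(32)
	raw, _ := randBytes(64)
	bundle := BundleFrom(raw)
	blob, _ := WrapBundle(deviceKey, bundle)
	srv := &Server{IdPKey: idpKey, Wrapped: map[string][]byte{"alice": blob}, Unspent: map[string]bool{}}
	got, err := srv.Release("alice", IdPAssertion(idpKey, "alice"))
	if err != nil { panic(err) }
	opened, err := UnwrapBundle(deviceKey, got)
	tok, _ := srv.IssueReauthToken()
	fmt.Println("bundle recovered:", err == nil && *opened == *bundle, "token first use:", srv.Reauth(tok), "replay:", srv.Reauth(tok))
}
```

Running it prints that the device recovered its bundle, that the token worked once and that the replay was refused; a different device key or a flipped ciphertext byte makes the unwrap fail rather than return garbage. What the example cannot show is where the device key lives; that is the platform-specific part covered by the support page linked above.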
As a result, a new re-authentication token is requested every time a biometric unlock is performed. While they are unlocked, 1Password apps also keep fetching a fresh re-authentication token, so that 1Password stays unlocked for as long as it is permitted to.</p> <p>When an admin turns on biometric unlock, they delegate the responsibility of authenticating a user, temporarily, to a user&rsquo;s device, in place of the identity provider.</p> <h3 id="trusted-devices">Trusted devices</h3> <p>When you register with an account using SSO, the device you use to sign up becomes your first <em>Trusted Device</em>. When a device is <em>trusted</em> it means that this device has a device key which has encrypted your credential bundle (and therefore is capable of signing you in). You <em>trusted</em> it to log in.</p> <p>A critical challenge to overcome with Unlock with SSO is setting up <em>additional</em> trusted devices while keeping your credential bundle private. Your first trusted device will generate your credential bundle and then encrypt it with its own device key. But every other device will need to obtain a copy of your credential bundle, so that each device can encrypt this credential bundle with its own device key.</p> <p>When you first sign in on an <em>additional device</em> using your identity provider, that new device will go through an enrollment process. This enrollment process involves securely transmitting your credential bundle from an existing trusted device which has access to it, to a new device that (currently) cannot access it. 
This will allow your new device to complete sign-in, and to decrypt your 1Password data independently – becoming a trusted device itself.</p> <blockquote> <p><strong>When you first sign in on an additional device using your identity provider, that new device will go through an enrollment process.</strong></p> </blockquote> <p>The first step in this enrollment process is to sign in using your identity provider. This gives 1Password’s servers reasonable confidence that <em>you</em> are trying to sign in on a new device. Once this happens, 1Password’s servers then send a notification to all your currently trusted devices, asking you to approve the new sign-in on one of them.</p> <p>Once you receive this notification on a trusted device, you can approve or deny the sign-in. To approve the sign-in, your trusted device will generate a random code, which you’ll enter on the new device. When you enter this code, your devices will use it to authenticate an end-to-end encrypted handshake (more detail to follow), which will allow your trusted device to securely transmit your credential bundle to the new device. When your new device receives your credential bundle, it will use it to sign in to your 1Password account and register itself as a new trusted device, encrypting the credential bundle with its own device key.</p> <h2 id="end-to-end-encryption-when-enrolling-a-new-device">End-to-end encryption when enrolling a new device</h2> <h3 id="background-and-goals">Background and goals</h3> <p>We wanted to make new device enrollment easy for users to accomplish. Asking them to manually enter a 32-byte key might be one way of securing this, but it’s not very easy to use. Entering a relatively short confirmation code, on the other hand, is easy.</p> <p>However, this presents a tricky security challenge. To secure communications between both your devices, we couldn’t just encrypt your sensitive data with a short code; this would not be secure. 
Instead, we needed the confirmation code to confirm a channel was trustworthy, without using the code to directly encrypt anything.</p> <p>End-to-end encryption between your devices during enrollment is critically important to keep our promise that only your devices are capable of decrypting your credential bundle. Because 1Password’s servers are relied on to facilitate this enrollment, there are several important considerations to get right, and we’ve designed this exchange to be secure even if someone stores or actively tampers with the communications between your devices. Specifically, this exchange adheres to a security property known as <a href="https://en.wikipedia.org/wiki/Forward_secrecy">Perfect Forward Secrecy</a>.</p> <blockquote> <p><strong>This exchange adheres to a security property known as Perfect Forward Secrecy.</strong></p> </blockquote> <p>The communications between your devices are <em>authenticated</em> by a randomly generated code, but not <em>encrypted</em> by this code. This is important to mitigate against brute-force attacks on the code itself, ensuring that nobody in a network position, including the 1Password server, can decrypt your credential bundle. By instead using this code to <em>authenticate</em> the exchange, your devices can use strong ephemeral keys, and can enforce that only one attempt can be made at providing the correct code.</p> <h3 id="the-key-is-in-the-pake">The key is in the PAKE</h3> <p>To secure this exchange with a code, we use a symmetric Password Authenticated Key Exchange (PAKE) <a href="https://datatracker.ietf.org/doc/draft-irtf-cfrg-cpace/">called CPace</a>. You may already be familiar with the idea of using a PAKE if you’ve ever heard us talk about SRP, or <a href="https://support.1password.com/secure-remote-password/">Secure Remote Password</a>. SRP is an asymmetric PAKE, which means only one party in the exchange – you – has the password. 
CPace is a symmetric PAKE, which means both participants share a common secret. In our new device enrollment process, the randomly generated code is this shared common secret, and is known by both devices after you enter it on a new device. CPace was purpose-built to facilitate creating a secure channel between two devices, <a href="https://eprint.iacr.org/2021/114">and also comes with a security proof for perfect forward secrecy</a> – so you don’t just have to take our word for it being secure!</p> <p>At a protocol level, CPace neatly neutralizes the possibility of brute-force attacks on the shared code by splitting its handshake into two distinct stages.</p> <img src="https://blog.1password.com/posts/2023/unlock-sso-deep-dive/diagram4.png" alt="A diagram showing how 1Password&#39;s CPace, a symmetric Password Authenticated Key Exchange, works behind the scenes." title="A diagram showing how 1Password&#39;s CPace, a symmetric Password Authenticated Key Exchange, works behind the scenes." class="c-featured-image"/> <h3 id="how-we-use-cpace-in-enrollment">How we use CPace in enrollment</h3> <p>At the first stage of the handshake, both devices use a randomly generated key and the shared code to generate a “commitment” value. Because each side has mixed in a randomly generated key, this commitment cannot be used to guess the code itself (since there are two unknowns).</p> <p>Both devices then use their key and the shared code to derive a new shared key. If both devices had the same code to begin with, they’ll arrive at the same shared key, but if they didn’t (or their commitment values were tampered with) then they’ll end up with different keys. Because this key is bound to the shared code, the handshake state, and each side’s randomly generated key, it is not possible to guess the shared code again without performing an entirely new exchange.</p> <p>Both devices then move on to the second stage of CPace: key confirmation. 
Each side will use its version of the shared key to authenticate a unique message which identifies it to the other side. The devices will emit different confirmation messages to each other, but both devices (if they have the same key) are capable of verifying the message from the other side. If these authentication messages are correct, each device knows that the other used the correct code; if not, the device knows it should abort.</p> <blockquote> <p><strong>Both devices (if they have the same key) are capable of verifying the message from the other side.</strong></p> </blockquote> <p>Once this authentication stage has completed successfully, the exchange is complete and the devices can communicate in a way that is end-to-end encrypted. The final step to complete enrollment is for the existing trusted device to use this shared key to encrypt your credential bundle to send it to your new device. Once your new device receives it, it will be able to sign in, decrypt your 1Password data, then register itself as a trusted device by generating its own device key.</p> <h2 id="manageability-and-risks">Manageability and risks</h2> <p>Offering an option to integrate with SSO providers has been a longstanding request for us for good reason. Single sign-on plays a central role in enterprise security by offering enforcement of strong authentication, centralized management of users joining and leaving, and fine-grained auditability of sign-in events.</p> <p>The security of any SSO system comes with tradeoffs, however. Once someone can produce a proof of authorization – for example, an OAuth authorization token or a SAML assertion – a resource server will let you access your data. The information to get that authorization is commonly stored on end user devices. 
Unlock with SSO in 1Password doesn’t solve that problem: in scenarios where an attacker gets access to a user’s computer (or a copy of the data on that computer), they can steal the device key and any SSO sessions a user has from their computer, and proceed to sign in and gain access to their SSO-enabled 1Password account. <a href="https://circleci.com/blog/jan-4-2023-incident-report/">The incident report of the recent breach at CircleCI</a> demonstrates that stealing local credentials is a real concern, even when strong authentication mechanisms are enforced.</p> <blockquote> <p><strong>Protecting sign-ins to SSO services comes down to having a strong device security program and security monitoring.</strong></p> </blockquote> <p>For readers familiar with SSO, this may be an obvious limitation and a risk that is mitigated by other measures. Moreover, many will assert that authorizations in SSO are fundamental, and this is how SSO products <em>should</em> work. For our product this is new territory however, and this took a tremendous amount of consideration for us. We considered the abilities of identity providers to detect and prevent this misuse, but can’t vouch for the abilities of Okta or other identity providers in this regard. On devices that support storing decryption keys in hardware – macOS, iOS and Android – the 1Password apps for these platforms protect the <a href="https://support.1password.com/sso-security/">device key in hardware</a> when possible, making it much more difficult to extract from a device. Fundamentally, protecting sign-ins to SSO services comes down to having a strong device security program and security monitoring.</p> <p>There are other security tradeoffs that prospective adopters of Unlock with SSO should take into consideration, such as educating users about sharing device setup codes and considering the availability of the identity provider for access to passwords. 
<a href="https://support.1password.com/sso-security/">Read more in our support article about Unlock with SSO security</a>.</p> <h2 id="where-to-next">Where to next?</h2> <p>In this deep dive, you might have noticed that we made few references directly to Okta. Because SSO providers (including Okta) tend to build on open standards, we have built Unlock with Okta in a way that’s extensible in the future. Unlock with Okta will be available to all 1Password Business customers soon. Afterwards, we’ll be focused on Azure, followed by other identity providers like Duo, OneLogin, and more. Our initial flurry of releases will focus on OIDC, but SAML is also on our roadmap.</p> <p>Another thing that might stand out to the keen-eyed: with the credential bundle, does Unlock with SSO still use <a href="https://support.1password.com/secure-remote-password/">Secure Remote Password</a>? The answer is yes. For the moment, it was more straightforward for us to leverage our existing unlock methods – including Secure Remote Password. This allowed us to build Unlock with SSO without needing to reconsider assumptions about how authorization with the 1Password service works. Nonetheless, we are using Secure Remote Password when there are no traditional passwords in play anymore. If you use a password with your identity provider, that’s between the identity provider and you. In the future, we might be interested in using a bespoke system for the 1Password device to talk to a 1Password server when authenticated through SSO.</p> <p>As we expand to more customers with different security requirements, we are also looking to introduce ways to gain even more fine-grained control over how users can sign in to SSO, including helping to enforce protection on the device key.</p> <h2 id="usable-security-for-the-enterprise">Usable security for the enterprise</h2> <p>We built Unlock with SSO in a way that fulfills the 1Password promise: Your secrets remain yours, and yours alone. 
The device key keeps everything local to your device, and through our use of CPace, adding new devices is quick, easy, and secure.</p> <p>We don&rsquo;t see a contradiction between convenience and security. Ease of use is a security feature, and that holds true for Unlock with SSO. We hope that it helps more organizations enjoy the benefits of an enterprise password manager by making strong security simple – even if the underlying infrastructure is, as we&rsquo;ve seen, a bit more involved. 😉</p> <p><em>If you&rsquo;d like to read more details about how SSO sign-in works, check out the SSO content <a href="https://1passwordstatic.com/files/security/1password-white-paper.pdf">in our Security Design whitepaper</a>.</em></p></description></item><item><title>What it’s like to be an intern at 1Password</title><link>https://blog.1password.com/internship-what-its-like/</link><pubDate>Wed, 18 Jan 2023 00:00:00 +0000</pubDate><author>info@1password.com (Kate Ryan)</author><guid>https://blog.1password.com/internship-what-its-like/</guid><description> <img src='https://blog.1password.com/posts/2023/internship-what-its-like/header.png' class='webfeedsFeaturedVisual' alt='What it’s like to be an intern at 1Password' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Here at 1Password, we’re lucky enough to work with students throughout the year on our goal of creating a safer, simpler digital future for everyone.</p> <p>Roughly 15-20 Canadian university students join us each semester to spend four months as a member of our engineering and technical teams. Each student is given an opportunity to work on important projects, as well as develop relationships with senior members of their teams.</p> <p>We’re big on learning and development, and we believe that co-op programs not only benefit students but our full-time team members as well. 
Students have fresh perspectives that help us see things differently, and we all benefit from their enthusiasm and excitement for learning new skills.</p> <p>We asked three of our internship students what their experience at 1Password has been like, and what they’ll take with them when they go.</p> <h2 id="andrew-semchism">Andrew Semchism</h2> <p><em>Developer Intern, Full Stack</em><br> <em>University of Waterloo</em></p> <p><strong>What made you choose 1Password for your internship?</strong></p> <p>I chose 1Password because of its excellent ratings from past students and my own interest in cybersecurity. I also thought it would be really interesting to work on a product that thousands of people rely on daily.</p> <p><strong>What have you learned so far in your internship at 1Password?</strong></p> <p>I’ve really improved all aspects of my front-end web development skills. By working on the <a href="https://developer.1password.com/">developer documentation site</a>, I’ve gained lots of experience working with React and a documentation framework called <a href="https://blog.1password.com/docusaurus-documentation-framework/">Docusaurus</a>.</p> <p>I’ve also learned a lot about working on large projects as a team by doing code reviews and taking part in meetings with project managers, designers, content writers, and other developers.</p> <img src='https://blog.1password.com/posts/2023/internship-what-its-like/andrewsemchism.jpg' alt='1Password intern Andrew Semchism sitting at his desk with a MacBook and second monitor.' title='1Password intern Andrew Semchism sitting at his desk with a MacBook and second monitor.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p><strong>How will your experience at 1Password help you in the future?</strong></p> <p>I’ve gained a lot of front-end web development skills, which will serve me well in future internship opportunities. 
Web development is a very in-demand skill at the moment, so I’m happy I got the chance to learn something that will make me more employable after I graduate. Also, working alongside other developers on a long-term project is a valuable learning experience that you rarely get in school.</p> <p><strong>What has been your favourite part of your internship at 1Password?</strong></p> <p>My favourite part has been seeing my work used by customers. It’s really satisfying to see something you worked on being used by thousands of people.</p> <p><strong>What advice would you give to anyone applying for an internship at 1Password?</strong></p> <p>If you’re selected for an interview, be ready to talk more than code!</p> <h2 id="esther-xin">Esther Xin</h2> <p><em>Developer Intern, Full Stack</em><br> <em>University of Waterloo</em></p> <p><strong>What made you choose 1Password for your internship?</strong></p> <p>I’ve actually done two internships at 1Password! I first chose 1Password because it was a well-known and reputable tech company that previous interns recommended for its professional skill development and culture.</p> <p>I returned here because I had an incredible first term. This time, I was able to work on my own four-month project that directly influenced clients and internal staff. I also learned so much about development, the software lifecycle, and the technology industry as a whole. 
I also received constant support and constructive feedback from other developers.</p> <blockquote> <p><strong>&ldquo;I learned so much about development, the software lifecycle, and the technology industry as a whole.&rdquo;</strong></p> </blockquote> <p>Finally, 1Password has an amazing work culture that promotes work-life balance and genuinely cares for the learning and development of their students.</p> <p><strong>What have you learned so far in your internship at 1Password?</strong></p> <p>Before coming to 1Password, I didn’t have any experience with backend development or working at a well-established company. I’m now proficient in <a href="https://go.dev/">Go</a>, <a href="https://reactjs.org/">React</a> and <a href="https://en.wikipedia.org/wiki/SQL">SQL</a>, and have learnt all about pipeline configurations and writing scripts.</p> <p>This term, I worked with a team that launched a feature in beta, which meant I could learn about the process and what needs to be done in order to get a feature out to the public. I also learned a lot of interpersonal skills such as communication, taking initiative, having empathy as a developer, and learning when to admit you don’t know something.</p> <p><strong>How will your experience at 1Password help you in the future?</strong></p> <p>I’ll definitely take a lot of software development skills. I grew tremendously in terms of my software and programming knowledge, which will help me greatly in other internships as well as any computer science classes I take in the future. Also, now that I have experience working on larger projects and features, I know what it takes to get something from idea to release.</p> <blockquote> <p><strong>&ldquo;I know what it takes to get something from idea to release.&rdquo;</strong></p> </blockquote> <p>I’ll also take a lot of career advice from my time here. 
I met a lot of seasoned developers at 1Password, and through them I was able to ask a lot of questions and gain new insight.</p> <p><strong>What advice would you give to anyone applying for an internship at 1Password?</strong></p> <p>There are a few pieces of advice I’d give. First, have someone edit your resume! A second set of eyes can make a big difference.</p> <p>Secondly, during the interview, get ready to talk about:</p> <ul> <li>Everything you put on your resume, including your past work experience, personal projects, and club participation. You should also be ready to highlight what you learned and any obstacles you faced.</li> <li>Why you want to join 1Password!</li> <li>Your goals for the internship.</li> </ul> <p>Finally, be someone who is always willing to learn, grow, and keep an open mind!</p> <h2 id="adam-hou">Adam Hou</h2> <p><em>Developer Intern, Product Engineering</em><br> <em>University of Waterloo</em></p> <p><strong>What made you choose 1Password for your internship?</strong></p> <p>Prior to joining, I had already been using 1Password as a customer. I chose 1Password for my co-op term because I wanted to work with the team that was developing the software myself and many others use every day!</p> <p><strong>What have you learned so far in your internship at 1Password?</strong></p> <p>I&rsquo;m constantly improving the technical skills I use as part of the team. I also love to nab neat tips and tricks from my fellow developers that improve my productivity.</p> <p><strong>How will your experience at 1Password help you in the future?</strong></p> <p>The skills that I’ve developed here will be immensely useful as I head back to school and complete my degree. 
I&rsquo;ll also be taking the cool swag I&rsquo;ve received with me!</p> <p><strong>Outside of work, what&rsquo;s your favorite way to spend your time?</strong></p> <p>I enjoy hanging out with my friends and playing badminton, table tennis, and video games.</p> <p><em>Editor&rsquo;s note: These interviews have been lightly edited for clarity and brevity.</em></p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Interested in an internship at 1Password?</h3> <p class="c-call-to-action-box__text"> Keep an eye on our careers page for open internship opportunities throughout the year. </p> <a href="https://1password.com/jobs/?utm_ref=blog" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> View our careers page </a> </div> </section></description></item><item><title>Unlock 1Password with Okta: Available in Public Preview</title><link>https://blog.1password.com/unlock-with-okta-public-preview/</link><pubDate>Fri, 13 Jan 2023 00:00:00 +0000</pubDate><author>info@1password.com (Tyler Durkin)</author><guid>https://blog.1password.com/unlock-with-okta-public-preview/</guid><description> <img src='https://blog.1password.com/posts/2023/unlock-with-okta-public-preview/header.png' class='webfeedsFeaturedVisual' alt='Unlock 1Password with Okta: Available in Public Preview' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">A public preview of Unlock with Okta is now available.</p> <p>We’re pleased to announce that a public preview of <a href="https://support.1password.com/sso-beta/">Unlock with Okta</a> is now available for all 1Password Business customers. 
This allows admins to set up their 1Password account so that team members sign in to 1Password with their Okta username and password, rather than their account password and Secret Key.</p> <h2 id="how-did-we-get-here">How did we get here?</h2> <p>A few years ago, unlocking 1Password with SSO began to come up more and more in conversations with our customers. While the value and benefits were clear, we didn’t pursue this feature because at the time we didn’t have a way to build it that met our stringent security standards. Unlocking with SSO <a href="https://support.1password.com/cs/sso-security/#different-risk-considerations">has its own risk considerations</a> that differ from 1Password’s traditional unlock model, and we wanted to make sure our solution was truly secure.</p> <p>After many months of research and listening to our customers, we’ve engineered a solution with the same careful consideration for our customers' privacy and security as every other feature we&rsquo;ve rolled out.</p> <p>The SSO project officially kicked off in 2022 and since then, we’ve had over a dozen unique teams and over 100 people here at 1Password working to bring this feature to our users in the most secure way possible.</p> <h2 id="sso-the-1password-way">SSO: the 1Password way</h2> <p>Other enterprise password managers support SSO by taking one of two approaches.</p> <p>The first is an auth bridge, which creates a large and attractive target for an attacker, and requires customers to maintain on-premise infrastructure. The second is a shared encryption key, which means if a single employee is compromised, the entire company is put at risk. Neither of these approaches meets our stringent security requirements.</p> <p>We opted for using a trusted device model, which means that if your identity provider credentials are ever compromised, attackers still won’t have access to your 1Password data. 
Unlock with Okta shifts away from needing the Secret Key that you are used to with your 1Password account, but it does so in a way that keeps all data secured on-device and at the same time increases your convenience. This is because a bad actor would still need a trusted device in order to prove your identity and access the data locked away inside your vaults. Your data will remain protected and now it’ll be even easier to sign into new devices that you own.</p> <p>Our approach maintains zero knowledge, and is end-to-end encrypted, as decryption still occurs on device. <strong>We don’t store or have access to the keys needed to decrypt your data.</strong></p> <h2 id="how-unlock-with-okta-works">How Unlock with Okta works</h2> <p> <video class="round shadow" style="display: block; margin: auto; padding: 0;" muted="true" loop="loop" playsinline="" width="100%" alt='Demo video of Unlock with SSO in 1Password.' controls> <source src="https://blog.1password.com/posts/2023/unlock-with-okta-public-preview/sso_demo_11-16.mp4" type="video/mp4" /> </video> </p> <p>Here’s the short version of how our SSO solution works. Once a team member authenticates with Okta and returns to 1Password, the 1Password app <a href="https://support.1password.com/cs/sso-security/#device-keys">downloads the user’s encrypted credentials</a>. The team member’s device key, which is stored only on the user&rsquo;s device, is then used to decrypt the credentials and complete the 1Password authentication process. After authenticating, team members can access their data just like before with biometrics (which can be configured by admins).</p> <p>To add a new trusted device, the team member signs in to Okta again, thereby proving their identity. Then, using an existing trusted device, they enter a randomly-generated verification code (which is used to authenticate an end-to-end encrypted exchange between the new device and existing trusted device). 
This setup is only needed once for every additional trusted device that’s added to a user’s account. This is because 1Password’s server will store an encrypted version of the account’s unlock key for each trusted device within the user’s account.</p> <img src='https://blog.1password.com/posts/2023/unlock-with-okta-public-preview/verification_code.png' alt='1Password screenshot showing a field to enter a verification code.' title='1Password screenshot showing a field to enter a verification code.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <h2 id="why-start-with-okta">Why start with Okta?</h2> <p>We’ve had hundreds of requests over the years for various IdP integrations (including Azure, Duo, OneLogin and others). Okta, however, was by far the most requested identity provider, which is why we started with this integration.</p> <p>Until now, our Unlock with Okta project was in a private beta, with a large group of 1Password customers deploying and testing the feature. The feedback helped us identify and solve bugs, make general improvements, and simplify our onboarding experience and documentation to make the deployment even easier.</p> <p>We&rsquo;re excited that many more customers can now try Unlock with Okta through our public preview. We&rsquo;ll share more information as we get closer to general availability and the rollout of additional identity provider integrations.</p> <h2 id="the-experience">The experience</h2> <p>Using 1Password alongside Okta can greatly improve manageability and ease-of-use of your organization&rsquo;s security. 
As an administrator, you can automate provisioning, enforce stronger, auditable security policies from your identity provider, and give your employees a simpler way to access their passwords and other digital secrets – like documents, Secure Notes, and SSH keys – that aren’t covered by Okta.</p> <p>We designed the setup wizard to be as simple as possible so you can roll out Unlock with Okta with as few clicks as possible. You’ll start by adding your client ID and Okta domain to the 1Password setup wizard. Once that’s configured, you’ll add the 1Password application directly to Okta, configure the grant type and sign-in redirect URIs, and make a few small tweaks to the 1Password application you’re configuring.</p> <img src='https://blog.1password.com/posts/2023/unlock-with-okta-public-preview/okta_details.png' alt='Screenshot showing the setup wizard for setting up a connection to Okta.' title='Screenshot showing the setup wizard for setting up a connection to Okta.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>Once you’ve assigned yourself to the Okta application (ensuring your Okta email matches your user profile in 1Password), you can then start testing the initial configuration.</p> <h3 id="deployment-strategies">Deployment strategies</h3> <p>After you’ve successfully authenticated with Okta, you can move on to configuring how to deploy SSO to your employees. The first choice you’ll make is <em>who</em> will need to sign in and unlock with Okta. We have several options for you to choose from, including:</p> <ul> <li>Selected groups</li> <li>Everyone but guests and owners</li> <li>Everyone but owners</li> </ul> <p>The choice is up to you, however, we recommend a staged rollout for most companies: start with a few groups and add more later. You can even <a href="https://support.1password.com/custom-groups/">create a custom group</a> and assign users to it for your initial rollout. 
Or, you can jump in with both feet and select “Everyone but Owners”.</p> <h3 id="configuring-the-migration-grace-period">Configuring the migration grace period</h3> <p>Afterwards, you’ll configure the “grace period” that employees have to change their sign-in method from our traditional Secret Key and account password. Team members will then see a migration wizard the next time they authenticate with one of their devices.</p> <p> <img src='https://blog.1password.com/posts/2023/unlock-with-okta-public-preview/signin_method_notification.png' alt='Screenshot of a notification in the 1Password app, telling the user their sign-in method is changing.' title='Screenshot of a notification in the 1Password app, telling the user their sign-in method is changing.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <img src='https://blog.1password.com/posts/2023/unlock-with-okta-public-preview/what_you_need_to_know.png' alt='Screenshot of a notification in the 1Password app, explaining what the user needs to know about Sign in with Okta.' title='Screenshot of a notification in the 1Password app, explaining what the user needs to know about Sign in with Okta.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> </p> <p>If a team member doesn’t complete the migration within the allotted time, they’ll be locked out and an administrator will need to recover their account before being able to access their data.</p> <h3 id="biometric-unlock">Biometric Unlock</h3> <p>We have one final configuration option for you when rolling out SSO support: biometric unlock. Enabling this feature will allow team members to access their data offline and sign in to the 1Password apps with Touch ID, Face ID, and Windows Hello.</p> <img src='https://blog.1password.com/posts/2023/unlock-with-okta-public-preview/allow_unlock_via_biometrics.png' alt='A screenshot of a checkbox allowing users to unlock 1Password with biometrics.' 
title='A screenshot of a checkbox allowing users to unlock 1Password with biometrics.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>What does all of this mean for your team and their account passwords? Once they make the switch to sign in with Okta, they’ll no longer have an account password to sign into 1Password. Instead, they’ll be authenticating with Okta. If you’re an admin, make sure that your rollout of this integration also includes a full review of your Okta configuration. You’ll need to adjust any existing password policy for Okta to ensure users have a “memorable” password set.</p> <p>In addition, if your employees are storing 2FA within 1Password, that too will need to be changed since they’ll be unlocking 1Password with Okta after the initial rollout.</p> <h2 id="what-the-future-holds">What the future holds</h2> <p>The public-ready version of Unlock with Okta will be available to all 1Password Business customers soon. Afterwards, we&rsquo;ll be focused on Azure, followed by other identity providers like Duo, OneLogin, and more. Our initial flurry of releases will focus on OIDC but SAML is also on our roadmap.</p> <p>Here’s a sneak preview of our work on Azure, which will be coming soon as well.</p> <p> <video class="round shadow" style="display: block; margin: auto; padding: 0;" muted="true" loop="loop" playsinline="" width="100%" alt='Demo video of 1Password working with Azure.' controls> <source src="https://blog.1password.com/posts/2023/unlock-with-okta-public-preview/azuredemo.mp4" type="video/mp4" /> </video> </p> <p>Is there a particular identity provider you would like us to support? 
Send an email to <a href="mailto:business@1password.com">business@1password.com</a> so we can record your request and any additional information that you’d like to share.</p> <p><em>(Editor&rsquo;s note: This post was last updated on 15/02/2023)</em></p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Get started with Unlock with Okta</h3> <p class="c-call-to-action-box__text"> Ready to try the public preview of Unlock with Okta? Learn more about how it works, and how to get started. </p> <a href="https://support.1password.com/sso-beta/" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Learn more </a> </div> </section></description></item><item><title>Happy 1Password updates for the New Year! ~ from Dave's newsletter</title><link>https://blog.1password.com/dave-newsletter-january-2023/</link><pubDate>Thu, 12 Jan 2023 00:00:00 +0000</pubDate><author>info@1password.com (Dave Teare)</author><guid>https://blog.1password.com/dave-newsletter-january-2023/</guid><description> <img src='https://blog.1password.com/posts/2023/dave-newsletter-january-2023/header.png' class='webfeedsFeaturedVisual' alt='Happy 1Password updates for the New Year! ~ from Dave's newsletter' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Hello everyone,</p> <p>I hope you’re having a wonderful New Year so far. 
I had lots of fun with friends and family over the holidays and am excited about all the things we have planned for 1Password in 2023.</p> <p>Before looking forward, let’s take a look back at some of the things that I didn’t have a chance to share with you last year.</p> <h2 id="security-is-our-foundation">Security is our foundation</h2> <img src='https://blog.1password.com/posts/2023/dave-newsletter-january-2023/security.png' alt='Illustration of a laptop and smartphone, each showing an obscured password.' title='Illustration of a laptop and smartphone, each showing an obscured password.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>I love highlighting our security model whenever I get a chance, and with at least <a href="https://www.theverge.com/2022/12/28/23529547/lastpass-vault-breach-disclosure-encryption-cybersecurity-rebuttal">one of our competitors being breached recently</a>, I thought now would be a great time to review how we designed 1Password to keep you and your data safe. Always. Even in the event of a breach.</p> <p>We built 1Password with security and privacy as our foundation. You see this in the features we add, the “features” we refuse to add, and how we design those features to always preserve your security and privacy.</p> <p>There are many aspects to this but given recent events, the star of today’s show is our unique Secret Key and how 1Password uses it to encrypt your data in a fundamentally different way.</p> <p>Pedro<sup id="fnref:1"><a href="#fn:1" class="footnote-ref" role="doc-noteref">1</a></sup> covers this in detail in his post <a href="https://blog.1password.com/how-1password-protects-your-data/">how 1Password is designed to keep your data safe, even in the event of a breach</a>. It’s a great read and I think you’ll enjoy it. I’ll wait here while you give it a look. 
🙂</p> <h2 id="security-parfait">Security parfait</h2> <img src='https://blog.1password.com/posts/2023/dave-newsletter-january-2023/securityparfait.png' alt='A parfait with a 1Password logo at the top, with labels for TLS, SRP, Secret Key and Account Password running down the side.' title='A parfait with a 1Password logo at the top, with labels for TLS, SRP, Secret Key and Account Password running down the side.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>Pedro doesn’t use these exact words, but you can think of our design like a security parfait. Just like Shrek and all ogres, great security has layers, and as Donkey points out, everyone loves parfaits. And if we were around back in 2001, I’m sure Donkey would have used 1Password for his analogy. ❤</p> <p>Our Secret Key is a critical layer in this parfait, yet as tasty as this layer is, we didn’t stop there. In fact, we never stop as security is a process, not a final <del>dessert</del> destination. We’re constantly iterating and improving, and in 2022 alone we hired external security research firms to perform 6 separate audits. This is over and above our bug bounty we have open for a cool $1,000,000.</p> <p>It’s all part of the process of making 1Password the best it can be, and while this can sometimes sound like overkill, with the seemingly endless barrage of companies reporting breaches, including security companies, it’s something we take great pride in.</p> <p>Frankly, I wouldn’t be able to sleep well at night any other way. And I value my sleep way too much to compromise on any of this. 🙂</p> <h2 id="be-a-security-hero">Be a security hero</h2> <p>I have sympathy for anyone using anything other than 1Password and losing sleep over their security. 
If you have a friend or colleague who’s limping along with another service or nothing at all, you can be their hero and introduce them to 1Password.</p> <p>Getting started is easy – you can share <a href="https://1password.com/switch/">our welcome page</a> with them for all the details, and our lovely customer support team is ready to help them every step of the way.</p> <p>Even more exciting? If they have a password manager already and email us their current invoice, we’ll give them full credit for their remaining balance. You can share our <a href="https://1password.com/switch/">Switch to 1Password page</a> with them or by all means reply to this email directly and we can help.</p> <p>Your friends will love the better experience, will sleep better with the best security, and with a full trade-in credit they have nothing to lose.</p> <p>Thank you for spreading the good news about 1Password. We wouldn’t be here without heroes like you.♥</p> <h2 id="many-new-bits--bobs">Many new bits &amp; bobs</h2> <p>There were many cool things that happened in 2022 that I didn’t have a chance to share with you yet. So let’s fix that now with a whirlwind roundup.</p> <p>The biggest news is 1Password 8 for iOS, iPadOS, and Android has been released. It’s an entirely new app so you’ll want to grab the latest 1Password from the App Store. See Roo’s<sup id="fnref:2"><a href="#fn:2" class="footnote-ref" role="doc-noteref">2</a></sup> post for all the details:</p> <p><strong><a href="https://blog.1password.com/1password-8-ios-android/">Say hello to 1Password 8 for iOS and Android</a></strong></p> <img src='https://blog.1password.com/posts/2023/dave-newsletter-january-2023/1password8mobile.png' alt='Two smartphones running the 1Password 8 mobile app.' title='Two smartphones running the 1Password 8 mobile app.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>There’s a lot to love here. 
I adore the <a href="https://www.youtube.com/watch?v=Qe_BNU7qkOA">kickoff video</a> and all-new Watchtower experience, and what makes me the most excited is we now have 1Password 8 published on every platform, <a href="https://blog.1password.com/1password-8-apple-watch/">including Apple Watch</a>. This was a huge lift from the entire team and I’m so excited to be entering 2023 with our new apps available for all of our customers.</p> <p>Another thing that brought me joy is our new <strong>Sign in with</strong> feature in the browser. Now when you use a social account like Twitter or Facebook to log in to a website, 1Password will remember that for you. It takes the guesswork out of remembering which account you used when you go to sign in.</p> <img src='https://blog.1password.com/posts/2023/dave-newsletter-january-2023/signinwith.png' alt='A web browser showing 1Password in the Browser and a saved &#39;Sign in with&#39; option.' title='A web browser showing 1Password in the Browser and a saved &#39;Sign in with&#39; option.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p><strong><a href="https://blog.1password.com/sign-in-with-other-providers/">Sign in with Google, Apple, and other providers… and save it in 1Password</a></strong></p> <p>Oh and you can now <a href="https://blog.1password.com/1password-file-document-sharing/">include files and documents in items you share</a>. It’ll make working with accountants so much easier during tax season this year. 
I’ll touch on this more in my next newsletter.</p> <p>And for the developers and technical software folks among us, we have a ton of updates and new features available for you:</p> <ul> <li><a href="https://blog.1password.com/git-commit-signing/">Sign your Git commits with 1Password</a></li> <li><a href="https://blog.1password.com/shell-plugins/">Unlock any CLI using biometrics with 1Password Shell Plugins</a></li> <li><a href="https://blog.1password.com/delete-your-example-env-file/">Go ahead, delete your .env.example file</a></li> <li><a href="https://blog.1password.com/1password-jetbrains/">Community spotlight: Extending 1Password for JetBrains users</a></li> <li><a href="https://blog.1password.com/1password-visual-studio-code/">Introducing 1Password for Visual Studio Code</a></li> </ul> <img src='https://blog.1password.com/posts/2023/dave-newsletter-january-2023/shellplugins.png' alt='An illustration of a fingerprint being used to authorize a 1Password Shell Plugin in CLI.' title='An illustration of a fingerprint being used to authorize a 1Password Shell Plugin in CLI.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>Don’t worry, if VSCode, git, and environment config files don’t ring a bell for you, you can happily ignore this section. If they do resonate, one of the best ways to see how these features can fit into your workflow is in this post from Jack who <a href="https://blog.1password.com/1password-cli-easier-dns-management/?l-announcement">used the 1Password CLI to make managing his DNS easier</a>.</p> <h2 id="come-and-go-passwordless-with-us-in-2023">Come and go passwordless with us in 2023</h2> <p>Our 2023 planning is just finishing up and it’s going to be an incredible year for 1Password. 
I can’t share everything just yet though one of the things I’m most excited about is passwordless.</p> <img src='https://blog.1password.com/posts/2023/dave-newsletter-january-2023/passwordless.png' alt='An illustration of the 1Password logo surrounded by icons of clouds, keys, locks, fingerprints, and more.' title='An illustration of the 1Password logo surrounded by icons of clouds, keys, locks, fingerprints, and more.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>What is passwordless? Well it’s many things, but in a nutshell it’s a new technology that is going to simplify logging into websites. It will take years for everyone to adopt, but it’s so exciting that we’ve made several incredible investments into passwordless already as we see it as a critical part of everyone’s future.</p> <p>We’ve <a href="https://blog.1password.com/1password-is-joining-the-fido-alliance/">joined the FIDO Alliance</a> to help keep the future of passwordless open and accessible to all, <a href="https://blog.1password.com/1password-acquires-passage/">acquired Passage</a> to accelerate the adoption of passwordless everywhere, and created a demo site to show off how a passwordless future could look in 1Password:</p> <p><strong><a href="https://www.future.1password.com/passkeys/">The passwordless experience you deserve</a></strong></p> <p>There’s a ton of excitement and plans around passwordless and it’s only one of many things we’re working on this year. I’m looking forward to being able to share more with you as the year progresses.</p> <p>Take care and have an amazing 2023! As always please let us know if there is anything we can do to help. You can reply directly to this email or stop by our <a href="https://1password.community/">1Password support community</a> to say hello. 
👋</p> <p>++dave;</p> <section class="c-call-to-action-box"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Dave&#39;s Newsletter</h3> <p class="c-call-to-action-box__text"> I wrote this letter for my newsletter subscribers and am sharing it here in case you missed it. Sign up and I'll send these directly to your inbox. 🤗 </p> <a href="https://1password.com/newsletter/" class="c-call-to-action-box__link-href" data-event-category="CTA" data-event-action="call-to-action-button"> Sign up to my newsletter </a> </div> </section> <p>P.S. I overwintered my garlic again this year and many have already started to sprout. Seeing them poking out over the snow is a great way to renew my hope that warmer months will be here soon. ⛄</p> <section class="footnotes" role="doc-endnotes"> <hr> <ol> <li id="fn:1" role="doc-endnote"> <p>I don’t think I had a chance to properly introduce you to Pedro yet. Pedro is our relatively new Chief Technology Officer and interim Chief Security Officer. He joined us 16 months ago to help us continue building and iterating on our security and privacy foundations.&#160;<a href="#fnref:1" class="footnote-backref" role="doc-backlink">&#x21a9;&#xfe0e;</a></p> </li> <li id="fn:2" role="doc-endnote"> <p>I introduced Roo a few times previously but thought it best to clarify that this is Michael Fey’s nickname. 
He’s been with us a decade now and nowadays he and his team are focused on making it as easy as possible for everyone to get started with 1Password.&#160;<a href="#fnref:2" class="footnote-backref" role="doc-backlink">&#x21a9;&#xfe0e;</a></p> </li> </ol> </section></description></item><item><title>How 1Password is designed to keep your data safe, even in the event of a breach</title><link>https://blog.1password.com/how-1password-protects-your-data/</link><pubDate>Tue, 10 Jan 2023 00:00:00 +0000</pubDate><author>info@1password.com (Pedro Canahuati)</author><guid>https://blog.1password.com/how-1password-protects-your-data/</guid><description> <img src='https://blog.1password.com/posts/2023/how-1password-protects-your-data/header.png' class='webfeedsFeaturedVisual' alt='How 1Password is designed to keep your data safe, even in the event of a breach' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">How 1Password protects your sensitive data, and why an attack on 1Password would pose no threat to information stored in your vaults.</p> <p>As data breaches become increasingly common and scary headlines hit the news, you may be feeling a bit uneasy. Here&rsquo;s the good news: if you&rsquo;re a 1Password customer, there&rsquo;s nothing you need to do and no reason for you to worry.</p> <p>We&rsquo;ll explain why below, but if you&rsquo;re in a hurry you can rest easy knowing that:</p> <ul> <li><strong>If you use 1Password, your information is safe.</strong> 1Password encrypts your vault data in a fundamentally different way than other password managers. Our dual-key encryption ensures a breach of 1Password&rsquo;s systems would pose no threat to sensitive information stored in your vaults.</li> <li><strong>1Password encrypts crucial metadata to protect your privacy.</strong> In addition to the contents of your vaults, we also encrypt vault names and stored website URLs. 
Without them, someone who obtains your encrypted vault data would have no way to guess what’s inside – they wouldn’t know if they were cracking a vault with credit cards or cookie recipes.</li> <li><strong>You don&rsquo;t have to take our word for it.</strong> We invest heavily in being good citizens of the security community, involving third-party researchers for regular assessments, and offering the industry&rsquo;s largest bug bounty to help us discover and resolve vulnerabilities before they can affect you.</li> </ul> <p>Read on to discover how we built 1Password to render your vault data effectively useless to attackers, even if they somehow got their hands on it.</p> <h2 id="what-would-a-breach-of-1password-mean-for-your-passwords">What would a breach of 1Password mean for your passwords?</h2> <p>1Password has never had a breach. But if one should occur, a breach of our systems would not put your sensitive vault data at risk.</p> <p>When we designed the security architecture of 1Password, we had to account for the possibility that some day our servers could be compromised. When well-equipped, determined attackers target password managers, they do it because they believe the prize is worth the effort. After all, why compromise a single person’s data when you can potentially score millions of bounties?</p> <p>1Password is built so that if attackers were to breach our systems, any vault data they obtain would be effectively useless to them, even if they had all the computing power in the world available to try cracking it open.</p> <p>How is this possible?</p> <h2 id="how-1password-is-different">How 1Password is different</h2> <p>A password manager is like a safe deposit box: a secure container to put things in, stored at a fortified offsite bank, and locked with a key (your account password).</p> <p>If someone gains access to that bank, they can steal the box and try to pick the lock. 
At that point it’s only a matter of time before they crack the password&hellip;and it’s often much less time than we think.</p> <p>That’s why with 1Password, your safe deposit box requires a combination of two keys to open, neither of which is ever seen (much less held) by 1Password.</p> <ol> <li><strong>The first key is your account password</strong> – this is the password you choose, and the only one you need to remember in order to access your vaults.</li> <li><strong>The second key, unique to 1Password, is called the <a href="https://support.1password.com/secret-key-security/">Secret Key</a>.</strong> It’s a 128-bit, machine-generated code that&rsquo;s <a href="https://blog.1password.com/what-the-secret-key-does/">mathematically infeasible to crack</a>.</li> </ol> <p>Other password managers rely on just the first key to protect your data. The problem is that those keys are often much easier to guess because people need to be able to remember them. 1Password adds the unguessable Secret Key to strengthen the encryption and ensure there’s no practical way for your vault data to be cracked.</p> <p>In daily use, you don’t need to think about the Secret Key because the 1Password apps take care of it for you. So you get all the security benefits of dual-key encryption while keeping the convenience of just one password that you need to remember to unlock your vaults.</p> <p>If criminals ever did obtain a copy of your vault data, they’d need both the account password (which only you know) and the Secret Key (which only you have) in order to combine them and unlock your data. Without both keys, your data is effectively impossible to decrypt. Trying to crack the combined encryption scheme provided by this dual-key approach – even using every computer on Earth today – would take, conservatively, several times the known age of the universe.</p> <p>Overkill? We don’t think so. 
It’s the least we can do to fulfill our promise of making sure your data never falls into the wrong hands.</p> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div class="c-technical-aside-box__description"> <p>Ready to make the switch to 1Password? <a href="https://support.1password.com/import/">Learn how to safely migrate your items from another password manager</a>.</p> </div> </aside> <h2 id="stay-skeptical">Stay skeptical</h2> <p>We&rsquo;re confident that our security model provides the best protection you can get, but we want you to feel just as confident about it.</p> <p>It&rsquo;s why we publish a <a href="https://1passwordstatic.com/files/security/1password-white-paper.pdf">detailed security white paper (download)</a> that provides an in-depth look at our approach, including additional aspects that are unique to 1Password, like the <a href="https://support.1password.com/secure-remote-password/">Secure Remote Password (SRP) protocol</a>.</p> <p>But even that&rsquo;s not enough. Things change fast in security, which is why we continually invest in our efforts to stay ahead of the game. The more we can scrutinize and improve how we do things, the more transparency and peace of mind we can offer you as you&rsquo;re evaluating your options.</p> <p>For example, we recently <a href="https://blog.1password.com/increasing-our-bug-bounty-investment/">increased the rewards we pay out to security researchers</a>. 
These external experts help us identify potential vulnerabilities in our systems so we can fix them before they affect customers.</p> <p>In fact, our million-dollar bug bounty program is now the largest in the password manager space, and it joins other ongoing efforts like <a href="https://support.1password.com/security-assessments/">our third-party security audit program</a> in making sure you always have trustworthy, up-to-date information you can use to evaluate our claims.</p> <p>In other words, when we say we protect your data, you don&rsquo;t have to take our word for it.</p> <h2 id="ready-to-get-started">Ready to get started?</h2> <p>At the end of the day, trust is earned. So while we could ask you to simply trust us, we won&rsquo;t.</p> <p>We want you to stay skeptical, and we love it when you ask us the tough questions about how everything works. Our team is always standing by to help.</p> <p>Whatever you do, don’t settle for “good enough” – we certainly don’t. Because when it comes to protecting your most precious information, &ldquo;good enough&rdquo;&hellip;isn&rsquo;t good enough.</p> <div class="c-call-to-action"> <section class="c-call-to-action-box c-call-to-action-box--green"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Ready to give 1Password a try?</h3> <p class="c-call-to-action-box__text"> Sign up for 1Password today and get your first 14 days free. 
</p> <a href="https://1password.com/pricing" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--green" data-event-category="CTA" data-event-action="call-to-action-button"> Get started </a> </div> </section> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Does your business need help switching?</h3> <p class="c-call-to-action-box__text"> Our onboarding & customer success teams are standing by to help you react quickly to keep your people safe. </p> <a href="https://1password.com/contact-us/" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Let&#39;s talk </a> </div> </section> </div></description></item><item><title>How to password protect your PDF files</title><link>https://blog.1password.com/password-protect-pdf-files/</link><pubDate>Mon, 09 Jan 2023 00:00:00 +0000</pubDate><author>info@1password.com (1Password)</author><guid>https://blog.1password.com/password-protect-pdf-files/</guid><description> <img src='https://blog.1password.com/posts/2023/password-protect-pdf-files/header.png' class='webfeedsFeaturedVisual' alt='How to password protect your PDF files' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">PDF files have become an essential part of our digital lives. We use them to create and share invoices, reports, contracts, and countless other documents every day.</p> <p>Here, you’ll learn several ways to add password protection to your PDFs. This guide also explains how you can securely store and share your PDF files using a password manager like 1Password.</p> <h2 id="why-protect-your-pdf-files">Why protect your PDF files?</h2> <p>By default, a PDF file can be opened and viewed by anyone. This is often useful and convenient. 
For example, if you run a restaurant, you want everyone to be able to visit your website and look at a PDF version of your menu.</p> <p>But PDFs can also be used to record and share private information. You might create one for your company&rsquo;s next quarterly earnings, or to prove to a mortgage lender that you&rsquo;re earning enough to buy a home. <strong>The best way to keep these types of PDFs secure is by protecting them with a strong password.</strong></p> <p>A quick search online will reveal many websites and apps that promise to add password protection to your PDFs. Some but not all are trustworthy. We won’t go through every option – instead, we’ll highlight three of the safest and simplest solutions.</p> <h2 id="setting-a-password-with-adobe-acrobat-pro">Setting a password with Adobe Acrobat Pro</h2> <p><a href="https://www.adobe.com/acrobat.html">Adobe Acrobat</a> is an app that lets you create, view, edit, and print PDF files. It comes in two versions: Standard and Pro. If you’re using Adobe Acrobat Pro, you have a few options for controlling who can access your PDFs, and whether people have permission to copy, edit, or print them out.</p> <p>Follow these steps to add a password that will prevent people from viewing or editing your PDF:</p> <ul> <li>Choose Tools &gt; Protect &gt; Protect Using Password.</li> </ul> <img src="https://blog.1password.com/posts/2023/password-protect-pdf-files/adobeacrobatpro3.jpg" alt="A screenshot captured on a Windows PC, showing the Tools menu in Adobe Acrobat Pro." title="A screenshot captured on a Windows PC, showing the Tools menu in Adobe Acrobat Pro." class="c-featured-image"/> <ul> <li>Choose Viewing or Editing.</li> <li>Type and retype your password, then select Apply.</li> </ul> <img src="https://blog.1password.com/posts/2023/password-protect-pdf-files/adobeacrobatpro1.jpg" alt="A screenshot captured on a Windows PC, showing how to set a password for viewing and editing in Adobe Acrobat Pro." 
title="A screenshot captured on a Windows PC, showing how to set a password for viewing and editing in Adobe Acrobat Pro." class="c-featured-image"/> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div class="c-technical-aside-box__description"> <p>Need help creating a strong password? Use our <a href="https://1password.com/password-generator/">free password generator</a>.</p> </div> </aside> <p>You can go a step further and use Adobe Acrobat Pro to encrypt the contents of your PDF files, too. This option also lets you set more granular permissions, such as whether someone can copy any of the text, images, or other content contained within the file.</p> <p>To encrypt a PDF file with Adobe Acrobat Pro:</p> <ul> <li>Choose Tools &gt; Protect &gt; Advanced Options &gt; Encrypt with Password.</li> <li>Select Yes to change the security settings on the document.</li> <li>A Password Security window will appear. Choose Require a Password to Open the Document, then type your password in the corresponding field.</li> </ul> <img src="https://blog.1password.com/posts/2023/password-protect-pdf-files/adobeacrobatpro2.jpg" alt="A screenshot captured on a Windows PC, showing the advanced password security settings in Adobe Acrobat Pro." title="A screenshot captured on a Windows PC, showing the advanced password security settings in Adobe Acrobat Pro." class="c-featured-image"/> <p>You’ll then see three options:</p> <ol> <li> <p><strong>Encrypt all document contents.</strong> Encrypts all of the content in your document, including the metadata.</p> </li> <li> <p><strong>Encrypt all document contents except metadata (Acrobat 6 and later).</strong> Encrypts all of the content in your document, but search engines will still be able to access the file’s metadata.</p> </li> <li> <p><strong>Encrypt only file attachments (Acrobat 7 and later).</strong> Creates a password for opening file attachments. 
This is useful if you work for an organization that uses Security Envelopes to protect and send multiple PDF files at once.</p> </li> </ol> <p>In this window, you&rsquo;ll also see a section called Permissions, which lets you control what other people can do with the document. The options here include:</p> <ul> <li>Restricting editing and printing of the document.</li> <li>Enabling or disabling copying of text, images, and other content.</li> <li>Enabling text access for screen readers.</li> </ul> <p>Confirm your password and select OK when you’re happy with the options you’ve chosen.</p> <h2 id="setting-a-password-with-adobes-free-online-tool">Setting a password with Adobe’s free online tool</h2> <p>Don’t have a subscription to Adobe Acrobat Pro? No problem. You can still password protect your PDF files using a <a href="https://www.adobe.com/acrobat/online/password-protect-pdf.html">free online tool</a> created by Adobe.</p> <p>You’ll need an Adobe account to use this website. Once you’ve created or signed in with one, you&rsquo;ll be able to upload a PDF, set a password, and download the newly-protected file.</p> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div class="c-technical-aside-box__description"> <p>Remember to create a strong password and save it in a password manager like 1Password!</p> </div> </aside> <h2 id="setting-a-password-in-the-preview-app-with-macos">Setting a password in the Preview app with macOS</h2> <p>Another way to password protect your PDFs is by <a href="https://support.apple.com/en-in/guide/preview/prvw587dd90f/mac">using the Preview app</a> that comes preinstalled on every Mac. Like Adobe Acrobat Pro, this app lets you customize the protection applied to your PDFs. 
You can set a password for opening and editing the file, as well as granular permissions like printing, copying, and editing.</p> <p>Follow these steps to password protect a PDF file with the Preview app on macOS:</p> <ul> <li>Open the PDF in Preview, then choose File &gt; Export.</li> </ul> <img src="https://blog.1password.com/posts/2023/password-protect-pdf-files/previewpdf1.png" alt="A screenshot captured on a Mac, showing the window that appears after selecting File &gt; Export in the Preview app." title="A screenshot captured on a Mac, showing the window that appears after selecting File &gt; Export in the Preview app." class="c-featured-image"/> <ul> <li>Choose Permissions. You’ll then see a variety of options. At the top, you can set a password to open the PDF by choosing Require Password to Open Document. When prompted, type your password, then retype to confirm.</li> </ul> <img src="https://blog.1password.com/posts/2023/password-protect-pdf-files/previewpdf2.png" alt="A screenshot captured on a Mac, showing the various password settings and permissions available in the Preview app." title="A screenshot captured on a Mac, showing the various password settings and permissions available in the Preview app." class="c-featured-image"/> <p>The Permissions screen also gives you a number of granular options. You can require a password to:</p> <ul> <li>Print</li> <li>Copy text or images</li> <li>Insert, delete, or rotate pages</li> <li>And more!</li> </ul> <p>Once you’ve checked the appropriate boxes, you’ll need to enter a password in the Owner Password field (this password can be the same as the one you chose for opening the document). 
Choose Apply, then Save.</p> <p>You can manage the permissions of your PDF file at any time by selecting File &gt; Edit Permissions.</p> <h2 id="how-a-password-manager-can-help-secure-your-pdfs">How a password manager can help secure your PDFs</h2> <p>Adobe’s tools and the macOS Preview app are a great way to password protect your PDF files. But it can be challenging to create and remember passwords for all your private PDFs. That’s where a <a href="https://blog.1password.com/password-manager/">password manager</a> like 1Password comes in.</p> <p>A password manager helps you create and remember strong passwords for everything else that’s important in your digital life, including your PDF files.</p> <p>You can also use 1Password to securely share passwords with other people. With <a href="https://1password.com/personal/">1Password Families</a> and <a href="https://1password.com/business/">1Password Business</a>, you can <a href="https://support.1password.com/create-share-vaults/">create and share vaults</a> with your family members and co-workers. These vaults are like special folders that you can use to organize and securely share multiple items that you’ve stored in 1Password.</p> <p>You can also use <a href="https://blog.1password.com/psst-item-sharing/">item sharing</a>, which lets you share individual passwords with anyone – even people who don’t have a password manager.</p> <blockquote> <p><strong>1Password is a secure place to store everything that&rsquo;s important in your digital life, including important files and documents.</strong></p> </blockquote> <p>1Password isn&rsquo;t just for passwords – it&rsquo;s a secure place to store <em>everything</em>, <a href="https://support.1password.com/files/">including important files and documents</a>. You can store PDF files directly in 1Password and securely share them using shared vaults and item sharing, just like your passwords and other sensitive information.</p> <p>Simple. Secure. 
With 1Password, you can store passwords, PDFs, and any other private data that you want to keep safe and readily available on all your devices.</p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Secure your PDFs with 1Password</h3> <p class="c-call-to-action-box__text"> Create, store, and share strong passwords for all of your PDF files with 1Password, the world's most-loved password manager. Get started today with a free 14-day trial. </p> <a href="https://1password.com/pricing/" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Try free for 14 days </a> </div> </section></description></item><item><title>1Password’s top four predictions for security in 2023</title><link>https://blog.1password.com/security-trends-predictions-2023/</link><pubDate>Thu, 05 Jan 2023 00:00:00 +0000</pubDate><author>info@1password.com (Stacey Harris)</author><guid>https://blog.1password.com/security-trends-predictions-2023/</guid><description> <img src='https://blog.1password.com/posts/2023/security-trends-predictions-2023/header.png' class='webfeedsFeaturedVisual' alt='1Password’s top four predictions for security in 2023' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">The security landscape is always evolving. This can make predicting what’s going to happen next complicated, but no less necessary.</p> <p>Part of our security team’s job is to keep an eye on the security landscape so that we can be flexible as changes need to be made. As part of that, we’ve asked them to share some of their security-related predictions for 2023.</p> <h2 id="1-passkeys-are-going-to-achieve-critical-mass-in-2023">1. 
Passkeys are going to achieve critical mass in 2023</h2> <p>People have been talking about the end of passwords for more than a decade at this point, but for once, they might actually be right. With the introduction of <a href="https://blog.1password.com/what-are-passkeys/">passkeys</a> there is now an accessible password replacement option that is strong and secure.</p> <p>Passkeys are digital credentials that let you sign in to apps and websites without using a password. And in 2022, passkeys finally worked their way into mainstream awareness – which is the first step towards reaching mass adoption. Not only do people now know about passkeys – and the passwordless future they promise – but there’s even a <a href="https://passkeys.directory/">passkey directory</a> letting people know which websites already support passkeys for authentication.</p> <blockquote> <p><strong>Businesses need to start supporting passkey authentication on their websites and apps if they don’t want to get left behind.</strong></p> </blockquote> <p>Passkey support is actively being integrated in iOS, Android, and Windows – making it more accessible for everyone. Now it’s up to enterprises to lead the charge in enabling the shift to passwordless to finally take place – something we think will happen in 2023. Enterprise businesses need to start supporting passkey authentication on their websites and apps if they don’t want to get left behind.</p> <blockquote> <p><em>“In the year ahead, hackers will continue to take advantage of people’s psychological weaknesses, preying on vulnerabilities like false urgency, greed, curiosity, and authoritative figures. 
But we expect passkeys to reach a critical mass in 2023, which will reduce everyone&rsquo;s attack surface level and combat other forms of human error.”</em> – Steve Won, CPO of 1Password</p> </blockquote> <p>As a business built around making passwords easy to use, you might think we’d be worried about this prediction – but we couldn’t be more excited! In 2022, we shared <a href="https://www.future.1password.com/passkeys/">a glimpse of what passkeys will look like in 1Password</a>, and announced that this functionality will be available to every 1Password customer in early 2023.</p> <h2 id="2-cyber-crime-is-going-to-mature-in-remote-working-organizations">2. Cyber crime is going to mature in remote working organizations</h2> <p>The COVID-19 pandemic forced many workplaces to rush into <a href="https://blog.1password.com/remote-work-tips/">remote working</a> in 2020. Since then, there’s been <a href="https://www.computerweekly.com/news/252523458/Shift-to-remote-work-sees-major-rise-in-cyber-crime">a steady increase</a> of cyber security attacks, both for office workers and remote workers. However, now, as we are further into remote work becoming the norm for many, attacks have had time to mature into tailored attacks on those who work remotely.</p> <p>Specifically, we’re expecting to see a bigger focus on impersonation attacks which take advantage of <a href="https://blog.1password.com/what-is-social-engineering-hacking-101/">social engineering</a> and the fact that many remote workers have never seen or spoken to many of their co-workers. But never having met or spoken to a co-worker isn’t even necessary for social engineering scams to be successful.</p> <blockquote> <p><strong>We expect to see a bigger focus on impersonation attacks which take advantage of social engineering.</strong></p> </blockquote> <p>A common version of this scam is CEO fraud. 
In this type of scam an attacker will pose as the company CEO in an email and ask an employee to transfer money to an account they control, or request sensitive personal or business information. To learn more about CEO fraud and how to protect your business from these types of attacks, <a href="https://blog.1password.com/stop-ceo-fraud">read our blog post</a> on the topic.</p> <p>Businesses should start preparing their workforces for these threats, if they’re not already. The first step is to adopt and roll out a <a href="https://blog.1password.com/password-manager/">password manager</a> like 1Password. With <a href="https://www.verizon.com/about/news/ransomware-threat-rises-verizon-2022-data-breach-investigations-report">82% of vulnerabilities linked to a human element</a> it’s important for businesses to secure their business by securing their workforce.</p> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div class="c-technical-aside-box__description"> <p>Learn how to secure your hybrid workforce <a href="https://1password.com/resources/how-to-secure-your-hybrid-workforce/?utm_ref=resources">with our free guide</a>!</p> </div> </aside> <h2 id="3-its-time-to-create-a-post-quantum-cryptography-strategy">3. It’s time to create a post-quantum cryptography strategy</h2> <p>Time to pull out the virtual planner because we predict that the <a href="https://www.nist.gov/">National Institute of Standards and Technology</a> (NIST) standardization will get to the point where if you need a quantum crypto strategy, you can start making one.</p> <p>Post-quantum cryptography is about creating security systems that protect against both classical and quantum computers while working within existing communications networks and protocols.</p> <p>With developments in the NIST standardization of cryptography, forward looking organizations can start to develop plans for adopting post-quantum cryptography. 
It’s important to remember that post-quantum cryptography algorithms are not going to be drop-in replacements for classical cryptography: each has different trade-offs in efficiency for a particular usage scenario and in what it protects against.</p> <p>In preparation for this shift, start looking at areas where you can use cryptography to achieve long-term security, and start evaluating which trade-offs of the proposed algorithms can work for you.</p> <blockquote> <p><strong>Post-quantum cryptography algorithms are not going to be drop-in replacements for classical cryptography.</strong></p> </blockquote> <p>This prepares you for the finalization of the standard and the wider adoption of post-quantum cryptography in the coming years, and keeps you on the cutting edge.</p> <p>While there are no algorithms to select right now, we expect the first ones to be proposed in 2023. So you can start developing your organization&rsquo;s strategy in 2023, while considering an appropriate degree of “cryptographic agility” – the ability to introduce new versions of cryptography in your systems. This will make it easier to update your cryptography to post-quantum algorithms in the future.</p> <blockquote> <p><em>“To cover potential risks stemming from the continued growth of quantum computing, organizations should think about what cryptography they employ and what it’ll take to make those uses post-quantum secure. As standardization occurs, organizations will be able to begin taking these important steps in 2023.”</em> – Rick Van Galen, senior security engineer at 1Password and former ethical hacker</p> </blockquote> <h2 id="4-people-will-expect-and-demand-data-privacy-by-default">4. 
People will expect and demand data privacy by default</h2> <p>The purpose of strong security is to keep your information – whether that’s business secrets, customer data, or your personal information – private.</p> <p>Customer awareness about data privacy – or in many cases, their lack of data privacy – has increased over the past few years. A growing group of people are calling on the companies that make their devices, apps, and online services to better protect and respect their personal information. As we go through this year, we’ll start to see data privacy as a bare minimum requirement, rather than as a differentiating feature.</p> <blockquote> <p><em>“In 2023, it’s going to be a requirement for companies versus an active choice. From Apple’s recent announcement on their new encrypted iCloud backup option, to Twitter’s plan for encryption of direct messages, we’re already seeing encryption and privacy by default becoming the norm. While some companies think that focusing on customer privacy means leaving money on the table – long-term trust with users will outweigh any short-term monetization.”</em> – Jeff Shiner, CEO of 1Password</p> </blockquote> <h2 id="no-one-can-predict-the-future">No-one can predict the future</h2> <p>These predictions are based on our security team&rsquo;s current perspective and understanding of the security landscape. But keep in mind, they’re just predictions – none of us have a crystal ball! We’re excited to see what the future holds, and what exciting developments will actually rise up and make an impact on our daily lives.</p> <section class="c-call-to-action-box"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Subscribe to our newsletter</h3> <p class="c-call-to-action-box__text"> Subscribe to our business security newsletter and get advice on running a secure, productive workplace delivered directly to your inbox. 
</p> <div class="c-call-to-action-box__text"> By signing up you agree to receive emails about the latest 1Password announcements, product updates, and events. <a class="c-newsletter-signup-form__gdpr--link" href="https://www.1password.co/email-preferences.html">Unsubscribe</a> any time. You also agree to our <a class="c-newsletter-signup-form__gdpr--link" href="https://1password.com/legal/terms-of-service/">terms of service</a> and <a class="c-newsletter-signup-form__gdpr--link" href="https://1password.com/legal/privacy/">privacy policy</a>. 
</div> </div> </section></description></item><item><title>Not in a million years: It can take far less to crack a LastPass password</title><link>https://blog.1password.com/not-in-a-million-years/</link><pubDate>Wed, 28 Dec 2022 00:00:00 +0000</pubDate><author>info@1password.com (Jeffrey Goldberg)</author><guid>https://blog.1password.com/not-in-a-million-years/</guid><description> <img src='https://blog.1password.com/img/headers/security-header.svg' class='webfeedsFeaturedVisual' alt='Not in a million years: It can take far less to crack a LastPass password' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">LastPass, a competitor, recently announced that password hashes were included in an August 2022 breach of their cloud storage.</p> <p>The company&rsquo;s notice claimed that if users had followed default settings, “it would take millions of years to guess your master password using generally-available password-cracking technology.” That claim is highly misleading. In this article, I&rsquo;ll explore the LastPass claim and unique 1Password features that protect you — now and in the event of a similar breach.</p> <p>If 1Password were to suffer a similar breach, the attacker would not be able to crack your combination of account password and Secret Key – even if they put every computer on Earth to work on the cracking and ran them for zillions of times the age of the universe.</p> <h2 id="the-news">The news</h2> <p>On December 22nd, LastPass posted <a href="https://blog.lastpass.com/2022/12/notice-of-recent-security-incident/">an update to their announcement</a> around an August 2022 breach. 
The update states that encrypted user data “remains secured with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user’s master password using our Zero Knowledge architecture.”</p> <p>The notice goes on to state that “if you use the default settings above it would take millions of years to guess your master password using generally-available password-cracking technology.” The default settings they refer to are 100,100 rounds of PBKDF2 (Password-based Key Derivation Function 2) for processing passwords and a minimum password length of twelve characters.</p> <p>That “millions of years” claim appears to rely on the assumption that the LastPass user&rsquo;s 12-character password was generated through a completely random process.</p> <p><strong>Passwords created by humans come nowhere near meeting that requirement.</strong></p> <p>As I have said for more than a decade, humans just can&rsquo;t create high-entropy passwords. Seemingly clever schemes to create passwords with a mix of letters, numbers, and symbols do more harm than good.</p> <p>Here&rsquo;s the bottom line: unless your password was created by a good password generator, it is crackable.</p> <p>The LastPass account password “best practices” advice linked to in their announcement says nothing about using a password generator, so it would be incorrect to assume that users are generating their LastPass passwords using a strong password generator.</p> <h2 id="human-vs-machine">Human vs machine</h2> <p>If you consider all possible 12-character passwords, there are something around &ldquo;2 to the power of 72&rdquo; possibilities. It would take many millions of years to try them all. Indeed, it would take much longer.</p> <p>But the people who crack human-created passwords don&rsquo;t do it that way.</p> <p>They set up their systems to try the most likely passwords first. 
The cracking systems will try things like <span class="c-password c-password__displayinlineflex"> <span class="c-password__letter">F</span> <span class="c-password__letter">i</span> <span class="c-password__letter">d</span> <span class="c-password__letter">o</span> <span class="c-password__digits">8</span> <span class="c-password__letter">m</span> <span class="c-password__letter">y</span> <span class="c-password__digits">2</span> <span class="c-password__letter">S</span> <span class="c-password__letter">o</span> <span class="c-password__letter">x</span> <span class="c-password__symbols">!</span> </span> and <span class="c-password c-password__displayinlineflex"> <span class="c-password__digits">2</span> <span class="c-password__letter">b</span> <span class="c-password__letter">|</span> <span class="c-password__letter">|</span> <span class="c-password__symbols">!</span> <span class="c-password__digits">2</span> <span class="c-password__letter">b</span> <span class="c-password__symbols">.</span> <span class="c-password__letter">t</span> <span class="c-password__letter">i</span> <span class="c-password__letter">t</span> <span class="c-password__letter">q</span> </span> long before they try things like the machine-created <span class="c-password c-password__displayinlineflex"> <span class="c-password__letter">z</span> <span class="c-password__letter">m</span> <span class="c-password__symbols">-</span> <span class="c-password__symbols">@</span> <span class="c-password__letter">M</span> <span class="c-password__letter">v</span> <span class="c-password__letter">Y</span> <span class="c-password__digits">7</span> <span class="c-password__symbols">*</span> <span class="c-password__digits">7</span> <span class="c-password__letter">e</span> <span class="c-password__letter">L</span> </span> .</p> <p>Passwords created by humans are crackable even if they meet various complexity requirements.</p> <p>So if you (or another human) created that 12-character password, it doesn&rsquo;t 
matter if there are &ldquo;2 to the power of 72&rdquo; different possible 12-character passwords. What matters is whether yours is going to be among the few billion that attackers try first. The number &ldquo;2 to the power of 72&rdquo; has relevance only if each of the &ldquo;2 to the power of 72&rdquo; possibilities is <em>equally likely</em>.</p> <h2 id="not-searching-far-and-wide">Not searching far and wide</h2> <p>Let&rsquo;s use a silly analogy.</p> <p>If I forget where I parked my car after leaving the theater, I have some searching to do. My car, a Subaru Outback, is about 4.87 meters long and 1.88 meters wide. So it covers about 9 square meters. The surface of the Earth is about 510 trillion square meters. This means that there are about 57 trillion (2 to the power of 45) places on the surface of the earth my car could be.</p> <p>It would take millions of years for me to make a dent in searching all of those places.</p> <p>But let&rsquo;s suppose that I start my search in the theater parking lot instead of haphazardly searching the surface of the earth. I can start in the area of the parking lot that I think it might be in, or the part where I typically park. It might take me a frustratingly long time to find my car. I might even have to start looking in adjacent parking lots or street parking. But I don&rsquo;t have to consider all &ldquo;2 to the power of 45&rdquo; possible spaces because most of those are extremely unlikely. I start with the most likely places first and work from there.</p> <p>It makes no sense to consider the time it takes to search &ldquo;2 to the power of 45&rdquo; places on Earth when estimating how long it will take for me to find my car. 
Similarly, it makes no sense to consider the time it takes to go through &ldquo;2 to the power of 72&rdquo; possible 12-character passwords when estimating how long it takes to guess a human-created password.</p> <h2 id="cracking-costs">Cracking costs</h2> <p>Perhaps the “millions of years” claim is based on poor assumptions about guessing speed. As it happens, we have estimated through a <a href="https://blog.1password.com/cracking-challenge-update/">cracking competition</a> that the cost of cracking passwords hashed with 100,000 rounds of PBKDF2-H256 is around $6 for every &ldquo;2 to the power of 32&rdquo; guesses. (The difference between our 100,000 rounds of PBKDF2 and LastPass&rsquo;s 100,100 rounds is so small that we can ignore it.) Because of how powers of 2 work, the cost of making &ldquo;2 to the power of 33&rdquo; guesses would be $12, while the cost of making &ldquo;2 to the power of 34&rdquo; guesses would be $24. Ten billion guesses would cost less than $100.</p> <section class="c-call-to-action-box"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Diminishing marginal gains of PBKDF2 rounds</h3> <p class="c-call-to-action-box__text"> The security improvement between 100,000 rounds of PBKDF2 and 100,100 rounds is an improvement of 1/1000th. Something that takes $100.00 to crack with 100,000 rounds would take $100.10 to crack with 100,100 rounds. To better understand this see the second, techie, portion of something I wrote about bcrypt in 2015. </p> <a href="https://blog.1password.com/bcrypt-is-great-but-is-password-cracking-infeasible/" class="c-call-to-action-box__link-href" data-event-category="CTA" data-event-action="call-to-action-button"> Bcrypt is great, but ... 
</a> </div> </section> <p>Given the attacker is starting with the most likely human-created passwords first, that $100 worth of effort is likely to get results unless the password was machine generated.</p> <h2 id="but-what-about-1password-account-passwords">But what about 1Password account passwords?</h2> <p>You may be asking whether a typical 1Password account password is crackable, particularly given we use 100,000 rounds of PBKDF2 in our key derivation.</p> <p>One of the things that sets 1Password apart is the Secret Key. A year ago I explained how your <a href="https://blog.1password.com/what-the-secret-key-does/">Secret Key protects you in the event the data we hold is captured by an attacker</a>.</p> <section class="c-call-to-action-box"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Learn more about the Secret Key</h3> <p class="c-call-to-action-box__text"> You can learn more about the care and feeding of your Secret Key in <a href="https://support.1password.com/secret-key-security/" title="About your Secret Key">our support documentation</a>, or dive into the gory details in the <a href="https://1passwordstatic.com/files/security/1password-white-paper.pdf">1Password Security Design whitepaper</a>. 
</p> <a href="https://support.1password.com/secret-key-security/" class="c-call-to-action-box__link-href" data-event-category="CTA" data-event-action="call-to-action-button"> About your Secret Key </a> </div> </section> <p>The most relevant facts about your Secret Key are that:</p> <ol> <li>It&rsquo;s created on your device when you first sign up.</li> <li>It&rsquo;s never passed to or through 1Password servers.<sup id="fnref:1"><a href="#fn:1" class="footnote-ref" role="doc-noteref">1</a></sup></li> <li>It&rsquo;s woven into your account password when deriving the keys needed to decrypt your data.</li> <li>It&rsquo;s high-entropy (128 bits).</li> </ol> <p>The consequence of 1 and 2 is that we (and therefore anyone who breaches us) have no access to your Secret Key whatsoever.</p> <p>The consequence of 3 is that an attacker would need to have or guess your Secret Key to decrypt your data.</p> <p>And the consequence of 4 is that it is not going to be guessed.</p> <section class="c-call-to-action-box"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">You still need a good account password</h3> <p class="c-call-to-action-box__text"> Your Secret Key protects you if your encrypted 1Password data is captured from <em>our servers</em>, but it does not protect you if your encrypted 1Password data is captured from <em>your</em> machines. So you still need a good account password. </p> <a href="https://support.1password.com/strong-account-password/" class="c-call-to-action-box__link-href" data-event-category="CTA" data-event-action="call-to-action-button"> How to choose a good account password </a> </div> </section> <h2 id="success-requires-designing-for-failure">Success requires designing for failure</h2> <p>We have not been breached, and we do not plan <em>to</em> be breached. But we understand that we have to plan <em>for</em> being breached. We also understand many 1Password users will not follow our advice to use randomly generated account passwords. 
It can be hard advice to follow.</p> <p>As a result, we have a responsibility to find ways to protect 1Password users in the event of a breach that would expose their encrypted data.</p> <p>The 1Password Secret Key is the solution we settled on seven years ago when we first launched the <a href="https://start.1password.com">1Password.com</a> service.</p> <p>The 1Password Secret Key may not be the most user-friendly aspect of our human-centered design, but it means that we can say with full confidence that your secrets will remain safe in the event of a breach.</p> <section class="footnotes" role="doc-endnotes"> <hr> <ol> <li id="fn:1" role="doc-endnote"> <p>In an earlier version I incorrectly said that your Secret Key “never leaves your device.” There are a number of ways your Secret Key can travel from an enrolled 1Password client to a new client, including end-to-end encrypted iCloud Keychain syncing, end-to-end encrypted Android backup, mechanisms under your control such as scanning a QR code from an enrolled 1Password client or you transmitting a setup code through mechanisms of your choosing. 
The overall point is that it&rsquo;s never transmitted to 1Password controlled systems, and so is never available to us or to someone who might breach us.&#160;<a href="#fnref:1" class="footnote-backref" role="doc-backlink">&#x21a9;&#xfe0e;</a></p> </li> </ol> </section></description></item><item><title>How to password protect your Excel spreadsheets</title><link>https://blog.1password.com/password-protect-excel-passwords/</link><pubDate>Thu, 22 Dec 2022 00:00:00 +0000</pubDate><author>info@1password.com (1Password)</author><guid>https://blog.1password.com/password-protect-excel-passwords/</guid><description> <img src='https://blog.1password.com/posts/2022/password-protect-excel-spreadsheets/header.png' class='webfeedsFeaturedVisual' alt='How to password protect your Excel spreadsheets' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Millions of people use Microsoft Excel to record, organize, and analyze important information. If you fall into this group, you may want to password-protect some of your most important spreadsheets and Workbooks.</p> <p>Here, you’ll learn a few different ways to add password protection to your Excel files. We’ll also explain how you can store and share those passwords in a <a href="https://blog.1password.com/password-manager/">password manager</a>, alongside your account logins and everything else that’s important in your digital life.</p> <h2 id="keep-your-important-data-private">Keep your important data private</h2> <p>Many Excel spreadsheets contain <em>a lot</em> of sensitive information. If you’re using the software professionally, that could include client contact details, credit card information, social security numbers, or data about your co-workers.</p> <p>Using Excel for school projects, or to keep your personal life organized? You might still have some spreadsheets that you want to keep private. 
For example, if you&rsquo;re planning a surprise birthday party for your partner, you don’t want them to find and open the spreadsheet that breaks down all the food, decorations, and entertainment.</p> <p>There are <a href="https://support.microsoft.com/en-us/office/protection-and-security-in-excel-be0b34db-8cb6-44dd-a673-0b3e3475ac2d">many ways to protect your Excel spreadsheets</a>. You can set a password to control who can open an Excel file, and whether they should have read-only or full editing access. Alternatively, you can lock specific worksheets with a password, ensuring that other people can&rsquo;t change anything by mistake.</p> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div class="c-technical-aside-box__description"> <p>In Microsoft Excel, a “worksheet” refers to a single-page spreadsheet with various cells. A “workbook” refers to an Excel file that contains multiple worksheets.</p> </div> </aside> <h2 id="use-a-password-to-control-who-can-open-or-edit-your-workbook">Use a password to control who can open or edit your Workbook</h2> <p>If you want to control who is able to open an Excel Workbook, you can do so by setting a password and sharing it with the people who need access.</p> <p>You can do this in two ways:</p> <h3 id="encryption">Encryption</h3> <p>You can encrypt the Workbook, which means nobody can access it without entering your chosen password. To do this on Windows:</p> <ol> <li>Select File &gt; Info.</li> <li>Select the Protect Workbook box and choose Encrypt with Password.</li> <li>Enter a password, and select OK.</li> <li>Confirm the password and select OK.</li> </ol> <img src="https://blog.1password.com/posts/2022/password-protect-excel-spreadsheets/encryptwindows.jpg" alt="A screenshot captured on a Windows PC, showing how to encrypt an Excel spreadsheet with a password." title="A screenshot captured on a Windows PC, showing how to encrypt an Excel spreadsheet with a password." 
class="c-featured-image"/> <p>To password protect your Workbook on a Mac:</p> <ol> <li>Select File &gt; Passwords&hellip;</li> <li>Enter a password in the &lsquo;Password to open&rsquo; field.</li> <li>Select OK.</li> </ol> <img src="https://blog.1password.com/posts/2022/password-protect-excel-spreadsheets/encryptmac.png" alt="A screenshot captured on a Mac, showing how to set a password that&#39;s required to open an Excel spreadsheet." title="A screenshot captured on a Mac, showing how to set a password that&#39;s required to open an Excel spreadsheet." class="c-featured-image"/> <h3 id="customize-editing-access">Customize editing access</h3> <p>Alternatively, you can protect your Workbook with two passwords: one to open the file, and another to modify it. For example, if you’re using Excel at work, you might want to give full editing permissions to your manager and read-only access to everyone else. Securing your spreadsheets this way lets you give people different and appropriate levels of access.</p> <p>If you&rsquo;re using a Windows PC:</p> <ol> <li>Select File &gt; Info.</li> <li>Select the Protect Workbook box and choose Always Open Read-Only.</li> <li>Enter a password for editing access, then select OK.</li> <li>Confirm the password and select OK.</li> </ol> <img src="https://blog.1password.com/posts/2022/password-protect-excel-spreadsheets/editingaccesswindows.jpg" alt="A screenshot captured on a Windows PC, showing how to set up an Excel spreadsheet so it always opens as read-only" title="A screenshot captured on a Windows PC, showing how to set up an Excel spreadsheet so it always opens as read-only" class="c-featured-image"/> <p>If you&rsquo;re using a Mac, follow these steps:</p> <ol> <li>Select File &gt; Passwords&hellip;</li> <li>Enter a password in the &lsquo;Password to modify&rsquo; field. 
Select OK.</li> </ol> <img src="https://blog.1password.com/posts/2022/password-protect-excel-spreadsheets/editingaccessmac.png" alt="A screenshot captured on a Mac, showing how to set a password that&#39;s required to edit an Excel spreadsheet." title="A screenshot captured on a Mac, showing how to set a password that&#39;s required to edit an Excel spreadsheet." class="c-featured-image"/> <p>Now, anyone with access to the file must enter a password to access the Workbook as read-only, and another to gain full editing access.</p> <h2 id="use-a-password-to-control-who-can-change-the-structure-of-your-workbook">Use a password to control who can change the structure of your Workbook</h2> <p>Another way to protect your spreadsheets is by locking down the structure of your Workbook. Doing this prevents other people from viewing hidden Worksheets, as well as adding, moving, deleting, hiding, or renaming Worksheets they’re not working on, or shouldn’t have permission to change.</p> <p>For example, let’s say you created a Workbook for a complex team project. If you lock the Workbook’s structure, your co-workers can still contribute data to individual Worksheets – they just can&rsquo;t alter how the Workbook has been set up and organized.</p> <p>To lock the structure of your Workbook:</p> <ol> <li>Click Review &gt; Protect Workbook.</li> <li>Enter a password (the password is optional, but if you don’t set one, this feature can be toggled on or off by anyone who can open the Excel file).</li> <li>Select OK, re-enter the password to confirm it, and then select OK again.</li> </ol> <img src="https://blog.1password.com/posts/2022/password-protect-excel-spreadsheets/lockworkbook.png" alt="A screenshot captured on a Mac, showing how to protect the structure of a Workbook in Excel." title="A screenshot captured on a Mac, showing how to protect the structure of a Workbook in Excel." 
class="c-featured-image"/> <p>Anyone with access to the Workbook will now be required to enter a password in order to modify its structure in any way.</p> <h2 id="use-a-password-to-control-who-can-edit-individual-worksheets">Use a password to control who can edit individual Worksheets</h2> <p>You can also use passwords to control who can edit what in specific Worksheets. This will lock the cells you select and stop people from changing, moving, or deleting any data contained in them.</p> <p>For example, let’s say you have a status report Worksheet for your team. You could set a password so coworkers are able to add and change data in specific cells, but nothing else. This would give you granular control over which parts of the sheet are editable, and which ones are off limits.</p> <p>To do this:</p> <ol> <li>Click Review &gt; Protect Worksheet.</li> <li>Enter a password (if you don’t set a password, anyone can toggle editing access on or off)</li> <li>Confirm the password and select OK. The entire Worksheet is now locked.</li> </ol> <img src="https://blog.1password.com/posts/2022/password-protect-excel-spreadsheets/lockworksheet.png" alt="A screenshot captured on a Mac, showing how to protect the structure of a Worksheet in Excel." title="A screenshot captured on a Mac, showing how to protect the structure of a Worksheet in Excel." class="c-featured-image"/> <p>If you&rsquo;re using a Windows PC, you can make specific cells editable by selecting Unlocked Ranges and entering the cell ranges you want unlocked.</p> <p>Anyone who opens the Worksheet will now only be able to modify the unlocked cells (unless they unlock the Worksheet with the password).</p> <h2 id="how-a-password-manager-can-help">How a password manager can help</h2> <p>Passwords are a great way to protect your most important Excel spreadsheets. 
But remember two things. First, Workbook-structure and Worksheet protection only prevents casual or accidental edits; it doesn’t encrypt the file, so only the password required to open the Workbook keeps its contents confidential. Second, if you forget or lose your passwords, Microsoft can’t retrieve them for you.</p> <p>That’s where a password manager like <a href="https://1password.com/">1Password</a> comes in. A password manager helps you create, store, and use strong passwords for your Workbooks and Worksheets.</p> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div class="c-technical-aside-box__description"> <p>Need help creating a strong password? Try 1Password&rsquo;s <a href="https://1password.com/password-generator/">strong password generator</a>!</p> </div> </aside> <p>1Password also gives you a secure and convenient way to share access to your Excel passwords. You can do this with <a href="https://1password.com/resources/guides/create-and-manage-shared-vaults/">shared vaults</a>, which are perfect for teams and families, or <a href="https://blog.1password.com/psst-item-sharing/">item sharing</a>, which is ideal for one-off situations, and sharing passwords with people who don’t have a password manager.</p> <p>Once you’ve finished working on a document, <a href="https://blog.1password.com/storing-important-documents/">you can store it in 1Password, too</a> – giving it the same level of protection as your passwords, addresses, and everything else important in your digital life.</p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Secure your digital life with 1Password</h3> <p class="c-call-to-action-box__text"> Keep all of your accounts, documents, and credit cards secure with 1Password, the world’s most-trusted password manager. Get started today with a free 14-day trial. 
</p> <a href="https://1password.com/pricing/" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Try free for 14 days </a> </div> </section></description></item><item><title>From our kitchens to yours: our favorite holiday recipes</title><link>https://blog.1password.com/season-of-giving-cookbook/</link><pubDate>Thu, 15 Dec 2022 00:00:00 +0000</pubDate><author>info@1password.com (1Password)</author><guid>https://blog.1password.com/season-of-giving-cookbook/</guid><description> <img src='https://blog.1password.com/posts/2022/season-of-giving-cookbook/header.png' class='webfeedsFeaturedVisual' alt='From our kitchens to yours: our favorite holiday recipes' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">With the holidays around the corner, our team is not only whipping up ideas and plans for 2023, but also some delicious holiday creations in their kitchens. For the second year in a row, we asked our team to contribute to an internal cookbook that everyone can draw inspiration from. We welcomed both sweet and savory recipes, as well as any stories about how the recipe came to be a favorite.</p> <p>The cookbook is part of a larger program we call Season of Giving. After a long and exciting year, we want to ensure our teams take the time to give back to their communities, chosen families, and themselves. We’ve been running a number of internal events throughout December that focus on everything from mental fitness coaching to laughter yoga (yes, it’s a thing!). Our hope is that by taking a moment to reflect and give back, our teams can head into the holiday season feeling proud of what they’ve done in 2022.</p> <p>In the spirit of the season of giving, here are three of the recipes from our cookbook. 
We promise they&rsquo;re all made with love, from our kitchens to yours!</p> <h2 id="coquito">Coquito</h2> <h3 id="ingredients">Ingredients</h3> <p>🍴 4 cans of evaporated milk<br> 🍴 2 cans of coconut milk<br> 🍴 1 can of coconut cream<br> 🍴 1 can of condensed milk<br> 🍴 2.5 cups of rum<br> 🍴 1 tsp of vanilla extract</p> <p>For the spice mix:</p> <p>🍴 1.5 cups of water<br> 🍴 6 cinnamon sticks<br> 🍴 8 anise stars<br> 🍴 4 small pieces of ginger<br> 🍴 A handful of cloves</p> <h3 id="instructions">Instructions:</h3> <ol> <li> <p>Bring the water and spices to a boil. Reduce this until it’s 1 cup of water and a yellowish color. Let it cool.</p> </li> <li> <p>Shake the cans well and pour them one by one into a large mixing bowl. Make sure to keep stirring.</p> </li> <li> <p>Once the spice mix is cool, add it to the mixing bowl. Mix and taste. Then add the vanilla.</p> </li> <li> <p>Add the rum 1 cup at a time. I like 2.5 cups but you can add or reduce the amount.</p> </li> <li> <p>Once you’ve added the rum, taste the Coquito and see if it still needs some sugar or a pinch of salt.</p> </li> <li> <p>Let it cool and refrigerate.</p> </li> </ol> <aside class="c-technical-aside-box c-technical-aside-box--background" aria-labelledby="chefs-story"> <h2 class="c-technical-aside-box__title" id="chefs-story"> Chef&#39;s story </h2> <div class="c-technical-aside-box__description"> <p>This is a family recipe that&rsquo;s been passed down through several generations. 
Coquito is a traditional coconut holiday drink we have in Puerto Rico.</p> </div> </aside> <h2 id="polish-stew">Polish stew</h2> <h3 id="ingredients-1">Ingredients</h3> <p>🍴 Kielbasa sausage<br> 🍴 1 carrot<br> 🍴 1 russet potato<br> 🍴 1 yellow onion<br> 🍴 4 cloves of garlic<br> 🍴 Cabbage (or sauerkraut)<br> 🍴 3 Roma tomatoes<br> 🍴 1/2 a can of crushed tomatoes<br> 🍴 1 cup of canned corn<br> 🍴 1/2 tbsp of paprika<br> 🍴 1/2 tbsp of thyme<br> 🍴 1 - 2 bay leaves (optional)<br> 🍴 1 1/2 cups of beef broth (or any other broth you have)</p> <h3 id="instructions-1">Instructions:</h3> <ol> <li> <p>Peel and then cut the onion, carrot and potato into 1/4-inch pieces. (We like to use a grater to shred the carrots instead!)</p> </li> <li> <p>Peel then mince the garlic.</p> </li> <li> <p>Cut the kielbasa sausage into half coins.</p> </li> <li> <p>Cut the tomatoes into 1/4-inch pieces.</p> </li> <li> <p>If you’re opting to use fresh cabbage, shred the cabbage. Otherwise, you can use sauerkraut.</p> </li> </ol> <p>Next:</p> <ol> <li> <p>Heat a medium-sized pot over medium-high heat. Once it’s hot, add 1 tbsp of oil. Then add the diced onions and carrots, stirring occasionally until the onions are translucent. Finally, add the cabbage or sauerkraut to the mix, followed by the minced garlic. Stir occasionally until fragrant.</p> </li> <li> <p>Add the paprika and thyme. Stir until the veggies are coated.</p> </li> <li> <p>Sprinkle some salt and pepper.</p> </li> <li> <p>Meanwhile, heat 1 tbsp of oil on medium-to-high heat in a large non-stick pan. Once it’s hot, add your Kielbasa. Stir occasionally for 3-4 minutes until lightly browned.</p> </li> </ol> <p>To build the stew:</p> <ol> <li> <p>Add the cooked kielbasa into the pot with the veggies. Stir occasionally for 1-2 minutes until the sausage is coated with the herbs and spice.</p> </li> <li> <p>Next, pour 1/2 can of crushed tomatoes into the pot. 
Stir occasionally for 1-2 minutes.</p> </li> <li> <p>Add 1 1/2 cups of broth to the pot and stir. Bring to a gentle boil over high heat.</p> </li> <li> <p>Once it’s boiling, add the diced potatoes. Cover and cook for 10-12 minutes, stirring occasionally until the potatoes are tender.</p> </li> <li> <p>Turn the stove down to medium-low heat. (Optionally, add 1 - 2 bay leaves.) Add canned corn to the stew. Let the stew sit on a low heat for 10 minutes.</p> </li> <li> <p>Serve in a bowl on its own, or with rice and/or mashed potatoes.</p> </li> </ol> <aside class="c-technical-aside-box c-technical-aside-box--background" aria-labelledby="chefs-story"> <h2 class="c-technical-aside-box__title" id="chefs-story"> Chef&#39;s story </h2> <div class="c-technical-aside-box__description"> <p>This hearty stew is perfect during the colder seasons! It used to be a go-to for my late grandfather. His version was slightly more simplified – I added the fried onions, carrots and garlic with salt and pepper (this can be found in some Eastern European cooking). This is an incredibly versatile recipe and it varies from member to member in my family.</p> </div> </aside> <h2 id="nanaimo-bars">Nanaimo bars</h2> <h3 id="ingredients-2">Ingredients</h3> <p>🍴 1 cup of butter, softened, divided<br> 🍴 5 tablespoons of unsweetened cocoa powder<br> 🍴 ¼ cup of white sugar<br> 🍴 1 egg, beaten<br> 🍴 1 ¾ cups of graham cracker crumbs<br> 🍴 1 cup of flaked coconut<br> 🍴 ½ cup of finely chopped almonds (optional)<br> 🍴 3 tbsps of heavy cream<br> 🍴 2 tbsps of custard powder<br> 🍴 2 cups of confectioners' sugar<br> 🍴 4 (1 ounce) squares of semi-sweet baking chocolate<br> 🍴 2 tsps of butter</p> <h3 id="instructions-2">Instructions</h3> <ol> <li> <p>In the top of a <a href="https://www.bonappetit.com/story/double-boiler">double boiler</a>, combine 1/2 cup of softened butter, along with the cocoa powder and sugar. Stir occasionally until it’s melted and smooth. 
Beat in the egg and stir for 2-3 minutes until it’s thick.</p> </li> <li> <p>Remove from the heat and mix in the graham cracker crumbs, coconut, and almonds. Press into the bottom of an un-greased 8x8-inch pan.</p> </li> <li> <p>For the middle layer, beat the remaining 1/2 cup softened butter with the heavy cream and custard powder until it’s light and fluffy. Mix in the confectioners' sugar until smooth. Spread over the bottom layer in the pan. Chill to set.</p> </li> <li> <p>While the second layer is chilling, melt the semi-sweet chocolate and 2 teaspoons of butter together in the microwave, or over a low heat.</p> </li> <li> <p>Spread the melted chocolate mixture over the chilled bars. Let the chocolate set before cutting into squares.</p> </li> </ol> <aside class="c-technical-aside-box c-technical-aside-box--background" aria-labelledby="chefs-story"> <h2 class="c-technical-aside-box__title" id="chefs-story"> Chef&#39;s story </h2> <div class="c-technical-aside-box__description"> <p>Since I’m more of a chef than a baker, I searched for a “no-bake” recipe a long time ago, and this is one classic that I can manage for the holiday season!</p> </div> </aside></description></item><item><title>Distraction on overdrive: Security in a time of permacrisis</title><link>https://blog.1password.com/state-of-access-report-permacrisis/</link><pubDate>Tue, 13 Dec 2022 00:00:00 +0000</pubDate><author>info@1password.com (Nick Summers)</author><guid>https://blog.1password.com/state-of-access-report-permacrisis/</guid><description> <img src='https://blog.1password.com/posts/2022/state-of-access-report-permacrisis/header.png' class='webfeedsFeaturedVisual' alt='Distraction on overdrive: Security in a time of permacrisis' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction"><em>Permacrisis: &lsquo;An extended period of instability and insecurity, especially one resulting from a series of catastrophic events.&rsquo;</em></p> <p>We can 
probably all agree that we&rsquo;re living in a state of permacrisis right now. After grappling with Covid-19, the world has been rocked by volatile stock markets, record-setting inflation, and the ongoing conflict in Ukraine. No wonder Collins Dictionary <a href="https://blog.collinsdictionary.com/language-lovers/a-year-of-permacrisis/">chose permacrisis as its word of the year</a> for 2022.</p> <p>Last year, our State of Access report <a href="https://blog.1password.com/state-of-access-report-burnout-breach/">delved into burnout</a> and its impact on cybersecurity in the workplace. This year, we&rsquo;re exploring how these trends, challenges, and behaviors <a href="http://1password.com/resources/2022-state-of-secure-access-report">have evolved in a time defined by permacrisis</a>. To do this, we surveyed 2,000 adults in the U.S. and Canada who are in full-time employment and spend most of their working hours in front of a computer.</p> <p>Here&rsquo;s what we found:</p> <h2 id="our-key-findings">Our key findings</h2> <ul> <li> <p><strong>The permacrisis is causing more stress.</strong> One in three employees (32%) told us they&rsquo;re more stressed than ever before.</p> </li> <li> <p><strong>Non-stop crises are making workers more distracted.</strong> Four out of five employees (79%) said they feel distracted on a typical working day.</p> </li> <li> <p><strong>Ongoing crises are affecting how people feel about their job.</strong> Nearly half of employees working in technology, IT, and telecoms (46%) said these distractions from world events make it hard to care about their job.</p> </li> <li> <p><strong>These distractions are impacting workers’ security habits.</strong> 45% of distracted employees don’t follow all the security rules at their organization, compared to 29% who are not distracted.</p> </li> <li> <p><strong>Password reuse is a widespread problem.</strong> One in three employees (34%) reuse passwords despite knowing the risk.</p> </li> <li> 
<p><strong>Senior leaders are more likely to choose poor passwords.</strong> Half of workers at the level of VP and above (49%) use personal identifiers in their passwords, compared to a third of individual contributors (34%).</p> </li> </ul> <h2 id="read-the-full-report">Read the full report</h2> <p>If you want to learn more about the permacrisis we’re living through and its impact on cybersecurity, <a href="http://1password.com/resources/2022-state-of-secure-access-report">check out the full report</a>. It dives deeper into the deluge of world issues that have occupied our thoughts over the last 12 months. You&rsquo;ll also learn how many people are currently using a password manager at work, and what employees see as the biggest security threat facing their companies.</p> <h2 id="whats-the-solution">What’s the solution?</h2> <p>Permacrisis, and widespread distractions, may be here to stay. Our report considers how companies should be responding to this phenomenon, and the importance of supporting everyone with human-centric security solutions.</p> <blockquote> <p><em>“It’s vital that businesses take security off of people’s plates, by implementing seamless systems that eliminate the need for human action. Mishaps are inevitable — it’s not a case of if the world’s distractions will cause employees to become more vulnerable to human error, it’s a matter of when. The easier we can make security, the less security itself will become yet another distraction.”</em> — Jeff Shiner, CEO of 1Password</p> </blockquote> <p>We hope our research encourages companies to reflect on what&rsquo;s happening around the world, and the strain it might be placing on their employees. 
This introspection is a critical first step to understanding the problem, and what can be done to make cybersecurity simpler and less stressful for workers everywhere.</p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Distraction on overdrive: Security in a time of permacrisis</h3> <p class="c-call-to-action-box__text"> Learn more about permacrisis and its impact on cybersecurity by reading our State of Access report. </p> <a href="http://1password.com/resources/2022-state-of-secure-access-report" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Read the report </a> </div> </section></description></item><item><title>Unlock any CLI using biometrics with 1Password Shell Plugins</title><link>https://blog.1password.com/shell-plugins/</link><pubDate>Wed, 07 Dec 2022 00:00:00 +0000</pubDate><author>info@1password.com (Simon Barendse)</author><guid>https://blog.1password.com/shell-plugins/</guid><description> <img src='https://blog.1password.com/posts/2022/shell-plugins/header.png' class='webfeedsFeaturedVisual' alt='Unlock any CLI using biometrics with 1Password Shell Plugins' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">1Password Shell Plugins brings the security and ease of use of biometrics to every tool in your terminal.</p> <p>I love Touch ID. When I use it to log in to a site or authorize a purchase, authentication just kind of <em>happens</em>. It doesn’t feel futuristic anymore, but it does feel like the present. It’s the modern computing experience.</p> <p>Then I open my terminal, and I&rsquo;m transported right back to the past. Why can&rsquo;t devs have that modern experience?</p> <p>I know I&rsquo;m not alone. 
When we introduced Touch ID support for <a href="https://blog.1password.com/1password-cli-2_0/">1Password CLI 2.0</a>, one of the most frequent pieces of feedback we heard was: Can we have Touch ID for <em>all</em> CLIs?</p> <p>So, about that.</p> <h2 id="introducing-1password-shell-plugins">Introducing 1Password Shell Plugins</h2> <img src='https://blog.1password.com/posts/2022/shell-plugins/gitlab_cli_authorization.gif' alt='GIF of Mac terminal window illustrating Touch ID being used to authorize the use of secrets in the terminal with 1Password' title='GIF of Mac terminal window illustrating Touch ID being used to authorize the use of secrets in the terminal with 1Password' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>We use CLIs to perform quick actions from the comfort of our terminals and automate recurring tasks. You might use the <a href="https://about.gitlab.com/blog/2022/12/07/introducing-the-gitlab-cli/">GitLab CLI</a> to submit your code in a merge request, so the team can review it and include it in the next release, for example. Many other developer platforms like <a href="https://aws.amazon.com/cli/">AWS</a>, <a href="https://stripe.com/docs/stripe-cli">Stripe</a>, <a href="https://docs.sentry.io/product/cli/">Sentry</a>, and <a href="https://circleci.com/docs/local-cli/">CircleCI</a> offer CLIs as well.</p> <p>Connecting a CLI to your online account often involves generating API access keys in a browser, then pasting those values into the terminal. Those credentials are usually saved in a plaintext config file that gives the CLI persistent access to your account, even after reboots. But if an attacker, or any malicious process running as your user, gains access to your system, they can read that file and get the same level of access to your account that you do.</p> <p>We built 1Password Shell Plugins so you can securely store all of your access keys in encrypted 1Password vaults, rather than on disk. 
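</p> <p>To make that concrete, here is an added example (not 1Password’s code) of the mechanism in plain Python: a secret reference is resolved only when a command runs, handed to that one child process through its environment, and never written to a config file or exported into the parent shell. The <code>op://vault/item/field</code> syntax is 1Password’s secret reference format, but the in-memory vault, the sample env file and the names in it are constructed stand-ins so the example runs offline.</p>

```python
# Added example, not 1Password's code: the process-scoped secret injection
# that Shell Plugins (and `op run`) perform, modelled in plain Python.
# A reference is resolved only when a command runs, handed to that one child
# process through its environment, and never written to disk or exported
# into the parent shell.
#
# Assumptions: op://vault/item[/section]/field is 1Password's secret
# reference syntax, but VAULT is a constructed in-memory stand-in for the
# real vault (the real CLI resolves references after a biometric prompt),
# and SAMPLE_ENV_FILE is a constructed KEY=value file in the shape that
# `op run --env-file` consumes. Everything here runs offline.
import os
import re
import subprocess
import sys

VAULT = {
    "op://Developer/GitLab Personal Access Token/token": "glpat-constructed-not-real",
    "op://Developer/AWS/access key id": "AKIACONSTRUCTEDEXAMPLE",
}

# vault / item / optional section / field; segments may contain spaces
REF_RE = re.compile(r"^op://([^/]+)/([^/]+)(?:/([^/]+))?/([^/]+)$")

SAMPLE_ENV_FILE = """\
# constructed settings for a GitLab CLI session; only the token is secret
GITLAB_HOST=gitlab.example.com
GITLAB_TOKEN=op://Developer/GitLab Personal Access Token/token
"""


def parse_reference(ref: str) -> dict:
    """Split a secret reference into vault, item, optional section and field."""
    m = REF_RE.match(ref)
    if not m:
        raise ValueError(f"not a secret reference: {ref!r}")
    vault, item, section, field = m.groups()
    return {"vault": vault, "item": item, "section": section, "field": field}


def resolve(ref: str) -> str:
    """Fetch the secret a reference points at; fail loudly if it is missing."""
    parse_reference(ref)                    # reject malformed references first
    try:
        return VAULT[ref]
    except KeyError:
        raise KeyError(f"no such item in vault: {ref}") from None


def load_env_file(text: str) -> dict:
    """Parse KEY=value lines; reference values are resolved, literals kept as-is."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        value = value.strip()
        env[key.strip()] = resolve(value) if value.startswith("op://") else value
    return env


def run_with_secrets(cmd: list, env_text: str) -> str:
    """Run cmd with the resolved variables in its environment only; return stdout."""
    child_env = dict(os.environ)            # a copy: the parent's environ is untouched
    child_env.update(load_env_file(env_text))
    done = subprocess.run(cmd, env=child_env, capture_output=True, text=True, check=True)
    return done.stdout


def demo() -> dict:
    """Show that the child sees the secret while the parent process never does."""
    child = [sys.executable, "-c",
             "import os; print(os.environ['GITLAB_HOST'], os.environ['GITLAB_TOKEN'])"]
    seen = run_with_secrets(child, SAMPLE_ENV_FILE).split()
    return {"child_saw": seen, "parent_has_token": "GITLAB_TOKEN" in os.environ}
```

<p>The real plugin does the same with the stored credential, unlocked by Touch ID, and the same reference syntax is what the CI/CD integrations described later in this post consume. 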
When you use a Shell Plugin for a particular service, access to the associated API keys is restricted to your specific terminal session.</p> <p>Because they&rsquo;re saved in 1Password, you can securely sign in to any CLI with your fingerprint or another form of biometrics. If the service supports it, MFA codes can be filled automatically – so there’s no need to pull out your phone multiple times every day.</p> <p>In fact, there’s no need to type <em>anything</em>. No plaintext, no typing passwords, no hassle – you can stay in the zone and focus on the task at hand.</p> <h2 id="extensibility-built-in">Extensibility built in</h2> <p>We’ve already built Shell Plugins for many popular CLIs, including:</p> <ul> <li><a href="https://developer.1password.com/docs/cli/shell-plugins/gitlab">GitLab</a></li> <li><a href="https://developer.1password.com/docs/cli/shell-plugins/circleci">CircleCI</a></li> <li><a href="https://developer.1password.com/docs/cli/shell-plugins/aws">Amazon Web Services</a></li> <li><a href="https://developer.1password.com/docs/cli/shell-plugins/sentry">Sentry</a> (Get $240 in Sentry credits with code “1Password”)</li> <li><a href="https://developer.1password.com/docs/cli/shell-plugins/stripe">Stripe</a></li> <li><a href="https://developer.1password.com/docs/cli/shell-plugins/twilio">Twilio</a></li> <li><a href="https://developer.1password.com/docs/cli/shell-plugins/github">GitHub</a></li> </ul> <p>There are <a href="https://developer.1password.com/docs/cli/shell-plugins">many more pre-built integrations</a>, but you’re not limited to the ones we built. You can build your own, for any CLI.</p> <p>Shell Plugins are fully extensible and aren’t restricted to specific services. If you don&rsquo;t see an integration you need, you can join the open source project (currently in beta) and <a href="https://developer.1password.com/docs/cli/shell-plugins/contribute/">contribute your own</a>.</p> <p>Want to add MFA support to an existing Shell Plugin? 
You can do that too.</p> <blockquote> <p><em>Many of our users rely on GitLab to shorten code review cycles, increase their developer productivity and strengthen overall security at every step. 1Password’s latest rollout is an important development in that last bucket. Launching Shell Plugins will help ensure developers can access our tools in their terminals as quickly and securely as possible.</em> – Kai Armstrong, senior product manager, GitLab</p> </blockquote> <h2 id="your-keys-but-portable">Your keys, but portable</h2> <p>Storing your keys in 1Password means you can use them <em>everywhere</em>. If you switch to a different machine, system, or environment, the process is exactly the same.</p> <p>Just install and configure Shell Plugins on your machine, then use biometrics to grant access to your key in 1Password. If the plugin supports MFA, you can use 1Password to autofill the codes.</p> <p>This all makes setup, developer onboarding, and collaboration simpler. If new teammates are in the relevant group in 1Password, they already have the permissions they need to access the shared credentials and contribute immediately. All they have to do is install the <a href="https://1password.com/downloads/command-line/">1Password CLI</a> and the appropriate Shell Plugins.</p> <h2 id="how-shell-plugins-work">How Shell Plugins work</h2> <p>Once you&rsquo;ve set up 1Password CLI, you can install a supported Shell Plugin with a single command. 
For example, to install the plugin for GitLab, you would run:</p> <p><code>op plugin init glab</code></p> <img src='https://blog.1password.com/posts/2022/shell-plugins/gitlab_cli.png' alt='Mac terminal window displaying the command `op plugin init glab`' title='Mac terminal window displaying the command `op plugin init glab`' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>During the configuration process, you can import existing credentials from your config file or create new credentials in 1Password.</p> <img src='https://blog.1password.com/posts/2022/shell-plugins/gitlab_access_token.png' alt='Mac terminal window displaying the process of saving a GitLab Access Token to 1Password' title='Mac terminal window displaying the process of saving a GitLab Access Token to 1Password' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>At this point, your credentials are safely stored in 1Password, so you can remove them from your disk.</p> <p><a href="https://developer.1password.com/docs/cli/shell-plugins/">Check out the developer docs</a> to learn more about Shell Plugins.</p> <img src='https://blog.1password.com/posts/2022/shell-plugins/1password_gitlab_authorization.png' alt='1Password for Mac displaying GitLab Personal Access Token item with Mac terminal and Touch ID authorization prompt in the foreground' title='1Password for Mac displaying GitLab Personal Access Token item with Mac terminal and Touch ID authorization prompt in the foreground' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <h2 id="introducing-cicd-integrations">Introducing CI/CD integrations</h2> <p>One more thing. When you’re setting up a CI/CD workflow, you often need to manually enter secrets by visiting the settings page of the tool you’re using. 
But now you can store those secrets in 1Password, too.</p> <p>You can access them directly within your CI/CD tools – and reference their location in 1Password directly within the job that requires them – via new integrations for:</p> <ul> <li><a href="http://developer.1password.com/docs/ci-cd/circle-ci">CircleCI</a></li> <li><a href="http://developer.1password.com/docs/ci-cd/jenkins">Jenkins</a></li> <li><a href="https://developer.1password.com/docs/ci-cd/github-actions">GitHub Actions</a></li> </ul> <p>Again, feel free to <a href="https://developer.1password.com/docs/ci-cd/">jump into the documentation</a> to get started.</p> <h2 id="securing-the-software-development-life-cycle">Securing the software development life cycle</h2> <p>Our goal is to bring this same level of security and ease of use to the entire <a href="https://1password.com/developers/">software development life cycle</a>. My colleague, Marc Mackenbach, has written about <a href="https://blog.1password.com/developers-deserve-great-ux/">how far the developer user experience has to go</a> before it catches up with the consumer experience in terms of both security and UX.</p> <p>We&rsquo;re working on that. Check out <a href="https://1password.com/developers/">1Password.com/developers</a> for a quick overview of everything we’re building to secure developer workflows. In the meantime, feel free to <a href="https://developer.1password.com/docs/cli/shell-plugins/">start exploring the Shell Plugins documentation</a>.</p> <p>And maybe keep your phone in your pocket. You won’t need it nearly as often anymore. 😉</p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">1Password Developer Tools</h3> <p class="c-call-to-action-box__text"> Get started with Shell Plugins and other 1Password Developer Tools in 1Password 8. 
</p> <a href="https://1password.com/developers/" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Explore Developer Tools </a> </div> </section></description></item><item><title>What is a hashed password?</title><link>https://blog.1password.com/what-is-hashed-password/</link><pubDate>Tue, 06 Dec 2022 00:00:00 +0000</pubDate><author>info@1password.com (1Password)</author><guid>https://blog.1password.com/what-is-hashed-password/</guid><description> <img src='https://blog.1password.com/posts/2022/what-is-hashed-password/header.png' class='webfeedsFeaturedVisual' alt='What is a hashed password?' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Data breaches <a href="https://www.infosecurity-magazine.com/news/data-breaches-rise-by-70-q3-2022/">are on the rise</a>, so it’s critical that companies properly protect their customers’ passwords. One of the ways that businesses do this is by hashing passwords before storing them.</p> <p>But what is hashing, and how does it work? And can a hashed password ever be cracked? Here, we&rsquo;ll answer all of these questions and more.</p> <h2 id="how-does-password-hashing-work">How does password hashing work?</h2> <p>Hashing is a cryptographic technique <a href="https://medium.com/tech-tales/the-origins-of-hashing-95701bc6a444">invented more than 50 years ago</a>, long before the internet and the personal computer. Today, companies use hashing to secure all kinds of sensitive data, including customer passwords.</p> <p>Hashing is a one-way process that protects a password by turning it into a different and <em>seemingly</em> random string of characters.</p> <p>When you choose a new password for one of your online accounts, it&rsquo;s usually run through a mathematical algorithm called a hash function. 
The hashed password that comes out the other side is then stored on the company&rsquo;s server. This helps protect it from an attacker who manages to access the password database.</p> <blockquote> <p><strong>Companies use hashing to secure all kinds of sensitive data, including customer passwords.</strong></p> </blockquote> <p>You don’t see any of this – it all happens behind the scenes, in a matter of milliseconds.</p> <p>The next time you want to sign in, you’ll enter your password, which is run through the same algorithm as before. The website or app will then check that the hashed result matches the hashed password stored on its server. If everything lines up exactly, the website or app knows that you’ve entered the correct password and will let you sign in.</p> <h2 id="common-hashing-algorithms">Common hashing algorithms</h2> <p>Cryptographers have developed many hashing algorithms over the years. These include <a href="https://www.avast.com/c-md5-hashing-algorithm">MD5</a>, <a href="https://en.wikipedia.org/wiki/SHA-1">SHA-1</a>, <a href="https://en.wikipedia.org/wiki/SHA-2">SHA-2</a> (SHA is an acronym for Secure Hash Algorithm), <a href="https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.ripemd160?view=netframework-4.8">RIPEMD-160</a>, and <a href="https://www2.seas.gwu.edu/~poorvi/Classes/CS381_2007/Whirlpool.pdf">Whirlpool</a>.</p> <p>Many older hashing algorithms, like SHA-1 and MD5, are no longer considered secure. Why? Both have known weaknesses (practical collisions have been demonstrated for each), and, more importantly for passwords, they’re so fast that modern GPUs can test billions of guesses per second in a <a href="https://blog.1password.com/what-is-a-brute-force-attack-and-whats-the-best-defense/">brute-force attack</a>. Other algorithms are still considered secure. 
For example, SHA-256 <a href="https://support.1password.com/1password-security/">is used by 1Password</a>, though not on its own: it runs inside PBKDF2, a deliberately slow key derivation function. That distinction matters. A fast hash like SHA-256 is secure as a hash, but the functions built for storing passwords (PBKDF2, bcrypt, scrypt, and Argon2) are designed to be slow, and in the case of scrypt and Argon2 memory-hungry as well, so that every guess costs an attacker real time.</p> <blockquote> <p><strong>If you put a password through the same algorithm twice, the hashed result won’t change.</strong></p> </blockquote> <p>Hashing algorithms might have evolved over the years, but they all share certain characteristics. Because they’re mathematical formulas, the rules that govern them are fixed and consistent. They produce hashed passwords that contain the same number of characters every time, no matter how long the original password is. If you put a password through the same algorithm twice, the hashed result won’t change.</p> <p>They’re also one-way functions, so they can’t be reversed. That doesn’t make cracking impossible (more on that in a second): an attacker can’t run the function backwards, but can keep guessing inputs until one produces a matching hash.</p> <h2 id="what-makes-password-hashing-secure">What makes password hashing secure?</h2> <p>Imagine that a website or app was breached. During this incident, a criminal gained access to a database that contained customer passwords and other sensitive information. If the passwords weren&rsquo;t hashed, this would be a major problem. Hashing means the attacker would only have access to a set of scrambled passwords. These are useless unless the hacker can find a way to crack them and reveal the original passwords.</p> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div class="c-technical-aside-box__description"> <p>Learn <a href="https://1password.com/resources/how-to-avoid-a-data-breach/">how to avoid a data breach</a> with our free guide!</p> </div> </aside> <h2 id="can-hashed-passwords-be-cracked">Can hashed passwords be cracked?</h2> <p>Hashing is a great way to protect passwords and other sensitive information. But the process does have some weaknesses. 
Here are some of the techniques that an attacker can use to crack a hashed password:</p> <ul> <li> <p><strong><a href="https://blog.1password.com/what-is-dictionary-attack/">Dictionary attack</a>.</strong> Attackers will use software to run popular and predictable passwords through commonly used hashing algorithms. The program will compare the hashed results with the scrambled credentials in the hacker’s possession. If there’s a match, the hacker can easily deduce the original password.</p> </li> <li> <p><strong>Rainbow tables.</strong> Hackers use “rainbow tables” – precomputed lookup tables, built once and reused against every breach – for popular hashing algorithms. These tables map common passwords to their hashed counterparts. If a hacker obtains a database of hashed passwords, they can look to see if there are any matches in one of these rainbow tables. If there&rsquo;s a hit, they can then use the same table to see what the original password is.</p> </li> </ul> <p>To counter these techniques, many websites and apps will “salt” passwords in addition to hashing them.</p> <h2 id="password-salting-extra-security-flavor">Password salting: extra security flavor</h2> <p>Hashing is a great first step toward protecting passwords and other sensitive data. But as we’ve learned, hashed passwords aren’t actually random. So if you run “123456” through the same algorithm twice, the result will be the same, and every user who picked “123456” ends up with the same stored hash. More steps are therefore required to make each stored hash unique.</p> <p>Enter <a href="https://blog.1password.com/a-salt-free-diet-is-bad-for-your-security/">salting</a>! This process adds a random value, called the salt, to the password before it goes through the hashing algorithm. 
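</p> <p>Here is the whole pipeline as an added example in Python (not code from 1Password or this post): the bare, unsalted SHA-256 that the dictionary and rainbow-table attacks above exploit, next to a salted, peppered PBKDF2-HMAC-SHA256 hash with constant-time verification. The iteration count, the pepper value and the constructed list of leaked passwords are assumptions for the example, not 1Password’s settings or data.</p>

```python
# Added example (not code from 1Password or this post): the password-hashing
# pipeline the text describes, using only Python's standard library.
#
# hash_fast() is the bare, unsalted hash that dictionary and rainbow-table
# attacks exploit: the same password always gives the same digest.
# hash_password()/verify_password() are the hardened form: a fresh random
# salt per password, a deliberately slow KDF (PBKDF2-HMAC-SHA256), a secret
# pepper kept out of the database, and a constant-time comparison.
# ITERATIONS, PEPPER and COMMON_PASSWORDS are assumptions for this example,
# not 1Password's settings or data.
import hashlib
import hmac
import secrets

ITERATIONS = 600_000   # assumption: chosen so one guess costs noticeable CPU time
SALT_BYTES = 16

# Assumption: in production the pepper lives in config, a KMS or an HSM,
# never in the same database as the hashes.
PEPPER = b"example-pepper-keep-this-out-of-the-database"

# Constructed attacker wordlist standing in for a real password dictionary.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein"]


def hash_fast(password: str) -> str:
    """Unsalted SHA-256: deterministic, so a precomputed table reverses it."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_dictionary(candidates) -> dict:
    """Attacker side: precompute digest -> password once, reuse forever."""
    return {hash_fast(p): p for p in candidates}


def crack_fast(digest: str, table: dict):
    """Look a leaked unsalted digest up in the table; None if not present."""
    return table.get(digest)


def _stretch(password: str, salt: bytes, iterations: int, pepper: bytes) -> bytes:
    # Pepper first (keyed HMAC), then slow, salted stretching.
    peppered = hmac.new(pepper, password.encode(), hashlib.sha256).digest()
    return hashlib.pbkdf2_hmac("sha256", peppered, salt, iterations)


def hash_password(password: str, pepper: bytes = PEPPER) -> str:
    """Return a self-describing record: algorithm$iterations$salt$hash."""
    salt = secrets.token_bytes(SALT_BYTES)            # fresh for every password
    dk = _stretch(password, salt, ITERATIONS, pepper)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str, pepper: bytes = PEPPER) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iters, salt_hex, dk_hex = record.split("$")
        if algo != "pbkdf2_sha256":
            return False
        dk = _stretch(password, bytes.fromhex(salt_hex), int(iters), pepper)
        return hmac.compare_digest(dk, bytes.fromhex(dk_hex))
    except ValueError:            # malformed record, bad hex or non-integer count
        return False


def demo() -> dict:
    """Run through the post's argument and return the observations it relies on."""
    table = build_dictionary(COMMON_PASSWORDS)
    leaked = hash_fast("123456")                      # what a bare-hash breach exposes
    rec_a = hash_password("123456")
    rec_b = hash_password("123456")                   # same password, second account
    return {
        "fast_is_deterministic": hash_fast("123456") == leaked,
        "fast_cracked_as": crack_fast(leaked, table),
        "salted_differs_per_account": rec_a != rec_b,
        "salted_in_table": rec_a in table,
        "verify_ok": verify_password("123456", rec_a),
        "verify_wrong_password": verify_password("1234567", rec_a),
        "verify_wrong_pepper": verify_password("123456", rec_a, pepper=b"other"),
    }
```

<p>Note that <code>hash_password</code> draws a fresh random salt every time it is called, while the pepper never appears in the record it returns. 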
These additions ensure that the same password will produce a different hashed result for every user, because every user gets a different salt.</p> <p>Salting is effective for two reasons:</p> <ul> <li>It turns the original password into something long and unique that won’t be in a criminal’s password list (dictionary), so guesses have to be hashed again for every account instead of once for all of them.</li> <li>It turns the hashed password into something that won’t be in any rainbow table, because a table would have to be built for that exact salt.</li> </ul> <p>There are different ways of salting a password. For example, some services will apply a second, secret value – a practice known as peppering – alongside the salt. The pepper is a single secret shared by all accounts rather than a fresh random value per user, and unlike a traditional salt, it’s not stored in the same place as the hashed passwords: it lives in the application’s configuration or a secrets store, so a breach of the database alone doesn’t reveal it.</p> <h2 id="how-a-password-manager-can-help">How a password manager can help</h2> <p>The best way to protect your online accounts is by using strong, unique passwords. Salting slows an attacker down, but it doesn’t rescue a weak password: “123456” still falls to the first guess. If your passwords are long and truly random, it’s unlikely that they’ll appear in a rainbow table, or on a list of commonly hashed passwords, and guessing them one at a time through a slow hash becomes impractical.</p> <p>But how do you create and remember strong passwords? That’s where a <a href="https://blog.1password.com/password-manager/">password manager</a> comes in.</p> <p>1Password will help you create unique, random passwords for all your accounts, ensuring they’re difficult to crack both before and after they’re hashed. <a href="https://watchtower.1password.com/">Watchtower</a> will also alert you if any of your credentials show up in a known data breach, allowing you to change your password before a criminal can exploit it.</p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Ready to protect yourself?</h3> <p class="c-call-to-action-box__text"> Keep all of your accounts secure with 1Password, the world’s most-trusted password manager. Get started today with a free 14-day trial. 
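<p>As an added example (not code from this post or from 1Password), the Python below runs the same dictionary attack against the two schemes discussed above: a fast, unsalted SHA-256 that a precomputed lookup table cracks instantly, and a per-user random salt with PBKDF2-HMAC-SHA256 that forces the attacker to re-derive every guess for every account. The wordlist, the “leaked” hashes and the 100,000 iteration count are constructed for the demo.</p>

```python
# Added example, not code from the 1Password post: a fast unsalted hash versus a
# per-user salt plus a slow KDF, with the same dictionary attack run against both.
import hashlib
import hmac
import os
from typing import Optional

# Constructed stand-in for an attacker's wordlist of popular passwords.
WORDLIST = ["123456", "password", "qwerty", "letmein", "correct horse battery staple"]


def unsalted_sha256(password: str) -> str:
    """The weak scheme: one fast hash, no salt. Same input always gives the same output."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_lookup_table(words) -> dict:
    """hash -> password for every word, computed once and reusable against any breach.
    (A real rainbow table compresses this with hash chains; the effect is the same.)"""
    return {unsalted_sha256(w): w for w in words}


def crack_unsalted(leaked_hashes, table) -> dict:
    """Dictionary attack against unsalted hashes: a pure lookup, no hashing at attack time."""
    return {h: table[h] for h in leaked_hashes if h in table}


# Hardened scheme: random per-user salt + PBKDF2-HMAC-SHA256 with a work factor.
# 100_000 is an assumed demo value; raise it (OWASP suggests 600_000 for this KDF)
# until one derivation takes on the order of 100 ms on your servers.
ITERATIONS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None, iterations: int = ITERATIONS) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>'; the salt is stored with the hash."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and iteration count; compare in constant time."""
    algo, iters, salt_hex, hash_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), hash_hex)


def crack_salted(records, words) -> dict:
    """The same dictionary attack against salted records. No lookup table is possible:
    every candidate must be re-derived for every record at the full KDF cost, so
    the attacker's work scales with (accounts x guesses x iterations)."""
    found = {}
    for user, stored in records.items():
        for w in words:
            if verify_password(w, stored):
                found[user] = w
                break
    return found


if __name__ == "__main__":
    # Constructed 'leaked database' for the demo.
    table = build_lookup_table(WORDLIST)
    leaked = [unsalted_sha256(p) for p in ("123456", "Vq7!rMx2pL9s")]
    print("unsalted, cracked by lookup:", crack_unsalted(leaked, table))

    alice, bob = hash_password("123456"), hash_password("123456")
    print("same password, different stored hashes:", alice != bob)
    records = {"alice": alice, "bob": hash_password("Vq7!rMx2pL9s")}
    print("salted, cracked only where the password is weak:", crack_salted(records, WORDLIST))
```

<p>Note what salting does and does not buy you: <code>crack_salted</code> still recovers “123456” for alice because it is in the wordlist. What changes is that the attacker can no longer precompute anything and pays the full KDF cost for every guess against every account, which is why the post pairs hashing with strong, unique passwords rather than relying on either alone.</p>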
</p> <a href="https://1password.com/pricing/" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Try free for 14 days </a> </div> </section></description></item><item><title>Running an Airbnb: How to share passwords securely with your guests</title><link>https://blog.1password.com/airbnb-hosts-share-passwords-securely/</link><pubDate>Mon, 05 Dec 2022 00:00:00 +0000</pubDate><author>info@1password.com (Stacey Harris)</author><guid>https://blog.1password.com/airbnb-hosts-share-passwords-securely/</guid><description> <img src='https://blog.1password.com/posts/2022/airbnb-hosts-share-passwords-securely/header.png' class='webfeedsFeaturedVisual' alt='Running an Airbnb: How to share passwords securely with your guests' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">As an Airbnb host, you have <em>a lot</em> to manage. Reservations, cleaning, finances – the list goes on and on. But one of the most important parts of being a host is keeping your guests, and your property, safe and secure.</p> <p>You might think that Airbnb security starts and stops with having a robust lock for the front door. But there&rsquo;s also a digital aspect that you should be aware of. Sharing passwords securely can protect your property, and your guests, from property damage, hackers, and even uninvited people. In this post we’ll explore some ways you can digitally secure your property, and the people staying there, so everyone has a stress-free experience.</p> <h2 id="lock-down-access-to-your-property">Lock down access to your property</h2> <p>Many Airbnb hosts are happy to meet their guests in person and physically hand over the front door key or passcode. However, an increasing number of property owners are using lockboxes and other solutions that don&rsquo;t require them to be present at arrival. 
If you fall into this camp, you need to make sure that you&rsquo;re using a secure method to share access instructions with your guests.</p> <p>You could use Airbnb&rsquo;s own messaging system, or an app like Signal or WhatsApp, which support end-to-end encryption. But, if you are a 1Password member, you can create an item in your vault, and then <a href="https://blog.1password.com/psst-item-sharing/">share that item with guests</a>. That item could contain a digital passcode, a lock box combination, or the hidden location of a physical key. Your guest doesn’t even need to have a 1Password account to access the hidden secret.</p> <blockquote> <p><strong>Use vaults to share instructions and other useful but private information about the property.</strong></p> </blockquote> <p>With a 1Password Families account, you can also create vaults to share these instructions and other useful but private information about the property with your guests. You could even save your entire Airbnb home manual in a shared vault.</p> <p>1Password is ideal for hosts because you can choose how long your guests have access to a shared vault or item. So you don’t have to spend time revoking access after their stay.</p> <h2 id="secure-your-router">Secure your router</h2> <p>Locking up your digital access points is just as important as locking the front door. When you first set up the router in your Airbnb, did you plug it in, set it, and forget it? If so, now is the time to secure your router and, by extension, the Wi-Fi network in your property.</p> <p>First, change the router’s default password. Like any device, you want to make sure you’re using a strong, unique password.</p> <p>Second, consider who has physical access to your router. Ideally, you don’t want any of your guests to be able to put their hands on it. Why? Well, many routers can be factory reset, which could give your guests access to the hardware’s administrator dashboard and settings. 
Most guests won’t have any malicious plans while staying at your property. But it’s possible that someone could meddle with your router to try to intercept web traffic, adjust which devices get bandwidth priority, or even install malware to spy on future guests' activities.</p> <blockquote> <p><strong>Keep your router in a secure location.</strong></p> </blockquote> <p>Whether your guests have ill intentions or not, it’s best to keep your router in a secure location. Consider keeping it in a space that isn’t accessible to guests – a locked cabinet, for example, or a private room that you or someone you trust is always staying in.</p> <h2 id="create-a-guest-wi-fi-network">Create a guest Wi-Fi network</h2> <p>Providing Wi-Fi at an Airbnb is just as important as providing a mattress. You can save costs by running a single Wi-Fi network for you and your visitors, but much like sharing a mattress, it’s best to give guests their own separate option while they’re staying under your roof. Creating a guest-specific Wi-Fi network will help protect your personal devices – and, by extension, your private data – should the guest network become compromised.</p> <p>If your router doesn’t let you create a guest Wi-Fi network, consider buying a second router to create an additional network. Alternatively, you could pay for a separate internet plan to keep the two networks completely separate.</p> <p>Just like your router, you should use strong, unique passwords to protect the Wi-Fi networks in your Airbnb. 
Don’t use something easy to remember, like a phone number – use a <a href="https://1password.com/password-generator/">password generator</a> instead to create something truly random.</p> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div class="c-technical-aside-box__description"> <p><a href="https://blog.1password.com/secure-home-wifi-network/">Learn more ways to keep your home Wi-Fi network secure</a>.</p> </div> </aside> <h2 id="turn-on-automatic-updates-on-all-your-devices">Turn on automatic updates on all your devices</h2> <p>Every host has a lot to keep track of. Reduce your to-do list by turning on automatic updates for all the devices in your Airbnb. That includes door locks, thermostats, security cameras, smart TVs, routers, and anything else that requires updates. It will not only reduce the time you spend looking after devices, but it’ll also make your devices more secure.</p> <h2 id="improve-access-to-streaming-services">Improve access to streaming services</h2> <p>Some hosts offer a few streaming services for their guests. The problem is that some guests will prefer to use their own subscriptions, or accidentally log out of the account you’ve created for them. Helping guests log back in can be a bit of a hassle. But it doesn’t have to be.</p> <p>You could include the passwords in your house manual, or add them to a separate vault that’s just for your Airbnb guests. 
The advantage of this approach is that you can easily revoke access to the shared vault once your guest has checked out, update the passwords, and then grant access to the next set of guests staying at the property.</p> <p>No need to get cleaning staff to help log in to streaming services between guests, because the guest can do it for themselves at any time without you having to worry that they’re walking off with your passwords!</p> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div class="c-technical-aside-box__description"> <p>Everyone can relate to the struggle of entering a password that contains capital letters, numbers, and symbols. Thankfully, a memorable password can be just as strong, provided the words are chosen at random and there are enough of them. This is one that contains a series of real but unrelated words, like “series-basic-dog-innovator”; its strength comes from the number of words and the size of the word list, not from symbols. You can generate a memorable password with our <a href="https://1password.com/password-generator/">password generator</a> by changing the setting from ‘random password’ to ‘memorable password’. To learn more about memorable passwords, <a href="https://blog.1password.com/tip-memorable-password-wifi-tv-apps/">check out our blog post on the topic</a>.</p> </div> </aside> <h2 id="1password--airbnbs">1Password &amp; Airbnbs</h2> <p>A password manager is the perfect complementary tool to running a secure Airbnb. With 1Password, you can secure everything that matters with a strong password, and then share those credentials securely with every guest who comes to visit.</p> <p>It also makes it easy for you to update any passwords that you had to share with your guests after they leave. This ensures they can’t use your Wi-Fi network or streaming services long after they’ve checked out!</p> <blockquote> <p><strong>Protecting your property and guests' information doesn’t have to be complicated.</strong></p> </blockquote> <p>Remember: you can use 1Password for more than just passwords. For example, you can create, store, and share secure notes with your guests. 
Whether you choose to include your Airbnb house manual, or your top secret s’more recipe, everything can be saved in one secure, easily accessible digital space for your guests.</p> <p>Protecting your property and guests' information doesn’t have to be complicated. Follow the steps outlined above and focus on creating and sharing passwords with your guests. If you take care of everyone’s security this way, you’ll free up time to focus on what truly matters most to you.</p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Secure your Airbnb with 1Password</h3> <p class="c-call-to-action-box__text"> Use 1Password to protect your accounts and share important passwords with Airbnb guests. </p> <a href="https://1password.com/personal/" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Try free for 14 days </a> </div> </section></description></item><item><title>Sign in with Google, Apple, and other providers... and save it in 1Password</title><link>https://blog.1password.com/sign-in-with-other-providers/</link><pubDate>Thu, 01 Dec 2022 00:00:00 +0000</pubDate><author>info@1password.com (Travis Hogan)</author><guid>https://blog.1password.com/sign-in-with-other-providers/</guid><description> <img src='https://blog.1password.com/posts/2022/sign-in-with-other-providers/header.png' class='webfeedsFeaturedVisual' alt='Sign in with Google, Apple, and other providers... and save it in 1Password' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">We have more sign-in options than ever, but keeping track of them all is becoming increasingly difficult. So we’re making it easier.</p> <p>Every morning, I sit down with a mug of iced coffee – shoutout to Pilot Coffee Roasters 😉 – and open my laptop. 
I like to throw on a Spotify playlist before I get started, so my very first action is launching Spotify in my browser. (Some good punk rock always gets me going strong early.)</p> <p>Occasionally I find myself logged out of Spotify, so I need to sign in. And every single time, I fail to remember which set of credentials I used to create the account more than a decade ago.</p> <p>Did I sign up with my Google account? Or maybe it was Apple? Or Facebook? Or an email and password?</p> <p>Luckily, I can avoid the guesswork simply by using <a href="https://1password.com/downloads/browser-extension">1Password in my browser</a> to log in, because it now remembers <em>how</em> I signed in (or signed up), even if I used a Google, Apple, or other account to do so.</p> <p>No more guesswork. No more password reset loops. No more frustration.</p> <h2 id="sign-in-to-your-favorite-sites-using-google-apple-and-other-providers">Sign in to your favorite sites using Google, Apple, and other providers</h2> <div style="text-align: center !important;"> <iframe src="https://www.youtube-nocookie.com/embed/DULTEFQJcv0" frameborder="0" allow="autoplay; encrypted-media" width="500px !important;" height="281px !important;" style="width: 500px !important; height: 281px !important; display: inline-block !important" allowfullscreen></iframe> </div> <p>When you sign in to or sign up for an account with your Google, Facebook, Microsoft, Apple, Twitter, Okta, or GitHub credentials, 1Password will ask if you’d like to save the login to one of your vaults. The next time you visit that site, 1Password will offer to sign you in using the proper credentials. 
One click, and you’re in.</p> <p>Even if you juggle six different Gmail accounts, 1Password will remember which one you used to sign in and automatically select the correct account.</p> <div style="text-align: center !important;"> <iframe src="https://www.youtube-nocookie.com/embed/lVZgceNxXko" frameborder="0" allow="autoplay; encrypted-media" width="500px !important;" height="281px !important;" style="width: 500px !important; height: 281px !important; display: inline-block !important" allowfullscreen></iframe> </div> <p>It works in 1Password for <a href="https://1password.com/resources/guides/1password-for-google-chrome/">Chrome</a>, <a href="https://1password.com/resources/guides/1password-for-firefox/">Firefox</a>, Edge, and Brave. You can even view and edit those logins directly with 1Password 8 for iOS and Android.</p> <h2 id="the-future-starts-now">The future starts now</h2> <p>Signing in with providers like Google and Facebook is part of our larger mission at 1Password. More and more authentication options are popping up all over the web – and we&rsquo;re all for having more options. <a href="https://www.future.1password.com/passkeys/?utm_medium=direct&amp;utm_source=1password&amp;utm_campaign=sign-in-with&amp;utm_content=&amp;utm_term=&amp;utm_ref=blog">We&rsquo;re as excited about that future as anyone</a>.</p> <p>But all anyone really wants is to get where they&rsquo;re going securely.</p> <p>We&rsquo;re working on that with Universal Sign-On. Here&rsquo;s the vision: Regardless of the underlying authentication method, 1Password will remember which method and which set of credentials you use, and log you in.</p> <p>Simple as that.</p> <p>So in the future, you won&rsquo;t have to think about <em>how</em> you sign in. We&rsquo;re bringing the same ease of use to other authentication methods that we&rsquo;ve brought to good old usernames and passwords. 
And if you already use a provider like Google or Apple to sign in to some of your favorite sites, you can get a taste of that future right now.</p> <p><a href="https://1password.com/downloads/browser-extension">Download 1Password for your browser</a> to get started.</p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Download 1Password for your browser</h3> <p class="c-call-to-action-box__text"> Install 1Password in your browser to start signing in to your favorite sites using Google, Apple, and more. </p> <a href="https://1password.com/downloads/browser-extension" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Download 1Password </a> </div> </section></description></item><item><title>We can do better: The tech industry and its response to data breaches</title><link>https://blog.1password.com/tech-industry-response-data-breaches/</link><pubDate>Wed, 23 Nov 2022 00:00:00 +0000</pubDate><author>info@1password.com (Megan Barker)</author><guid>https://blog.1password.com/tech-industry-response-data-breaches/</guid><description> <img src='https://blog.1password.com/img/headers/security-header.svg' class='webfeedsFeaturedVisual' alt='We can do better: The tech industry and its response to data breaches' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">My colleague, 1Password Senior Security Specialist (and all round stand-up guy) Chris Butler, and I recently chatted about a trend that’s emerged over the past few years: attempts to capitalize on cybersecurity incidents through self-promotion.</p> <p>Chris drew an interesting comparison: “Data breaches are similar to car accidents in some ways. 
And members of the security industry are like the first responders.”</p> <p>Just like highway traffic slows after a collision so drivers can sneak a peek at the damage, all eyes (and minds) are on cybersecurity after a breach. That period of heightened interest and awareness is the ideal time to share information, insight, and instruction.</p> <p>Rather than take to social media and other platforms to essentially shame the affected business and fearmonger others, we should shout about how similar attacks can be prevented.</p> <p>And our industry needs to lead the charge.</p> <h2 id="say-it-loud">Say it loud</h2> <p>Imagine someone could perform a basic Google search and locate a tool that scans your network and identifies IP addresses that lead to unprotected routers. For IT admins and security professionals, it’s the stuff of nightmares.</p> <p>That’s exactly what happened in August 2021 when a hacker targeted the network of the second-largest mobile provider in the United States. He ultimately <a href="https://www.t-mobile.com/news/network/additional-information-regarding-2021-cyberattack-investigation">gained access</a> to the names, driver’s license numbers, Social Security numbers, and unique device identifiers of more than 50 million current and former T-Mobile customers.</p> <p>To prevent a compromise like this, we’d advise companies to:</p> <ul> <li>Define a hardening standard for endpoints, network devices, and services, and don&rsquo;t put anything into production until it has been through that hardening process.</li> <li>Recognize the importance of data governance and retention policies. 
Keeping information forever may seem appealing, but every extra record you hold increases what might be disclosed in a breach.</li> </ul> <blockquote> <p><strong>Rule of thumb: If information isn&rsquo;t required, get rid of it.</strong></p> </blockquote> <p>Ride-share pioneer Uber <a href="https://www.uber.com/newsroom/security-update/">announced</a> a number of its internal systems had been compromised about 13 months later. The cyberattack was engineered by an 18-year-old who used a combination of credential theft and something called <a href="https://portswigger.net/daily-swig/mfa-fatigue-attacks-users-tricked-into-allowing-device-access-due-to-overload-of-push-notifications">multi-factor authentication fatigue</a> to gain access to a contractor’s Slack account. That access was used to obtain elevated permissions to other services.</p> <p>After an incident of this kind, we’d recommend you:</p> <ul> <li>Replace push-approval prompts with time-based one-time passwords (TOTP) or FIDO universal second factor (U2F) methods. TOTP removes the prompt-bombing vector, but a code can still be phished in real time; FIDO U2F binds the response to the site’s origin and so resists phishing outright. FIDO U2F keys may not be the easiest option but Cloudflare provides a <a href="https://www.cloudflare.com/static/bc680b9d4d355d9ab543ee3ba0f9236e/Case_Study_How_Cloudflare_stopped_a_targeted_phishing_attack.pdf">recent example</a> of their efficacy.</li> </ul> <blockquote> <p><strong>Audit and improve internal processes and controls with the tools you already have — it can make all the difference.</strong></p> </blockquote> <p>Nine days after the Uber incident, cybersecurity <a href="https://www.bleepingcomputer.com/news/security/microsoft-data-breach-exposes-customers-contact-info-emails/">researchers discovered</a> Microsoft had inadvertently exposed the names and contact information of various business customers and prospects, along with transactional email content and documents. 
The researchers detected the data leak with a proprietary technology that monitors public buckets (cloud storage) for confidential information; they traced the data back to a misconfigured internet-accessible server maintained by the largest computer software vendor in the world.</p> <p>To prevent a similar event:</p> <ul> <li>Use an infrastructure-as-code system, like Terraform or Ansible, so that the storage bucket and its access settings are declared in code that is versioned and reviewable, rather than clicked together in a console and forgotten.</li> <li>After code is written, it should be thoroughly reviewed – by a person and by automated policy checks – to make sure the bucket is properly configured and cannot be read anonymously.</li> </ul> <blockquote> <p><strong>Think like an attacker: Scan your infrastructure for vulnerabilities.</strong></p> </blockquote> <p>I’ve focused on a few recent high-profile incidents but there were breaches before, between, and after the ones named here — and there will be more in the (probably near) future.</p> <p>As Chris said about the security industry as first responders: &ldquo;[We need to] assess the breach report, praise transparency, speak honestly about the implications, and put out a message of practical advice for improvement.</p> <p>“These steps might sell fewer products, but they force us to focus on those impacted, and how our industry can continue to build tools that protect people, companies, and their respective data.&rdquo;</p> <p>I should take a moment to clarify my position: Cybersecurity is a business and, yes, businesses need to make money to survive — that money is the reason you and I can support ourselves. After a public incident, nearly every tech organization will (and should) have something to say to generate interest in its own brand. It’s what we, as members of the tech industry, choose to post and publish that speaks volumes.</p> <h2 id="chasing-rainbows">Chasing rainbows</h2> <p>The English language has more than its fair share of idioms. Piece of cake, cold turkey, when pigs fly, Netflix and… you get the idea. 
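<p>Returning to the bucket-configuration review recommended above: as an added example (not code from this post or from any cloud vendor), the Python below performs that review automatically against an S3 bucket policy document and the bucket’s Block Public Access settings, flagging statements that grant read access to an anonymous principal. The bucket name, account ID and role ARN in the sample policies are constructed; the leaky policy is the “before” a reviewer should reject, and the fixed one the “after”.</p>

```python
# Added example, not code from the post or from any cloud vendor: a policy-as-code
# style review of an S3 bucket policy plus its Block Public Access settings, the
# kind of automated check the bullets above call for. Bucket name, account ID and
# role ARN below are constructed for the demo.
import json

READ_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:*", "*"}


def _as_list(value):
    """IAM policy JSON allows a single value or a list in most fields."""
    return value if isinstance(value, list) else [value]


def principal_is_public(principal) -> bool:
    """'*' or {'AWS': '*'} grants to everyone, including unauthenticated callers."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for v in principal.values() for p in _as_list(v))
    return False


def public_read_statements(policy: dict):
    """Return (public, needs_review): Sids of Allow statements that let an anonymous
    principal read data, split by whether a Condition narrows them. A conditional
    statement (e.g. limited to a VPC endpoint) may be fine, but a human decides."""
    public, needs_review = [], []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not principal_is_public(stmt.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if not actions & READ_ACTIONS:
            continue
        (needs_review if stmt.get("Condition") else public).append(stmt.get("Sid", "<no Sid>"))
    return public, needs_review


def bucket_exposure(policy: dict, public_access_block: dict) -> str:
    """Combine the policy with the account/bucket guard rails. With
    RestrictPublicBuckets on, AWS ignores public policy statements, so the finding
    becomes a warning: the policy is still wrong, but the guard rail is doing the work."""
    public, needs_review = public_read_statements(policy)
    if public:
        if public_access_block.get("RestrictPublicBuckets", False):
            return "public-policy-blocked-by-guardrail"
        return "PUBLIC"
    if needs_review:
        return "conditional-public-review"
    return "private"


def review_policy_json(policy_text: str, public_access_block: dict) -> str:
    """Entry point for the raw JSON you would pull from a repo or the API."""
    return bucket_exposure(json.loads(policy_text), public_access_block)


# Constructed 'before' policy: the classic misconfiguration, world-readable objects.
LEAKY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
        "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-exports/*",
    }],
}

# Constructed 'after' policy: read access only for one named role in the account.
FIXED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AppRoleRead", "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/export-reader"},
        "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-exports/*",
    }],
}

# Guard-rail settings in the shape GetPublicAccessBlock returns; all four should be true.
PAB_OFF = {"BlockPublicAcls": False, "IgnorePublicAcls": False,
           "BlockPublicPolicy": False, "RestrictPublicBuckets": False}
PAB_ON = {k: True for k in PAB_OFF}

if __name__ == "__main__":
    for name, policy in (("leaky", LEAKY_POLICY), ("fixed", FIXED_POLICY)):
        for pab_name, pab in (("PAB off", PAB_OFF), ("PAB on", PAB_ON)):
            print(f"{name} policy, {pab_name}: {bucket_exposure(policy, pab)}")
```

<p>A check like this belongs in the pull-request pipeline for the infrastructure code, so the leaky policy is rejected before it is applied, and in a periodic scan of live buckets, which is how the researchers in the story found the exposure from the outside. Bucket ACLs are a second, independent path to public access and would need the same treatment.</p>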
One particular expression came to mind as I wrote this article.</p> <p>To <em>chase rainbows</em> means to pursue unrealistic or impossible goals. A world without data breaches is our rainbow.</p> <p>But it’s not about perfection or hitting the bullseye every single time — it’s about aiming for it. We<sup id="fnref:1"><a href="#fn:1" class="footnote-ref" role="doc-noteref">1</a></sup> can strive for the ideal and fall short because we’ll land on better (and lead by example along the way).</p> <p>Let&rsquo;s be educators and teach people about emerging threats and how to guard themselves and their organizations against those threats.</p> <p>Let&rsquo;s be activists and raise awareness of incident fallout and what real (easy-to-follow, free-of-charge) actions people can take to safeguard their businesses and confidential information.</p> <p>Let’s beat the attackers and <a href="https://blog.1password.com/shift-left-developer-ownership-security/">shift security left</a>; secure endpoints, create and enforce strict data policies, and employ protection methods that aren’t susceptible to fatigue. Proactive security is <em>everything</em>.</p> <p>Let&rsquo;s shoot for the moon and fall among the stars.</p> <p>Or rainbows.</p> <section class="footnotes" role="doc-endnotes"> <hr> <ol> <li id="fn:1" role="doc-endnote"> <p>An all-inclusive term. 
1Password strives to be a great example but is an organization (proudly) run by real humans and, therefore, perfectly imperfect.&#160;<a href="#fnref:1" class="footnote-backref" role="doc-backlink">&#x21a9;&#xfe0e;</a></p> </li> </ol> </section></description></item><item><title>Rust developers can now generate consistent type schema with Typeshare</title><link>https://blog.1password.com/typeshare-for-rust/</link><pubDate>Tue, 22 Nov 2022 00:00:00 +0000</pubDate><author>info@1password.com (Jason Harris)</author><guid>https://blog.1password.com/typeshare-for-rust/</guid><description> <img src='https://blog.1password.com/posts/2022/typeshare-for-rust/header.png' class='webfeedsFeaturedVisual' alt='Rust developers can now generate consistent type schema with Typeshare' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Today, 1Password is making Typeshare publicly available as an open-source project to help Rust developers generate consistent type schema across multiple languages.</p> <p>With Typeshare, developers can now create FFI (foreign function interfaces) with confidence.</p> <div style="text-align: center !important;"> <iframe src="https://www.youtube-nocookie.com/embed/e4CgVL0hWb0" frameborder="0" allow="autoplay; encrypted-media" width="500px !important;" height="281px !important;" style="width: 500px !important; height: 281px !important; display: inline-block !important" allowfullscreen></iframe> </div> <h2 id="what-problem-does-typeshare-solve">What problem does Typeshare solve?</h2> <p>We often write code in another language and have Rust call that code. For example, 1Password is powered by a Rust framework built from the ground up to be highly performant and secure, with a separate frontend to display the UI (user interface) on various platforms.</p> <p>Decoupling the display code from our business logic gives us cross-platform consistency while also letting 1Password look great on any device. 
But the frontends are written in a different language, so we use a foreign function interface to communicate with the frontends.</p> <p>But we needed to ensure the data we gave to the frontend was understood correctly - if the data types between the languages weren’t in sync, it would result in a host of problems. Typeshare was the solution, and today it helps our backend developers rapidly develop new features and fixes without fear of breaking consistency with our display code.</p> <p>I spoke with Jane Lewis, a developer on our Product Frameworks and Tooling team, about why she’s excited for the release of Typeshare.</p> <p><strong>You have 100 words to excite Rustaceans about this. Go:</strong></p> <p><strong>Jane:</strong> Typeshare is a battle-tested, home-grown tool that enables seamless synchronization of your shared data types across languages. It integrates with the <code>serde</code> library for serialization and we&rsquo;ve worked hard for it to be both simple and flexible. Under the hood, we use the <code>syn</code> library to parse your annotated Rust types and generate type definitions for each language you need, via our handy CLI.</p> <p>We even support generic types and custom type conversions you can define. This tool has been the backbone for developing across multiple platforms, and we&rsquo;re beyond enthused to see what others build with it!</p> <p><strong>What motivated the team to release this as open source?</strong></p> <p><strong>Jane:</strong> Supporting open-source work and giving back to our community is a huge part of what we do at 1Password. 
Since we use so many open-source frameworks to make our app the best it can be, it seems only fair that we try to open-source as much of our internal work as we can, so others can use it in their projects.</p> <p>In particular, a lot of people were interested in Typeshare after we talked about it in our <a href="https://dteare.medium.com/behind-the-scenes-of-1password-for-linux-d59b19143a23">behind-the-scenes look</a> at 1Password for Linux.</p> <p><strong>What most excites you and the rest of the team about the release?</strong></p> <p><strong>Jane:</strong> We’re excited to be getting this out to the public! We actually released a very primitive prototype of Typeshare years ago, but since it changed so much between then and now, we’ve had to find an opportune time to pause active development to make time for a public release. For those who have requested this to become open source, thank you for your patience!</p> <p>Another exciting (and slightly terrifying) part of any open-sourcing effort is knowing you’re suddenly going to get a lot more eyes on your codebase. We’ll no doubt get scrutiny over bugs or unimplemented features. But it’s exciting because now, anyone can help make the tool better! If someone wants to fix a bug or expand Typeshare to cover a new language or use case, they have the power to do that. The scrutiny will also give our team better insight into our blind spots so we can better address any issues that come up.</p> <p><strong>What’s next?</strong></p> <p><strong>Jane:</strong> We’ve been working on a real-time REPL for Typeshare! This is both a cool demo and a playground for developers to mess around in. If anyone wants to try it out in its current state, it’s on our “repl” branch in the Git repository. Eventually, we want to make it a public site you can visit instead of a server you have to run locally.</p> <p>There are still a lot of improvements we want to make to Typeshare down the road. 
One current limitation of our tool is that it can’t recognize types that get generated within macros, and we’re currently figuring out how to solve that.</p> <p>Finally, we have more internal Rust crates that are in the pipeline for a public release, so stay tuned!</p> <h2 id="get-started-with-typeshare">Get started with Typeshare</h2> <p>Typeshare is on <a href="https://crates.io">crates.io</a> and can be integrated with your project as fast as you can run <code>cargo install typeshare-cli</code> and add <code>typeshare = &quot;1&quot;</code> to your dependencies. The <a href="https://github.com/1Password/typeshare">source code is available</a> for anyone to dig through.</p> <h2 id="join-us-live-for-typeshare-office-hours">Join us live for Typeshare Office Hours!</h2> <p>If you have questions or feedback for the Typeshare team, we’re here to help. <a href="https://1password.zoom.us/j/95475415890?pwd=MTVwTVkwQ3NhV1UyeHdrV21hTTcwQT09">Join Jane and me for a 30-minute Q&amp;A session via Zoom</a> on Tuesday, December 6 at 12-12:30 PM ET. We look forward to seeing you and answering any questions you may have.</p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Typeshare Q&amp;A Session</h3> <p class="c-call-to-action-box__text"> Questions or feedback for the Typeshare team? We’re here to help. Join Jane and Jason for a 30-minute Q&amp;A session via Zoom on Tuesday, December 6 at 12-12:30 PM ET. 
</p> <a href="https://1password.zoom.us/j/95475415890?pwd=MTVwTVkwQ3NhV1UyeHdrV21hTTcwQT09" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Join the Q&amp;A session </a> </div> </section></description></item><item><title>Passkeys & 1Password: The future of passwordless</title><link>https://blog.1password.com/passkeys-are-coming-to-1password/</link><pubDate>Thu, 17 Nov 2022 00:00:00 +0000</pubDate><author>info@1password.com (Steve Won)</author><guid>https://blog.1password.com/passkeys-are-coming-to-1password/</guid><description> <img src='https://blog.1password.com/posts/2022/passkeys-are-coming-to-1password/header.png' class='webfeedsFeaturedVisual' alt='Passkeys & 1Password: The future of passwordless' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">You may have seen mention of a “passwordless future” – the concept of simpler authentication and no passwords. That future is rapidly approaching, and we’re excited to <a href="https://www.future.1password.com/passkeys/">share a glimpse of it with you today</a>.</p> <p>Recently, we’ve shown you <a href="https://www.future.1password.com/">1Password’s vision of the future</a>, a future that goes beyond passwordless to provide a simple sign-in flow no matter what kind of credential you use.</p> <p>We&rsquo;ve been members of the <a href="https://blog.1password.com/1password-is-joining-the-fido-alliance/">FIDO Alliance</a> for some time now, but we were recently invited to sit on the board, where we&rsquo;ll be able to work more closely with our fellow tech leaders to build out a universal password-free sign-in experience. 
The wider introduction of <a href="https://blog.1password.com/what-are-passkeys/">passkeys</a> is an important step on this path, but what happens next is crucial.</p> <p>As a group, we have to deliver on the promise of making this future accessible to everyone, everywhere, and we see our appointment to the FIDO Alliance board as an important opportunity to strengthen our commitment to the cause. <section class="c-call-to-action-box"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Explore passkeys in 1Password</h3> <p class="c-call-to-action-box__text"> Get a glimpse of passwordless in 1Password. Sign in with a passkey – across any device. </p> <a href="https://www.future.1password.com/passkeys/" class="c-call-to-action-box__link-href" data-event-category="CTA" data-event-action="call-to-action-button"> Try the interactive demo </a> </div> </section> </p> <h2 id="experiencing-the-future-today">Experiencing the future today</h2> <p>It may take time for your favorite websites and services to implement support for passkeys, but we want you to get a glimpse now. We’ll be rolling this functionality out to every 1Password customer in early 2023, but in the meantime we’re thrilled to unveil a live, <a href="https://www.future.1password.com/passkeys/">interactive demo and walkthrough</a> of passkeys in 1Password!</p> <p>To help showcase how passkeys can transform your sign-in experience, the demo site also includes an explainer video with everything you need to know. We walk you through what passkeys are, why it’s so important passwordless technology remains open and interoperable, and exactly what using passkeys in 1Password will look like.</p> <h2 id="where-were-going-we-dont-need-passwords">Where we&rsquo;re going, we don’t need passwords</h2> <p>1Password and other industry leaders have pledged to come together through the FIDO Alliance to build the passwordless sign-in experience you deserve. 
We’re committed to building a world where passwordless authentication works across any platform and device, anywhere in the world. It’s an exciting new frontier, but passwordless only works when everyone works together.</p> <p>Together, the FIDO Alliance can give everyone what they want and deserve: security and convenience that doesn&rsquo;t come at the expense of choice.</p></description></item><item><title>What are SIM swap attacks, and how can you prevent them?</title><link>https://blog.1password.com/what-is-sim-swapping/</link><pubDate>Tue, 15 Nov 2022 00:00:00 +0000</pubDate><author>info@1password.com (1Password)</author><guid>https://blog.1password.com/what-is-sim-swapping/</guid><description> <img src='https://blog.1password.com/posts/2022/what-is-sim-swapping/header.png' class='webfeedsFeaturedVisual' alt='What are SIM swap attacks, and how can you prevent them?' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">SIM swapping, also known as SIM jacking, is a technique used by attackers to gain access to a person’s phone number and, ultimately, their two-factor authentication (2FA) codes.</p> <p>A fraudster will impersonate a target while calling their mobile service provider and ask for the target’s phone number to be ported to a new SIM card. The attacker will then check whether they can use the phone number to intercept any SMS-based 2FA codes.</p> <h2 id="how-does-sim-swapping-work">How does SIM swapping work?</h2> <p>SIM swapping <a href="https://www.pcmag.com/news/fbi-sees-huge-increase-in-sim-swapping-attacks">is a growing problem</a> that leverages <a href="https://blog.1password.com/what-is-social-engineering-hacking-101/">social engineering</a>.</p> <p>Criminals will call their target&rsquo;s mobile service provider and recount a fake but believable story for their SIM swap request. 
For example, they might say: &ldquo;I lost my phone at a music festival and need help transferring my number to a new SIM card.&rdquo;</p> <p>The mobile service provider will likely ask some security questions to verify the caller&rsquo;s identity. However, criminals are smart and will prepare for these questions by researching their target beforehand. They&rsquo;ll root through prior <a href="https://blog.1password.com/data-breach-101-stay-safe-online/">data breaches</a> and anything that&rsquo;s been shared publicly about the target online. This gives them the information required to impersonate their target and falsely verify themselves as the account owner.</p> <p>Social engineering doesn&rsquo;t <em>always</em> work – sometimes the mobile service provider will see through the lies. But it&rsquo;s effective enough that criminals have adopted it in droves.</p> <h2 id="whats-at-risk-from-sim-swapping">What’s at risk from SIM swapping?</h2> <p>The main objective of a SIM swap attack is to intercept any two-factor authentication (2FA) codes that the target receives via SMS.</p> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div class="c-technical-aside-box__description"> <p>2FA adds an extra layer of security to your online accounts. Once enabled, anyone who signs in with your username and password will also be asked to submit a special code called a <a href="https://blog.1password.com/totp-and-1password/">time-based one-time password (TOTP)</a>.</p> <p>You can often choose to retrieve your 2FA codes via SMS, automated phone call, email, a dedicated authentication app, or <a href="https://1password.com/features/two-factor-authentication/">a password manager like 1Password</a>. However, some services will only offer to send your codes via SMS or phone call. 
Many people also choose text messages or phone calls for their 2FA codes because they&rsquo;re reliable and convenient.</p> <p>If an attacker has access to your phone number, they also have access to any codes you receive via SMS or automated phone call. This negates the extra security they’re meant to provide, and puts any account tied to or protected by your phone number at risk.</p> </div> </aside> <p>The scammer will also test whether they can use the target’s phone number to reset any account passwords. For example, some email services will offer to text you a verification code if you can’t remember your password and don’t have access to any other kind of verification, like a secondary email inbox.</p> <p>Finally, a SIM swap can give the criminal access to incoming calls and texts, and potentially other kinds of sensitive information, like the target’s stored contacts.</p> <h2 id="how-do-you-know-if-youve-been-a-victim-of-sim-swapping">How do you know if you’ve been a victim of SIM swapping?</h2> <p>If you notice any of these warning signs, you might have been targeted by a SIM swap attack:</p> <ul> <li>You’re locked out of the account that you use to manage your phone plan, and discover the password has been changed.</li> <li>Your phone unexpectedly loses service, or you suddenly find that you can’t receive calls or text messages, even with good reception.</li> <li>You’re alerted to suspicious login activity on one of your online accounts.</li> </ul> <p>If any of these happen to you, contact your mobile service provider as soon as possible and ask them to shut off access to the SIM card that’s currently using your number.</p> <h2 id="how-to-prevent-sim-swapping-two-factor-authentication">How to prevent SIM swapping: two-factor authentication</h2> <p>As we’ve already established, two-factor authentication (2FA) is a great way to strengthen the security of your online accounts. 
<strong>But it’s only worthwhile if the way you retrieve your 2FA codes isn’t compromised.</strong></p> <p>If you want to protect yourself against SIM swap attacks, use a standalone authentication app, or a password manager like 1Password, which can be used <a href="https://support.1password.com/one-time-passwords/">as an authenticator for sites that support 2FA</a>. After you’ve set it up, 1Password will autofill your one-time codes whenever you need them, just like your passwords and other digital secrets. <a href="https://watchtower.1password.com/">Watchtower</a> will also let you know when 2FA is available, so you can turn it on and increase the protection around your accounts.</p> <p>These kinds of authenticators are safer than SMS because your codes are tied to a specific device – or in the case of 1Password, a series of trusted devices – rather than your phone number. That means a criminal would need physical access to one of these devices to intercept your codes and access your online accounts.</p> <h2 id="other-tips-to-prevent-sim-swapping">Other tips to prevent SIM swapping</h2> <p>Unfortunately, there’s no way to guarantee that your mobile service provider won’t fall victim to social engineering. But you can make it harder for criminals to gain control of your SIM. Here are some extra steps you can take to prevent SIM swapping, and minimize the damage of a successful SIM swap:</p> <ul> <li> <p><strong>Use strong and unique passwords for all of your online accounts.</strong> A strong password isn’t predictable, like “12345”. It should be long and complex enough that it can’t be easily cracked with a <a href="https://blog.1password.com/what-is-a-brute-force-attack-and-whats-the-best-defense/">brute-force attack</a>. If an attacker can easily crack your simple password, they are halfway to breaking into your account. 
All they need is the 2FA code, and they’re in.</p> </li> <li> <p><strong>Set up additional security measures with your mobile service provider.</strong> Ask your carrier if they can set up a ‘port freeze’ for your phone number. Some service providers will also let you add an extra PIN, password, or passcode – or another form of authentication – that’s required in order to transfer your phone number to a new SIM card.</p> </li> <li> <p><strong>Limit what personal information you share online.</strong> Hackers need some of your personal information to win over the person working for your mobile service provider. You can make the hacker’s life more difficult by restricting what you share publicly, and not revealing personal details like your address, date of birth, and phone number on social media.</p> </li> <li> <p><strong>Use random answers for security questions.</strong> Criminals will often research their target to see if they’ve posted anything that inadvertently reveals the answers to their security questions. Choose random answers for your own security questions, <a href="https://blog.1password.com/orange-facile-glossary-and-other-questions-answered/">and store them in a safe place like 1Password</a>. Criminals then won’t be able to answer your mobile service provider’s security questions with information they’ve gleaned online.</p> </li> </ul> <h2 id="protect-yourself-with-strong-password-security-practices">Protect yourself with strong password security practices</h2> <p>It can be overwhelming to hear and read about the rise of SIM swap attacks. And it’s natural to feel powerless to stop them. After all, it’s your mobile service provider – not you – that would be talking to the hacker and ultimately deciding whether to port your number to a different SIM card.</p> <p>But that doesn’t mean you can’t take steps to combat SIM swap attacks. 
If you use strong passwords and choose a secure way to receive your 2FA codes, you can protect everything that’s important in your digital life.</p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Secure your digital life with 1Password</h3> <p class="c-call-to-action-box__text"> Keep all of your accounts secure with 1Password, the world’s most-trusted password manager. Get started today with a free 14-day trial. </p> <a href="https://1password.com/business-pricing/?utm_ref=blog" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Try free for 14 days </a> </div> </section></description></item><item><title>Deploy and manage 1Password 8 with MDM and MSI/PKG installers</title><link>https://blog.1password.com/mdm-msi-pkg-installers/</link><pubDate>Thu, 10 Nov 2022 00:00:00 +0000</pubDate><author>info@1password.com (Avi Singh)</author><guid>https://blog.1password.com/mdm-msi-pkg-installers/</guid><description> <img src='https://blog.1password.com/posts/2022/mdm-msi-pkg-installers/header.png' class='webfeedsFeaturedVisual' alt='Deploy and manage 1Password 8 with MDM and MSI/PKG installers' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Administrators, this one&rsquo;s for you. 1Password 8 for Mac now includes a set of mobile device management (MDM) options. We&rsquo;re also releasing PKG and MSI installers for Mac and Windows respectively, which we know have been highly requested by our business customers. These new tools make it simple to deploy and manage 1Password across your entire organization.</p> <p>But wait, there’s more! 
We&rsquo;ve also added support for ARM-based Linux devices such as the Raspberry Pi, alongside many other quality-of-life improvements.</p> <h2 id="deploy-1password-8-with-msi-and-pkg-installers">Deploy 1Password 8 with MSI and PKG installers</h2> <p>First, let’s talk about deployment.</p> <p>You can now roll out 1Password 8 to any team member with a Mac using the 1Password PKG installer. Do some or all of your team members use Windows PCs? No problem. You can quickly install 1Password 8 for Windows on a per-user basis with the 1Password .exe installer, or on a per-machine basis using 1Password MSI.</p> <p>These tools streamline the process of rolling out 1Password to new hires and existing team members alike, giving you more time to focus on other tasks.</p> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div class="c-technical-aside-box__description"> <p>Ready to get started? Learn more about <a href="https://support.1password.com/deploy-1password/">deploying 1Password on Mac and Windows computers</a> in your organization.</p> </div> </aside> <h2 id="manage-1password-8-for-mac-across-your-team-with-mdm">Manage 1Password 8 for Mac across your team with MDM</h2> <p>If your team uses Macs, you can <a href="https://support.1password.com/mobile-device-management/">use MDM to enforce rules and settings</a> in 1Password 8 that are important to keep your business as secure as possible.</p> <p>For example, you can decide whether:</p> <ul> <li>Team members can unlock 1Password with their biometrics.</li> <li>Saved passwords are concealed with &ldquo;•••&rdquo; inside 1Password.</li> <li>1Password should automatically lock when the screen saver is activated.</li> </ul> <p>These are just a few of the options at your disposal – <a href="https://support.1password.com/mobile-device-management/">be sure to explore them all</a>!</p> <p>MDM gives you an efficient way to control how 1Password works and, by extension, protect everything that&rsquo;s 
important to your business.</p> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div class="c-technical-aside-box__description"> <p>Ready to get started? Learn more about <a href="https://support.1password.com/mobile-device-management/">using MDM to manage how your team uses 1Password</a> at work.</p> </div> </aside> <h2 id="updates-you-might-have-missed">Updates you might have missed</h2> <p>Releasing 1Password 8 for <a href="https://blog.1password.com/1password-8-for-mac/">Mac</a>, <a href="https://blog.1password.com/1password-8-for-windows-is-here/">Windows</a>, and <a href="https://blog.1password.com/welcoming-linux-to-the-1password-family/">Linux</a> was just the beginning. Since then, we’ve been listening to you and improving 1Password based on your feedback. Here are just a few of the ways we&rsquo;ve recently made our desktop apps even more useful and convenient:</p> <ul> <li> <p><strong>Quick and easy import.</strong> Are you switching from another password manager? Or have you previously exported all of your data from 1Password? Use the import tool to quickly bring all of your passwords, credit cards, and other digital secrets into 1Password 8.</p> </li> <li> <p><strong>ARM support for Linux.</strong> We love the Raspberry Pi and the impact it’s had on computer science. Now, you can run 1Password natively on a Raspberry Pi or any other ARM64-powered device. It even works from within a Linux virtual machine, or a Mac running Apple Silicon.</p> </li> <li> <p><strong>Sort items by frequently and recently used.</strong> If you open 1Password and select the Sort Items icon at the top of your item list, you&rsquo;ll see the option to sort by frequently used and recently used. 
This comes in handy when you&rsquo;re looking at all of your items, the archive, or a specific vault, category, or tag.</p> </li> </ul> <h2 id="level-up-your-security">Level up your security</h2> <p>1Password protects everything that&rsquo;s important to you and your team. If you&rsquo;re an administrator, explore these support pages to learn more about how to streamline your organization’s deployment and management of 1Password 8:</p> <ul> <li><a href="https://support.1password.com/deploy-1password/">Deploy 1Password for Mac and Windows</a></li> <li><a href="https://support.1password.com/mobile-device-management/">About mobile device management</a></li> </ul> <p>You can also follow our <a href="https://releases.1password.com/">releases page</a> for a full rundown of every update to 1Password for Mac, Windows, Linux, iOS and Android, as well as 1Password in the browser.</p> <section class="c-call-to-action-box c-call-to-action-box--purple"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Deploy 1Password 8 with MSI and PKG installers</h3> <p class="c-call-to-action-box__text"> Learn more about deploying 1Password on Mac and Windows computers in your organization. 
</p> <a href="https://support.1password.com/deploy-1password/" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--purple" data-event-category="CTA" data-event-action="call-to-action-button"> Learn how to use MSI and PKG installers </a> </div> </section></description></item><item><title>What many recent data breaches have in common</title><link>https://blog.1password.com/what-data-breaches-have-in-common/</link><pubDate>Wed, 09 Nov 2022 00:00:00 +0000</pubDate><author>info@1password.com (Nick Summers)</author><guid>https://blog.1password.com/what-data-breaches-have-in-common/</guid><description> <img src='https://blog.1password.com/posts/2022/what-data-breaches-have-in-common/header.png' class='webfeedsFeaturedVisual' alt='What many recent data breaches have in common' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">When a data breach appears in the news (<a href="https://news.google.com/search?q=data%20breach&amp;hl=en-US&amp;gl=US&amp;ceid=US%3Aen">which has happened <em>a lot</em> recently</a>), many of us picture a hacker in a black hoodie, trawling through reams of code on a custom-built PC. We often imagine them finding a single mistake – a zero that should be a one, or vice versa – that lets them slip through a company&rsquo;s defenses.</p> <p>After all, that&rsquo;s how hacking <a href="https://youtu.be/SZQz9tkEHIg">is usually portrayed in movies and TV shows</a>.</p> <p>But re-read the latest news reports and you&rsquo;ll notice that most data breaches can be traced back to a single cause: <a href="https://blog.1password.com/what-is-social-engineering-hacking-101/">social engineering</a>. 
Increasingly, hackers are exploiting human psychology, rather than technical vulnerabilities, to access company accounts, tools, and databases.</p> <p>The success of these attacks hinges on how persuasive the hacker can be – or how well they can imitate someone trustworthy – rather than their knowledge of a particular programming language.</p> <p>It&rsquo;s a timely reminder that cybersecurity is always changing, and the best way to protect a company is by focusing on the people who work there, not just the tools and policies that are in place.</p> <h2 id="social-engineering-tactics-different-but-the-same">Social engineering tactics: different but the same</h2> <p>Social engineering is an umbrella term for any type of attack where a criminal tries to manipulate you into sharing sensitive data, or doing something that helps them gain access to confidential information. Hackers use a variety of techniques to pull off these attacks. Here are just a few that you might have heard of:</p> <h3 id="phishing">Phishing</h3> <p><a href="https://blog.1password.com/what-is-phishing-and-how-can-you-protect-your-business/">Phishing</a> occurs when a hacker tries to trick you with a fake but convincing email. The phony ‘sender’ will often urge you to click on a link which sends you to a scam website. Or they&rsquo;ll ask you to share something confidential with them, like the credentials for one of your accounts.</p> <p>These kinds of attacks aren’t limited to email. Many criminals will also try to dupe you with deceptive phone calls (<a href="https://us.norton.com/blog/online-scams/vishing">vishing</a>), text messages (<a href="https://blog.1password.com/sms-phishing-tale/">smishing</a>), and direct messages on social media.</p> <h3 id="sim-swapping">SIM swapping</h3> <p>Criminals often research a target before calling their cell phone provider and pretending to be the target. They’ll make up a believable story (e.g. 
&ldquo;I lost my phone&rdquo;) that explains why they need their number ported to another SIM card. If necessary, the hacker will reassure the customer support rep by sharing facts they know about the target.</p> <p>Why is this a problem? Many people receive <a href="https://1password.com/features/two-factor-authentication/">two-factor authentication</a> (2FA) codes via SMS. The criminal will check if they can use the SIM in their possession – which is linked to the target&rsquo;s phone number – to intercept these codes and log in to any online accounts.</p> <h3 id="bombardment">Bombardment</h3> <p>In some cases, the criminal will simply frustrate their target <a href="https://grahamcluley.com/ubers-hacker-irritated-his-way-into-its-network-stole-internal-documents/">by bombarding them with 2FA notifications</a>. They&rsquo;ll then reach out to their target and claim to be a member of their employer&rsquo;s IT department, or a representative from the service the account is tied to. The criminal will come up with a story (e.g. &ldquo;sorry, it&rsquo;s a bug&rdquo;) and tell the target that the notifications will stop if they accept one of them.</p> <p>These are just a few of the tactics that fall under social engineering. While they all differ slightly, the basic approach is the same – the hacker is focusing on <em>people</em>, who are by definition human, and prone to making mistakes every so often.</p> <h2 id="why-social-engineering-is-more-popular-than-ever">Why social engineering is more popular than ever</h2> <p>Social engineering continues to be effective for a handful of reasons:</p> <ol> <li> <p><strong>It’s a low effort, high reward strategy for criminals.</strong> Hackers don&rsquo;t have to leave their homes or inspect code to perform a social engineering attack. 
They can simply write a phishing email, send it to thousands or even millions of people, and then wait to see if anyone falls for it.</p> </li> <li> <p><strong><a href="https://blog.1password.com/state-of-access-report-burnout-breach/">Many workers are burned out</a>.</strong> If you&rsquo;re tired, stressed, or a combination of the two, there&rsquo;s a higher chance that you&rsquo;ll slip up and fall for a criminal&rsquo;s social engineering attack.</p> </li> <li> <p><strong>Social media makes it easier for criminals to research their target.</strong> Most people share snippets of their lives on social media. Criminals will collect these digital breadcrumbs and use them to impersonate their target.</p> </li> <li> <p><strong>Criminals are getting better at impersonation.</strong> There are <a href="https://quickbooks.intuit.com/r/innovation/phishing-attacks-are-on-the-rise-heres-how-to-avoid-them/">many telltale signs that an email or text message isn&rsquo;t legitimate</a>. However, some criminals are being more careful and stamping out these common mistakes, which makes it harder for people to spot when they&rsquo;re being targeted.</p> </li> <li> <p><strong>It can be difficult for businesses to tackle.</strong> Many companies aren&rsquo;t large enough to have a dedicated IT or security department. Others don&rsquo;t have the time or resources to offer security training. This makes it difficult to support people with the guidance, tools, and support they need.</p> </li> </ol> <h2 id="the-solution-human-centric-security">The solution: human-centric security</h2> <p>There&rsquo;s no easy fix for social engineering. But there&rsquo;s an approach that you and your team can adopt to reduce the effectiveness of these tactics:</p> <p><strong>Focus on your people.</strong></p> <p>The latest breaches show that it&rsquo;s human beings – not necessarily technology – that are on the front lines of the security battle. 
You can adapt with an approach to security that focuses on people and the tools, knowledge, and support they require. This way of thinking is called <a href="https://blog.1password.com/future-of-1password/">human-centric security</a>.</p> <h2 id="what-businesses-can-do-to-protect-their-team-members-and-customer-data">What businesses can do to protect their team members and customer data</h2> <p>What does that mean in practice? Every company is different, but here are some steps and initiatives to consider:</p> <ul> <li> <p><strong>Start at the top.</strong> Ensure your leadership team understands the risks of social engineering, and have bought into the idea of <a href="https://1password.com/resources/creating-a-culture-of-security/">creating a strong security culture</a> within your organization.</p> </li> <li> <p><strong>Give team members the tools to succeed.</strong> A <a href="https://blog.1password.com/password-manager/">password manager</a> like <a href="https://1password.com/pricing/">1Password</a> will empower everyone to create, store, and use strong passwords with little assistance from your IT department.</p> </li> <li> <p><strong>Make training and education part of your culture.</strong> An annual training seminar isn&rsquo;t enough. Use employee onboarding and regular workshops to reinforce good habits and break down the latest threats, including social engineering techniques.</p> </li> <li> <p><strong>Encourage team members to speak up.</strong> Vulnerabilities may go unnoticed if team members aren&rsquo;t comfortable asking questions or reporting suspicious activity. Don&rsquo;t criticize anyone&rsquo;s mistakes, and celebrate your company&rsquo;s security wins, no matter how small they seem.</p> </li> <li> <p><strong>Be patient.</strong> Creating a culture of security takes time. 
Staying committed will increase the likelihood of your new culture taking root and spreading naturally across your organization.</p> </li> </ul> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div class="c-technical-aside-box__description"> <p>Want some more tips? Read our guide that explains <a href="https://1password.com/resources/how-to-avoid-a-data-breach/">how to avoid a data breach</a>!</p> </div> </aside> <h2 id="5-tips-to-protect-yourself-against-social-engineering-attacks">5 tips to protect yourself against social engineering attacks</h2> <p>Here are some extra tips to bolster your <em>own</em> security while you&rsquo;re online:</p> <ul> <li> <p><strong>Know the signs.</strong> Be on the lookout for typos, strange links, and any language asking you to take urgent action.</p> </li> <li> <p><strong>If in doubt, stop and assess.</strong> If something feels off, don&rsquo;t make a rushed decision. Take a deep breath and contact the supposed sender in some other way to verify what you&rsquo;ve just been told.</p> </li> <li> <p><strong>Use strong, unique passwords.</strong> This will make it harder for criminals to break into your accounts. The simplest way to create, store, and use strong passwords is with a password manager like 1Password, which works on all of your devices.</p> </li> </ul> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div class="c-technical-aside-box__description"> <p>A password manager offers additional protections against social engineering attacks. For example, most password managers will save the relevant URL alongside your username and password – that way, they know when to offer to autofill your credentials. If a criminal tried to trick you with a fake site, you would immediately notice that your password manager wasn’t offering to autofill your password. 
You would then look at the URL and realize you were on a scam site.</p> </div> </aside> <ul> <li> <p><strong>Turn on 2FA when it&rsquo;s available.</strong> 2FA adds a second layer of security to your online accounts. If a criminal does discover one of your passwords, this will keep them out of the associated accounts. Just don’t use SMS for 2FA codes if you can, as this could leave you open to a SIM swap attack. Instead, use an authenticator app, or a password manager like 1Password.</p> </li> <li> <p><strong>Check alerts about unusual sign-in attempts.</strong> Many services will send you an email or push notification if they detect a suspicious sign-in attempt. Most of these alerts will be a false alarm, but you should still pay attention to them, because they could highlight a genuine hack attempt.</p> </li> </ul> <h2 id="what-the-future-holds">What the future holds</h2> <p>Social engineering won&rsquo;t disappear overnight. In fact, there&rsquo;s a good chance it will never disappear <em>entirely</em>.</p> <p>But that doesn&rsquo;t mean it isn&rsquo;t possible to beat the hackers. Stay alert, refine your security habits, and encourage your company to adopt a human-centric security model.</p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Secure your team with 1Password Business</h3> <p class="c-call-to-action-box__text"> Keep your team secure without slowing them down. Choose 1Password Business to gain complete control over passwords and other sensitive business information. 
</p> <a href="https://1password.com/business-pricing/" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Try free for 14 days </a> </div> </section></description></item><item><title>How to navigate 1Password like a pro with Quick Access</title><link>https://blog.1password.com/navigate-1password-quick-access/</link><pubDate>Tue, 08 Nov 2022 00:00:00 +0000</pubDate><author>info@1password.com (Rob Boone)</author><guid>https://blog.1password.com/navigate-1password-quick-access/</guid><description> <img src='https://blog.1password.com/posts/2022/navigate-1password-quick-access/header.png' class='webfeedsFeaturedVisual' alt='How to navigate 1Password like a pro with Quick Access' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">We like <a href="https://blog.1password.com/productivity-hacks-from-1password/">to get things done</a> at 1Password, which is why we&rsquo;re such big fans of <a href="https://1password.com/features/how-to-use-quick-access-in-1password-8/">Quick Access</a> in 1Password 8.</p> <p>Quick Access gives you &hellip; well, quick access to everything you&rsquo;ve stored in 1Password. If you&rsquo;ve ever used <a href="https://support.apple.com/guide/mac-help/search-with-spotlight-mchlp1008/mac">Spotlight</a> on a Mac, it will feel awfully familiar.</p> <p>Like Spotlight, you can summon Quick Access from anywhere on your desktop with a keyboard shortcut or mouse click. When you do, you&rsquo;ll see a simple search window in the middle of the screen. Start typing to find any item in your 1Password vaults, then take fast action on the item so you can get back to what you were doing.</p> <p>Quick Access is smart, too. 
Let&rsquo;s talk about what makes Quick Access such a capable companion, and how you can master its capabilities to make quick work of any task that requires one of your saved items.</p> <h2 id="quick-access-basics">Quick Access basics</h2> <img src='https://blog.1password.com/posts/2022/navigate-1password-quick-access/Quick_Access_personal_identity.png' alt='1Password for Mac Quick Access window displaying personal identity item details.' title='1Password for Mac Quick Access window displaying personal identity item details.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>First, the fundamentals. You can open Quick Access using the following default settings:</p> <ul> <li>On Windows or Linux: Use the Ctrl + Shift + Space keyboard shortcut, or select the 1Password icon in your system tray (right-click on Windows) and click Open Quick Access.</li> <li>On Mac: Use the Command + Shift + Space keyboard shortcut, or select the 1Password icon in your menu bar and click Open Quick Access.</li> </ul> <p>You can change these settings for even faster access. For example, you can choose to open Quick Access immediately when you click the 1Password icon in your menu bar, notification area, or system tray.</p> <p>To make that change, open 1Password. Click the open account or collection at the top of the sidebar, then navigate to Preferences &gt; General. You&rsquo;ll see an option to change what happens when you click the 1Password icon.</p> <p>You can set it to:</p> <ul> <li>Open 1Password</li> <li>Open a menu (the default behavior)</li> <li>Open Quick Access</li> </ul> <p>You can also change the keyboard shortcut that opens Quick Access. 
To do that from Preferences &gt; General, clear the existing keyboard shortcut by clicking the X next to the keyboard shortcut field, then enter your new keyboard shortcut.</p> <h2 id="navigating-quick-access">Navigating Quick Access</h2> <p>When you launch Quick Access, it goes to work in the background determining the actions you&rsquo;re most likely to take. To do that, it takes into account the site and apps you currently have open, as well as the items you use most frequently.</p> <p>If you don&rsquo;t see what you&rsquo;re looking for, just start typing. From there, you can take action on your chosen item. Use the arrow keys to navigate to the item and you&rsquo;ll see a few quick actions you can take with keyboard shortcuts.</p> <img src='https://blog.1password.com/posts/2022/navigate-1password-quick-access/Quick_Access_search.png' alt='1Password for Mac Quick Access window displaying search field with Wi-Fi item highlighted in search results. Options to copy the base station password and wireless network password are displayed at the bottom of the window.' title='1Password for Mac Quick Access window displaying search field with Wi-Fi item highlighted in search results. Options to copy the base station password and wireless network password are displayed at the bottom of the window.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>In this example, I’ve searched for &ldquo;Wi-Fi&rdquo; and surfaced my Appleseed family network information. I can now use keyboard shortcuts to copy the base station password or the network password, or I can use the right arrow key to open the item in Quick Access and see more options.</p> <p>If I do this, I can again use the arrow keys followed by the return key to:</p> <ul> <li>Copy the network name</li> <li>Open the item in a new window</li> <li>Open the item in 1Password</li> </ul> <p>The options will change depending on the item type. 
For example, if I open my driver&rsquo;s license information in Quick Access, I&rsquo;ll see options to copy the license number, the name on the license, or the expiration date.</p> <p>Regardless of the item type, you can use keyboard shortcuts to copy important fields within the item:</p> <p>(Note: The shortcuts listed below are for the Mac. If you’re on Windows or Linux, replace the Command key with the Control key, and the Option key with the Alt key.)</p> <ul> <li>Command + C copies the username or primary field.</li> <li>Shift + Command + C copies the password.</li> <li>Option + Command + C copies the one-time password for logins.</li> <li>Command + O opens the item details in a new window.</li> <li>Option + Return opens the URL of the selected login in your browser and autofills the username and password.</li> <li>Shift + Command + O opens the item in 1Password.</li> </ul> <img src='https://blog.1password.com/posts/2022/navigate-1password-quick-access/Quick_Access_WiFi_details.png' alt='1Password for Mac Quick Access window displaying Wi-Fi item details view. Visible options include copying the base station password, copying the wireless network password, copying the network name, opening the item in a new window, and opening the item in 1Password.' title='1Password for Mac Quick Access window displaying Wi-Fi item details view. Visible options include copying the base station password, copying the wireless network password, copying the network name, opening the item in a new window, and opening the item in 1Password.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>You can also press Escape, or click the X in the search field to cancel the current search and start again. 
If you use a clipboard app that holds multiple items in your clipboard, this can be an easy way to copy all the items you need to your clipboard for a specific task in one go, without ever leaving Quick Access.</p> <h2 id="use-collections-with-quick-access">Use collections with Quick Access</h2> <img src='https://blog.1password.com/posts/2022/navigate-1password-quick-access/Vault_collections.png' alt='1Password for Mac displaying Vault Collections configuration dialog.' title='1Password for Mac displaying Vault Collections configuration dialog.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>Like Quick Access, collections are new to <a href="https://1password.com/product/">1Password 8</a>. You can use them to create custom collections of your 1Password vaults. For example, you can separate work and personal items, group items for a specific task or project, or separate some items from all the rest (like all your streaming logins when it&rsquo;s time to wind down).</p> <p>Quick Access works in tandem with collections. That means it will remember your selected collections even if you restart 1Password. You can also switch between collections with keyboard shortcuts: Press Cmd/Ctrl + 1 to go to your first collection, Cmd/Ctrl + 2 to go to your second collection, and so on.</p> <h2 id="use-quick-access-to-fill-native-applications">Use Quick Access to fill native applications</h2> <img src='https://blog.1password.com/posts/2022/navigate-1password-quick-access/Quick_Access_Spotify.png' alt='1Password for Mac Quick Access with a Spotify login item highlighted, despite there being no text in the search field, indicating that Quick Access automatically found the relevant login item with no input. Spotify for Mac is open in the background.' 
title='1Password for Mac Quick Access with a Spotify login item highlighted, despite there being no text in the search field, indicating that Quick Access automatically found the relevant login item with no input. Spotify for Mac is open in the background.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>Quick Access can also save you time when you need to fill information into an app. With the app open, summon Quick Access. If an item is associated with that app, Quick Access will display that item so you can quickly copy what you need to the clipboard. It will also bring that app to the foreground (if it’s not already) so you can get to it quickly.</p> <p>On a Mac? Then you have even more options. With <a href="https://support.1password.com/mac-universal-autofill/">Universal Autofill</a>, 1Password can automatically fill information directly in the app – and in macOS system prompts. If you&rsquo;re logging into Zoom, for example, simply open Zoom on your Mac and press Cmd + \ to autofill your login credentials.</p> <p>If you have multiple logins for Zoom, Quick Access will present those options onscreen so you can select the right one. Once you select it, you&rsquo;ll see an option to either &ldquo;Fill once&rdquo; or &ldquo;Fill and update item&rdquo; if you always want to use those credentials to sign in to the app.</p> <h2 id="get-started-with-quick-access">Get started with Quick Access</h2> <img src='https://blog.1password.com/posts/2022/navigate-1password-quick-access/Quick_Access_advanced_search.png' alt='1Password for Mac Quick Access window illustrating advanced search capabilities. The search field contains a search for the email category. A 1Password email item is displayed and highlighted in the search results.' title='1Password for Mac Quick Access window illustrating advanced search capabilities. The search field contains a search for the email category. 
A 1Password email item is displayed and highlighted in the search results.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>Need even more power? Quick Access supports <a href="https://support.1password.com/search-1password/#search-filters-mac">advanced search shortcuts</a> so you can quickly filter by tag, category, vault, favorites, or untagged items.</p> <p>If search engines are your second brain, 1Password is your <em>secure</em> second brain, helping you find the information you – and only you – need access to (only with slightly better recall). With Quick Access, everything in your secure second brain is just a click or keystroke away.</p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Get started with 1Password 8</h3> <p class="c-call-to-action-box__text"> Download 1Password 8 for Mac, Windows, or Linux to get started with Quick Access, and navigate 1Password like a pro. </p> <a href="https://1password.com/downloads?utm_ref=blog" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Download 1Password 8 </a> </div> </section></description></item><item><title>What are passkeys and how do they work?</title><link>https://blog.1password.com/what-are-passkeys/</link><pubDate>Mon, 07 Nov 2022 00:00:00 +0000</pubDate><author>info@1password.com (Nick Summers)</author><guid>https://blog.1password.com/what-are-passkeys/</guid><description> <img src='https://blog.1password.com/posts/2022/what-are-passkeys/header.png' class='webfeedsFeaturedVisual' alt='What are passkeys and how do they work?' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Every single day we use passwords to sign in to our online accounts. 
But that doesn’t mean they’re a perfect solution.</p> <p>If you don’t have a <a href="https://blog.1password.com/password-manager/">password manager</a>, it’s challenging to create and remember hundreds of strong passwords. Many people give up and use the same password for everything, or a few predictable passwords, which makes it easier for cybercriminals to hijack their accounts.</p> <p>Enter passkeys. You <a href="https://www.lemonde.fr/en/economy/article/2022/09/21/no-more-passwords-passkeys-explained-in-three-questions_5997728_19.html">may have heard of them in the news</a>, and with good reason. Many companies (<a href="https://1password.com/product/passkeys">including 1Password!</a>) are excited by this technology as a simple, fast, and secure sign-in solution. Here, we’ll break down what passkeys are, how they work, and some of the benefits they offer over traditional passwords.</p> <h2 id="what-are-passkeys">What are passkeys?</h2> <p>Passkeys allow you to create and sign in to online accounts without a password.</p> <p>When you use a passkey, you don’t have to memorize or type anything out, or enter a <a href="https://1password.com/features/two-factor-authentication/">two-factor authentication (2FA)</a> code. And, if you land on a fake but convincing (phishing) website, your passkeys won’t work, stopping you from sharing any sensitive information by mistake.</p> <p>Signing in with a passkey is dead simple. As a security measure, you&rsquo;ll be asked to authenticate with biometrics (i.e. your face or fingerprint) or, as a fallback, your device&rsquo;s passcode. Successfully authenticate and that&rsquo;s it – you&rsquo;re logged in!</p> <p>By now, you’re probably thinking: “Okay, that sounds great. 
But how is this possible?” Let’s tackle that question next.</p> <div style="text-align: center !important;"> <iframe src="https://www.youtube-nocookie.com/embed/DELDP_wbuE4?si=VQ4KiFVKIJwHFGBY" frameborder="0" allow="autoplay; encrypted-media" width="500px !important;" height="281px !important;" style="width: 500px !important; height: 281px !important; display: inline-block !important" allowfullscreen></iframe> </div> <h2 id="how-passkeys-work">How passkeys work</h2> <p>Unlike traditional passwords, passkeys utilize <a href="https://blog.1password.com/what-is-public-key-cryptography/">public-key cryptography</a>. That means every passkey has two parts: a public key and a private key. Together, they keep your accounts secure by allowing websites and apps to check that you are who you say you are.</p> <p>But how?</p> <p>Public and private cryptographic key pairs are mathematically linked to one another. You can think of them like interlocking puzzle pieces – they’re designed to go together, and you need both pieces to authenticate successfully.</p> <p>As the name implies, the public key can be shared publicly. That means the website or app you want to sign in to can see and store your public key. The private key, meanwhile, is kept secret and safe. It&rsquo;s never shared with the website or app you want to sign in to, or stored on their servers.</p> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div class="c-technical-aside-box__description"> <p>Developers use an API called <a href="https://blog.1password.com/what-is-webauthn/">WebAuthn</a>, or Web Authentication, to support passwordless login methods like passkeys. 
Learn more about the standard in <a href="https://blog.1password.com/what-is-webauthn/">our blog post</a>!</p> </div> </aside> <h2 id="what-happens-when-you-create-and-use-a-passkey-to-log-in-to-your-favorite-apps-and-websites">What happens when you create and use a passkey to log in to your favorite apps and websites</h2> <p>Let’s break down how passkeys work in practice.</p> <p>Imagine you visit a website that supports passkeys. First, you follow the prompts to create an account with a passkey, rather than a traditional password.</p> <p>Behind the scenes, the website’s server will share some information about the website. You’ll then be prompted to confirm where your private key will be stored. That could be a device like your phone, tablet, or PC, or a secure password manager like 1Password.</p> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div class="c-technical-aside-box__description"> <p>Passkeys can even be stored on <a href="https://blog.1password.com/hardware-security-keys-explained/">hardware security keys</a> like the ones created by Yubico. While secure, this solution has some limitations. For example, a YubiKey can store a maximum of 25 unique passkeys. And, unlike 1Password, you also can&rsquo;t seamlessly sync your passkeys across multiple devices if you&rsquo;re storing them on a hardware security key.</p> </div> </aside> <p>A new passkey – which includes your public and private key pair – will then be generated for that specific website. The public key will be sent to the website’s server for storage, while the private key is kept secure on your device or in your password manager.</p> <p>This process happens behind the scenes, and near instantaneously.</p> <p>The next time you visit the website, you won&rsquo;t have to enter a traditional password. Instead, you&rsquo;ll be asked to authenticate using biometrics. 
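The create-and-sign-in flow just described, as an added Go example (not 1Password's or any WebAuthn library's code): the key pair is generated for one site identifier, the site stores only the public key, and each sign-in is a signature over a fresh server challenge bound to the origin, so a look-alike domain has nothing to sign with. Site and user names are constructed; the Passkey, Authenticator and RelyingParty types are assumed names.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Passkey is the credential the article describes: a key pair created for one
// site. Only PublicKey ever leaves the device; PrivateKey stays in the authenticator.
type Passkey struct {
	RPID       string // site identifier the key was created for (assumed name)
	PublicKey  ed25519.PublicKey
	PrivateKey ed25519.PrivateKey
}

// Authenticator models the user's device or password manager; passkeys are looked up by site.
type Authenticator struct{ keys map[string]*Passkey }

func NewAuthenticator() *Authenticator { return &Authenticator{keys: map[string]*Passkey{}} }

// Register is the "create an account with a passkey" step: only the public half is returned.
func (a *Authenticator) Register(rpID string) (ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	a.keys[rpID] = &Passkey{RPID: rpID, PublicKey: pub, PrivateKey: priv}
	return pub, nil
}

// Assert is the sign-in step: the authenticator signs the site's challenge bound to
// the origin. On a look-alike domain no passkey matches, so nothing is signed.
func (a *Authenticator) Assert(origin string, challenge []byte) ([]byte, error) {
	pk, ok := a.keys[origin]
	if !ok {
		return nil, errors.New("no passkey registered for " + origin)
	}
	return ed25519.Sign(pk.PrivateKey, signedData(origin, challenge)), nil
}

// signedData ties the challenge to the origin so a signature for one site is useless on another.
func signedData(origin string, challenge []byte) []byte {
	h := sha256.Sum256([]byte(origin))
	return append(h[:], challenge...)
}

// RelyingParty models the website: public keys only, plus one live challenge per user.
type RelyingParty struct {
	ID         string
	publicKeys map[string]ed25519.PublicKey // user -> stored public key
	pending    map[string][]byte            // user -> outstanding challenge
}

func NewRelyingParty(id string) *RelyingParty {
	return &RelyingParty{ID: id, publicKeys: map[string]ed25519.PublicKey{}, pending: map[string][]byte{}}
}

// StorePublicKey is all the server keeps; a breach yields nothing that can sign in.
func (rp *RelyingParty) StorePublicKey(user string, pub ed25519.PublicKey) {
	rp.publicKeys[user] = pub
}

// BeginLogin issues a random 32-byte challenge; a fixed one would allow replay.
func (rp *RelyingParty) BeginLogin(user string) ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	rp.pending[user] = c
	return c, nil
}

// FinishLogin verifies against the stored public key and consumes the challenge (single use).
func (rp *RelyingParty) FinishLogin(user string, sig []byte) bool {
	pub, ok := rp.publicKeys[user]
	c, live := rp.pending[user]
	if !ok || !live {
		return false
	}
	delete(rp.pending, user)
	return ed25519.Verify(pub, signedData(rp.ID, c), sig)
}

func main() {
	auth := NewAuthenticator()
	rp := NewRelyingParty("example.com") // constructed site name
	pub, _ := auth.Register(rp.ID)
	rp.StorePublicKey("alice", pub) // constructed user name
	ch, _ := rp.BeginLogin("alice")
	sig, _ := auth.Assert("example.com", ch)
	fmt.Println("genuine sign-in verified:", rp.FinishLogin("alice", sig))
	_, err := auth.Assert("examp1e.com", ch) // look-alike domain: no passkey, nothing signed
	fmt.Println("look-alike domain:", err)
}
```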
That could be Face ID, Touch ID, Windows Hello, your device passcode, or a similar method.</p> <p>Once you&rsquo;ve authenticated, that&rsquo;s it! The website or app will grant access to your account.</p> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div class="c-technical-aside-box__description"> <p>Read <a href="https://blog.1password.com/passkeys-faqs/">our passkeys FAQs blog post</a> to learn more about this new type of login credential. It answers some of the most common questions including where passkeys are stored and whether passkeys will replace passwords.</p> </div> </aside> <h2 id="the-benefits-of-passkeys">The benefits of passkeys</h2> <p>Here are just a few reasons why passkeys are a simple and secure login solution:</p> <ul> <li><strong>Every passkey is strong by default.</strong> You don’t have to create anything manually, or worry about whether your private key is long or random enough. When you choose to use a passkey, the public and private key pair is generated for you, securely, within seconds.</li> <li><strong>You don’t have to remember or type out your passkeys.</strong> You only need to authenticate with biometrics (or your device passcode) to sign in to your account. There&rsquo;s nothing to memorize and nothing else to type.</li> <li><strong>Your private key is never shared with the website you want to sign in to.</strong> That means you don’t have to worry about how the website is storing your credentials. 
Your private key is always kept private, and the public key is useless on its own.</li> <li><strong>Your public key can’t be used to figure out your private key.</strong> If a criminal breaches a website’s servers, the best they can hope to find is your public key, which can’t be used to sign in to your account and can’t be reverse-engineered to reveal your private key.</li> <li><strong>Passkeys are a strong defense against <a href="https://blog.1password.com/what-is-social-engineering-hacking-101/">social engineering</a> and phishing attacks.</strong> Criminals will often create fake but seemingly authentic websites to trick you into sharing your login details. WebAuthn protects you by ensuring that you never share your credentials with untrusted websites.</li> <li><strong>Passkeys offer an improved user experience.</strong> Signing in with a passkey is more convenient, faster, and smoother than when using traditional passwords. That means you spend less time logging in and more time getting on with why you visited the website in the first place.</li> </ul> <h2 id="start-using-passkeys-in-1password">Start using passkeys in 1Password</h2> <p>Here at 1Password, we’re excited about passkeys. That’s why <a href="https://blog.1password.com/1password-is-joining-the-fido-alliance/">we joined the FIDO Alliance</a>, which includes other passkey supporters like Apple, Google, and Microsoft. Together, we have the opportunity to build safe, simple, and fast login solutions for everyone.</p> <p>There are two ways you can use passkeys with 1Password:</p> <ul> <li><strong><a href="https://blog.1password.com/save-use-passkeys-web-ios/">Save and sign in with passkeys using 1Password</a>.</strong> Create and use passkeys to sign in to websites and apps like Amazon, eBay, and TikTok. 
Store your passkeys securely in 1Password, organize them with vaults and tags, and share them with co-workers, family members – anyone who needs access.</li> <li><strong><a href="https://blog.1password.com/unlock-1password-individual-passkey-beta/">Unlock 1Password with a passkey</a>.</strong> Streamline your digital life by unlocking your password manager with a passkey instead of an account password.</li> </ul> <h2 id="the-bottom-line">The bottom line</h2> <p>Passkeys are a promising step forward for passwordless authentication. They’re secure, easy to create, and let you sign in to accounts in a flash.</p> <p>If you want to learn more about passkeys, check out:</p> <ul> <li><a href="https://1password.com/product/passkeys">The passkeys section of our website</a></li> <li><a href="https://randombutmemorable.simplecast.com/episodes/the-passwordless-special">This special episode of the Random but Memorable podcast, which explores all things passwordless</a></li> <li><a href="https://passkeys.directory/">Our community-driven passkey directory</a></li> <li><a href="https://blog.1password.com/passkeys-vs-passwords-differences/">Passkeys vs. passwords: What are the differences?</a></li> </ul> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Subscribe to our passwordless newsletter</h3> <p class="c-call-to-action-box__text"> Get our latest passkey updates delivered right to your inbox, as well as guides, interviews, and other interesting articles about the next generation of sign-in technology. 
</p> <a href="https://1password.com/passwordless-news/" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Subscribe to Beyond Passwords </a> </div> </section></description></item><item><title>1Password acquires Passage to help bring passwordless authentication to everyone</title><link>https://blog.1password.com/1password-acquires-passage/</link><pubDate>Thu, 03 Nov 2022 00:00:00 +0000</pubDate><author>info@1password.com (Jeff Shiner)</author><guid>https://blog.1password.com/1password-acquires-passage/</guid><description> <img src='https://blog.1password.com/posts/2022/1password-acquires-passage/header.png' class='webfeedsFeaturedVisual' alt='1Password acquires Passage to help bring passwordless authentication to everyone' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Passage, a leader in modern authentication technology, is joining the 1Password team to help accelerate the adoption of passkeys for developers, businesses, and their customers.</p> <p>Today, I&rsquo;m thrilled to welcome the Passage team to 1Password. Together, we&rsquo;re ushering in the next chapter in our journey toward secure and simple sign-ins for everyone.</p> <p>When I look at the growing interest in passkeys, I can&rsquo;t help asking myself: what will it take to make passwordless technology flourish? How will 1Password contribute? 
After all, <a href="https://blog.1password.com/what-is-webauthn/">the underlying technology</a> isn&rsquo;t new.</p> <p>What&rsquo;s changed is an emerging consensus around how to make that technology available to any developer, business, or individual that wants to use it – on any platform or device.</p> <p>And that&rsquo;s where Passage comes in.</p> <h2 id="what-is-passage">What is Passage?</h2> <p><a href="https://passage.id/">The Passage team</a> is dedicated to making it easy for developers and businesses to implement passwordless authentication. Their API allows anyone to build a class-leading sign-in experience that prioritizes device-native biometrics like Touch ID, Face ID, or Windows Hello. No passwords in sight.</p> <p>Instead of each company having to build its own implementation of passkeys, this approach makes it possible for them to adopt a turnkey solution and offer the easiest and most secure sign-in experience to their customers in less time.</p> <p>By taking the hassle out of one of the biggest challenges facing companies interested in passkeys, 1Password is ready to play a key role in broadening the adoption of passwordless authentication industry-wide.</p> <p>We’re thrilled to welcome the Passage team to 1Password, where they’ll continue their work with the support of our growing team alongside them.</p> <h2 id="what-this-means-for-you">What this means for you</h2> <p>Passkeys are a new way of signing in to your favorite apps, websites, and services that doesn&rsquo;t rely on passwords. They&rsquo;re more secure than passwords, and they&rsquo;re also a lot easier to use. 
With today&rsquo;s acquisition, we&rsquo;re aiming to drastically shorten the adoption curve for passkeys so we can bring a seamless, secure, and interoperable passwordless experience to you sooner.</p> <p>When <a href="https://blog.1password.com/1password-is-joining-the-fido-alliance/">1Password joined the FIDO Alliance</a> earlier this year, it was just the beginning of our passwordless journey. But for us, passwordless is really an extension of our overall mission to make security simpler and more convenient for everyone. We&rsquo;ve been helping individuals and businesses navigate the ever-changing world of authentication for nearly two decades now.</p> <p>New technologies are always emerging to improve upon the solutions we rely on, but making them available to everyone takes time. By easing the adoption of passkeys, we see a significant opportunity to deliver on our promise of making the secure thing to do the easy thing.</p> <p>Over the coming months, we&rsquo;ll be rolling out a comprehensive, end-to-end solution for passwordless authentication, beginning with full support for creating, saving, and using device-agnostic passkeys in 1Password during the first half of 2023.</p> <p>I can&rsquo;t wait to share more details – including information about how you can participate in our beta program to help test the functionality. 
Keep an eye out for updates right here on the blog, or consider <a href="https://1password.com/newsletter/">signing up to our newsletter</a> so you don&rsquo;t miss a thing.</p></description></item><item><title>What is a dictionary attack, and how do you protect yourself from it?</title><link>https://blog.1password.com/what-is-dictionary-attack/</link><pubDate>Fri, 28 Oct 2022 00:00:00 +0000</pubDate><author>info@1password.com (1Password)</author><guid>https://blog.1password.com/what-is-dictionary-attack/</guid><description> <img src='https://blog.1password.com/posts/2022/what-is-dictionary-attack/header.png' class='webfeedsFeaturedVisual' alt='What is a dictionary attack, and how do you protect yourself from it?' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Have you ever heard the cybersecurity term “dictionary attack”, and wondered what it means? You’re not alone. Here, we’ll break down what a dictionary attack is, and explain what steps you should take to protect yourself from this threat.</p> <h2 id="what-is-a-dictionary-attack">What is a dictionary attack?</h2> <p>A dictionary attack is a type of <a href="https://blog.1password.com/what-is-a-brute-force-attack-and-whats-the-best-defense/">brute-force</a> hacking method that relies on specific lists (i.e. “dictionaries”) of words or phrases the attacker thinks will have the highest chance of success. Unlike a typical brute-force attack, which tries every possible password combination (e.g. 
&ldquo;AAA&rdquo;, &ldquo;AAB&rdquo;, &ldquo;AAC&rdquo;, and so forth), a dictionary attack is much more focused and efficient.</p> <p>The list could include words from a dictionary, passwords that have leaked in the past, or common regional references or phrases, like a Florida resident using “Dolphinsfan305”. They then use automated programs to try combinations of possible usernames and passwords until they’re able to break into the account.</p> <p>While hackers <em>can</em> use dictionary attacks directly in the login field of an account, many apps and websites protect against this method. If a user enters an incorrect password too many times in a row, some accounts will automatically lock. To get around this, attackers will often use a dictionary attack on a database of <a href="https://blog.1password.com/hashing-fast-and-slow-gpus-and-1password/">hashed passwords</a> they’ve obtained through a data leak.</p> <h2 id="dictionary-attacks-on-hashed-passwords">Dictionary attacks on hashed passwords</h2> <p>When you register with a website or app, your password is often put through a one-way algorithm that scrambles it into a random series of characters. 
This process is known as hashing and is widely used to secure sensitive data while avoiding storing plaintext passwords.</p> <p>Hashing is considered preferable to encryption when storing passwords for a couple of reasons. First, in the event of a data leak, attackers won&rsquo;t gain access to the plaintext passwords. And second, there’s no need for the website to ever know the user&rsquo;s plaintext password, which keeps it more secure.</p> <p>But there are ways to crack a hashed password. Here are a couple of techniques that an attacker could apply to a database of hashed credentials to figure out one or more of the original passwords:</p> <ol> <li> <p><strong>Running popular and predictable passwords through commonly used hashing algorithms.</strong> If the results match anything in their database of leaked credentials, they’ll know that the hashed password from the data leak corresponds to one of the commonly used passwords, which can then be used to access the associated account.</p> </li> <li> <p><strong>Using “rainbow tables” for popular hashing algorithms that contain common passwords and their hashed counterparts.</strong> If they find any of the leaked password hashes in the table, they’ll be able to see the corresponding original. This effectively reverses the hashing, letting them know the information they need to get into the user’s account.</p> </li> </ol> <h2 id="how-to-protect-yourself-from-a-dictionary-attack">How to protect yourself from a dictionary attack</h2> <p>It’s impossible to stop every data breach from happening or control how every company protects your credentials. 
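The two storage schemes the section above contrasts, as an added Go example that is neither 1Password's code nor a production KDF: an unsalted fast hash that a precomputed table of common passwords (a constructed five-word dictionary) recovers by lookup alone, beside a per-user salted, iterated hash (a stand-in for PBKDF2, bcrypt, scrypt or Argon2) that defeats precomputation and forces full work per guess per user. The fastHash, Record and slowSaltedHash names are assumed.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
)

// commonPasswords is a constructed stand-in for an attacker's dictionary.
var commonPasswords = []string{"123456", "password", "qwerty", "Dolphinsfan305", "letmein"}

// fastHash is the weak storage scheme: one unsalted SHA-256 of the password.
// Every site using it stores the same hash for the same password.
func fastHash(password string) string {
	h := sha256.Sum256([]byte(password))
	return hex.EncodeToString(h[:])
}

// precomputedTable is the "rainbow table" idea in its simplest form: hash the
// dictionary once, then match leaked hashes by lookup with no further work.
func precomputedTable(words []string) map[string]string {
	t := make(map[string]string, len(words))
	for _, w := range words {
		t[fastHash(w)] = w
	}
	return t
}

// matchLeakedHashes returns which leaked unsalted hashes the table recovers.
func matchLeakedHashes(table map[string]string, leaked []string) map[string]string {
	found := map[string]string{}
	for _, h := range leaked {
		if pw, ok := table[h]; ok {
			found[h] = pw
		}
	}
	return found
}

// iterations makes each guess cost roughly what one login verification costs.
const iterations = 100_000

// slowSaltedHash is an illustrative salted, iterated hash (not a production KDF).
func slowSaltedHash(password string, salt []byte) []byte {
	h := sha256.Sum256(append(append([]byte{}, salt...), password...))
	for i := 1; i < iterations; i++ {
		h = sha256.Sum256(append(append([]byte{}, salt...), h[:]...))
	}
	return h[:]
}

// Record is what a site should store per user: a random salt and the derived
// hash. Two users with the same password get unrelated records, so no single
// precomputed table covers them and every guess must be recomputed per user.
type Record struct{ Salt, Hash []byte }

func NewRecord(password string) (Record, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return Record{}, err
	}
	return Record{Salt: salt, Hash: slowSaltedHash(password, salt)}, nil
}

// Verify recomputes the hash with the stored salt and compares in constant time.
func (r Record) Verify(password string) bool {
	return subtle.ConstantTimeCompare(r.Hash, slowSaltedHash(password, r.Salt)) == 1
}

func main() {
	// Constructed leak from a site that stored unsalted SHA-256: three users,
	// two of whom chose dictionary words and one who used a generated password.
	leak := []string{fastHash("Dolphinsfan305"), fastHash("xK9#vL2!pQ7@wN4$"), fastHash("password")}
	found := matchLeakedHashes(precomputedTable(commonPasswords), leak)
	fmt.Printf("unsalted leak: %d of %d hashes recovered by table lookup\n", len(found), len(leak))

	// The same weak password stored with a salt and iterations gives unrelated records.
	a, _ := NewRecord("password")
	b, _ := NewRecord("password")
	fmt.Println("salted records identical:", hex.EncodeToString(a.Hash) == hex.EncodeToString(b.Hash))
	fmt.Println("correct verifies:", a.Verify("password"), "wrong verifies:", a.Verify("Password"))
}
```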
But you can be proactive and take a variety of measures to protect yourself against dictionary attacks:</p> <ul> <li> <p><strong>Create secure passwords.</strong> Use a <a href="https://1password.com/password-generator/">password generator</a> to create strong, unique passwords for all your online accounts, so they cannot be easily guessed or cracked.</p> </li> <li> <p><strong>Limit password attempts.</strong> Check to see if you’re able to limit how many failed login attempts are permitted before the system locks your account. This can help stop criminals from trying unlimited password combinations until they crack the account. It also alerts you to suspicious login activity so that you can change your password.</p> </li> <li> <p><strong>Change your password if it’s been compromised.</strong> If you receive an alert about questionable activity on your account, or if your credentials have appeared in a known data breach, change your password as soon as possible before a potential attacker can use it.</p> </li> <li> <p><strong>Use two-factor authentication (2FA).</strong> Wherever possible, turn on <a href="https://1password.com/features/two-factor-authentication/">two-factor authentication</a> to provide an extra layer of security for your account. With 2FA activated, a hacker can’t log in to your account with stolen credentials unless they also have access to the device(s) on which you retrieve your single-use codes.</p> </li> <li> <p><strong>Use a password manager.</strong> Password managers can help you create, store, and use strong, unique passwords for all your online accounts.</p> </li> </ul> <h2 id="how-can-a-password-manager-help-protect-you">How can a password manager help protect you?</h2> <p>A dedicated password manager like <a href="https://1password.com/">1Password</a> can help protect you from potential dictionary attacks and the damage they can cause. 1Password makes it easy to create truly random passwords that an attacker won’t have on their list. 
But it can do more than just help you generate and store strong passwords.</p> <p>1Password also <a href="https://support.1password.com/one-time-passwords/">works as an authenticator for websites and apps that support 2FA</a>. This way, you save time because you don’t need to open your email or an authentication app to get your verification codes. Instead, 1Password will autofill these codes in your browser the same way it fills your login information.</p> <p><a href="https://watchtower.1password.com/">Watchtower</a> is a 1Password feature that alerts you if any of your accounts show up in known data breaches, giving you the chance to update the associated credentials before an attacker can use them further. It also lets you know about any weak or reused passwords that are currently saved in your vaults, prompting you to change them to something stronger.</p> <h2 id="password-security-can-be-simple">Password security can be simple</h2> <p>You don’t have to be an IT expert to have strong password security. Follow cybersecurity best practices, such as using a dedicated password manager like 1Password, to protect your digital life from dictionary attacks and other cybersecurity threats.</p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Ready to protect yourself?</h3> <p class="c-call-to-action-box__text"> Keep all of your accounts secure with 1Password, the world’s most-trusted password manager. Get started today with a free 14-day trial. 
</p> <a href="https://1password.com/pricing/" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Try free for 14 days </a> </div> </section></description></item><item><title>Tip: Personalize your 1Password experience with custom account, vault, and item icons</title><link>https://blog.1password.com/personalize-1password-custom-icons/</link><pubDate>Thu, 27 Oct 2022 00:00:00 +0000</pubDate><author>info@1password.com (Nick Summers)</author><guid>https://blog.1password.com/personalize-1password-custom-icons/</guid><description> <img src='https://blog.1password.com/posts/2022/personalize-1password-custom-icons/header.png' class='webfeedsFeaturedVisual' alt='Tip: Personalize your 1Password experience with custom account, vault, and item icons' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Your password manager protects your digital life. Passwords. <a href="https://1password.com/resources/guides/saving-credit-cards-and-addresses/">Credit cards</a>. <a href="https://blog.1password.com/storing-important-documents/">Your most important documents</a>. By its nature, the password manager is personal.</p> <p>But you can go a step further and make 1Password <em>truly</em> yours by changing your profile picture and using custom icons for your 1Password Families and 1Password Business accounts, as well as individual vaults and items.</p> <p>With these options, you can:</p> <ul> <li>Reflect your personal sense of style in 1Password.</li> <li>Make it easier to glance at 1Password on any device and find exactly what you&rsquo;re looking for.</li> </ul> <p>Ready to add a personal touch to your favorite password manager? 
Here’s how…</p> <h2 id="1passwordcom">1password.com</h2> <h3 id="change-your-profile-picture">Change your profile picture:</h3> <ul> <li>Select your name in the top right-hand corner, followed by My Profile.</li> <li>Select Edit Details.</li> <li>Select the arrow on top of your profile picture.</li> <li>Choose from one of our many icons, or upload your own by selecting the &ldquo;+&rdquo; symbol.</li> </ul> <img src="https://blog.1password.com/posts/2022/personalize-1password-custom-icons/web1.png" alt="A web browser window showing the My Profile section of 1password.com." title="A web browser window showing the My Profile section of 1password.com." class="c-featured-image"/> <h3 id="change-your-family-or-business-icon">Change your family or business icon:</h3> <ul> <li>Find your family membership or business account in the sidebar and select Settings.</li> <li>Select the arrow on top of your family or business' icon.</li> <li>Choose from one of our many icons, or upload your own by selecting the &ldquo;+&rdquo; symbol.</li> </ul> <img src="https://blog.1password.com/posts/2022/personalize-1password-custom-icons/web2.png" alt="A web browser window showing how to change a family account icon on 1password.com." title="A web browser window showing how to change a family account icon on 1password.com." class="c-featured-image"/> <h2 id="mac-windows-linux">Mac, Windows, Linux</h2> <h3 id="change-vault-icon">Change vault icon:</h3> <ul> <li>Right click on the vault in the sidebar.</li> <li>Select Edit Vault.</li> <li>Select Change Icon.</li> <li>Choose from one of our many icons.</li> <li>Select Save.</li> </ul> <img src="https://blog.1password.com/posts/2022/personalize-1password-custom-icons/mac1.png" alt="A screenshot of 1Password 8 for Mac, showing how to change a vault icon." title="A screenshot of 1Password 8 for Mac, showing how to change a vault icon." 
class="c-featured-image"/> <h3 id="change-item-icon">Change item icon:</h3> <ul> <li>Find the item in 1Password.</li> <li>Select Edit in the top right-hand corner.</li> <li>Select the arrow on the icon, followed by Choose New Icon.</li> <li>Find and upload a picture from your device that you&rsquo;d like to use as the new icon.</li> <li>Select Save.</li> </ul> <img src="https://blog.1password.com/posts/2022/personalize-1password-custom-icons/mac2.png" alt="A screenshot of 1Password 8 for Mac, showing how to change an item icon." title="A screenshot of 1Password 8 for Mac, showing how to change an item icon." class="c-featured-image"/> <h2 id="ios-and-android">iOS and Android</h2> <h3 id="change-item-icon-1">Change item icon:</h3> <ul> <li>Find the item in 1Password.</li> <li>Select Edit in the top right-hand corner.</li> <li>Select the arrow on the icon, followed by Choose New Icon.</li> <li>Find and upload a picture from your device that you&rsquo;d like to use as the new icon.</li> <li>Select Save.</li> </ul> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div class="c-technical-aside-box__description"> <p>Want to personalize 1Password even further? 1Password 8 for iOS and Android let you <a href="https://blog.1password.com/1password-8-ios-android/">choose and re-order the information that&rsquo;s visible on your home screen</a>.</p> </div> </aside> <p>Go ahead and get creative! If you&rsquo;re feeling really artistic, you could create your own icons with an app like Procreate or Adobe Illustrator. 
Or kick it old school and draw some icons on a piece of paper before transferring them to your devices.</p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Listen to Random But Memorable</h3> <p class="c-call-to-action-box__text"> Subscribe to our podcast to hear the latest security news, tips and advice to up your privacy game, as well as guest interviews with leaders from the security community. </p> <a href="https://randombutmemorable.simplecast.com/" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Listen to the podcast </a> </div> </section></description></item><item><title>WebAuthn: what it is, and how it works</title><link>https://blog.1password.com/what-is-webauthn/</link><pubDate>Fri, 14 Oct 2022 00:00:00 +0000</pubDate><author>info@1password.com (Nick Summers)</author><guid>https://blog.1password.com/what-is-webauthn/</guid><description> <img src='https://blog.1password.com/posts/2022/what-is-webauthn/header.png' class='webfeedsFeaturedVisual' alt='WebAuthn: what it is, and how it works' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">WebAuthn technology is pivotal to passwordless authentication. When implemented correctly, the specification makes it simple and secure to sign in to accounts without entering a traditional password.</p> <p>If you have questions about WebAuthn, you&rsquo;re not alone. After all, it&rsquo;s not a term you hear often in casual conversation … unless you&rsquo;re <em>really</em> into security.</p> <p>Here, we&rsquo;re going to unpack the term and explain how it allows developers to offer passwordless solutions. 
This will give you a better understanding of where cybersecurity is headed, and why so many companies including 1Password are excited by the technology underpinning it.</p> <h2 id="what-is-webauthn">What is WebAuthn?</h2> <p>WebAuthn, or <a href="https://fidoalliance.org/fido2-2/fido2-web-authentication-webauthn/">Web Authentication</a>, is an API that gives website developers the ability to support a passwordless login experience on their websites and in apps. It’s an essential piece of software that connects those websites and apps with your chosen authenticator.</p> <p>Authenticators <a href="https://developers.yubico.com/Developer_Program/WebAuthn_Starter_Kit/Platform_and_Roaming_Authenticators.html">are available in two forms</a>:</p> <ul> <li><strong>Roaming authenticators.</strong> These are standalone devices that are easy to carry around, like a <a href="https://blog.1password.com/hardware-security-keys-explained/">hardware security key</a>.</li> <li><strong>Platform authenticators.</strong> These are built into something you already use, like your PC or phone.</li> </ul> <p>The WebAuthn standard was developed by the <a href="https://fidoalliance.org/">FIDO Alliance</a>, an open industry association that wants to reduce the world&rsquo;s reliance on passwords, and the <a href="https://www.w3.org/">World Wide Web Consortium</a> (W3C), a community that works together to develop new standards and guidelines for the web. 1Password <a href="https://blog.1password.com/1password-is-joining-the-fido-alliance/">is a member of the FIDO Alliance</a>, along with some of the largest technology companies in the world including Apple, Google, and Microsoft.</p> <h2 id="how-does-webauthn-work">How does WebAuthn work?</h2> <p>Right now, you likely sign in to most websites and apps with a traditional username and password. 
The password is usually <a href="https://blog.1password.com/what-is-public-key-cryptography/">run through a hashing algorithm</a>, which turns it into scrambled gibberish that&rsquo;s useless to any theoretical attacker. The website or app then checks that the hashed version of the password you submitted matches the hashed version stored on its server. If everything lines up, the website or app will trust you&rsquo;re the account owner and allow you to sign in.</p> <p>WebAuthn is a different approach. Instead of a traditional password, it uses public and private keys – otherwise known as <a href="https://blog.1password.com/what-is-public-key-cryptography/">public-key cryptography</a> – to verify that you are who you say you are.</p> <blockquote> <p><strong>Unlike a traditional password, your private key is never shared with the website you want to sign in to.</strong></p> </blockquote> <p>Public and private keys are mathematically linked to one another. You can think of them like interlocking puzzle pieces – they&rsquo;re designed to go together, and can&rsquo;t be used with any other public or private keys. As the name implies, the public key can be shared publicly. In the context of WebAuthn, this means the website you want to sign in to knows and holds a copy of your public key.</p> <p>The private key, meanwhile, is kept secret and safe. It’s used to decrypt data that’s been encrypted with your public key. Unlike a traditional password, it’s not shared with the website you want to sign in to. That means it’s also never stored on the website&rsquo;s server.</p> <h2 id="when-you-create-a-new-account-using-webauthn">When you create a new account using WebAuthn</h2> <p>Okay, so those are the basics. To understand how this works in practice, we need to break down:</p> <ul> <li>Creating a new account using WebAuthn.</li> <li>Signing in to an existing account that uses WebAuthn.</li> </ul> <p>Let&rsquo;s start with the former. 
When you create a new account with WebAuthn, your device sends a request to the website or app&rsquo;s server. Your chosen authenticator – which could be your PC, phone, or a hardware security key – then generates a new public and private key pair. The public key is sent to the website or app&rsquo;s server for storage, while the private key remains on your authenticator.</p> <h2 id="when-you-sign-in-to-an-account-using-webauthn">When you sign in to an account using WebAuthn</h2> <p>Now you can sign in without entering a traditional password. The website or app will issue a &ldquo;challenge&rdquo; to check that your authenticator has the correct private key. You can think of this challenge like a special bank check that will only be accepted if it&rsquo;s signed with your one-of-a-kind fountain pen (i.e., your private key).</p> <p>Your chosen authenticator &ldquo;signs&rdquo; the challenge using your private key and sends the completed signature to the website or app. Finally, the website or app verifies the signature using your public key, which is already stored on its server.</p> <p>All of these steps happen in the background. From your perspective, you simply select the &lsquo;sign in&rsquo; prompt on the app or website and, if required, authenticate using biometrics. And then that&rsquo;s it! 
You&rsquo;ve successfully signed in using WebAuthn technology.</p> <h2 id="the-advantages-of-webauthn">The advantages of WebAuthn</h2> <p>WebAuthn offers a number of benefits over traditional passwords:</p> <ul> <li> <p><strong>Your private key is never shared with the website you want to sign in to.</strong> That means you don&rsquo;t have to worry about how the website is storing your private key.</p> </li> <li> <p><strong>Your public key can&rsquo;t be used to figure out your private key.</strong> If a criminal breaches a website&rsquo;s servers, the best they can hope to find is your public key, which can&rsquo;t be used to sign in to your account.</p> </li> <li> <p><strong>WebAuthn is a strong defense against <a href="https://blog.1password.com/what-is-phishing-and-how-can-you-protect-your-business/">phishing</a> and <a href="https://blog.1password.com/what-is-social-engineering-hacking-101/">social engineering</a> attacks.</strong> Criminals will often create fake but seemingly authentic websites to try to trick you into sharing your login details. WebAuthn protects you by ensuring that you never share your credentials with untrusted websites.</p> </li> <li> <p><strong>You don&rsquo;t have to memorize or type your private key.</strong> However, a website might give you some backup codes to hold onto, or prompt you to create a password, just in case you lose access to your authenticator(s).</p> </li> </ul> <h2 id="how-webauthn-relates-to-passkeys">How WebAuthn relates to passkeys</h2> <p>WebAuthn isn&rsquo;t new. The project was <a href="https://en.wikipedia.org/wiki/WebAuthn">started in 2016</a>, and the WebAuthn Level 1 standard was published as a W3C recommendation three years later. The API is <a href="https://webauthn.me/browser-support">already supported by many web browsers</a>, including Chrome, and various hardware security keys (roaming authenticators).</p> <p>But the standard has yet to go truly mainstream. 
Most people still use a traditional username and password for all of their online accounts. And few websites offer a passwordless login experience right now.</p> <p>Some of the largest technology companies are working on a solution called passkeys, which leverage the WebAuthn standard. Passkeys allow you to seamlessly and securely sign in using your existing devices (platform authenticators). WebAuthn is <a href="https://blog.1password.com/introducing-support-for-u2f-security-keys/">already in use</a>, however passkeys could give the standard its largest exposure to date, and boost adoption thanks to its convenience, ease of use, and added security.</p> <h2 id="the-bottom-line">The bottom line</h2> <p>WebAuthn is an open standard that helps make it simple and secure to sign in to your favorite websites without a traditional password. Here at 1Password, we&rsquo;re excited by the standard&rsquo;s potential, and are <a href="https://www.youtube.com/watch?v=lYFxfchhR1g">already working to integrate WebAuthn keys</a> into our password manager. 
(We&rsquo;ll have more to share soon!)</p> <p>If you want to learn more about our thoughts on WebAuthn, passkeys, and everything else related to passwordless authentication, check out:</p> <ul> <li><a href="https://blog.1password.com/1password-is-joining-the-fido-alliance/">Our announcement that we&rsquo;ve joined the FIDO Alliance</a></li> <li><a href="https://www.future.1password.com/">Our future of 1Password microsite</a></li> <li><a href="https://randombutmemorable.simplecast.com/episodes/the-passwordless-special">This special episode of the Random but Memorable podcast, which explores all things passwordless</a></li> </ul> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Secure your digital life with 1Password</h3> <p class="c-call-to-action-box__text"> Keep all of your accounts secure with 1Password, the world’s most-trusted password manager. Get started today with a free 14-day trial. </p> <a href="https://1password.com/pricing/" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Try free for 14 days </a> </div> </section></description></item><item><title>New research: the realities of parenting and growing up online</title><link>https://blog.1password.com/parenting-and-growing-up-online-report/</link><pubDate>Thu, 13 Oct 2022 00:00:00 +0000</pubDate><author>info@1password.com (Andrew Zangre)</author><guid>https://blog.1password.com/parenting-and-growing-up-online-report/</guid><description> <img src='https://blog.1password.com/posts/2022/parenting-and-growing-up-online-report/header.png' class='webfeedsFeaturedVisual' alt='New research: the realities of parenting and growing up online' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">The internet’s evolution is transforming our way of life in real time. 
That includes the experience of being a parent, and to an even greater degree, a young person. Today, it’s not uncommon for kids to have an online presence before losing their first teeth. But we’re only just starting to learn about the impact of these changing habits, and the challenges they’re creating for families around the globe.</p> <p>There’s never been a greater need to understand the internet’s influence on parenting and childhood – especially as more kids grow up and become parents themselves. That’s why we partnered with Malwarebytes for a comprehensive survey that asked parents and Gen Zers about their habits and honest feelings on the topic. Today, you can read our findings in a joint report titled “<a href="https://1passwordstatic.com/files/resources/parenting-and-growing-up-online-report.pdf">Forever connected: the realities of parenting and growing up online</a>.”</p> <h2 id="the-new-struggles-for-todays-kids">The new struggles for today’s kids</h2> <p>The challenges of life online are far greater than choosing the best profile photo. Misinformation, identity theft, online scams – these are all legitimate threats for more than half of the young people we surveyed. But the largest problem in their eyes is cyberbullying (66%), with self-esteem issues caused by online comparisons (63%) not far behind.</p> <p>Previous generations may have spent their days “<a href="https://idioms.thefreedictionary.com/I+walked+to+school+uphill+both+ways">walking uphill both ways</a>,” but today’s young people are grappling with psychological burdens that are entirely unique to online life. And they need help from their parents or guardians, as well as teachers and mentors, to know how to respond and adapt.</p> <p>A major factor in all of this is the freedom to post whatever you want by age 13. Almost half of Gen Z teenagers (48%) regret things they posted when they were younger. 
Kids will be kids, and a lot of parents agree that making online mistakes is now just a part of life. But helping the next generation understand the potential risks of what they post, or how they conduct themselves online, can go a long way – especially when paired with <a href="https://blog.1password.com/talking-to-kids-online-safety/">basic online safety precautions</a>.</p> <h2 id="the-critical-role-that-parents-and-guardians-play">The critical role that parents and guardians play</h2> <p>Parents have an opportunity here that cannot be overstated. It’s not just the guidance and support they can offer, but the changes they can make to their own habits, which in turn will benefit kids. For example, many children feel they’ve been stalked or bullied because of something their parents posted online. Also, 73% of Gen Zers wish their parents asked permission before posting pictures of them. Right now, only 34% of parents do.</p> <p>Connected families can’t ignore these topics. Our report highlights the growing urgency for parents to learn more about online threats, offer more security-minded advice to kids, and lead by example through their own digital habits. Most kids (59%) say they’ve learned about online safety on their own, rather than through their parents (21%). 
So there’s no time like the present for parents to <a href="https://blog.1password.com/family-scam-safety/">read up on these topics</a> and strike up these conversations at home.</p> <h2 id="tips-for-parents-from-1password">Tips for parents (from 1Password)</h2> <p>With a little help from 1Password co-founder (and mother of two) Sara Teare, here are some simple tips for parents to help keep their children safe online and set them up for success:</p> <ol> <li> <p><strong>Have honest discussions about sharing information.</strong> As the saying goes, “the internet never forgets”, and people often don’t realize sharing information with an app or with people you’ve met online can be an example of something that can’t be un-shared.</p> </li> <li> <p><strong>Practice good password security yourself.</strong> Having a password manager takes all the hassle out of it, so doing it the easy way is also the safe way.</p> </li> <li> <p><strong>Talk about consent.</strong> Most everyone has experienced being tagged in a photo you’d prefer to forget. Kids today inhabit an online world. Sharing with them what you’re posting (and where!) helps to teach them the boundaries of sharing, while giving them a chance to control their information early.</p> </li> <li> <p><strong>Share with them.</strong> When you get a text message saying your bank account has been breached, show them how you can tell it’s a scam – from a wonky number, spelling errors, incorrect links, or not even having an account with that bank. Learning that things like this happen to everyone offers a great opportunity to teach them how to handle those situations.</p> </li> <li> <p><strong>Talk with them and ask how they’re doing.</strong> What apps are their favorite? Did they see this story in the news? And ask them for their advice – have they seen reviews for X product? Should I try A or B for this job? 
Sometimes it’s little questions that open the door for bigger discussions.</p> </li> <li> <p><strong>Let them be a partner in online education.</strong> Kids have a way of picking things up quickly and they are eager to show their new skills – our latest thing has been finding new recipes on TikTok and trying them out. Some are great, most are flops, but by working together, we keep that communication flowing.</p> </li> </ol> <h2 id="get-the-full-report">Get the full report</h2> <p><a href="https://1passwordstatic.com/files/resources/parenting-and-growing-up-online-report.pdf">Read the full report</a> to learn more about what parents and children are experiencing, where there’s a disconnect between them, and the lessons that future generations can learn from.</p> <p>We’re proud to share these findings – and as we keep learning and exploring this “connected world” together, these perspectives can hopefully shine a light on the best path forward.</p></description></item><item><title>Introducing 1Password 8 for Apple Watch</title><link>https://blog.1password.com/1password-8-apple-watch/</link><pubDate>Wed, 12 Oct 2022 00:00:00 +0000</pubDate><author>info@1password.com (Matt Grimes)</author><guid>https://blog.1password.com/1password-8-apple-watch/</guid><description> <img src='https://blog.1password.com/posts/2022/1password-8-apple-watch/header.png' class='webfeedsFeaturedVisual' alt='Introducing 1Password 8 for Apple Watch' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Your most precious data is now securely accessible from your most personal device. The all-new 1Password for Apple Watch offers customizable access to nearly anything in your 1Password account, with full support for complications and the same intuitive experience you know and love.</p> <p>For many of us, Apple Watch is the most personal piece of technology we own. 
It accompanies us even in places our phones do not, offering glanceable access to the time and date, app notifications, the weather, even information about our health and wellbeing.</p> <p>With the latest update to 1Password 8 for iOS, your Apple Watch can now serve as a secure window into your most important information as well – even when your phone isn’t on you, or you have no internet connection.</p> <p>1Password for Apple Watch provides quick access to two-factor codes, Wi-Fi passwords, secure notes, or any other items you choose to bring with you.</p> <h2 id="complications-large-type-and-more">Complications, Large Type, and more</h2> <p>We’ve rebuilt our Apple Watch app to take full advantage of watchOS’ evolving capabilities. One of the standout benefits of the modern Apple Watch experience is its ability to show tiny, helpful widgets – from any supported app – right on your watch face. In a nod to traditional watchmaking history, Apple calls these widgets “complications”.</p> <p>1Password now offers complications you can configure for quick access to nearly any kind of information from your 1Password account. Need to keep your booking code handy while traveling? Add it as a complication to your current watch face so you can get to it in a single tap. Always logging into a particular account for work that needs a two-factor code? Pin it to your watch face for at-a-glance access.</p> <p>And because iOS 16 allows you to <a href="https://support.apple.com/en-ca/guide/watch/apd6640937c4/watchos">set up a custom Focus</a> for every context in your life – each with its own Apple Watch face – you can keep only the most relevant information visible.</p> <p>Beyond complications, 1Password for Apple Watch provides full access to your choice of items. View all your custom fields (including multi-line notes) and custom item icons. We even support Markdown for notes. 
Designate individual items in your 1Password account using your iPhone to have them sync securely to your Watch. From there, you can view them even when you&rsquo;re away from your phone and have no internet connection.</p> <p>Though Apple Watch screens have been getting bigger and bigger, it&rsquo;s still a compact device. That&rsquo;s why we&rsquo;re introducing the ability to view your passwords in Large Type, making them more comfortable to read on a smaller display.</p> <p>Large Type works the same way you&rsquo;re used to from 1Password on other devices, providing a bigger view with helpful character index so you don&rsquo;t lose your place while reading long passwords.</p> <h2 id="security-on-the-go">Security on the go</h2> <p>1Password for Apple Watch brings the security and convenience of 1Password to your wrist. It’s an extension of our flagship iOS app, providing a familiar experience even when you’re away from your phone.</p> <p>Take it for a spin today and <a href="https://twitter.com/1password">let us know on Twitter</a> how you&rsquo;re using complications or Focus to stay secure and productive.</p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Download 1Password 8 for iOS to get started</h3> <p class="c-call-to-action-box__text"> 1Password for Apple Watch is bundled with our iOS app. If you don't have automatic app downloads enabled for your watch, simply install 1Password from the Apple Watch app on your iPhone. 
</p> <a href="https://1password.com/downloads/ios/" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Get started </a> </div> </section></description></item><item><title>Secure your family with 1Password and provide food security to communities</title><link>https://blog.1password.com/thanksgiving-2022/</link><pubDate>Mon, 10 Oct 2022 00:00:00 +0000</pubDate><author>info@1password.com (Sara Teare)</author><guid>https://blog.1password.com/thanksgiving-2022/</guid><description> <img src='https://blog.1password.com/posts/2022/thanksgiving-2022/header.png' class='webfeedsFeaturedVisual' alt='Secure your family with 1Password and provide food security to communities' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Here in Ontario, the leaves have begun changing colors and Thanksgiving has arrived. It’s a welcome reminder to appreciate what we have, from the simplicity of a warm meal to the joy of sharing that meal with loved ones.</p> <p>It’s a great opportunity for us to give thanks and give back to our communities. Since Thanksgiving comes early for Canadians, we’re kicking off our season of giving thanks now!</p> <h2 id="help-your-community-this-thanksgiving-">Help your community this Thanksgiving 💙</h2> <p>From now until November 25th, when someone becomes a new 1Password Families customer, 1Password will be donating to three different charities. 
These groups work within our communities to help provide food security and build stronger networks for all.</p> <p><a href="https://foodbankscanada.ca/about-us/"><strong>Food Banks Canada</strong></a> helps those across Canada living with food insecurity by relieving hunger today and preventing hunger tomorrow in collaboration with the food bank network.</p> <p><a href="https://secondharvest.ca/about/"><strong>Second Harvest</strong></a> is creating an efficient food recovery network, reducing the environmental impact of food waste while ensuring that everyone – regardless of their economic situation – is able to feed themselves and their family.</p> <p><a href="https://www.unitedway.ca/how-we-help/"><strong>United Way Centraide</strong></a> works across Canada to make change locally, creating opportunities for everyone in our communities to live a better life by reducing poverty, supporting children and youth, and building vibrant neighborhoods.</p> <p>If you’ve ever considered if a 1Password Families account is right for you, you can <a href="https://1password.com/personal/">learn more about it</a>, and if you do create an account, we’ll donate $2 to charity. We believe that the 1Password community is an amazing place to be, and we encourage everyone to take steps to help those around them, no matter how small.</p> <p>Wishing you a happy Canadian Thanksgiving, Sara</p> <section class="c-call-to-action-box c-call-to-action-box--yellow"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Get started with 1Password Families</h3> <p class="c-call-to-action-box__text"> We’re donating $2 for every new 1Password Families customer from now until November 25th. 
</p> <a href="https://1password.com/pricing/" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--yellow" data-event-category="CTA" data-event-action="call-to-action-button"> Get started </a> </div> </section></description></item><item><title>Community spotlight: Extending 1Password for JetBrains users</title><link>https://blog.1password.com/1password-jetbrains/</link><pubDate>Thu, 06 Oct 2022 00:00:00 +0000</pubDate><author>info@1password.com (Jason Harris)</author><guid>https://blog.1password.com/1password-jetbrains/</guid><description> <img src='https://blog.1password.com/posts/2022/1password-jetbrains/header.png' class='webfeedsFeaturedVisual' alt='Community spotlight: Extending 1Password for JetBrains users' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">1Password is serious about securing developers' workflows. That’s why we’ve built and continue to improve upon <a href="https://developer.1password.com/">1Password Developer Tools</a>.</p> <p>Today we&rsquo;re talking to developer and friend of 1Password <a href="https://shyim.me/">Soner Sayakci</a>, who is both a JetBrains and 1Password user. Just a few weeks ago, Sayakci released a fantastic integration that enables developers to <a href="https://plugins.jetbrains.com/plugin/19698-1password-integration/">make use of 1Password vaults, secret references, and more within the JetBrains</a> integrated development environment (IDE).</p> <p>By automating tedious tasks, 1Password Developer Tools speeds up development workflows while eliminating the potential for human error. We&rsquo;ve automated SSH key management. We&rsquo;ve added biometric unlock to Git authentication and other SSH workflows to simplify secrets management in the terminal. </p> <p>We also aim to bring 1Password’s security model and ease of use to the tools developers use every day. 
Earlier this summer, we released <a href="https://blog.1password.com/1password-visual-studio-code/">1Password for VS Code</a>, an open-source integration that enables VS Code users to take secrets (such as Stripe keys, API tokens or Docker credentials) out of their code and replace them with <a href="https://developer.1password.com/docs/cli/secrets-reference-syntax">secret references</a> stored in 1Password. Devs can then automatically manage and deploy those secrets without exposing them within a codebase.</p> <p>1Password for VS Code was written as a side project by 1Password engineer <a href="mailto:jody.heavener@agilebits.com">Jody Heavener</a> using tools that are fully open to the public. We also <a href="https://github.com/1Password/op-vscode">open-sourced the entire project</a> on our GitHub and invited the public to iterate on our solution or develop a new one on their own.</p> <h2 id="introducing-1password-for-jetbrains-a-community-contribution">Introducing 1Password for JetBrains, a community contribution</h2> <p>While VS Code is an amazing code editor used by many developers, one of our top integration requests has been <a href="https://www.jetbrains.com/">JetBrains</a>, another fantastic offering serving the needs of software developers around the world. 1Password’s Developer Tools team is mighty - but like any dedicated group, we can’t magically take on every project. This is where the amazing software development community and contributors like Soner come in. </p> <p><strong>Where do you work and what’s your role?</strong></p> <p>I’ve been a software developer for 12 years and my work is at Shopware, a fully open source ecommerce platform based in Germany. In my free time, I also like to contribute to open source projects.</p> <p>As a part of my work at Shopware, I&rsquo;ve built an organization called <a href="https://friendsofshopware.com/">Friends of Shopware</a> in which community members work together on extensions for the platform. 
</p> <p><strong>How did you discover 1Password?</strong></p> <p>For Friends of Shopware, we are participants in <a href="https://github.com/1Password/1password-teams-open-source">1Password for Open Source</a> (a program that makes 1Password free for open-source maintainers) and use it in the day-to-day operation of our work. </p> <p><strong>Tell us about your code and frameworks of choice.</strong></p> <p>My personal stack consists of PHP, JavaScript, and Go. For tooling, my team and I actively use JetBrains because it’s the leader in the PHP and Java programming worlds.</p> <p><strong>How do you use 1Password Developer Tools?</strong></p> <p>Originally, I thought of 1Password as just a password manager, a necessary tool for managing my usernames and passwords in a browser extension. This changed when I discovered 1Password has developer tools such as the SSH agent and CLI.</p> <p>Developers like to move fast when it comes to building solutions, which means we sometimes cut corners like putting secrets in our source code. When we do that, we risk exposing access keys in our codebase and potentially in deploys that can expose our organization. What we need is a helper in the IDE that can protect us from these critical human errors.</p> <p>After I saw the extension for VS Code, I wanted to build something similar for JetBrains.</p> <p><strong>How long did it take to build the JetBrains / 1Password Extension?</strong></p> <p>From start to finish, the JetBrains for 1Password plug-in only took me a few hours to write. I used the VS Code extension as a template.</p> <p><strong>In building your extension, how was working with the CLI and our team?</strong></p> <p>I found the CLI very easy to use and work against. I’ve built two prior extensions for JetBrains so this wasn’t my first project of this type. 
After doing some research and reviewing the VS Code extension code, I built my JetBrains extension without finding any obstacles or major pain points.</p> <p>The 1Password team was immensely helpful and having them on the 1Password Developer Slack helped quite a bit.</p> <p><strong>Do you have any advice for others who want to build with 1Password and the CLI?</strong></p> <p>I must say - after working with many password managers, 1Password is the clear leader when it comes to developer tooling. I’ve seen recently that there’s a new GitHub Action that can prompt you to get secrets from the 1Password vault. This is so cool.</p> <p>For other developers, I recommend reading the <a href="https://developer.1password.com/">1Password Developer Docs</a> and getting started building your integration or tool. Also, know that the 1Password team is responsive on the <a href="https://join.slack.com/t/1password-devs/shared_invite/zt-1halo11ps-6o9pEv96xZ3LtX_VE0fJQA">Developer Slack</a> and can answer any questions - and they’re open to feedback (and actually listen!).</p> <p>From the 1Password Developer Tools Team, we thank you, Soner, and hope the community finds the integration to be most useful!</p></description></item><item><title>1Password SCIM bridge explained: what it is, and why we made it</title><link>https://blog.1password.com/1password-scim-bridge-explained/</link><pubDate>Mon, 03 Oct 2022 00:00:00 +0000</pubDate><author>info@1password.com (Graham Brown)</author><guid>https://blog.1password.com/1password-scim-bridge-explained/</guid><description> <img src='https://blog.1password.com/posts/2022/1password-scim-bridge-explained/header.png' class='webfeedsFeaturedVisual' alt='1Password SCIM bridge explained: what it is, and why we made it' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">The <a href="https://support.1password.com/scim/">1Password SCIM bridge</a> is a powerful tool for businesses that want to use a 
password manager alongside an identity provider like Okta, Rippling, or Azure Active Directory. But if you haven&rsquo;t used the SCIM bridge before, you might be wondering: What exactly is it? And does my company need a SCIM bridge?</p> <p>Today, we&rsquo;re going to dive in and answer both of these questions. But to do so, we have to explain the problem the SCIM bridge solves.</p> <h2 id="the-problem-your-time-is-valuable">The problem: your time is valuable</h2> <p>How can you effectively provision, manage, and deprovision users in 1Password if you work for a large organization?</p> <p>Imagine you’re an administrator for a Fortune 500 company. You have over 100,000 users in your directory, and management is telling you that everyone needs access to 1Password.</p> <p>Now, let&rsquo;s be generous and assume inviting a user, confirming their account, and placing them in the right 1Password groups takes a total of 30 seconds <a href="https://start.1password.com/signin">via 1Password.com</a>. Congratulations! Your new job for the next three months is going to be adding people to 1Password. And as time goes on, there will be people who change their name, join the company, and leave for other opportunities – all of which will increase your work and take up more of your time.</p> <blockquote> <p><strong>it’s not practical to manage a large number of users in 1Password without some sort of automated solution.</strong></p> </blockquote> <p>In short, it’s not practical to manage a large number of users in 1Password without some sort of automated solution. Your time is valuable, and we want to enable you, not slow you down.</p> <h2 id="a-first-step-the-industry-standard">A first step: the industry standard</h2> <p>Thankfully, 1Password isn’t the first or only company to tackle the problem of managing users at scale. A variety of services exist to store, manage, and act upon user identities such as Okta, Azure Active Directory, and Google Workspace. 
Collectively these are known as <a href="https://www.okta.com/uk/identity-101/why-your-company-needs-an-identity-provider/">Identity Providers</a>, or IdPs. They’re incredibly useful if set up and configured correctly, allowing a single administrator to invite thousands of users to a new app with a single click.</p> <p>In addition, something like a name change will be reflected automatically in all the apps that the IdP manages. That means there’s no need for any administrator intervention. These changes automatically inform other apps via an industry standard protocol called the <a href="http://www.simplecloud.info">System for Cross-domain Identity Management</a> (SCIM). This protocol allows apps like 1Password – referred to as Service Providers, or SPs – to speak the same language as the identity providers. So when the IdP says &lsquo;add this new user with these characteristics&rsquo;, 1Password knows exactly what to do.</p> <p>To make this work, we needed to build something that can understand and interact with the SCIM protocol.</p> <h2 id="the-1password-encryption-model-an-identity-challenge">The 1Password encryption model: an identity challenge</h2> <p>1Password is <a href="https://1password.com/security/">designed with security in mind</a>. One of our security beliefs is that your private encryption keys should never come anywhere close to our servers. They’re generated and live on devices you hold and control, and never enter our possession. If we were to be hacked (which has never happened), receive government orders, or just decide to be malicious, we couldn’t gain access to your 1Password account.</p> <p>This means all of your 1Password data is encrypted with a key only you possess. 
It’s generated on your device using your email address, account password, and Secret Key.</p> <p>But this security creates an added challenge: if your personal encryption key is stored on your device, how can 1Password and IdPs automatically carry out SCIM-related operations? After all, you use your encryption keys on your local device every time you access your account, which then allows you to invite team members, modify group memberships, and remove users.</p> <blockquote> <p><strong>If your personal encryption key is stored on your device, how can 1Password and IdPs automatically carry out SCIM-related operations?</strong></p> </blockquote> <p>To handle requests from your identity provider, another encryption key – stored securely in a location you control – was required to access the encrypted data on our servers. Another problem was that identity providers can’t speak using encryption keys. How could we convert SCIM commands to encryption key-based operations?</p> <h2 id="enter-stage-left-the-scim-bridge">Enter stage left: the SCIM bridge</h2> <p>The SCIM bridge solves these problems via a server that is deployed in your company’s infrastructure. 
This server holds one set of encryption keys and acts as a &lsquo;bridge&rsquo; between the IdP and 1Password, converting requests from SCIM language to 1Password’s encryption key-oriented language.</p> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div class="c-technical-aside-box__description"> <p>Deploying the SCIM bridge this way lets us add additional security measures such as <a href="https://blog.1password.com/developers-how-we-use-srp-and-you-can-too/">Secure Remote Password</a> (SRP) to the communication between the bridge and our servers.</p> </div> </aside> <p>Here’s an example of how the SCIM bridge works when you add someone to a group in 1Password:</p> <ol> <li>You add a user to a group in your identity provider.</li> <li>The identity provider sends a request to the SCIM bridge explaining that the user should be added to the specified group in 1Password.</li> <li>The SCIM bridge reads the request, then fetches the user, group, and encrypted information it needs from 1Password.</li> <li>The SCIM bridge uses encryption keys held on your company’s server to add the user to the group.</li> <li>The SCIM bridge tells your identity provider the operation is complete.</li> </ol> <h2 id="practical-1password-account-management-at-scale">Practical 1Password account management at scale</h2> <p>Using the 1Password SCIM bridge makes it practical to manage 1Password at scale. The bridge cuts down on tedious and time-consuming tasks for administrators, making common tasks automatic. Sending invites, confirming users, managing group memberships, and deprovisioning users all become a thing of the past.</p> <p>Once it’s been deployed, an administrator shouldn’t have to think about the SCIM bridge day-to-day. The changes you make in your identity provider will be reflected automatically in 1Password. 
Plus, with such deep ties to your existing identity system, you can replicate your internal directory structure in 1Password with the press of a button.</p> <blockquote> <p><strong>1Password has become automatically managed.</strong></p> </blockquote> <p>In addition, removing someone from your identity provider will trigger the SCIM bridge to do the same in 1Password. That means the team member will lose access to all the vaults and items that were accessible from their 1Password account moments after they are disabled.</p> <p>All of this means you can spend more time on other projects that will help your team stay productive and secure. 1Password has become automatically managed.</p> <h2 id="the-bottom-line">The bottom line</h2> <p>The 1Password SCIM bridge allows you to connect 1Password with your existing identity provider and, thanks to the SCIM protocol, automate tasks like user provisioning and deprovisioning. That means you don’t have to go through the manual process of inviting and managing users in 1Password. The bridge also offers other security benefits like maintaining ownership of your private keys, automating confirmation of validated users, and revoking a person’s access to 1Password as soon as they’re removed from your identity provider.</p> <p>Ready to start? Open up your 1Password Business account and go to the Integrations page to enable provisioning.</p> <p>Still have questions? That makes sense – this is a complicated topic! Start by reading our <a href="https://support.1password.com/scim/">support documentation</a> and asking for help in our <a href="https://1password.community">forum</a>. 
If you’re still stuck, send an email to <a href="mailto:integrations@1password.com">integrations@1password.com</a> and we’ll happily answer any questions you have.</p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Get started with the 1Password SCIM bridge</h3> <p class="c-call-to-action-box__text"> Ready to deploy the 1Password SCIM bridge? Read this support article for step-by-step instructions on how to get started. </p> <a href="https://support.1password.com/scim/" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Get started </a> </div> </section></description></item><item><title>Why SSH security practices need to change (and how 1Password can help)</title><link>https://blog.1password.com/ssh-security-practices-changing/</link><pubDate>Fri, 30 Sep 2022 00:00:00 +0000</pubDate><author>info@1password.com (Jeffrey Goldberg)</author><guid>https://blog.1password.com/ssh-security-practices-changing/</guid><description> <img src='https://blog.1password.com/posts/2022/ssh-security-practices-changing/header.png' class='webfeedsFeaturedVisual' alt='Why SSH security practices need to change (and how 1Password can help)' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">SSH key management practices reflect the environment in which they were first introduced. The 1Password SSH agent is a big step toward aligning practices with the modern world.</p> <p>Earlier this year, we introduced the <a href="https://developer.1password.com/docs/ssh/agent/">1Password SSH agent</a> as part of our commitment to bring developers the kinds of things developers want to see. 
Today, I’ll discuss a re-evaluation of the security properties and habits some of us old-timers may have regarding SSH keys, and which of those habits are outdated.</p> <p>The short version is that SSH was originally a drop-in replacement for <em>rsh</em> (remote shell) and <em>rlogin</em>, which were centered around one machine trusting another machine, or one account on a machine trusting an account on another machine. SSH private keys were associated not just with individuals, but individual accounts on particular hosts.</p> <blockquote> <p><strong>Some of us old-timers need to adjust how we think about SSH keys.</strong></p> </blockquote> <p>SSH key management tools and conventions grew out of that environment. A key pair didn&rsquo;t so much belong to a person, but a user logged on to a particular host.</p> <p>This all made sense at the time SSH was invented. But certain security practices - and unintended consequences - followed, and they&rsquo;ve been problematic since. The 1Password SSH agent and its integration fix those problems, but it means that some of us old-timers need to adjust how we think about SSH keys.</p> <h2 id="its-about-people-now-not-machines">It&rsquo;s about people now, not machines</h2> <p>We designed the 1Password SSH agent with the belief that:</p> <ol> <li>SSH key pairs belong to people, not to the machine those people SSH from.</li> <li>SSH private keys should be locked and unlocked when other high-value user credentials are locked and unlocked.</li> </ol> <p>I don&rsquo;t think either of these beliefs is controversial. But when in the course of geeky events it becomes necessary for one set of geeks to dissolve practices and conventions, a decent respect to the opinions of others requires that they should declare the causes which impel such a break with tradition.</p> <p>First, we need to understand the reasons for the conventions we&rsquo;re breaking. Only then can we evaluate whether we&rsquo;re doing something good or bad. 
TL;DR: We&rsquo;re doing something good.</p> <p>Next, I’ll go into some history in an attempt to explain what those original reasons were and why the conventional wisdom was what it was. This will also make it clear that the reasons for some of the SSH key management practices became obsolete quickly.</p> <h2 id="in-the-before-time">In the before time</h2> <p>Back in the 1980s, very few individuals used their own Internet-connected computers. Instead, they used terminals connected to somebody else&rsquo;s computers. In my case, the computers were owned and operated by the universities I attended.</p> <p>The user accounts on these computers were managed by system administrators, and ordinary users had limited rights on them. I could do stuff within my own account but I couldn&rsquo;t touch the system&rsquo;s configuration.<sup id="fnref:1"><a href="#fn:1" class="footnote-ref" role="doc-noteref">1</a></sup> As more computers in these environments were made available, it became useful for users to log in to one of them from another.</p> <p>For example, imagine two machines called <code>russell</code> and <code>whitehead</code>. Both are administered by the same people with similar policies. It makes sense that if I&rsquo;d logged on to <code>russell</code> as user <em>goldberg</em>, and the operators configured <code>whitehead</code> to trust <code>russell</code>, I should be able to jump over to <code>whitehead</code> with little fuss. I could use <code>rsh</code> to hop over to <code>whitehead</code> if that machine listed <code>russell</code> as a trusted device for this purpose.</p> <blockquote> <p><strong>There were many problems with this scheme.</strong></p> </blockquote> <p>There was some ability to configure things for specific users but this was fundamentally a machine-to-machine trust relationship. 
Anyone with the same username on both machines could log in to one from the other with no further authentication.</p> <p>There were many problems with this scheme. One was that it didn&rsquo;t provide a reliable way for <code>russell</code> to prove to <code>whitehead</code> that it really was <code>russell</code>.<sup id="fnref:2"><a href="#fn:2" class="footnote-ref" role="doc-noteref">2</a></sup> And as machines became cheaper and more connected to the network, the people who ran the system could no longer rely on the idea that every machine on their network was honest. It was too easy for someone to get a machine to masquerade as <code>russell</code> to <code>whitehead</code>.</p> <p>SSH was a solution to that, and many other problems.</p> <p>The point here is that <em>rsh</em>, along with the related <em>rlogin</em>, were based on trust between machines. SSH was designed as a replacement, but with cryptographic goodness.</p> <h2 id="user-on-a-machine">User on a machine</h2> <p>Consider a network with a machine called <code>russell</code> that’s carefully managed and receives all security updates within months instead of years. (Things were <em>bad</em> in the bad old days.) Other machines, including <code>quine</code>, don&rsquo;t get the updates as quickly. If SSH were configured like its predecessor – to trust machines and the usernames they provided – very bad things could happen.</p> <p>For example, imagine Mr. Talk (my neighbor&rsquo;s cat and the enemy of my dogs, Patty and Molly) has an account on <code>quine</code> and Molly doesn&rsquo;t. If Mr. Talk gains enough control of <code>quine</code> to create the user <code>molly</code>, then he can SSH over from <code>molly@quine</code> to <code>molly@russell</code>.</p> <p>System administrators recognized the problem fairly quickly and no longer configured SSH to trust a peer machine&rsquo;s claim about which user was connecting. 
This is when users like Molly set up SSH key pairs for each of their accounts, instead of key pairs just belonging to machines.</p> <blockquote> <p><strong>The practice had shifted from securely authenticating a machine to securely authenticating a user from a particular machine.</strong></p> </blockquote> <p>So Molly might create an SSH key pair on <code>whitehead</code>, and Molly&rsquo;s private key for that key pair would only live on <code>whitehead</code>. She would add the <code>molly@quine</code> public key to her list of authorized keys<sup id="fnref:3"><a href="#fn:3" class="footnote-ref" role="doc-noteref">3</a></sup> on <code>russell</code>. Molly would also have to create a key pair on each of the hosts that she wanted to SSH from and add the public part as an authorized key on all of the hosts that she wanted to SSH to.</p> <p>When Molly SSH-ed from <code>quine</code> to <code>russell</code>, the magic of public-key cryptography proved to the SSH daemon on <code>russell</code> that the other side of the connection possessed the corresponding private key. This, of course, was done without transmitting any secrets. The SSH daemon on <code>russell</code> was assured that it really was <code>molly@quine</code> connecting.</p> <p>The practice had shifted from securely authenticating a machine to securely authenticating a user from a particular machine.</p> <h2 id="enter-the-agent">Enter the agent</h2> <p>At first, most people didn’t set passphrases on their SSH private keys. As long as you were able to read the private key file, you were able to connect to any location authorized to use that key.</p> <p>It was still enormously more secure than <em>rsh</em> and <em>rlogin</em>, but it meant that (as with <em>rsh</em> and <em>rlogin</em>), if you walked away from your desk, someone could use your logged-in session on one machine to go anywhere you could.</p> <p>This made the private key something like a token. 
You would create one for each machine you might SSH from. I might have a key with the name <code>jpg@russell</code> and another key named <code>jpg@whitehead</code>. The private part of each key only lived in one place. Access to the private part of <code>jpg@russell</code> was considered proof that I could log in to the account <code>jpg</code> on the machine <code>russell</code>.</p> <p>There are two security problems with this. I had to be very, very careful about locking my workstation if I walked away for a moment, particularly as my <code>jpg@russell</code> key gave me access to more and more places. And anyone who ever gained read access to my disk (or the backup tapes used for these machines) would have identical access. The private key for <code>jpg@russell</code> was only supposed to live in one place, but even if I did everything right, there were many ways an unauthorized person could get hold of it.</p> <blockquote> <p><strong>It was really hard to get people to type in the passphrase for their SSH key every time they wanted to use it.</strong></p> </blockquote> <p>That security practice might seem horrible today, but remember this had been a drop-in replacement for passwordless <em>rsh</em> and <em>rlogin</em>. Sure, we could tell people their SSH keys must be password protected, but few people complied.</p> <p>This was all happening while central management of all the machines on a network was becoming a thing of the past. There was no way for the administrator of <code>russell</code> to see how easy it would be for an attacker to get hold of Molly&rsquo;s private key on <code>quine</code>. SSH private keys were too easy to steal, and it was really hard to get people to type in the passphrase for their SSH key every time they wanted to use it.</p> <p>The solution to this was <code>ssh-agent</code>.</p> <p>People could password protect their SSH private key files, but would only need to type in their password for that key once per login session. 
This created some attack opportunities, but it meant that read access to someone&rsquo;s private key was no longer sufficient for an attacker. This was a human-centric security compromise.</p> <p>It was unreasonable to ask or expect everyone to enter their SSH key password each time they wanted to use SSH, so by opening up one attack vector, we precluded what would otherwise be a far easier attack.</p> <h2 id="bringing-us-to-yesterday">Bringing us to yesterday</h2> <p>That history brings us to yesterday.</p> <p>The standard <code>ssh-agent</code> requires you to unlock your private key once; it’s then usable for the duration of your local login. As soon as SSH private keys were password protected, there was no reason to treat them as tokens any longer: Having access to the private key files wasn’t enough to authenticate.</p> <p>But old habits die hard.</p> <p>When SSH was first introduced, keeping the private key files secure was paramount. You had one for each machine you logged in from – if an attacker gained read access to that disk, that one key could be de-authorized.</p> <h2 id="today">Today</h2> <p>With the 1Password SSH agent, your SSH private key is protected by the same security model used to protect dozens if not hundreds of your secrets. 1Password protects your SSH private key the same way it protects other secrets in the event an attacker gains read access to your disk (<a href="https://blog.1password.com/what-the-secret-key-does/">or ours</a>). You unlock your SSH key just as you unlock your other credentials within 1Password.</p> <p>If an attacker could get the SSH private key merely by having read access to the host, then it made sense to tie that key to that host. 
In short, keeping a private key on a particular host was reasonable if the private key was available to anyone who could read the disk.</p> <p>In those days, the SSH daemon on <code>russell</code> trusted the private key of <code>molly@quine</code> by trusting that no attacker gained read access to Molly&rsquo;s files on <code>quine</code>. But in the case of 1Password, the security of the private key isn’t threatened by an attacker who gains read access to the disk so there’s no reason to tie the private key to a particular host.</p> <p>Here at 1Password, we can understand the tradition of having an SSH private key that’s never supposed to leave its host. But we understand the reasons that tradition shouldn’t apply when the private key is properly encrypted.</p> <p>So I return to where I started.</p> <ol> <li>SSH key pairs belong to people, not to the machine those people SSH from.</li> <li>SSH private keys should be locked and unlocked when other high-value user credentials are locked and unlocked.</li> </ol> <p>This enables <a href="https://blog.1password.com/1password-ssh-changed-how-i-work/">new, and easier ways of working with SSH</a>.</p> <section class="footnotes" role="doc-endnotes"> <hr> <ol> <li id="fn:1" role="doc-endnote"> <p>The story of how I first gained root access on a machine that wasn&rsquo;t my own isn’t really all that interesting, and will need to wait for another day.&#160;<a href="#fnref:1" class="footnote-backref" role="doc-backlink">&#x21a9;&#xfe0e;</a></p> </li> <li id="fn:2" role="doc-endnote"> <p>Perhaps if <code>russell</code> provided <code>whitehead</code> with an <a href="https://blog.plover.com/math/PM.html">exceedingly tedious proof that 1 + 1 = 2</a>, that might convince <code>whitehead</code>.&#160;<a href="#fnref:2" class="footnote-backref" role="doc-backlink">&#x21a9;&#xfe0e;</a></p> </li> <li id="fn:3" role="doc-endnote"> <p>An undocumented feature of SSH is that it will silently accept the British misspelling, 
&ldquo;authorised_keys&rdquo; of the <code>authorized_keys</code> file. This is similar, though perhaps opposite, to the similarly undocumented fact that while &ldquo;999&rdquo; is the British misspelling of &ldquo;911&rdquo; for calling emergency services, &ldquo;911&rdquo; will also work due to the influence of American television and movies. Do not use or encourage the use of undocumented fallback features.&#160;<a href="#fnref:3" class="footnote-backref" role="doc-backlink">&#x21a9;&#xfe0e;</a></p> </li> </ol> </section></description></item><item><title>What is public-key cryptography?</title><link>https://blog.1password.com/what-is-public-key-cryptography/</link><pubDate>Thu, 29 Sep 2022 00:00:00 +0000</pubDate><author>info@1password.com (Andrew Zangre)</author><guid>https://blog.1password.com/what-is-public-key-cryptography/</guid><description> <img src='https://blog.1password.com/posts/2022/what-is-public-key-cryptography/header.png' class='webfeedsFeaturedVisual' alt='What is public-key cryptography?' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Encryption is an essential step in cybersecurity that protects confidential information by turning it into scrambled gibberish. This ensures attackers can’t understand it, and only trusted individuals can make it understandable again.</p> <p>There are different types of encryption, with different security and access levels. There are two main types of encryption:</p> <ul> <li>Symmetric, which uses a single key for encryption and decryption.</li> <li>Asymmetric, which relies on pairs of connected keys called a public key and private key. This means a different key is used for the encryption and decryption processes.</li> </ul> <p>Asymmetric or <a href="https://support.1password.com/authentication-encryption/">public-key cryptography</a> is an increasingly popular method used in modern technology. 
Here, we’ll explain how public and private key pairs work, and why they’ve become such a widely used form of encryption.</p> <h2 id="what-are-encryption-keys">What are encryption keys?</h2> <p>First, let’s establish what a “key” is. In cryptography, it’s a tool that can turn readable data into something indecipherable. It’s not, as it may sound like, a plot device in <em>Indiana Jones</em>. Instead, an encryption key – or cryptographic key – is usually a string of numbers and letters. It’s processed through an encryption algorithm to convert unencrypted data (plaintext) into seemingly random jargon (aka ciphertext).</p> <p>Do you ever chat with your friends on a secure messaging app? Maybe you’ve seen a lock icon in your browser or address bar while shopping online? Do you use <a href="https://1password.com/">1Password</a>? 😊 Then you’ve used encryption keys before. Apps will usually generate and call upon these keys automatically, so you never have to remember or type them in.</p> <h2 id="private-keys-vs-public-keys">Private keys vs. public keys</h2> <p>You can think of public and private keys like interlocking puzzle pieces – they’re mathematically linked to one another and designed to go together.</p> <p>As the name implies, the public key can be shared publicly, usually in a repository or directory. On the other hand, a private key should always be kept secret and safe. It’s used to decrypt data that’s been encrypted with your public key. Unlike a traditional password, it’s never known or stored by the person you’re talking to, or the app or service you’re trying to access.</p> <h2 id="an-example-of-how-it-works">An example of how it works</h2> <p>Public-key cryptography is used in a number of places, like HTTPS websites and cryptocurrency transactions. To understand how this protocol works in practice, let’s look at end-to-end encrypted messaging as an example.</p> <ol> <li> <p>Person A and Person B sign up for the latest secure messenger app. 
When they create their accounts, each person receives a public and private key pair. The public key is stored on the messenger’s server, while the private key is stored on the account holder’s devices.</p> </li> <li> <p>Person A writes a message, encrypts it with Person B’s public key (available on the server), and then sends it.</p> </li> <li> <p>The message passes through intermediaries – the messenger’s servers, Wi-Fi points, ISP, and more – but only Person B can decrypt it with their matching private key.</p> </li> </ol> <h2 id="how-encryption-is-used-in-passwordless">How encryption is used in passwordless</h2> <p>For the traditional sign-in process, we usually submit a username and password to sign in to online accounts. The website then checks that these details match the hashed information stored on its server.</p> <p>Emerging <a href="https://blog.1password.com/1password-is-joining-the-fido-alliance/">passwordless solutions</a>, like passkeys, use asymmetric encryption. When you create an account on a supported device or website, a public key is stored on the app or website’s server, and a corresponding private key is stored on your device.</p> <p>When you return to sign in, the app or website issues a “challenge” encrypted with your public key. Your device uses the matching private key to create a digital signature and sends the signed challenge back to the provider, which authorizes you after it successfully decrypts the signature with your public key. Only then are you authenticated and signed in.</p> <p>This approach has several advantages. First, you don’t have to share your private key to sign in. Second, you don’t have to remember or type in your private key, as your device or preferred authenticator does it for you! 
Passwordless technology will likely grow more prevalent in the coming years, in part due to these safer encryption methods at the heart of it.</p> <h2 id="1password-and-public-key-encryption">1Password and public key encryption</h2> <p>1Password is designed from the ground up with maximum security in mind. All the data you save in 1Password is protected by a private key that uses 256-bit AES encryption.</p> <p>To decrypt your data, you need three things:</p> <ul> <li>Your encrypted data</li> <li>Your account password</li> <li>Your <a href="https://support.1password.com/secret-key-security/">Secret Key</a></li> </ul> <p>A major reason we’re “secure by design” is that your account password and Secret Key are never stored on our servers. This means we couldn’t read your stored items if we tried. And if an attacker <a href="https://blog.1password.com/what-if-1password-gets-hacked/">somehow stole your encrypted data from our servers</a>, they wouldn’t have the means to decrypt it.</p> <p>If you want to learn more about our <a href="https://1password.com/security/">security model</a>, read the <a href="https://1passwordstatic.com/files/security/1password-white-paper.pdf">1Password Security Design white paper</a>. If you’re curious about any more specific details, or want to ask a question related to our security or privacy practices, you can also head over to <a href="https://support.1password.com/category/security/">1Password Support</a>.</p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Ready to protect yourself?</h3> <p class="c-call-to-action-box__text"> Keep all of your accounts secure with 1Password, the world’s most-trusted password manager. Get started today with a free 14-day trial. 
</p> <a href="https://1password.com/pricing/" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Try free for 14 days </a> </div> </section></description></item><item><title>How 1Password and SSO fit together – and what comes next</title><link>https://blog.1password.com/1password-sso-what-comes-next/</link><pubDate>Wed, 28 Sep 2022 00:00:00 +0000</pubDate><author>info@1password.com (Graham Jackson)</author><guid>https://blog.1password.com/1password-sso-what-comes-next/</guid><description> <img src='https://blog.1password.com/posts/2022/sso-what-comes-next/header.png' class='webfeedsFeaturedVisual' alt='How 1Password and SSO fit together – and what comes next' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction"><a href="https://blog.1password.com/1password-and-sso-a-perfect-match/">Single sign-on (SSO) and 1Password make a great team</a>. Separately, 1Password and SSO each reduce your attack surface by securely logging you in to sites and services you use to get things done. Together, they&rsquo;re a powerful risk reduction duo.</p> <p>And we&rsquo;re working with 1Password Business customers to unlock the true power of that combination. 
More on that in a bit.</p> <p>Let&rsquo;s talk about why SSO and 1Password are better together, and where the pairing can go from here to improve your security posture by:</p> <ul> <li>Streamlining security policies.</li> <li>Simplifying administration and onboarding for IT.</li> <li>Improving the sign-in experience for your workforce (and why that matters for security).</li> </ul> <h2 id="how-sso-simplifies-your-security-posture">How SSO simplifies your security posture</h2> <p>First, a quick primer on <a href="https://blog.1password.com/how-sso-fits-enterprise-security-framework/">SSO and how it fits into your enterprise security framework</a>.</p> <p>If you&rsquo;re not using a single sign-on provider like Okta, Google Workspace, or Microsoft Azure Active Directory to sign in to work services, it&rsquo;s up to each worker to create their own logins for every service they use. Usually, that login consists of a username and password. They might use a social service like Google to log in, or have two-factor authentication enabled.</p> <p>Regardless, if it’s being used for work, there’s a chance that sensitive company data resides somewhere on the account, which makes it a potential target for cybercriminals. If those credentials are compromised, attackers have a way in (potentially to multiple services, if the credentials have been reused elsewhere). SSO brings all those logins under the umbrella of one strongly vetted identity.</p> <p>Instead of signing into each site and service individually, workers log on to the SSO platform. From there, the SSO provider can then log them in to each service using that one identity. 
It&rsquo;s a much simpler experience for workers, and allows IT and leadership to consolidate security policies to make reporting and compliance significantly easier.</p> <p>All told, SSO can:</p> <ul> <li>Reduce your attack surface.</li> <li>Strengthen your minimum security requirements.</li> <li>Reduce IT support costs (by reducing your attack surface).</li> <li>Provide a better experience for workers.</li> <li>Create a centralized directory of all employees in the company to simplify onboarding and offboarding.</li> </ul> <h2 id="how-1password-simplifies-your-security-posture">How 1Password simplifies your security posture</h2> <p>What about those logins that aren&rsquo;t covered under SSO? That&rsquo;s where 1Password comes in. For every login not covered by your SSO platform, 1Password makes it easy to create strong, unique logins that are protected by 1Password’s security model, easily shared with colleagues when needed, and easily managed by administrators.</p> <p>If you use Google or another service to log into a site – <a href="https://blog.1password.com/sign-in-with-anything-browser-beta/">1Password will handle that for you</a>, too, along with protecting other sensitive data like payment cards, secure notes and documents. And it’ll make it all easy to manage with granular access controls, an easy-to-read insights dashboard, secure item sharing… you get the idea.</p> <p>Together, SSO and 1Password form a line of defense that stretches across all the sites and services that anyone in your company accesses.</p> <h2 id="sso-and-1password-closing-the-gaps-in-your-security-perimeter">SSO and 1Password: closing the gaps in your security perimeter</h2> <p>To recap, 1Password and SSO provide comprehensive protection for businesses looking to reduce their risk and simplify security for their workforce.</p> <p>But there are more benefits there for the taking – if 1Password and SSO work in tandem. Security, compliance, reporting, and auditing would be easier. 
Onboarding and offboarding times would be drastically reduced.</p> <p>And, perhaps most importantly, it would improve the employee experience.</p> <p>Security tools are only effective if people use them, so great usability can go a long way towards reducing your attack surface. In short, a security tool has to make your life easier before it can make you more secure. Take <a href="https://blog.1password.com/duke-university-password-manager-adoption/">Duke University, who tripled their password manager adoption after migrating to 1Password</a>, bringing all those formerly stray logins under the protection of 1Password.</p> <p>Great usability is a win for security.</p> <h2 id="coming-soon-unlock-with-okta">Coming soon: unlock with Okta</h2> <p>That&rsquo;s why we&rsquo;ve been working with 1Password Business customers to bring 1Password and SSO together so you can unlock 1Password with Okta. Doing so will not only combine the benefits of 1Password and SSO, but simplify security across the board with a unified experience that makes workers' lives easier. And that makes it easier for security teams to do their jobs, too.</p> <p>Support for other leading identity providers is coming soon. 
Reach out to be the first to know about the latest updates and integrations.</p></description></item><item><title>3 of the most common ways hackers steal passwords</title><link>https://blog.1password.com/how-do-hackers-steal-passwords/</link><pubDate>Mon, 26 Sep 2022 00:00:00 +0000</pubDate><author>info@1password.com (1Password)</author><guid>https://blog.1password.com/how-do-hackers-steal-passwords/</guid><description> <img src='https://blog.1password.com/posts/2022/how-do-hackers-steal-passwords/header.png' class='webfeedsFeaturedVisual' alt='3 of the most common ways hackers steal passwords' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">You’ve probably <a href="https://youtu.be/SZQz9tkEHIg">watched at least one movie or TV show</a> where a hacker sneaks into someone’s house, finds a computer, and then guesses the password on the first try. They then declare, “I’m in!” before downloading reams of sensitive data.</p> <p>You may have asked yourself, “Is this <em>really</em> how criminals figure out people’s passwords?” The short answer is no. But hackers do have some tried-and-tested ways to obtain passwords. In fact, <a href="https://www.techtarget.com/searchsecurity/news/252520686/Verizon-DBIR-Stolen-credentials-led-to-nearly-50-of-attacks">almost half of all data breaches involve stolen credentials</a>.</p> <p>Here, we’ll explain the most common techniques hackers use, and what you can do to protect yourself.</p> <h2 id="1-social-engineering-and-phishing">1. Social engineering and phishing</h2> <p><a href="https://blog.1password.com/what-is-social-engineering-hacking-101/">Social engineering</a> is a form of manipulation. Attackers trick people into sharing their passwords, payment details, or other sensitive information by posing as someone trustworthy or authoritative. 
Criminals will use this tactic over the phone, in an email or text message, or a DM on social media – anywhere that you could feasibly be contacted by the person or company they’re posing as.</p> <p>To save time and money, hackers will often target people en masse using contact information that’s been leaked in previous data breaches and compiled in large databases. These details let them cast a large net and “phish” for more information by sending hundreds, thousands, or possibly millions of fake emails or text messages each day, or making a similar number of scam phone calls.</p> <blockquote> <p><strong>If they send a phony email or text message, they’ll often urge you to open a malicious link.</strong></p> </blockquote> <p>A criminal may pose as the IT department, a customer service representative, support agent, or even a potential romantic interest. If they send a phony email or text message, they’ll often urge you to open a malicious link. This could lead to a seemingly authentic site that’s designed to trick you into entering your username or password, which then gives the attacker what they need to access your real account. Or, they might call and try to persuade you to say your username and password or some other private data out loud.</p> <p>Sometimes, a criminal will target a large company or service, rather than individual customers. They’ll use similar techniques to fool an employee into providing access to internal resources that contain passwords or other private data. Regardless of their story or angle, the attacker’s goal is to trick a person into providing account credentials or other confidential information.</p> <h2 id="2-password-leaks-and-credential-stuffing">2. Password leaks and credential stuffing</h2> <p>Hackers rarely sit at their computers and laboriously try different passwords to break into someone&rsquo;s account. Why? 
Because it&rsquo;s time-consuming, and most services will lock them out after a few unsuccessful login attempts.</p> <p>Instead, they&rsquo;ll try passwords that have already leaked online. Imagine that account credentials for the fictional site crescentmoonbagels.com leaked online, including a user called John Dough. Most people use the same password for everything, so cybercriminals know there&rsquo;s a good chance that John Dough&rsquo;s leaked password can also be used to access his other online accounts.</p> <p>Criminals will use various tools to comb through databases of leaked passwords and check if any of the credentials can be used to access other accounts. This technique is called <a href="https://blog.1password.com/how-1password-keeps-you-safe-from-cyber-attacks/">credential stuffing</a>, and is far more effective than simply guessing random passwords.</p> <h2 id="3-dictionary-attacks-and-cracking-hashed-passwords">3. Dictionary attacks and cracking hashed passwords</h2> <p>A dictionary attack is an attempt to crack a password-protected account, device, or network by testing common words, phrases, or previously leaked passwords from a predefined list. Rather than try every possible password combination, like <code>AAA</code>, <code>AAB</code>, and so on, criminals will focus on a subset of solutions that they think will have a higher chance of success.</p> <p>These lists could include words from the dictionary, passwords that have leaked in the past, or combinations tailored for a specific organization or region. 
For example, if a criminal was trying to break into an account owned by someone in Manhattan, they might focus on passwords that include New York references.</p> <p>An attacker could use a dictionary attack to enter possible passwords in a login field. But this is unlikely, because as we’ve already established, most websites and apps will lock you out after a few unsuccessful login attempts.</p> <blockquote> <p><strong>A criminal could use a dictionary attack to run popular and predictable passwords through commonly used hashing algorithms.</strong></p> </blockquote> <p>Instead, an attacker will often use a dictionary attack to crack leaked passwords that have been hashed.</p> <p>When you create a new online account, the app or website&rsquo;s creator will often protect your password by hashing it. That means each login credential has been run through a one-way algorithm. For example, the password <code>12345</code> could be hashed into something like <code>827ccb0eea8a706c4c34a16891f84e7b</code>. If a company hashed their users’ passwords, and a criminal were to somehow break into their servers, they would find a database of gibberish rather than usable passwords.</p> <p>It’s difficult but sometimes possible for criminals to crack a hashed password. For example, a hacker could use a dictionary attack to run popular and predictable passwords through commonly used hashing algorithms, and see if the hashed result is in their leaked database. There are even “lookup tables” that contain common passwords and their hashed results, so hackers can simply check if any of the hashed passwords in the lookup table match the ones they&rsquo;ve managed to obtain via a data breach.</p> <h2 id="other-possible-hacker-techniques">Other possible hacker techniques</h2> <p>We’ve covered the most common tactics, but there are other ways that a hacker <em>could</em> try to steal your passwords and other private information.</p> <ul> <li> <p><strong>Malware.</strong> Attackers create and deploy malware for different purposes, like locking up systems or destroying specific files. 
In theory, a criminal could create “keylogging” malware that’s able to track what you type on a keyboard and steal your usernames and passwords.</p> </li> <li> <p><strong>Shoulder surfing.</strong> An opportunistic criminal could try looking over your shoulder to steal a glance at your company login credentials, or a security code sent to your phone via text. This is unlikely, however, because an attacker would have to spend time and money traveling to your location.</p> </li> <li> <p><strong>Extortion.</strong> Criminals will sometimes use extortion to blackmail people into giving them information. These messages might claim to have sensitive information or content that they threaten to forward to friends, family, or coworkers unless you give them what they ask. Attackers are usually after a cash or cryptocurrency payment in these scenarios, but they could theoretically ask for a valuable account password instead.</p> </li> </ul> <h2 id="how-a-password-manager-keeps-you-safe">How a password manager keeps you safe</h2> <p>Hackers have many tricks and techniques to try to crack your account. But with a password manager like <a href="https://1password.com/pricing/">1Password</a>, you can stay one step ahead and protect everything that’s important in your digital life, including your passwords.</p> <h3 id="create-strong-unique-usernames-and-passwords">Create strong, unique usernames and passwords</h3> <p>A password manager will help you create random, unique usernames and passwords for all your online accounts. 
Having strong credentials for each account protects them from <a href="https://blog.1password.com/what-is-a-brute-force-attack-and-whats-the-best-defense/">brute-force attacks</a> and ensures that an attacker can’t use a leaked set of your logins to access any other accounts in your name.</p> <h3 id="avoid-fraudulent-login-fields">Avoid fraudulent login fields</h3> <p>When you create or update a password with a password manager, the website URL will be saved alongside your account credentials. That way, the password manager knows when and where to autofill your login information.</p> <p>Now, imagine that you accidentally clicked on a malicious link, or visited a scam website designed to steal your information. You would immediately notice that your password manager wasn’t offering to autofill your password because the URL doesn’t match. This would push you to take a closer look, realize that you’re on a fake site, and then close the tab before entering your password.</p> <h3 id="use-two-factor-authentication-2fa">Use two-factor authentication (2FA)</h3> <p>You should turn on <a href="https://1password.com/features/two-factor-authentication/">two-factor authentication (2FA)</a> everywhere it’s offered to add a second layer of security to your accounts. Why? Let’s say you fall for a social engineering attack and reveal the username and password for one of your online accounts. With 2FA enabled, the attacker wouldn’t be able to log in to the account unless they also had access to the place where you retrieve your one-time codes.</p> <p>You can use 1Password <a href="https://support.1password.com/one-time-passwords/">as an authenticator for sites and apps that support 2FA</a>. That means you don’t have to waste time opening your email or a standalone authentication app to sign in to your online accounts. 
1Password will also autofill these codes in any browser, saving you precious time each day.</p> <h3 id="know-when-you-need-to-update-your-passwords">Know when you need to update your passwords</h3> <p>1Password’s <a href="https://watchtower.1password.com/">Watchtower</a> will flag any weak or reused passwords that are currently saved in your vaults, and prompt you to change them to something strong and unique. In addition, Watchtower will let you know if any of your accounts show up in a known data breach, giving you the chance to update the affected passwords before an attacker can exploit them.</p> <h2 id="other-ways-to-protect-yourself">Other ways to protect yourself</h2> <p>Here are a couple of other tips to protect your passwords:</p> <ul> <li> <p><strong>Stay alert.</strong> If you suspect you’re being targeted, pause for a moment and assess the situation. Do you recognize the sender of the email? Would your bank ever ask for your private information over the phone? If it sounds too good to be true, trust your gut and check that the phone call, email, or text message is authentic.</p> </li> <li> <p><strong>Keep everything updated.</strong> Keep your devices and software updated to ensure you have the most recent security features or additions. If automatic updates are an option, turn them on.</p> </li> <li> <p><strong>Check alerts about unusual sign-in attempts.</strong> Many services will send you an email or push notification if they detect a suspicious sign-in attempt. Opening the alert on a trusted device will usually give you the option to block the attack, keeping your account and the associated data secure. You’ll then be able to change the account password before the attacker can try to gain access again.</p> </li> </ul> <h2 id="the-bottom-line">The bottom line</h2> <p>Keeping your passwords and other private information safe doesn’t need to be complicated. 
If you stay alert and use a password manager like <a href="https://1password.com/pricing/">1Password</a>, you can protect everything in your digital life without any fear or stress.</p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Ready to protect yourself?</h3> <p class="c-call-to-action-box__text"> Keep all of your accounts secure with 1Password, the world’s most-trusted password manager. Get started today with a free 14-day trial. </p> <a href="https://1password.com/pricing/" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Try free for 14 days </a> </div> </section></description></item><item><title>Meet Josh Gorman, Senior HR Program Specialist at 1Password</title><link>https://blog.1password.com/meet-josh-gorman/</link><pubDate>Fri, 23 Sep 2022 00:00:00 +0000</pubDate><author>info@1password.com (1Password)</author><guid>https://blog.1password.com/meet-josh-gorman/</guid><description> <img src='https://blog.1password.com/posts/2022/meet-josh-gorman/header.png' class='webfeedsFeaturedVisual' alt='Meet Josh Gorman, Senior HR Program Specialist at 1Password' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Have you ever wondered what it&rsquo;s like to work at <a href="https://1password.com/">1Password</a>? Or wanted to know the career paths that other people followed before taking a job here? You&rsquo;re not alone!</p> <p>In this blog series, we&rsquo;re sharing what it&rsquo;s <em>really</em> like to work at 1Password. To do this, we sat down and talked to team members from across our more than 800-strong organization, including engineering, human resources, and customer support. 
You&rsquo;ll learn about the journeys that each person took to 1Password, as well as their current role and day-to-day responsibilities.</p> <p>Today, we&rsquo;re chatting with Josh Gorman, Senior HR Program Specialist at 1Password!</p> <p><strong>Why did you join 1Password, and how did you end up here?</strong></p> <p>It was a long, winding journey full of starts and stops. But I think a better story is my journey from when I started. I was hired in customer support and spent my first month doing that role. But my manager recognized my skill set and helped me onto the path I’m on now. I quickly started teaching our new team members and then moved to a role specifically for education in customer support. Later, HR asked me to join them as Learning &amp; Discovery support for the whole company.</p> <img src='https://blog.1password.com/posts/2022/meet-josh-gorman/joshgorman1.png' alt='A photo of Josh Gorman (right) when he was working in 1Password&#39;s customer support team' title='A photo of Josh Gorman (right) when he was working in 1Password&#39;s customer support team' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>1Password recognizes your gifts, and accepts who you are and who you want to be. It has allowed me to flourish and be more comfortable with my own skill sets.</p> <p><strong>What’s your current role, and what are your day-to-day responsibilities?</strong></p> <p>Titles don’t always tell you the whole story. At the moment, my title is Sr. HR Program Specialist supporting Learning and Discovery, but my work lies in connecting and supporting people with their learning goals. Those goals could be related to their role, 1Password, their mental health, or their personal goals.</p> <p><strong>What&rsquo;s your favorite part of your role?</strong></p> <p>I’ve always been a teacher. 
I spent 17 years teaching in a college and then three years helping kids, teenagers, and adults learn about emerging technology like 3D printing, electronics, and programming.</p> <p>The thing that still excites me about my role is that light bulb moment my students (now internal team members) get when everything falls into place, they understand, and feel empowered.</p> <blockquote> <p><em>&ldquo;It’s a supportive and friendly space where people can flourish.&rdquo;</em></p> </blockquote> <p>That’s why we call it Learning and Discovery here, not Learning and Development. I want to inspire, make people feel more in control, and help them discover what the next best thing for them is.</p> <p><strong>How would you describe your team’s culture to someone who was applying for a role on that team?</strong></p> <p>In HR, we are dedicated to supporting everyone at the company. We care not only about our own team, but we care for all. It’s a supportive and friendly space where people can flourish.</p> <img src='https://blog.1password.com/posts/2022/meet-josh-gorman/joshgorman2.png' alt='A screenshot of Josh Gorman on a Zoom call, while his adorable cat snuggles up on his shoulder' title='A screenshot of Josh Gorman on a Zoom call, while his adorable cat snuggles up on his shoulder' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p><strong>Quick! You’re boarding a plane and you can only bring one item on your trip. What is the one thing you can’t live without?</strong></p> <p>I’m not just a teacher – I was also an IT technician before joining 1Password. So I would need my iPad Pro. 
It lets me connect, write my notes, draw and paint, play a game or two, and relax when I’m off work.</p> <p><em>Editor&rsquo;s note: This interview has been lightly edited for clarity and brevity.</em></p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Want to work for 1Password?</h3> <p class="c-call-to-action-box__text"> Browse our current job openings to see if there’s an opportunity that matches your career goals. </p> <a href="https://1password.com/jobs/?utm_ref=blog" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> View our open positions </a> </div> </section></description></item><item><title>New 1Password research reveals the risks of login fatigue</title><link>https://blog.1password.com/report-login-fatigue-research/</link><pubDate>Thu, 15 Sep 2022 00:00:00 +0000</pubDate><author>info@1password.com (Stacey Harris)</author><guid>https://blog.1password.com/report-login-fatigue-research/</guid><description> <img src='https://blog.1password.com/posts/2022/report-login-fatigue-research/header.png' class='webfeedsFeaturedVisual' alt='New 1Password research reveals the risks of login fatigue' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">For many workers, accessing the tools required to do their jobs is a hassle. This ‘login fatigue’ could be putting your business at risk as employees find less secure workarounds to complete tasks, or, in some cases, give up on a task altogether.</p> <p>To better understand login fatigue and the risks it poses, 1Password surveyed 2,000 adults in Canada and the U.S. These were all full-time employees at companies with more than 250 workers, and who primarily used a computer to do their job. We expected login fatigue to be a source of frustration. 
What we found is an escalating and far more complex problem, with wide-ranging effects on worker productivity, security, and mental health.</p> <h2 id="key-findings">Key findings</h2> <ul> <li> <p><strong>Fatigue and frustration:</strong> Nearly half of employees (44%) say that the process of logging in and out at work harms their mood or reduces productivity.</p> </li> <li> <p><strong>Incomplete work product:</strong> 26% of workers have given up on doing something at work to avoid the hassle of logging in.</p> </li> <li> <p><strong>Missing meetings:</strong> 62% of employees miss parts of meetings on a regular basis because of login issues.</p> </li> <li> <p><strong>Login overload:</strong> 41% of employees say having to remember multiple logins heightens their stress levels and strains their mental health.</p> </li> <li> <p><strong>Skipping out on security:</strong> 38% of workers have procrastinated, delegated, or skipped setting up work-related security apps.</p> </li> <li> <p><strong>Helpless against hackers:</strong> 44% of workers are paranoid about being hacked or scammed. And with good reason: 42% have had their online accounts compromised before.</p> </li> </ul> <h2 id="read-the-full-report">Read the full report</h2> <p>To learn more about login fatigue and its impact on modern businesses, <a href="https://1password.com/resources/2022-universal-sign-on-research-report?utm_ref=resources">check out the full report</a>. It delves deeper into what’s causing the problem, how it’s affecting workers, and steps you can take right now to mitigate the issues.</p> <h2 id="what-you-can-do-today">What you can do today</h2> <p>An enterprise password manager solves many of the login frustrations plaguing employees. 1Password reduces the cognitive load on workers by giving them access to all their online accounts with a single password. 
A password manager can even autofill their account information, so logging in is as simple as a click or a tap.</p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Secure your business without slowing it down</h3> <p class="c-call-to-action-box__text"> Trusted by over 115,000 businesses, 1Password is the best way to protect your organization’s secrets. Try 1Password with a 14-day free trial today! </p> <a href="https://1password.com/business-pricing/" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Get started </a> </div> </section></description></item><item><title>Automate provisioning in 1Password with Google Workspace</title><link>https://blog.1password.com/1password-google-workspace/</link><pubDate>Tue, 13 Sep 2022 00:00:00 +0000</pubDate><author>info@1password.com (Jeff Gumke)</author><guid>https://blog.1password.com/1password-google-workspace/</guid><description> <img src='https://blog.1password.com/posts/2022/1password-google-workspace/header.png' class='webfeedsFeaturedVisual' alt='Automate provisioning in 1Password with Google Workspace' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">1Password Business customers can now <a href="https://support.1password.com/scim-google-workspace/">connect 1Password to Google Workspace</a> to automate provisioning and deprovisioning tasks, saving valuable IT resources and strengthening your security posture in the process.</p> <p>Manually provisioning and deprovisioning users isn’t the most valuable use of your IT team’s time. 
And because it’s a manual process, it’s also prone to mistakes and oversights that can create security vulnerabilities.</p> <p>The <a href="https://support.1password.com/scim/">1Password SCIM bridge</a> makes it easy to automate provisioning and deprovisioning in 1Password by connecting your identity provider – in this case Google Workspace – to your 1Password account. Once the connection is established, you can automate tasks like creating users and groups, controlling access to groups, and suspending deprovisioned users.</p> <p>The new Google Workspace integration enables automated user provisioning (to provision or deprovision all users at once) and group provisioning (to provision or deprovision a predefined group of users). Once you’ve connected Google Workspace to your 1Password account, you can:</p> <ul> <li>Update names, emails, and other user attributes in 1Password from Google Workspace.</li> <li>Add, suspend, delete, or reactivate users in Google Workspace to also add, suspend, delete, or reactivate them in 1Password.</li> <li>Sync groups from Google Workspace to 1Password.</li> </ul> <p>Note that the integration is continuous, so if you update users or groups in Google Workspace, those changes are automatically reflected in 1Password.</p> <h2 id="connect-1password-to-your-identity-provider-with-the-1password-scim-bridge">Connect 1Password to your identity provider with the 1Password SCIM bridge</h2> <p>Fast-growing companies can onboard dozens of new employees every week, and IT teams often spend hours setting up new accounts for those employees and ensuring the proper access controls.</p> <p>When you connect your identity provider to the 1Password SCIM bridge, much of that manual work can be automated – not only during onboarding, but offboarding, too. When an employee leaves the company, automated deprovisioning ensures that those employees don&rsquo;t retain access to company resources they should no longer have access to. 
(Among IT and DevOps workers alone, 1Password research revealed that <a href="https://1passwordstatic.com/files/resources/research-report-risks-of-mismanaging-corporate-secrets.pdf">77 percent of those workers still have access to their former employer’s infrastructure secrets</a>.)</p> <p>In addition to Google Workspace, the 1Password SCIM bridge integrates with most other major identity providers, including:</p> <ul> <li>Azure Active Directory</li> <li>JumpCloud</li> <li>Okta</li> <li>OneLogin</li> <li>Rippling</li> </ul> <p>1Password Business customers can <a href="https://support.1password.com/scim-google-workspace/">connect Google Workspace to 1Password</a> right now. Once you set up and deploy SCIM bridge, simply create a Google service account and key, then configure your SCIM bridge.</p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Get started with 1Password SCIM Bridge and Google Workspace</h3> <p class="c-call-to-action-box__text"> Learn how to connect Google Workspace to 1Password SCIM bridge to automate common administrative tasks. 
</p> <a href="https://support.1password.com/scim-google-workspace/?utm_ref=blog" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Get started </a> </div> </section></description></item><item><title>6 cybersecurity tips for teachers to share with their students</title><link>https://blog.1password.com/teachers-cybersecurity-tips-students/</link><pubDate>Mon, 12 Sep 2022 00:00:00 +0000</pubDate><author>info@1password.com (Stacey Harris)</author><guid>https://blog.1password.com/teachers-cybersecurity-tips-students/</guid><description> <img src='https://blog.1password.com/posts/2022/teachers-cybersecurity-tips-students/header.png' class='webfeedsFeaturedVisual' alt='6 cybersecurity tips for teachers to share with their students' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Much of online education directed at students focuses on internet safety and privacy – and rightfully so. But it’s important that equal attention be directed towards teaching the next generation <a href="https://blog.1password.com/talking-to-kids-online-safety/">how to keep their accounts and identities safe online</a>.</p> <p>That starts with helping them know how to spot the most common scams and threats, and sharing what preventative measures they can use to reduce their risk.</p> <p>The first week of school is the perfect time to introduce students to online security. As they get acquainted with school devices and set up new accounts it’s a great time to talk about risks and how they can be proactive about avoiding them. But security should be an ongoing conversation. 
Invite your students to approach you with any questions they have about security – if you don’t know the answer you can always find out together with your student.</p> <blockquote> <p><em>Security should be an ongoing conversation.</em></p> </blockquote> <p>Create a positive space for students so they feel safe sharing threats they’ve encountered, and even scams they might have fallen for. Talking about how they faced or avoided these challenges can be a learning opportunity for the whole class.</p> <h2 id="identifying-common-threats">Identifying common threats</h2> <p>There’s no shortage of scams on the internet. Making students aware of what to watch out for helps protect them as they navigate digital spaces. Some of the most common threats include:</p> <h3 id="social-engineering">Social engineering</h3> <p>Social engineering manipulates people into sharing their secrets, like passwords, logins, and payment information. An attacker leverages human psychology and people’s emotions – like fear, trust, and anxiety – to deceive victims and steal their information. We’ve previously talked about the different types of social engineering attacks in <a href="https://blog.1password.com/what-is-social-engineering-hacking-101/">our Hacking 101 series</a>.</p> <h3 id="phishing-scams">Phishing scams</h3> <p>Phishing is a social engineering attack that involves sending fraudulent communications, usually emails or text messages, to trick the recipient into sharing sensitive data or information. To learn more about phishing and how to protect against these attacks, <a href="https://blog.1password.com/what-is-phishing-and-how-can-you-protect-your-business/">check out the “What is phishing?” post</a> on our blog.</p> <h3 id="password-attacks">Password attacks</h3> <p>There are billions of stolen passwords floating around the internet from past data breaches. 
Reusing passwords, or using easily guessable passwords, leaves people vulnerable to <a href="https://blog.1password.com/what-is-a-brute-force-attack-and-whats-the-best-defense/">brute force attacks</a>. A brute force attack tries to guess a person’s login information by trying various combinations. Having strong, unique passwords for each account greatly diminishes the risk of a password attack succeeding.</p> <h3 id="malware">Malware</h3> <p>Malware is malicious software that can be used to steal data or corrupt other software. Common malware includes viruses, ransomware, and spyware. Some malware looks like a legitimate app, which can result in students accidentally downloading it onto their device. Encourage your students to avoid downloading unfamiliar software or plugins, especially on their school devices.</p> <h2 id="6-security-tips-to-teach-your-students">6 security tips to teach your students</h2> <h3 id="keep-devices-and-apps-updated">Keep devices and apps updated</h3> <p>While device updates take time, it’s important they’re done sooner rather than later, as many are security updates patching known vulnerabilities. So, whether it’s a school-issued laptop or a personal smartphone, your students should update their devices as soon as possible. Switching on automatic updates is a good idea, as they won’t miss important updates and they won’t have to remember to keep checking for available updates.</p> <h3 id="use-caution-when-choosing-apps">Use caution when choosing apps</h3> <p>There’s an app for everything, but not all apps are made equal. When it comes to functionality, privacy, or security, some apps leave a lot to be desired. 
Firstly, encourage your students to stick to software from the App Store/Play Store/Mac App Store wherever possible, as Apple/Google/Microsoft vet what&rsquo;s added to them.</p> <blockquote> <p><em>Teach your students to check who developed an app before they download it.</em></p> </blockquote> <p>Secondly, teach your students to check who developed an app before they download it. If an app is by a well-known company, it’s probably trustworthy, whereas if you&rsquo;ve never heard of the developer, it helps to do a bit more research before downloading.</p> <h3 id="be-mindful-of-what-is-shared-online">Be mindful of what is shared online</h3> <p>Online privacy and security go hand in hand. Privacy is about protecting your students’ identity, while security is about protecting their data. By encouraging strong privacy controls in your students' online life, they can significantly reduce the risk of their data being compromised.</p> <h3 id="use-a-password-manager">Use a password manager</h3> <p>While we encourage young people to share, passwords aren’t included in that adage. Every account should have a unique, strong password protecting it. A <a href="https://1password.com/">password manager</a> like 1Password remembers all the passwords so your students can focus on remembering their lessons!</p> <h3 id="enable-multi-factor-authentication">Enable multi-factor authentication</h3> <p>Many websites and apps encourage two steps of verification to sign in these days. The password is something they know, and the multi-factor authentication (MFA) relies on something they have – typically a device or app that provides a time-sensitive code to verify the sign-in. By turning on MFA for all accounts, your students will be able to stay more secure than just using a password. 
1Password <a href="https://blog.1password.com/multi-factor-authentication-in-1password/">acts as an authenticator</a>, and stores and recalls codes whenever they’re needed.</p> <h3 id="be-aware-of-the-physical-element-of-security">Be aware of the physical element of security</h3> <p>When it comes to protecting yourself online, there’s also the important step of physically securing your devices. Encourage your students to lock their devices – laptops, smartphones, tablets, etc. – when they leave them unattended. Otherwise, anyone can access whatever is unlocked on their device.</p> <p>On that note: Teach your students to be careful who they share their devices with. They might trust their parents, but loaning a device to an acquaintance they don’t know well or letting someone “look something up quickly” could have consequences.</p> <blockquote> <p><em>Don&rsquo;t forget to follow your own advice!</em></p> </blockquote> <p>Helping your students identify common security threats and how they can protect against them will set them up for success. But don&rsquo;t forget to follow your own advice, and keep yourself protected as well!</p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Secure your school or college with 1Password</h3> <p class="c-call-to-action-box__text"> Keep your team secure without slowing them down. Choose 1Password Business to gain complete control over passwords and other sensitive business information. 
</p> <a href="https://1password.com/business-pricing/" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Try free for 14 days </a> </div> </section></description></item><item><title>Incident response: how to prevent and respond to data breaches</title><link>https://blog.1password.com/incident-response-prevent-and-respond/</link><pubDate>Fri, 09 Sep 2022 00:00:00 +0000</pubDate><author>info@1password.com (Andrew Zangre)</author><guid>https://blog.1password.com/incident-response-prevent-and-respond/</guid><description> <img src='https://blog.1password.com/posts/2022/incident-response-prevent-and-respond/header.png' class='webfeedsFeaturedVisual' alt='Incident response: how to prevent and respond to data breaches' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">A well-thought-out incident response plan is no longer merely recommended – it’s critical. With the rate at which cyber attacks are increasing – putting <a href="https://blog.1password.com/small-talk-customer-data-privacy/">customer privacy</a> at risk and <a href="https://blog.1password.com/small-talk-cyberattacks/">forcing some businesses to close</a> – it’s never been more important to educate your team on the risks, and help prepare your organization for the worst-case scenario.</p> <p>Most businesses <a href="https://venturebeat.com/security/report-63-of-c-suite-execs-do-not-have-an-incident-response-plan/">don’t have a plan in place for when a security breach occurs</a>. That’s a costly oversight given that, according to the same research, the majority of large U.S. businesses have experienced some form of cyber attack before. An effective incident response plan brings people, processes, and technology together to reduce the chances of a breach, and minimize the damage of any that do occur. 
No matter what type of business you operate, putting this plan in place is critical to creating a strong, proactive cybersecurity strategy.</p> <p>1Password is excited to share two new resources to help with navigating the modern threats that businesses face. The <a href="https://1password.com/resources/data-breach-prevention-checklist/">data breach prevention checklist</a> and <a href="https://1password.com/resources/incident-response-guide/">incident response guide</a> cover the steps your team should take before, during, and after any security event. With these tips in mind, you can create an approach that suits your business, helping you keep your data (and customers) safe in an ever-changing threat landscape.</p> <h2 id="data-breach-prevention-checklist">Data breach prevention checklist</h2> <p>From the tools you choose to use, to how your team works, it’s important to be proactive about securing all of your business’ vulnerabilities and risks. Our <a href="https://1password.com/resources/data-breach-prevention-checklist/">data breach prevention checklist</a> covers some of the steps you should take to start building your company’s digital defenses. Some will likely be familiar, while others may be new or change how you think about incident response. Every business is unique, so review what makes sense for yours and get to work implementing it.</p> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div class="c-technical-aside-box__description"> <p>Want even more advice? 1Password Security Specialist Joseph Ojelade recently hosted a talk about what a targeted data breach attack is, and how you can take a proactive approach to fortifying your cybersecurity defenses. He also included tips on how to mitigate human error and how to build a security awareness training program. 
You can <a href="https://1password.com/webinars">watch Joseph’s anatomy of a data breach talk on demand</a> any time.</p> </div> </aside> <h2 id="creating-an-effective-incident-response-plan">Creating an effective incident response plan</h2> <p>A detailed incident response playbook will be your best friend if your company ever experiences a data breach. This playbook should clearly summarize the steps your team needs to take if an incident is reported or suspected. That could be a customer noticing something strange on your website, a monitoring tool flagging abnormal activity in your network, or something else. Staying calm and following the right procedure will help mitigate the problem, ensure you notify and involve relevant people early, address the underlying security vulnerabilities, and strengthen your business against future threats.</p> <p>With help from the 1Password Security Team, we’ve assembled an <a href="https://1password.com/resources/incident-response-guide/">incident response guide</a> that explains what to do if you ever experience a breach. It breaks down the common stages in incident response, as well as people and tools that could play a major role. Your plan will be slightly different – based on your company structure, your available resources, and other factors – but you can use our guide as a starting point to develop policies and procedures that are most effective for your team.</p> <h2 id="how-employees-can-help-prevent-and-respond-to-incidents">How employees can help prevent and respond to incidents</h2> <p>Cybersecurity isn’t just “an IT problem.” Your employees are an extension of your security team that can help raise red flags and identify suspicious activity. 
They’re also your single best defense against data breaches, provided you give them the tools and support needed to practice safe online habits.</p> <p>In addition to these two new guides, you should also check out:</p> <ul> <li>Our <a href="https://1password.com/resources/creating-a-culture-of-security/?utm_ref=resources">guide to creating a culture of security</a>, which will naturally result in a safer company overall.</li> <li>Our <a href="https://1password.com/resources/how-to-avoid-a-data-breach/">guide that explains how to avoid a data breach</a>.</li> <li>The <a href="https://www.verizon.com/business/resources/reports/dbir/">Verizon Data Breach Investigations Report</a>, which details why a password manager can help address your single largest vulnerability.</li> </ul> <p>Cyber threats are getting sneakier by the day, moving the goalposts for you and your security team. You should be realistic about the risks and prepared for anything. If you don’t have an incident response strategy yet, today’s the perfect day to start creating one.</p></description></item><item><title>Sign your Git commits with 1Password</title><link>https://blog.1password.com/git-commit-signing/</link><pubDate>Thu, 08 Sep 2022 00:00:00 +0000</pubDate><author>info@1password.com (Marc Mackenbach)</author><guid>https://blog.1password.com/git-commit-signing/</guid><description> <img src='https://blog.1password.com/posts/2022/git-commit-signing/header.png' class='webfeedsFeaturedVisual' alt='Sign your Git commits with 1Password' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">So 1Password CEO Jeff Shiner just committed code to one of my GitHub repositories. That&rsquo;s strange. While he&rsquo;s a developer at heart, I don&rsquo;t think he gets much time to code these days. What’s going on here?</p> <img src='https://blog.1password.com/posts/2022/git-commit-signing/example_commit.jpg' alt='Screenshot of a Git commit from Jeff Shiner.' 
title='Screenshot of a Git commit from Jeff Shiner.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>As you might have guessed, this didn&rsquo;t actually come from Jeff Shiner. In fact, anyone can spoof a Git committer or author name with just a few terminal commands and pretend to be someone else:</p> <pre tabindex="0"><code class="language-$" data-lang="$">$ git config user.email &quot;jeff.shiner@1password.com&quot;
$ git commit -m &quot;Add tractor autopilot mode.&quot;
</code></pre><p>This can make for a fun prank but is also a security liability. If you don&rsquo;t know who is pushing code to your repositories, how will you know if your codebase is being hijacked by someone pretending to be a coworker?</p> <p>The answer is, you won&rsquo;t know who is actually committing code unless your team signs their commits. This means using a cryptographic key pair to add a digital signature to each commit that verifies your identity. Once you sign your commits, GitHub adds a handy &ldquo;verified&rdquo; badge to each one. Goodbye fake Jeff.</p> <img src='https://blog.1password.com/posts/2022/git-commit-signing/example_commits.jpg' alt='Screenshot of one signed and one unsigned Git commit.' title='Screenshot of one signed and one unsigned Git commit.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>Before now, signing was mostly done by generating GPG keys and associating them with your Git username and email. But if you&rsquo;ve ever set this up, you probably remember the dull pain of trying to figure it out. That time could be much better spent actually building something… like an autonomous tractor.</p> <p><strong>Well, fret no longer because verifying commits just got WAY easier. We&rsquo;re excited to announce that 1Password now allows you to set up and use SSH keys to sign Git commits. 
And with <a href="https://github.blog/changelog/2022-08-23-ssh-commit-verification-now-supported/">GitHub supporting SSH key signing</a> as well, you can get that verified badge next to your username in seconds. No GPG keys required.</strong></p> <p>Check out this 60-second demo to see it in action:</p> <div style="text-align: center !important;"> <iframe src="https://www.youtube-nocookie.com/embed/BMFvhl0WRFQ" frameborder="0" allow="autoplay; encrypted-media" width="500px !important;" height="281px !important;" style="width: 500px !important; height: 281px !important; display: inline-block !important" allowfullscreen></iframe> </div> <p>This should help more teams adopt signature verification into their workflows.</p> <p>Dealing with GPG can be troublesome at best. While secure when used properly, GPG is an archaic technology that relies on a web of trust for decentralized verification. But this functionality is often not used by developers and therefore adds unnecessary complexity without much security benefit.</p> <p>On the other hand, loads of developers already use SSH keys to push code to GitHub. Now they can use SSH keys to sign their code as well.</p> <p>And the best part? 1Password makes creating new keys a breeze whether you’re using 1Password on your desktop, or creating and filling new keys directly into GitHub with 1Password in your browser. It just works.</p> <p>If you&rsquo;ve previously used GPG keys to sign your Git Commits, the mechanics of using SSH keys will be the same (you can keep using the -S flag for commits and the -s flag for tags). However, setting things up is different. 
Here&rsquo;s a quick preview of the process:</p> <ol> <li>Start by updating to Git 2.34.0 or later.</li> <li>Navigate to <a href="https://github.com/settings/keys">https://github.com/settings/keys</a></li> <li>Select “New SSH Key”</li> <li>Select “Signing Key”</li> <li>Navigate to the “Key” box and select the 1Password logo</li> <li>Select “Create SSH Key”, fill in a title and then select “Create and Fill”</li> <li>Select “Add SSH Key” and you’re all set!</li> </ol> <img src='https://blog.1password.com/posts/2022/git-commit-signing/createsshkey.png' alt='Web browser window pointed to github.com, displaying the screen to add a new SSH key. In the key field, 1Password offers to create a new SSH key.' title='Web browser window pointed to github.com, displaying the screen to add a new SSH key. In the key field, 1Password offers to create a new SSH key.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>In less than 10 seconds, you have created a new SSH key to be used for signing commits. Now, you can proceed to 1Password on your desktop to configure your .gitconfig file to sign with that new SSH key. Just open the latest version of 1Password 8 for Windows, Mac, or Linux, navigate to the key you just created, and select the “Configure” option in the banner displayed on top.</p> <img src='https://blog.1password.com/posts/2022/git-commit-signing/1Passwordsshkeys.png' alt='1Password for Mac displaying two SSH keys, and the item details view for one of the keys.' title='1Password for Mac displaying two SSH keys, and the item details view for one of the keys.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>This will open a window with a snippet that you can add to your .gitconfig file. Select &ldquo;Edit Automatically&rdquo; and 1Password will update your .gitconfig file for you with a single click. 
Or, if you need a more advanced configuration, you can copy the snippet and do things manually.</p> <p>Your key is now ready to sign Git commits.</p> <img src='https://blog.1password.com/posts/2022/git-commit-signing/1Passwordgitconfig.png' alt='1Password for Mac window displaying a popup modal to configure git commit signing, with options to edit automatically or copy the displayed snippet.' title='1Password for Mac window displaying a popup modal to configure git commit signing, with options to edit automatically or copy the displayed snippet.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>Now when you commit code, 1Password will use your new SSH Key to sign. All you need to do is scan your fingerprint. And once you push to GitHub, you&rsquo;ll see that <a href="https://docs.github.com/en/authentication/managing-commit-signature-verification/displaying-verification-statuses-for-all-of-your-commits">beautiful green &ldquo;verified&rdquo; badge</a> on the timeline. (There&rsquo;s something nice about GitHub validating your existence.)</p> <img src='https://blog.1password.com/posts/2022/git-commit-signing/examplecommitverified.jpg' alt='Screenshot of one signed and one unsigned Git commit, with an overlay confirming that the commit was signed with the committer&#39;s verified signature.' title='Screenshot of one signed and one unsigned Git commit, with an overlay confirming that the commit was signed with the committer&#39;s verified signature.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>Signing commits adds a layer of protection for your codebase and, ultimately, your customers. 
This is especially true if your team actively <a href="https://docs.github.com/en/authentication/managing-commit-signature-verification/displaying-verification-statuses-for-all-of-your-commits">enforces signature verification</a> to prevent unsigned commits from being pushed to your repositories.</p> <p>Now is the time to make it happen. Follow the steps above, or visit our <a href="https://developer.1password.com/docs/ssh/git-commit-signing">developer documentation</a> for a detailed guide that can help with more advanced implementations, then sign away!</p></description></item><item><title>Why schools and colleges should invest in a password manager</title><link>https://blog.1password.com/schools-colleges-password-manager/</link><pubDate>Mon, 05 Sep 2022 00:00:00 +0000</pubDate><author>info@1password.com (1Password)</author><guid>https://blog.1password.com/schools-colleges-password-manager/</guid><description> <img src='https://blog.1password.com/posts/2022/why-schools-colleges-password-manager/header.png' class='webfeedsFeaturedVisual' alt='Why schools and colleges should invest in a password manager' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Schools and colleges are increasingly using technology to deliver engaging classes, track student progress, and more. But as the classroom shifts online, it’s never been more important for educators to practice good security habits.</p> <p><a href="https://blog.1password.com/data-breach-101-stay-safe-online/">Data breaches</a> are on the rise – ransomware attacks cost schools and colleges an estimated <a href="https://www.comparitech.com/blog/information-security/school-ransomware-attacks/">$3.56 billion in 2021 alone</a>. 
Like any other business, educational institutions need to protect their private information.</p> <p>A password manager may seem like a luxury when budgets are tight, but there are many reasons to invest in one. Here, we’ll explain how it can make your teachers, lecturers, and administration staff more secure and productive, saving you time, money, and stress in the long run.</p> <h2 id="your-staff-will-never-forget-a-password-again">Your staff will never forget a password again</h2> <p>We’re all familiar with the time-consuming process of <a href="https://blog.1password.com/how-to-reset-password/">forgetting and resetting passwords</a>. If you’re surrounded by a class of restless students, this can throw an entire lesson off track.</p> <p>With a password manager like 1Password, you and everyone you work with will never forget a password again. That means no more frantic calls to the IT department (if you have one!) or a last-minute scramble to figure out how to run a class without using Microsoft PowerPoint or Google Slides.</p> <p>Annoying password resets don’t just apply to teaching tools. Your school or college likely has staff that need to remember passwords for payroll, budget planning, and other behind-the-scenes business software. With a password manager, you can make it simple for everyone – regardless of their role or technological expertise – to create, remember, and securely share passwords for everything they use at work.</p> <h2 id="itll-save-you-and-your-team-time">It’ll save you and your team time</h2> <p>A password manager doesn’t just prevent headaches and disrupted workflows – it will also save everyone time. For example, 1Password will offer to <a href="https://1password.com/features/autofill/">autofill everything in your vaults</a>, including passwords, addresses, and credit cards. 
This will shave off precious seconds that would normally be spent typing or trying to recall information.</p> <p>A few seconds may not seem like much, but it adds up across tens or hundreds of staff members, over the many days, weeks, months, and years your school is running.</p> <h2 id="itll-make-your-team-more-secure-and-save-you-money">It&rsquo;ll make your team more secure (and save you money)</h2> <p>Data breaches are expensive, and schools and universities aren’t immune to them. According to K-12 Cybersecurity Resource Center, schools were hit with a record-breaking <a href="https://thehill.com/policy/cybersecurity/553506-school-districts-struggle-to-defend-against-rising-ransomware-attacks/">408 cyberattacks in 2020</a>, up 18 percent from 2019. These attacks can shut an institution down for days, disrupting the whole calendar year and costing <a href="https://www.comparitech.com/blog/information-security/school-ransomware-attacks/">millions of dollars</a>.</p> <p>Many ransomware attackers will also demand <a href="https://thehill.com/policy/cybersecurity/553506-school-districts-struggle-to-defend-against-rising-ransomware-attacks/">extortionate amounts of money</a> to undo their damage or return stolen data. Investing in a password manager therefore makes financial sense compared to the potential cost of a school or college-wide hack.</p> <p>A password manager like 1Password makes it simple for everyone to protect their accounts with strong, unique passwords. 
Everyone in your team will also know when a service or tool they use has been compromised, so they can change any of their affected passwords before a criminal is able to exploit them.</p> <h2 id="itll-keep-student-information-safe-without-needing-a-big-it-department">It’ll keep student information safe (without needing a big IT department)</h2> <p>It&rsquo;s not just your team&rsquo;s data that needs protecting – you also have a responsibility to look after the data of every student who enrolls at your school or college. For example, your staff might have access to databases that contain at least some student data or information. With a password manager like 1Password, you can secure staff accounts and everything they have access to, including these critical resources.</p> <p>If your educational institution has a small IT or security department, a password manager will empower people to develop good habits and make secure decisions on their own. 1Password also gives administrators a suite of tools to keep a firm handle on everything, including an <a href="https://blog.1password.com/announcing-insights/">Insights dashboard</a>, <a href="https://support.1password.com/create-share-vaults-teams/">custom vault structures</a> and user groups, <a href="https://support.1password.com/breach-report/">domain breach reports</a>, and more.</p> <h2 id="itll-make-it-easy-for-staff-to-stay-secure-on-and-off-the-clock">It’ll make it easy for staff to stay secure on and off the clock</h2> <p>Security threats don&rsquo;t end when you wrap up work for the day. With 1Password Business, every employee gets a <a href="https://1password.com/personal/">1Password Families</a> account that covers up to five people in their household. 
This will help your staff build secure habits more quickly, and ensure their work and personal lives are given the same level of protection.</p> <p>Every family account has its own login and set of vaults, so staff won&rsquo;t mix up their personal and work-related passwords. It will also help them learn 1Password faster, get into the habit of storing and sharing passwords securely, and empower them to secure their entire digital lives.</p> <h2 id="itll-boost-peace-of-mind">It’ll boost peace of mind</h2> <p>Marking assignments, passing inspections, and hosting extracurricular clubs – working at a school or college is stressful enough. You and your team don’t need the threat of data breaches and ransomware attacks on top of everything else.</p> <p>With 1Password, you can simplify security and give your staff one less problem to worry about each day. It will make everyone&rsquo;s lives a little more straightforward, and nurture a culture of security that will make your institution harder for attackers to infiltrate.</p> <p>Ready to take your school or college&rsquo;s security to the next level? <a href="https://start.1password.com/sign-up/business?l=en">Sign up for a free trial of 1Password Business today</a>.</p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">1Password vs. the competition</h3> <p class="c-call-to-action-box__text"> Find out why 1Password is the best in the market with our <a href="https://1password.com/comparison/">password manager comparison</a>! 
</p> <a href="https://1password.com/comparison/" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Compare password managers </a> </div> </section></description></item><item><title>Hacking 101: What is pretexting?</title><link>https://blog.1password.com/what-is-pretexting/</link><pubDate>Wed, 31 Aug 2022 00:00:00 +0000</pubDate><author>info@1password.com (Emily Chioconi)</author><guid>https://blog.1password.com/what-is-pretexting/</guid><description> <img src='https://blog.1password.com/posts/2022/what-is-pretexting/header.png' class='webfeedsFeaturedVisual' alt='Hacking 101: What is pretexting?' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Ever heard of pretexting? And no, we&rsquo;re not talking about when you first carefully draft a risky text message before sending it! Pretexting is a sneaky and highly effective form of social engineering that attackers use to dupe people into sharing their personal information.</p> <p>If you spend a lot of time on the internet, you’ve probably encountered it in some form many times before. Suspicious texts, calls, and emails trying to trick you into sharing your data have become an all-too-common part of our daily lives. 
Some of these attempts may seem silly, obvious, and easy to dismiss, but a growing number of attackers are learning to create more sophisticated and convincing stories.</p> <p>We’re all still susceptible to becoming a victim of social engineering, including pretexting, so it’s important to understand how this tactic works in order to stay secure.</p> <h2 id="what-is-pretexting">What is pretexting?</h2> <p>Pretexting is a type of <a href="https://blog.1password.com/what-is-social-engineering-hacking-101/">social engineering attack</a> that involves a criminal creating a story, or pretext, that manipulates their target into sharing personal data like passwords, credit cards, and logins.</p> <p>The attacker will come up with a scenario beforehand that seems believable and can exploit your trust in a person, company, or service.</p> <p>For instance, maybe the automatic payment for your streaming service failed to go through so a customer service rep is following up, or your bank is giving you a call to investigate unusual activity on your account. These scenarios being real isn’t completely outside the realm of possibility and they can be more believable if the attacker casts themself in the story as a character you can trust.</p> <p>These scams can vary – an attacker may limit the scope to one target, or cast a wide net hoping a few people take the bait. For example, they might research one target online beforehand, or use data they&rsquo;ve obtained through a data breach to create a customized scenario. Or they might create a general scenario and send it to many people, via email or text message, hoping that it will be accurate and relevant enough to at least some of them.</p> <h2 id="how-do-you-protect-yourself-from-pretexting">How do you protect yourself from pretexting?</h2> <p>There’s one important skill you can develop to avoid pretexting scams: awareness. 
If you know pretexting is a possibility and stay up to date with common techniques, you’ll have the best possible chance of spotting a phony story.</p> <p>Here are some other steps you can take to prevent an attack:</p> <ul> <li><strong>Stop and assess.</strong> If you’re being targeted, there’s always time to pause for a moment and assess the situation, regardless of what an attacker might say. Being pressured to make a decision, like sharing sensitive data, is a common pretexting tactic.</li> <li><strong>Question everything.</strong> How were you contacted? Are you being asked to share private information? Does it seem too good to be true?</li> <li><strong>Always verify.</strong> If you’re unsure, there’s no harm in doing a little bit of research on the source, like calling a company to confirm details or emailing someone directly. For example, if someone is claiming to be a rep from your bank, you can always hang up, call the bank&rsquo;s official number and ask them to verify what you just read or heard. Follow your gut – if it turns out to be legitimate, you only spent a few extra minutes being safe.</li> <li><strong>Stay on top of updates.</strong> Do your best to keep your devices, apps, and other software up to date. If automatic updates are an option, turn them on.</li> <li><strong>Use two-factor authentication.</strong> If you’re given the option, turn on <a href="https://blog.1password.com/password-manager/#what-is-two-factor-authentication">two-factor authentication (2FA)</a> to add a second layer of security to your accounts. 
This extra verification method means that even in the worst case scenario, if a pretexting attack is successful and someone else has your password, they won&rsquo;t be able to sign in to your accounts unless they also have access to the place where you store your verification codes.</li> </ul> <h2 id="add-more-protection-with-a-password-manager">Add more protection with a password manager</h2> <p>Adopting a password manager like 1Password is another great way to protect yourself against pretexting and other kinds of social engineering.</p> <p>For example, most password managers will save the relevant website URL alongside your username and password – that way, it knows when to offer to autofill your credentials. Now, imagine a criminal sent you an email with a link to a fake website that looked authentic at first glance. You would immediately notice that your password manager wasn’t offering to autofill your username and password. Taking a closer look at the URL, you would realize that you were on a fake site, alerting you to an attack.</p> <p>In addition, a password manager like 1Password will:</p> <ul> <li>Tell you where you can enable two-factor authentication.</li> <li>Notify you if any of your passwords have appeared in a data breach.</li> <li>Alert you to weak or reused passwords.</li> <li>Alert you to security problems with the websites you use so you can keep all your accounts safe.</li> </ul> <h2 id="knowing-is-half-the-battle">Knowing is half the battle</h2> <p>We&rsquo;re all human with natural tendencies to trust other people, cooperate with authorities, or make a quick decision when put under pressure. It can be overwhelming to consider all of the potential online threats, including the many stories that a criminal might concoct for a social engineering scam. But you can keep it simple. 
If you educate yourself, stay alert, and take advantage of the right tools, being secure online really is possible.</p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Ready to protect yourself?</h3> <p class="c-call-to-action-box__text"> Keep all of your accounts secure with 1Password, the world’s most-trusted password manager. Get started today with a free 14-day trial. </p> <a href="https://1password.com/pricing/" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Try free for 14 days </a> </div> </section></description></item><item><title>Adding the Save in 1Password button to your website just got way easier</title><link>https://blog.1password.com/easier-to-add-save-in-1password-button/</link><pubDate>Thu, 25 Aug 2022 00:00:00 +0000</pubDate><author>info@1password.com (Matt O'Leary)</author><guid>https://blog.1password.com/easier-to-add-save-in-1password-button/</guid><description> <img src='https://blog.1password.com/posts/2022/easier-to-add-save-in-1password-button/header.png' class='webfeedsFeaturedVisual' alt='Adding the Save in 1Password button to your website just got way easier' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Have you ever wanted to put a <a href="https://developer.1password.com/docs/add-1password-button-website/#:~:text=When%20you%20add%20the%20Save,used%20to%20save%20API%20keys">Save in 1Password button</a> on your website? You can now add the integration to your website without anyone from 1Password building, approving, or getting involved with the process.</p> <p>Adding the Save in 1Password button allows your website visitors to easily save their sign-in details, credit cards, and other private information to their vaults with a single click. 
Read on to learn more about the update and how some of our partners have integrated the new button on their websites.</p> <h2 id="why-you-should-add-a-save-in-1password-button-to-your-website">Why you should add a Save in 1Password button to your website</h2> <p>The Save in 1Password button has many benefits – both for your business and your customers.</p> <p>This integration is both secure and convenient – helping make it easy for your customers to save their information and then autofill that saved information the next time they visit your site.</p> <p>Adding the Save in 1Password button can also help to drive sales and improve your customer’s journey. It’ll also save your organization time and money, as you&rsquo;ll have fewer people forgetting their passwords and requesting help from your customer support team.</p> <p>Simplify your organization’s end customer experience and <a href="https://developer.1password.com/docs/add-1password-button-website/">integrate the Save in 1Password button</a> today.</p> <h2 id="adding-the-button-is-easier-than-ever">Adding the button is easier than ever</h2> <p>We know you’re busy, and when working with an integration, time spent adding and experimenting with something new isn’t time you have. That’s why we worked hard to make sure that Save in 1Password 2.0 removed the friction and wait time that were part of its previous implementation.</p> <p>With this update you’ll no longer need our assistance or approvals to add the Save in 1Password button to your website. You can now self-serve and install the button on your own by <a href="https://developer.1password.com/docs/add-1password-button-website/">following the instructions in our developer portal</a>. 
Of course, we&rsquo;re still happy to help if you have any questions or encounter any problems.</p> <h2 id="partners-using-save-in-1password">Partners using Save in 1Password</h2> <p>Some of our partners have already incorporated the Save in 1Password button on their websites, making it easier for customers to complete tasks quickly and securely. Here are a handful that currently provide services in the U.S.:</p> <h3 id="rho">Rho</h3> <p><a href="https://www.rho.co/">Rho</a> is an automated, integrated platform with everything a finance leader needs to boost productivity, save money, and free up time for growth. With corporate cards, AP automation, banking, treasury and more built-in, Rho is one place to run your entire finance operation.</p> <p>Rho customers who also use 1Password can now see the Save in 1Password drop-down in their <a href="https://help.rho.co/hc/en-us/articles/7553022054683-1Password-Integration-Overview-Setup">card details page</a>. This means they can save their payment card details with a single click and autofill it the next time they’re making an online business purchase.</p> <p>Rho was able to set up and deploy the Save in 1Password button in a matter of weeks, entirely on their own, providing their customers with a safe and convenient online experience for their virtual cards.</p> <p>As part of an exclusive offer from Rho, 1Password customers new to Rho can <a href="https://rhocom.grsm.io/1password_rho">earn a $500 cash rewards bonus after spending $10,000 within the first month of opening their account</a>. 
<sup id="fnref:1"><a href="#fn:1" class="footnote-ref" role="doc-noteref">1</a></sup></p> <img src='https://blog.1password.com/posts/2022/easier-to-add-save-in-1password-button/rho.gif' alt='Animated depiction of saving Rho card details in 1Password' title='Animated depiction of saving Rho card details in 1Password' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <h3 id="ramp">Ramp</h3> <p><a href="https://ramp.com/">Ramp</a> provides the next generation of finance tools – from corporate cards and expense management to bill payments and accounting integrations – helping 7,000+ businesses control spend, save time, and automate busy work.</p> <p>With 1Password&rsquo;s integration with Ramp, customers can spin up unlimited virtual cards, save them all in 1Password with a single click, and easily surface those details whenever an online purchase is made.</p> <p>1Password customers new to Ramp <a href="https://ramp.com/1password?partner_promo=1password-500">can get $500 when they sign up</a>.</p> <p> <video class="round shadow" style="display: block; margin: auto; padding: 0;" autoplay="true" muted="true" loop="loop" playsinline="" width="100%" alt='Video showing a Ramp virtual card being saved in 1Password and autofilled on the QuickBooks website' controls> <source src="https://blog.1password.com/posts/2022/easier-to-add-save-in-1password-button/ramp.mp4" type="video/mp4" /> </video> </p> <h3 id="tillful">Tillful</h3> <p><a href="https://www.tillful.com/">Tillful</a> helps small business owners build strong business credit quicker and stay on top of their financial health. The platform includes business credit scoring solutions, a secured business credit-building credit card, funding, and other custom-matched financial management services. 
Customers who are also 1Password users will see the Save in 1Password drop-down when they use their payment card for the first time, enabling them to save their details with the click of a button.</p> <p>Using the updated Save in 1Password integration, Tillful was able to add the button to their website in just a few weeks. Now Tillful customers can easily save all their unique payment details right in 1Password – the safest place to keep them – with one click.</p> <p>1Password customers new to Tillful can get 5,000 bonus Tillful Points when signing up for the <a href="https://www.tillful.com/card-1password/?utm_source=partner-referral&amp;utm_medium=1password-promotions&amp;utm_campaign=tillful-card">Tillful Business Credit Card</a> (subject to approval and spending of $1K within the first 30 days).</p> <p> <video class="round shadow" style="display: block; margin: auto; padding: 0;" autoplay="true" muted="true" loop="loop" playsinline="" width="100%" alt='Animation depicting a Tillful card being saved in 1Password' controls> <source src="https://blog.1password.com/posts/2022/easier-to-add-save-in-1password-button/tillful.mp4" type="video/mp4" /> </video> </p> <h3 id="privacy">Privacy</h3> <p><a href="https://privacy.com/">Privacy</a> is a virtual card provider that protects customers’ online payments by keeping their credit or debit card information private. You only have to provide your banking information to Privacy once, and then you can securely create virtual cards for all of your online purchasing needs, including:</p> <ul> <li>Cards that can only be used at a designated merchant</li> <li>Cards that automatically close after a single transaction</li> <li>Cards with spending limits that prevent overcharging and unwarranted fees</li> </ul> <p>With the 1Password integration, Privacy customers can create and save Privacy Cards directly from their 1Password dashboard when they are prompted to enter card numbers on retailer websites. 
All cards created in 1Password have the same security benefits as traditional Privacy Cards, and users can also set the same spending limits and indicate if a purchase is a one-off, monthly, or annual charge. Thanks to the Save in 1Password button, users can easily save all of this information directly in 1Password and recall it whenever they need to.</p> <p>Privacy is free to use and also has two premium tiers, Pro and Teams, that come with additional features and payment tools. 1Password customers new to Privacy can take advantage of an exclusive offer to get three months of Privacy Pro for free – <a href="https://privacy.com/1password">get started at Privacy.com</a>.</p> <blockquote> <p><em>&ldquo;So stoked about this. Two incredibly practical and useful tools joining forces. Love to see it, Privacy and 1Password.&rdquo; – 1Password and Privacy customer testimonial</em></p> </blockquote> <div style="text-align: center !important;"> <iframe src="https://www.youtube-nocookie.com/embed/Czu26pJKMaw" frameborder="0" allow="autoplay; encrypted-media" width="500px !important;" height="281px !important;" style="width: 500px !important; height: 281px !important; display: inline-block !important" allowfullscreen></iframe> </div> <h2 id="the-future-of-save-in-1password">The future of Save in 1Password</h2> <p>We&rsquo;re excited about the potential of the Save in 1Password button, and how companies in every industry can use it to help their customers. From retail to travel, customers are searching for seamless but secure ways to save and use their personal information online. 
By enabling customers to autofill their saved information – like login credentials, credit cards, passport details, airline reward numbers, and more – you’re reducing customer friction and speeding up the check-out process.</p> <p>In the future, we hope to see even more businesses try our improved integration and make it easier for their customers to save and autofill everything that’s important to them.</p> <p>One of our upcoming integrations for Save in 1Password is by <a href="https://stytch.com/">Stytch</a>, an authentication platform for developers that has recently launched a Passwords solution. Stytch is currently working to integrate the Save in 1Password functionality into their SDK to support the future of passwordless. We’re excited for the future launch of Stytch’s integration solution as part of our work towards the future of authentication.</p> <p>Check out our <a href="https://developer.1password.com/docs/add-1password-button-website/">integration documents</a> to learn more about the Save in 1Password button and how you can add it to your website.</p> <p>If you’re interested in becoming an integration partner for the Save in 1Password button, or another integration, contact our team today at <a href="mailto:tech-partnerships@agilebits.com">tech-partnerships@agilebits.com</a> to get started!</p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Secure your business without slowing it down</h3> <p class="c-call-to-action-box__text"> Trusted by over 115,000 businesses, 1Password is the best way to protect your organization’s secrets. Try 1Password with a 14-day free trial today! 
</p> <a href="https://start.1password.com/sign-up/business?l=en" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Get started </a> </div> </section> <section class="footnotes" role="doc-endnotes"> <hr> <ol> <li id="fn:1" role="doc-endnote"> <p><em>Terms &amp; Conditions: To qualify for the $500 cash rewards bonus, a total of at least $10,000 in net purchases must be posted to your account within 1 month from the date your account is opened. The bonus cash rewards will show as statement credit within 1 - 2 billing periods after they are earned. Cash advances and balance transfers do not apply for purposes of this offer and may affect the credit line available for this offer. Cash advances of any kind, balance transfers, cash equivalents such as money orders and prepaid gift cards, casino gaming chips, wire transfers, off-track wagers, lottery tickets, or bets or wagers transmitted over the internet, fees or interest posted to a linked account, including but not limited to returned payment fees, late fees, and monthly or annual fees, do not earn cash rewards. Refer to the Rho Corporate Card Program (<a href="https://www.rho.co/corporate-cards">https://www.rho.co/corporate-cards</a>) and Addendum to the Rho Terms of Service (<a href="https://www.rho.co/terms-of-service">https://www.rho.co/terms-of-service</a>) for details. This bonus offer is limited to new accounts only. 
Existing accounts do not qualify for this bonus offer.</em>&#160;<a href="#fnref:1" class="footnote-backref" role="doc-backlink">&#x21a9;&#xfe0e;</a></p> </li> </ol> </section></description></item><item><title>Shift left: How developers can take ownership of security</title><link>https://blog.1password.com/shift-left-developer-ownership-security/</link><pubDate>Tue, 23 Aug 2022 00:00:00 +0000</pubDate><author>info@1password.com (Tony Myers)</author><guid>https://blog.1password.com/shift-left-developer-ownership-security/</guid><description> <img src='https://blog.1password.com/posts/2022/shift-left-developer-ownership-security/header.png' class='webfeedsFeaturedVisual' alt='Shift left: How developers can take ownership of security' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">In a perfect world, software developers would not only have an innate understanding of security but be able to create bulletproof code from the get-go.</p> <p>I have been working across the software development lifecycle for over 25 years, so I can say with confidence that we don&rsquo;t live in a perfect world.</p> <p>In 2021, a survey of DevOps and IT professionals revealed that <a href="https://1passwordstatic.com/files/resources/research-report-risks-of-mismanaging-corporate-secrets.pdf">roughly 80% of companies admit to not managing their infrastructure secrets well</a>. With the myriad of secrets that software teams manage, it becomes a herculean task to keep track of all of those secrets at a granular level.</p> <p>As a result, developers often store secrets in plaintext files and other formats to make them easily accessible – but if they’re accessible to devs, they’re also accessible to attackers. Unattended secrets such as database credentials and API keys open a security backdoor, and the payoffs for bad actors are bigger than ever. 
According to 1Password’s “<a href="https://1password.com/resources/risks-of-mismanaging-corporate-secrets/">Hiding in plain sight</a>” report, organizations that experience secrets leakage lose an average of $1.2 million in revenue.</p> <p>Developers often assume that security is in someone else’s domain – but it’s developers who create the code. Devs should have a more active role in security management. That means being proactive about security and preventing vulnerabilities from being introduced from line 1 into production.</p> <p>In this article, we&rsquo;ll talk about this “shift-left philosophy” and how developers can take a more active role in application security.</p> <h2 id="what-does-shift-left-mean">What does shift left mean?</h2> <p>The diagram below shows the traditional software development lifecycle from initial planning to production and beyond. Traditionally, DevOps teams apply security in production. But developers don’t need to wait until an application goes through a last-minute security review.</p> <img src='https://blog.1password.com/posts/2022/shift-left-developer-ownership-security/shiftleft.jpeg' alt='Diagram of each step of the shift left process, with security wedged between the deployment and maintenance phases' title='Diagram of each step of the shift left process, with security wedged between the deployment and maintenance phases' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>Instead, they can treat security as a first principle, partnering with DevOps and SecOps teams to implement security measures very early in the software development lifecycle. By doing so, devs can catch potential vulnerabilities and security issues before they have a chance to cause problems further down the line.</p> <p>For example, consider testing, QA, and performance activities. 
Traditionally, devs would finish their basic unit tests and serve code up to some other group for more extensive testing, who would volley it back with whatever issues they find.</p> <p>This dev-tennis would continue until an acceptable quality threshold is passed, ultimately slowing down any momentum through wasted time and effort. Shifting left empowers the developer to test through automation so they can get immediate feedback, resulting in faster delivery and a higher-quality product.</p> <p>This doesn&rsquo;t mean that security becomes a one-time concern. Moving to the left means applying security at every step of the development process, even after production.</p> <h2 id="how-to-shift-your-application-security-to-the-left">How to shift your application security to the left</h2> <p>When devs try to move to proactive security and embrace the shift-left paradigm, software like <a href="https://1password.com/developers/">1Password Developer Tools</a> can help us take more ownership of security – without compromising efficiency. Regardless of the tools you choose, here are some practical steps you can take to get started.</p> <h3 id="eliminate-plaintext-secrets-in-your-code">Eliminate plaintext secrets in your code</h3> <p>Occasionally, containers ship with unchecked vulnerabilities. Sometimes they’re malicious, and sometimes they’re just accidents, but regardless it exposes secrets hardcoded into code or plaintext configuration files. That’s a giant cyberattack opening, and it leaves the entire application vulnerable.</p> <p>Instead of hardcoding secrets, devs can store them securely in encrypted vaults and <a href="https://blog.1password.com/delete-your-example-env-file/">access them in their code with references that are replaced at runtime</a>. There are plenty of tools that can manage those secrets directly in the terminal or IDE of the dedicated security professional, so that the developers can’t introduce those vulnerabilities in the first place. 
When you go about choosing the secret management tool for your application, make sure it checks a few boxes:</p> <ul> <li>It conforms to AES-GCM encryption standards.</li> <li>It interfaces with your IDE so developers know straight away which placeholder to use, never tempting them to put the secret in the code in plaintext.</li> <li>It isn’t easily accessible by team members who aren’t versed in these security risks.</li> </ul> <h3 id="ensure-parity-between-environments">Ensure parity between environments</h3> <p>Likeness between different environments is critical as it ensures that your apps work similarly in all environments, including the final production release and the earliest prototypes. Without parity, you can’t ensure that the app can work in every context, and you can’t ensure the application’s overall quality.</p> <p>For developers, ensuring parity means building test environments as closely as possible to what&rsquo;s on production so their testing scripts are compatible with both contexts.</p> <p>Secrets management helps drive better testing by increasing parity between environments and enabling secure access to the application infrastructure and related microservices. It grants testers and developers secure access only to the portions of the infrastructure they need to know, helping them conduct better tests.</p> <h3 id="modernize-your-ssh-workflows">Modernize your SSH workflows</h3> <p>Developers often use SSH keys to push code to GitHub, access servers, and more. So why is it such a pain to set up new keys? (If you’ve ever forgotten your passphrase or accidentally pasted your private key into a client instead of your public key, you know what I mean.)</p> <p>It doesn’t have to be such a pain. 
When setting up your secret automation workflow, find a tool that lets you easily <a href="https://blog.1password.com/1password-ssh-agent/">generate, store, and use SSH keys</a> without making you run <code>ssh-keygen</code> commands manually or storing unencrypted versions of those keys on disc. A trustworthy secret management tool is going to sync your SSH keys across devices and lock them behind two-factor authentication.</p> <h3 id="automate-infrastructure-secrets-in-production">Automate infrastructure secrets in production</h3> <p>These obviously aren’t the only three vulnerabilities that developers can cause. A reactive organization would just roll with the punches, patching attack vectors as they’re discovered, or worse yet, exploited. But a proactive organization will ask, “How can I instill best practices in the developers to prevent problems before they materialize?”</p> <p>Take Coca-Cola, one of the world’s largest companies. Despite their massive size, encompassing thousands of employees and vendors, they manage to keep their secret recipe secret!</p> <p>How is that? Well, they’ve automated a significant part of their process, meaning that no one person has to oversee everything. Complex algorithms and functions run the manufacturing process, ordering secret packages (to which they’ve given the placeholder names of “Merchandise 1”, “Merchandise 2”, and so on) and mixing them properly.</p> <p>Just like that famous example, your developers are crafting a winning product with secret ingredients – so let them pass the delicate security procedures to automated tools! Then, they’ll be able to collaborate on code without worrying that the sensitive credentials will somehow leak through the CI environment.</p> <p>The vendors, the executives, and the floor workers at Coca-Cola have an unspoken contract with each other that guarantees the security of their secrets and the quality of their product. 
Similarly, you can have a straightforward “contract” between the devs, the DevOps crew, and the security professionals: Agree to give all the sensitive information automated placeholders so everybody can collaborate without needing access to the secrets themselves.</p> <p>Another common attack vector is finding data unencrypted in transit. How can we make sure that if an intrusion occurs, the attackers would only be able to access encrypted bits of unreadable information? This is another solved problem.</p> <p>The solution is generating, encrypting, and managing keys on the client. This way, those secrets are never left unsecured while being passed between client and server. Look for a tool that supports Transport Layer Security (TLS) by default, and preferably adds a custom layer of encryption on top, all computed client-side.</p> <h2 id="shifting-left--proactive-security">Shifting left = proactive security</h2> <p>Shifting left means implementing security measures earlier in the software development lifecycle. But this alone isn&rsquo;t enough. Companies must transition from a reactive to a proactive security paradigm to truly shift left. If developers are to truly take ownership of security, writing secure code from the get-go is the first step. Security professionals must think more like planners, catching issues before they ever really exist.</p></description></item><item><title>What is doxing, and how do you protect yourself from it?</title><link>https://blog.1password.com/what-is-doxing/</link><pubDate>Mon, 22 Aug 2022 00:00:00 +0000</pubDate><author>info@1password.com (1Password)</author><guid>https://blog.1password.com/what-is-doxing/</guid><description> <img src='https://blog.1password.com/posts/2022/what-is-doxing/header.png' class='webfeedsFeaturedVisual' alt='What is doxing, and how do you protect yourself from it?' 
style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">If you’ve spent a lot of time on the internet, you’ve probably heard the term “doxing” before. You may know that it has <em>something</em> to do with online bullying, harassment, and crime, but still have questions about <em>exactly</em> what it means. If so, you’re not alone. Here, we’re going to explain what doxing is, how it works, and how you can protect your sensitive data.</p> <h2 id="what-does-doxing-mean">What does doxing mean?</h2> <p>Doxing is an abbreviated form of “dropping dox”, an <a href="https://www.theatlantic.com/technology/archive/2014/03/doxing-an-etymology/284283/">old revenge tactic</a> created by the hacking community <a href="https://www.theatlantic.com/technology/archive/2014/03/doxing-an-etymology/284283/">in the 1990s</a>. Hackers would find and release documents – known as “dox” or docs – about previously-anonymous rivals, revealing their true identities and exposing them to authorities who might have been trying to track them down.</p> <p>Doxing has since evolved into <a href="https://www.nytimes.com/2017/08/30/technology/doxxing-protests.html">a more mainstream type of online harassment</a>. It usually involves uncovering and compiling someone’s personal information without their knowledge or permission — such as their real name, address, job, or phone number — and sharing it publicly on the internet.</p> <p>Many people are increasing the amount of time they spend online and, as a consequence, the amount of information they’re revealing about themselves. 
For example, your social media pages might have posts with photos, geotags, and other identifying information attached to them.</p> <blockquote> <p><em>&ldquo;Doxing has since evolved into a more mainstream type of online harassment.&quot;</em></p> </blockquote> <p>There are also internet service providers, data brokers, and other companies that want to collect and trade data about you. These records might not be public, but there&rsquo;s a chance that a company with access to them could be breached, exposing that information to opportunistic bullies and trolls.</p> <p>The bottom line is that if someone wants to harass you, they can often find and follow the digital ‘footprints’ you’ve left online, piece together your personal information, and share it without your consent.</p> <h2 id="who-is-at-risk-of-doxing">Who is at risk of doxing?</h2> <p>In the past, internet trolls and bullies would often focus their efforts on public figures, celebrities, and people with a large following or status online. The average person wasn’t usually at risk of having their personal information collected and shared publicly.</p> <p>But doxing is no longer limited to celebrities, journalists, social media influencers, and politicians. The internet playing a larger role in our lives has led to a rise in the number and types of people being doxed. Anyone can <em>potentially</em> be a victim of doxing — all it takes is someone who dislikes or disagrees with you enough to spend the time to search out, compile, and release your private information in the hopes that you’ll get fired, publicly shamed, or harassed.</p> <h2 id="doxing-for-social-engineering">Doxing for social engineering</h2> <p>The end goal of doxing isn’t always to release someone’s private information onto the internet. Sometimes a criminal will dox a target in order to hack or break into their online accounts.</p> <p>In these instances, an attacker will still search for ‘breadcrumbs’ of your personal information. 
But rather than exposing them to the public, they might keep these facts and try to use them to access some of your online accounts.</p> <blockquote> <p><em>&ldquo;The attacker might use what they’ve learned to try to guess your usernames and passwords.&quot;</em></p> </blockquote> <p>For example, the attacker might use what they’ve learned to try to guess your usernames and passwords, answer <a href="https://blog.1password.com/orange-facile-glossary-and-other-questions-answered/">security questions</a>, or persuade someone via a phone call, email, or live chat that they’re the account owner.</p> <h2 id="what-tactics-are-used-to-dox-someone">What tactics are used to dox someone?</h2> <p>You might not have realized or stopped to consider how much of a footprint you’re leaving online, or how much of your personal identity is already on the internet. Doxers can collect ‘breadcrumbs’ from all over the internet, then use those details to invade a person’s privacy and reveal information without their consent.</p> <p>There are many tactics doxers might use to discover information about you. For example, they could look through your social media profiles, as well as the friends and followers connected to them. They might try to pin down your IP address to reveal your physical location, launch phishing campaigns, or even look through public records.</p> <h2 id="how-to-protect-yourself-against-doxing">How to protect yourself against doxing</h2> <p>The best way to protect yourself against doxing is to be conscious of the information you’re sharing online. 
If you haven’t already done so, take some time to review and prune what you’ve posted previously, as this will help protect what you want to remain private.</p> <p>There are a number of other actions you can take to minimize your online footprint and avoid leaving ‘breadcrumbs.’ Here are a few steps you can take:</p> <p><strong>1) Be mindful of what you post on public social media accounts.</strong> To protect yourself, consider making some of your accounts private, or using tools and settings to control who can see what on your page.</p> <p>Many people who use social media want a single, recognizable username for all their accounts. This can make professional profiles, personal brands, and content easier to find, share, and follow. But for all your other accounts, consider using <a href="https://blog.1password.com/when-to-use-random-usernames-online/">random, unique usernames</a>. If you use the same username for everything, it makes it easier for doxers to collect information from each account and put it together.</p> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div class="c-technical-aside-box__description"> <p>Need help creating a random username? Try our <a href="https://1password.com/username-generator/">free username generator</a>. Then save the username in 1Password, so you don’t forget it!</p> </div> </aside> <p><strong>2) Avoid third-party login options.</strong> Websites will often try to use &ldquo;sign in with&rdquo; services to request information that you&rsquo;ve shared with another company or platform. This means that your personal information is being shared and compiled by more companies, which could one day be breached and exposed to trolls.</p> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div class="c-technical-aside-box__description"> <p>Can’t remember whether you created an account with a traditional password or “sign-in with” service? 
<a href="https://blog.1password.com/sign-in-with-anything-browser-beta/">1Password will now remember for you</a>.</p> </div> </aside> <p><strong>3) Review your apps’ permissions to check what’s being shared and publicly accessible.</strong> Apps will often ask for all sorts of personal information, like your phone&rsquo;s address book, photos, or location. Think carefully about these requests (does a recipe app <em>really</em> need to know your age?) and, where possible, minimize the permissions that you&rsquo;ve already given to the apps on your devices.</p> <p>Many of your online accounts likely contain a lot of information that you want to keep private. The best way to keep this data secure is by protecting your accounts with strong, unique passwords. A password manager like 1Password will help you create secure, distinctive passwords to guard each of your online accounts from potential attackers.</p> <p><a href="https://watchtower.1password.com/">1Password’s Watchtower</a> will also alert you if any of your passwords are affected by a data breach, so you can change them before a doxer tries to gain access to one of your accounts.</p> <h2 id="staying-safe-online">Staying safe online</h2> <p>Doxing is on the rise, and the tactics that bullies are using to collect people&rsquo;s information are always changing. But that doesn&rsquo;t mean there&rsquo;s nothing you can do to protect yourself. Take the time to review what you’ve previously shared online and be mindful of the breadcrumbs you might be leaving on the internet each day. 
Using a password manager like 1Password will also help you remain vigilant and protect your passwords, addresses, and other private information from criminals, bullies, and trolls.</p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Ready to protect yourself?</h3> <p class="c-call-to-action-box__text"> Keep all of your accounts secure with 1Password, the world’s most-trusted password manager. Get started today with a free 14-day trial. </p> <a href="https://1password.com/pricing/" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Try free for 14 days </a> </div> </section></description></item><item><title>Meet Mark-Shane Scale, Team Lead for Customer Support at 1Password</title><link>https://blog.1password.com/meet-mark-shane-scale/</link><pubDate>Thu, 18 Aug 2022 00:00:00 +0000</pubDate><author>info@1password.com (1Password)</author><guid>https://blog.1password.com/meet-mark-shane-scale/</guid><description> <img src='https://blog.1password.com/posts/2022/meet-mark-shane-scale/header.png' class='webfeedsFeaturedVisual' alt='Meet Mark-Shane Scale, Team Lead for Customer Support at 1Password' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Have you ever wondered what it&rsquo;s like to work at <a href="https://1password.com/">1Password</a>? Or wanted to know the career paths that other people followed before taking a job here? You&rsquo;re not alone!</p> <p>In this blog series, we&rsquo;re sharing what it&rsquo;s <em>really</em> like to work at 1Password. To do this, we sat down and talked to team members from across our more than 800-strong organization, including engineering, human resources, and customer support. 
You&rsquo;ll learn about the journeys that each person took to 1Password, as well as their current role and day-to-day responsibilities.</p> <p>Today, we&rsquo;re chatting with Mark-Shane Scale, Team Lead for Customer Support at 1Password!</p> <p><strong>Why did you join 1Password, and how did you end up here?</strong></p> <img src='https://blog.1password.com/posts/2022/meet-mark-shane-scale/markshanescale1.jpg' alt='A photo of Mark-Shane Scale in a restaurant, wearing a 1Password t-shirt and cap' title='A photo of Mark-Shane Scale in a restaurant, wearing a 1Password t-shirt and cap' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>In February 2019, I attended a job fair at a small Canadian city mall. Armed with my resume and cover letter, I was set on talking to three businesses, and I wanted one to be a technology company. That day, I met a hiring manager and one of the founders of 1Password.</p> <p>I knew nothing about 1Password until I saw the company listed at the job fair, so I went up and asked some questions. The more I learned about 1Password at the job fair, including its ethics towards employees and customers, the more I was attracted to working there.</p> <p><strong>What’s your current role, and what are your day-to-day responsibilities?</strong></p> <p>I recently became a team lead but my previous responsibilities as a customer support specialist involved:</p> <ul> <li>Helping newer members of the team learn how to speak to our customers and address their problems and concerns.</li> <li>Answering complex questions from our customers via email with compassion and empathy. That included giving solutions to problems or issues customers may have been facing.</li> <li>Actively helping other team members by answering their questions. 
Reporting major issues customers were facing and their suggestions for future features.</li> <li>Reading computer-generated reports, referring to company documents, and asking questions to find all the information needed to give customers correct instructions and information about problems they were facing.</li> </ul> <p><strong>What attracted you to the company?</strong></p> <p>First, it had been a dream of mine to work in technology. Another attraction was that I got the opportunity to do what I love – helping others – via email, as opposed to phone or video support. It means I don’t have to be conscious about how I look or sound, or whether I’ve fumbled over my words. Instead, I can take my time and double check my assumptions before replying.</p> <blockquote> <p><em>&ldquo;I like the challenge of asking questions and then putting the answers together, almost like completing a puzzle.&quot;</em></p> </blockquote> <p>When I applied, 1Password had an office in a small city in Ontario. I had just moved to that part of the province, so I was looking forward to getting to know folks there who lived there too. While the pandemic affected this, I’m now grateful that I’ve had the opportunity to work from home. I love that 1Password offers the flexibility of remote work and also lets me choose the best time I can work based on my own schedule.</p> <p><strong>What is your favorite part of your role?</strong></p> <p>My favorite part of my job is troubleshooting. I like trying to answer customer problems in as few email exchanges as possible by asking questions and using “if/then” statements. I like the challenge of asking questions and then putting the answers together, almost like completing a puzzle.</p> <p><strong>What keeps you motivated in your role?</strong></p> <p>If I can troubleshoot and keep customers happy, I’m happy. 
I love when a customer submits a glowing review of my support, and get a thrill when they send a reply thanking me and confirming that their problem is now resolved.</p> <p>I’m also so happy with the benefits of working at 1Password, and the many amazing online events I can attend <a href="https://blog.1password.com/agconf9-adventures-on-the-high-seas/">like AGConf</a> - our annual conference - and other virtual social events.</p> <p><em>Editor&rsquo;s note: This interview has been lightly edited for clarity and brevity.</em></p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Want to work for 1Password?</h3> <p class="c-call-to-action-box__text"> Browse our current job openings to see if there’s an opportunity that matches your career goals. </p> <a href="https://1password.com/jobs/?utm_ref=blog" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> View our open positions </a> </div> </section></description></item><item><title>1Password named one of Forbes Cloud 100</title><link>https://blog.1password.com/1password-forbes-cloud-100/</link><pubDate>Wed, 10 Aug 2022 00:00:00 +0000</pubDate><author>info@1password.com (Emily Chioconi)</author><guid>https://blog.1password.com/1password-forbes-cloud-100/</guid><description> <img src='https://blog.1password.com/posts/2022/1password-forbes-cloud-100/header.png' class='webfeedsFeaturedVisual' alt='1Password named one of Forbes Cloud 100' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">We’re thrilled to announce that 1Password has been included in the <a href="https://www.forbes.com/lists/cloud100/?sh=66c6aa357d9c">Forbes 2022 Cloud 100</a>, the definitive ranking of the top 100 private cloud companies in the world!</p> <h2 id="were-on-cloud-nine">We’re on cloud nine</h2> 
<p>The Cloud 100 reviews hundreds of cloud organizations each year. Companies are ranked across four factors: market leadership, estimated valuation, operating metrics, and people &amp; culture.</p> <blockquote> <p>“The companies of the Cloud 100 list represent the best and brightest private companies in this fast-growing sector. Every year, it gets more difficult to make this list – meaning even more elite company for those who do.” - Alex Konrad, senior editor at Forbes</p> </blockquote> <p>Coming in at number 66 on the list, 1Password is the first Canadian company to be chosen for the Cloud 100 since 2019! Not bad, eh?</p> <p>This is quite the honor for 1Password, and we couldn’t be prouder. The cloud helps us make the digital world simpler and safer for everyone, delivering better experiences to more customers.</p> <h2 id="1password-and-the-cloud">1Password and the cloud</h2> <p>Phones, laptops, tablets – no matter what device you’re using, everything you’ve stored in 1Password is at your fingertips.</p> <p>Security has never been easier, and a large part of that is thanks to the cloud, giving 1Password customers – from families to businesses alike – the ability to:</p> <ul> <li>Store passwords, infrastructure secrets, documents, and more across all devices</li> <li>Easily sync updates to items for your whole team or family</li> <li>Update vault access and permissions for anyone</li> <li>Securely share items stored in 1Password with anyone, even if they don’t use 1Password</li> <li>Get insights on potential security risks with suggested next steps, all in one place</li> </ul> <h2 id="reaching-new-heights">Reaching new heights</h2> <p>Thanks to the cloud-based infrastructure powering 1Password, we’ve been able to release better ways to help make the secure choice the easy choice, including:</p> <ul> <li><a href="https://1password.com/products/">The all-new 1Password 8</a></li> <li><a href="https://blog.1password.com/psst-item-sharing/">Item sharing</a></li> 
<li><a href="https://blog.1password.com/announcing-insights/">Insights</a></li> <li><a href="https://blog.1password.com/developers-deserve-great-ux/">Developer Tools</a></li> <li><a href="https://blog.1password.com/introducing-secrets-automation/">Secrets Automation</a></li> <li><a href="https://blog.1password.com/introducing-events-api/">Events API</a></li> </ul> <p>As we grow, we’re going to keep putting our focus on human-centric security, making it easier for you to protect your data while seamlessly integrating your work and personal life.</p> <p>Over the years, cloud computing has become an integral piece of what makes 1Password convenient, reliable, and, best of all, easy to use. It’s part of why millions of customers and over 100,000 businesses trust 1Password to keep their data both secure and accessible.</p> <h2 id="the-skys-the-limit">The sky’s the limit</h2> <p>At 1Password, our mission has always been to ease the tension between security and convenience.</p> <p>We&rsquo;re committed to providing a password manager that makes staying safe online accessible for everyone, and continuing to invest in the cloud is a crucial part of that.</p> <p>Thank you to Forbes for this fantastic distinction – we’re shouting it cloud and proud.</p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Secure your team with 1Password Business</h3> <p class="c-call-to-action-box__text"> Keep your team secure without slowing them down. Choose 1Password Business to gain complete control over passwords and other sensitive business information. 
</p> <a href="https://1password.com/business-pricing/" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Try free for 14 days </a> </div> </section></description></item><item><title>Say hello to 1Password 8 for iOS and Android</title><link>https://blog.1password.com/1password-8-ios-android/</link><pubDate>Tue, 09 Aug 2022 00:00:00 +0000</pubDate><author>info@1password.com (Michael Fey)</author><guid>https://blog.1password.com/1password-8-ios-android/</guid><description> <img src='https://blog.1password.com/posts/2022/1password-8-ios-android/header.png' class='webfeedsFeaturedVisual' alt='Say hello to 1Password 8 for iOS and Android' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Sometimes I forget to marvel at what we, as an industry, have built in the past 30 years.</p> <p>I have this little device in my pocket, and a slightly larger version on my nightstand. With either one, I can video chat with a friend in the UK, access my medical records, or check in for a vet appointment. I can track my workouts or reserve a table at my favorite restaurant.</p> <p>I can buy movie tickets, concert tickets, and plane tickets. I can watch videos uploaded by creators from around the globe and learn how to do almost anything. Heck, I can even pair up a controller and play some pretty awesome games. All from the device in my pocket.</p> <p>Unless I was tethered to my desk, I couldn&rsquo;t do any of that when our founders – Dave, Sara, Roustem, and Natalia – built the first version of 1Password in 2006. The smartphone and tablet as we know them didn&rsquo;t yet exist.</p> <p>But today, when I pull out my phone or grab my iPad, a world of possibilities opens to me.</p> <p>That&rsquo;s the world for which we built 1Password 8. The one in which most internet traffic goes through our phones and tablets. 
The one in which most people are juggling dozens, if not hundreds, of logins to access everything they need for work and life.</p> <p>The world where you use your phone for <em>everything</em>.</p> <div style="text-align: center !important;"> <iframe src="https://www.youtube-nocookie.com/embed/Qe_BNU7qkOA" frameborder="0" allow="autoplay; encrypted-media" width="500px !important;" height="281px !important;" style="width: 500px !important; height: 281px !important; display: inline-block !important" allowfullscreen></iframe> </div> <p>This is 1Password 8 for <a href="https://apps.apple.com/app/id1511601750?mt=8">iOS</a> and <a href="https://play.google.com/store/apps/details?id=com.onepassword.android">Android</a>. It&rsquo;s a brand-new experience designed to bring a little order to a hyper-connected world. Where did I save my medical records? What&rsquo;s my bank account number? Do I need to worry about that data breach I heard about yesterday?</p> <p>And, of course, <em>what the heck is my password?</em></p> <h2 id="built-for-speed">Built for speed</h2> <img src='https://blog.1password.com/posts/2022/1password-8-ios-android/1Password8_home_screen.png' alt='iPhone and Android phone side-by-side, displaying the new 1Password 8 home screen and customization options with various sections toggled.' title='iPhone and Android phone side-by-side, displaying the new 1Password 8 home screen and customization options with various sections toggled.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>When we began work on 1Password 8 for iOS and Android, we went straight to customers to find out what they were trying to accomplish in 1Password. Armed with that knowledge, we then dove into making it as fast and easy as possible to achieve those tasks. Speed is everything on mobile, and 1Password 8 delivers.</p> <p>It starts with your new home screen. And I mean it when I say it’s <em>your</em> home screen. 
When you open 1Password, you can hide, unhide, or reorder what you see here. You can even pin specific fields from your items to this screen for instantaneous access.</p> <p>I have my kids' Screen Time passcode pinned to my home screen so I can show it in Large Type with a tap. No two people are alike – and now, no two 1Passwords are alike.</p> <p>The new design also incorporates an updated, always-available navigation bar so you can:</p> <ul> <li><strong>Quickly access your home screen.</strong> Here you&rsquo;ll find your favorites, recent items, or anything else you want fast access to.</li> <li><strong>Access all items across all your accounts.</strong> All your vaults, all your tags. It&rsquo;s all here.</li> <li><strong>Search everything.</strong> When you tap the search button, the search field is immediately focused. Just start typing to find what you&rsquo;re looking for.</li> <li><strong>Boost your security.</strong> Get one-tap access to the all-new Watchtower experience for mobile.</li> </ul> <p>Of course, 1Password is more than just an app. If we’re doing things right, it feels like an extension of iOS and Android, putting the things you’ve stored in 1Password right at your fingertips, right when you need them.</p> <p>Maybe you’re autofilling the one-time code when you log into your banking app, or your payment card info on Amazon.</p> <p>Everywhere you need it, the autofill experience is now faster and more precise. Payment cards, addresses, identities – autofill whatever you need, when you need it, on both iOS (with the <a href="https://support.1password.com/getting-started-safari-ios/">Safari extension</a>) and Android.</p> <h2 id="built-for-peace-of-mind">Built for peace of mind</h2> <img src='https://blog.1password.com/posts/2022/1password-8-ios-android/Watchtower_dashboard_weak_passwords.png' alt='iPhone and Android phone side-by-side displaying the Watchtower dashboard with shareable security score and list of items with weak passwords.' 
title='iPhone and Android phone side-by-side displaying the Watchtower dashboard with shareable security score and list of items with weak passwords.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>There&rsquo;s nothing like knowing – not guessing, but <em>knowing</em> – that you&rsquo;re protected. With the all-new Watchtower experience for mobile, that peace of mind is just a tap away.</p> <p><a href="https://watchtower.1password.com/">Watchtower</a> is your security sentinel, letting you know when you need to take action and making it easier to do so. If your credentials are involved in a data breach, you’ll see an alert in Watchtower and in the item itself. Tap it to take steps to protect yourself (like changing your password).</p> <p>Those actionable alerts now extend to your security score, which gives you a bird’s-eye view of your overall security. Watchtower continually evaluates key security data points (locally, on your device) to calculate your score, and shows you where you can take action to improve your security. Your score incorporates things like weak passwords, inactive two-factor authentication, compromised passwords, and others.</p> <p>You can also share your score directly from Watchtower by copying it or tweeting it. Watch out, though – this can get addictive fast. I’ve been known to spend idle minutes knocking down security issues in my own vaults to get my score just a little bit higher.</p> <p>We also made security questions easier. Questions like “What’s your mother’s maiden name?” or “What was the name of your childhood pet?” are designed to enhance security, but they can also be a pain. If the question is too obscure, it’s hard to remember the answer. Too common and it’s easy to find that info if an attacker looks hard enough.</p> <p>Now you can generate random answers to security questions as easily as you generate a password. 
Just add a security question field to any item, and let 1Password generate an answer for you. Better security, no more guesswork.</p> <p>Of course, you still get all the other security-boosting features you’ve come to expect from 1Password. That includes the ability to securely share items – <a href="https://blog.1password.com/1password-file-document-sharing/">yep, files and documents too</a> – with anyone, even if they don’t use 1Password.</p> <h2 id="built-for-you">Built for you</h2> <img src='https://blog.1password.com/posts/2022/1password-8-ios-android/1Password8_home_screen_variation.png' alt='iPhone and Android phone side-by-side displaying the 1Password 8 home screen with pinned fields and customizable sections in various configurations.' title='iPhone and Android phone side-by-side displaying the 1Password 8 home screen with pinned fields and customizable sections in various configurations.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>Nothing is as personal as these little rectangles in our pockets, so with 1Password 8 we wanted to create something that you could shape to your needs.</p> <p>Enter the customizable new home screen.</p> <p>You might want fast access to your favorites and pinned fields, whereas I might prefer to see a list of frequently used and recently created items. It&rsquo;s your 1Password, so it&rsquo;s your call.</p> <p>What are pinned fields? The easiest way to make 1Password truly yours. You can pin any field in a 1Password item directly to your home screen, so you always have instant access to, say, your bank’s routing number or the one-time code for your Twitter login.</p> <p>To customize your home screen, scroll to the bottom of the screen and select &ldquo;Customize&rdquo; then select or deselect sections to show or hide them (respectively). 
Drag and drop sections to choose the order in which they appear.</p> <img src='https://blog.1password.com/posts/2022/1password-8-ios-android/1Password8_work_travel_collections.png' alt='iPhone and Android phone side-by-side displaying work and travel collections' title='iPhone and Android phone side-by-side displaying work and travel collections' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p><a href="https://support.1password.com/collections/">Collections</a> have come to iOS and Android, too. Collections are an easy way to create a custom group of vaults for easier context switching. Maybe you want to create a collection of personal, work, and travel vaults, or create collections that separate shared vaults from private ones.</p> <p>Again, it&rsquo;s up to you. Just tap the vault icon at the top of the screen and select &ldquo;Manage Collections&rdquo; to set it up.</p> <p>1Password also respects your device’s appearance settings, so if you dwell on the dark side all day long with Dark Mode, 1Password will embrace the darkness right along with you. 😎</p> <h2 id="download-1password-8-for-ios-and-android">Download 1Password 8 for iOS and Android</h2> <p>I can’t emphasize the <em>new</em> part of “all-new” enough. 1Password 8 is more than an upgrade: It’s a brand new experience, and you can download it now from the App Store and Google Play Store. <em>1Password 7 will not automatically upgrade to 1Password 8.</em> <section class="c-call-to-action-box"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Migrating from 1Password 7 to 1Password 8</h3> <p class="c-call-to-action-box__text"> If you're using 1Password without a subscription and would like some guidance <a href="https://support.1password.com/migrate-1password-account/">migrating to 1Password 8</a>, 1Password Support is standing by to lend a hand. 
</p> <a href="mailto:support@1password.com" class="c-call-to-action-box__link-href" data-event-category="CTA" data-event-action="call-to-action-button"> Contact 1Password Support </a> </div> </section> </p> <p>Once you download the app and start exploring, you&rsquo;ll also find little flourishes throughout: new icons and typography, detailed item views, and new indicators next to shared items so you can see what&rsquo;s shared and what’s private at a glance.</p> <p>Regardless of how you set up your 1Password, you&rsquo;ll be getting the most advanced version of 1Password we&rsquo;ve ever built, completely recreated for a mobile-first world.</p> <p>PS: I want to give a <em>huge</em> shout-out to the <a href="https://1password.community">1Password community</a>. The feedback from Early Access testers and other contributors has been invaluable. Thank you.</p> <p>But we’re not done yet. We’re still listening, so if you’d like to share your thoughts, stop by the community and say hi.</p> <div class="c-call-to-action"> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Download 1Password 8 for iOS</h3> <p class="c-call-to-action-box__text"> Get the all-new 1Password 8 for iPhone and iPad. It's everything you need for a worry-free digital life on the go. </p> <a href="https://apps.apple.com/app/id1511601750?mt=8" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Download on the App Store </a> </div> </section> <section class="c-call-to-action-box c-call-to-action-box--purple"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Download 1Password 8 for Android</h3> <p class="c-call-to-action-box__text"> Protection has evolved. Get the all-new 1Password 8 for Android phones and tablets. 
</p> <a href="https://play.google.com/store/apps/details?id=com.onepassword.android" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--purple" data-event-category="CTA" data-event-action="call-to-action-button"> Download on the Play Store </a> </div> </section> </div></description></item><item><title>How great usability tripled Duke University's password manager adoption</title><link>https://blog.1password.com/duke-university-password-manager-adoption/</link><pubDate>Thu, 04 Aug 2022 00:00:00 +0000</pubDate><author>info@1password.com (Rob Boone)</author><guid>https://blog.1password.com/duke-university-password-manager-adoption/</guid><description> <img src='https://blog.1password.com/posts/2022/duke-university-password-manager-adoption/header.png' class='webfeedsFeaturedVisual' alt='How great usability tripled Duke University's password manager adoption' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Duke University is one of the most storied and prestigious learning institutions in the United States. Duke and its healthcare arm, Duke University Health System, are home to tens of thousands of students and employees.</p> <p>With so many coming and going from the Duke campus every day – and accessing Duke’s many state-of-the-art services within its digital network – security is a top priority for Duke’s Office of Information Technology (OIT). And like any IT department head, IT Security Office senior manager Nick Tripp knows that password security is the backbone of a sound security approach.</p> <p>&ldquo;Password managers make life easier, more secure. We&rsquo;re all aware that the main problem with passwords is it&rsquo;s hard for users to create strong passwords,” Tripp says.</p> <p>The trick, though, is getting everyone to use their password manager to generate and store strong passwords. Having adopted a 1Password competitor years ago, many on campus simply didn’t use it. 
And even those that did struggled to integrate it into their daily workflows.</p> <p>“We discovered groups weren’t doing [password management] properly. At least five groups were logging into the same account and just using one vault,” Tripp says. “We discovered that most people were just using their personal accounts. They weren’t necessarily storing Duke data. If they were, it was all mixed together. We had very few IT support groups using it in a coordinated way.”</p> <h2 id="maximizing-adoption-with-1passwords-legendary-ease-of-use">Maximizing adoption with 1Password’s legendary ease of use</h2> <p>Tripp knew there was a better way, because he personally used 1Password. He could attest to the ease of use thanks to the “native apps, the user experience, and the integration between those two,” Tripp says. &ldquo;I personally use it for all of my own accounts and had a <a href="https://1password.com/personal/">1Password Families</a> account prior to this. That&rsquo;s shared between me, my wife, my two kids, and my mother-in-law to make sure that good password hygiene is happening.&rdquo;</p> <p>And he wasn’t the only one. Tripp explored other password management options “for the sake of due diligence, but enough people used 1Password personally that we knew what the best option was.”</p> <p>If Duke was going to shore up its password management, a change was in order. &ldquo;We got approval from both CISOs [of Duke University and Duke University Health System]. Then we got approval from our CIO and IT advisory committee, and similar governing bodies.”</p> <h2 id="great-security-starts-with-a-great-user-experience">Great security starts with a great user experience</h2> <p>The results were more than Tripp had hoped for. “We’ve seen significant uptake from staff and students. We tripled enrollment during the migration from our previous password manager,” he says.</p> <p>And because IT finds it easier to manage, the implementation is more focused and deliberate. 
“My team and the Health Security Office are doing training and onboarding groups. We’ll spend an hour initially and come back and do 30-minute sessions as needed. We’ve found that once people understand the concepts, which doesn’t take long, it’s a really smooth transition. I’d chalk that up to the user experience in 1Password, which we clearly think is superior to every other product we’ve looked at,” Tripp says.</p> <p>They also created shared docs and knowledge base articles internally, he says, “and honestly, most of that is just linking out to your existing documentation and online learning.”</p> <p>The focus on strong cross-platform support also helps, because everyone gets the same experience on every device. “We have a lot of Mac users, but we&rsquo;re also very diverse in terms of computing. Lot of Windows devices, too, and a lot of other orgs like Engineering use Linux,” Tripp says.</p> <p>A win for usability is a boon for security. &ldquo;We have more people than ever doing password management – by a lot – which is a win for security overall,” Tripp says.</p> <p>And what if he had to go back to the old way of doing things? It’s a non-starter, he says. &ldquo;I have about 2000 individual items for me personally, and I maybe know three of those passwords.&rdquo;</p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">See 1Password in action</h3> <p class="c-call-to-action-box__text"> Join us for a live demo of 1Password Business to learn more about the end user experience, integrations, and secure sharing. 
</p> <a href="https://1password.com/webinars/1password-business-demo/?utm_ref=blog" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Register now </a> </div> </section></description></item><item><title>How the 1Password CLI makes DNS management easier</title><link>https://blog.1password.com/1password-cli-easier-dns-management/</link><pubDate>Wed, 03 Aug 2022 00:00:00 +0000</pubDate><author>info@1password.com (Jack Platten)</author><guid>https://blog.1password.com/1password-cli-easier-dns-management/</guid><description> <img src='https://blog.1password.com/posts/2022/1password-cli-easier-dns-management/header.png' class='webfeedsFeaturedVisual' alt='How the 1Password CLI makes DNS management easier' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">I own a lot of domains, and keeping track of where all of them are pointing can be more than a little tricky. I found a tool that helps me keep everything in sync with a single point of truth.</p> <p>After mixing in the 1Password command-line tool, I had everything I need to keep my domains up to date and pointing where I want them, without having to worry about my credentials being stored unsafely.</p> <p>For creatives and online professionals, we’ve all been there. We think of an idea or concept and say: “Oh, that’s a good domain name”, <em>click</em>, repeat. 
Eventually, you end up with your domain registrar looking a little something like this.</p> <img src="https://blog.1password.com/posts/2022/1password-cli-easier-dns-management/dns_management_table.png" alt="Example domain management table with placeholder domains and columns for website, email, renew status, lock status, WHOIS status, market price, and expiration date" title="Example domain management table with placeholder domains and columns for website, email, renew status, lock status, WHOIS status, market price, and expiration date" class="c-featured-image"/> <p>Not only do I have it bad here, I’ve got three other name registrars chock full with domains between them. I’ve been managing them mostly by moving them into a single nameserver provider, but for various reasons, I keep a few on a separate nameserver provider.</p> <p>I’m constantly seeking a better way of managing them and a few weeks ago, a friend of mine pointed me in the direction of <a href="https://stackexchange.github.io/dnscontrol/">DNSControl</a>. This was the magic I was looking for, as now I can write all of my DNS settings in a single domain-specific language, and push them to my various nameserver locations.</p> <p>This has made managing this registration mess much easier, as I no longer have to toggle between Cloudflare / Linode / Porkbun to configure various domains. I can configure a new domain in my <a href="https://www.fastmail.com/">Fastmail</a> account and use it for <a href="https://1password.com/fastmail/">Masked Email</a> with only a few lines of DNSControl’s domain-specific language.</p> <p>It’s changed the way I buy (and then forget about) domains.</p> <p>Of course, for DNSControl to work, you need some API keys. 
DNSControl uses a <code>creds.json</code> file, so initially my repository just had this in the folder, excluded by <code>.gitignore</code>.</p> <img src="https://blog.1password.com/posts/2022/1password-cli-easier-dns-management/creds_json.png" alt="Code editor displaying code for creds.json file with Bind, Cloudflare, and Linode variables, including API token" title="Code editor displaying code for creds.json file with Bind, Cloudflare, and Linode variables, including API token" class="c-featured-image"/> <p>This was great when I was just working on my laptop, but I use multiple devices. One of the nice things about DNSControl is that it’s a single executable, so no matter whether I’m on macOS or Windows, I just need that one executable to manage my DNS entries.</p> <p>Then, I started to think about my options. Since this is a private repository on my GitHub account, I could have just committed the credentials to the repo, but that <em>just feels</em> wrong, even if there was minimal risk of my credentials getting anywhere.</p> <p>I work at 1Password, and here poor security hygiene isn’t an option. DNSControl has the ability to import environment variables into the credentials file, but that still requires managing the secrets between my devices as well. Additionally, if my device were compromised, any other software running on my device would be able to read the environment variable and steal the secret.</p> <h2 id="enter-cli">Enter CLI</h2> <p>I remembered that we have an app for that! I hadn’t messed around much with the <a href="https://1password.com/downloads/command-line/">1Password command-line tool</a> prior to getting started with this project, but I was able to wrap my head around it quickly. 
Templating my file was easy (and even easier with our new <a href="https://github.com/1Password/op-vscode">Visual Studio Code extension</a>).</p> <p>I initially created a template file that I could then use <code>op inject</code> with and output a <code>creds.json</code> file. This was great, but I was still writing secrets to disk in plaintext. I wasn’t committing them to Git, but they still existed on my hard drive, and I didn’t want secrets stored anywhere in plaintext, so I wasn’t quite done yet.</p> <h2 id="contributing-to-the-community">Contributing to the community</h2> <p>This is where the fun part really starts. DNSControl currently has a method of running a shell script that would print to <code>stdout</code> a properly formatted JSON file containing the credentials, and if I only worked on one operating system, that likely would have worked well enough for me.</p> <p>I switch between my Windows desktop and my MacBook, though, and there&rsquo;s no good way to have a single script that works in both PowerShell and fish. I didn&rsquo;t want to keep multiple scripts in sync if I were to add an additional provider. I took a quick look at where the code was for running the credential file, and with only a bit of work and reading through documentation, I was able to add the ability to run any arbitrary command, rather than just execute a script.</p> <p>Now I can run <code>dnscontrol push --creds "!op inject -i creds.json"</code> to inject my credentials into my template file, return it on <code>stdout</code> and make the changes to my domains, all without my credentials ever touching the disk. And it works on all my computers, as long as I have both the DNSControl executable as well as the 1Password command-line tool installed.</p> <p>We want <em>everyone</em> to be secure, no matter how you choose to store your secrets, and no matter where you use those secrets. 
Encouraging the wider ecosystem to allow for options of getting credentials into scripts and tools safely helps everyone.</p></description></item><item><title>Join us for 1Password’s Security Summer Camp</title><link>https://blog.1password.com/security-summer-camp/</link><pubDate>Mon, 01 Aug 2022 00:00:00 +0000</pubDate><author>info@1password.com (Alex Ash)</author><guid>https://blog.1password.com/security-summer-camp/</guid><description> <img src='https://blog.1password.com/posts/2022/security-summer-camp/header.png' class='webfeedsFeaturedVisual' alt='Join us for 1Password’s Security Summer Camp' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Feeling a bit lost in the woods when it comes to cybersecurity? Up your security skills at 1Password’s Security Summer Camp. Learn from our security summer camp counselors about attacker&rsquo;s motivations, how and why data breaches occur, and best practices for how you can protect your organization from unwanted threats.</p> <p>Join us August 1st at 4PM PT / 7PM ET for a Twitter Spaces event and then August 2nd – 4th at 9AM PT / 12PM ET for a daily 1-hour webinar – we promise it won’t be too in-tents for summer! To learn more about the week’s events, check out the camp activities in this post – or visit <a href="https://www.1passwordsummercamp.com/">Security Summer Camp</a> to learn more.</p> <h2 id="security-summer-camp-twitter-spaces-event-">Security Summer Camp: Twitter Spaces event 🔥🪵</h2> <p>Have you ever wanted to share your security horror stories around a campfire? We’ve got you covered with our Security Summer Camp kick-off Twitter Spaces event. 
Join 1Password hosts Michael Fey (Roo), VP of Engineering, and Andrew Beyer, Browser Experience Lead, around the virtual campfire on August 1st at 7PM ET for this fun event that will include:</p> <ul> <li>Cybersecurity stories from the 1Password speakers, including 1Password co-founder Dave Teare</li> <li>Listeners sharing the craziest cybersecurity story they’ve ever heard</li> </ul> <p>Make sure you’re following <a href="https://twitter.com/1Password">@1Password</a> on Twitter so you don’t miss this live conversation and the chance to share your own story.</p> <h2 id="the-anatomy-of-a-data-breach-how-at-risk-are-you-really-">The anatomy of a data breach: how at risk are you really? 🐻🍯</h2> <p>You may not be at risk of a bear attack during our virtual camp, but as cybersecurity threats continue to evolve it can be difficult to assess your risk in the digital landscape. Join camp counselor (and 1Password Security Specialist) Joseph Ojelade on August 2nd at 12PM ET to learn:</p> <ul> <li>The various stages of what happens before, during, and after a data breach</li> <li>The difference between prevention and intervention when it comes to protecting your organization</li> <li>Actionable tips on how to ensure you’re practicing good security hygiene, both at home and at work</li> </ul> <h2 id="how-and-why-hackers-hack-and-how-to-defend-your-organization-">How and why hackers hack, and how to defend your organization 🌿🦟</h2> <p>Sometimes cybersecurity threats are a lot like poison ivy – you just don&rsquo;t know what to look out for. 
On August 3rd at 12PM ET, join Roger Grimes, a 34-year cybersecurity veteran, to find out:</p> <ul> <li>Attackers’ motivations and how today’s real-world mix of malware and human-directed attacks, like ransomware, happen</li> <li>Why hacking doesn’t have to be super technical to be successful</li> <li>Best practices that could significantly lower your risk to cybersecurity threats</li> </ul> <h2 id="building-an-identity-and-access-management-system-that-secures-more-">Building an identity and access management system that secures more ⛺️🔒</h2> <p>The 1Password team of Graham Jackson, Lauren Gregg, and Alex Hoffmann are excited to show you how 1Password features can help strengthen your identity and access management system. In their talk on August 4th at 12PM ET, you’ll learn about:</p> <ul> <li>How to get improved visibility and security for password-based logins with Insights from 1Password</li> <li>The benefits of enforced access controls for the use and sharing of passwords and other sensitive information</li> <li>Unlocking 1Password with your identity provider via SSO in an exclusive sneak peek of our upcoming feature</li> </ul> <p>The advantage of a virtual camp is we’re pretty sure your Wi-Fi will be better! So join us for <a href="https://www.1passwordsummercamp.com/">Security Summer Camp</a> to get all of the fun camp without any of the wild animals or noisy bunk mates – and we’ll do our best to keep the bugs to a minimum, too. Grab your paddle and join us as we take a trip down the security rapids. 🛶</p> <p>Not sure if you can make it to all camp activities? 
Register anyway and we’ll send you the recordings when camp ends.</p> <p>And if this week&rsquo;s camp activities don’t scratch your security itch, <a href="https://www.1passwordsummerschool.com/">check out our Security Summer School event</a> from last year.</p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Join 1Password Security Summer Camp</h3> <p class="c-call-to-action-box__text"> Protect yourself with top tips from our security camp counselors in this week-long virtual event. </p> <a href="https://www.1passwordsummerschool.com/" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Registration is now open </a> </div> </section></description></item><item><title>Hardware security keys: What are they, and should you use one?</title><link>https://blog.1password.com/hardware-security-keys-explained/</link><pubDate>Wed, 27 Jul 2022 00:00:00 +0000</pubDate><author>info@1password.com (Nick Summers)</author><guid>https://blog.1password.com/hardware-security-keys-explained/</guid><description> <img src='https://blog.1password.com/posts/2022/hardware-security-keys-explained/header.png' class='webfeedsFeaturedVisual' alt='Hardware security keys: What are they, and should you use one?' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Have you ever seen someone plug a USB dongle into their device in order to sign in to something? Or worked for a company that required you to use one whenever you unlocked your laptop, or logged in to an important account?</p> <p>These authenticators are called hardware security keys. 
Some people will also refer to them as just security keys, or two-factor security keys.</p> <p>Here, we&rsquo;ll break down what these dongles are and how they make it harder for criminals to gain access to your devices and accounts.</p> <h2 id="what-is-a-hardware-security-key">What is a hardware security key?</h2> <p>A hardware security key is a way to prove that you or someone you trust – and not a criminal – is trying to access or sign in to something. They’re known as a “<a href="https://proofid.com/blog/knowledge-factors-possession-factors-inherence-factors/">possession factor</a>” because they prove you physically own something used to authenticate your account.</p> <p>Security keys are a form of second or multi-factor authentication (MFA). This means that when you log in with your normal credentials – which could be a four-digit pin code on your phone, or a username and password on a website – you&rsquo;ll be asked to provide your security key, too.</p> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div class="c-technical-aside-box__description"> <p>Want to stay secure online? Create a unique username with 1Password&rsquo;s free <a href="https://1password.com/username-generator/">Username Generator</a>!</p> </div> </aside> <p>Not all devices and services support these keys. But the situation is improving all the time. You can also use security keys with many <a href="https://help.okta.com/en-us/Content/Topics/Security/mfa/yubikey.htm">single sign-on services like Okta</a> and password managers <a href="https://support.1password.com/security-key/">including 1Password</a> (more on that later).</p> <h2 id="the-benefits-of-using-a-hardware-security-key">The benefits of using a hardware security key</h2> <p>You might be wondering: “Okay, it&rsquo;s a second form of authentication – how exactly does that keep out criminals?” Think of it this way:</p> <p>Imagine you&rsquo;re the ruler of a castle. 
And you want to make sure that only your most loyal knights are allowed inside. You could create a password for the front gate, but what if one of your enemies overhears it? To be on the safe side, you could give your knights a brooch. Then you could tell your guard at the front gate to only allow people through who know the password and possess the brooch.</p> <p>Of course, it&rsquo;s not a completely perfect system. It’s possible an assassin could overhear the password and steal a brooch from one of your knights. But it&rsquo;s very unlikely, which makes the system far more secure than just using a password.</p> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div class="c-technical-aside-box__description"> <p>Learn more about MFA and hardware security keys in <a href="https://www.youtube.com/watch?v=3OjzJSnkh5Q">our Hello CISO YouTube series</a>!</p> </div> </aside> <p>Hardware security keys are a lot like the brooch – a physical item used to authenticate your account in addition to a password. But they aren&rsquo;t the only form of multi-factor authentication (MFA) available. Instead of providing a physical key, you might be familiar with other MFA options, like having a one-time code sent via email, text message, or an authentication app like Authy.</p> <p>But a security key could be considered more secure than most of these methods. Why? Because it&rsquo;s a physical object. A criminal is unlikely to target you specifically, find out where you work or live, travel to that location (or send someone on their behalf) and try to steal your key. The process is simply too expensive and time consuming, especially when they can use other tactics like <a href="https://blog.1password.com/what-is-social-engineering-hacking-101/">social engineering</a>.</p> <h2 id="the-downsides-of-hardware-security-keys">The downsides of hardware security keys</h2> <p>Nothing is perfect. 
If you&rsquo;re thinking of using a hardware security key, you should also be aware of the drawbacks and plan accordingly:</p> <ul> <li> <p><strong>Hardware security keys cost money.</strong> Physical security keys are generally affordable, but they aren’t free. Still, buying one is arguably a small price to pay for securing your digital life. Many companies will also offer their employees free or heavily-discounted security keys to use at work.</p> </li> <li> <p><strong>You have to take your key with you.</strong> Most of them are small, but it&rsquo;s one more thing to keep in your bag, on a keychain, or stuffed in a pocket.</p> </li> <li> <p><strong>You can misplace or lose a physical security key.</strong> Many services will let you authenticate another way – like entering a recovery code – if you forget, lose, or destroy your hardware security key. Nevertheless, it&rsquo;s never fun to arrive at the office and realize that you’ve left your authenticator at home.</p> </li> <li> <p><strong>Some keys only work with specific devices.</strong> There are all sorts of security keys that support USB-A, USB-C, lightning, NFC, or a combination of all four. Make sure you choose a key that works with all your devices, or consider using multiple keys that cover everything you own.</p> </li> </ul> <h2 id="using-a-hardware-security-key-with-1password">Using a hardware security key with 1Password</h2> <p>Should you use a hardware security key to protect your 1Password account? That&rsquo;s up to you.</p> <p>1Password is already <a href="https://support.1password.com/1password-security/">secure by design</a>. All of your passwords and other saved items are protected by two things: your 1Password account password and your <a href="https://blog.1password.com/what-the-secret-key-does/">Secret Key</a>. Only you know your account password, and your Secret Key is generated locally during setup. 
The two are combined on-device to encrypt your vault data and are never shared with 1Password.</p> <p>We have many protections in place to stop criminals from accessing our servers. But even if a thief <em>somehow</em> slipped through, they would only have access to a bunch of encrypted gibberish. All of the data would be worthless without <em>both</em> your account password and Secret Key.</p> <p>But if you would like an extra layer of protection, you can <a href="https://support.1password.com/security-key/">secure everything in your private vaults with a security key too</a>. This means you&rsquo;ll be asked to authenticate with the key when you sign in to your 1Password account.</p> <h2 id="the-bottom-line">The bottom line</h2> <p>Hardware security keys are an excellent form of multi-factor authentication. You might want to use one for all of your devices and online accounts, or only for a select group that you think should have a higher level of security.</p> <p>Not ready to take the plunge? You can still secure your digital life by using a password manager. 1Password will help you create, store, and autofill strong passwords for all your online accounts. Our security model also ensures that only you can access everything that you&rsquo;ve saved in your private vaults – so you can rest assured that you’ve put your safety first.</p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Ready to protect yourself?</h3> <p class="c-call-to-action-box__text"> Keep all of your accounts secure with 1Password, the world’s most-trusted password manager. Get started today with a free 14-day trial. 
</p> <a href="https://1password.com/pricing/" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Try free for 14 days </a> </div> </section></description></item><item><title>Meet Sean Foster, HR Program Specialist at 1Password</title><link>https://blog.1password.com/meet-sean-foster/</link><pubDate>Fri, 22 Jul 2022 00:00:00 +0000</pubDate><author>info@1password.com (1Password)</author><guid>https://blog.1password.com/meet-sean-foster/</guid><description> <img src='https://blog.1password.com/posts/2022/meet-sean-foster/header.png' class='webfeedsFeaturedVisual' alt='Meet Sean Foster, HR Program Specialist at 1Password' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Have you ever wondered what it&rsquo;s like to work at <a href="https://1password.com/">1Password</a>? Or wanted to know the career paths that other people followed before taking a job here? You&rsquo;re not alone!</p> <p>In this blog series, we&rsquo;re sharing what it&rsquo;s <em>really</em> like to work at 1Password. To do this, we sat down and talked to team members from across our more than 600-strong organization, including engineering, human resources, and customer support. 
You&rsquo;ll learn about the journeys that each person took to 1Password, as well as their current role and day-to-day responsibilities.</p> <p>Today, we&rsquo;re chatting with Sean Foster, HR Program Specialist at 1Password!</p> <p><strong>Why did you join 1Password, and how did you end up here?</strong></p> <img src='https://blog.1password.com/posts/2022/meet-sean-foster/sean.jpg' alt='A photo of Sean looking surprised in front of a starry background' title='A photo of Sean looking surprised in front of a starry background' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>Before, I was working in the IT department at a TV production company with Andrew Costen. He eventually left that company and went on to work at 1Password - an app he introduced and converted me to! I was immediately a fan of the product.</p> <p>A year or two later, I was looking for work and a friend who was already at 1Password put in a good word for me, which led to an interview. I found myself having a sushi lunch interview with CEO Jeff Shiner a couple of days later, and answering tickets from 1Password customers another day or two after that.</p> <p><strong>What’s your current role, and what are your day-to-day responsibilities?</strong></p> <p>I’ve worn a few hats at 1Password, but I’m currently an HR Program Specialist and split my time between Onboarding and Engagement. 
I work with new employees and try to help them feel as comfortable as I can while they settle in.</p> <p>When I’m not doing that, I focus on engagement surveys that ask employees how they’re feeling, their thoughts on virtual events, and more!</p> <p><strong>What attracted you to the company?</strong></p> <p>I was already a fan of 1Password, so talking to customers about an app I was truly a champion of – and not having to pretend – sounded great.</p> <blockquote> <p><em>&ldquo;I’ve always felt taken care of by 1Password.&rdquo;</em></p> </blockquote> <p>The work from home lifestyle also seemed like a positive change after a few years of commuting into an office. I don’t think I could go back to that at this point!</p> <p><strong>What is your favorite part of your role?</strong></p> <p>I love meeting new team members as they start their journey at 1Password and doing what I can to convey the vibe of the company, and what makes us uniquely us. I’ve always felt taken care of by 1Password, including its founders and CEO. I want to pay that forward to new members of the 1Password team.</p> <p><strong>How would you describe your team’s culture to someone who was applying for a role on that team?</strong></p> <p>A team of innovation, collaboration and ideas! HR Programs is constantly seeking ways to make the lives of employees easier and less stressful – and we embody that as a team as well. We all help each other out, cover for each other when we can, and collaborate on projects.</p> <p><strong>What keeps you motivated in your role?</strong></p> <img src='https://blog.1password.com/posts/2022/meet-sean-foster/sean2.jpg' alt='A photo of Sean eating a celebratory slice of cake, surrounded by other 1Password employees' title='A photo of Sean eating a celebratory slice of cake, surrounded by other 1Password employees' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>I consider myself an ambassador for 1Password. 
And I would honestly feel like I was letting down Sara Teare, one of our founders (who specifically wanted me in an onboarding-type role), if I didn’t give it my all. I want to do what I can to make the onboarding experience at 1Password a superior one, and try to embody what it means to work at 1Password as I make that first impression on folks.</p> <p><strong>Any fun personal plans for 2022? How are you planning to use your paid time off (PTO)?</strong></p> <p>I don’t have anything planned yet, but I’ve been daydreaming about three different options recently. I’m thinking about an Alaskan cruise, a trip to Japan, or a visit to Turkey. Until then, I really really like taking Fridays off – especially during the summer – so I’ll be giving myself a large number of three-day weekends over the next few months.</p> <p><strong>Quick! You’re boarding a plane and you can only bring one item on your trip. What is the one thing you can’t live without?</strong></p> <p>My iPhone. 😅</p> <p><em>Editor&rsquo;s note: This interview has been lightly edited for clarity and brevity.</em></p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Want to work for 1Password?</h3> <p class="c-call-to-action-box__text"> Browse our current job openings to see if there’s an opportunity that matches your career goals. 
</p> <a href="https://1password.com/jobs/?utm_ref=blog" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> View our open positions </a> </div> </section></description></item><item><title>Tip: Never forget or lose an old password with 1Password's item history</title><link>https://blog.1password.com/never-lose-old-passwords/</link><pubDate>Thu, 21 Jul 2022 00:00:00 +0000</pubDate><author>info@1password.com (Emily Chioconi)</author><guid>https://blog.1password.com/never-lose-old-passwords/</guid><description> <img src='https://blog.1password.com/posts/2022/tip-never-forget-old-passwords/header.png' class='webfeedsFeaturedVisual' alt='Tip: Never forget or lose an old password with 1Password's item history' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Addresses, credit card numbers, software licenses, and more. There&rsquo;s a lot you need to keep track of to manage your online world.</p> <p>Modern life can be messy, and it means we’re all likely to make a mistake at some point.</p> <p>You might use 1Password to update a weak password, only to realize you still need the old one for a different website. Or you accidentally opened the wrong item in 1Password and replaced a set of important security questions and answers. Maybe a family member updated the password to your streaming service but forgot to click save, and now you still need the old login. Accidents happen!</p> <p>In situations like these, it’s easy to think, &ldquo;Uh oh, what now?&rdquo;</p> <p>Don&rsquo;t panic – you haven&rsquo;t lost access to any of your favorite accounts. And you won&rsquo;t have to go through the tedious process of resetting the password. 1Password remembers the history of every item saved in your vaults. 
If you need an older version of any item, you can easily review its previous versions – including passwords, credit cards, and addresses. Even if you’ve archived or deleted an item, you can still select “restore” and bring it back to one of your vaults.</p> <p>Ready to get that old item back? Learn how to <a href="https://support.1password.com/item-history/">revert to a previous version of an item or restore an archived or recently deleted item</a>.</p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Get started with 1Password Families</h3> <p class="c-call-to-action-box__text"> Use 1Password Families to protect your accounts and share important passwords with the people you trust and care about. </p> <a href="https://1password.com/personal/" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Try free for 14 days </a> </div> </section></description></item><item><title>12 productivity hacks from the 1Password team</title><link>https://blog.1password.com/productivity-hacks-from-1password/</link><pubDate>Wed, 20 Jul 2022 00:00:00 +0000</pubDate><author>info@1password.com (Andrew Zangre)</author><guid>https://blog.1password.com/productivity-hacks-from-1password/</guid><description> <img src='https://blog.1password.com/posts/2022/productivity-hacks-from-1password/header.png' class='webfeedsFeaturedVisual' alt='12 productivity hacks from the 1Password team' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">“Hey, did you read about (blank)?” Keeping up with the barrage of news is just one of our many daily distractions from work. 
Toss in our personal obligations and other stressors – all fighting for space in our minds – and making a dent in the to-do list is often harder than we expect.</p> <p>For many, a healthy work-life balance is increasingly difficult to maintain (or find in the first place). Your life is far more than your work, but work still has to get done. So figuring out how to stay productive is crucial for both you and your team’s success. Just a few tiny habits or perspective shifts can make a world of difference and help keep you on task without feeling overwhelmed.</p> <p>If you need some inspiration, our team is excited to share a bit about what works for us! Experiment with some of these tips for yourself and find out what works for you.</p> <h2 id="mental-health-is-top-priority-always">Mental health is top priority (always)</h2> <p>Thankfully, mental health is becoming <a href="https://time.com/6189818/workplace-mental-health-policies/">less of a taboo topic at work</a> – a shift that is well overdue. Along with more candid conversations on the subject is the growing agreement that productivity should never (ever) take precedence over your wellbeing and mental health.</p> <p>Regardless of your workload or fast-approaching deadlines, it’s essential to stay honest with yourself and your employer about how you’re feeling. <a href="https://blog.1password.com/remote-work-mental-health/">Self-care is crucial</a>, especially with the ever-shifting circumstances around work (remote work, <a href="https://blog.1password.com/webcam-security-zoom/">Zoom fatigue</a>, etc.).</p> <p>If you’re not finding this balance possible right now, bring it up with your employer in a respectful way as soon as possible. See if you can find a compromise that works for everyone, such as adjusting your responsibilities or work hours. 
In some cases, time off or a job change might be the ideal path.</p> <h2 id="productivity-tips-from-the-1password-team">Productivity tips from the 1Password team</h2> <p>With that in mind, here are some friendly pieces of advice from the 1Password team that enable them to do their best work while also feeling their best.</p> <p><strong>1. Use a checklist</strong></p> <p><em>“Put stuff in a checklist for that sweet, sweet dopamine hit when you get to mark it as done.”</em> - Emily, Content</p> <p><strong>2. Switch up your surroundings</strong></p> <p><em>“I’ve always found that a change of space is a change of mind. When dealing with a hard problem or one that I’ve been dreading to carry out, temporarily working from the kitchen or outdoors does wonders to ‘unlock’ my productivity.”</em> - Graham, Provisioning</p> <p><strong>3. Optimize your workspace and posture</strong></p> <p><em>“Take some time to dial in the ergonomics of your workstation. Is your chair too high? Should your monitor be farther away? Do you need a foot or wrist rest? Fixing these issues won’t just improve your health – they’ll make you a more comfortable and productive worker in the long run.”</em> - Nick, Content</p> <p><strong>4. Reflect and reassess your priorities</strong></p> <p><em>“Sometimes it’s important to simply step back and reflect – you see things differently, and sometimes something that feels urgent is not urgent and resolves itself.”</em> - Katya, People</p> <p><strong>5. Lean on your calendar</strong></p> <p><em>“I use my calendar for absolutely everything (at work and at home). If it isn’t in my calendar, it doesn’t exist. Having a collective view of how I spend my time helps me prioritize the things that matter most. It also helps me set boundaries and be aware of when I’m stretching myself too thin.”</em> - Julian, Finance</p> <p><strong>6. Play DJ</strong></p> <p><em>“Find a song or playlist that really pumps you up. 
I did it once with <a href="https://www.youtube.com/watch?v=qOAiw54saOw&amp;feature=youtu.be">‘I Am Yours’</a> by Andy Grammer and I was so zoned into my work that it was the most productive I’ve ever been. I hit goals for myself that I have yet to beat again. Also, don’t forget to set an alarm that reminds you to take a break!”</em> - Amy, Customer Support</p> <p><strong>7. Space out your workday</strong></p> <p><em>“I&rsquo;m a huge fan of the <a href="https://www.themuse.com/advice/take-it-from-someone-who-hates-productivity-hacksthe-pomodoro-technique-actually-works#:~:text=The%20Pomodoro%20Technique%20is%20a,are%20referred%20to%20as%20pomodoros.">Pomodoro method</a>. Sometimes I look up &ldquo;Pomodoro timer&rdquo; on YouTube and find a <a href="https://www.youtube.com/watch?v=9CL34BQxmEs">preset timer with lo-fi music in the background</a> to help while I’m doing deep work like documentation.”</em> - Nicole, Marketing</p> <p><strong>8. Turn off the noise</strong></p> <p><em>“Turn off notifications (email, Slack, etc.), put your phone in a different room, and have it muted so you don’t go check it when you hear it buzz. It also helps to notify coworkers that you’re going to be unreachable for a few hours while you’re working on something so they don’t have the urge to bother you and can get any urgent needs out of the way. Also, quality noise-canceling headphones are worth it.”</em> - Stacey, Content</p> <p><strong>9. Measure your tasks</strong></p> <p><em>“I love using a flexible app like Notion as my task manager. I can keep meeting notes and tasks in the same database, and add hyperlinks and tasks to other meetings. One of my favorite tips is creating an ‘energy column’ for each task or meeting, so I can indicate before or after how much effort an action should take/took. Was it 🔋, 🔋🔋, or even a full 🔋🔋🔋🔋? Then I can start planning my week around them.”</em> - Josh, HR.</p> <p><strong>10. Sort your conversations</strong></p> <p><em>“Organize your Slack! 
I have all of my channels and conversations categorized depending on the area. It helps to visualize my requests and see what&rsquo;s urgent versus what can be checked later. For example, I usually only check my Topics section a few times a day, since it’s less important than some of my team-related channels.”</em> - Nicole, Marketing</p> <p><strong>11. Spell out your goals</strong></p> <p><em>“I set daily and weekly goals at the start of each week. This helps me to protect my time and stay focused without feeling like I’m juggling too much and not getting to what’s more important.”</em> - Julian, Finance</p> <p><strong>12. Hit pause</strong></p> <p><em>“When I feel my attention or mood slipping, I don’t wait for it to get worse. Unless I’m on an extremely sensitive deadline, no task is worth getting frustrated or bummed about. I walk my dog, call a friend, eat some dark chocolate, and come back when I’m in a better place. I’m happy to work an extra few minutes later in the day if necessary, and even tight deadlines can be negotiable sometimes if you’re honest with your boss, team, or customers. Your health is non-negotiable.”</em> - Andrew, Content</p> <h2 id="how-1password-can-play-a-role">How 1Password can play a role</h2> <p>There are countless ways to find your productivity rhythm. Just like your <a href="https://blog.1password.com/work-from-home-setups/">home desk setup</a>, it’s a personal journey that <a href="https://blog.1password.com/how-to-stay-inspired-working-from-home/">may call for creativity</a> – and celebration when things go right!</p> <p>If you’re looking for a specific tool to boost your productivity, try a password manager like 1Password. It can streamline your daily routines and reduce the stress of losing and resetting passwords all the time. 
It’ll also make you a more <a href="https://1password.com/resources/creating-a-culture-of-security/">active contributor to your company’s security</a>.</p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Try free for 14 days</h3> <p class="c-call-to-action-box__text"> Want to keep your entire team secure without slowing them down? Try 1Password Teams or <a href="https://1password.com/business/">1Password Business</a>! </p> <a href="https://1password.com/business-pricing/" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Try free for 14 days </a> </div> </section> <p>It can be tricky to balance security, productivity, and your mental health – especially in today’s world, where online threats are constantly evolving. Keep an open mind and try some different approaches – with a collaborative, empathetic spirit – and you’ll find a way to keep all these priorities in check, wherever your career takes you.</p></description></item><item><title>New 1Password SIEM integration with Sumo Logic and Panther</title><link>https://blog.1password.com/1password-siem-integration-sumologic-panther/</link><pubDate>Tue, 12 Jul 2022 00:00:00 +0000</pubDate><author>info@1password.com (Matt O'Leary)</author><guid>https://blog.1password.com/1password-siem-integration-sumologic-panther/</guid><description> <img src='https://blog.1password.com/posts/2022/1password-SIEM-integration-sumologic-panther/header.png' class='webfeedsFeaturedVisual' alt='New 1Password SIEM integration with Sumo Logic and Panther' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Reduce the time your team spends investigating security issues by using a customizable dashboard that shows your organization&rsquo;s entire security posture. 
With the new Sumo Logic and Panther integrations for 1Password, you can monitor potential risks around company data or credentials stored within 1Password.</p> <p>Now, as a <a href="https://1password.com/business/">1Password Business</a> customer, you can manage all your <a href="https://1password.com/security/">1Password security</a> reports in your security information and event management (SIEM) system from one central location.</p> <h2 id="1passwords-events-api-as-a-reporting-bridge">1Password’s Events API as a reporting bridge</h2> <p>As the cost of a data breach increases each year, <a href="https://www.ibm.com/security/data-breach">hitting $4.24 million in 2021</a>, businesses can no longer afford to set and forget their security protocols. To minimize risk, it’s important to keep track of your organization&rsquo;s security and address risks on a regular basis.</p> <p>With a dashboard covering events like failed sign-ins and item usage, along with security recommendations, 1Password is the easiest way to monitor and manage your organization&rsquo;s secrets while still securing employees.</p> <p>Sumo Logic and Panther are both SIEM systems that collect, aggregate, search, and monitor company data, and also notify you of any potential risks or attacks. They help reduce the time your team needs to spend investigating security and operational issues.</p> <p>Using the <a href="https://support.1password.com/events-reporting/">1Password Events API</a>, Sumo Logic and Panther can now stream 1Password data into their own applications for customers to use for dashboarding and analysis. 
It’s now a single place for you to assess security risks and create solutions to mitigate them.</p> <h2 id="everything-security-related-all-in-one-place">Everything security related, all in one place</h2> <p>Customize your dashboard, see everything in one place, save yourself time.</p> <p>With these new SIEM integrations, Sumo Logic and Panther customers will be able to track everything security-related in a single location. Enable your team to work smarter and faster while keeping your information secure. The integrations let you:</p> <ul> <li><strong>Track sign-in events.</strong> Be notified when there are both successful and failed login attempts.</li> <li><strong>Monitor item usage.</strong> Find out which users accessed or modified what items, and when.</li> <li><strong>Threat intel notifications.</strong> Discover any potential security risks or attacks with suggestions on how to handle them.</li> </ul> <p>View your 1Password security reporting in Sumo Logic and Panther, reducing the time spent jumping between different dashboards. Integrating with Sumo Logic and Panther is simple and secure, and can give your team everything they need to monitor your organization’s security health.</p> <h2 id="getting-started">Getting started</h2> <p>These SIEM integrations are available to anyone with a 1Password Business account and a Sumo Logic and/or Panther account.</p> <p>Not a 1Password Business or Teams customer? <a href="https://start.1password.com/sign-up/business?l=en/?utm_ref=blog">Try it free for 14 days</a>!</p> <p>If you’re already a customer of both 1Password and Sumo Logic or Panther, then you can <a href="https://support.1password.com/events-reporting/">get started and connect them</a> from the integrations directory in your 1Password Business account. 
Once you’ve integrated your SIEM partner with 1Password, check out <a href="https://support.1password.com/events-reporting/">1Password Support</a> to start enabling features.</p> <p>Interested in becoming an integration partner with 1Password? Email <a href="mailto:tech-partnerships@agilebits.com">tech-partnerships@agilebits.com</a> to get started.</p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Secure your business without slowing it down</h3> <p class="c-call-to-action-box__text"> Trusted by over 100,000 businesses, 1Password is the best way to protect your organization's secrets. </p> <a href="https://start.1password.com/sign-up/business?l=en/?utm_ref=blog" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Try 1Password free </a> </div> </section></description></item><item><title>Brick by brick: why Docusaurus is a powerful documentation framework</title><link>https://blog.1password.com/docusaurus-documentation-framework/</link><pubDate>Mon, 04 Jul 2022 00:00:00 +0000</pubDate><author>info@1password.com (Jody Heavener)</author><guid>https://blog.1password.com/docusaurus-documentation-framework/</guid><description> <img src='https://blog.1password.com/posts/2022/docusaurus-documentation-framework/header.png' class='webfeedsFeaturedVisual' alt='Brick by brick: why Docusaurus is a powerful documentation framework' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">At 2022’s AGConf (1Password’s annual employee conference), every employee received a goodie box to celebrate the event and the company’s successes over the past year. 
Our theme this year was “space”, so the goodie box included a kit for a Lego rocket ship (very appropriate considering our own CEO is a <a href="https://twitter.com/jeffreyshiner/status/978497319283834880">Lego aficionado</a>).</p> <p>Building the spaceship brought me back to when I was younger and played endlessly with those little bricks.</p> <p>For me, though, it wasn’t so much about building the specific items in a kit. Sure, I absolutely loved putting together the houses and planes and cars, but what I was most fascinated by was how I could use tiny bricks to expand my creation and build anything I could dream up. The possibilities were endless, my imagination ran wild, and sometimes – usually through dumb luck – I built something way cooler than what the kit offered in the first place.</p> <p>Late last year, I started exploring the React-based documentation framework <a href="https://docusaurus.io/">Docusaurus</a>, and spent a good chunk of time going through the documentation. (Surprise! They use their own product!) I got pretty familiar with how it works under the hood, and the ways in which it can be expanded on. It&rsquo;s also got a <a href="https://docusaurus.io/community/support">bustling community</a>, which is unsurprising since it’s entirely open source.</p> <p>When I joined 1Password earlier this year, where I would be driving the effort to stand up a <a href="https://developer.1password.com/">developer portal</a> for our new developer offerings, I was excited to learn that we’d chosen Docusaurus v2 as the framework to power it all. I’ve had a chance to really dig in since then, learning as much as I could about this powerful little static site generator.</p> <p>And it occurred to me recently that, with the way they’ve set it up, I’m reminded of those Lego creations: at its core it’s really just a bunch of individual pieces cleverly interlocked to create something far greater. 
It’s also built on a foundation designed to be entirely extensible.</p> <p>So I’d like to look at how Docusaurus is put together, and why it’s so great for <a href="https://developer.1password.com/">the 1Password developer portal</a>.</p> <h2 id="plugins-all-the-way-down">Plugins all the way down</h2> <blockquote> <p>Plugins are the building blocks of features in a Docusaurus 2 site. Each plugin handles its own individual feature.</p> </blockquote> <p>Docusaurus has handy plugin <a href="https://docusaurus.io/docs/api/plugin-methods/lifecycle-apis">lifecycle APIs</a>. When you start up the development server or generate a static bundle, each plugin kicks in and traverses through every stage of the lifecycle. With it, you can pull in data across all plugins simultaneously, register routes, validate configuration, and inject HTML tags, among many other things. Docusaurus leverages these same APIs to build up the overall user-facing functionality of the framework through their own collection of <a href="https://docusaurus.io/docs/api/plugins">plugins</a>.</p> <p>Consider the primary use case for Docusaurus: documentation. The <a href="https://docusaurus.io/docs/api/plugins/@docusaurus/plugin-content-docs">@docusaurus/plugin-content-docs plugin</a> powers this central feature for the framework. Its more immediate functionality comes from using the <code>loadContent</code> method to look for potentially localized and versioned sets of documentation on the filesystem, and <code>contentLoaded</code> to provide the structured route data for the core to register and produce HTML files. It also extends Docusaurus’ CLI to allow for tagging a new docs version, and even tells the dev server which files to watch, and in turn run the lifecycles again.</p> <p>The documentation plugin is obviously a huge part of Docusaurus, but they don’t stop there. 
Everything from the docs, to <a href="https://docusaurus.io/docs/api/plugins/@docusaurus/plugin-content-blog">blogging</a> and <a href="https://docusaurus.io/docs/api/plugins/@docusaurus/plugin-content-pages">individual pages</a>, all the way down to setting up <a href="https://docusaurus.io/docs/api/plugins/@docusaurus/plugin-google-analytics">Google Analytics</a> and <a href="https://docusaurus.io/docs/api/plugins/@docusaurus/plugin-sitemap">generating sitemaps</a> are all powered by plugins.</p> <p>So, why is this important?</p> <p>If you’ll allow me to borrow my Lego analogy again: Docusaurus’ plugin APIs mean that, while they provide you with a kit you can set up and build something really cool with, they’ve also provided you with the ability to extend the framework in any direction to build something to suit your exact needs (at least as far as static sites go).</p> <p>Great examples of this can be found on their <a href="https://docusaurus.io/community/resources#community-plugins">community plugins</a> page, where others have built plugins for <a href="https://github.com/easyops-cn/docusaurus-search-local">offline/local search</a> (we even use this today), adding <a href="https://github.com/rlamana/docusaurus-plugin-sass">SASS styles loading</a>, and <a href="https://github.com/rohit-gohri/redocusaurus">consuming OpenAPI specs</a> to generate full API documentation pages. And it couldn’t be easier to roll your own.</p> <p>Let’s say you wanted to load in some Google Fonts. 
Here’s what a plugin that does this by using the <code>injectHtmlTags</code> method might look like:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-javascript" data-lang="javascript">module.exports = function pluginGoogleFonts(context, options) {
  return {
    name: "plugin-google-fonts",
    injectHtmlTags: () =&gt; ({
      // Tell the browser we're going to be loading resources from these origins
      headTags: [
        {
          tagName: "link",
          attributes: {
            rel: "preconnect",
            href: "https://fonts.googleapis.com",
          },
        },
        {
          tagName: "link",
          attributes: {
            rel: "preconnect",
            href: "https://fonts.gstatic.com",
            crossorigin: "anonymous",
          },
        },
        // Load the Lobster font
        {
          tagName: "link",
          attributes: {
            rel: "stylesheet",
            href: "https://fonts.googleapis.com/css2?family=Lobster&amp;display=swap",
          },
        },
      ],
    })
  };
};
</code></pre></div><p>With this plugin in place, you can now freely use the Lobster font in your CSS. If you wanted to take it a step further and package this plugin up for distribution, you could even allow it to take an array of font names and weights as options to make it truly dynamic.</p> <p>In the future, as we expand our developer portal, you’re likely to see us build plugins for things like importing and rendering <a href="https://blog.1password.com/categories/developers/">developer blog posts</a>, highlighting integrations built by our developer community, and a whole lot more.</p> <h2 id="need-to-customize-it-swizzle-away">Need to customize it? Swizzle away.</h2> <p>Plugins aren’t limited to just extending functionality, either. They also deliver the look of the framework. 
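As an added example (not code from the post or from Docusaurus), here is the Google Fonts plugin taken the step the post suggests: it accepts an array of font families and weights as options, checks them before anything is interpolated into the stylesheet href, and builds the css2 URL from them. The option shape, the helper names and the hand-rolled validation are this example's own assumptions, not a Docusaurus API.

```javascript
// Added example (not code from the 1Password post or from Docusaurus): the
// Google Fonts plugin, extended to take an options object such as
//   { fonts: [{ family: "Lobster" }, { family: "Open Sans", weights: [400, 700] }] }
// The option shape, the helper names and the hand-rolled validation are this
// example's own assumptions, not a Docusaurus API.

const FONTS_CSS = "https://fonts.googleapis.com/css2";
const ALLOWED_WEIGHTS = new Set([100, 200, 300, 400, 500, 600, 700, 800, 900]);

// Check the options before anything from them reaches a <link href>. Family
// names are restricted to letters, digits and spaces, and weights to the
// standard values, so a typo or a stray "&" in the site config cannot add
// extra query parameters or point the stylesheet at a different host.
// (Docusaurus also offers a Joi-based validateOptions lifecycle; plain checks
// keep this example runnable offline.)
function validateFontOptions(options) {
  const fonts = options && options.fonts;
  if (!Array.isArray(fonts) || fonts.length === 0) {
    throw new Error("plugin-google-fonts: options.fonts must be a non-empty array");
  }
  return fonts.map((font, i) => {
    const family = font && typeof font.family === "string" ? font.family.trim() : "";
    if (!/^[A-Za-z0-9 ]+$/.test(family)) {
      throw new Error(`plugin-google-fonts: fonts[${i}].family must be a plain font name`);
    }
    const weights = font.weights === undefined ? [] : font.weights;
    if (!Array.isArray(weights) || !weights.every((w) => ALLOWED_WEIGHTS.has(w))) {
      throw new Error(`plugin-google-fonts: fonts[${i}].weights must be standard weights (100-900)`);
    }
    // Deduplicate and sort so the generated URL is stable between builds
    return { family, weights: [...new Set(weights)].sort((a, b) => a - b) };
  });
}

// Build one css2 URL for all fonts, in the same format the single-font version
// used: ...css2?family=Lobster&family=Open+Sans:wght@400;700&display=swap
function buildGoogleFontsUrl(fonts) {
  const params = fonts.map(({ family, weights }) => {
    // encodeURIComponent turns spaces into %20; Google Fonts spells them "+"
    const name = encodeURIComponent(family).replace(/%20/g, "+");
    const spec = weights.length > 0 ? `:wght@${weights.join(";")}` : "";
    return `family=${name}${spec}`;
  });
  return `${FONTS_CSS}?${params.join("&")}&display=swap`;
}

// The plugin factory keeps the shape of the original: Docusaurus calls it with
// the site context and the options given in docusaurus.config.js, e.g.
//   plugins: [["./plugins/google-fonts", { fonts: [{ family: "Lobster" }] }]]
function pluginGoogleFonts(context, options) {
  const fonts = validateFontOptions(options);
  return {
    name: "plugin-google-fonts",
    injectHtmlTags: () => ({
      headTags: [
        // Tell the browser we're going to be loading resources from these origins
        { tagName: "link", attributes: { rel: "preconnect", href: "https://fonts.googleapis.com" } },
        {
          tagName: "link",
          attributes: { rel: "preconnect", href: "https://fonts.gstatic.com", crossorigin: "anonymous" },
        },
        // One stylesheet covering every configured family and weight
        { tagName: "link", attributes: { rel: "stylesheet", href: buildGoogleFontsUrl(fonts) } },
      ],
    }),
  };
}

// CommonJS export, as Docusaurus plugins are written (guarded so the example
// also loads where `module` is not defined)
if (typeof module !== "undefined") {
  module.exports = pluginGoogleFonts;
  module.exports.buildGoogleFontsUrl = buildGoogleFontsUrl;
  module.exports.validateFontOptions = validateFontOptions;
}
```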
Using the <code>getThemePath</code> method your plugin can tell Docusaurus where to find the React components that make up a theme, selectively overriding components from an existing theme or building your own theme from the ground up.</p> <p>One of the neatest features of Docusaurus is the ability to <a href="https://docusaurus.io/docs/swizzling">Swizzle a component</a>.</p> <blockquote> <p>[Swizzling] comes from Objective-C and Swift-UI: method swizzling is the process of changing the implementation of an existing selector (method). For Docusaurus, component swizzling means providing an alternative component that takes precedence over the component provided by the theme.</p> </blockquote> <p>What does this mean in practice? Well, our developer portal currently uses the default <a href="https://docusaurus.io/docs/next/api/themes/@docusaurus/theme-classic">Classic theme</a>, but if you check out our footer you’ll notice that it looks nothing like the footer in that theme. We wanted ours to share a consistent look with the one on <a href="https://1password.com/">1Password.com</a>, so we swizzled the existing Footer component by running the following command:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell">npm run swizzle @docusaurus/theme-classic Footer -- --eject </code></pre></div><p>This cloned the component out of the Docusaurus package and into our workspace. Now we&rsquo;ve got full agency over the look and feel of the site’s footer, while still being able to rely on the rest of the theme’s components, which also includes future updates. 
We’re going to be swizzling a fair bit this year as the developer portal evolves.</p> <img src='https://blog.1password.com/posts/2022/docusaurus-documentation-framework/1password_developer_portal_footer.png' alt='1Password.com footer next to default Docusaurus classic theme footer' title='1Password.com footer next to default Docusaurus classic theme footer' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>The framework ships with the Classic theme, and out of the box it does a fantastic job. As of April 2022 the theme selection is fairly limited for v2 of Docusaurus, with only the Classic theme and some extensions to it available. More are coming, though. One that I’m particularly looking forward to, a <a href="https://tailwindcss.com/">Tailwind</a>-powered theme, is also a great example of why I appreciate that they’re an open source project: it started as a <a href="https://github.com/facebook/docusaurus/issues/2961">community request</a>, grew in popularity, and over time evolved into <a href="https://github.com/facebook/docusaurus/issues/2961#issuecomment-1035892969">part of the roadmap</a>.</p> <h2 id="markup-or-markdown---how-about-both">Markup or Markdown - how about both?</h2> <p>As with every static site generator, it’s expected that Docusaurus would support Markdown - and they took it a step further, using <a href="https://docusaurus.io/docs/markdown-features/react">MDX</a> to parse content. MDX allows you to write JSX (React components) alongside your Markdown, allowing seamless native integration with the rest of the React app, which eventually gets all compiled down to HTML. This concept of static site generators interlacing Markdown with another syntax to extend the capabilities of its documentation is not new, but what gets me excited is the power that JSX affords us. You’re not limited to static HTML or shortcodes. 
Instead you get the full power of JSX components, meaning it’s possible to build fully styled, rich components that you can embed right in your content.</p> <p>MDX also supports <a href="https://github.com/remarkjs/remark">Remark</a> and <a href="https://github.com/rehypejs/rehype">Rehype</a> plugins, allowing you to augment the syntax and replace content on the fly. What can we do with this? Docusaurus demonstrates this well by creating its own plugins for <a href="https://github.com/elviswolcott/remark-admonitions">admonitions</a>, <a href="https://github.com/facebook/docusaurus/blob/main/packages/docusaurus-mdx-loader/src/remark/toc/index.ts">table of contents</a> generation, and creating <a href="https://github.com/facebook/docusaurus/blob/main/packages/docusaurus-mdx-loader/src/remark/headings/index.ts">heading links</a>.</p> <p>There’s already a huge collection of plugins available for both Remark and Rehype, but if you need something a little more tailored to your specific use case creating <a href="https://docusaurus.io/docs/next/markdown-features/plugins#creating-new-rehyperemark-plugins">these types of plugins</a> is really straightforward, too. 
Consider this 13-liner that defaults Markdown code blocks to using Shell highlighting:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-javascript" data-lang="javascript">const visit = require(&#34;unist-util-visit&#34;);

module.exports = function pluginRemarkShellCode(context, options) {
  return (tree) =&gt; {
    visit(tree, (node) =&gt; {
      // If the node is a code block, but the language is not set
      if (node.type === &#34;code&#34; &amp;&amp; !node.lang) {
        // Set it to Shell
        node.lang = &#34;shell&#34;;
      }
    });
  };
};
</code></pre></div><p>Using <a href="https://www.npmjs.com/package/unist-util-visit">unist-util-visit</a> we can iterate across all nodes and their children to selectively modify the properties or contents of any node that matches our criteria. Now our Markdown files only need to specify a language for those code blocks that aren&rsquo;t using Shell.</p> <h2 id="fully-open-source">Fully Open Source</h2> <p>I’ve been heads down in Docusaurus for quite some time now, and it’s proven to be incredibly robust. But beyond the framework itself, I’ve also really appreciated the community behind it. From contributing my <a href="https://github.com/facebook/docusaurus/pulls?q=is%3Apr+author%3Ajodyheavener+sort%3Aupdated-desc+">own PRs</a> to the core, to getting help from team members themselves and other eager developers in their <a href="https://discord.com/invite/docusaurus">Discord server</a>, it’s been a pleasure creating with this extraordinary tool.</p> <p>Go check out the <a href="https://developer.1password.com/">1Password developer portal</a>, built with Docusaurus. I’m looking forward to showing off the cool things we’ve got planned for it down the road as we use these building blocks to create something really, really cool.</p></description></item><item><title>“Sign in with” anything – and save it in 1Password</title><link>https://blog.1password.com/sign-in-with-anything-browser-beta/</link><pubDate>Wed, 29 Jun 2022 00:00:00 +0000</pubDate><author>info@1password.com (Mitch Cohen)</author><guid>https://blog.1password.com/sign-in-with-anything-browser-beta/</guid><description> <img src='https://blog.1password.com/posts/2022/sign-in-with-anything-browser-beta/header.png' class='webfeedsFeaturedVisual' alt='“Sign in with” anything – and save it in 1Password' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">With so many ways to sign in to apps and services, there’s even more to keep track of. 
That’s why we’re introducing the ability to save and fill new kinds of logins in 1Password.</p> <p>Signing in to websites used to be as easy as filling in a username and a password. But lately, it’s started to feel more like a multiple choice exam. So many of us stare at login screens and wonder if we need to:</p> <p>a) “sign in with Google”<br> b) “continue with Facebook”<br> c) none of the above?</p> <p>“Sign in with…” buttons are becoming more popular, and it’s easy to see why. They let you reuse an account you already have, instead of creating a new one with a unique password for every site.</p> <img src='https://blog.1password.com/posts/2022/sign-in-with-anything-browser-beta/uso-1.png' alt='The sign in page for a popular website showing many different sign in options.' title='The sign in page for a popular website showing many different sign in options.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>But as convenient as these options are, they&rsquo;re not hassle-free. They still involve too many steps, clicks, and, yes – passwords. And it’s so easy to get lost in the sea of choices and forget which account or provider you used for which website.</p> <h2 id="no-password-no-problem">No password? No problem.</h2> <p>When we announced our <a href="https://www.future.1password.com/">vision of the future</a>, we introduced the concept of Universal Sign On. What that means to us is that logging in should be effortless, whether you use a password, your Facebook account, or anything else.</p> <p>Today we’re starting with a familiar kind of sign-in service (also known as social logins or SSO). When you visit a site and click a button like “Sign in with Google”, 1Password will remember your choice and offer to save it for you. 
And when you return to the site, 1Password will seamlessly authenticate you with your Google account.</p> <img src='https://blog.1password.com/posts/2022/sign-in-with-anything-browser-beta/uso-2.gif' alt='After signing in with a Google account, 1Password offers to remember this sign in choice for future visits.' title='After signing in with a Google account, 1Password offers to remember this sign in choice for future visits.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>It’s as easy as it sounds. Sign in however you prefer and let 1Password take care of the details.</p> <h2 id="join-the-1password-browser-beta">Join the 1Password browser beta</h2> <p>Today’s beta supports signing in to sites with Google, Facebook, and Apple, and we&rsquo;ll be adding support for more providers and sign-in methods going forward.</p> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div class="c-technical-aside-box__description"> <p>➡ <a href="https://1password.com/downloads/chrome-os/#beta-downloads">Get the 1Password browser beta</a></p> </div> </aside> <p>We’d also love for you to <a href="https://docs.google.com/forms/d/e/1FAIpQLSdqXy77pJUF3vT8ohKqkJNVne5AH4iQ7KR8n11P7quAeWHF4g/viewform">fill out our survey</a>. Even if you don’t use the beta, it’s an opportunity to share what you’d like to see in the future. Your feedback helps drive everything we do.</p> <p>The journey to Universal Sign On has begun, and we can’t wait for you to join us.</p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Try the 1Password browser beta</h3> <p class="c-call-to-action-box__text"> Download our browser beta and never forget whether you signed up with a password or social login service again. 
</p> <a href="https://1password.com/downloads/chrome-os/#beta-downloads" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Download the beta </a> </div> </section></description></item><item><title>Now you can securely share 1Password files and documents with anyone</title><link>https://blog.1password.com/1password-file-document-sharing/</link><pubDate>Tue, 28 Jun 2022 00:00:00 +0000</pubDate><author>info@1password.com (Jasper Patterson)</author><guid>https://blog.1password.com/1password-file-document-sharing/</guid><description> <img src='https://blog.1password.com/posts/2022/1password-file-document-sharing/header.png' class='webfeedsFeaturedVisual' alt='Now you can securely share 1Password files and documents with anyone' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">In October, we introduced a new way for 1Password customers to <a href="https://blog.1password.com/psst-item-sharing/">securely share virtually anything in their 1Password vault with anyone</a> – even if the recipient doesn’t use 1Password.</p> <p>Now we can remove that &ldquo;virtually&rdquo; bit. Item sharing now supports sharing documents (the Document item type in 1Password) and files (files attached to any other 1Password item, like logins, <a href="https://1password.com/features/secure-notes/">secure notes</a>, and credit cards). 📄🙌</p> <h2 id="what-is-1password-item-sharing">What is 1Password item sharing?</h2> <p>Item sharing with 1Password is the easiest way to share anything in your <a href="https://1password.com/resources/guides/create-and-manage-shared-vaults/">1Password vault</a> with anyone else. Let&rsquo;s say I want to share my bank account information with my partner.</p> <p>To do that, I first open the item in 1Password. 
Then I navigate to the item menu and select &ldquo;Share.&rdquo;</p> <img src="https://blog.1password.com/posts/2022/1password-file-document-sharing/Sharing_bank_account.png" alt="Sharing menu for a bank account in 1Password" title="Sharing menu for a bank account in 1Password" class="c-featured-image"/> <p>When I do, I&rsquo;ll see two options. I can set an expiration date for the sharing link I&rsquo;m about to generate, and I can choose to share it with anyone with the link, or only with people I specify. (If I restrict sharing to only people I specify, they&rsquo;ll need to verify their email address with a one-time code to view the item.) I can also toggle an option to make the link self-destruct after it&rsquo;s been viewed for the first time.</p> <p>When I select the &ldquo;Get Link to Share&rdquo; button, I then have the option to copy the share link I just generated. I can share that link wherever I wish – in an email or a chat, for example.</p> <img src="https://blog.1password.com/posts/2022/1password-file-document-sharing/Recipient_view_shared_bank_account.png" alt="Recipient view of bank account shared with 1Password" title="Recipient view of bank account shared with 1Password" class="c-featured-image"/> <p>When my recipient clicks the link, they&rsquo;ll see each field for that item – for a bank account, that may be the account number and routing number, possibly a PIN if I&rsquo;ve added one – in their web browser. They can copy each field individually, or save a copy of the item in their own 1Password account. That last bit&rsquo;s optional, though: recipients need not be 1Password customers to view a shared link.</p> <p>To recap: open the item in 1Password, share it, and send it. Easy.</p> <p>Want to see it in action? 
<a href="https://share.1password.com/s#xzfwdqmSxo2keFbYN8NaKUFlMstYTK5KLVBlkG1pBO4">We shared something with you to give you a sneak peek</a>.</p> <h2 id="how-to-share-documents-and-files-with-1password">How to share documents and files with 1Password</h2> <img src="https://blog.1password.com/posts/2022/1password-file-document-sharing/Shared_document.png" alt="Sharing menu for a document in 1Password" title="Sharing menu for a document in 1Password" class="c-featured-image"/> <p>Now, I can also follow the process outlined above to share <a href="https://support.1password.com/files/">a document I&rsquo;ve stored in 1Password</a>.</p> <img src="https://blog.1password.com/posts/2022/1password-file-document-sharing/Recipient_view_bank_account_attachment.png" alt="Recipient view of a bank account with attachment shared with 1Password" title="Recipient view of a bank account with attachment shared with 1Password" class="c-featured-image"/> <p>Or, I can attach a file to any other item type and that file will be available to the recipient just like all the other item fields. You can share images, Excel files, a plain text file of your grandmother&rsquo;s super secret banana bread recipe – whatever you&rsquo;d like.</p> <h2 id="share-anything-with-anyone-securely">Share anything with anyone, securely</h2> <p>Why is item sharing in 1Password such a big deal? We need to share sensitive stuff with other people all the time. When we do, we often share it in the most convenient way: <a href="https://1password.com/resources/the-family-password-paradigm/">through email or chat</a>, or by putting it in a <a href="https://1password.com/resources/risks-of-mismanaging-corporate-secrets/">spreadsheet or shared doc</a>.</p> <p>That, to put it mildly, is not secure.</p> <p>So why not make the easiest way to share the most secure way to share? 
With 1Password item sharing, you can still share those secrets in the apps and channels you already use, but with the knowledge that the item you share isn&rsquo;t actually hosted on that platform. Instead, you&rsquo;re sharing a secure link to the item, stored safely in 1Password.</p> <p>Turns out we aren’t alone in our desire for more secure sharing options. Since the launch of item sharing, more than 1 million items have been safely shared with 1Password. 🎉🤯</p> <h2 id="more-improvements-to-item-sharing">More improvements to item sharing</h2> <p>Document and file sharing aren&rsquo;t the only improvements to come to item sharing. We&rsquo;ve also added these other enhancements:</p> <ul> <li>Recipients will now see the item shared in their preferred language (based on their web browser settings)</li> <li>If the recipient&rsquo;s email address matches the domain used by the sharer, the recipient will now see an invitation to join the sharer&rsquo;s team in 1Password</li> <li>Senders can now share items with an entire domain while still requiring recipients to verify their email address</li> <li>Admins can limit item sharing verification to a predefined list of domains</li> <li>Admins can toggle email verification requirements for recipients</li> <li>Admins can specify the maximum and default duration of shared links</li> <li>Admins can require that items shared be limited to a single view</li> <li>You can now copy the original share link from 1Password by viewing the item&rsquo;s sharing history</li> <li>Visual improvements like new icons</li> <li>Workflow improvements like item templates</li> <li>Support for Large Type</li> </ul> <p>Item sharing is available now in <a href="https://1password.com/products/">1Password 8</a>. (Note that for <a href="https://1password.com/business/">1Password Business</a> customers, file sharing is disabled by default. 
<a href="https://support.1password.com/manage-item-sharing/">Admins can enable the feature</a> to allow file sharing on a per-account basis.)</p> <p>Happy sharing!</p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Get the newest generation of the world&#39;s most-loved password manager</h3> <p class="c-call-to-action-box__text"> Securely share documents, files, logins, and anything else you've stored in 1Password with 1Password 8. </p> <a href="https://1password.com/downloads/?utm_ref=blog" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Download 1Password 8 </a> </div> </section></description></item><item><title>WWDC22: Everything that caught our attention</title><link>https://blog.1password.com/wwdc22-roundup/</link><pubDate>Fri, 24 Jun 2022 00:00:00 +0000</pubDate><author>info@1password.com (Chris Brown)</author><guid>https://blog.1password.com/wwdc22-roundup/</guid><description> <img src='https://blog.1password.com/posts/2022/wwdc-2022-roundup/header.png' class='webfeedsFeaturedVisual' alt='WWDC22: Everything that caught our attention' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Each June, Apple hosts a week-long Worldwide Developers Conference (WWDC) to showcase exciting features for their upcoming OS releases, help developers learn new APIs, unveil fresh hardware, and more.</p> <p>This year’s WWDC followed a similar formula with previews of dramatic changes to the iPhone lock screen, improvements to how apps using SwiftUI can handle navigation, and the reveal of a redesigned MacBook Air powered by a new M2 processor.</p> <p>When WWDC rolls around, we like to set aside time to brainstorm new ways to improve the 1Password experience for our customers. 
Before the week was over we were able to put together some exciting ideas to really elevate 1Password on iOS and macOS.</p> <h2 id="log-in-with-passkeys">Log in with Passkeys</h2> <p>Earlier this month, we announced that we had joined the FIDO Alliance along with companies like Apple to help build the future of authentication. This year, Apple revealed Passkeys which will leverage the WebAuthn protocol. We’re excited to see how this space develops and will continue to work with the Alliance to create safer, simpler, and faster login solutions for everyone.</p> <h2 id="customizable-lock-screen-and-focus-filters">Customizable Lock Screen and Focus filters</h2> <p>During its keynote event, Apple showed off a reimagined iPhone and iPad Lock Screen. When iOS 16 launches later this year, users will be able to add widgets, use customized fonts, intelligently place photo subjects in the foreground, and even have different configurations for various Focus modes.</p> <p>This will allow us to display information about your vaults or items without asking you to unlock your device. For example, you could glance at a widget to quickly tell if 1Password is currently locked or unlocked.</p> <p> <video class="round shadow" style="display: block; margin: auto; padding: 0;"loop="loop" playsinline="" width="100%" alt='' controls> <source src="https://blog.1password.com/posts/2022/wwdc-2022-roundup/lock_screen_widget_demo.mp4" type="video/mp4" /> </video> </p> <p><em>Example of a potential Lock Screen widget showing when 1Password is locked or unlocked.</em></p> <p>Beyond the Lock Screen, Apple is also giving developers the option to filter content based on which Focus mode is currently active. 
This means we can show certain vaults when Focus is set to Work and others when it is set to Personal.</p> <p> <video class="round shadow" style="display: block; margin: auto; padding: 0;"loop="loop" playsinline="" width="100%" alt='' controls> <source src="https://blog.1password.com/posts/2022/wwdc-2022-roundup/focus_mode_demo.mp4" type="video/mp4" /> </video> </p> <p><em>Focus filters allow us to show only relevant items when users are at work or home.</em></p> <h2 id="programmatically-launch-safari-extensions">Programmatically launch Safari extensions</h2> <p>Last year, Apple introduced Safari web extensions for iOS and iPadOS, allowing us to launch <a href="https://blog.1password.com/1password-for-safari/">1Password for Safari</a> on Apple&rsquo;s mobile devices. At WWDC22, we learned that we now have the ability to programmatically open the <a href="https://1password.com/resources/guides/1password-for-google-chrome/">1Password extension</a> window. This means we can automatically open 1Password when you need it and save you some extra taps.</p> <h2 id="welcome-improvements-to-messages">Welcome improvements to Messages</h2> <p>iOS 16 will also bring some welcome features to the Messages app. Users will finally be able to edit, delete, and mark messages as unread. 
Deleting a message might sound useful when you want to temporarily share something like your WiFi password, but remember that 1Password’s <a href="https://blog.1password.com/psst-item-sharing/">Item Sharing</a> is an even more convenient and secure solution.</p> <p> <video class="round shadow" style="display: block; margin: auto; padding: 0;" loop="loop" playsinline="" width="100%" alt='' controls> <source src="https://blog.1password.com/posts/2022/wwdc-2022-roundup/messages_features.mp4" type="video/mp4" /> </video> </p> <h2 id="redesigned-macbook-air-with-m2-processor">Redesigned MacBook Air with M2 processor</h2> <p><a href="https://1password.com/mac/">1Password for Mac</a> has already been updated to run natively on Apple’s M1 chips and we’re excited to see how it will perform on the M2, which was officially unveiled during the WWDC22 keynote event.</p> <p>The first device that will use this new processor is the redesigned MacBook Air. In addition to the M2 chip, it features a design that closely resembles the most recent MacBook Pros with MagSafe charging, two Thunderbolt ports, a high-impedance headphone jack and two new finishes, Midnight and Starlight, to go along with the familiar Silver and Space Gray.</p> <img src='https://blog.1password.com/posts/2022/wwdc-2022-roundup/macbookair.jpg' alt='Four MacBook Air laptops in silver, space grey, starlight, and midnight colors.' title='Four MacBook Air laptops in silver, space grey, starlight, and midnight colors.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <h2 id="multitask-with-stage-manager">Multitask with Stage Manager</h2> <p>Macs running macOS Ventura and M1-powered iPads using iPadOS 16 will be able to automatically organize apps and windows in a single view using the new Stage Manager. 
This will allow users to easily switch between apps with a simple click or tap.</p> <img src='https://blog.1password.com/posts/2022/wwdc-2022-roundup/stagemanager.jpg' alt='An iPad showing two windowed apps and Stage Manager on the left-hand side of the screen.' title='An iPad showing two windowed apps and Stage Manager on the left-hand side of the screen.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>If you’re one of the lucky few testing <a href="https://1password.com/products/">1Password 8</a> for iOS and iPadOS, you may have seen that we now support opening items in a second window. For users with older devices that do not support Stage Manager, this is a fantastic way to view and edit items in 1Password at the same time.</p> <p> <video class="round shadow" style="display: block; margin: auto; padding: 0;" loop="loop" playsinline="" width="100%" alt='' controls> <source src="https://blog.1password.com/posts/2022/wwdc-2022-roundup/open-in-new-window.mp4" type="video/mp4" /> </video> </p> <p><em>Open an item in a new window to view items side by side.</em></p> <h2 id="a-new-regex-type-and-builder">A new Regex type and builder</h2> <p>Regular expressions (regex) are very powerful—and often very cryptic—search patterns that allow you to find very complex combinations of words or characters in text. Even to the most seasoned programmer, a regular expression can be a headache to write. Thankfully, the latest version of the Swift language has a dedicated type for creating a regex that allows the compiler to help validate the expression.</p> <pre tabindex="0"><code class="language-lang-swift" data-lang="lang-swift">let example = &quot;Hello, world. Welcome to WWDC22.&quot;
let regexLiteral = /Hello, (.+?). Welcome to WWDC(\d+)./

if let result = try regexLiteral.wholeMatch(in: example) {
    print(&quot;Name: \(result.1)&quot;) // &quot;Name: world&quot;
    print(&quot;Year: 20\(result.2)&quot;) // &quot;Year: 2022&quot;
}
</code></pre><p>In addition to literals, Apple introduced a more human-readable way to create complex regular expressions.</p> <pre tabindex="0"><code class="language-lang-swift" data-lang="lang-swift">let word = OneOrMore(.word)

let emailPattern = Regex {
    Capture {
        ZeroOrMore {
            word
            &quot;.&quot;
        }
        word
    }
    &quot;@&quot;
    Capture {
        word
        OneOrMore {
            &quot;.&quot;
            word
        }
    }
}

let text = &quot;My email is my.name@example.com.&quot;
if let match = text.firstMatch(of: emailPattern) {
    let (wholeMatch, name, domain) = match.output
    // wholeMatch is &quot;my.name@example.com&quot;
    // name is &quot;my.name&quot;
    // domain is &quot;example.com&quot;
}
</code></pre><p>These new features will allow us to more easily create search patterns for complex situations, like scanning credit card information into 1Password.</p> <p> <video class="round shadow" style="display: block; margin: auto; padding: 0;" loop="loop" playsinline="" width="100%" alt='' controls> <source src="https://blog.1password.com/posts/2022/wwdc-2022-roundup/credit_card_demo.mp4" type="video/mp4" /> </video> </p> <p><em>Using the new Regex type to search for credit card information.</em></p> <h2 id="wrapping-it-up">Wrapping it up</h2> <p>WWDC was a great opportunity for us to learn about what Apple has been working on and how we can use these announcements to build a simpler, smarter, and more secure 1Password. 
We’ll be heads down and working hard over the next few months to ensure 1Password is the best it can be on iOS 16, iPadOS 16, and macOS Ventura when they debut later this year.</p></description></item><item><title>Meet Katie Davis, Senior Developer at 1Password</title><link>https://blog.1password.com/meet-katie-davis/</link><pubDate>Thu, 23 Jun 2022 00:00:00 +0000</pubDate><author>info@1password.com (1Password)</author><guid>https://blog.1password.com/meet-katie-davis/</guid><description> <img src='https://blog.1password.com/posts/2022/meet-katie-davis/header.png' class='webfeedsFeaturedVisual' alt='Meet Katie Davis, Senior Developer at 1Password' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Have you ever wondered what it&rsquo;s like to work at <a href="https://1password.com/">1Password</a>? Or wanted to know the career paths that other people followed before taking a job here? You&rsquo;re not alone!</p> <p>In this new blog series, we&rsquo;re sharing what it&rsquo;s <em>really</em> like to work at 1Password. To do this, we sat down and talked to team members from across our more than 600-strong organization, including engineering, human resources, and customer support. You&rsquo;ll learn about the journeys that each person took to 1Password, as well as their current role and day-to-day responsibilities.</p> <p>First up is Katie Davis, Senior Developer at 1Password!</p> <p><strong>Why did you join 1Password, and how did you end up here?</strong></p> <p>I joined after hearing from a friend who had recently been hired that the culture was incredible, and that I should apply. I had used 1Password personally and professionally for years, so it was an easy sell. I was coming from a larger company and drawn to 1Password’s size and growth rate - it seemed like a place where I could make a positive impact as a developer. 
I applied online and was quickly won over by the warmth and curiosity of the folks interviewing me.</p> <p><strong>What’s your current role, and what are your day-to-day responsibilities?</strong></p> <p>I’m currently a Senior Developer on our Design System Tooling team! This team is brand new at 1Password, so the scope of my responsibilities changes frequently. Right now I’m working on the research and development for how our new design system will work, as well as the implementation of design tokens and components.</p> <blockquote> <p><em>&ldquo;I can’t think of a time where the work I’ve done as a developer was more wholesome.&rdquo;</em></p> </blockquote> <p>I get involved outside of my team with code reviews, interviewing, and dipping into conversations about front-end development at 1Password.</p> <p><strong>What is your favorite part of your role?</strong></p> <p>The autonomy that comes with it. My experience at 1Password has been that the folks you work with trust you to make great decisions for the product and features you’re working on. It leads to a lot of pride and ownership of the work you produce.</p> <p><strong>What keeps you motivated in your role?</strong></p> <p>Knowing that by working on tools that enhance our developer experience at 1Password, we can focus our efforts on creating better experiences for our customers. I love the idea of making my colleagues' jobs easier or better, so they can focus their brain power on providing a delightful user experience for folks who wanna keep their information safe on the internet!</p> <p>I can’t think of a time where the work I’ve done as a developer was more wholesome.</p> <p><strong>Any fun personal plans for 2022? How are you planning to use your paid time off (PTO)?</strong></p> <p>Right now the thing I’m most excited about – outside of work – is the summer. I can’t wait to spend a lot of time on Toronto island with my pals, or hosting dinner parties outside. 
I’m very grateful for the flexibility of remote work, because it enables me to soak up the sun whenever my brain needs it – which after winter in Canada is very much needed!</p> <p><em>Editor&rsquo;s note: This interview has been lightly edited for clarity and brevity.</em></p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Want to work for 1Password?</h3> <p class="c-call-to-action-box__text"> Browse our current job openings to see if there’s an opportunity that matches your career goals. </p> <a href="https://1password.com/jobs/?utm_ref=blog" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> View our open positions </a> </div> </section></description></item><item><title>Introducing 1Password for Visual Studio Code</title><link>https://blog.1password.com/1password-visual-studio-code/</link><pubDate>Wed, 22 Jun 2022 00:00:00 +0000</pubDate><author>info@1password.com (Jody Heavener)</author><guid>https://blog.1password.com/1password-visual-studio-code/</guid><description> <img src='https://blog.1password.com/posts/2022/1password-visual-studio-code/header.png' class='webfeedsFeaturedVisual' alt='Introducing 1Password for Visual Studio Code' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">In writing software, we’re used to embedding secrets and other configurable values right in the codebase. They might be Stripe keys to power your online shop, webhooks for a custom Slack bot, a Docker username and password for a CI config, AWS credentials, or an API token and host to set up 1Password <a href="https://developer.1password.com/docs/connect/">Connect</a>.</p> <p>Secrets are used <em>everywhere</em> in our code. Sometimes, though, we forget when we’ve been using real secrets in our work. 
Maybe there’s a leftover token you dropped in to build that one feature, or maybe you didn’t delete the <code>.env</code> file you set up to test drive the app. Now you’ve got to rotate your secrets because you accidentally committed and pushed sensitive values for the whole world to see. Yikes.</p> <p>We’ve all been there. That’s why I’m delighted that I get to announce the launch of the all-new <a href="https://developer.1password.com/docs/vscode/">1Password for VS Code extension</a>.</p> <h2 id="go-ahead-commit-your-secrets-references">Go ahead, commit your <del>secrets</del> references</h2> <p>With <a href="https://1password.com/products/secrets/">1Password Secrets Automation</a>, the 1Password Developer Products team introduced the concept of <a href="https://developer.1password.com/docs/cli/secrets-reference-syntax/">secret references</a>. It starts by storing a sensitive value, such as an API credential or client ID, in 1Password. That item and the field you&rsquo;d like to get the value from can then be retrieved through a special <code>op://</code> URL scheme that 1Password&rsquo;s tooling knows how to parse. It’s made up of three parts: vault, item, and field. This is known as a “secret reference”.</p> <p> <img src="https://blog.1password.com/posts/2022/1password-visual-studio-code/sr_light.png" alt="1Password Secret Reference example consisting of vault, item, and field" title="1Password Secret Reference example consisting of vault, item, and field" class="c-featured-image light"/> <img src="https://blog.1password.com/posts/2022/1password-visual-studio-code/sr_dark.png" alt="1Password Secret Reference example consisting of vault, item, and field" title="1Password Secret Reference example consisting of vault, item, and field" class="c-featured-image dark"/> </p> <p>Now, instead of using a real value in your configs, environment variable files, or anywhere else in the codebase, just drop in the secret reference in VS Code. 
When you do, only the reference lands in your repository: the real value stays in 1Password and is resolved by 1Password’s tooling when your code actually runs, so an accidental commit exposes a pointer rather than the secret itself.</p> <p>The best part? Through our <a href="https://developer.1password.com/">suite of tools and integrations</a>, you can work with references in both local and deployed environments.</p> <p>To help make sure you&rsquo;re not accidentally leaving secrets in your code, you can move them over to 1Password with just a couple of clicks. The extension uses a series of <a href="https://developer.1password.com/docs/vscode/#secret-detection">secret detection</a> techniques to look for values that might be sensitive. For each match, it makes an inline suggestion to store the value in 1Password, automatically replacing it with a secret reference.</p> <p> <video class="round shadow" style="display: block; margin: auto; padding: 0;" loop="loop" playsinline="" width="100%" alt='' controls> <source src="https://blog.1password.com/posts/2022/1password-visual-studio-code/Secret_Detection.mp4" type="video/mp4" /> </video> </p> <p>Secret reference integration doesn’t stop there. You can hover a reference to inspect the item and field details, click it to open the item in the desktop app, and even <a href="https://developer.1password.com/docs/vscode/#inspect-and-preview-secret-references">preview the real values</a> of an entire file full of references.</p> <p>Beyond secret detection suggestions, 1Password for VS Code makes it easy to <a href="https://developer.1password.com/docs/vscode/#get-values-from-1password">retrieve items</a> for use in your code, as well as <a href="https://developer.1password.com/docs/vscode/#save-in-1password">store any bits of code</a> you’d like in 1Password. If you’ve got multiple values you want stored in the same item – perhaps a username, password, and email – it supports that as well. 
Just select each value and run the “Save in 1Password” command.</p> <p> <video class="round shadow" style="display: block; margin: auto; padding: 0;" loop="loop" playsinline="" width="100%" alt='' controls> <source src="https://blog.1password.com/posts/2022/1password-visual-studio-code/Save_in_1Password.mp4" type="video/mp4" /> </video> </p> <h2 id="built-using-tools-available-to-everyone">Built using tools available to everyone</h2> <p>I’ll let you in on a little secret: we didn’t plan to build this extension. It wasn’t requested by our developer community, and wasn’t part of any roadmap. Instead, this extension began as a personal side project. I wanted to scratch my own itch and integrate 1Password more closely into my development workflow, and to generally <a href="https://developer.1password.com/">learn more about developing with 1Password</a>.</p> <p>So you can imagine my excitement when, after a quick demo on an internal call, I was invited to polish it up and get it slated for release.</p> <p>To my delight, after demoing the extension and then going on vacation, <a href="https://www.youtube.com/watch?v=hghKTE_pUaQ">Dave posted a video</a> of the presentation from his <a href="https://blog.1password.com/1password-cli-2_0/">CLI launch blog post</a> and it was met with some pretty wild enthusiasm from the developer community. 
There was even some love for it at our <a href="https://www.reddit.com/r/1Password/comments/ui9exd/comment/i7fyfp9/">1Password 8 for Mac Reddit AMA</a>:</p> <img src="https://blog.1password.com/posts/2022/1password-visual-studio-code/reddit_ama.png" alt="Reddit comment from user arnebr asking if the VS Code plugin will be live soon" title="Reddit comment from user arnebr asking if the VS Code plugin will be live soon" class="c-featured-image"/> <p>Although it wasn’t a goal from the outset, an interesting aspect of this project is that it’s built using only tools available to the public – there’s nothing internal or proprietary powering the features of the extension. We’ve even <a href="https://github.com/1Password/op-vscode">open-sourced the whole project on our GitHub</a>, so if you want to help iterate on it or report an issue, that’s a great place to start.</p> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div class="c-technical-aside-box__description"> <p>VS Code extensions run in a Node environment, and we wanted to interact with the new CLI. So we built and open-sourced an entirely new package for doing exactly this: <a href="https://github.com/1Password/op-js">op-js</a>. It wraps the CLI with a simple-to-use JavaScript interface and ships with TypeScript declarations, making 60+ commands, including those that support biometric unlock, available to your Node-based application.</p> </div> </aside> <p>Ultimately my hope is that this extension demonstrates some of the neat ways you can extend the power of 1Password by building your own integrations, whether it be for yourself or others. And you should <a href="https://blog.1password.com/developers-deserve-great-ux/">have fun doing it</a>. We’re in early days here, with plenty more developer offerings coming down the line.</p> <p>I’d love to hear what you think, and we’ll be iterating on the extension as feedback rolls in. 
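</p> <p>The secret-reference and secret-detection behaviour described above, as an added example that is not code from the op-vscode extension or the op-js package: it parses <code>op://</code> references (the vault/item/field form described above, plus the optional section segment the CLI syntax allows), scans a constructed <code>.env</code> file for values that look like real credentials using a few known-prefix patterns and a Shannon-entropy check, and rewrites the flagged lines to references. The vault name <code>Dev</code>, the one-item-per-variable naming and the <code>credential</code> field name are assumptions made for the illustration, and every sample value is constructed, not a real key.</p>

```javascript
// Added example, not code from the op-vscode extension or op-js.
// Parses 1Password secret references and scans a .env file for values
// that should be moved into 1Password and replaced with references.

// op://<vault>/<item>/<field>, with an optional section segment before the field.
const SECRET_REF_RE = /^op:\/\/([^/]+)\/([^/]+)(?:\/([^/]+))?\/([^/]+)$/;

// Returns { vault, item, field } (plus section when present), or null if invalid.
function parseSecretReference(ref) {
  const m = SECRET_REF_RE.exec(ref.trim());
  if (!m) return null;
  const [, vault, item, section, field] = m;
  return section === undefined ? { vault, item, field } : { vault, item, section, field };
}

// Known credential formats: cheap prefix checks with very few false positives.
const KNOWN_PATTERNS = [
  { name: 'AWS access key ID', re: /^AKIA[0-9A-Z]{16}$/ },
  { name: 'Stripe live secret key', re: /^sk_live_[0-9A-Za-z]{24,}$/ },
  { name: 'GitHub personal access token', re: /^ghp_[0-9A-Za-z]{36}$/ },
  { name: 'Slack incoming webhook', re: /^https:\/\/hooks\.slack\.com\/services\/T[0-9A-Z]+\/B[0-9A-Z]+\/[0-9A-Za-z]+$/ },
];

// Shannon entropy in bits per character: random tokens score high, words and URLs low.
function shannonEntropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) {
    const p = n / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

const MIN_TOKEN_LENGTH = 32; // shorter strings are too noisy for the entropy rule
const ENTROPY_THRESHOLD = 4.0; // bits per character

// Returns a reason string if the value looks like a real secret, otherwise null.
function classifyValue(value) {
  if (SECRET_REF_RE.test(value)) return null; // already a reference, nothing to protect
  for (const { name, re } of KNOWN_PATTERNS) {
    if (re.test(value)) return name;
  }
  if (value.length >= MIN_TOKEN_LENGTH && !/\s/.test(value) && shannonEntropy(value) >= ENTROPY_THRESHOLD) {
    return 'high-entropy string';
  }
  return null;
}

// Splits one KEY=VALUE line; returns null for blanks, comments and lines without '='.
function parseEnvLine(line) {
  const t = line.trim();
  if (t === '' || t.startsWith('#')) return null;
  const eq = t.indexOf('=');
  if (eq === -1) return null;
  const key = t.slice(0, eq).trim();
  const value = t.slice(eq + 1).trim().replace(/^["']|["']$/g, '');
  return { key, value };
}

// Scans .env text and returns [{ line, key, reason }] for every suspicious value.
function scanEnv(text) {
  const findings = [];
  text.split('\n').forEach((line, i) => {
    const kv = parseEnvLine(line);
    if (!kv) return;
    const reason = classifyValue(kv.value);
    if (reason) findings.push({ line: i + 1, key: kv.key, reason });
  });
  return findings;
}

// Rewrites flagged lines to op:// references. Assumes (for illustration only) one item
// per variable, named after the variable, with the value in a field called "credential".
function replaceWithReferences(text, vault) {
  const flagged = new Set(scanEnv(text).map((f) => f.key));
  return text
    .split('\n')
    .map((line) => {
      const kv = parseEnvLine(line);
      return kv && flagged.has(kv.key) ? `${kv.key}=op://${vault}/${kv.key}/credential` : line;
    })
    .join('\n');
}

// Constructed sample .env; none of these values are real credentials.
const SAMPLE_ENV = [
  '# constructed sample, not real credentials',
  'APP_ENV=production',
  'DEBUG=false',
  'DATABASE_URL=postgres://localhost/app',
  'AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE',
  'STRIPE_SECRET_KEY=sk_live_EXAMPLEEXAMPLEEXAMPLE0000',
  'SLACK_WEBHOOK=https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX',
  'CI_TOKEN=x7Kq2mVp9sLw4nRt8bZc3yHd6fGj1aEu5oNi0',
  'OP_CONNECT_TOKEN=op://Dev/Connect Server/credential',
].join('\n');

for (const f of scanEnv(SAMPLE_ENV)) console.log(`line ${f.line}: ${f.key} looks like a ${f.reason}`);
console.log(replaceWithReferences(SAMPLE_ENV, 'Dev'));
```

<p>The entropy rule is deliberately conservative (32 or more characters at 4.0 bits per character), which is why <code>DATABASE_URL</code> is left alone while the random CI token is flagged, and a value that is already an <code>op://</code> reference is never touched. The extension’s own detection heuristics live in the op-vscode repository linked above; this block is an independent sketch of the idea, not a copy of them.</p> <p>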
Learn more about <a href="https://developer.1password.com/docs/vscode/">1Password for VS Code</a> and our other developer tools by checking out our <a href="https://developer.1password.com/">developer portal</a>. While you’re there, consider joining our <a href="https://1password-devs.slack.com/join/shared_invite/zt-15k6lhima-GRb5Ga~fo7mjS9xPzDaF2A#/shared-invite/email">Developer Slack workspace</a>, where you’ll find me and others on the Developer Products team who are eager to hear how you’re incorporating 1Password into your development workflow. And if you’re building something cool, be sure to tag it <a href="https://twitter.com/hashtag/buildwith1password?f=live">#BuildWith1Password</a>!</p> <p>Finally, we owe a tremendous debt of gratitude to <a href="https://www.linkedin.com/in/mikeselander/">Mike Selander</a>, <a href="https://www.linkedin.com/in/chrisdunnbirch/">Chris Dunn-Birch</a>, <a href="https://www.linkedin.com/in/florisvdg/">Floris van der Grinten</a>, the incredibly helpful folks over in the <a href="https://github.com/1Password/op-vscode/blob/main/CONTRIBUTING.md#acknowledgments">VS Code Extension community</a>, and so many more for providing endless help and guidance while working on this project. Thank you!</p></description></item><item><title>Announcing Insights from 1Password</title><link>https://blog.1password.com/announcing-insights/</link><pubDate>Tue, 21 Jun 2022 00:00:00 +0000</pubDate><author>info@1password.com (Peter Merkulov)</author><guid>https://blog.1password.com/announcing-insights/</guid><description> <img src='https://blog.1password.com/posts/2022/announcing-insights-from-1password/header.png' class='webfeedsFeaturedVisual' alt='Announcing Insights from 1Password' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">IT and security professionals rely on one thing above all else to minimize risk: information. 
Today, we&rsquo;re announcing a brand new way for 1Password Business customers to view their account security posture with unprecedented visibility into password health, data breaches, and team usage.</p> <p>Say hello to <a href="https://support.1password.com/insights/">Insights from 1Password</a>, a new way to monitor and mitigate security risks across your business.</p> <div style="text-align: center !important;"> <iframe src="https://www.youtube-nocookie.com/embed/jDupEdGUuS8" frameborder="0" allow="autoplay; encrypted-media" width="500px !important;" height="281px !important;" style="width: 500px !important; height: 281px !important; display: inline-block !important" allowfullscreen></iframe> </div> <p>The Insights dashboard consolidates information already available in places like the Team report, domain breach report, and Watchtower reports in one glanceable dashboard. Open the detailed view of a particular section to see and act on the insights presented in the dashboard view. Dive deeper still by accessing the complete report to get the full picture.</p> <p>Use Insights to get ahead of potential security risks and take action on those risks with suggested next steps, all in one place – because you can’t protect what you can’t see.</p> <h2 id="illuminating-and-eliminating-risk">Illuminating and eliminating risk</h2> <p>Imagine you&rsquo;re a small business owner, tasked not only with running your business but also protecting it. 
You know that every reused password increases your risk of a security incident, so you put a strict policy in place prohibiting reuse.</p> <p>But how do you know that guideline is being followed?</p> <p>Now imagine you&rsquo;re an IT manager who uses the <a href="https://1password.com/business/domain-breach-report/">domain breach report</a> built into 1Password to monitor potential breaches – and you just realized that half a dozen people in Sales are using compromised credentials to log into their CRM.</p> <p>What&rsquo;s the fastest way to resolve the situation?</p> <p>Finally, imagine you&rsquo;re a Security Manager who needs to report on broad risk factors every quarter. What information do you need? Where do you find it? And how do you export it all?</p> <h2 id="your-new-security-dashboard">Your new security dashboard</h2> <img src="https://blog.1password.com/posts/2022/announcing-insights-from-1password/insights_dashboard1.png" alt="1Password Insights dashboard" title="1Password Insights dashboard" class="c-featured-image"/> <p>Insights from 1Password gives you a single place to:</p> <ul> <li>Understand security risks across your workforce.</li> <li>Act on those insights to mitigate risk.</li> <li>Communicate those risks and share security insights easily.</li> </ul> <p>Your insights dashboard is divided into three sections with high-level security data for breach checks, password health, and team usage. Drilling down into each section provides a detailed report on that data with suggested actions to mitigate risk and improve your security posture.</p> <h2 id="act-on-domain-breaches">Act on domain breaches</h2> <p> <img src="https://blog.1password.com/posts/2022/announcing-insights-from-1password/data_breaches2.png" alt="Breach checks in 1Password Insights" title="Breach checks in 1Password Insights" class="c-featured-image"/> The breach checks section provides information on breaches of company-owned domains. 
Like the domain breach report and <a href="https://watchtower.1password.com/">Watchtower</a>, this section checks your company-owned domains against the Have I Been Pwned database for potential breaches.</p> <p>If a breach is detected, you can select the relevant card to see more details, like who&rsquo;s been affected and the date of the breach. In the left sidebar, you&rsquo;ll see a suggested action. Selecting &ldquo;Notify everyone affected&rdquo; will open a new window. From there, you can type in a quick message and select &ldquo;Send notification email&rdquo; to notify everyone affected by the breach in one go – all without leaving your insights dashboard.</p> <p>If anyone affected by the breach isn&rsquo;t using 1Password, you can send a message inviting them to set up their 1Password account and change their login credentials.</p> <h2 id="monitor-password-health">Monitor password health</h2> <img src="https://blog.1password.com/posts/2022/announcing-insights-from-1password/password_health1.png" alt="Checking password health in 1Password Insights" title="Checking password health in 1Password Insights" class="c-featured-image"/> <p>The second section of your dashboard aggregates 1Password Watchtower data so you can easily identify vaults containing weak, reused, or compromised passwords.</p> <p>Notice something amiss? Open the detailed view to see the full range of risks across shared vaults with a new business Watchtower report. Use the suggested action to send a quick message to affected vault owners with instructions on how to update the affected items.</p> <p>If you have access to the business Watchtower report and the affected vault, you can open the relevant items directly in Watchtower.</p> <p>Need to share that data? 
Export your Watchtower reports in CSV format, print them, or use the individual share links in 1Password.</p> <h2 id="monitor-shadow-it-and-other-risks">Monitor shadow IT and other risks</h2> <img src="https://blog.1password.com/posts/2022/announcing-insights-from-1password/team_usage1.png" alt="Team usage stats in 1Password Insights" title="Team usage stats in 1Password Insights" class="c-featured-image"/> <p>The third section of your dashboard includes information on 1Password usage across the company. Here you can see who has (or hasn&rsquo;t) been using 1Password to generate strong passwords and who isn&rsquo;t yet using their private vault.</p> <p>You can also see who hasn&rsquo;t yet redeemed their personal 1Password Families account – and send them reminders to help them stay secure at home and build a strong security mindset.</p> <p>Together, these features help you keep eyes on <a href="https://blog.1password.com/remote-work-shadow-it/">shadow IT</a> — if your colleagues aren’t storing credentials in 1Password, that’s a strong signal that they may be creating accounts the security team doesn’t know about.</p> <h2 id="reporting-on-risk">Reporting on risk</h2> <img src="https://blog.1password.com/posts/2022/announcing-insights-from-1password/business_watchtower_report1.png" alt="Watchtower report in 1Password Insights" title="Watchtower report in 1Password Insights" class="c-featured-image"/> <p>As a security professional, you’re not just tasked with mitigating risk: You often need to communicate those risks to leadership so everyone has a better understanding of where the company stands at any given time.</p> <p>That’s why we&rsquo;ve armed those professionals with detailed reporting tools so they can share the insights found in their dashboard, making quarterly status reports and audit requirements simple.</p> <h2 id="preserving-privacy">Preserving privacy</h2> <p>Insights from 1Password is, above all, from 1Password – which means we&rsquo;ve taken every 
precaution to ensure that all the insights curated on your dashboard meet <a href="https://1password.com/legal/privacy/">our rigorous standards for privacy</a>.</p> <p>We don&rsquo;t have access to sensitive information like your team&rsquo;s password health. As always, we can&rsquo;t see your data, which means we can&rsquo;t use it, share it, or sell it.</p> <h2 id="get-started">Get started</h2> <p>Insights from 1Password is available now to <a href="https://support.1password.com/groups/">1Password Business customers who belong to an Owners or Security group</a>. Ready to take a deeper dive into all the new insights at your disposal? <a href="https://1password.com/webinars/">Join us for a walkthrough</a> on July 12, 2022 at 12 PM ET / 9 AM PT.</p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Get to know Insights from 1Password</h3> <p class="c-call-to-action-box__text"> Register to see Insights from 1Password in action on July 12, 2022 at 12 PM ET / 9 AM PT. </p> <a href="https://1password.com/webinars" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Register now </a> </div> </section></description></item><item><title>What is a Distributed Denial-of-Service (DDoS) attack?</title><link>https://blog.1password.com/what-is-a-ddos-attack/</link><pubDate>Thu, 16 Jun 2022 00:00:00 +0000</pubDate><author>info@1password.com (Emily Chioconi)</author><guid>https://blog.1password.com/what-is-a-ddos-attack/</guid><description> <img src='https://blog.1password.com/posts/2022/what-is-a-ddos-attack/header.png' class='webfeedsFeaturedVisual' alt='What is a Distributed Denial-of-Service (DDoS) attack?' 
style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">If you don&rsquo;t work in IT or security, there&rsquo;s no need to fret about every detail of every online danger. Nevertheless, it&rsquo;s worth being aware of the strategies and techniques that criminals are using to achieve their goals online.</p> <p>In this explainer, we&rsquo;ll be breaking down DDoS attacks to help you understand the basics and how you can be affected.</p> <h2 id="what-is-a-distributed-denial-of-service-ddos-attack">What is a distributed-denial-of-service (DDoS) attack?</h2> <p>A DDoS attack is a method that criminals use to overwhelm an online service, like a website, by bombarding it with junk internet traffic from many different sources at once. The sheer amount of traffic prevents real users from accessing the targeted sites or online services.</p> <h2 id="am-i-at-risk-of-a-ddos-attack">Am I at risk of a DDoS Attack?</h2> <p>The average person isn’t likely to be on the receiving end of a DDoS attack. However, you could be one of the users unable to access an online service because of one, or even own one of the devices being used to perpetrate an attack. If you’re running a business – big or small – you’re much more likely to be the target of a DDoS attack, and being aware of the potential risks is a great place to start when considering your security.</p> <h2 id="how-do-ddos-attacks-work">How do DDoS attacks work?</h2> <p>To carry out a DDoS attack, many internet-connected devices work together to attack one target, like a website or online service. It’s like thousands of people trying to call the same phone number at the same time – the line becomes busy, and no one can get through. An attack could be organized by a single criminal, or a group that shares the same goal.</p> <p>These criminals usually pull this off by taking advantage of a device’s security vulnerabilities and installing malware called a bot. 
Once enough devices are infected, they can form a group called a botnet. The attacker then instructs the botnet to overwhelm the target’s online services with more connection requests than can be handled.</p> <h2 id="why-do-ddos-attacks-happen">Why do DDoS attacks happen?</h2> <p>The motivations behind a DDoS attack vary, but generally, the goal is to cause disruption. A criminal could be interested in hacktivism, financial gain through extortion, or simply having “fun” by exploiting cybersecurity vulnerabilities. For businesses, DDoS attacks can result in disruption of services, lost business, and damaged reputations.</p> <h2 id="can-ddos-attacks-be-prevented">Can DDoS attacks be prevented?</h2> <p>For businesses: DDoS attacks can be hard to detect because they often look like normal technical problems, like slow network performance. You can&rsquo;t predict and perfectly prevent every kind of DDoS attack, but you should be mindful and take proactive measures. To reduce the likelihood of becoming a target – or to make a swift recovery if you do experience an attack – take the time to <a href="https://cloudsecurityalliance.org/blog/2021/06/04/7-simple-but-effective-tactics-to-protect-your-website-against-ddos-attacks-in-2021/">understand the available tactics to protect yourself</a> and work together with your IT and security teams to prepare.</p> <p>For individuals: You&rsquo;re unlikely to be the target of a DDoS attack, but that doesn&rsquo;t mean you shouldn&rsquo;t be taking measures to protect your devices from being used as part of a botnet or for other malicious purposes. 
Consider brushing up on the <a href="https://1password.com/resources/beginners-guide-to-cybersecurity/">basics of cybersecurity</a>, tightening up your <a href="https://blog.1password.com/secure-home-wifi-network/">Wi-Fi network</a>, and using a password manager like 1Password to help you monitor your digital safety.</p> <h2 id="the-more-you-know">The more you know</h2> <p>Just like with any kind of cybercrime, it’s important to be aware of your potential vulnerabilities, the opportunities for exploitation, and any other possible risks you face. Whether you’re running a business or you’re just an average internet user, you should always take steps to protect yourself.</p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Ready to protect yourself?</h3> <p class="c-call-to-action-box__text"> Keep all of your accounts secure with 1Password, the world’s most-trusted password manager. Get started today with a free 14-day trial. 
</p> <a href="https://1password.com/pricing/" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Try free for 14 days </a> </div> </section></description></item><item><title>Small Talk: mindfulness when surfing the web at work</title><link>https://blog.1password.com/small-talk-mindfulness-when-surfing-the-web/</link><pubDate>Fri, 10 Jun 2022 00:00:00 +0000</pubDate><author>info@1password.com (Andrew Zangre)</author><guid>https://blog.1password.com/small-talk-mindfulness-when-surfing-the-web/</guid><description> <img src='https://blog.1password.com/posts/2022/small-talk-mindfulness-when-surfing-the-web/header.png' class='webfeedsFeaturedVisual' alt='Small Talk: mindfulness when surfing the web at work' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Two decades ago, the web was a casual escape dominated by message boards, AOL Instant Messenger, and <a href="https://homestarrunner.com/main">Homestar Runner</a>. Only some people used it for work. Fast forward 20 years, and countless jobs require that you use the internet in some way. This has made it easier than ever to take a quick break, open a new tab, and do some personal surfing – blurring the line between work and leisure.</p> <p>While on the clock, it’s crucial that you and your employees use the internet wisely. Everyone needs a break, and watching the occasional funny video can actually be a healthy habit. But that doesn’t mean you can be careless, either. Everyone on your team should know how to browse wisely, securely, and respectfully while working or using company devices. 
Some basic online awareness can also be one of the most effective plays in <a href="https://1password.com/resources/ultimate-guide-to-securing-your-small-business/?utm_ref=resources">small business security</a>, while keeping your team mindful participants in a web-friendly workplace.</p> <h2 id="we-be-surfin">We be surfin’</h2> <p>Have you ever paused work to read an online movie review? Or used your phone to check social media notifications from the restroom? <a href="https://www.pcmag.com/news/who-uses-their-phone-on-the-toilet-most-of-us">You’re far from alone</a>. Some might even <a href="https://www.wsj.com/articles/your-co-worker-is-on-zillow-real-estate-porn-11647448641">find their dream home</a> in between meetings, thanks to the always-available internet.</p> <p>This behavior is only increasing as more companies experiment with remote and hybrid work. Our previously separate internet lives are being woven together: Millions of employees now <a href="https://www.techradar.com/news/over-half-of-employees-using-own-devices-and-software-to-work-from-home">use their own computer for work</a>, or have permission to use their work-issued laptop for personal use. And many have installed work apps like Slack or Microsoft Teams on their phone, which means their job comes with them to the grocery store, the movie theater, and on hikes (whenever they have signal).</p> <p>Casual, work-time web browsing is so popular – and so normal – that it’s been given a name: cyberloafing. 
Despite the negative (and delicious-sounding) name, cyberloafing has been linked to higher levels of employee satisfaction and <a href="https://www.fastcompany.com/90455798/this-is-why-surfing-the-web-can-make-you-more-productive-at-work">even productivity</a>.</p> <p>It’s a prime example of how “work” has changed, and keeps changing: Regular breaks should be encouraged for <a href="https://blog.1password.com/remote-work-mental-health/">good mental health</a>, and the internet – even though we’re using it all day long – is often the first choice as a distraction. It’s even more enticing if you work from home, without pesky co-workers or managers walking by and seeing that <a href="https://twitter.com/dog_feelings?lang=en">Thoughts of Dog Twitter feed</a> on your screen.</p> <h2 id="how-employees-can-surf-safely-and-respectfully">How employees can surf safely (and respectfully)</h2> <p>The overlap between work and the internet isn’t shrinking any time soon. If you’re a small business leader, it’s never been more important to give team members some guidelines for staying safe and respectful online. It’s something that affects both security and HR, as it will ensure employees don’t do anything inappropriate, illegal, or dangerous online.</p> <p>Not sure where to start? 
Here are a few ideas on what to include in your internet usage policy:</p> <p><strong>Do:</strong></p> <ul> <li>Create strong, unique passwords for every online account and web service</li> <li>Visit sites you know by manually typing in the URL</li> <li>Inspect links to ensure they’re sending you to a trustworthy site</li> <li>Watch for warnings from your browser about potentially unsafe pages</li> <li>Stick to HTTPS when possible, and consider enabling HTTPS-only mode where your browser supports it</li> </ul> <p><strong>Don’t:</strong></p> <ul> <li>Download or stream anything illegal or suspicious while on work devices or networks</li> <li>Connect to untrustworthy public Wi-Fi networks</li> <li>Click on pop-up ads or open links in unsolicited emails</li> <li>Fill out random forms around the web</li> <li>Disable your browser’s security features in order to view or download something</li> </ul> <p>Every business is different and yours likely has its own culture and philosophies around using the web and time management. Beyond these ground-level, security-minded tips, you’ll need to talk to your leadership team (if you have one) and decide the extent of what’s allowed and what isn’t.</p> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div class="c-technical-aside-box__description"> <p>1Password is a fully remote team who love sharing random web oddities with each other. We’re clearly pro-loafing to an extent, but we know this won’t be the case for everyone!</p> </div> </aside> <p>The key is to make sure your team is aware of your stance. Depending on your policies, you may want to mention that <a href="https://blog.1password.com/what-incognito-private-browsing-mode-does/">Incognito Mode</a> doesn’t entirely hide their browsing history, or that IT teams can read what they’re writing <a href="https://www.nytimes.com/wirecutter/blog/how-your-boss-can-spy-on-you/">in emails or messaging apps</a>. 
Also, remind them that content they consume during work hours could be seen or overheard <a href="https://blog.1password.com/webcam-security-zoom/">during video calls and meetings</a>.</p> <p>That’s a lot to keep track of! But you can sum it up for team members with a single piece of advice: Just think a <em>little</em> extra about what you’re doing on the web while at work.</p> <h2 id="lighting-the-way-to-mindful-habits">Lighting the way to mindful habits</h2> <p>If you run a small business, don’t ignore the issue and pretend your employees aren’t web surfing. You also shouldn’t punish them for doing so. The better plan: Make sure they’re <a href="https://www.pbs.org/newshour/economy/making-sense/column-why-bosses-should-let-employees-surf-the-web-at-work">doing it mindfully</a>, and <a href="https://www.bbc.com/worklife/article/20200206-cyberloafing-the-line-between-rejuvenating-and-wasting-time">in moderation</a>. You can nurture these habits by equipping team members with the right education and tools. That way they can navigate the web securely on their own – or with minimal assistance and oversight from IT.</p> <p>If you haven’t done so already, create an online security handbook that covers your employee internet and device protocols. Make these guidelines part of your onboarding and reinforce ideal habits with additional training sessions and educational materials. Make sure your IT/security team has an open-door policy so employees feel comfortable asking questions and coming forward with any potential mistakes or web-related concerns.</p> <p>When employees factor security into their daily routines, it naturally creates a strong defense against <a href="https://www.verizon.com/business/resources/reports/dbir/">the most prominent source of cyber attacks</a>: human error. This is what the term “<a href="https://blog.1password.com/security-culture-explained/">culture of security</a>” is all about. 
Focusing on human-centric security, with mindful habits across your workforce, is just as important as choosing the right security software.</p> <p>Strong leadership and thoughtful messaging go a long way. You can take it further by putting the right tools in your employees’ hands: devices approved by your IT department, privacy-centric browsers, and a password manager that helps them manage their accounts and other sensitive information.</p> <p>For example, 1Password can help everyone on your team stay <a href="https://blog.1password.com/small-talk-balancing-productivity/">both productive and secure</a> on the web. It will suggest strong passwords for new accounts and <a href="https://1password.com/features/autofill/">autofill</a> them on all your devices and browsers. 1Password also records the URL each password belongs to and only offers to fill it on a matching site, so a look-alike phishing page won’t get your credentials autofilled.</p> <h2 id="stay-alert-without-looking-over-their-shoulders">Stay alert without looking over their shoulders</h2> <p>As your team grows, so does the possibility of some online snafus. It’s important to keep tabs on your company’s digital defenses, but you need to strike a balance – monitoring employees too closely will lead to a <a href="https://www.theguardian.com/technology/2022/apr/27/remote-work-software-home-surveillance-computer-monitoring-pandemic">culture of surveillance</a> that creates stress and resentment.</p> <p>The trick is to find tools that let you monitor your overall level of security without being overly invasive. For example, with <a href="https://1password.com/business/domain-breach-report/">domain breach reports</a> in <a href="https://1password.com/business/">1Password Business</a> and Teams, you can quickly check if any company email address has been affected by a known data breach. 
If anything comes up, you can tell the affected employees to update their account details or, if necessary, deactivate the associated accounts.</p> <p>1Password Business customers can also view an <a href="https://support.1password.com/activity-log/">Activity Log</a> to see what noteworthy actions have been taken by team members. This will help ensure that the right people and devices are being given access to company passwords and other data.</p> <h2 id="keep-your-team-prepared-for-anything">Keep your team prepared for anything</h2> <p>The web is like a living organism, changing and evolving in real time. New sites and services are launching each day that influence our online routines. And as your employees’ web surfing changes, cybercriminals will keep adjusting their tactics accordingly. The bottom line: You can’t account for every future scenario in a single sheet of instructions.</p> <p>Instead, <strong>focus on giving your employees the skills to spot and avoid issues</strong>, and know that their decisions on the web can affect everyone around them – as well as your customers. Foster a safe and respectful culture, and help them sharpen or update their online habits on an ongoing basis. And make sure they know who they can talk to within your company when any questions arise.</p> <p>Thanks for reading! You are free to resume your loafing. 
🍞</p></description></item><item><title>Go ahead, delete your .env.example file</title><link>https://blog.1password.com/delete-your-example-env-file/</link><pubDate>Wed, 08 Jun 2022 00:00:00 +0000</pubDate><author>info@1password.com (Simon Barendse)</author><guid>https://blog.1password.com/delete-your-example-env-file/</guid><description> <img src='https://blog.1password.com/posts/2022/delete-your-example-env-file/header.png' class='webfeedsFeaturedVisual' alt='Go ahead, delete your .env.example file' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">When we develop software, it’s common practice for engineers to require system configuration in order to run a program. We specify instructions on how to set up your own local environment in a .env.example file or README.md file.</p> <p>For every project that we work on and for every configuration change of those projects, we need to do manual work to keep our local environments up to date so they continue to work. Often, this is a struggle. Also, aren’t we all sick of hearing “it works on my machine”?</p> <p>Why are we creating and maintaining this configuration manually? The reason: our required configuration contains sensitive values that should be kept secret. For this reason, the environment file that’s consumed by our applications is added to the .gitignore file, in order to avoid it being synced to source control.</p> <p>To date, there is no common practice to collaborate on and share these sensitive values securely and effectively. We’re either sharing the values insecurely (via email and other messaging apps), or adding to the hassle of configuring our environments by doing our own encryption inside source control using tools like GPG (do you also always forget which command to use?). 
Or, we manually copy sensitive values, for example by pairing with a colleague that already has the sensitive value on their machine.</p> <p>Why can’t we have a way to collaborate on configuration both effectively and securely? With the launch of <a href="https://1password.com/developers/">1Password Developer Tools</a>, let’s take a closer peek at an alternative way to collaborate on configuration to remove the hassle – and securely store and synchronize the sensitive values that we should keep secret.</p> <h2 id="a-new-way-to-collaborate-on-environment-configuration">A new way to collaborate on environment configuration</h2> <p>Instead of keeping the environment configuration out of source control, why don’t we just remove the sensitive values, so that we can enjoy all the benefits of collaboration that source control provides us?</p> <p>This is exactly what 1Password now allows you to do. You store the sensitive values in 1Password and replace those same values in your environment configuration with references to where these values are stored in 1Password. <a href="https://1password.com/downloads/command-line/">1Password CLI</a> loads these values from 1Password when and where you need them.</p> <p>Since the environment configuration no longer contains sensitive data, you can check it into source control, collaborate on it using pull requests, and every developer working on the project automatically receives the configuration they need when they check out a version of your source code.</p> <img src='https://blog.1password.com/posts/2022/delete-your-example-env-file/stripe_integration.png' alt='GitHub commit page authored by Simon Barendse to push changes to .env file including Stripe publishable key and secret key.' title='GitHub commit page authored by Simon Barendse to push changes to .env file including Stripe publishable key and secret key.' 
style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <h2 id="accelerate-onboarding">Accelerate onboarding</h2> <p>When new folks join the team or start working on a new project, there’s no longer a requirement to configure a local environment. Their manager can add them to the 1Password <a href="https://support.1password.com/custom-groups/">user group</a> for the team they just joined, which grants them access to the secrets they need to do their job. Instead of spending their first day struggling to get their environment configured, all the new developer needs to do is clone the repository and they’re good to go.</p> <img src='https://blog.1password.com/posts/2022/delete-your-example-env-file/gitcloning.gif' alt='Video showing a repository being cloned.' title='Video showing a repository being cloned.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>Let’s go a step further and automate access provisioning through the 1Password CLI so the new team member doesn’t need to be manually added to the user group by the manager. For example, one can grant access automatically when teammates are added to the GitHub project for which they require these secrets.</p> <h2 id="remove-interruptions-from-your-day-to-day">Remove interruptions from your day-to-day</h2> <p>When environment configuration is managed manually, your development workflow is interrupted when a colleague merges a change that requires configuration. Then, you have to redirect your attention to reproducing the environment of your colleague to fix your build, before you can continue developing another feature, costing the team valuable time.</p> <img src='https://blog.1password.com/posts/2022/delete-your-example-env-file/environment_variables.png' alt='List of user environment variables with their name and corresponding value.' title='List of user environment variables with their name and corresponding value.' 
style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>Using the new workflow enabled by 1Password, you no longer need to manually synchronize your environment to keep up with the state of the code-base. When your teammate makes a change to the codebase that requires a configuration change, they commit the required config change in the environment file together with the code changes. When you pull these new changes, you’re good to go. All the configuration is synchronized through source control and your environment no longer breaks. 🚀</p> <p>The file you’re using to configure the program when you’re developing the feature is the exact same file that you’ll check into source control and share with your colleagues. This ensures that the configuration is reproducible and complete. There’s no longer an additional .env.example or README.md file that you’ll need to separately update (and can forget to do) to inform your colleagues about the necessary changes.</p> <h2 id="achieve-devprod-parity">Achieve Dev/Prod parity</h2> <p>To prevent errors occurring in production that weren’t present during development, the <a href="https://12factor.net/dev-prod-parity">dev/prod parity factor</a> of the twelve-factor app states you should keep development, staging and production as similar as possible.</p> <p>For security, secrets should vary between the different environments. As traditional <code>.env</code> files contain the plaintext secrets, they aren&rsquo;t kept in source control. And to protect the production environment, access to the secret values is typically restricted to a smaller group (e.g. Operations or Sr. Devs). When (other) developers make changes to the application code that require a configuration change, they cannot edit the environment file that specifies the configuration the application requires in production. 
This friction can lead to missing configuration in production, which causes the application to not work properly, or not work at all in production.</p> <p>1Password secret references let you use a single configuration file for all environments. And because the configuration file no longer contains the secrets, all developers working on the application are allowed to access it and can write and review the configuration, without requiring access to the secrets themselves. The operations team uses the same configuration file for production as the developers do during development. They use the specification the developers have created to pass the intended credentials to the application. The configuration file serves as a shared contract between developers and operations engineers.</p> <pre tabindex="0"><code>DB_USER=op://my-project-$env/database/username
DB_PASSWORD=op://my-project-$env/database/password
STRIPE_PUBLISHABLE_KEY=op://my-project-$env/stripe/publishable-key
STRIPE_SECRET_KEY=op://my-project-$env/stripe/secret-key
</code></pre><p>Each reference has the shape <code>op://vault/item/field</code>; the <code>$env</code> placeholder selects the vault for the environment the application is running in, so the same file resolves to development credentials on a laptop and to production credentials in the operations pipeline.</p> <p><a href="https://blog.1password.com/developers-deserve-great-ux/">Developers deserve great UX, too</a>. They run the application with the required secrets after a touch of their fingerprint on their local workstation. In production, the operations team will use <a href="https://developer.1password.com/docs/connect/">1Password Connect</a> as a back-end to get optimal low-latency and control in their infrastructure.</p> <h2 id="improve-security">Improve security</h2> <p>Did you notice that throughout this new workflow the environment file on your system never has the plaintext secrets? The 1Password CLI passes the secrets to just the process running your application, adding to the security of your workflow. 
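</p> <p>To make that process-only hand-off concrete, here is an added example written for this page (it is not the 1Password CLI’s source code): a toy resolver in Go that parses a committed <code>.env</code> file whose values are <code>op://vault/item/field</code> references, looks each reference up in an in-memory stand-in for the vault, and passes the resolved values to a child process’s environment and nowhere else. The <code>.env</code> contents and vault entries are constructed, and the <code>$env</code> expansion rule and the <code>refPattern</code> format check are assumptions of the example rather than documented CLI behaviour.</p>

```go
package main

import (
	"bufio"
	"fmt"
	"os"
	"os/exec"
	"regexp"
	"strings"
)

// Constructed .env file in the shape the post shows: it holds only references,
// never the secrets themselves, so it is safe to commit.
const envFile = `# committed alongside the code
DB_USER=op://my-project-$env/database/username
DB_PASSWORD=op://my-project-$env/database/password
LOG_LEVEL=debug
`

// Vault is a constructed in-memory stand-in for 1Password, keyed by
// "vault/item/field". The real CLI fetches these values from your account.
type Vault map[string]string

var devVault = Vault{
	"my-project-dev/database/username": "app_dev",
	"my-project-dev/database/password": "s3cr3t-dev-only",
}

// refPattern accepts op://vault/item/field and op://vault/item/section/field.
var refPattern = regexp.MustCompile(`^op://[^/]+/[^/]+/(?:[^/]+/)?[^/]+$`)

// Entry is one KEY=value pair from the config file, kept in file order.
type Entry struct{ Key, Value string }

// ParseEnv reads KEY=value lines, ignoring blanks and # comments. Values may
// contain $name placeholders, expanded from the vars map; treating the page's
// $env that way is an assumption of this example, not documented CLI behaviour.
func ParseEnv(text string, vars map[string]string) ([]Entry, error) {
	var out []Entry
	sc := bufio.NewScanner(strings.NewReader(text))
	for n := 1; sc.Scan(); n++ {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		parts := strings.SplitN(line, "=", 2)
		if len(parts) != 2 {
			return nil, fmt.Errorf("line %d: expected KEY=value", n)
		}
		val := os.Expand(strings.TrimSpace(parts[1]), func(name string) string { return vars[name] })
		out = append(out, Entry{strings.TrimSpace(parts[0]), val})
	}
	return out, sc.Err()
}

// ResolveSecrets swaps every op:// value for the secret it points at and leaves
// plain values alone. A malformed or unknown reference is an error: failing
// loudly beats starting the application with an empty credential.
func ResolveSecrets(entries []Entry, vault Vault) ([]Entry, error) {
	resolved := make([]Entry, 0, len(entries))
	for _, e := range entries {
		if !strings.HasPrefix(e.Value, "op://") {
			resolved = append(resolved, e)
			continue
		}
		if !refPattern.MatchString(e.Value) {
			return nil, fmt.Errorf("%s: malformed secret reference %q", e.Key, e.Value)
		}
		secret, ok := vault[strings.TrimPrefix(e.Value, "op://")]
		if !ok {
			return nil, fmt.Errorf("%s: nothing stored at %s", e.Key, e.Value)
		}
		resolved = append(resolved, Entry{e.Key, secret})
	}
	return resolved, nil
}

// RunWithSecrets starts the command with the resolved values in its environment
// and nowhere else: the config file on disk never held plaintext, and the parent
// process exports the secrets to nothing but this one child.
func RunWithSecrets(entries []Entry, name string, args ...string) error {
	cmd := exec.Command(name, args...)
	cmd.Env = os.Environ()
	for _, e := range entries {
		cmd.Env = append(cmd.Env, e.Key+"="+e.Value)
	}
	cmd.Stdout, cmd.Stderr = os.Stdout, os.Stderr
	return cmd.Run()
}

func main() {
	entries, err := ParseEnv(envFile, map[string]string{"env": "dev"})
	if err == nil {
		entries, err = ResolveSecrets(entries, devVault)
	}
	if err == nil {
		err = RunWithSecrets(entries, "sh", "-c", `echo "connecting as $DB_USER at log level $LOG_LEVEL"`)
	}
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
}
```

<p>Run it with <code>go run .</code> and the child shell sees <code>DB_USER</code>, <code>DB_PASSWORD</code> and <code>LOG_LEVEL</code> while the file on disk still only contains references. Setting <code>env</code> to a vault that is not available (say <code>prod</code> on a developer laptop) fails before the application starts, which is the behaviour you want: a missing secret should never silently become an empty string. With the real CLI, the equivalent step is <code>op run --env-file=.env -- your-command</code>.</p> <p>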
The secrets are only kept in memory and never written to disk.</p> <p>Because synchronizing an updated secret with every developer on a project used to be such a hassle, many teams have come to accept that the secrets protecting their development environments are (almost) never rotated.</p> <p>In too many cases, former teammates <a href="https://1password.com/resources/2021-state-of-secure-access-report/">can still access these environments</a>. Because this new way of collaborating on the environment configuration removes the manual steps required to synchronize changes, you can now rotate secrets as often as you like without interrupting the developers who use them: update the value in 1Password and every reference to it resolves to the new value on the next run. This matters most for development workflows that touch production infrastructure, which tend to be more sensitive; think of configuration for operations tooling and for infrastructure-as-code projects.</p> <h2 id="get-started-using-1password-environment-configuration-in-your-projects-today">Get started using 1Password environment configuration in your projects today</h2> <p>We’re curious what you think about this new way of collaborating on development environment configuration. How will you be using this? And where should we go with this next? <a href="https://1password.community/categories/cli">Let us know in the community</a>!</p> <p>Collaboration on environment configuration is just one of the many improvements we’re creating to make developers’ daily lives easier and more secure. 
Keep an eye out for more updates and <a href="https://1password.com/dev-subscribe/">subscribe to our developer newsletter</a> to be notified of new developments.</p> <p>To upgrade your team&rsquo;s productivity and security today, <a href="https://developer.1password.com/docs/cli/secrets-environment-variables/">get started with environment configuration using 1Password</a>.</p></description></item><item><title>We’ve joined the FIDO Alliance to build a better future for authentication</title><link>https://blog.1password.com/1password-is-joining-the-fido-alliance/</link><pubDate>Fri, 03 Jun 2022 00:00:00 +0000</pubDate><author>info@1password.com (Jeff Shiner)</author><guid>https://blog.1password.com/1password-is-joining-the-fido-alliance/</guid><description> <img src='https://blog.1password.com/posts/2022/1password-is-joining-the-fido-alliance/header.png' class='webfeedsFeaturedVisual' alt='We’ve joined the FIDO Alliance to build a better future for authentication' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">I’m happy to announce that 1Password has joined the <a href="https://fidoalliance.org/">FIDO Alliance</a> to help build safer, simpler, and faster login solutions for everyone. In fact, we’re already on our way … keep reading for a sneak peek at the future of authentication in 1Password.</p> <h2 id="passwordless-were-ready-when-you-are">Passwordless: we’re ready when you are</h2> <p>When it comes to online security, people are often at their most vulnerable when logging in to accounts. That’s <a href="https://1password.com/resources/guides/why-1password-is-worth-paying-for/">why 1Password</a> has spent the better part of two decades making that process safer, easier, and more convenient for our customers.</p> <p>As technology advances, new methods of authenticating – including passwordless – continue to appear. By joining the FIDO Alliance, we’re taking an active role in shaping what comes next. 
As more services adopt passwordless approaches for authentication, 1Password will be ready to ensure our customers can log in securely without worrying about what technology is under the hood.</p> <p>This is an important step toward <a href="https://www.future.1password.com/">our vision</a> of a future where signing in is no longer complicated. Where your password manager doesn’t just remember your password, it remembers whether or not you even used one for that account.</p> <p>The best part? That future is closer than you think.</p> <h2 id="a-sneak-peek-at-passwordless-support-in-1password">A sneak peek at passwordless support in 1Password</h2> <p>Our team is always looking for ways to leverage the latest research and innovations to keep you safer. Today, we’d like to give you a sneak peek at a new feature we’ve been working on behind the scenes – one we’re really excited about.</p> <p>In time, you’ll be able to use your 1Password desktop application as a WebAuthn authenticator. WebAuthn is a web standard jointly developed by the FIDO Alliance and the World Wide Web Consortium (W3C). It uses public-key cryptography to make passwordless logins easy and universal: each site gets its own key pair, the private half never leaves the authenticator, and the signed login response is bound to the site’s origin, which is what makes it resistant to phishing.</p> <p>The usual downside of WebAuthn is its reliance on a dedicated hardware authenticator, which can be lost, stolen, or just not at hand when you need it. 
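</p> <p>To make the public-key exchange above concrete, here is an added example written for this page (it is not 1Password code): a WebAuthn-style login assertion in Go. The authenticator keeps the private key, the role the post describes 1Password taking on, and signs the relying party’s challenge together with the origin the browser observed; the relying party verifies the result with the public key it stored at registration. The relying party ID <code>example.com</code>, the origins, the fixed flag byte and the zero signature counter are constructed values, and real WebAuthn adds attestation, CBOR-encoded keys and a signature counter that this example leaves out.</p>

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// Authenticator holds a credential's private key. In the model the post
// describes, this lives inside the password manager instead of on a hardware
// token; the relying party only ever stores the matching public key.
type Authenticator struct {
	priv     *ecdsa.PrivateKey
	rpIDHash [32]byte
}

// NewAuthenticator creates a P-256 key pair scoped to one relying party ID.
func NewAuthenticator(rpID string) (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{priv: priv, rpIDHash: sha256.Sum256([]byte(rpID))}, nil
}

// PublicKey is the only key material the relying party keeps after registration.
func (a *Authenticator) PublicKey() *ecdsa.PublicKey { return &a.priv.PublicKey }

// Assertion is what the browser hands the relying party during login.
type Assertion struct{ AuthenticatorData, ClientDataJSON, Signature []byte }

// clientData: the browser, not the web page, fills in Origin, which is what
// defeats look-alike domains.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Sign builds authenticatorData (rpIdHash || flags || signCount) and signs
// SHA-256(authenticatorData || SHA-256(clientDataJSON)), as WebAuthn specifies.
func (a *Authenticator) Sign(challenge []byte, origin string) (*Assertion, error) {
	cd, err := json.Marshal(clientData{Type: "webauthn.get", Origin: origin,
		Challenge: base64.RawURLEncoding.EncodeToString(challenge)})
	if err != nil {
		return nil, err
	}
	// flags 0x01 = user present; a four-byte signature counter of 0 means "not supported"
	authData := append(append([]byte{}, a.rpIDHash[:]...), 0x01, 0, 0, 0, 0)
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, signedMessage(authData, cd))
	if err != nil {
		return nil, err
	}
	return &Assertion{AuthenticatorData: authData, ClientDataJSON: cd, Signature: sig}, nil
}

func signedMessage(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	msg := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return msg[:]
}

// Verify is the relying party's side: the challenge it issued, the origin and
// RP ID it expects, user presence, and only then the signature.
func Verify(pub *ecdsa.PublicKey, rpID, origin string, challenge []byte, as *Assertion) error {
	var cd clientData
	if err := json.Unmarshal(as.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" || cd.Challenge != base64.RawURLEncoding.EncodeToString(challenge) {
		return errors.New("wrong ceremony type or stale/replayed challenge")
	}
	if cd.Origin != origin {
		return errors.New("origin mismatch: assertion was made for another site")
	}
	ad, wantRP := as.AuthenticatorData, sha256.Sum256([]byte(rpID))
	if 37 > len(ad) || !bytes.Equal(ad[:32], wantRP[:]) || ad[32]&0x01 == 0 {
		return errors.New("authenticator data malformed, wrong RP ID, or user not present")
	}
	if !ecdsa.VerifyASN1(pub, signedMessage(ad, as.ClientDataJSON), as.Signature) {
		return errors.New("bad signature")
	}
	return nil
}

func main() {
	auth, _ := NewAuthenticator("example.com")
	challenge := make([]byte, 32) // the relying party issues a fresh random challenge per login
	rand.Read(challenge)
	as, _ := auth.Sign(challenge, "https://example.com")
	fmt.Println("genuine site:", Verify(auth.PublicKey(), "example.com", "https://example.com", challenge, as))
	fmt.Println("look-alike site:", Verify(auth.PublicKey(), "example.com", "https://examp1e.com", challenge, as))
}
```

<p>The order of checks in <code>Verify</code> is the point: a phishing page on <code>examp1e.com</code> can relay a genuine assertion, but the browser recorded the real origin in <code>clientDataJSON</code> and the signature covers that data, so the relying party rejects it before the key is even consulted. Whether the private key sits on a hardware token or inside a password manager does not change this property; what matters is that it never leaves the authenticator.</p> <p>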
We’ve addressed this shortcoming by integrating your private keys directly into 1Password.</p> <p>Here’s what it looks like in action:</p> <div style="text-align: center !important;"> <iframe src="https://www.youtube-nocookie.com/embed/lYFxfchhR1g" frameborder="0" allow="autoplay; encrypted-media" width="500px !important;" height="281px !important;" style="width: 500px !important; height: 281px !important; display: inline-block !important" allowfullscreen></iframe> </div> <p>While it’s still early days for this functionality, we’re working hard to bring it to you as quickly as we can - be sure to <a href="https://1password.com/downloads/">download 1Password 8</a> to be among the first to try it when it&rsquo;s ready! By joining the FIDO Alliance, we can advocate for wider adoption of these technologies and help everyone reap the benefits.</p> <p>What has always mattered most to us is making it easy for our customers to get their work done, with the peace of mind that comes from knowing they aren’t trading away their security or privacy along the way.</p></description></item><item><title>Strong unique voices: Celebrating and honoring Pride Month</title><link>https://blog.1password.com/strong-unique-voices-celebrating-pride/</link><pubDate>Thu, 02 Jun 2022 00:00:00 +0000</pubDate><author>info@1password.com (Jeff Shiner)</author><guid>https://blog.1password.com/strong-unique-voices-celebrating-pride/</guid><description> <img src='https://blog.1password.com/posts/2022/strong-unique-voices-celebrating-pride/header.png' class='webfeedsFeaturedVisual' alt='Strong unique voices: Celebrating and honoring Pride Month' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Pride Month is about coming together to honor, celebrate, and show support for the LGBTQ+ community. 
A number of our 1Password team members are part of the LGBTQ+ community, and it’s important to me personally, and to us as a company, to be allies and create space for everyone to be their truest selves. While we’re celebrating Pride this month, showing support for the LGBTQ+ community year-round is important to us, which is why we’ve created a number of programs to champion equity and diversity on an ongoing basis at 1Password.</p> <p>Alongside my colleagues and team this month, I’m taking the step to make my pronouns more visible across my social channels as well as internally across Slack and Zoom. I do this to normalize the use of sharing pronouns in advance of meeting new team members and colleagues, and to ensure that no 1Password team members feel they are alone in declaring who they are at work.</p> <p>We’ll be hosting a number of learning sessions that will be led by speakers and organizations who are part of the LGBTQ+ community. These talks and seminars will focus both on educating our team on being supportive allies, and also providing useful information for those who identify as part of the community.</p> <h2 id="how-were-celebrating-pride">How we’re celebrating pride</h2> <p>Kicking off our celebration will be a keynote by <a href="https://twitter.com/CheddarGawjus">Cheddar Gorgeous</a>, a gender-divergent drag artist and producer. We also have <a href="https://www.queerevents.ca/">Queer Events</a> hosting two workshops for our Customer Service team, so they have the right tools to support all of our customers.</p> <p>To help our 1Password culture continue to encourage and exemplify a safe space for everyone, we invited <a href="https://www.cglcc.ca/">Canada’s LGBT+ Chamber of Commerce</a> to speak to our team about creating a welcoming and accessible workplace. 
We’re also hosting a Pride-related financial wellness webinar that will provide information on how the Pride community can overcome unique financial challenges they may face because of their identity.</p> <p>Pride is about more than just an opportunity for education – it’s also a time for celebration. We want our team to have some fun this month, so we organized some exciting events including Drag Queen Trivia, hosted by <a href="https://www.withconfetti.com/product/virtual-drag-queen-trivia">Confetti</a>, and a Pride-themed trivia game hosted by <a href="https://barnonegames.com/pride-month-virtual-trivia">BarNone</a>.</p> <img src="https://blog.1password.com/posts/2022/strong-unique-voices-celebrating-pride/pride-quote-1.png" alt="Quotation from a 1Password employee—To me, Pride is a sense of belonging and community and being accepted for who you are. It’s acknowledging the past that led us here and the future of equity we continue to seek globally. Pride reminds us that we matter." title="Quotation from a 1Password employee—To me, Pride is a sense of belonging and community and being accepted for who you are. It’s acknowledging the past that led us here and the future of equity we continue to seek globally. Pride reminds us that we matter." class="c-featured-image"/> <h2 id="supporting-the-pride-community">Supporting the Pride community</h2> <p>There are so many amazing organizations working to improve and support the LGBTQ+ community. This year we’ll be donating to <a href="https://www.thetrevorproject.org/">The Trevor Project</a>, a suicide prevention and crisis intervention organization for LGBTQ+ youth. We’ll also be donating to <a href="https://pflagcanada.ca/">Pflag Canada</a>, a nonprofit organization which brings together family and friends of LGBTQ+ people to help themselves and their extended family understand and accept LGBTQ+ family members.</p> <p>At 1Password we use an internal rewards system called Bonusly. 
With Bonusly each employee is given an allowance of dollars that they can give to other employees for doing a good job, or to show support. This month we’re encouraging everyone at 1Password to use some of their Bonusly allowance to support the Trevor Project and the <a href="https://www.aclu.org/">ACLU</a>.</p> <h2 id="addressing-equality-all-year-long">Addressing equality all year long</h2> <p>While we’re looking forward to celebrating Pride throughout the month of June, addressing equality is a year-round commitment. In the past year, we’ve worked to formalize our DEIB (Diversity, Equity, Inclusion, and Belonging) initiatives. This started with myself and my C-Suite attending a multi-day course run by <a href="https://www.thereadyset.co/">ReadySet</a>, a firm specializing in helping work environments become more human-centric and inclusive.</p> <p>We also launched a program, Strong, Unique Voices (SUV), meant to amplify the voices of our strong, unique team members. Each month, we aim to celebrate a key cultural movement and provide education – from talks and seminars to recommending relevant podcasts, books, television shows, and documentaries. While Pride is our focus for June, support for the LGBTQ+ community continues year round, as does the support for other minority groups.</p> <img src="https://blog.1password.com/posts/2022/strong-unique-voices-celebrating-pride/pride-quote-2.png" alt="Quotation from a 1Password employee— Celebrating Pride with 1Password is very special to me. I am appreciated for my work, but also as a whole person for the first time in my career." title="Quotation from a 1Password employee— Celebrating Pride with 1Password is very special to me. I am appreciated for my work, but also as a whole person for the first time in my career." class="c-featured-image"/> <h2 id="growing-a-diverse-team">Growing a diverse team</h2> <p>For the past few years our 1Password team has nearly tripled in size, and we’re looking to continue growing. 
It’s important to us that our team’s growth reflects and includes talent across all races, ages, abilities, ethnicities, sexual orientations, and gender identities – just like the customers we serve. To help with this, we’re working with <a href="https://powertofly.com/">Power to Fly</a>, North America’s largest diversity job board, to find underrepresented talent.</p> <p>We want everyone who comes into contact with 1Password to feel welcome. To improve the interview experience, we ask all of our candidates to share their pronouns with us before our first meeting. We also encourage employees, if they’re comfortable, to make their pronouns visible on our internal platforms like Slack and Zoom.</p> <p>While June is Pride Month and we’re focusing on education and fun to celebrate, we know there’s more to do. We are committed to fostering a culture that not only promotes equality, but understands that there will always be new things to learn and new ways to recognize minority groups within 1Password. We’re committed to humanizing cybersecurity, and to do that we need to lift up everyone together.</p></description></item><item><title>1Password 8 🤩 Power to the Macs ~ from Dave's newsletter</title><link>https://blog.1password.com/dave-newsletter-may-2022/</link><pubDate>Thu, 26 May 2022 00:00:00 +0000</pubDate><author>info@1password.com (Dave Teare)</author><guid>https://blog.1password.com/dave-newsletter-may-2022/</guid><description> <img src='https://blog.1password.com/posts/2022/may-newsletter/header.png' class='webfeedsFeaturedVisual' alt='1Password 8 🤩 Power to the Macs ~ from Dave's newsletter' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Hello everyone, 👋</p> <p>I hope you’re doing well and enjoying weather as nice as we have here in Canada.</p> <p>It’s gardening season and I have big plans to make sure I (once again!) win my tomato competition with my neighbour. 
I’m on a winning streak and am planting twice as many this year to guarantee victory. 😃</p> <p><a href="https://1password.com/products/">1Password 8</a> has scored some big wins as well. Let’s take a look.</p> <h2 id="1password-8-for-mac-is-here">1Password 8 for Mac is here!</h2> <p>Mac is where it all began. Way back in 2006, Roustem and I coded the first version of 1Password on our shiny new PowerBook G4s. The love and support we received from the Mac community was tremendous and launched us to where we are today. 🥰</p> <p>Every year since we’ve pushed hard to create the best experience possible on Mac, and I’m thrilled to announce that 1Password 8 for Mac extends that tradition. 😍</p> <img src='https://blog.1password.com/posts/2022/may-newsletter/1password-8-mac.png' alt='1Password 8 for Mac showing a number of saved items including an Amazon account' title='1Password 8 for Mac showing a number of saved items including an Amazon account' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>1Password 8 integrates deeper and tighter with macOS than ever to bring you the most modern, productive, and secure version of 1Password yet. 🙌</p> <p><strong><a href="https://blog.1password.com/1password-8-for-mac/">1Password 8 for Mac announcement post</a></strong></p> <p>There were too many amazing features to fit into a single announcement post so we also created a showcase dedicated to 1Password 8 for Mac. 
I included 90 screenshots and the team created an absolutely incredible video as well so <a href="https://1password.com/mac/">click on through</a> and enjoy.</p> <div style="text-align: center !important;"> <iframe src="https://www.youtube-nocookie.com/embed/DVQnBzrDT88" frameborder="0" allow="autoplay; encrypted-media" width="500px !important;" height="281px !important;" style="width: 500px !important; height: 281px !important; display: inline-block !important" allowfullscreen></iframe> </div> <p>If you already have a 1Password membership, or if you belong to a team or family account, it’s easy to upgrade to 1Password 8. To get started, <a href="https://1password.com/downloads/mac/">download 1Password 8</a> and install it.</p> <p>If you are still using iCloud or Dropbox or WLAN Sync, you will need to <a href="https://support.1password.com/upgrade-mac/">migrate over your data</a> to use the new release. You can trade in your license for 50% off your first three years by launching 1Password 7 and clicking the upgrade link.</p> <p>Thank you for supporting us all these years and a double thank you to our nearly 40,000 beta family members who helped make this the best launch in the history of 1Password. We couldn’t have done it without you. 🤗</p> <p>Oh, I almost forgot: Mitch and Roo are hosting a live Get to Know 1Password 8 for Mac demo. Come join me and <a href="https://1password.com/webinars">watch it live on May 24th</a>.</p> <h2 id="linux-turns-1-">Linux turns 1 🎂</h2> <p>It was one year ago today that we welcomed 1Password for Linux to the family. Since then we’ve had seven big updates with hundreds of improvements.</p> <p>For their first birthday I thought it would be fun to take a look back at the highlights and new features we’ve brought to Linux over the last year.</p> <p><strong><a href="https://blog.1password.com/1password-linux-first-birthday/">Happy birthday, 1Password for Linux! 
🎉🥳</a></strong> <img src='https://blog.1password.com/posts/2022/may-newsletter/linux-watchtower.png' alt='Watchtower in 1Password for Linux with security score at the top and tiles for compromised websites, weak passwords, and inactive two-factor authentication below' title='Watchtower in 1Password for Linux with security score at the top and tiles for compromised websites, weak passwords, and inactive two-factor authentication below' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>I’m amazed to see what the team created over the first year and I’m looking forward to seeing what they create for all our users going forward. It’s been 17 years now but it still feels like we’re just getting started. 🤘</p> <p>Please keep in touch! Stop by <a href="https://1password.community">our forums</a> to chat, reply to this email, or reach out to me <a href="https://twitter.com/dteare">@dteare</a> or <a href="https://twitter.com/1password">@1Password</a> on Twitter.</p> <p>Until next time, take care and stay safe out there. 😘</p> <p>++dave;</p> <section class="c-call-to-action-box"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Dave&#39;s Newsletter</h3> <p class="c-call-to-action-box__text"> I wrote this letter for my newsletter subscribers and am sharing it here in case you missed it. Sign up and I'll send these directly to your inbox about once a month. 🤗 </p> <a href="https://1password.com/newsletter/" class="c-call-to-action-box__link-href" data-event-category="CTA" data-event-action="call-to-action-button"> Sign up to my newsletter </a> </div> </section> <p>P.S. My garlic that I planted last year to over winter has been tremendously successful. If you’re in the southern hemisphere, it’s about time to plant yours.</p> <p>P.P.S. I’m still struggling with blight on many of my crops. I haven’t found an effective defence yet. Any help would be appreciated. 
🤗</p></description></item><item><title>Quest for the Lost Console – a game by 1Password and Gen.G</title><link>https://blog.1password.com/gen-g-quest-for-the-lost-console/</link><pubDate>Tue, 24 May 2022 00:00:00 +0000</pubDate><author>info@1password.com (Kayla Tycholiz)</author><guid>https://blog.1password.com/gen-g-quest-for-the-lost-console/</guid><description> <img src='https://blog.1password.com/posts/2022/gen-g-quest-for-the-lost-console/header.png' class='webfeedsFeaturedVisual' alt='Quest for the Lost Console – a game by 1Password and Gen.G' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction"><em>“You find yourself in front of an old mansion. The grand prize, a coveted console, is hidden somewhere deep inside. To complete your quest you&rsquo;ll have to move from room to room and overcome complex puzzles and obstacles. Looking around you see your competitors – you&rsquo;re all here for glory and the grand prize. But you aren&rsquo;t afraid of a little hard work. Armed with determination, skill, and grit you step forward with confidence – this prize is yours for the taking…”</em></p> <p>Intrigued? That&rsquo;s the introduction to Quest for the Lost Console, a browser-based game we created in partnership with <a href="https://geng.gg/">Gen.G</a>, a top esports organization that competes in League of Legends, Valorant, PUBG, and more.</p> <div style="text-align: center !important;"> <iframe src="https://www.youtube-nocookie.com/embed/1IRiPtFpMlk" frameborder="0" allow="autoplay; encrypted-media" width="500px !important;" height="281px !important;" style="width: 500px !important; height: 281px !important; display: inline-block !important" allowfullscreen></iframe> </div> <h2 id="quest-for-the-lost-console">Quest for the Lost Console</h2> <p>Quest for the Lost Console is free to play and available in your web browser. 
We’ll release new puzzles over the next three weeks to test your creative thinking and perseverance. But don&rsquo;t worry if you get stumped – top video game streamers including Stanz, Goofywise, and Luxx will share hints for each puzzle to help you advance in your quest.</p> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div class="c-technical-aside-box__description"> <p>Want an edge over the competition? Listen to episode 96 of our <a href="https://randombutmemorable.simplecast.com/">Random but Memorable</a> podcast on May 31st – you might just hear something useful (in addition to the usual great content!) 😉</p> </div> </aside> <p>As you solve each puzzle, you’ll be entered into fun prize giveaways! You’ll have a chance to win PlayStation 5s, Amazon gift cards, exclusive Quest for the Lost Console merchandise, and 1Password Families memberships.</p> <p>Ready to test your puzzle-solving skills? The first two challenges are already live – <a href="https://1passwordconsolequest.gg/">start your Quest for the Lost Console today</a>!</p> <h2 id="security-and-gaming">Security and gaming</h2> <p>Here at 1Password, we want to help make the online world a safer place for everyone – including the millions of people who love playing video games. As the industry grows, so does the risk to game accounts, which is why it’s important to <a href="https://blog.1password.com/protect-gaming-accounts-scammers/">protect your gaming accounts from scammers</a>. 
We&rsquo;ve also written a guide that explains <a href="https://blog.1password.com/gaming-money-spend-safely/">how to safely spend money on new releases and in-game content</a> like battle passes, outfits, and characters.</p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Get 50% off your first year of 1Password</h3> <p class="c-call-to-action-box__text"> To celebrate Quest for the Lost Console and our partnership with Gen.G we’re offering new customers 50% off their first year of 1Password. </p> <a href="https://1password.com/business-pricing/" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Try free for 14 days </a> </div> </section></description></item><item><title>Automated provisioning with 1Password and Rippling</title><link>https://blog.1password.com/1password-rippling-automated-provisioning/</link><pubDate>Thu, 19 May 2022 00:00:00 +0000</pubDate><author>info@1password.com (Matt O'Leary)</author><guid>https://blog.1password.com/1password-rippling-automated-provisioning/</guid><description> <img src='https://blog.1password.com/posts/2022/1password-rippling-automated-provisioning/header.png' class='webfeedsFeaturedVisual' alt='Automated provisioning with 1Password and Rippling' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Streamline your organization&rsquo;s processes by managing all of your permissions in one place. 
The <a href="https://support.1password.com/scim-rippling/">1Password SCIM bridge and Rippling integration</a> makes it easy for you to provision and deprovision users, manage group memberships, and secure your business.</p> <p>Protecting your organization’s data and secrets with 1Password, while working seamlessly within Rippling, will help reduce the demands on your IT team so they can focus on other priorities.</p> <h2 id="1password-and-rippling">1Password and Rippling</h2> <p>Smaller businesses are <a href="https://www.forbes.com/sites/edwardsegal/2022/03/30/cyber-criminals/?sh=4cee97ce52ae">three times more likely to be the target of cyberattacks</a>. Unlike larger corporations, small and medium-sized businesses often don&rsquo;t have the resources required to effectively combat security threats.</p> <p>1Password helps businesses protect against password reuse, reduces the frequency of password resets, and lets administrators manage who has access to what business secrets. <a href="https://www.rippling.com/">Rippling</a> is an employee management tool that simplifies and combines HR and IT into one platform – allowing administrators to manage payroll, distribute important documents, and set up employees with apps and devices.</p> <p>By deploying the 1Password SCIM bridge, Rippling customers are combining the convenience and productivity of an all-in-one platform with 1Password’s human-centric approach to security. Admins are able to easily automate tasks and manage 1Password access from Rippling, freeing up time from work that would typically require IT and HR to support.</p> <h2 id="automated-provisioning-made-easy">Automated provisioning made easy</h2> <p>Enable your team to move faster while staying secure.</p> <p>With the 1Password and Rippling integration, you have control over who has access to what information. And, you can now automate common administrative tasks, reinforcing security while reducing the burden of manual requests. 
This enables your team to move faster while staying secure. The integration lets you:</p> <ul> <li><strong>Create users.</strong> Users created in Rippling will also be created in 1Password.</li> <li><strong>Update user attributes.</strong> Changing user attributes in your directory will change the mapped attributes in 1Password.</li> <li><strong>Deactivate users.</strong> Deactivating a user or disabling the user’s access to 1Password in Rippling will also suspend the user in 1Password.</li> <li><strong>Sync group memberships.</strong> 1Password groups are available in Rippling, and any changes you make to group memberships sync to 1Password automatically.</li> <li><strong>Use Teams and Departments.</strong> You can use your Rippling Teams and Departments to add and remove users from 1Password groups.</li> </ul> <p>Each task is done within Rippling and synchronized to 1Password, removing the duplication of admin efforts. Integrating 1Password with Rippling is simple, secure, and gives your team access to everything they need from the moment they’re provisioned.</p> <h2 id="getting-started">Getting started</h2> <p>The Rippling integration is available to anyone with both a 1Password and a Rippling account.</p> <ul> <li>For existing Rippling customers, new to 1Password, <a href="https://www.rippling.com/app-shop/app/1-password">get 25% off your first year of 1Password Business or 1Password Teams</a>.</li> </ul> <p>And if you’re already a customer of both 1Password and Rippling, then you can <a href="https://support.1password.com/scim-deploy-rippling/">get started and connect the two</a> in your account settings.</p> <p>Once you’ve integrated Rippling with 1Password, check out <a href="https://support.1password.com/scim-rippling/">1Password Support</a> to start enabling features.</p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Get 25% off your first year of 
1Password</h3> <p class="c-call-to-action-box__text"> To celebrate our partnership, Rippling customers new to 1Password can get 25% off their first year of <a href="https://1password.com/business/">1Password Business</a> or 1Password Teams. </p> <a href="https://www.rippling.com/app-shop/app/1-password" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Try free for 14 days </a> </div> </section></description></item><item><title>Happy birthday, 1Password for Linux! 🎉🥳</title><link>https://blog.1password.com/1password-linux-first-birthday/</link><pubDate>Wed, 18 May 2022 00:00:00 +0000</pubDate><author>info@1password.com (Dave Teare)</author><guid>https://blog.1password.com/1password-linux-first-birthday/</guid><description> <img src='https://blog.1password.com/posts/2022/1password-linux-first-birthday/header.png' class='webfeedsFeaturedVisual' alt='Happy birthday, 1Password for Linux! 🎉🥳' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">1Password for Linux turns one today. 🎂</p> <p>One year ago today, <a href="https://blog.1password.com/welcoming-linux-to-the-1password-family/">we welcomed Linux to the 1Password family</a>, knocking out the single most-requested feature in the history of 1Password and fulfilling a years-long personal goal.</p> <p>Since then 1Password for Linux has learned many new tricks, and for their birthday I thought we’d celebrate with a year-in-review post that covers their greatest achievements.</p> <p>Let’s see what 1Password for Linux has been up to.</p> <h2 id="quick-access">Quick Access</h2> <p>Quick Access is all-new, and it puts 1Password right at your fingertips. 
Just tap the Ctrl + Shift + Space keyboard shortcut, start typing, and any items in your <a href="https://1password.com/resources/guides/create-and-manage-shared-vaults/">1Password vaults</a> that match your query are instantly available.</p> <p>Quick Access is smart, too. It’ll automatically highlight items for apps you have open when you launch it and prioritize items based on previous searches, so it’ll get even smarter over time.</p> <img src="https://blog.1password.com/posts/2022/1password-linux-first-birthday/quickaccess.png" alt="1Password for Linux Quick Access window with searched items shown" title="1Password for Linux Quick Access window with searched items shown" class="c-featured-image"/> <h2 id="customizable-appearance">Customizable appearance</h2> <p>You can also customize your sidebar to include Categories or hide Tags – or hide it altogether for an even cleaner view. When the sidebar is hidden, you can bring your mouse near the left-most edge to temporarily reveal it.</p> <img src="https://blog.1password.com/posts/2022/1password-linux-first-birthday/spotify.png" alt="1Password for Linux window with Spotify item shown and hidden sidebar" title="1Password for Linux window with Spotify item shown and hidden sidebar" class="c-featured-image"/> <h2 id="security-improvements">Security improvements</h2> <p>Linux users can now securely share items with anyone outside of their family or company accounts. 
In fact, you can share them with <em>anyone</em>… even if they don’t use 1Password, <a href="https://support.1password.com/share-items/">just by sharing a link</a>.</p> <img src="https://blog.1password.com/posts/2022/1password-linux-first-birthday/secure-sharing.png" alt="1Password for Linux with Carbonmade item shown and secure sharing options visible" title="1Password for Linux with Carbonmade item shown and secure sharing options visible" class="c-featured-image"/> <p>We’ve also added the ability to use security keys like Yubikey or Titan as your second factor when adding new accounts or reauthorizing devices, as well as adding your two-factor authentication secrets to an item by scanning QR codes. (To do that, add a one-time password, then select the QR code icon to scan an image on your screen or clipboard.)</p> <h2 id="watchtower">Watchtower</h2> <p>The <a href="https://watchtower.1password.com/">Watchtower</a> Dashboard has been updated with an even more gorgeous design. There&rsquo;s also a new sharable Watchtower score – and I can attest to how satisfying it is to peck away at potential security issues and watch your score climb. 📈</p> <img src="https://blog.1password.com/posts/2022/1password-linux-first-birthday/watchtower.png" alt="Watchtower in 1Password for Linux with security score at the top and tiles for compromised websites, weak passwords, and inactive two-factor authentication below" title="Watchtower in 1Password for Linux with security score at the top and tiles for compromised websites, weak passwords, and inactive two-factor authentication below" class="c-featured-image"/> <p>Watchtower learned some new tricks as well, and will now display an alert for unsecured websites that have a more secure option available. And when you see a banner for an item that contains a compromised, vulnerable, or weak password, you can click a banner button to go right to the website to change the password. 
You can also dismiss alerts entirely when needed.</p> <h2 id="new-tools-for-developers">New tools for developers</h2> <p>This might just be my favorite addition: 1Password now includes <a href="https://blog.1password.com/1password-ssh-agent/">full support for SSH keys</a>. It’s the easiest and most secure way to manage SSH keys and Git in your daily workflow, and <a href="https://blog.1password.com/1password-ssh-changed-how-i-work/">it&rsquo;s changing the way many of us work</a>.</p> <img src="https://blog.1password.com/posts/2022/1password-linux-first-birthday/ssh.png" alt="Firefox window open on Github.com and 1Password autofilling an SSH key" title="Firefox window open on Github.com and 1Password autofilling an SSH key" class="c-featured-image"/> <p>1Password for Linux also <a href="https://blog.1password.com/1password-cli-2_0/">integrates with the 1Password CLI</a>, enabling you to use biometric unlock so you can easily integrate 1Password into your scripts and workflows.</p> <img src="https://blog.1password.com/posts/2022/1password-linux-first-birthday/cli.png" alt="Ubuntu terminal with 1Password commands for signing in and creating a 1Password vault" title="Ubuntu terminal with 1Password commands for signing in and creating a 1Password vault" class="c-featured-image"/> <h2 id="and-so-much-more">And so much more</h2> <p>In total, the <a href="https://releases.1password.com/linux/">release notes</a> show a whopping 687 improvements to 1Password for Linux since its release. 
I can’t include them all here – though I would if I could 😉 – but here are a few of my favorites:</p> <ul> <li>Add custom icons to your items</li> <li>Open items in new windows</li> <li>Navigate quickly with back and forward buttons</li> <li>Delete tags directly from the sidebar</li> <li>Access items you’ve removed in the new Recently Deleted section</li> <li>Create vaults directly within 1Password</li> <li>Focus in on the vaults you need when you need them using Collections</li> <li>Create new items using our new item catalog</li> <li>Export items, including files</li> </ul> <h2 id="still-free-for-open-source">Still free for Open Source</h2> <p>As much as things have changed, our commitment to open source projects remains stronger than ever. We’ve continued sponsoring open source projects, are now a <a href="https://foundation.rust-lang.org/news/2022-03-08-member-spotlight-1password/">proud sponsor of the Rust Foundation</a>, and have continued providing <a href="https://github.com/1Password/1password-teams-open-source">open source teams everywhere free 1Password accounts</a>.</p> <h2 id="happy-birthday-1password-for-linux-">Happy birthday 1Password for Linux! 🎉🎊</h2> <p>No one is more surprised than me that it’s already been a year since we released 1Password for Linux… or at the number of improvements we’ve managed to squeeze into that year!</p> <p>And the part that really makes my heart sing is that with <a href="https://1password.com/products/">1Password 8</a> for Mac and 1Password 8 for Windows now launched, I get a consistent, and consistently delightful, 1Password experience across all my desktop environments. 😍</p> <p>So happy birthday! Here’s to many more. 
🍻</p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Download 1Password for Linux</h3> <p class="c-call-to-action-box__text"> Follow the instructions to install 1Password on Ubuntu, Debian, Fedora, and many other Linux distributions. </p> <a href="https://1password.com/downloads/linux/" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Download </a> </div> </section></description></item><item><title>1Password 8 for Android is now in Early Access! 🎉</title><link>https://blog.1password.com/1password-8-android-early-access/</link><pubDate>Tue, 17 May 2022 00:00:00 +0000</pubDate><author>info@1password.com (Michael Fey)</author><guid>https://blog.1password.com/1password-8-android-early-access/</guid><description> <img src='https://blog.1password.com/posts/2022/1password-8-android-early-access/header.png' class='webfeedsFeaturedVisual' alt='1Password 8 for Android is now in Early Access! 🎉' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">It’s your turn, Android folks! The newest generation of 1Password is now available in Early Access – so put on your explorer hats, help us track down those bugs, and let the feedback flow.🕵️♀️</p> <p>This early preview represents one of the most monumental updates we&rsquo;ve ever created for Android, and it&rsquo;s all about two things that make Android such a great mobile OS: fun and extensibility. It&rsquo;s 1Password to the Core, and it makes the most of everything Google&rsquo;s latest mobile operating system has to offer.</p> <p>If you’re already sold, then by all means, head over <a href="https://play.google.com/store/apps/details?id=com.onepassword.android">to the Play Store and install it <em>right now</em></a>. 
Happy testing — and don’t forget <a href="https://1password.community/categories/android-beta">to report those bugs</a>!</p> <p>There’s a lot of goodness below the fold, so if you’d like to take a quick tour first, let’s dive in…</p> <h2 id="modern-design">Modern design</h2> <img src="https://blog.1password.com/posts/2022/1password-8-android-early-access/overview.png" alt="Multiple Android phones displayed in a grid with various 1Password 8 for Android screens shown" title="Multiple Android phones displayed in a grid with various 1Password 8 for Android screens shown" class="c-featured-image"/> <p>Every aspect of <a href="https://1password.com/products/">1Password 8</a> for Android has been redesigned for a more cohesive experience across every platform you might use. Jumping over from Windows, macOS, Linux, or even iOS? You&rsquo;ll feel right at home regardless, because this doesn&rsquo;t just <em>look</em> like the same 1Password &hellip; it <em>is</em> the same 1Password.</p> <p>As I mentioned in the <a href="https://blog.1password.com/1password-8-ios-early-access/">iOS Early Access post</a>, we&rsquo;ve spent a lot of time unifying our design language to bring you a familiar but fresh 1Password experience, whatever device you&rsquo;re using. The new designs of 1Password 8 on Android feel distinctly like 1Password, but also distinctly like an Android app – because it is.</p> <h2 id="powered-by-a-modern-core">Powered by a modern Core</h2> <p>Both of our new mobile apps are <a href="https://blog.1password.com/1password-8-the-story-so-far/">powered by the same, all-new 1Password Core</a>. Utilizing the same foundation that powers <a href="https://1password.com/mac/">1Password for Mac</a>, Windows, and Linux allowed us to put many of the delightful touches and powerful functionality from the desktop experience in the palm of your hand. 
🤯</p> <p>Written primarily in Rust, a secure systems programming language famous for its performance and safety, the 1Password Core provides a more stable, more performant, and more secure experience than ever before.</p> <p>This unified backend delivers the same performance and feature set across every 1Password app, from search results to the password generator to item editing. It&rsquo;s all consistent, smooth, and <em>so</em>. <em>dang</em>. <em>fast</em>.</p> <h2 id="the-new-home-for-your-digital-life">The new home for your digital life</h2> <img src="https://blog.1password.com/posts/2022/1password-8-android-early-access/customise-home.png" alt="Two Android phone screens side-by-side displaying the home tab customization and finalized home tab screen" title="Two Android phone screens side-by-side displaying the home tab customization and finalized home tab screen" class="c-featured-image"/> <p>There’s a wealth of new capabilities in this app, like the fact that you can <a href="https://1password.com/features/autofill/">autofill</a> many different item types, like payment cards.</p> <p>But my favorite by far is the new, customizable Home tab. The ability to tailor your user experience is a huge part of what makes Android such a popular operating system, and we’re bringing that same concept into everyone’s favorite security app. No one uses 1Password in precisely the same way, which is why we are maximizing the customizability of this screen so you can set it up just the way you like it.</p> <p>Want to put Watchtower front and center? Move it to the top. Want fast access to frequently used items, vaults, or categories? You can do that. Want to hide tags altogether? It&rsquo;s all up to you. Just scroll to the bottom of the Home tab, tap <strong>🏠 Customize Home</strong> and make it yours.</p> <p>We’ve also added another completely brand new feature to 1Password for this update: the ability to pin individual fields to the home screen! 
Simply navigate to an item, tap on nearly any field, and choose “Pin to Home.” I’ve set up two pinned fields myself: my Amazon Video PIN for when I’m renting or buying some cinematic masterpiece, and my Wi-Fi password for when I need to tell a guest how to join my network.</p> <p>Because this is Early Access, we&rsquo;re not quite finished with the Home tab experience just yet. We have tons of ideas about how to give you more control with Smart Tiles, but we also want to hear what you want to see in your Home tab – so <a href="https://1password.community/categories/android-beta">drop by the forums</a> and let us know what you think.</p> <h2 id="effortless-security-in-true-1password-style">Effortless security in true 1Password style</h2> <img src="https://blog.1password.com/posts/2022/1password-8-android-early-access/watchtower.png" alt="3 1Password Watchtower screens displaying an item entry with reused password banner, Watchtower security dashboard with security score, and list of items sorted by password strength" title="3 1Password Watchtower screens displaying an item entry with reused password banner, Watchtower security dashboard with security score, and list of items sorted by password strength" class="c-featured-image"/> <p><a href="https://watchtower.1password.com/">Watchtower</a> has been notifying you of potentially compromised logins for years, but we&rsquo;ve always wanted to bring the full power of Watchtower&rsquo;s desktop experience to mobile – so that&rsquo;s just what we did. Watchtower now features a full security dashboard, so you can get a bird&rsquo;s-eye view of your security health and take fast action when you need to.</p> <p>That means not only giving you the security insights you&rsquo;ve come to expect from Watchtower, but also giving you the ability to act on those insights with less effort. 
Take it for a spin and you&rsquo;ll see what I mean.</p> <h2 id="the-classics">The classics</h2> <img src="https://blog.1password.com/posts/2022/1password-8-android-early-access/the-classics.png" alt="4 1Password 8 for Android screens displaying sign-in page and search functionality in light mode, and Settings screen and item entry for Google login in dark mode" title="4 1Password 8 for Android screens displaying sign-in page and search functionality in light mode, and Settings screen and item entry for Google login in dark mode" class="c-featured-image"/> <p>As much as we’ve changed in 1Password 8, the greatest hits are still here. You can still <a href="https://1password.com/resources/guides/using-biometrics-fingerprint-as-password/">unlock with your fingerprint</a>, autofill your passwords into apps and websites, and more. And of course, the industry-leading security that you’ve come to know and trust continues to underpin everything we do.</p> <p>I would recommend popping over to the Settings tab and checking out all of the options available to you to set up 1Password just the way you like it.</p> <h2 id="more-to-come">More to come</h2> <p>As I mentioned above, today’s preview is just our first look at 1Password 8 on Android, and while it represents a massive lift by our design and development teams, we’ve got more in the pipeline. In the coming months, we&rsquo;ll be adding support for account management, in-app purchases, signup improvements, <a href="https://blog.1password.com/psst-item-sharing/">secure item sharing</a>, and an essential settings walkthrough.</p> <p>Ready to take 1Password 8 for Android Early Access for a spin? 
You can run it side-by-side with 1Password 7:</p> <ol> <li>Search for <a href="https://play.google.com/store/apps/details?id=com.onepassword.android">“1Password 8” in the Play Store</a> from your Android device.</li> <li>Tap “Install.”</li> <li>Start testing!</li> </ol> <h2 id="keep-that-feedback-coming">Keep that feedback coming</h2> <p>As all 1Password apps are, 1Password 8 for Android is a collaboration between 1Password and our customers. We&rsquo;re active on the beta forums, so if you have thoughts, ideas, or suggestions, <a href="https://1password.community/categories/android-beta">stop by the community and share your thoughts</a>.</p> <p>And don&rsquo;t forget: As you continue testing 1Password 8, you can provide feedback directly to us by returning to 1Password 8 (Early Access) in the Play Store and tapping the &ldquo;Private feedback to developer&rdquo; option, or by leaving a review directly in that listing like you would for any other app.</p> <p>Now, enough talk – explorers want to explore! Enjoy, and I&rsquo;ll see you in the forums.</p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Test 1Password 8 for Android</h3> <p class="c-call-to-action-box__text"> Install 1Password 8 for Android on your test device. 
</p> <a href="https://play.google.com/store/apps/details?id=com.onepassword.android" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Join the beta </a> </div> </section></description></item><item><title>How to protect your gaming accounts from scammers</title><link>https://blog.1password.com/protect-gaming-accounts-scammers/</link><pubDate>Mon, 16 May 2022 00:00:00 +0000</pubDate><author>info@1password.com (Stacey Harris)</author><guid>https://blog.1password.com/protect-gaming-accounts-scammers/</guid><description> <img src='https://blog.1password.com/posts/2022/protect-gaming-accounts-scammers/header.png' class='webfeedsFeaturedVisual' alt='How to protect your gaming accounts from scammers' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">It&rsquo;s been more than a year since the PlayStation 5, Xbox Series X and Xbox Series S hit store shelves. These releases, combined with the ongoing pandemic, have led to <a href="https://www.nielsen.com/us/en/insights/article/2020/3-2-1-go-video-gaming-is-at-an-all-time-high-during-covid-19/">an unprecedented number of people turning to gaming</a> to spend their free time. But with that increase comes more interest from scammers hoping to take advantage of unsuspecting customers.</p> <p><a href="https://www.prnewswire.com/news-releases/us-consumer-video-game-spending-totaled-60-4-billion-in-2021--301462631.html">People spent more than $60.4 billion on video games in the U.S.</a> last year – an 8% increase over 2020. The first lockdown saw a <a href="https://usa.kaspersky.com/about/press-releases/2020_gaming-related-web-attacks-increased-by-more-than-50-in-april">54% increase in gaming-related phishing attacks</a>. 
But it’s not just the money that makes gaming attractive to criminals – it&rsquo;s also the wide variety of information that can be stolen and exchanged for real-world dollars.</p> <p>Criminals who target <a href="https://blog.1password.com/gaming-money-spend-safely/">gaming</a> can steal in-game currency, in-game loot, or even sell entire accounts. Some convert game items like skins or rare items to cash on eBay, or use stolen currency to purchase and sell expensive items.</p> <p>That’s why it’s more important than ever to secure your game accounts.</p> <h2 id="level-up-your-security">Level up your security</h2> <p>You should be following basic security measures, like using strong and unique passwords, for all of your accounts. That includes online games, subscription services, and payment methods. <a href="https://watchtower.1password.com/">1Password’s Watchtower</a> can detect weak, reused, or compromised passwords and let you know if <a href="https://1password.com/features/two-factor-authentication/">two-factor authentication</a> (2FA) is an option. Note: you should always <a href="https://support.1password.com/one-time-passwords/">enable 2FA for an extra layer of security</a>.</p> <p>If you’re looking to sell or give away an old console, make sure to clear the history of all of your accounts to prevent accidentally giving someone access to your information.</p> <p>Think carefully about who has access to your console, and whether you&rsquo;re comfortable with them using your profile and store account. Let&rsquo;s say you&rsquo;ve just moved into a flat with total strangers, and decide to connect your PlayStation 4 to the living room TV. Until you&rsquo;re familiar with your new cohabitants, it&rsquo;s probably a good idea to set a passcode for your PS4 profile and sign out after each session.</p> <h2 id="ditch-the-defaults--go-custom">Ditch the defaults – go custom</h2> <p>The default settings on your console and PC aren’t necessarily the most secure. 
Check your account settings to make sure your accounts are as secure as possible. Here are a few examples of security settings that are often available but need to be activated manually:</p> <ul> <li>Enable PIN codes for multiple accounts</li> <li>Remove the ability to sign in automatically</li> <li>Require a password for any digital store purchases</li> <li>Make entering a password mandatory for changes to settings</li> <li>Get notifications when a purchase is made</li> <li>Add security questions – but generate a random memorable answer with 1Password rather than using actual information</li> <li>Turn on multi-factor authentication</li> </ul> <p>These additional security steps will make your account more secure against anyone trying to gain access. Most game companies have a resource page with additional security features – find that page and get your account up to snuff.</p> <h2 id="scammers-favorite-game-phishing">Scammers' favorite game: phishing</h2> <p><a href="https://blog.1password.com/what-is-phishing-and-how-can-you-protect-your-business/">Phishing scams</a> offering free in-game currency have become increasingly common in the gaming industry. As <a href="https://www.malwarebytes.com/blog/news/2020/10/fifa-21-game-scams-watch-out-for-unsporting-conduct">Malwarebytes Lab explains</a>, the popular FIFA series is often targeted by criminals due to its complex in-game economy, which includes a combination of currencies earned in-game and bought using real-world money. 
Many players are desperate to accumulate both in order to buy better footballers for their fictional teams, which leads them to scam sites offering too-good-to-be-true deals.</p> <p>The popular game Fortnite has also had <a href="https://variety.com/2018/gaming/news/fortnite-scams-rampant-on-social-media-youtube-1203007016/">a number of successful phishing scams</a>, exploiting young players' limited access to real-world currency.</p> <p>We recommend you enable 2FA for your game account to reduce the impact if you’re caught up in one of these scams. This way, even if scammers get your login credentials, they won’t have the second factor of authentication needed to sign in.</p> <p>But the easiest way to avoid these types of phishing scams is to resist the temptation to cheat. Few games have cheat codes for free currency and items – and <a href="https://gamerant.com/unlock-tony-hawks-pro-skater-1-2-cheats/">if they do it’s likely well known, public information</a>. Trying to get free in-game currency or items is just not worth the risk of losing your entire account.</p> <h2 id="download-games-from-verified-sources-only">Download games from verified sources only</h2> <p>Many of today’s games are free to download, which has created a rampant market of fake download links for games and content expansions. Apex Legends is available to play on Windows, PlayStation, and Xbox platforms, but <a href="https://www.bleepingcomputer.com/news/security/apex-legends-fans-targeted-with-malware-and-scam-campaigns/">scammers released a fake link to play the game on mobile</a> which amassed over 100,000 clicks in under a week.</p> <p>When you download files from an unverified source you’re opening yourself up to malware. To prevent downloading fake free games, or content drops, always make sure you’re getting your games from reputable sources. 
Carefully check the URL before entering sensitive information or clicking the download link.</p> <p>Now is a great time to go back and make sure that all of your accounts are as secure as they can be – whether that’s setting up <a href="https://1password.com/password-generator/">new, more memorable and secure passwords</a>, using 1Password, or setting up two-factor authentication. It also means playing games in good faith – don’t try to get ahead by doing something illegal.</p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Get started with 1Password Families</h3> <p class="c-call-to-action-box__text"> Use 1Password Families to protect your accounts and share important passwords with the people you trust and care about. </p> <a href="https://1password.com/personal/" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Try free for 14 days </a> </div> </section></description></item><item><title>How to stay safe online as a journalist</title><link>https://blog.1password.com/guide-journalist-stay-safe-online/</link><pubDate>Fri, 06 May 2022 00:00:00 +0000</pubDate><author>info@1password.com (Nick Summers)</author><guid>https://blog.1password.com/guide-journalist-stay-safe-online/</guid></item><item><title>How to improve your Watchtower score in 1Password</title><link>https://blog.1password.com/improve-watchtower-score-1password/</link><pubDate>Thu, 05 May 2022 00:00:00 +0000</pubDate><author>info@1password.com (Kerry DeVito)</author><guid>https://blog.1password.com/improve-watchtower-score-1password/</guid><description> <img src='https://blog.1password.com/posts/2022/improve-watchtower-score-1password/header.png' class='webfeedsFeaturedVisual' alt='How to improve your Watchtower score in 1Password' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' 
/> <p class="introduction">Happy World Password Day!</p> <p>The idea behind World Password Day is simple: to promote the use of strong, unique passwords to keep your accounts protected and your browsing safe. For those of you wondering how best to celebrate the day, we’ve got a challenge for you: how high can you get your 1Password Watchtower score?</p> <p>While a high Watchtower score won’t give you access to better loan rates, it will give you peace of mind. Not to mention some bragging rights, too.</p> <h2 id="level-up-your-watchtower-score">Level up your Watchtower score</h2> <p>Think of the Watchtower dashboard as your online security HQ – a 24/7, always-on command center where you can review and resolve potential vulnerabilities. To view your Watchtower report and score, simply navigate to the Watchtower tab in 1Password.</p> <p>Improving your score is easy. With the new Watchtower dashboard in <a href="https://1password.com/products/">1Password 8</a>, you can quickly see what needs your attention.</p> <img src='https://blog.1password.com/posts/2022/improve-watchtower-score-1password/watchtower-mac.png' alt='The Watchtower section in 1Password 8 for Mac, showing a security score of 1179' title='The Watchtower section in 1Password 8 for Mac, showing a security score of 1179' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>To give you a head start, we’ve outlined some actions below that you may see flagged in your dashboard – resolve these and watch your Watchtower score climb.</p> <h3 id="change-weak-and-re-used-passwords">Change weak and re-used passwords</h3> <p>Watchtower will flag and bring any weak or reused passwords to your attention on the dashboard. 
Create a strong, unique password for any flagged accounts using the <a href="https://1password.com/password-generator/">1Password Strong Password Generator</a>.</p> <h3 id="change-passwords-that-have-appeared-in-a-data-breach">Change passwords that have appeared in a data breach</h3> <p>Watchtower integrates with <a href="https://haveibeenpwned.com/">Have I Been Pwned</a> to alert you if any of your login credentials are involved in a data breach. You should secure your logins marked as “Compromised” by changing your passwords as soon as possible.</p> <h3 id="enable-2fa-where-its-offered--and-save-in-1password">Enable 2FA where it’s offered – and save in 1Password</h3> <p>The two-factor authentication (2FA) notification will appear on login items that support 2FA but haven’t had it enabled yet. For a speedier workflow, we recommend <a href="https://support.1password.com/one-time-passwords/">managing two-factor authentication in 1Password</a> rather than using another authenticator app.</p> <h3 id="update-http-sites-to-https">Update HTTP sites to HTTPS</h3> <p>Websites will be marked as “Unsecured” when the URL saved in 1Password starts with HTTP. Any time you enter passwords (or other sensitive information for that matter) on an unsecured website, they are sent unencrypted and are therefore vulnerable to interception. HTTPS is the encrypted version of the HTTP protocol, and you can resolve these alerts by simply clicking “Use HTTPS” in the Watchtower banner to ensure you’re using a secure connection.</p> <h3 id="take-action-on-expiring-items">Take action on expiring items</h3> <p><a href="https://1password.com/resources/guides/saving-credit-cards-and-addresses/">1Password can help you keep your credit cards</a>, memberships, licenses, and passports up to date. The “Expiring Soon” alert will appear for items that are, of course, about to expire. 
Take whatever action is required to keep these items from expiring and leaving you in the lurch.</p> <h2 id="share-your-score">Share your score</h2> <p>The more vulnerabilities you fix, the more your score will grow. With 1Password 8, you can share your score on social media or with friends and family to encourage others to take action and secure their accounts. From the Watchtower tab in the app, select “Share My Score” – you can copy the link or share directly to Twitter.</p> <p>If you don’t have a 1Password account yet, sign up to see where your online security habits need a boost.</p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Get $20 off 1Password Families</h3> <p class="c-call-to-action-box__text"> Get $20 off your first year of 1Password Families when you sign up today! </p> <a href="https://start.1password.com/sign-up/family?c=WPD2022" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Sign up for 1Password Families </a> </div> </section></description></item><item><title>Spend smarter and more safely when gaming online</title><link>https://blog.1password.com/gaming-money-spend-safely/</link><pubDate>Wed, 04 May 2022 00:00:00 +0000</pubDate><author>info@1password.com (Stacey Harris)</author><guid>https://blog.1password.com/gaming-money-spend-safely/</guid><description> <img src='https://blog.1password.com/posts/2022/gaming-money-spend-safely/header.png' class='webfeedsFeaturedVisual' alt='Spend smarter and more safely when gaming online' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">As microtransactions in gaming increase and more money is exchanged online, it’s become more important than ever to secure your financial and personal information.</p> <p>In 2021, there was an <a 
href="https://www.prnewswire.com/news-releases/us-consumer-video-game-spending-totaled-60-4-billion-in-2021--301462631.html">8 percent increase in spending on video games</a>, including subscriptions and in-game purchases across mobile, console, and PCs. That means people spent over $60.4 billion on video games in the U.S. last year. This growth is contributing to an <a href="https://threatpost.com/gamer-juicy-target-for-hackers/159507/">uptick in scams</a> looking to take advantage of gamers' poorly protected financial information.</p> <h2 id="the-cost-of-convenience">The cost of convenience</h2> <p>To avoid interrupting the gaming experience, game makers have made it easy to save payment details. Of course, adding credit card information to your account makes it accessible to anyone who logs into your account – legally or not. With an increase in attacks acquiring login credentials, it’s more important than ever to protect your game account.</p> <h2 id="lock-your-accounts-down">Lock your accounts down</h2> <p>Criminals aren’t the only ones with sticky fingers; a quick Google search shows many cases where children are spending their parents’ money without permission. One Canadian teenager racked up over $8,000 on his dad&rsquo;s credit card while playing FIFA, and the children of former NBA player <a href="https://www.cbssports.com/nba/news/nba-star-index-lebron-james-writing-tale-of-two-halves-jamal-murray-tyler-herro-seizing-postseason-stage/">Kendrick Perkins spent over $16,000 on Fortnite</a>.</p> <p>Luckily for parents, many games have parental controls so you can prevent purchases, set spending limits in advance, receive notifications when purchases are made, or require parental authorization before a transaction goes through.</p> <p>And should the worst happen, it’s worth asking for the money back. 
Many games and game platforms have robust processes to deal with precisely these kinds of scenarios and will refund accidental purchases without forcing you to jump through too many hoops.</p> <h2 id="use-payment-methods-that-hand-back-control">Use payment methods that hand back control</h2> <p>If you’re in the United States, an excellent option for online gaming, particularly with children in the mix, is to use Privacy Cards. <a href="https://support.1password.com/privacy-cards/">Privacy Cards</a> are virtual payment cards that represent your real credit card without revealing any of its actual details. Privacy Cards can be locked to a particular vendor and let you set payment limits either monthly or for the total lifetime of the card.</p> <p>You could, for example, set a card limit corresponding to the cost of a season pass so the kids can stay up to date in their favorite battle royale game without draining your bank account. Or you could set them up with a small monthly allowance for their favorite game to spend as they choose – a great opportunity to teach kids to think about budgeting. It’s also a great way to help you manage your own spending.</p> <p>If that gaming account is ever compromised and your virtual card details are exposed, you can simply cancel your Privacy Card rather than your actual credit card – a far more convenient option.</p> <h2 id="beware-of-fleeceware">Beware of fleeceware</h2> <p>Removing credit card information from your account not only protects you from attackers who may hack your account and take your information directly, but it also protects you from fleeceware apps. 
These are apps that take advantage of users by initially offering something for free before charging outrageous monthly fees.</p> <p>This is particularly prevalent in third-party games that offer skins, wallpapers, and game mods during a “free trial” before they start to discreetly charge subscription fees – as was the case with <a href="https://threatpost.com/minecraft-apps-google-play-fleece-players/161125/">seven Android apps fleecing Minecraft players</a> with exorbitant monthly subscription costs. Children are particularly susceptible to fleeceware and online spending scams, and it’s up to adults to help curb their exposure to these risks.</p> <p>There are a few ways to combat fleeceware, including not giving apps access to your payment information, not using free trial period apps, or using a virtual card number with a limited spend when signing up for “free” apps. You can check what apps you’re subscribed to in your phone’s subscriptions settings.</p> <p>With <a href="https://1password.com/pricing/">1Password</a> you can continue making payments conveniently without having to manually type out your card details every time you make a purchase, or saving your card details in your game account. 
You can <a href="https://1password.com/resources/guides/saving-credit-cards-and-addresses/">save your credit card details in 1Password</a> and, when you’re ready to make a purchase, 1Password will <a href="https://1password.com/features/autofill/">autofill</a> the correct information.</p> <h2 id="keep-your-financial-information-secure">Keep your financial information secure</h2> <p>There will always be a risk when putting your financial information online, but with a bit of foresight you can often <a href="https://blog.1password.com/protect-gaming-accounts-scammers/">make gaming accounts more secure</a> by digging into the settings and controls, using smarter payment methods, and locking your financial information away in 1Password.</p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Get started with 1Password Families</h3> <p class="c-call-to-action-box__text"> Use 1Password Families to protect your accounts and share important passwords with the people you trust and care about. </p> <a href="https://1password.com/personal/" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Try free for 14 days </a> </div> </section></description></item><item><title>1Password 8 for Mac is here! 🎉🙌</title><link>https://blog.1password.com/1password-8-for-mac/</link><pubDate>Tue, 03 May 2022 00:00:00 +0000</pubDate><author>info@1password.com (Dave Teare)</author><guid>https://blog.1password.com/1password-8-for-mac/</guid><description> <img src='https://blog.1password.com/posts/2022/1password-8-for-mac/header.png' class='webfeedsFeaturedVisual' alt='1Password 8 for Mac is here! 🎉🙌' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Today I have the honour of introducing the most powerful and capable 1Password ever. 
Wrapped in a gorgeous new design and blazingly fast, 1Password 8 is our love letter to Mac users everywhere. 💌</p> <p>Mac is where it all began. Way back in 2006, <a href="https://twitter.com/roustem">Roustem</a> and I coded the first version of 1Password on our shiny new PowerBook G4s. The love and support we received from the Mac community was tremendous and launched us to where we are today. 🥰</p> <p>17 years later, the pressure was on to create the best Mac app possible and I’m thrilled to say that the team delivered. 1Password 8 integrates deeper and tighter with macOS than ever to bring you the most modern, productive, and secure version of 1Password yet. 🙌</p> <h2 id="modern-sleek-design">Modern, sleek design</h2> <p>We created an entirely new design language, code-named Knox, to unleash the power and productivity we’ve been dreaming of – all while preserving the heart and soul of 1Password. 😍</p> <p> <img src="https://blog.1password.com/posts/2022/1password-8-for-mac/1password-unlocked-hero.png" alt="The main 1Password app, unlocked, revealing the gorgeous new design, including a new vibrant sidebar, item list, with my Amazon item details showing." title="The main 1Password app, unlocked, revealing the gorgeous new design, including a new vibrant sidebar, item list, with my Amazon item details showing." class="c-featured-image light"/> <img src="https://blog.1password.com/posts/2022/1password-8-for-mac/1password-unlocked-hero-dark.png" alt="The main 1Password app, unlocked, revealing the gorgeous new design, including a new vibrant sidebar, item list, with my Amazon item details showing." title="The main 1Password app, unlocked, revealing the gorgeous new design, including a new vibrant sidebar, item list, with my Amazon item details showing." class="c-featured-image dark"/> </p> <p>I absolutely adore our new design language. 
From the vibrant sidebar and unified toolbar to the typography and iconography, everything has been redesigned and recreated to feel right at home on macOS.</p> <p>With 1Password 8, you can enjoy a fluid, consistent experience everywhere. The new design language extends seamlessly into <a href="https://1password.com/resources/guides/1password-for-safari/">1Password for Safari</a>.</p> <p> <img src='https://blog.1password.com/posts/2022/1password-8-for-mac/1password-safari-popup.png' alt='1Password in Safari with the lovely popup open revealing the login for World Central Kitchen, ready to be autofilled.' title='1Password in Safari with the lovely popup open revealing the login for World Central Kitchen, ready to be autofilled.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <img src='https://blog.1password.com/posts/2022/1password-8-for-mac/1password-safari-popup-dark.png' alt='1Password in Safari with the lovely popup open revealing the login for World Central Kitchen, ready to be autofilled.' title='1Password in Safari with the lovely popup open revealing the login for World Central Kitchen, ready to be autofilled.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> </p> <p>It’s simply beautiful! But as <a href="https://www.youtube.com/watch?v=5Hkq1ihlX5I">Steve so eloquently said</a>, design is not what it looks like. <em>Design is how it works</em>. The real delight comes from the new features that this design unleashes. 🚀</p> <h2 id="next-step-productivity">Next step productivity</h2> <p>I often hear that we’re in the security business, but I’ve always seen our super power as being productivity. We make the secure way, the easy way.</p> <p>1Password 8 takes productivity to the next level with improved workflows and deeper integrations with macOS. 
It all starts with Quick Access.</p> <p> <img src="https://blog.1password.com/posts/2022/1password-8-for-mac/quick-access.png" alt="1Password Quick Access window open, awaiting your command." title="1Password Quick Access window open, awaiting your command." class="c-featured-image light"/> <img src="https://blog.1password.com/posts/2022/1password-8-for-mac/quick-access-dark.png" alt="1Password Quick Access window open, awaiting your command." title="1Password Quick Access window open, awaiting your command." class="c-featured-image dark"/> </p> <p>Inspired by tools like Spotlight and Alfred, Quick Access is a floating panel that is always available, giving you access to all of your 1Password data, wherever you need it. Quick Access is fully keyboard-optimized, and it&rsquo;s smart, too, suggesting the most relevant logins for the active application.</p> <p> <img src='https://blog.1password.com/posts/2022/1password-8-for-mac/safari-with-quick-access.png' alt='1Password Quick Access window open with Safari in the background, with fill suggestions for the active tab.' title='1Password Quick Access window open with Safari in the background, with fill suggestions for the active tab.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <img src='https://blog.1password.com/posts/2022/1password-8-for-mac/safari-with-quick-access-dark.png' alt='1Password Quick Access window open with Safari in the background, with fill suggestions for the active tab.' title='1Password Quick Access window open with Safari in the background, with fill suggestions for the active tab.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> </p> <p>Quick Access is just one of the ways 1Password 8 will supercharge your productivity. And it’s <em>fast</em>. It’s hard to be productive when waiting for things to load, so we tuned every workflow to be super efficient. 
From unlock to search to filling, everything is quick and snappy.</p> <h2 id="next-step-security--privacy">Next step security &amp; privacy</h2> <p>1Password 8 comes with the security and privacy guarantees you’ve come to expect from 1Password, along with new tools to keep you safer online. The new Watchtower Dashboard makes it super simple to get a pulse on your security and see where you need to improve.</p> <p> <img src="https://blog.1password.com/posts/2022/1password-8-for-mac/watchtower-actionable-security-advice.png" alt="1Password with the Watchtower Dashboard showing, including a Security Score and actions for improving your security health." title="1Password with the Watchtower Dashboard showing, including a Security Score and actions for improving your security health." class="c-featured-image light"/> <img src="https://blog.1password.com/posts/2022/1password-8-for-mac/watchtower-actionable-security-advice-dark.png" alt="1Password with the Watchtower Dashboard showing, including a Security Score and actions for improving your security health." title="1Password with the Watchtower Dashboard showing, including a Security Score and actions for improving your security health." class="c-featured-image dark"/> </p> <p>Watchtower uses on-device analysis to calculate password strength and detect vulnerable passwords, giving you actionable and personalized advice while preserving your privacy.</p> <p>All of your information is protected behind the best security design we’ve ever had. And when it’s time to unlock, use Touch ID or Apple Watch for a terrific passwordless experience.</p> <p> <img src='https://blog.1password.com/posts/2022/1password-8-for-mac/1password-locked-touch-id.png' alt='1Password lock window, with Touch ID activated.' title='1Password lock window, with Touch ID activated.' 
style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <img src='https://blog.1password.com/posts/2022/1password-8-for-mac/1password-locked-touch-id-dark.png' alt='1Password lock window, with Touch ID activated.' title='1Password lock window, with Touch ID activated.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> </p> <h2 id="oh-and-one-more-thing">Oh, and one more thing…</h2> <p>Nearly two decades ago we set out to create the most complete and deeply integrated password manager for Mac users. And today we&rsquo;re thrilled to announce a new feature that raises that bar: you can now fill <strong>anywhere</strong> on your Mac.</p> <p>We call it <a href="https://1password.com/features/how-to-use-universal-autofill-on-mac/">Universal Autofill</a>, and you have to see it to believe it.</p> <p> <img src='https://blog.1password.com/posts/2022/1password-8-for-mac/universal-autofill-zoom.gif' alt='An animated gif showing 1Password filling the Zoom app&#39;s login screen, including username, password, and one-time 2FA code.' title='An animated gif showing 1Password filling the Zoom app&#39;s login screen, including username, password, and one-time 2FA code.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <img src='https://blog.1password.com/posts/2022/1password-8-for-mac/universal-autofill-zoom-dark.gif' alt='An animated gif showing 1Password filling the Zoom app&#39;s login screen, including username, password, and one-time 2FA code.' title='An animated gif showing 1Password filling the Zoom app&#39;s login screen, including username, password, and one-time 2FA code.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> </p> <p>This is actually real! 1Password can now fill into Mac apps like Zoom, Spotify, and the App Store, and also other places like Terminal and system prompts. 
🤯</p> <p>We leverage the incredible accessibility frameworks provided by Apple to analyze the app structure. We then use the same brain that powers 1Password in your browser to accurately and securely fill fields and log you in.</p> <p>Universal Autofill handles everything for you, including one-time 2FA codes. It even presses the Return key for you.</p> <p>All this is just a (customizable!) keystroke away.</p> <h3 id="getting-started">Getting started</h3> <p>I can&rsquo;t wait for you to try it! Use our 1-click installer to get a release that&rsquo;s optimized for your Mac, whether it&rsquo;s Apple Silicon or Intel.</p> <p><a href="https://downloads.1password.com/mac/1Password.zip">Download 1Password 8 for Mac</a></p> <p>1Password 8 requires a 1Password membership. If you&rsquo;re already subscribed, just download the new app and it will automatically migrate your accounts over. For more information, see our <a href="https://support.1password.com/upgrade-mac/">upgrade guide</a>.</p> <p>We loved creating this new experience for you and we&rsquo;re excited to hear what you think. We have many ways to get in touch:</p> <ul> <li>Twitter Space <strong>tonight</strong> (May 3rd) at 8PM ET / 5PM PT</li> <li><a href="https://www.reddit.com/r/1Password/">AMA</a> this Thursday (May 5th) at 12PM ET / 9AM PT</li> <li><a href="https://www.producthunt.com/products/1password#1password-8-for-mac">Product Hunt</a> and our <a href="https://1password.community/categories/1password-for-mac">1Password for Mac community</a></li> <li><a href="https://twitter.com/1password">@1Password</a> on Twitter or me directly <a href="https://twitter.com/dteare">@dteare</a></li> <li><a href="https://1password.com/webinars">Live demo</a> on May 17th at 12PM ET / 9AM PT</li> </ul> <p>I also wanted to give a special shout out to our 40,000 beta family members who have helped review and test 1Password 8 over the last nine months. 
This release is so much better as a direct result of you and your dedication. Thank you for helping us make 1Password the best it can be. ❤️</p> <img src='https://blog.1password.com/posts/2022/1password-8-for-mac/footer.png' alt='1Password and Apple logos in space, orbiting around one another in the shape of an 8.' title='1Password and Apple logos in space, orbiting around one another in the shape of an 8.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>Enjoy the new release, take care, and stay safe out there. 🙏🏻</p></description></item><item><title>Small Talk: the small business recovery journey</title><link>https://blog.1password.com/small-talk-smb-recovery-journey/</link><pubDate>Mon, 02 May 2022 00:00:00 +0000</pubDate><author>info@1password.com (Andrew Zangre)</author><guid>https://blog.1password.com/small-talk-smb-recovery-journey/</guid><description> <img src='https://blog.1password.com/posts/2022/small-talk-smb-recovery-journey/header.png' class='webfeedsFeaturedVisual' alt='Small Talk: the small business recovery journey' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">It’s a tough time for small business owners and their employees. Surging operational costs and supply chain issues are colliding with a rate of inflation <a href="https://www.reuters.com/business/us-consumer-prices-accelerate-february-weekly-jobless-claims-rise-2022-03-10/">that’s limiting how much consumers are willing and able to spend</a>. And as the pandemic continues, there could be more legal and economic hurdles on the way. Startups and <a href="https://blog.1password.com/small-talk-beyond-the-office/">other small businesses</a> are fighting to keep their doors open, or to open them in the first place.</p> <p>If your team is struggling, cybersecurity may not seem like the highest priority. 
But investing in the right tools and processes is critical to keep employees productive and your business protected. Any upfront costs are nothing when compared to the potential price of a data breach. Most businesses that are attacked <a href="https://blog.1password.com/small-talk-cyberattacks/">don’t get a second chance to improve their defenses</a>, either.</p> <p>In the small business comeback story, secure-minded habits like better password management will be a critical plot point. Since <a href="https://www.forbes.com/sites/forbeshumanresourcescouncil/2021/07/07/attack-the-root-cause-of-cyber-threats-one-employee-at-a-time/?sh=4a3546db77ae">most cyber attacks involve “human error”</a> – like weak or reused passwords on different accounts – simple investments like a password manager can greatly reduce your risks, by making safe habits easier for employees. Putting this safest foot forward will keep the recovery journey and your company’s continued growth moving in the right direction.</p> <h2 id="small-teams-were-hit-hard">Small teams were hit hard</h2> <p>When the pandemic began, many small businesses suddenly lost their cash flow. Restaurants, retail shops, and <a href="https://www.cnbc.com/2021/04/09/small-business-closures-tick-back-toward-covid-pandemic-highs.html">many others were forced to close temporarily – or for good</a>. Then came inflation and <a href="https://www.wsj.com/articles/worried-inflation-suppy-chains-small-business-11645463508">supply chain issues</a> that made balancing the books even tougher.</p> <p>More than two years later, many small and medium-sized businesses (SMBs) are still trying to catch up from inconsistent sales during the lockdowns, and making adjustments where needed. And each day, more are facing closure after doing everything in their power to stay afloat. 
Running a business is challenging enough in a so-called “normal” year, but right now, every small business owner must feel like they’re playing on Extra Hard Mode without a pause button.</p> <p>Like sharks in the water, cybercriminals have seen these challenges as opportunities. Cyber attacks <a href="https://www.forbes.com/sites/edwardsegal/2022/03/30/cyber-criminals/?sh=31446e5d52ae">rose 600 percent during the pandemic</a>, with <a href="https://markets.businessinsider.com/news/stocks/cybercriminals-narrow-their-focus-on-smbs-according-to-the-acronis-cyberthreats-report-mid-year-update-1030688981">70 percent targeting SMBs</a>. It’s no coincidence: Small teams are simply less likely to devote resources to security or put processes in place, such as training for new employees. Nearly half actually <a href="https://www.techrepublic.com/article/companies-are-relaxing-cybersecurity-during-the-pandemic-to-boost-productivity/">loosened their security protocols</a> to stay productive during the pandemic (which was … <em>unfortunate</em> timing).</p> <p>One breach is often one too many: 60 percent of attacked SMBs close within six months. Even if it’s not fatal to your business, a single security incident can mean serious financial fallout and a major blow to customer trust, <a href="https://edition.cnn.com/2022/03/25/economy/consumer-sentiment-march-2022/index.html">which is already on wobbly ground in general</a>.</p> <h2 id="why-password-managers-are-a-crucial-companion">Why password managers are a crucial companion</h2> <p>Now more than ever, growing businesses need to be smart and intentional with their budgets. Many proposed expenses are luxuries that can wait. 
But some investments are simply a must – and in today’s connected world, <a href="https://1password.com/resources/ultimate-guide-to-securing-your-small-business/">steps to protect your data</a> are increasingly crucial.</p> <p>The majority of business-related cyber attacks can be traced back to <a href="https://www.verizon.com/business/resources/reports/dbir/">something a person did</a>, like using a weak password. Not a technology gap or other infrastructure issues. So the best security improvements come from improving your employees’ habits. Empowering your team with the right training and tools is the single greatest ROI in cybersecurity, no matter if you’re a law firm or a lingerie store.</p> <p>A password manager like 1Password is an ideal starting point to build a winning <a href="https://1password.com/resources/creating-a-culture-of-security/">culture of security</a>, where online safety is just second nature. It empowers your team members to protect all of their online accounts with strong, unique passwords – and quickly update any passwords that <a href="https://watchtower.1password.com/">might be affected by a breach</a>.</p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Secure your team with 1Password Business</h3> <p class="c-call-to-action-box__text"> Keep your team secure without slowing them down. Choose 1Password Business to gain complete control over passwords and other sensitive business information. </p> <a href="https://1password.com/business-pricing/" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Try free for 14 days </a> </div> </section> <p>There are also ways to improve your security without spending a dime. If your company has an IT team, sit with them and explain some of the changes you can make for free. 
For example, educating your employees about how to spot a <a href="https://blog.1password.com/what-is-phishing-and-how-can-you-protect-your-business/">phishing email</a> and other red flags. Free resources like <a href="https://www.1password.university/learn">1Password University</a> can help you and your team become more aware and security-conscious, both inside and outside of work.</p> <h2 id="coming-back-stronger-smarter-and-more-secure">Coming back stronger, smarter, and more secure</h2> <p>Inflation may still be rising, and the pandemic’s twists and turns may not be over quite yet. But there are reasons to be hopeful, with <a href="https://www.reuters.com/business/us-private-payrolls-increase-solidly-february-adp-2022-03-02/">steady job growth</a> and cooped-up consumers itching to get out and live their lives. Some governments are trying their best to accelerate the recovery, too. For example, the United States has pledged to spend <a href="https://www.wsj.com/articles/u-s-to-spend-10-billion-to-boost-small-businesses-11641637801">$10 billion on helping small businesses</a>. Nobody can say for sure, but this summer could deliver the burst of momentum that owners have been waiting for.</p> <p>The world of work is changing at a caffeinated pace. It’s an ideal time to reboot your processes and how you think about your operation as a whole. That includes what to prioritize in your company culture (and what not to).</p> <p>Not much is certain – nor has it ever been. But as the global economy continues its climb, cybersecurity will be a keen investment in any scenario. 
Secure team practices and keeping an eye on tomorrow’s threats will help your business thrive, regardless of the economic and technological challenges that come next.</p></description></item><item><title>An update on our recent service disruption</title><link>https://blog.1password.com/update-on-our-recent-service-disruption/</link><pubDate>Fri, 29 Apr 2022 00:00:00 +0000</pubDate><author>info@1password.com (Pedro Canahuati)</author><guid>https://blog.1password.com/update-on-our-recent-service-disruption/</guid><description> <img src='https://blog.1password.com/posts/2022/update-on-our-recent-service-disruption/header.png' class='webfeedsFeaturedVisual' alt='An update on our recent service disruption' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">On April 27th, 1Password experienced a brief service outage owing to an internal code issue – it was not a security incident, and customer data was not affected in any way.</p> <p>1Password is designed to protect your information at all costs, with local copies of vault data always available on your devices – even without a connection to the 1Password service or the internet itself. As a result, your passwords and other vault items remain safe and sound.</p> <p>We’re sorry for any disruption this outage may have caused and deeply appreciate your patience during our investigation. Service has been fully restored, and we can now share further details about what happened and how we&rsquo;re working to avoid similar situations in the future.</p> <h2 id="what-happened">What happened?</h2> <p>On April 27th, our scheduled maintenance included an upgrade to our database aimed at improving performance.</p> <p>Although the upgrade itself was successful, the improvement had unintended consequences. 
It revealed that certain queries weren’t optimized for the new performance characteristics of the database, leading to unexpected behavior that ultimately destabilized the system.</p> <p>This behavior only occurred under specific circumstances that didn&rsquo;t emerge in our test environments.</p> <p>As a result, we saw a temporary service disruption that impacted syncing data across devices, access to 1Password.com administrative interfaces, new account signups, and performance of the 1Password Connect server.</p> <p>Our team quickly identified the underlying issue and deployed a fix. After additional testing, we can confirm that all systems are back to normal.</p> <h2 id="what-did-we-do">What did we do?</h2> <p>Last year, we identified some performance improvements we could gain from upgrading our databases to the latest MySQL version.</p> <p>We spent months running tests to ensure that all our services, code, and infrastructure could be smoothly transitioned to support the newer MySQL version. Finally, as the day arrived for us to upgrade, we had a solid plan and executed the transition during a scheduled maintenance window.</p> <p>On the morning of April 27th, as we entered a period of heavier traffic, we noticed a large number of database connections remaining open, with queries not completing efficiently. We spent some time debugging and theorized that the increased connections were due to inefficient SQL queries resulting in lock contention. This eventually led to us bumping up against connection limits.</p> <p>We immediately scaled down the service that keeps data in sync between devices to alleviate some of the load and allow our services to recover.</p> <p>With our new hypothesis in play, we optimized the queries, built new versions of our services, and deployed them to our production environment. 
We then scaled our database instances above what we had initially provisioned to account for the increased load we would see as the sync service caught up.</p> <p>We closely monitored service health and stability over the next 24 hours as we prepared for the next day&rsquo;s peak load. By April 28th, everything was still running smoothly. Although we saw an initial increase in connections as sync requests resumed, things quickly stabilized and we were able to confirm that the fixes were working as expected.</p> <h2 id="what-happens-next">What happens next?</h2> <p>We care deeply about our customers, their data, and their experience, so we take any service disruption like this very seriously.</p> <p>As part of our plan to avoid similar incidents in the future, our immediate next steps are to spend more time analyzing the data we collected to ensure we have a full understanding of the underlying causes of this incident. This analysis will contribute to a refinement of our testing procedures and capacity planning to ensure we properly account for these scenarios.</p> <p>We take the integrity of your data and the stability of our systems very seriously and will continue to work hard every day to earn the trust you&rsquo;ve placed in us.</p></description></item><item><title>Where to store your 1Password Emergency Kit</title><link>https://blog.1password.com/where-to-store-your-emergency-kit/</link><pubDate>Fri, 29 Apr 2022 00:00:00 +0000</pubDate><author>info@1password.com (Andrew Zangre)</author><guid>https://blog.1password.com/where-to-store-your-emergency-kit/</guid><description> <img src='https://blog.1password.com/posts/2022/where-to-store-emergency-kit/header.png' class='webfeedsFeaturedVisual' alt='Where to store your 1Password Emergency Kit' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">In case of emergency – that is, forgetting your login for 1Password, or someone else needing to get in – the <a 
href="https://support.1password.com/emergency-kit/">1Password Emergency Kit</a> can truly save the day. This short and sweet document keeps all the necessary details for getting into your account in one place. But you shouldn’t need to break glass to retrieve it (which is a huge pain to clean up, not to mention dangerous). Here’s how to keep your Emergency Kit both safe and accessible.</p> <h2 id="what-is-the-emergency-kit">What is the Emergency Kit</h2> <p>We’re not talking about a flashlight and a pocket knife. The 1Password Emergency Kit is a simple document that you should know about and look after if you use 1Password to store your passwords and other sensitive details or documents.</p> <p>Here’s why: To best protect your secrets, every item you save in 1Password is fully encrypted. Your account password and a randomly generated <a href="https://support.1password.com/secret-key-security/">Secret Key</a> are both required to decrypt your data – and only you have the Secret Key. That means we couldn’t look at your passwords if we tried – nor could an attacker. This approach to encryption is great for security, but it also means that if you ever forget your account password, our <a href="https://support.1password.com/">Support team</a> can’t access it for you.</p> <p>The Emergency Kit groups your account info – including your Secret Key – on a downloadable and printable one-page PDF. It also includes the email address used to create your 1Password account and an optional space to fill in your account password. <a href="https://support.1password.com/sign-in-troubleshooting/">If you get locked out</a> or want to grant somebody else access to your account, the Kit will come in handy.</p> <p>It’s an important document that every 1Password user should know about and protect. 
Download a copy now if you haven’t already, then figure out the best place to store it.</p> <h2 id="theres-no-right-answer">There’s no right answer</h2> <p>Now then: Where do you keep this thing, once you download it? The truth is there’s no one-size-fits-all solution. But we do have a few tips that you should keep in mind.</p> <p>You’ll want to keep your Emergency Kit in a place that’s secure, but also convenient and retrievable for you or the people who may need access to your account. Burying it on a desert island, then, is less than ideal. But so is hanging it up on the lunchroom’s bulletin board. You have to strike a balance that factors in your personal circumstances, how many copies you might want out there, and what simply feels right.</p> <p>Here are a few ways to consider storing your 1Password Emergency Kit so it’s both safe and accessible.</p> <h2 id="physical-storage">Physical storage</h2> <p>Remember printers? (For younger readers, you may have seen one in a tech museum next to floppy disks and the Atari 2600.) You can use a printer at home or at a local print shop or library to create a physical copy of your Emergency Kit, which fits neatly on a single page. Multiple copies are also an option, especially if you travel often or want a distant loved one to have access.</p> <p>You <strong>could</strong> keep a printed version of your Emergency Kit in:</p> <ul> <li><strong>A fire-resistant safe</strong>, tucked away in your home or one that a friend or family member lives in. Just be sure to keep the key or combination in a safe, private place.</li> <li><strong>A locked drawer</strong>, with a key that’s always on you or the person who you want to have emergency access.</li> <li><strong>A safety deposit or bank deposit box</strong>. You can keep the key for this box on a personal keychain. You could also leave an extra key in your will for a loved one. 
These boxes do present an added risk of <a href="https://www.nytimes.com/2019/07/19/business/safe-deposit-box-theft.html">tampering or theft</a>, so keep that in mind if you choose this option.</li> <li><strong>Your will</strong>, as an attachment and with your preferred recipient or recipients clearly indicated.</li> <li><strong>The hands of your spouse or a family member</strong>, with instructions on when and how to use it if they ever need to access your 1Password account. Make sure they know to keep it protected themselves, and not out in the open!</li> </ul> <p>Keep in mind that if you use the optional space to write your account password on a printed Emergency Kit, it’s an added vulnerability if someone gets hold of the document. If you decide to print multiple copies of the Kit, you might want to fill in the password on those you plan to keep in more secure locations, and leave it off elsewhere. You can always cut off the part with your account password and keep it in your wallet or somewhere else, to keep the information separate!</p> <h2 id="digital-storage">Digital storage</h2> <p>If you want to save the trees, or just prefer a paperless lifestyle, you can stick with a digital copy or copies.</p> <p>After you’ve registered your 1Password account, you can download the Emergency Kit file and store it in one of several places for when you or your loved ones need it.</p> <p>You <strong>might</strong> want to consider:</p> <ul> <li><strong>An encrypted USB drive</strong> kept on a keychain or in a bag or wallet that’s with you at all times. It may be best to have two different USB drives, in case one crashes, breaks, or is lost.</li> <li><strong>A folder stored in a cloud-based storage service</strong> such as Google Drive, that only you and potentially your selected loved ones can access. 
Remember that cloud storage does have the added risk of a potential cyber attack, if someone breaches the associated email address or other logins.</li> <li><strong>A password-protected folder on your desktop</strong>. You’ll need a password you can remember outside of 1Password to keep this protected – try a <a href="https://blog.1password.com/tip-memorable-password-wifi-tv-apps/">memorable password</a> that uses a few unrelated words strung together!</li> </ul> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div class="c-technical-aside-box__description"> <p>Did you know? You can now create and use a <a href="https://blog.1password.com/introducing-1password-recovery-codes/">recovery code</a> to self-recover your 1Password account should you lose your Secret Key or forget your account password. You can consider keeping your recovery code in the same places suggested for Emergency Kit storage.</p> </div> </aside> <h2 id="a-combination-of-the-two">A combination of the two</h2> <p>As the saying goes, <em>“<a href="https://www.youtube.com/watch?v=OawrlVoQqSs">¿por que no los dos?</a>”</em></p> <p>When you receive access to your 1Password Emergency Kit, you could make multiple copies and store them in both physical and digital locations. Just keep in mind the specific risks or disadvantages of each.</p> <h2 id="its-up-to-you">It’s up to you</h2> <p>There’s no wrong way to eat a Reese’s. And there’s no single, 1Password-recommended place to store your Emergency Kit. Keep it safe but bear in mind that it will do you no good if you – or your loved ones, when necessary – can’t access it in some way.</p> <p>Consider your personal circumstances and the options at your disposal. Think about the security risks associated with each location and what you’re willing – or not willing – to compromise. 
Once you’ve considered everything, pick the storage plan that works best for you.</p> <p>Once you’ve safely stored your Emergency Kit, plan out some routine checks so that you know it’s still secure and accessible, accounting for potentially corrupted files or wear and tear on a paper copy. And don’t hesitate to change locations if you rethink your preferences, your circumstances change, or you decide a location is no longer appropriate.</p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Read our beginner&#39;s guide to cybersecurity</h3> <p class="c-call-to-action-box__text"> Want to learn more about how to stay safe online? Read our beginner’s guide to cybersecurity, which covers passwords, software, hardware, connectivity, and more! </p> <a href="https://1password.com/resources/beginners-guide-to-cybersecurity/" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Read the guide </a> </div> </section></description></item><item><title>1Password for SSH changed the way I work</title><link>https://blog.1password.com/1password-ssh-changed-how-i-work/</link><pubDate>Thu, 28 Apr 2022 00:00:00 +0000</pubDate><author>info@1password.com (K.J. Valencik)</author><guid>https://blog.1password.com/1password-ssh-changed-how-i-work/</guid><description> <img src='https://blog.1password.com/posts/2022/1password-ssh-changed-how-i-work/header.png' class='webfeedsFeaturedVisual' alt='1Password for SSH changed the way I work' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction"><a href="https://blog.1password.com/1password-ssh-agent/">1Password for SSH</a> was shared with the world last month. I have been using it since it was available for internal beta. I knew it would improve my endpoint security. 
I didn’t expect it to change <del>the way I generated, stored and used SSH keys</del> the way I work.</p> <p>Let me take a step back.</p> <p>The first time I used SSH, I connected my college’s <a href="https://www.csee.umbc.edu/courses/undergraduate/341/fall04/hood/notes/ssh/">global lab linux server</a> with <a href="https://www.putty.org/">PuTTY</a>. I used a username and password to authenticate and never really appreciated <a href="https://datatracker.ietf.org/doc/html/rfc4253">the magic that made it all work</a>. It was a step away from the familiar world of FTP and RDP.</p> <p>SSH later became an integral part of my developer experience when my job switched from <a href="https://subversion.apache.org/">Subversion</a> to <a href="https://lwn.net/Articles/165127/">Git</a>. I was a Jr. Developer at the time and struggled to generate an SSH key. Another developer on the team generated an RSA key pair for me and shared it on a thumb drive. It was some years later before I realized <a href="https://www.freebsd.org/news/2012-compromise/">this was less than ideal</a>.</p> <p>Eventually, I fell into a routine. I would get a new laptop, generate a private key – sometimes I would even use a <a href="https://www.ssh.com/academy/ssh/passphrase">passphrase</a> – and upload the new key to all the services I used (GitHub, VPS, etc.). I used the one-key-per-device pattern and repeated the process for my phone and other devices. Occasionally, I’d pull a device from cold storage for something I forgot about.</p> <p>The problem was that each SSH key represented one of my devices; it had no purpose attached to it. I used the same keys for work, open source contributions, file servers and a lot more. 
When I unlocked a key for one use, I unlocked it for all uses.</p> <p><em>1Password for SSH has entered the chat</em></p> <p>The <a href="https://developer.1password.com/docs/ssh/">1Password SSH Agent</a> has a stricter authorization model than the OpenSSH Agent<sup id="fnref:1"><a href="#fn:1" class="footnote-ref" role="doc-noteref">1</a></sup> defaults<sup id="fnref:2"><a href="#fn:2" class="footnote-ref" role="doc-noteref">2</a></sup>. Instead of a key either being available or unavailable, a key has an authorized session. An authorized session consists of the key pair and either a terminal session or application. I wanted to be able to deliberately authorize a set of actions for my current context (e.g., work or open source).</p> <p>Thus, a new way of working.</p> <p>I generated a new key pair for each of my use cases. <a href="https://support.1password.com/getting-started-browser/">1Password in the browser</a> made this really easy by autofilling the new key in the GitHub and Gitlab public key forms. Now, when it’s time to get to work, I open my terminal and run a git fetch. 1Password prompts for my fingerprint and I approve the usage of my Work SSH key.</p> <img src='https://blog.1password.com/posts/2022/1password-ssh-changed-how-i-work/1Password_SSH_authorization_focused.png' alt='Focused 1Password for Mac Touch ID authentication window displaying the text &#39;1Password is trying to allow iTerm2 to use the key Work SSH key for SSH&#39;' title='Focused 1Password for Mac Touch ID authentication window displaying the text &#39;1Password is trying to allow iTerm2 to use the key Work SSH key for SSH&#39;' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>I’m not prompted again while actively using my laptop. 
When it’s time to switch to an <a href="https://github.com/neon-bindings/neon">open source project</a>, I’m seamlessly prompted for my GitHub key.</p> <img src='https://blog.1password.com/posts/2022/1password-ssh-changed-how-i-work/1Password_SSH_unfocused.png' alt='Unfocused 1Password for Mac Touch ID authentication window displaying the text &#39;1Password is trying to allow iTerm2 to use the key GitHub SSH key for SSH&#39;' title='Unfocused 1Password for Mac Touch ID authentication window displaying the text &#39;1Password is trying to allow iTerm2 to use the key GitHub SSH key for SSH&#39;' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>A little later, when I need to update my blog, I pop open a new terminal tab and start an SSH session. I forward my SSH Agent with <code>ssh -A</code> so that I can perform a <code>git pull</code> while I’m there<sup id="fnref:3"><a href="#fn:3" class="footnote-ref" role="doc-noteref">3</a></sup>. When I’m done, I <code>exit</code> the terminal session, deauthorizing it from the 1Password SSH Agent.</p> <p>Now, generating SSH keys is no longer part of my new device flow! All of my SSH keys are saved in 1Password and synchronized across my devices.</p> <img src='https://blog.1password.com/posts/2022/1password-ssh-changed-how-i-work/SSH_key_item_in_1Password.png' alt='Item with the title &#39;Work SSH Key&#39; in 1Password' title='Item with the title &#39;Work SSH Key&#39; in 1Password' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>I’m really excited for Git’s recent addition of <a href="https://github.com/git/git/blob/master/Documentation/RelNotes/2.34.0.txt">commit signing with SSH keys</a>. 
It already <a href="https://git-scm.com/docs/git-config#Documentation/git-config.txt-gpgformat">works with 1Password SSH</a> and I can’t wait for <a href="https://github.com/community/community/discussions/7744">GitHub</a> and <a href="https://gitlab.com/gitlab-org/gitlab/-/issues/343879">Gitlab</a> to support verification!</p> <section class="footnotes" role="doc-endnotes"> <hr> <ol> <li id="fn:1" role="doc-endnote"> <p><a href="https://www.openssh.com/agent-restrict.html">SSH agent restriction</a> looks really cool!&#160;<a href="#fnref:1" class="footnote-backref" role="doc-backlink">&#x21a9;&#xfe0e;</a></p> </li> <li id="fn:2" role="doc-endnote"> <p>Similar functionality is available with <code>ssh-add -c</code>.&#160;<a href="#fnref:2" class="footnote-backref" role="doc-backlink">&#x21a9;&#xfe0e;</a></p> </li> <li id="fn:3" role="doc-endnote"> <p>Eventually I’ll get around to setting up a <a href="https://docs.github.com/en/actions">GitHub Action</a>. At least, that’s what I tell myself.&#160;<a href="#fnref:3" class="footnote-backref" role="doc-backlink">&#x21a9;&#xfe0e;</a></p> </li> </ol> </section></description></item><item><title>Tip: Use passphrases when you need a secure but easy-to-type password</title><link>https://blog.1password.com/tip-memorable-password-wifi-tv-apps/</link><pubDate>Mon, 25 Apr 2022 00:00:00 +0000</pubDate><author>info@1password.com (Emily Chioconi)</author><guid>https://blog.1password.com/tip-memorable-password-wifi-tv-apps/</guid><description> <img src='https://blog.1password.com/posts/2022/tip-memorable-passwords-wifi-tv-apps/header.png' class='webfeedsFeaturedVisual' alt='Tip: Use passphrases when you need a secure but easy-to-type password' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">While 1Password is usually there to <a href="https://1password.com/features/autofill/">autofill</a> your passwords, sometimes you still have to manually type them in.</p> <p>We’ve all had the 
experience of connecting to Wi-Fi on a new device, setting up a gaming console, or signing in to a streaming service on our TVs. When these moments come up, typing in a password like <code>n1}C9_X&gt;V-^A5hc]z8!uCXB]bc3jTRWx&#43;Cs</code> is not a fun experience, regardless of how secure it may be.</p> <p>So what&rsquo;s the answer? Enter Memorable Passwords (also known as <a href="https://en.wikipedia.org/wiki/Passphrase">passphrases</a>). 
These are created by combining a handful of real but unrelated words. A passphrase could be <code>ball-orange-moon-car-pilot</code>, for instance. As long as each word is chosen at random, the complete passphrase can be just as difficult for an attacker to crack as a password made up of random letters, numbers, and symbols.</p> <p>With Memorable Passwords, 1Password can generate passwords that, while still distinctive and random, are easier to remember. 
Memorizing and typing something like <code>stern-patron-mailmen-degrease</code> is a practical way to maintain your security while making entering a password manually a lot simpler.</p> <aside class="c-technical-aside-box c-technical-aside-box--background" aria-labelledby="how-to-create-and-save-a-memorable-password-in-1password"> <h2 class="c-technical-aside-box__title" id="how-to-create-and-save-a-memorable-password-in-1password"> How to create and save a Memorable Password in 1Password </h2> <div class="c-technical-aside-box__description"> <p>To create a new Memorable Password for an item in 1Password, follow these steps:</p> <ol> <li>Select the item, then choose Edit.</li> <li>Select the password field, then choose Create a New Password.</li> 
<li>In the type field, select Memorable Password from the dropdown.</li> <li>Choose the desired number of words for your password.</li> <li>Select if you’d like capitalization and full words.</li> <li>Pick which separator to use from the dropdown menu.</li> <li>Choose Save.</li> </ol> </div> </aside> <p>For more information about generating passwords with 1Password, check out our support article: <a href="https://support.1password.com/generate-website-password/">Use the password generator to change and strengthen your passwords</a>.</p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Get started with 1Password Families</h3> <p class="c-call-to-action-box__text"> Use 1Password Families to protect your accounts and share important passwords with the people you trust and care about. </p> <a href="https://1password.com/personal/" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Try free for 14 days </a> </div> </section></description></item><item><title>Building communities for developers – an interview with Jeremiah Peschka of Stack Overflow</title><link>https://blog.1password.com/stack-overflow-developers-interview/</link><pubDate>Wed, 20 Apr 2022 00:00:00 +0000</pubDate><author>info@1password.com (Stacey Harris)</author><guid>https://blog.1password.com/stack-overflow-developers-interview/</guid><description> <img src='https://blog.1password.com/posts/2022/stack-overflow-developers-interview/header.png' class='webfeedsFeaturedVisual' alt='Building communities for developers – an interview with Jeremiah Peschka of Stack Overflow' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Michael Fey, VP of Engineering at 1Password, recently interviewed Jeremiah Peschka, staff software developer at <a 
href="https://stackoverflow.com/">Stack Overflow</a>, on our <a href="https://randombutmemorable.simplecast.com/">Random But Memorable</a> podcast.</p> <p>Stack Overflow is an extensive online community where you can get answers to all your technical questions. Michael and Jeremiah dive into why building communities for developers is so important and how code is reshaping our world. Check out the highlights below, or <a href="https://randombutmemorable.simplecast.com/episodes/puzzle-solving-developer-community">listen to the full interview</a>.</p> <div class="c-simplecast-embed"> <iframe class="c-simplecast-embed__iframe" title="1Password Random but Memorable Podcast" width="100%" frameborder="no" scrolling="no" seamless src="https://player.simplecast.com/4d4c2599-bc2a-44c6-834a-fa501b183489?dark=false"></iframe> </div> <p><strong>Michael Fey: I&rsquo;m sure most of our listeners are aware of what Stack Overflow is and have taken code snippets and shipped it out to production systems, but for those who might not know, can you give us a quick overview?</strong></p> <p>Jeremiah Peschka: Stack Overflow is the finest repository of copy and paste snippets you can find. It’s where users can ask questions and get answers to questions. We have a lot of different sites where there are different communities – like sci-fi, cooking, and woodworking – where you can focus on more than just general code. You can dig into detailed hobbies you have, or detailed code like dba.stackexchange, or Server Fault.</p> <p><strong>MF: With 55% of developers visiting Stack Overflow every day and 80% visiting at least once a week, what kinds of real world impacts have the public and private forums had?</strong></p> <p>JP: So there&rsquo;s a private version of Stack Overflow – <a href="https://stackoverflow.co/business-pricing/">Stack Overflow for Teams</a> – but we also have our own private Stack install and that has replaced asking questions in the chat. 
Instead, I go to our internal Stack Overflow and search for it there. Sometimes I&rsquo;ll find an article and if there are edits I can go and look at how it has changed over time and I can look at comments that other people have left. It&rsquo;s a really good way for people to edit over time and add a lot more context as we change and grow. It allows for a lot of collaboration.</p> <blockquote> <p><em>&ldquo;We make it easy to get answers to questions.&quot;</em></p> </blockquote> <p>If I don&rsquo;t find something, I will ask a question on the internal site. If it&rsquo;s not about Stack Overflow&rsquo;s internal code, I can ask on the public site and then I can post that link internally in chat and also put it on Twitter and say: &ldquo;Lazy web, help me solve my problems. Coding is hard today.&rdquo;</p> <p><strong>MF: Stack Overflow is one of those sites that has really stood the test of time. It continues to be a community that self perpetuates and continues to grow and be valuable and held in high regard within the wider developer community.</strong></p> <p><strong>What do you think has led to that longevity? What is the secret sauce at Stack Overflow that saved it from being a fad?</strong></p> <p>JP: At Stack Overflow we make it easy to get answers to questions. Anyone can ask and answer questions and that’s what&rsquo;s made it really helpful. It&rsquo;s a fun community where you can collaborate with other people and help build better answers to questions or even rephrase questions and make questions better.</p> <p><strong>MF: Why do you think it&rsquo;s important to foster and build communities in the dev space and what do you see as the obvious benefits?</strong></p> <p>JP: One big thing is it&rsquo;s a force multiplier. If I were to ask you in private “how do I do X with 1Password”, you could give me a great answer, but it goes no further. 
However, if I ask “how do I do X with 1Password” on Stack Overflow, it means I get that same great answer, but everybody else also gets to see it, and they can also contribute to the conversation.</p> <p>It makes everything accessible to as many people as possible. It also makes the onboarding of really complex ideas a lot easier. Documentation only gets you so far because when you&rsquo;ve written your own code you know all of your own assumptions, so why should you write them down?</p> <blockquote> <p><em>&ldquo;The best answers I&rsquo;ve ever found and the best ones I&rsquo;ve provided are about taking someone on the journey with you.&quot;</em></p> </blockquote> <p>Stack Overflow helps people write better questions. We encourage you to tell us what you&rsquo;ve done, what you&rsquo;ve tried, and all the assumptions you have. And so by writing all that stuff down in the question, it helps onboard people into that knowledge space that you&rsquo;re in. And likewise, the best answers I&rsquo;ve found are onboarding people into that solution. That&rsquo;s a less obvious benefit, but it&rsquo;s a way to bring people with you and share your expertise.</p> <p>The best answers I&rsquo;ve ever found and the best ones I&rsquo;ve provided are about taking someone on the journey with you. It&rsquo;s about saying, &lsquo;I understand where you are over there in the hinterlands of suffering, come towards the richness of the valley of success.&rsquo;</p> <p><strong>MF: I want to spin over to the security side of things. It feels like security and secure coding practices have more of the mind share these days in the development community. Are you also seeing that trend and how is Stack Overflow helping those in the security space?</strong></p> <p>JP: People are really incorporating security into how they think about programs and how we build things today. It’s so important and you can no longer rely on a well configured firewall and a password form to protect your users' data. 
Security is really, really hard. Part of the reason why that discussion is coming up is because a lot of security revolves around understanding the nuance of what you&rsquo;re working with in a really deep way.</p> <p>One of the ways Stack Overflow helps is by making it easier to find this kind of content. It lets us have that conversation around nuance and the better ideas tend to rise to the top. It also lets people put in caveats and point out nuances others need to be aware of. Stack Overflow helps developers understand some of those issues and nuances and bring that back into their own projects.</p> <p><strong>MF: Since the start of the pandemic, with the increase in remote work, the number of cybersecurity questions has soared on Stack Overflow. Is that something you’re continuing to see and do you think the pandemic contributed to the rise, or was this trend already in progress?</strong></p> <p>JP: People were becoming more and more aware that security is really important and that it&rsquo;s very hard to secure an application that was never designed to be secured. That’s part of what&rsquo;s driving it. As an industry, we’re becoming more aware that these applications should be secured by default.</p> <p>When everyone worked in an office their laptops and desktops were locked down and very tightly controlled by a security department or IT, or controlled by asset tags and everything else. 
Suddenly, when everyone started working from home, you have people working from their computer that is eight years old that they bought at Costco and it has who knows what on it and that&rsquo;s now expected to connect to the <a href="https://blog.1password.com/how-a-vpn-works/">VPN</a> and perform just fine.</p> <blockquote> <p><em>&ldquo;We were suddenly thrust into a world where we have to be more thoughtful about how we approach security.&quot;</em></p> </blockquote> <p>Now you have these untrusted devices connecting to the network and internal applications that were never intended to run on untrusted devices. So we were suddenly thrust into a world where we have to be more thoughtful about how we approach security.</p> <p>There’s definitely more awareness about security now. I did some research with our data people and the trend did definitely go up at the beginning of the pandemic and it&rsquo;s continued to be relatively high. It seems like people are continuing to think about how to secure applications.</p> <p><strong>MF: That&rsquo;s good to hear. Do you feel code is reshaping our world in 2022? And if so, how?</strong></p> <p>JP: Code is making it easier for people to work with data and to understand the world around them. When I was in graduate school I attended Oregon Programming Languages Summer School and one of the speakers was Andy Gordon who worked at Microsoft Research at the time. He brought up that Excel, in his mind, is the most used programming tool in the world. Code isn&rsquo;t just programs in Java or C#, but it&rsquo;s also things like Excel, SQL, and R. All these tools make it easier for people to understand the world.</p> <p>Excel and R in particular have so much built-in functionality where you can say: &ldquo;I want you to run this kind of analysis on this table and put it in a chart for me”. With more people writing code, these tools have to get better, or they’ll be replaced. 
Excel, R, Tableau, and all these commercial products must have more features than the competitors because that&rsquo;s why we buy them. At the very least they have to be more useful than the other programs. The more people are using these tools means it&rsquo;s going to drive more change and produce richer tools that help us understand the world even more.</p> <blockquote> <p><em>&ldquo;Code gives us so many interesting ways to look at the software we have around us and how that software interacts.&quot;</em></p> </blockquote> <p>Code gives us so many interesting ways to look at the software we have around us and how that software interacts. Code really is reshaping our world. Easy access to stuff like Excel democratizes our ability to understand what&rsquo;s going on around us.</p> <p>We can have concentrated communities – whether it&rsquo;s via a collection of tags on Stack Overflow, specialized Stack Overflow websites like dba.stackexchange, or a Stack Overflow collective (a focused set of tags). You can go into these communities and interact with a group of people who are trying to either master that technology or help others master that technology. This ultimately drives forward excellence in how we&rsquo;re interacting with the data and the world around us.</p> <p><strong>MF: Your take on Excel and the democratization of this really spun this answer on its side for me because of course that type of scripting is programming/ coding. It&rsquo;s not compiling and running, or building apps from scratch, but it’s still coding.</strong></p> <p><strong>Where do we, as developers and stewards in these communities, need to do better? 
What needs to happen to reduce some of the pain points and make our work more impactful?</strong></p> <p>JP: One of the things that comes up that we can do better at as developers is to remember that code is written at a certain point in time, which also includes the author&rsquo;s mental state, and that it&rsquo;s also written under a set of constraints.</p> <p>Understanding all of that before you start trying to help someone, or at least assuming the sort of the best possible scenario, is really important when you&rsquo;re trying to help. You don&rsquo;t know what they&rsquo;re doing, you don&rsquo;t know what they&rsquo;re thinking.</p> <p>You have to understand the nuances. Really digging into the problem space and asking: what is this? What am I looking at? What are all of the tricky parts about it? Should I write down every assumption I have about this subject and then validate those?</p> <blockquote> <p><em>&ldquo;You should talk to security people early.&quot;</em></p> </blockquote> <p>It&rsquo;s not like you need to do big design up front where you produce a 600 page specification, but you do need to understand what needs to be implemented and what the actual thorny bits of the thing you have to implement are. Some of that boils down to finding out who is impacted, and then starting to ask hard questions.</p> <p>Once you understand what people are actually trying to do you might realize there&rsquo;s already code out there that solves this problem. I personally really like to borrow or buy code before I write it myself because odds are somebody else has thought about it more thoroughly than I have. Writing good code is really hard to do and writing secure good code is really, really hard.</p> <p>My last thought on this is that you should talk to security people early. I ask them &ldquo;Hey, we&rsquo;re building X.
What should I be terrified of?&rdquo; And that usually leads to really interesting conversations.</p> <blockquote> <p><em>&ldquo;I meet up with one of our security engineers every five or six weeks just to find out what&rsquo;s worrying him.&quot;</em></p> </blockquote> <p>I meet up with one of our security engineers every five or six weeks just to find out what&rsquo;s worrying him. I tell him what we&rsquo;re working on and most of the time he says: &ldquo;you don&rsquo;t need to worry about whatever you&rsquo;re doing. That sounds reasonable”. But having those conversations frequently reminds the security people that you exist and they can help you and it&rsquo;s also a reminder that they&rsquo;re not a blocker to what you&rsquo;re trying to do.</p> <p><strong>MF: Having that be part of your workflow, where you’re integrated with a security team or security individuals, is a boon to the overall health of whatever it is you&rsquo;re building, it really can&rsquo;t be overstated.</strong></p> <p>JP: It really can&rsquo;t. The most interesting part about this is getting to talk to people who know things that I don&rsquo;t. I&rsquo;m unlikely to become a security wizard, but I can talk to security people and understand a little bit more of what I need to do so that I don&rsquo;t have to have a bad conversation with security people.</p> <p><strong>MF: Where can people go to find more about you and about Stack Overflow? What cool things does Stack Overflow have that people might not know about that they should go sign up for and have their company start paying for?</strong></p> <p>JP: To find out more about Stack Overflow, people can head over to <a href="https://stackoverflow.com/">stackoverflow.com</a>. You can ask questions. You can go to stackexchange.com to find out what a bunch of the different sites that we have available are. 
If you want to ask questions about Stack Overflow, we even have a site <a href="https://meta.stackoverflow.com/">meta.stackoverflow.com</a> where you can talk about Stack Overflow using Stack Overflow.</p> <p>If you would like to have Stack Overflow for your team, we have <a href="https://stackoverflow.co/business-pricing/">Stack Overflow for Teams</a>, there&rsquo;s Stack Overflow Enterprise if you would like an entire Stack Overflow all of your own. And then there&rsquo;s <a href="https://stackoverflow.co/collectives/">Stack Overflow Collectives</a>, which is targeted at a set of tags.</p> <p>To find out more about me, you can find me at <a href="https://www.facility9.com/">facility9.com</a>.</p> <p><strong>MF: JP, this has been an absolute pleasure to have you on today. Thank you so much for coming by. Take it easy.</strong></p> <p>JP: Thank you so much for chatting with me. Take care.</p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Subscribe to Random but Memorable</h3> <p class="c-call-to-action-box__text"> Listen to the latest security news, tips and advice to level up your privacy game, as well as guest interviews with leaders from the security community. 
</p> <a href="https://randombutmemorable.simplecast.com/" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Subscribe to our podcast </a> </div> </section></description></item><item><title>How to convince your friends, family, and peers to start using a password manager</title><link>https://blog.1password.com/convince-friends-family-password-manager/</link><pubDate>Mon, 18 Apr 2022 00:00:00 +0000</pubDate><author>info@1password.com (Stacey Harris)</author><guid>https://blog.1password.com/convince-friends-family-password-manager/</guid><description> <img src='https://blog.1password.com/posts/2022/convince-friends-family-password-manager/header.png' class='webfeedsFeaturedVisual' alt='How to convince your friends, family, and peers to start using a password manager' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">One of the many values of 1Password is that we make it faster and easier to use strong, unique passwords everywhere online. That&rsquo;s great if you already have a good handle on why password strength matters for online security. But we know that not everyone does.</p> <p>If you’re ever in a position of needing to explain the benefits of using a <a href="https://blog.1password.com/password-manager/">password manager</a> – whether to a friend, family member, boss, or colleague – this post is for you. We hope this helps you share the value of stronger online security.</p> <h2 id="online-threats-are-on-the-rise">Online threats are on the rise</h2> <p>A great place to start is with the problem a <a href="https://blog.1password.com/are-password-managers-safe/">password manager</a> solves. We try not to be scaremongers, but at the same time, everyone should know that the internet can be risky to use. 
For all that it adds to our everyday lives, there are also innumerable threats in the shape of criminals, hackers, and con artists who want access to your personal information. Stealing passwords and logins is fundamental to their work.</p> <p>Websites and the companies that operate them are frequently hacked. This leads to data breaches and the theft of important data – like email addresses and passwords, the information needed to sign in to their site.</p> <p>A few data points to help quantify the scale of the risk:</p> <ul> <li>The first quarter of 2020 saw 2,935 reported data breaches. (<a href="https://www.securitymagazine.com/articles/94076-the-top-10-data-breaches-of-2020">Security Magazine</a>)</li> <li>The third quarter of 2020 saw 8.3 billion pieces of data exposed by breaches. (<a href="https://www.securitymagazine.com/articles/94076-the-top-10-data-breaches-of-2020">Security Magazine</a>)</li> <li>In January 2019, 2.7 billion email and password pairs were shared in what is known as Collection No. 1. (<a href="https://www.troyhunt.com/the-773-million-record-collection-1-data-reach/">as discovered by friend of 1Password, Troy Hunt</a>)</li> </ul> <h2 id="one-breach-can-open-many-doors">One breach can open many doors</h2> <p>Even with threats on the rise, some people still aren’t worried if a site they use has been breached. Common arguments you might hear are: The breach was on a website they haven’t used in ages, or it’s a website that doesn’t store any personal or important information. After all, many of us create accounts just to read free articles, so it’s no big deal if those accounts get breached, right?</p> <p>Wrong.
Every breach needs to be taken seriously and the password for a breached website should be updated as soon as possible.</p> <p>The <a href="https://www.verizon.com/business/resources/reports/dbir/">2021 Verizon Data Breach report</a> found that 85 percent of data breaches are caused by a human element – like weak or <a href="https://blog.1password.com/how-to-protect-yourself-from-password-reuse-attacks/">reused passwords</a>. With <a href="https://www.forbes.com/sites/forbestechcouncil/2021/04/20/why-is-passwordless-authentication-met-with-reluctance/?sh=6478b26866d0">so many people reusing passwords</a> there’s a good chance your friends, family, and coworkers have repeated the same password (or a similar one) for multiple websites.</p> <blockquote> <p><em><strong>Every breach needs to be taken seriously.</strong></em></p> </blockquote> <p>Criminals use stolen login credentials to try signing in to other services that do have important and personal information – like online shops and email accounts. This is viable precisely because millions of people reuse passwords. So, while the breached site may seem insignificant in terms of the value of the data exposed, the real value comes in the stolen passwords that are likely reused somewhere else.</p> <p>Some people even think they’re using unique passwords for every account by adding slight variations to one password. 
For example, using a password like <span class="c-password c-password__displayinlineflex"> <span class="c-password__letter">B</span> <span class="c-password__letter">a</span> <span class="c-password__letter">n</span> <span class="c-password__letter">k</span> <span class="c-password__letter">N</span> <span class="c-password__letter">a</span> <span class="c-password__letter">m</span> <span class="c-password__letter">e</span> <span class="c-password__digits">1</span> <span class="c-password__digits">2</span> <span class="c-password__digits">3</span> <span class="c-password__symbols">!</span> <span class="c-password__symbols">!</span> </span> for one account and <span class="c-password c-password__displayinlineflex"> <span class="c-password__letter">S</span> <span class="c-password__letter">t</span> <span class="c-password__letter">o</span> <span class="c-password__letter">r</span> <span class="c-password__letter">e</span> <span class="c-password__letter">N</span> <span class="c-password__letter">a</span> <span class="c-password__letter">m</span> <span class="c-password__letter">e</span> <span class="c-password__digits">1</span> <span class="c-password__digits">2</span> <span class="c-password__digits">3</span> <span class="c-password__symbols">!</span> <span class="c-password__symbols">!</span> </span> for another account. This might seem like a unique password because it’s different, but hackers can predict these slight variations and will test them during their brute-force attacks.</p> <h2 id="1password-makes-passwords-easy">1Password makes passwords easy</h2> <p>The answer to these threats, and others, is to encourage everyone to use truly unique passwords for every account and website they use. That’s where 1Password comes in.</p> <p>Yes, 1Password costs a few dollars a month, but that&rsquo;s a small price to pay for the peace of mind that comes with using good passwords everywhere.
We don’t provide a free service, because free services mean compromises in quality, privacy, or both – not a good look for a <a href="https://1password.com/password-manager/">password manager</a>, in our opinion.</p> <p>A 1Password Families account helps you and the important people in your life form and use safe password habits. And, if you’re trying to convince your company to adopt a password management system, you should check out our <a href="https://1password.com/resources/creating-a-culture-of-security/?utm_ref=resources">guide to creating a culture of security</a>.</p> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div class="c-technical-aside-box__description"> <p>Find out why 1Password is the best in the market with our <a href="https://1password.com/comparison/">password manager comparison</a>!</p> </div> </aside> <h2 id="its-ok-to-start-small">It’s OK to start small</h2> <p>Nowadays, <a href="https://tech.co/password-managers/how-many-passwords-average-person#:~:text=According%20to%20one%20NordPass%20study%2C%20the%20average%20person%20has%20100%20passwords.">the average person has 100 passwords</a> to remember. Changing all passwords to be unique may seem like an overwhelming task when trying to convince someone to improve their security. If that&rsquo;s the case, remind them that changing even one weak password is much better than changing none. Their main email account is a great place to start, followed by any sites where payment details are stored.</p> <p>And fear not – if you’re worried about becoming tech support for those you’ve convinced to try 1Password, don’t.
If your friends have any questions as they learn to use 1Password, our <a href="https://support.1password.com/">wonderful support team</a> and <a href="https://1password.community/">support community forum</a> are available around the clock.</p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Get started with 1Password Families</h3> <p class="c-call-to-action-box__text"> Use 1Password Families to protect your accounts and share important passwords with the people you trust and care about. </p> <a href="https://1password.com/personal/" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Try free for 14 days </a> </div> </section></description></item><item><title>Is it safe to write down your passwords?</title><link>https://blog.1password.com/safe-write-down-your-passwords/</link><pubDate>Fri, 15 Apr 2022 00:00:00 +0000</pubDate><author>info@1password.com (Nick Summers)</author><guid>https://blog.1password.com/safe-write-down-your-passwords/</guid><description> <img src='https://blog.1password.com/posts/2022/safe-write-down-your-passwords/header.png' class='webfeedsFeaturedVisual' alt='Is it safe to write down your passwords?' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Very few people can memorize all of their passwords – especially if they’re using unique ones for each account. Many solve this problem by embracing a <a href="https://blog.1password.com/password-manager/">password manager</a> like 1Password, while others turn to pen and paper. The latter could be a tiny notebook, a whiteboard on their office wall, or an array of sticky notes attached to their PC monitor.</p> <p>We hear two questions a lot: Is it <em>safe</em> to record your passwords in an analog format?
And, what are the benefits of switching to a password manager?</p> <p>The short answer to the first question is … yes, pen and paper can be a secure way to manage your passwords. But that doesn&rsquo;t mean it&rsquo;s the best way to protect your accounts and stay safe online. Read on to learn why.</p> <h2 id="is-it-really-that-bad-if-i-write-down-my-passwords">Is it really that bad if I write down my passwords?</h2> <p>Grabbing a pen and writing down your passwords isn&rsquo;t necessarily insecure. It depends on where you keep the object (your notebook, whiteboard, etc.) that contains your passwords, and the likelihood that a criminal will stumble upon it.</p> <p>For example, let&rsquo;s say you have a dedicated password notebook that never leaves your home office. It&rsquo;s unlikely that a cybercriminal will:</p> <ol> <li>Decide to target you specifically</li> <li>Discover where you live</li> <li>Travel to your home, or pay someone to travel on their behalf</li> <li>Find a way to break into your home</li> <li>Locate your notebook</li> <li>Escape and flee the crime scene without being spotted or caught by law enforcement</li> </ol> <p>Why? Because such a heist is neither cheap nor time-efficient.</p> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div class="c-technical-aside-box__description"> <p>Aside: That’s why it’s okay to keep a copy of your 1Password <a href="https://support.1password.com/emergency-kit/">Emergency Kit</a>, which contains a copy of your account password and Secret Key, somewhere in your home!</p> </div> </aside> <p>Instead, most criminals will use a range of tactics that don&rsquo;t require them to leave their computer.
They&rsquo;ll try to sign in to your accounts with common passwords like <span class="c-password c-password__displayinlineflex"> <span class="c-password__digits">1</span> <span class="c-password__digits">2</span> <span class="c-password__digits">3</span> <span class="c-password__digits">4</span> <span class="c-password__digits">5</span> <span class="c-password__digits">6</span> </span> and <span class="c-password c-password__displayinlineflex"> <span class="c-password__letter">q</span> <span class="c-password__letter">w</span> <span class="c-password__letter">e</span> <span class="c-password__letter">r</span> <span class="c-password__letter">t</span> <span class="c-password__letter">y</span> </span> . If that doesn&rsquo;t work, they might check if any of your passwords have leaked online as part of a data breach. Or try to trick you into sharing your account details with a fake <a href="https://blog.1password.com/what-is-phishing-and-how-can-you-protect-your-business/">phishing email</a>.</p> <p>So a notebook is pretty safe, right?</p> <p>Well, consider this: What happens when you leave your home? If you carry a password notebook in public, there&rsquo;s a slightly higher chance that its contents will be seen by a criminal. Someone in a cafe could theoretically look over your shoulder and memorize one of your passwords, for example. You could also lose your notebook, allowing it to fall into the hands of a stranger, and thus giving them the virtual keys to all your online accounts.</p> <h2 id="the-real-problem-with-writing-your-passwords-down">The real problem with writing your passwords down</h2> <p>There&rsquo;s an even bigger issue with “analog” password management: It&rsquo;s a really inconvenient way to record, retrieve, and use strong passwords. 
And when we say &ldquo;strong,&rdquo; we mean the kind that would be almost impossible for a criminal to crack with a <a href="https://blog.1password.com/what-is-a-brute-force-attack-and-whats-the-best-defense/">brute-force attack</a>.</p> <p>The reality is that very few people want to write down 100 different passwords like <span class="c-password c-password__displayinlineflex"> <span class="c-password__letter">M</span> <span class="c-password__symbols">#</span> <span class="c-password__letter">A</span> <span class="c-password__symbols">]</span> <span class="c-password__letter">E</span> <span class="c-password__symbols">?</span> <span class="c-password__letter">v</span> <span class="c-password__letter">X</span> <span class="c-password__letter">W</span> <span class="c-password__letter">Q</span> <span class="c-password__symbols">@</span> <span class="c-password__letter">E</span> <span class="c-password__letter">s</span> <span class="c-password__digits">8</span> <span class="c-password__letter">E</span> <span class="c-password__letter">i</span> <span class="c-password__letter">G</span> <span class="c-password__letter">J</span> <span class="c-password__letter">d</span> <span class="c-password__symbols">=</span> </span> . (So boring.) Even fewer have the time or patience to type them out every time they want to sign in to one of their accounts.</p> <p>Instead, most people either:</p> <ul> <li>Use short passwords</li> <li>Reuse the same password, or just a handful of different passwords, for all of their accounts.</li> </ul> <p>Short passwords might be faster to type out, but they&rsquo;re also easier for a criminal to crack with a brute-force attack. 
If the password is common or predictable, like <span class="c-password c-password__displayinlineflex"> <span class="c-password__letter">n</span> <span class="c-password__letter">i</span> <span class="c-password__letter">c</span> <span class="c-password__letter">k</span> <span class="c-password__letter">s</span> <span class="c-password__letter">u</span> <span class="c-password__letter">m</span> <span class="c-password__letter">m</span> <span class="c-password__letter">e</span> <span class="c-password__letter">r</span> <span class="c-password__letter">s</span> <span class="c-password__digits">1</span> <span class="c-password__digits">2</span> <span class="c-password__digits">3</span> </span> or <span class="c-password c-password__displayinlineflex"> <span class="c-password__letter">f</span> <span class="c-password__letter">a</span> <span class="c-password__letter">c</span> <span class="c-password__letter">e</span> <span class="c-password__letter">b</span> <span class="c-password__letter">o</span> <span class="c-password__letter">o</span> <span class="c-password__letter">k</span> </span> , a criminal can also discover it with a dictionary attack, which focuses on recognizable words and passwords recovered from past data breaches.</p> <p>Reusing the same password isn&rsquo;t a good idea either. It may be convenient – you only have to write it down once, and don&rsquo;t have to leaf through dozens of pages to find what you need – but it also makes you vulnerable if that one password is ever exposed in a data breach.</p> <p>Imagine you signed up for a new social network called CoffeePals. Then, six months later, the service was breached and every user&rsquo;s email address and password was leaked online. 
If you use the same credentials for everything, a criminal might be able to use your leaked CoffeePals password to access some of your other accounts.</p> <p>So here&rsquo;s the bottom line: Jotting down your passwords isn&rsquo;t <em>necessarily</em> insecure, provided you ensure that no one else has access to the place or object where you&rsquo;re storing them. <strong>But</strong>, physical media makes it difficult to use strong, unique passwords – which is why it&rsquo;s not the best way to keep your data and accounts safe.</p> <h2 id="why-a-password-manager-is-better-than-writing-down-your-passwords">Why a password manager is better than writing down your passwords</h2> <p>By now you might be thinking: Okay, I&rsquo;m ready to ditch all of the password-related sticky notes on my PC monitor. What should I be doing instead?</p> <p>The simplest way to create, remember, and use strong passwords is with a password manager like 1Password. Here are just eight of the many reasons why it&rsquo;s worth making the switch:</p> <ul> <li><strong>It will generate strong, unique passwords for you.</strong> 1Password suggests credentials that are incredibly difficult for a criminal to guess or crack with a brute force attack.</li> <li><strong>It can store an unlimited number of passwords.</strong> You can run out of paper, but you&rsquo;ll never run out of storage with a password manager like 1Password.</li> <li><strong>It will type out your passwords for you.</strong> 1Password lets you sign in to sites and fill forms securely with a single click.</li> <li><strong>Your passwords are always by your side.</strong> 1Password works on all of your devices and every major web browser – so you can access your passwords anywhere, anytime.</li> <li><strong>It&rsquo;s safe to use.</strong> 1Password’s security model is carefully designed to not rely on any single point of failure. 
To decrypt your data, a criminal would need your account password, an additional encryption ingredient known as the Secret Key, and the encrypted vault data itself. (Learn more about <a href="https://support.1password.com/1password-security/">our security model</a>.)</li> <li><strong>If you lose a device, it doesn&rsquo;t mean you&rsquo;ve lost your passwords.</strong> Dropped your phone in the toilet? You can always set up and sign in to 1Password on another device. A notebook, meanwhile, is gone forever unless you&rsquo;re prepared to make multiple physical copies.</li> <li><strong>1Password can store and <a href="https://1password.com/features/autofill/">autofill</a> more than just passwords.</strong> It also handles credit and debit card numbers, addresses, passport information, and so much more.</li> <li><strong>It will tell you when any of your passwords need changing.</strong> 1Password&rsquo;s built-in <a href="https://watchtower.1password.com/">Watchtower</a> will highlight weak and reused passwords, and alert you if any of your credentials appear in a known data breach.</li> </ul> <h2 id="so-long-paper">So long, paper</h2> <p>Yes, it&rsquo;s possible to use a whiteboard, sticky notes, or a notebook securely. But that doesn&rsquo;t mean any of them are the best way to record and retrieve your passwords.</p> <p>If you feel like you&rsquo;ve outgrown the physical medium, you&rsquo;re not alone. 1Password is for people who want to sign in and protect their online accounts without any hassle. If you&rsquo;re one of these people, make the switch and sign up for a <a href="https://start.1password.com/sign-up?l=en">free 1Password trial today</a>. You won&rsquo;t regret it.</p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Read our beginner&#39;s guide to cybersecurity</h3> <p class="c-call-to-action-box__text"> Want to learn more about how to stay safe online? 
Read our beginner’s guide to cybersecurity, which covers passwords, software, hardware, connectivity, and more! </p> <a href="https://1password.com/resources/beginners-guide-to-cybersecurity/" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Read the guide </a> </div> </section></description></item><item><title>1Password 8 for iOS is now in Early Access! 🎉</title><link>https://blog.1password.com/1password-8-ios-early-access/</link><pubDate>Wed, 13 Apr 2022 00:00:00 +0000</pubDate><author>info@1password.com (Michael Fey)</author><guid>https://blog.1password.com/1password-8-ios-early-access/</guid><description> <img src='https://blog.1password.com/posts/2022/1password-8-ios-early-access/header.png' class='webfeedsFeaturedVisual' alt='1Password 8 for iOS is now in Early Access! 🎉' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction"><em>Update: Our TestFlight program for 1Password 8 for iOS filled up fast! We’re making room for new testers every week, so check back often to sign up.</em></p> <p>I have been waiting to publish a post with this title for a long time. With <a href="https://1password.com/product/">1Password 8 for Linux and Windows</a> out in the world – and the <a href="https://blog.1password.com/1password-8-for-mac-is-now-in-early-access/">Mac version in beta</a> – many folks have justifiably been asking, “but what about iOS? When do I get to see that?</p> <p>The answer to that question is: today! We are lifting the Early Access curtain on our brand new iOS app – and it is <em>gorgeous</em>.</p> <p>I’ve written a whole post about why you’ll love this update and why you should check it out, but maybe you don’t need that. Maybe <a href="https://testflight.apple.com/join/fzDLkIVK">all you need is the TestFlight link</a>. 
If that’s the case, happy testing – <a href="https://1password.community/categories/1password-ios-beta-builds">and don’t forget to report those bugs</a>!</p> <p>It’s worth noting that <a href="https://1password.com/mac/">1Password 8</a> is a separate app from 1Password 7, and you’ll need to join this TestFlight crew even if you’re already a 1Password for iOS tester.</p> <p>If you’d like to take a quick tour before testing, I’m happy to oblige. Let’s explore, shall we?</p> <h2 id="next-gen-design">Next-gen design</h2> <img src='https://blog.1password.com/posts/2022/1password-8-ios-early-access/overview.jpg' alt='Photo of multiple iPhones displaying various 1Password 8 for iOS screens' title='Photo of multiple iPhones displaying various 1Password 8 for iOS screens' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>When we began work on 1Password 8 for iOS, we started with a fresh canvas and then filled it with all the things that makes 1Password great, backed by over a decade of experience shipping amazing apps for iOS.</p> <p>Over the last couple years we’ve been making a concerted effort to unify our design language. We built a user interface that’s cohesive across all our apps, but also makes you feel right at home on the platform where you’re using it. 
The updated designs result in a modern take on 1Password that is both familiar and fresh.</p> <h2 id="not-just-a-pretty-face">Not just a pretty face</h2> <img src='https://blog.1password.com/posts/2022/1password-8-ios-early-access/dark-mode.jpg' alt='Three iPhones displaying 1Password 8 settings options, Home tab, and setup screen in dark mode' title='Three iPhones displaying 1Password 8 settings options, Home tab, and setup screen in dark mode' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>If you’ve been following along with <a href="https://blog.1password.com/1password-8-the-story-so-far/">the development story of our new apps</a>, you know that 1Password 8 for iOS is powered by our next generation 1Password Core; the full capabilities of a desktop-class 1Password app are in the palm of your hand! Written primarily with SwiftUI and Rust, a secure systems programming language famous for its performance and safety, 1Password is more stable, more performant, and more secure than ever before.</p> <p>The Core also provides a very tangible benefit to everyone who uses our new 1Password apps: predictability. A Core-powered 1Password app behaves the same no matter what platform you’re using.</p> <p>Everything from your search results to the password generator has been unified. Even more complicated aspects of our apps – like item recovery and our incredible new item editor – are handled by the Core. 
New features, like the ability to <a href="https://blog.1password.com/1password-ssh-agent/">create and edit SSH keys</a>, which recently debuted in our desktop apps, can also be found in 1Password for iOS thanks to the Core.</p> <h2 id="many-firsts">Many firsts</h2> <img src='https://blog.1password.com/posts/2022/1password-8-ios-early-access/customise-home.jpg' alt='iPhones side-by-side displaying the “Customize Home” screen and finished Home tab with title: “Appleseed Family”' title='iPhones side-by-side displaying the “Customize Home” screen and finished Home tab with title: “Appleseed Family”' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>There’s a lot to discover in this new app, but let me just touch on a few of my favorites.</p> <p>Number 1: A personalized Home tab. All of us have slightly different use cases for our favorite security app, and the new Home tab enables you to set it up just the way you like it. Simply scroll to the bottom of the list, tap on the 🏠 <strong>Customize Home</strong> button, and you’re off to the races.</p> <p>Are you a heavy user of tags and want to see them at the top all the time? Go for it. Would you prefer to never see the archive? No problem, just turn it off. We have a lot of ideas about the type of information we can make available to you on this screen, so let us know <a href="https://1password.community/categories/1password-ios-beta-builds">in the forums</a> what you’d like to see.</p> <img src='https://blog.1password.com/posts/2022/1password-8-ios-early-access/ipad.jpg' alt='iPad displaying horizontal three-column 1Password 8 for iOS screen' title='iPad displaying horizontal three-column 1Password 8 for iOS screen' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>Number 2: 1Password for iPad.</p> <p>1Password 8 on iPad is next-level. 
With a gorgeous layout that takes full advantage of the screen real estate, this is the iPad app I’ve always wanted us to build.</p> <p>You can tailor the sidebar exactly the way you want it, just like the Home tab on iPhone. The best part is 1Password 8 for iPad scales gracefully to your device – from the expansive iPad Pro to the svelte iPad Mini – and takes advantage of iPad’s multitasking views like Split View or Slide Over.</p> <img src='https://blog.1password.com/posts/2022/1password-8-ios-early-access/watchtower.jpg' alt='Five iPhones displaying various 1Password Watchtower screens: Watchtower Dashboard, two screens with 1Password items displaying “Reused Password” notification, one screen displaying “Reused Passwords” filter in search results, and one screen displaying “Vulnerable Passwords” filter in search results' title='Five iPhones displaying various 1Password Watchtower screens: Watchtower Dashboard, two screens with 1Password items displaying “Reused Password” notification, one screen displaying “Reused Passwords” filter in search results, and one screen displaying “Vulnerable Passwords” filter in search results' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>Number 3: Watchtower. Watchtower tells you about <a href="https://watchtower.1password.com/">password breaches</a> and other security problems with the items you have saved in 1Password. Until now, only fragments of Watchtower have been available on iOS.</p> <p>We’ve always wanted to deliver a complete Watchtower experience to our iOS customers and I’m happy to report that 1Password 8 does just that. Featuring a full Watchtower dashboard, it gives you an at-a-glance view of your online security health. 
Better yet, it allows you to dig in and fix the issues, all from the comfort of your couch, your bed, or wherever you find yourself with a few extra minutes and some security issues to resolve.</p> <h2 id="the-classics">The classics</h2> <p>As much as we’ve changed in 1Password 8, the greatest hits are still here. You can still unlock with Touch ID or Face ID, fill your passwords into apps and websites using <a href="https://1password.com/features/autofill/">Password AutoFill</a>, and use our <a href="https://blog.1password.com/1password-for-safari/">browser extension in Safari</a>. And of course, the industry-leading security that you’ve come to know and trust continues to underpin everything we do.</p> <p>I would recommend popping over to the Settings tab and checking out all of the options available to you to set up 1Password just the way you like it.</p> <h2 id="more-to-come">More to come</h2> <img src='https://blog.1password.com/posts/2022/1password-8-ios-early-access/new-design.jpg' alt='Four iPhone screens displaying the new design of 1Password 8 for iOS in multiple views' title='Four iPhone screens displaying the new design of 1Password 8 for iOS in multiple views' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>Today’s launch represents a massive lift by our design and development teams. There are a few things that did not make the cut, but we’ll be adding them in before stable release later this year. Keep an eye out for item sharing, additional Home tab content, Apple Watch support, account management, and an essential settings walkthrough.</p> <h2 id="get-involved">Get involved</h2> <p>As I mentioned above, 1Password 8 is a brand new app with a <a href="https://testflight.apple.com/join/fzDLkIVK">TestFlight program</a> all its own. 
We’ll be publishing updates every week, and posting about the updates to the <a href="https://1password.community/categories/1password-ios-beta-builds">community forum</a>.</p> <p>As always, we can’t make them great without your help, so please: download the app, dig in deep, and tell us what you think.</p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Try the Early Access</h3> <p class="c-call-to-action-box__text"> Want an early peek at 1Password 8 for iOS? Download the Early Access version on your iPhone and iPad today. </p> <a href="https://testflight.apple.com/join/fzDLkIVK/" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Download 1Password 8 for iOS </a> </div> </section></description></item><item><title>How Y42 quickly onboards new team members with 1Password</title><link>https://blog.1password.com/y42-1password-case-study/</link><pubDate>Tue, 12 Apr 2022 00:00:00 +0000</pubDate><author>info@1password.com (Rob Boone)</author><guid>https://blog.1password.com/y42-1password-case-study/</guid><description> <img src='https://blog.1password.com/posts/2022/y42-1password-case-study/header.png' class='webfeedsFeaturedVisual' alt='How Y42 quickly onboards new team members with 1Password' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Full-stack data platform <a href="https://www.y42.com">Y42</a> is growing fast. The company kicked off 2021 with 15 employees. By February 2022, they were closing in on 100 team members.</p> <p>Hai Nguyen Mau, VP of Operations at Y42, is tasked with designing and refining the systems that allow everyone to get their work done – both securely and efficiently. He loves how simple 1Password makes it. 
“We need to make sure everyone has the right credentials, and 1Password is part of our infrastructure for doing that. It’s turned out to be a superpower,” Hai says.</p> <p>Y42 uses 1Password to:</p> <ul> <li>Scale company onboarding so more people can be brought on quickly and securely</li> <li>Ensure secure usage of company and customer data across a growing team</li> <li>Make sure everyone has fast, easy access to the logins they need – and only the logins they need</li> </ul> <h2 id="how-y42-structures-1password-vaults-to-simplify-onboarding">How Y42 structures 1Password vaults to simplify onboarding</h2> <p>Hai takes advantage of 1Password’s granular permission settings to streamline onboarding.</p> <p>Ensuring proper permissions starts by giving each team its own vault. First, he created a hierarchical company structure and assigned each level a vault. There’s a company-wide vault (Level 1), a vault for Marketing (Level 2), and a vault for Growth Marketing (Level 3), for example, plus vaults that are shared across teams.</p> <p>Hai then placed team members into groups which automatically grant access to vaults (i.e. access levels) appropriate for their job role. “Because privileges are set per group, we just put the new person in a group and they automatically have access to what they need,” he says.</p> <p>The process has dramatically simplified the onboarding process. “It’s super user-friendly,” Hai says. “I had almost no trouble onboarding during our growth phase. 
We had to onboard five, six, seven people at a time — all of them new to all of the apps that we use — and it was never a problem.”</p> <h2 id="maximizing-adoption-with-education">Maximizing adoption with education</h2> <p>There are so many ways 1Password saves Hai time, and he wanted to make sure everyone else in the company was taking full advantage of them.</p> <p>He held micro-workshops on all the tips and tricks he’d learned on his own and from 1Password’s onboarding specialists – things like <a href="https://support.1password.com/touch-id-mac/">Touch ID</a> and <a href="https://support.1password.com/one-time-passwords/">two-factor authentication</a>. “We put all that info into a knowledge base” to streamline future onboards, Hai says.</p> <h2 id="scaling-faster-with-1password">Scaling faster with 1Password</h2> <p>Y42 recently rolled out Okta’s single sign-on (SSO) solution company-wide. As part of the knowledge base, Hai created an internal post titled “How to become 10x more productive within Okta using 1Password.”</p> <p>“We use both tools to authenticate… We realized we can connect teams and identities to 1Password and auto-deploy groups.” Still, Hai’s not finished with the 1Password deployment - he plans to scale the company’s use of 1Password as they grow.</p> <p>“We’re deploying 1Password <a href="https://blog.1password.com/introducing-secrets-automation/">Secrets Automation</a> to our DevOps teams right now, and integrating 1Password into our infrastructure. So we’re using 1Password to its fullest extent.” In the future, Y42 plans to hire an IT security manager to handle compliance. “1Password will support us in getting SOC2 and ISO27001 [compliance] done,” Hai explains.</p> <h2 id="streamlining-workflows-securely-with-touch-id">Streamlining workflows securely with Touch ID</h2> <p>It’s hard to measure the impact of great security, Hai says. 
“It’s the absence of something bad happening.”</p> <p>Still, the difference that 1Password has made is felt across the company. The biggest changes have been “the [reduced] complexity of team setups, how we distribute credentials, and the speed of onboarding,” Hai says.</p> <p>But the most noticeable impact is streamlined workflows. “My favorite feature is Touch ID,” Hai says. “If you’re working and you’re in a flow, you don’t want to be distracted, and going somewhere to authenticate takes you out of your flow. 1Password helps you stay in the zone. That’s how seamless it is.”</p> <p>Ultimately, though, Hai likes to think about the big picture and focus on his primary goal: secure growth. “Using 1Password was a huge enabler for us to get to this stage. It’s helped us grow and onboard this many people without the feeling of not knowing what people are doing or how secure we are. That’s not an option, because we’re handling a lot of customer data. I don’t know how I would’ve done it without [1Password].”</p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Secure your team with 1Password Business</h3> <p class="c-call-to-action-box__text"> Keep your team secure without slowing them down. Choose 1Password Business to gain complete control over passwords and other sensitive business information. 
</p> <a href="https://1password.com/business-pricing/" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Try free for 14 days </a> </div> </section></description></item><item><title>How to keep your home Wi-Fi network secure</title><link>https://blog.1password.com/secure-home-wifi-network/</link><pubDate>Fri, 08 Apr 2022 00:00:00 +0000</pubDate><author>info@1password.com (Emily Chioconi)</author><guid>https://blog.1password.com/secure-home-wifi-network/</guid><description> <img src='https://blog.1password.com/posts/2022/home-wifi-network-protect-hack/header.png' class='webfeedsFeaturedVisual' alt='How to keep your home Wi-Fi network secure' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">From smartphones to smart fridges, the <a href="https://www.forbes.com/sites/bernardmarr/2021/12/13/the-5-biggest-internet-of-things-iot-trends-in-2022/?sh=24d78fc65aba">Internet of Things</a> is producing more and more devices that are meant to be connected to a Wi-Fi network. The average household was expected to own <a href="https://findstack.com/internet-of-things-statistics/#:~:text=It%20is%20expected%20that%20every,with%20our%20homes%20and%20businesses.">50 connected devices in 2021</a>, up from just 10 devices the year before. With so many gadgets living on your home network, it&rsquo;s never been more important to ramp up your Wi-Fi security.</p> <h2 id="the-basics-of-home-wi-fi-security">The basics of home Wi-Fi security</h2> <p>Many of the steps required to fortify your home network involve adjusting some settings. Every router and Internet Service Provider (ISP) will have some variation in the way you can access and change these settings, but you should be able to easily find the information you need on your ISP’s website. 
If you can&rsquo;t find the instructions online, contact your ISP directly or reach out to the manufacturer of your router.</p> <h3 id="1-change-the-default-name-and-password-of-your-wi-fi-network">1. Change the default name and password of your Wi-Fi network</h3> <p>One of the simplest ways to protect your internet connection is to change the default name and password for your Wi-Fi network. Your ISP or the router manufacturer will assign a preset name to your network, called a Service Set Identifier (SSID). These preset names reveal the router&rsquo;s make and model, which <a href="https://www.lifewire.com/is-your-wireless-networks-name-a-security-risk-2487658">makes it easy for hackers to look up or crack the default password</a> assigned to your network.</p> <p>Don&rsquo;t pick a name with any identifiable information - try a <a href="https://1password.com/username-generator/">username generator</a> for something completely random. Your Wi-Fi password should also be <a href="https://1password.com/password-generator/">strong, unique, and completely random</a>.</p> <h3 id="2-turn-on-wi-fi-network-encryption">2. Turn on Wi-Fi network encryption</h3> <p>The latest and most secure kind of wireless encryption is called Wi-Fi Protected Access 3, or <a href="https://www.howtogeek.com/782993/whats-the-best-wi-fi-encryption-to-use-in-2022/">WPA3</a>. This protocol protects your Wi-Fi network from unauthorized access by encrypting the traffic between your devices and the router, so anyone within radio range who doesn’t have your password can neither join the network nor read what passes over it. WPA3 has been around since 2018, so most current wireless routers come with this kind of encryption. If your router is older and doesn’t support WPA3, select WPA2 with AES (sometimes labelled CCMP) in the meantime – never WEP or WPA/TKIP, which are broken – and it’s a good time to upgrade to a newer model.</p> <h3 id="3-keep-your-router-up-to-date">3. Keep your router up to date</h3> <p>Just like any of your devices, your home router needs to be patched and updated occasionally. If you can, turn on automatic updates or periodically check for new security patches. 
You should also protect your router with a strong, unique password, which is required to change many of the settings mentioned.</p> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div class="c-technical-aside-box__description"> <p>Learn more tips for <a href="https://blog.1password.com/5-quick-tips-for-smart-home-security/">keeping your smart home devices secure!</a></p> </div> </aside> <h3 id="4-use-a-firewall">4. Use a firewall</h3> <p>A firewall is like a barrier between the internet and your Wi-Fi network. The router’s firewall drops connections that arrive from the internet unless a device on your network asked for them, so someone scanning the internet for open ports can’t reach your devices directly. Luckily, most routers come with built-in firewall protection, but it sometimes needs to be enabled in your router’s settings.</p> <h3 id="5-turn-off-universal-plug-and-play-upnp">5. Turn off Universal Plug and Play (UPnP)</h3> <p><a href="https://www.lifewire.com/universal-plug-and-play-4153001">Universal Plug and Play (UPnP)</a> lets devices on the same network, like printers and computers, find each other and automatically connect without having to manually authenticate anything. While convenient, there’s a problem: UPnP also lets any device on your network ask the router to open a port to the internet, with no authentication, and the router can’t distinguish a legitimate request from one made by malware. A single infected device can therefore punch a hole through your firewall for an attacker outside your home. UPnP is usually enabled by default, so it’s best to turn this off in your router’s settings.</p> <h3 id="6-disable-remote-access">6. Disable remote access</h3> <p>Some routers let you connect to your admin account remotely. That means you can tweak settings even when you’re well outside the range of your router or home Wi-Fi network. Most people have no use for this feature, and turning it off is an easy way to beef up your security. With remote access disabled, a cybercriminal would need to be in range of your home network before even attempting to hijack it.</p> <h3 id="7-set-up-a-guest-wi-fi-network">7. 
Set up a guest Wi-Fi network</h3> <p>Often have friends and family over? If they connect to your Wi-Fi, setting up a guest network is crucial. This separate network can be created in your router’s settings, and will stop anyone from exposing you by using an infected device or accidentally downloading a virus while on your Wi-Fi. The guest network will act as a new access point to your router, keeping your home network and all the devices connected to it separate.</p> <p>You can also set up a guest Wi-Fi network to keep some of your own devices separate. Some Internet of Things (IoT) hardware is less secure than a computer or smartphone, and much more vulnerable to hacking. You can use a guest network to connect devices that don’t house as much sensitive data, like smart appliances. If an attacker found a way to hack one of your IoT devices, they would only have access to the guest network – not the one that your laptop, phone, and other personal data is connected to.</p> <h3 id="8-turn-off-wi-fi-protected-setup-wps">8. Turn off Wi-Fi Protected Setup (WPS)</h3> <p>Wi-Fi Protected Setup (WPS) is designed to simplify connecting to a Wi-Fi network – which, unfortunately, makes it easier to hack. With WPS, anyone can connect using a short <a href="https://www.digitalcitizen.life/simple-questions-what-wps-wi-fi-protected-setup/#ftoc-heading-3">PIN</a> or by pushing a physical button (<a href="https://www.digitalcitizen.life/simple-questions-what-wps-wi-fi-protected-setup/#ftoc-heading-2">Push-Button-Connect</a>), rather than a password. Ultimately, these options are only slightly more convenient, and much, much easier for an attacker to exploit. 
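The eight tips above are a checklist, and a checklist can be checked mechanically. The script below is an added example, not code from 1Password or from any router vendor: it audits two constructed configurations (a weak one and a hardened one) against the tips, and it also works out why the WPS PIN in particular is weak. The configuration field names, the list of vendor default SSID prefixes and the sample values are assumptions made for this example; the WPS checksum rule and the 10^4 + 10^3 figure describe the protocol itself.

```python
import re

# Constructed router settings, shaped like a consumer router's admin page.
# The field names are an assumption for this example, not any vendor's format.
WEAK_CONFIG = {
    "ssid": "NETGEAR37",              # vendor default, reveals the model line
    "wifi_password": "sunflower1",
    "encryption": "WPA2-TKIP",
    "admin_password": "admin",
    "firmware_auto_update": False,
    "firewall_enabled": False,
    "upnp_enabled": True,
    "remote_admin_enabled": True,
    "guest_network_enabled": False,
    "wps_enabled": True,
}

HARDENED_CONFIG = {
    "ssid": "quiet-heron-4821",       # random, no name or address in it
    "wifi_password": "tundra-velvet-omen-kestrel-92",
    "encryption": "WPA3",
    "admin_password": "J7v!qLm2#pXw9Zr$Tc4e",
    "firmware_auto_update": True,
    "firewall_enabled": True,
    "upnp_enabled": False,
    "remote_admin_enabled": False,
    "guest_network_enabled": True,
    "wps_enabled": False,
}

# A few well-known vendor default SSID prefixes (constructed, not exhaustive).
DEFAULT_SSID = re.compile(r"^(NETGEAR|Linksys|TP-?Link|ASUS|D-?Link|xfinitywifi)", re.I)
# WPA3 is the target; WPA2 with AES/CCMP is the only acceptable fallback.
ACCEPTED_ENCRYPTION = {"WPA3", "WPA3-SAE", "WPA2/WPA3", "WPA2-AES", "WPA2-CCMP"}
DEFAULT_ADMIN_PASSWORDS = {"", "admin", "password", "1234", "12345"}


def wps_pin_checksum(first_seven):
    """Checksum digit of a WPS PIN: the 8th digit is computed from the first 7,
    so only 10**7 of the 10**8 eight-digit strings are even valid PINs."""
    accum = 0
    while first_seven:
        accum += 3 * (first_seven % 10)
        first_seven //= 10
        accum += first_seven % 10
        first_seven //= 10
    return (10 - accum % 10) % 10


def wps_max_guesses():
    """Worst-case guesses for an online WPS PIN attack. The router reports
    whether the first four digits were right before it checks the rest, and
    the last digit is a checksum, so the two halves are searched separately:
    10**4 + 10**3 guesses instead of 10**8."""
    return 10**4 + 10**3


def audit_router(cfg):
    """Return a list of findings, each numbered by the tip it relates to."""
    findings = []
    if DEFAULT_SSID.match(cfg["ssid"]):
        findings.append("1: SSID looks like a vendor default; rename it")
    if len(cfg["wifi_password"]) < 16:
        findings.append("1: Wi-Fi password is short; use a long generated one")
    if cfg["encryption"] not in ACCEPTED_ENCRYPTION:
        findings.append(f"2: {cfg['encryption']} is not WPA3 (or WPA2-AES as a fallback)")
    if not cfg["firmware_auto_update"]:
        findings.append("3: automatic firmware updates are off")
    if cfg["admin_password"].lower() in DEFAULT_ADMIN_PASSWORDS or len(cfg["admin_password"]) < 12:
        findings.append("3: router admin password is a default or too short")
    if not cfg["firewall_enabled"]:
        findings.append("4: firewall is off; unsolicited inbound connections reach your devices")
    if cfg["upnp_enabled"]:
        findings.append("5: UPnP is on; any device on the LAN can open inbound ports")
    if cfg["remote_admin_enabled"]:
        findings.append("6: remote (internet-side) administration is on")
    if not cfg["guest_network_enabled"]:
        findings.append("7: no guest network to isolate visitors and IoT devices")
    if cfg["wps_enabled"]:
        findings.append(f"8: WPS is on; its PIN falls to at most {wps_max_guesses()} guesses")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {len(audit_router(cfg))} findings")
        for finding in audit_router(cfg):
            print("  -", finding)
```

The weak configuration trips all ten checks; the hardened one trips none. The WPS numbers are the reason tip 8 matters even for a PIN you never use: 11,000 online attempts is hours of work for an attacker parked within radio range, and the push-button mode does nothing to change that.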
While it’s unlikely that someone will break into your home and press the WPS button on your router, an eight-digit PIN won&rsquo;t take long for a hacker to crack with a <a href="https://blog.1password.com/what-is-a-brute-force-attack-and-whats-the-best-defense/">brute-force attack</a>: the last digit is only a checksum, and the router confirms the first four digits separately from the remaining three, so an attacker within radio range needs at most about 11,000 guesses rather than 100 million.</p> <p>If you want to keep your network as secure as possible, it&rsquo;s best to turn off WPS altogether. WPS is usually enabled by default, so make sure to disable this as soon as you can.</p> <h2 id="no-more-mr-wi-fi">No more Mr. Wi-Fi</h2> <p>As smart devices become even more of a staple in your home, it&rsquo;s time to get tough with your Wi-Fi security. IoT gadgets can be fun and incredibly useful, but if you’re not keeping an eye on how and what you’re connecting, you’re putting yourself at risk. Investing the time in fortifying your home Wi-Fi network will give you the convenience, safety, and peace of mind you need to get the most out of an increasingly connected world.</p> <p><em>Editor&rsquo;s Note: This article was updated on 12/15/2022.</em></p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Level up your cybersecurity</h3> <p class="c-call-to-action-box__text"> Want to learn more about how to stay safe online? Read our beginner’s guide to security, which covers passwords, software, hardware, connectivity, and more! 
</p> <a href="https://1password.com/resources/beginners-guide-to-cybersecurity/" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Read the guide </a> </div> </section></description></item><item><title>QR codes: what are the security implications?</title><link>https://blog.1password.com/qr-codes-cybersecurity-risks/</link><pubDate>Thu, 07 Apr 2022 00:00:00 +0000</pubDate><author>info@1password.com (Stacey Harris)</author><guid>https://blog.1password.com/qr-codes-cybersecurity-risks/</guid><description> <img src='https://blog.1password.com/posts/2022/qr-codes-cybersecurity-risks/header.png' class='webfeedsFeaturedVisual' alt='QR codes: what are the security implications?' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">From restaurant menus to sporting tickets, using a QR code has become a regular part of life for many. They’ve been widely used in some countries for years, and <a href="https://www.statista.com/statistics/199328/qr-code-scanners-by-age/">during the pandemic they finally hit mass adoption in North America and the UK</a>.</p> <p>But as QR codes grow in popularity, so do the security risks. It’s important to understand these risks and what you can do to avoid them, so you’re prepared the next time you encounter one in the wild.</p> <h2 id="why-qr-codes-are-on-the-rise">Why QR codes are on the rise</h2> <p><a href="https://www.britannica.com/technology/QR-Code">QR codes were first invented in 1994</a> for tracking automotive parts during manufacturing, and slowly began to spread into parts of everyday life. In China, <a href="https://money.cnn.com/2017/09/08/technology/china-qr-codes/index.html">contactless payments driven by QR codes have been the norm</a> for a long time, with many businesses not even accepting credit cards or cash. 
However, the QR code initially struggled to gain traction in the Western market.</p> <p>But when the pandemic hit in 2020, there was a clear benefit to touchless technology. Suddenly it wasn’t just an option, but the preferred choice for consumers. This shift towards a more contactless experience helped accelerate the adoption of QR codes in regions where it had previously lagged.</p> <p>QR codes have made everyday life more convenient – from ordering food and drinks at a restaurant, to finding out nutritional information on labels at the grocery store. Heck, they’re even used on the web to set up two-factor authentication (2FA). That’s why, even as pandemic restrictions ease in the West, QR codes have stuck around, and are unlikely to disappear completely.</p> <h2 id="how-criminals-use-qr-codes-for-scams">How criminals use QR codes for scams</h2> <p>The rising popularity of QR codes has made them an <a href="https://threatpost.com/qr-codes-cyberattack-usage-spikes/165526/">increasingly attractive target for criminals</a>. The biggest risk with using these codes is that you can never be sure where a code links to until you’ve already scanned it. Scammers are counting on people to blindly use a QR code without thinking of the risks or consequences.</p> <p>For example, a <a href="https://www.pcmag.com/opinions/coinbases-mystery-qr-code-super-bowl-ad-is-a-security-nightmare">Coinbase Super Bowl ad</a> consisted of just a QR code bouncing around the TV screen with no context or branding. That ad generated enough traffic to crash their website during the one-minute ad spot. This means enough people whipped out their phones and scanned a QR code they knew nothing about to crash Coinbase’s website. Thankfully, Coinbase is a legitimate company, and their QR code linked to their website – but what if it didn’t?</p> <p>Another way criminals take advantage is by physically sticking a new QR code over the top of an existing one. 
Paying your bill or parking meter with a QR code sounds convenient, but if it’s in a public space, you should be mindful that a criminal could have tampered with it. A replaced QR code could intercept payments, or even copy your card details so a criminal can use them at a later time. It might even direct you to an entirely new website that automatically downloads malware onto your device.</p> <p>Most people don’t realize that QR codes can do more than just link to a website. They can:</p> <ul> <li>Download apps or malware</li> <li>Share your physical location</li> <li>Trigger a phone call which shares your caller ID information</li> <li>Create a preloaded text message, which will share information with an unknown number if you hit send</li> <li>Add contacts to your phone made to look like credit card companies, priming you for a social engineering scam</li> </ul> <p>Many of these options have useful applications – but like anything, they can be co-opted by criminals.</p> <h2 id="how-you-can-protect-yourself">How you can protect yourself</h2> <p>Fortunately, there are ways to protect yourself while using QR codes. Below are a few steps you can take to reduce the risk, while still enjoying the conveniences that QR codes offer.</p> <ul> <li>Only scan QR codes from sources you trust.</li> <li>Make sure the website a QR code sends you to is the website you intended to visit before entering any personal information.</li> <li>Don’t sacrifice security for convenience. If you’re unsure about the QR code, take the time to search for the right link elsewhere.</li> <li>Turn on automatic updates for your phone. Most QR codes are accessed via mobile, so it’s important to keep your phone security up to date.</li> <li>If a QR code looks like it’s been tampered with, don’t scan it.</li> <li>Use a password manager like 1Password. 
1Password only suggests autofilling your login information on the verified website you saved with your item.</li> </ul> <p>QR codes are great for saving time, and are sometimes the best way to share information. But just like the web, you need to use your best judgment to stay safe and protect your personal information. So next time you see a QR code in the wild, make sure you pause and assess potential risks before you scan it.</p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Ready to protect yourself?</h3> <p class="c-call-to-action-box__text"> Keep all of your accounts secure with 1Password, the world’s most-trusted password manager. Get started today with a free 14-day trial. </p> <a href="https://1password.com/business-pricing/" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Try free for 14 days </a> </div> </section></description></item><item><title>Developers deserve great UX, too</title><link>https://blog.1password.com/developers-deserve-great-ux/</link><pubDate>Tue, 29 Mar 2022 00:00:00 +0000</pubDate><author>info@1password.com (Marc Mackenbach)</author><guid>https://blog.1password.com/developers-deserve-great-ux/</guid><description> <img src='https://blog.1password.com/posts/2022/developers-deserve-great-ux/header.png' class='webfeedsFeaturedVisual' alt='Developers deserve great UX, too' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">As a consumer, I&rsquo;m a bit spoiled. When I pick up my phone to check my messages in the morning, I scan my fingerprint to get instant access to everything I’ve added to my homescreen. 
It&rsquo;s my very own personalized magic portal to all my stuff.</p> <p>Even the apps themselves are (with some exceptions) built to delight.</p> <p>That&rsquo;s not the case for most tools that developers use every day. Once you leave the consumer ecosystem and get to work in a terminal or an IDE, the experience changes. Because of our technical know-how, we think we need complexity. But we&rsquo;re here to build the software that powers the world, not necessarily to remember an arcane command and copy access keys a million times every day.</p> <p>When you need to authenticate in your terminal or IDE, why can&rsquo;t you just use your fingerprint, watch, or face like we can do today in most consumer products?</p> <p>There&rsquo;s nothing I want more than to extend the magic that we take for granted as consumers to developers. And with last week&rsquo;s release of <a href="https://1password.com/developers/">1Password Developer Tools</a>, starting with <a href="https://blog.1password.com/1password-ssh-agent/">SSH</a> and <a href="https://blog.1password.com/1password-cli-2_0/">CLI 2.0</a>, we’re off to a great start.</p> <h2 id="the-modern-developer-experience-isnt-so-modern">The modern developer experience isn&rsquo;t so modern</h2> <p>My first development gig was building a web product for the Dutch Coffeecompany, in 2011. The way I interacted with SSH and Git back then is the same way we interact with SSH and Git today – 11 years later.</p> <p>While every developer starts their day with a &ldquo;git pull,&rdquo; we as an industry seem to have accepted that this workflow is riddled with complexity.</p> <p>Setting up SSH is a pain. I still have to Google the <code>ssh-keygen</code> command every time I want to use it. Even the most experienced developers do, because it&rsquo;s a complicated process. 
So much so that GitHub, GitLab, DigitalOcean, and others have an <a href="https://docs.github.com/en/authentication/connecting-to-github-with-ssh/generating-a-new-ssh-key-and-adding-it-to-the-ssh-agent">entire section of documentation</a> dedicated to it.</p> <p>And during that same setup process, I have to protect it with a strong passphrase (which I don&rsquo;t want to enter every time I use it) and load it into an SSH Agent.</p> <p>And do you know how many times I&rsquo;ve accidentally copied my private key into GitHub instead of my public key? More times than I&rsquo;d like to admit.</p> <p>Why can&rsquo;t this stuff just work like my phone? Why can&rsquo;t I just authenticate with a fingerprint or facial recognition and get back to work?</p> <p>I want better tools. I want that same kind of magic in my developer workflows.</p> <h2 id="unnecessary-complexity-is-a-security-risk">Unnecessary complexity is a security risk</h2> <p>Complicated workflows aren&rsquo;t just a pain, they&rsquo;re a security risk. There are so many choices you have to make during the <code>ssh-keygen</code> process. What key type, RSA or elliptic curve? And what bit length/key strength? Do I protect the key with a passphrase? It&rsquo;s easier not to use a passphrase, but that means I have to store the key as plaintext which is very insecure.</p> <p>So, passphrase. It needs to be simple enough for me to remember, so I can type it in every time I need to (which is also insecure; because it&rsquo;s a machine-to-machine secret, there&rsquo;s no reason for me to even know it, let alone type it in). But it should also be hard to guess, which means it&rsquo;ll be hard to remember. 
So I store it in 1Password, copy and paste it into my terminal every time I need to use it, and use SSH Agent &hellip; but that just gives blanket approval to any process to use any key.</p> <p>Now throw in the rest of my toolkit: testing tools, debugging tools, version control, and triggering CI/CD pipelines into my IDE. We made all these things to integrate all our workflows into one unified experience – but most of these tools still need a credential to authenticate! Which means we have to store credentials in environment variables or settings files – which, in turn, means that we&rsquo;re either needlessly exposing secrets or constantly breaking flow to authenticate.</p> <p>The problem is growing too, because the scope of who we consider to be a &ldquo;developer&rdquo; is growing. So many people use Git nowadays: designers, technical writers, managers, QA testers. GitHub alone has exceeded 73 million people using their platform to collaborate. So it&rsquo;s more important than ever that we eliminate this &ldquo;accepted complexity&rdquo; and make these tools easy and accessible to everyone.</p> <h2 id="were-building-consumer-grade-experiences-for-developers">We&rsquo;re building consumer-grade experiences for developers</h2> <img src="https://blog.1password.com/posts/2022/developers-deserve-great-ux/1Password_SSH.gif" alt="Animated depiction of SSH key flow in 1Password" title="Animated depiction of SSH key flow in 1Password" class="c-featured-image"/> <p>So that&rsquo;s why we&rsquo;re starting with the biggest thing that every developer uses: Git. With the built-in SSH support in <a href="https://1password.com/products/">1Password 8</a>, you can now generate a new SSH key with secure defaults, add it to GitHub, and push to a new git repo in less than a minute. All you have to do is authenticate with a fingerprint or your Apple Watch.</p> <p>But that&rsquo;s not all. 
If we&rsquo;re serious about making developers' daily lives easier and more secure, then we should also look at how developers can use 1Password from their terminal. Which is why after 6 months of work and 1,344 commits we released 1Password CLI 2.0, which includes 49 significant improvements and that same biometric authentication magic.</p> <p>This is why I was so excited to join 1Password: marrying brilliant UX with the carefully crafted developer tools that we built at <a href="https://blog.1password.com/secrethub-acquisition/">SecretHub</a>. By bringing consumer-grade experiences to developers, we&rsquo;re not only making their/our lives easier, we&rsquo;re securing an aspect of enterprise security that&rsquo;s been largely ignored to this point.</p> <p>We&rsquo;ll have a lot more to say about this, so if you&rsquo;re interested in what we&rsquo;re building, stay tuned for more updates on <a href="https://1password.com/developers/">Developer Tools</a>, including a deep(er) dive into SSH and the new CLI, the <a href="https://twitter.com/hashtag/buildwith1password">#BuildWith1Password</a> challenge, and a lot more. Better yet, <a href="https://1password.community/categories/ssh">join the community</a> to chat with other devs or <a href="https://1password.com/dev-subscribe/">sign up for our developer newsletter</a> – we&rsquo;ll send the latest news right to your inbox.</p> <p>See you there!</p></description></item><item><title>New and improved 1Password 8 features! 🤩 ~ from Dave's newsletter</title><link>https://blog.1password.com/dave-newsletter-march-2022/</link><pubDate>Tue, 22 Mar 2022 00:00:00 +0000</pubDate><author>info@1password.com (Dave Teare)</author><guid>https://blog.1password.com/dave-newsletter-march-2022/</guid><description> <img src='https://blog.1password.com/posts/2022/march-newsletter/header.png' class='webfeedsFeaturedVisual' alt='New and improved 1Password 8 features! 
🤩 ~ from Dave's newsletter' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Hello everyone!</p> <p>I hope you and your family are safe and well. 🙏</p> <p>Thankfully my family and I are, and with the snow starting to melt here in Canada, I’m excited to come out of hibernation and so happy to be out walking again.</p> <p>Our development teams were busy over the winter creating some great new things. What better way to spend the cold months than indoors with their machines to keep warm, eh? 🙂</p> <p>We have a lot to cover so let’s jump right in.</p> <h2 id="ssh-and-git-and-cli-oh-my">SSH and Git and CLI, oh my!</h2> <p>Developers and designers and those in IT are going to love this section. If that’s not you, you may want to jump ahead while I geek out here. 😘</p> <p>Roustem and I originally created 1Password as a development tool for our web consulting business. Being able to automatically fill logins, addresses, and credit cards was a huge boon to our productivity.</p> <p>I’m excited to announce that the team has built on these roots and brought this magic into development workflows to make them easier <em>and</em> more secure.</p> <p>They started with SSH keys and made things so easy that I can now use 1Password to create a new SSH key, add it to GitHub, and push to a new git repo in 45 seconds. And best of all I didn’t have to change any of my tools and am able to authorize with Touch ID or my Apple Watch. 
🤩</p> <img src='https://blog.1password.com/posts/2022/march-newsletter/ssh-watch.png' alt='Popup window for an SSH key that can be granted with an Apple Watch' title='Popup window for an SSH key that can be granted with an Apple Watch' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>You can read all about simplifying SSH and Git with 1Password here:</p> <p><strong><a href="https://blog.1password.com/1password-ssh-agent/">SSH and Git, meet 1Password</a></strong></p> <p>And they didn’t stop at managing SSH keys. Development teams require many other kinds of secrets, too. That’s where our new command-line interface tool <code>op</code> comes in. Integrate <code>op</code> into your workflows to securely load secrets from 1Password wherever you need them.</p> <p>Here’s me authorizing AWS to deploy my website to S3 using Touch ID. 😍</p> <img src='https://blog.1password.com/posts/2022/march-newsletter/authorize-cli.png' alt='Popup window authorizing CLI access via 1Password' title='Popup window authorizing CLI access via 1Password' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>Using <code>op</code> allowed me to remove all my secrets from plain text RC files and environment variables. It’s really cool how it works and I needed an entirely separate post to show how the magic works.</p> <p><strong><a href="https://blog.1password.com/1password-cli-2_0/">Your CLI wish is our command</a></strong></p> <p>I’ve been using <code>op</code> and the new SSH features for several weeks now and they’ve greatly simplified my dev setup. And it’s more secure, too. Simply put, it’s magical.</p> <h2 id="big-windows-updates">Big Windows updates</h2> <p><a href="https://1password.com/products/">1Password 8</a> for Windows just got a big update with lots of goodies to enjoy. We’ve seen over 213 changes and improvements since our announcement back in November. 🥰</p> <p>The most visible change is the sidebar. 
You can now include categories, hide tags, and even hide the sidebar entirely to use in compact mode.</p> <img src='https://blog.1password.com/posts/2022/march-newsletter/1password-8-windows.png' alt='1Password 8 for Windows showing an SSH item titled &#39;GitHub&#39;' title='1Password 8 for Windows showing an SSH item titled &#39;GitHub&#39;' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>There’s plenty to love so I wrote an entire post to detail the changes and included several gorgeous screenshots.</p> <p><strong><a href="https://blog.1password.com/1password-8.6-windows/">1Password 8.6 for Windows</a></strong></p> <p>1Password for Linux has also seen a ton of improvements since the first release last spring. It’s coming up on a full year and we’ll be celebrating its 1st birthday in an upcoming newsletter.</p> <h2 id="1password-8-for-mac-is-imminent">1Password 8 for Mac is imminent</h2> <p>I’m thrilled to announce that 1Password 8 for Mac will be released soon. 🙌</p> <p>In about two weeks we’ll be building our Release Candidate and if all goes well we will be launching 1Password 8 before the May flowers start blooming.</p> <p>1Password 8 sports a completely new, modern design, enhanced productivity, and takes security and privacy further than ever. 
You can read all about it <a href="https://blog.1password.com/1password-8-for-mac-is-now-in-early-access/">here</a>.</p> <img src='https://blog.1password.com/posts/2022/march-newsletter/1password-8-mac.png' alt='Quick Access on 1Password 8 for Mac, showing multiple Apple accounts' title='Quick Access on 1Password 8 for Mac, showing multiple Apple accounts' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>If you’d like to get a jump start on this new release, you can <a href="https://1password.com/downloads/windows/">download 1Password 8</a> and join our beta family here:</p> <p><strong><a href="https://1password.com/downloads/mac/#beta-downloads">Download 1Password 8 beta for Mac</a></strong></p> <p>1Password 8 will require a subscription to our 1Password membership and will rely exclusively on 1Password.com (or .ca or .eu).</p> <p>If you are still using iCloud or Dropbox or WLAN Sync, now is a great time to migrate over your data so you’ll be ready for the new release. You can trade in your license for 50% off your first three years by launching 1Password 7 and clicking the upgrade link.</p> <p>Thank you to everyone for your feedback during the beta period. We’re gearing up for the biggest and best launch in the history of 1Password and we couldn’t have done it without you. 🤗</p> <p>Be sure to also join the development team and me in our <a href="https://1password.community/categories/desktop-betas">beta support forum</a> to discuss your experiences and help us gear up for an amazing launch. 🤘</p> <p>Alrighty, that’s it for me today. It’s time to go on a walk and enjoy this beautiful time of year. And I best check on my garlic that I planted before winter; it should be starting to sprout any day now. 🤞</p> <p>Take care and stay safe out there. 
🤗</p> <p>++dave;</p> <section class="c-call-to-action-box"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Dave&#39;s Newsletter</h3> <p class="c-call-to-action-box__text"> I wrote this letter for my newsletter subscribers and am sharing it here in case you missed it. Sign up and I'll send these directly to your inbox about once a month. 🤗 </p> <a href="https://1password.com/newsletter/" class="c-call-to-action-box__link-href" data-event-category="CTA" data-event-action="call-to-action-button"> Sign up to my newsletter </a> </div> </section> <p>P.S. I send these newsletters when I find time to write them. I can be pokey at times but thankfully the team is more efficient than I am. Want to stay more in the know about upcoming events, announcements and research opportunities? <a href="http://start.1password.com/profile/email-subscriptions">Update your email preferences</a>.</p></description></item><item><title>What incognito and private browsing modes do and don't do</title><link>https://blog.1password.com/what-incognito-private-browsing-mode-does/</link><pubDate>Tue, 22 Mar 2022 00:00:00 +0000</pubDate><author>info@1password.com (Nick Summers)</author><guid>https://blog.1password.com/what-incognito-private-browsing-mode-does/</guid><description> <img src='https://blog.1password.com/posts/2022/what-incognito-private-browsing-mode-does/header.png' class='webfeedsFeaturedVisual' alt='What incognito and private browsing modes do and don't do' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">There are countless reasons why you might want to keep the websites you’re visiting a secret. 
For example, you could be planning a surprise vacation for your best friend, seeking out information that&rsquo;s meant to be banned in your country, or simply trying to minimize what advertisers know about you.</p> <p>In these situations, many people turn on their web browser&rsquo;s built-in <a href="https://support.mozilla.org/en-US/kb/private-browsing-use-firefox-without-history">private browsing</a> or <a href="https://support.google.com/chrome/answer/7440301?hl=en&amp;co=GENIE.Platform%3DAndroid">incognito mode</a>. Why? Because the names of these features suggest they&rsquo;ll turn you into a temporary ghost that can&rsquo;t be tracked by any person, employer, advertiser, or government.</p> <p>But they don&rsquo;t work like that.</p> <p>Private browsing and incognito modes can be useful, but they don&rsquo;t hide your activity from everyone. If you want to take back control of your privacy, it&rsquo;s important to know what these modes conceal, and who they conceal it from. Once you know their limitations, you can turn them on at a time that makes the most sense for you, and take other precautions to increase your privacy when necessary.</p> <h2 id="what-private-browsing-and-incognito-modes-do">What private browsing and incognito modes do</h2> <p>Every browser is different, but incognito and private browsing is usually split into standalone sessions. When you open a private browsing window – via your browser’s toolbar, entering a keyboard shortcut, or selecting the correct option under &lsquo;File’ – the session begins. 
The session continues if you open additional windows, and only ends once they’re all closed.</p> <p>At the end of the session, most browsers including Chrome, Edge, and Safari will delete the following data from your device:</p> <ul> <li>Your browsing history</li> <li>Cookies and site data</li> <li>Information you&rsquo;ve typed into forms</li> </ul> <p>Now that we&rsquo;ve covered the basics, we can untangle when private browsing and incognito modes can be useful, and why they don&rsquo;t grant you perfect anonymity.</p> <h2 id="when-private-browsing-and-incognito-modes-might-be-useful">When private browsing and incognito modes might be useful</h2> <p>There are a few reasons why you might want to use a private browsing or incognito mode. The first is to hide a portion of your browsing history from other people who use the same device.</p> <p>For example, let&rsquo;s say you have a family computer, and you want to throw a surprise birthday party for one of your children. To make it extra special, you want to order a huge cake and some colorful decorations for your home. That means doing a bit of secret internet shopping.</p> <p>Here&rsquo;s the problem: all the sites you visit will be recorded in your browsing history. They could then pop up as autocomplete suggestions the next time your child uses the family computer. But, if you turn on your browser’s incognito or private browsing mode, your sneaky shopping will be erased at the end of the session, making it easier to keep your little one’s party a secret.</p> <p>Another reason to use private browsing and incognito modes is for quick account switching. By default, most privacy modes will log you out of sites like YouTube, Reddit, and eBay. That can be beneficial if you have multiple accounts for some of these platforms.</p> <p>For example, let&rsquo;s say you&rsquo;ve signed into Reddit with your &lsquo;main&rsquo; account in a &lsquo;normal&rsquo; browser window. 
Instead of logging out, you could open a private browsing window and immediately sign in with one of your alternate accounts. At the end of the session you wouldn’t have to sign out and log back into your &lsquo;main&rsquo; account – you can simply switch back to the &lsquo;normal&rsquo; browser window.</p> <aside class="c-technical-aside-box c-technical-aside-box--background" aria-labelledby="how-to-turn-on-private-browsing-or-incognito-mode"> <h2 class="c-technical-aside-box__title" id="how-to-turn-on-private-browsing-or-incognito-mode"> How to turn on private browsing or incognito mode </h2> <div class="c-technical-aside-box__description"> <p>Not sure how to open a new incognito window in your favorite browser? Here are some guides to help you get started.</p> <ul> <li><a href="https://support.google.com/chrome/answer/95464?hl=en-GB&amp;co=GENIE.Platform%3DDesktop">Google Chrome</a></li> <li><a href="https://support.microsoft.com/en-us/microsoft-edge/browse-inprivate-in-microsoft-edge-cd2c9a48-0bc4-b98e-5e46-ac40c84e27e2">Microsoft Edge</a></li> <li><a href="https://support.apple.com/en-gb/guide/safari/ibrw1069/mac">Safari</a></li> <li><a href="https://support.mozilla.org/en-US/kb/private-browsing-use-firefox-without-history">Mozilla Firefox</a></li> <li><a href="https://support.brave.com/hc/en-us/articles/360017840332-What-is-a-Private-Window-">Brave</a></li> </ul> </div> </aside> <h2 id="what-private-browsing-and-incognito-modes-dont-do">What private browsing and incognito modes don&rsquo;t do</h2> <p>It&rsquo;s important to remember that private browsing and incognito modes only delete data from your device. 
That means they don’t:</p> <ul> <li> <p><strong>Hide your IP address.</strong> So a website might still know your general location.</p> </li> <li> <p><strong>Change the requests or data packets that you&rsquo;re sending out via your internet service provider (ISP).</strong> That means your ISP could monitor your browsing habits, regardless of whether you&rsquo;re using a private browsing window.</p> </li> <li> <p><strong>Guarantee that your browsing history will be hidden from whoever runs your school or office network.</strong> There&rsquo;s a good chance they can still find out what you were looking at during a private browsing session.</p> </li> <li> <p><strong>Delete any files you downloaded during the private browsing session.</strong> You&rsquo;ll need to handle that yourself.</p> </li> <li> <p><strong>Remove any bookmarks you made during the session.</strong> Again, it&rsquo;s on you to remove those.</p> </li> <li> <p><strong>Affect any data you share while you&rsquo;re logged into services.</strong> If you log into YouTube while you&rsquo;re in a private browsing or incognito mode, for example, the platform will remember everything you watched and searched for.</p> </li> <li> <p><strong>Delete any data that wasn&rsquo;t part of your private browsing session.</strong> That means it won&rsquo;t go back and delete all of your browsing history from previous sessions that didn&rsquo;t use a private browsing or incognito mode.</p> </li> <li> <p><strong>Make it easier to find cheap flights and hotels.</strong> Online prices change all the time, and <a href="https://www.businessinsider.com/incognito-mode-wont-get-you-cheaper-airfare-2017-2?r=US&amp;IR=T">they’re not affected by whether you&rsquo;re using a private browsing or incognito mode</a>.</p> </li> </ul> <h2 id="other-considerations-while-using-private-browsing-and-incognito-modes">Other considerations while using private browsing and incognito modes</h2> <p>It might sound obvious, but it&rsquo;s important 
to remember that private browsing and incognito modes don&rsquo;t physically change or obfuscate what&rsquo;s on your screen. So if you&rsquo;re sitting in a busy coffee shop, the person next to you will still be able to see the sites you&rsquo;re visiting. Similarly, private browsing and incognito modes won&rsquo;t save you from a nosy team member who loves to look over your shoulder in the office.</p> <p>Private browsing and incognito modes aren&rsquo;t a perfect defense against cybercriminals, either. For example, if an attacker found a way to install malware on your device, or some nefarious code that records all of your keystrokes, they could still track what sites you were visiting during private browsing sessions.</p> <h2 id="use-the-right-privacy-tools-at-the-right-time">Use the right privacy tools at the right time</h2> <p>If you want to truly <a href="https://blog.1password.com/how-reclaim-your-online-privacy/">reclaim your privacy online</a>, you&rsquo;ll need to consider some extra steps. For example, <a href="https://blog.1password.com/how-a-vpn-works/">a virtual private network (VPN)</a> can protect your internet traffic and help you access geo-restricted content. There&rsquo;s also <a href="https://www.torproject.org/">The Onion Router (Tor)</a>, an open-source project that conceals your identity by routing your online activity through a series of &ldquo;relays&rdquo; and &ldquo;nodes.&rdquo;</p> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div class="c-technical-aside-box__description"> <p>Want to keep your home&rsquo;s Wi-Fi network secure? <a href="https://blog.1password.com/secure-home-wifi-network/">Read our guide</a>!</p> </div> </aside> <p>There&rsquo;s also <a href="https://blog.1password.com/how-reclaim-your-online-privacy/">a number of smaller changes you can make to reduce your digital footprint</a>. 
These include switching to a privacy-focused browser, <a href="https://1password.com/fastmail/">email provider</a>, or search engine, as well as reviewing the permissions you’ve given to apps on your phone.</p> <p>Does that mean private browsing and incognito modes are useless? Not at all. They&rsquo;re convenient and effective when you want to protect your internet history from other people who use the same device. Just don&rsquo;t fall into the trap of thinking these modes are an all-powerful invisibility cloak, capable of protecting your online activity from anyone and everyone.</p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Read our beginner&#39;s guide to cybersecurity</h3> <p class="c-call-to-action-box__text"> Want to stay safe online? Read our beginner’s guide to cybersecurity, which covers passwords, software, hardware, connectivity, and more! </p> <a href="https://1password.com/resources/beginners-guide-to-cybersecurity/" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Read the guide </a> </div> </section></description></item><item><title>1Password 8.6 for Windows</title><link>https://blog.1password.com/1password-8.6-windows/</link><pubDate>Thu, 17 Mar 2022 00:00:00 +0000</pubDate><author>info@1password.com (Dave Teare)</author><guid>https://blog.1password.com/1password-8.6-windows/</guid><description> <img src='https://blog.1password.com/posts/2022/1password-8.6-windows/header.png' class='webfeedsFeaturedVisual' alt='1Password 8.6 for Windows' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">When we released <a href="https://blog.1password.com/1password-8-for-windows-is-here/">1Password 8 for Windows</a>, it marked the start of the next chapter for 1Password. 
And though Santa may have come and gone in the weeks since, we’ve still got a bag full of shiny new toys for our Windows customers.</p> <p>Earlier this week, we released 1Password 8.6 for Windows and Linux and a <a href="https://1password.com/downloads/mac/#beta-downloads">new beta for Mac</a>. And while the <a href="https://blog.1password.com/1password-ssh-agent/">new SSH agent</a> and <a href="https://blog.1password.com/1password-cli-2_0/">1Password CLI 2.0</a> rightfully stole the show, there are so many other goodies I wanted to highlight since <a href="https://1password.com/products/">1Password 8</a> for Windows launched in November.</p> <p>It’s only been four months since that release but 213 improvements have shipped since. 🤯 Let&rsquo;s review the highlights. 😍</p> <h2 id="beautiful-er-sidebar">Beautiful-er sidebar</h2> <p>Let&rsquo;s start with the sidebar as it contains some of the most visible changes. One of our biggest requested features was to bring Categories back to the sidebar and that is once again possible. 😍</p> <img src="https://blog.1password.com/posts/2022/1password-8.6-windows/categories-in-sidebar.png" alt="1Password with Categories included in the sidebar" title="1Password with Categories included in the sidebar" class="c-featured-image"/> <p>You can bring Categories back to your sidebar from within the new Appearance settings. And while we were there we added the ability to hide tags, too. 
Speaking of, if you&rsquo;re a heavy tags user you&rsquo;ll appreciate the ability to delete your unused tags directly from your sidebar.</p> <p>You can also hide the sidebar entirely to create a more spacious experience for your items.</p> <img src="https://blog.1password.com/posts/2022/1password-8.6-windows/1password-hero-collapsed-sidebar.png" alt="1Password with the sidebar collapsed, leaving more room for your items" title="1Password with the sidebar collapsed, leaving more room for your items" class="c-featured-image"/> <p>You can restore the sidebar at any time to switch your focus, or keep it tucked away and drag your cursor to the left side of the window for quick access.</p> <h2 id="quick-er-quick-access">Quick-er Quick Access</h2> <p>New to 1Password 8, <a href="https://support.1password.com/quick-access/">Quick Access</a> is the fastest way to get to your 1Password items, no matter where you are or what you’re doing. Simply press Ctrl + Shift + Space anywhere on Windows to bring up <a href="https://1password.com/features/how-to-use-quick-access-in-1password-8/">Quick Access</a>, start typing, and find what you need instantly.</p> <p>November’s release also included Collections so you can group vaults together, showing only the vaults you need and hiding the ones you don’t.</p> <img src="https://blog.1password.com/posts/2022/1password-8.6-windows/quick-access.png" alt="1Password Quick Access for Windows" title="1Password Quick Access for Windows" class="c-featured-image"/> <p>Now you can access your Collections right from Quick Access, and it’ll remember your selected Collections even if you restart the app. You can also switch between up to nine Collections in a snap with Ctrl + 1 (to go to your first Collection) through Ctrl + 9 on single user accounts.</p> <p>Quick Access also got smarter and more helpful. 
It can now detect more running applications, and will take those into account when suggesting items that you may want to access.</p> <p>Finally, if an app is open and you access its associated item in 1Password, that app is now brought to the foreground so you can get to it quickly.</p> <h2 id="friendlier-windows-hello">Friendlier Windows Hello</h2> <p>1Password 8 used Windows Hello to enable passwordless unlocking. Now, if you have a supported <a href="https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-tpm">TPM 2.0-enabled PC</a>, Windows Hello can be enhanced to allow unlocking across app restarts and system reboots. 🙌</p> <img src="https://blog.1password.com/posts/2022/1password-8.6-windows/EnhancedWindowsHello.png" alt="1Password for Windows lock screen with Windows Hello integration" title="1Password for Windows lock screen with Windows Hello integration" class="c-featured-image"/> <h2 id="speedier-2fa-qr-codes">Speedier 2FA QR codes</h2> <p>1Password in the browser <a href="https://support.1password.com/one-time-passwords/">makes it easy to set up 2FA</a> by scanning the QR code that sites provide during setup. It will even fill the 2FA verification code automatically.</p> <p>The next time you log in to that site, 1Password will <a href="https://1password.com/features/autofill/">autofill</a> the time-based one-time password (TOTP), adding an extra layer of security to your usual username and password combo.</p> <p>Now you can also add a QR code from 1Password for Windows. As you’re editing an item in 1Password, select the inline icon to scan the QR code, save, and you’re done! 
Easy peasy.</p> <img src='https://blog.1password.com/posts/2022/1password-8.6-windows/QRcode.png' alt='1Password item editing view with inline QR code scanning option' title='1Password item editing view with inline QR code scanning option' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>You can also add <a href="https://1password.com/features/two-factor-authentication/">two-factor authentication</a> secrets directly from their Watchtower banner notifications.😏</p> <h2 id="businessier-business">Businessier Business</h2> <p>We also added support for corporate TLS interception so 1Password works seamlessly in a broader variety of network configurations. This was the top request from our business customers and I’m so happy we support this now.</p> <p>We&rsquo;ve been busy refining and polishing and while I can’t list all 213 improvements here you&rsquo;re welcome to view the full changelogs on <a href="https://releases.1password.com/windows/">releases.1password.com</a>.</p> <p>You should be prompted to update to 1Password 8.6 automatically – but if you’re as excited (and impatient) about these things as I am, you can also select “Check for updates” from the menu to start the update.</p> <p>Speaking of impatience, if you’d like to be among the first to get your hands on the shiny new features that we’re working on right now, head over to our forum to <a href="https://1password.community/discussion/121163/1password-8-for-windows-early-access">join the beta</a>. This release wouldn&rsquo;t be possible without such an amazing beta family. 🥰</p> <p>Now, I’ve gotta get back to work on the next batch. Onward! 
🖖🏻</p></description></item><item><title>Responding to the conflict in Ukraine</title><link>https://blog.1password.com/responding-to-the-conflict-in-ukraine/</link><pubDate>Tue, 15 Mar 2022 00:00:00 +0000</pubDate><author>info@1password.com (Jeff Shiner)</author><guid>https://blog.1password.com/responding-to-the-conflict-in-ukraine/</guid><description> <img src='https://blog.1password.com/posts/2022/responding-to-the-conflict-in-ukraine/header.png' class='webfeedsFeaturedVisual' alt='Responding to the conflict in Ukraine' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">We are halting new account creation in Russia, along with renewal payments for existing customers in the region.</p> <ul> <li>Effective immediately, we are halting the creation of new 1Password accounts and renewal payments from sanctioned regions.</li> <li>Affected accounts will become read-only at the end of their current billing period. Customers can continue to view and export everything in their account, but can no longer add or edit items.</li> <li>Customers outside of sanctioned regions remain unaffected.</li> </ul> <p>1Password has customers all over the world, and we’re proud that our product is being used internationally to keep people safe online. 
However, given the current events, we’re taking action to comply with international sanctions and to further our support of Ukraine.</p> <p><a href="https://blog.1password.com/we-stand-with-ukraine/">Earlier this month</a>, we showed our support in a few different ways: pledging to match employee donations up to $50,000 USD, and standing with other Canadian business leaders in a letter to the Prime Minister in support of Ukraine.</p> <h2 id="steps-were-taking">Steps we&rsquo;re taking</h2> <p>We are halting new account creation in Russia, along with renewal payments for existing customers in the region.</p> <p>As a result of the ongoing sanctions, many payment providers – including ours – have stopped processing payments with a billing address in Russia. We’ve considered alternative payment methods but have ultimately decided against supporting them. In the end, we feel that taking these steps is the right thing to do.</p> <p>If you’re an existing customer in Russia, you can continue to use 1Password normally until the end of your current billing period, at which point your account will enter a read-only state. 1Password is designed in such a way that your data remains available to you even without an internet connection or active paid account, so even in this read-only state, you can still view and export everything in your account.</p> <p>This situation is evolving quickly. We’re doing our best to monitor it and adjust our response in accordance with international law and our own principles.</p> <p>We’re committed to supporting our customers no matter where they’re located. 
Please reach out to <a href="mailto:support@1password.com">support@1password.com</a> if you have further questions.</p> <p>We stand with peace.</p></description></item><item><title>SSH and Git, meet 1Password 🥰</title><link>https://blog.1password.com/1password-ssh-agent/</link><pubDate>Tue, 15 Mar 2022 00:00:00 +0000</pubDate><author>info@1password.com (Dave Teare)</author><guid>https://blog.1password.com/1password-ssh-agent/</guid><description> <img src='https://blog.1password.com/posts/2022/1password-ssh-agent/header.png' class='webfeedsFeaturedVisual' alt='SSH and Git, meet 1Password 🥰' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">1Password now includes full support for SSH keys, providing the easiest and most secure way for developers to manage SSH keys and use Git in their daily workflow.</p> <p>The magic of 1Password has always been making the secure thing to do the easy thing to do. Today I’m thrilled to announce that we’re bringing this magic to development teams everywhere with the all-new 1Password SSH Agent. 🦄</p> <p>In today&rsquo;s release 1Password can now create new SSH keys, keep them organized, and make them securely available everywhere you need them with just a few clicks. Best of all, each feature was built for developers, by developers, so they fit perfectly in your existing workflows.</p> <p>Our private beta hit #1 on Hacker News last month so it seems we’re not the only ones that had this itch. 😍</p> <div style="text-align: center !important;"> <iframe src="https://www.youtube-nocookie.com/embed/5EyrtO0Msgw" frameborder="0" allow="autoplay; encrypted-media" width="500px !important;" height="281px !important;" style="width: 500px !important; height: 281px !important; display: inline-block !important" allowfullscreen></iframe> </div> <h2 id="using-ssh-keys-is-now-as-easy-as-1-2-3">Using SSH keys is now as easy as 1, 2, 3&hellip;</h2> <p>Many toolchains and workflows rely on SSH keys. 
Everything from <code>git</code> to <code>scp</code> to logging into remote servers requires properly configured SSH keys before you can get your work done.</p> <p>It goes well beyond <code>ssh-keygen</code>, too. You need to protect the generated key, keep it backed up, and have it available when setting up new machines. Oh, and don’t forget to tell <code>ssh-add</code> to remember the passphrase in the keychain on your new machine. I think it’s <code>-K</code>.</p> <p>1Password now takes care of all of this for you. Just follow these 3 steps:</p> <ol> <li> <p>Enable the SSH agent in 1Password &gt; Preferences &gt; Developer</p> <img src='https://blog.1password.com/posts/2022/1password-ssh-agent/1PasswordSSHAgentcheckbox.png' alt='1Password SSH Agent preferences checkbox' title='1Password SSH Agent preferences checkbox' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> </li> <li> <p>Configure ssh to use 1Password</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell">$ cat ~/.ssh/config
Host *
  IdentityAgent <span class="s2">&#34;~/.1password/agent.sock&#34;</span>
</code></pre></div></li> <li> <p>Generate an SSH key in 1Password and add the public key to each service (e.g. GitHub, GitLab, etc.).</p> </li> </ol> <p>That’s it! And yes – I know that third step sounds like <a href="https://www.reddit.com/r/funny/comments/eccj2/how_to_draw_an_owl/">draw the rest of the f**king owl</a>, but it’s truly just a couple of clicks.</p> <p>Let’s see just how easy it is by setting up a new <code>git</code> project.</p> <h2 id="authorize-git-with-ease">Authorize Git with ease</h2> <p>Joining a new project can be daunting. There are new people, new workflows, and a whole new codebase to learn. 
This is challenging enough, so the last thing you want to do is spend a day wrestling with SSH keys.</p> <p>Thankfully, the magic of 1Password allows everyone on your team to get up to speed lightning quick. ⚡️ Two clicks and you’re done.</p> <p>Seriously, in under a minute you can create a brand new SSH key <em>and</em> an entirely new repo. 🤯</p> <div style="text-align: center !important;"> <iframe src="https://www.youtube-nocookie.com/embed/hTwIsFKfjIs" frameborder="0" allow="autoplay; encrypted-media" width="500px !important;" height="281px !important;" style="width: 500px !important; height: 281px !important; display: inline-block !important" allowfullscreen></iframe> </div> <p>Here we see 1Password making it a snap to log in to GitHub like it always has, and then proceed to:</p> <ul> <li>Generate a new SSH key (either Ed25519 or RSA)</li> <li>Fill the public key directly where it’s needed</li> <li>Store the key securely, and</li> <li>Authorize access using Touch ID when <code>git</code> asks to sign a message</li> </ul> <p>All that in 53 seconds. And I paused twice so I could zoom in and show you the details. 🙂</p> <h2 id="more-secure-than-ssh-agent">More secure than <code>ssh-agent</code></h2> <p>The default <code>ssh-agent</code> allows any process on your system to sign messages with your private key. With the 1Password SSH Agent you authorize access explicitly, making things more secure and putting you in control.</p> <p>Most days start with <code>git pull</code> so let’s see how things will look while you’re enjoying your morning ☕️ or your Monster Energy Lo-Carb. 😈</p> <p>When Git goes to pull from upstream, it will need access to your SSH key before it can connect to the server. 
1Password will ask if you want to proceed and you can confirm with a fingerprint on Mac and Linux or with a smile on Windows.</p> <img src="https://blog.1password.com/posts/2022/1password-ssh-agent/1PasswordCLITouchID.png" alt="1Password CLI Touch ID authorization" title="1Password CLI Touch ID authorization" class="c-featured-image"/> <p>Once a process is authorized to use an SSH key, 1Password will sign messages using the key on behalf of the process. Only processes that you’ve explicitly authorized will have access, and the private portion of the key never leaves 1Password.</p> <h2 id="safe-and-sound-all-within-1password">Safe and sound, all within 1Password</h2> <p>Add your existing (modern) keys to 1Password or create new ones to replace your legacy ones, and easily find and organize them with the new dedicated category for SSH keys.</p> <p>And since they’re all in 1Password, your SSH keys will always be available on all of your devices.</p> <img src="https://blog.1password.com/posts/2022/1password-ssh-agent/1PasswordSSHkeyitem.png" alt="SSH key item in 1Password" title="SSH key item in 1Password" class="c-featured-image"/> <img src="https://blog.1password.com/posts/2022/1password-ssh-agent/CreateandfillSSHkey.png" alt="Create and fill SSH key popup on GitHub using 1Password in your browser" title="Create and fill SSH key popup on GitHub using 1Password in your browser" class="c-featured-image"/> <h2 id="available-today-in-1password-8">Available today in 1Password 8</h2> <p>All of this and more is available today in <a href="https://1password.com/products/">1Password 8</a>.</p> <ul> <li><a href="https://1password.com/downloads/windows">Download 1Password 8 for Windows</a></li> <li><a href="https://1password.com/downloads/mac/#beta-downloads">Download 1Password 8 for Mac (beta)</a></li> <li><a href="https://1password.com/downloads/linux">Download 1Password 8 for Linux</a></li> </ul> <p>See the <a 
href="https://developer.1password.com/docs/ssh/">1Password for SSH &amp; Git</a> docs for more details, and please join us in our <a href="https://1password.community/categories/ssh">SSH forum</a> or poke me <a href="https://twitter.com/dteare">on Twitter</a> to share your experiences.</p> <p>Also be sure to stop by our <a href="https://www.reddit.com/r/1Password/comments/te7217/were_the_team_behind_1password_developer_tools/">AMA</a> on Thursday to meet the team behind these features. You’re also welcome to <a href="https://1password.com/webinars">join the devs for some command line and SSH demos</a> on March 30th.</p> <h2 id="free-for-oss-teams">Free for OSS teams</h2> <p>1Password would not be possible without the incredible work of the open source software community. From Rust and Golang to React and Neon – and many more – we’re thankful for these free software projects and are committed to giving back.</p> <p>In that spirit and as our way of saying thanks, open source teams can get a free 1Password account simply by opening a pull request against the <a href="https://github.com/1Password/1password-teams-open-source">1Password for Open Source Projects</a> repo. These accounts also include <a href="https://1password.com/product/secrets/">unlimited use of Secrets Automation</a>. To date, more than 360 open source projects are using 1Password.</p> <h2 id="oh-and-one-more-thing">Oh, and one more thing…</h2> <p>SSH keys aren&rsquo;t the only secrets developers need for getting their work done. Developers need deployment keys, access tokens, bearer tokens, and many other secrets or they&rsquo;re stuck. And these secrets are literally keys to various kingdoms so they need to be kept secure.</p> <p>So what do you do? Sacrifice security and store them in plain text RC files? 😱 Abandon productivity and manually copy and paste them? 😩 Leave it for devops to worry about? 🤨</p> <p>Not at all. 
Instead, integrate 1Password directly into your scripts and commands using <code>op</code>, a new CLI tool that makes accessing secrets from the command line as easy as it is in your browser.</p> <p>See <a href="https://blog.1password.com/1password-cli-2_0/">Your CLI wish is our command</a> for details and join the thousands of developers and IT admins who are using 1Password CLI to script their workflows with secrets from 1Password.</p> <p>Take care and stay safe out there. ❤️</p> <img src="https://blog.1password.com/posts/2022/1password-ssh-agent/1PasswordSSHkeyauthorization.png" alt="Popup window to authorize SSH key use in 1Password using an Apple Watch" title="Popup window to authorize SSH key use in 1Password using an Apple Watch" class="c-featured-image"/></description></item><item><title>Your CLI wish is our command 🪄💫</title><link>https://blog.1password.com/1password-cli-2_0/</link><pubDate>Tue, 15 Mar 2022 00:00:00 +0000</pubDate><author>info@1password.com (Dave Teare)</author><guid>https://blog.1password.com/1password-cli-2_0/</guid><description> <img src='https://blog.1password.com/posts/2022/1password-cli-2.0/header.png' class='webfeedsFeaturedVisual' alt='Your CLI wish is our command 🪄💫' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Our new <a href="https://1password.com/downloads/command-line/">command-line tool</a> makes authorizing with services and securing your development toolchains easier than ever.</p> <p>The magic of 1Password has always been making the secure thing to do the easy thing to do. Today I’m thrilled to announce that we’re bringing this magic to development teams everywhere with our new <a href="https://blog.1password.com/1password-ssh-agent/">1Password ssh agent</a> and <code>op</code> command-line tool. 
🦄</p> <p>Use <code>op</code> to level up your shell by seamlessly providing secrets to all the services and accounts you use in your workflow.</p> <p>Here we see <code>op</code> in action as we attempt to list our S3 buckets on AWS.</p> <img src="https://blog.1password.com/posts/2022/1password-cli-2.0/1PasswordCLITouchIDauthorization.png" alt="Popup window authorizing terminal access to 1Password" title="Popup window authorizing terminal access to 1Password" class="c-featured-image"/> <p>Did you see the magic? You need to look close as it’s easy to miss. 🕵🏻</p> <p>You can catch a glimpse behind the curtain in the window title as <code>aws</code> is not being run directly. It has been aliased.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell">$ <span class="nb">alias</span> <span class="nv">aws</span><span class="o">=</span><span class="s2">&#34;op run --env-file=</span><span class="nv">$HOME</span><span class="s2">/.config/op/aws-env -- aws&#34;</span> </code></pre></div><p>Now when <code>aws</code> executes it does so from within an <code>op run</code> context.</p> <p>When it’s time to locate the access secrets <code>aws</code> does what it always does, but there is no (plain text) <code>~/.aws/credentials</code> RC file for it to use. 
It does, however, find some magical <code>$AWS_ACCESS_KEY_ID</code> and <code>$AWS_SECRET_ACCESS_KEY</code> <del>beans</del> environment variables.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell">$ cat <span class="nv">$HOME</span>/.config/op/aws-env
<span class="nv">AWS_ACCESS_KEY_ID</span><span class="o">=</span>op://development/aws/access_key_id
<span class="nv">AWS_SECRET_ACCESS_KEY</span><span class="o">=</span>op://development/aws/secret_access_key
</code></pre></div><p>These variables use the <a href="https://developer.1password.com/docs/cli/secrets-reference-syntax/">secret reference syntax</a> to specify that their values need to be loaded from 1Password. Inside the <code>Development</code> vault, within the <code>AWS</code> item, we see the fields <code>access_key_id</code> and <code>secret_access_key</code> have the secrets we’re looking for.</p> <img src="https://blog.1password.com/posts/2022/1password-cli-2.0/1PasswordAWSitem.png" alt="1Password item for Amazon Web Services" title="1Password item for Amazon Web Services" class="c-featured-image"/> <p>Behind the scenes 1Password finds this item and confirms that your shell program is authorized before giving the secrets to <code>op</code>, which in turn configures the ideal environment for <code>aws</code> to run within.</p> <p>Even after knowing how the magic works my mind is still blown about how cool this is. 🤯</p> <p>Let’s see what else we can do with this sorcery.</p> <h2 id="automatic-one-time-passwords">Automatic one-time passwords</h2> <p>Many systems tried to overcome the inherent insecurity of plain text RC files by requiring you to enter a one-time password. While this improved security, it hurt productivity.</p> <p>Thankfully <code>op</code> gives you access to everything you need during development or when publishing new releases, including TOTP codes. 
Let’s see how this looks for publishing an NPM package.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell">$ cat ~/.npmrc
//registry.npmjs.org/:_authToken<span class="o">=</span><span class="nv">$NPM_AUTH_TOKEN</span>
$ cat ~/.config/op/npm-env
<span class="nv">NPM_AUTH_TOKEN</span><span class="o">=</span>npm_FDQkqhf78jAcledwxxxxxxxxxxxxxx3vXdSH
$ <span class="nb">alias</span> <span class="nv">npm</span><span class="o">=</span><span class="s2">&#34;op run --env-file=</span><span class="nv">$HOME</span><span class="s2">/.config/op/npm-env -- npm&#34;</span>
$ npm publish --otp <span class="k">$(</span>op item get npmjs --otp<span class="k">)</span>
</code></pre></div><p>1Password will ask you to confirm access before proceeding. And if you have an Apple Watch you’re able to publish to NPM or anywhere else directly from your wrist! 😎</p> <img src="https://blog.1password.com/posts/2022/1password-cli-2.0/1PasswordCLIAppleWatchauthorization.png" alt="Popup window authorizing 1Password CLI with Apple Watch" title="Popup window authorizing 1Password CLI with Apple Watch" class="c-featured-image"/> <h2 id="an-op-ide">An OP IDE</h2> <p>IDEs are so powerful these days and with extensions you can do practically anything without switching apps. Manage your CI/CD pipelines and Docker containers, send Slack messages, browse Elasticsearch logs, or run deployment commands using the integrated Terminal.</p> <p>All of these need secrets to connect you before you can get your job done. With <code>op</code> you can overpower your development environment and unlock an endless world of possibilities.</p> <p>Here I am publishing my website, directly from within VSCode. 
😍</p> <img src="https://blog.1password.com/posts/2022/1password-cli-2.0/1PasswordVSCodeauthorization.png" alt="Popup window authorizing 1Password access in VSCode" title="Popup window authorizing 1Password access in VSCode" class="c-featured-image"/> <p>And that&rsquo;s just the tip of the iceberg. Check out Jody&rsquo;s <a href="https://www.youtube.com/watch?v=hghKTE_pUaQ">VSCode + 1Password extension demo</a> for some truly exceptional wizardry. 🧙🏼</p> <h2 id="co-op-mode">Co-op mode</h2> <p>With <code>op</code> you can grab credentials from any vault you have access to. This is magical for personal projects and becomes legendary in team environments.</p> <p>Secret references can be committed to source control without worrying about leaking secret information, enabling everyone to share environment configuration files.</p> <p>Go even further by creating a vault for shared secrets and granting access to your entire team. They’ll automatically receive this vault during onboarding and won’t need to worry about where to find secrets or how to store them securely. This greatly simplifies setup and ensures developers get up to speed quickly.</p> <p>You can also easily revoke access when someone moves on to another project. Even better, everyone else will automatically get the new credentials after you rotate them, without any interruptions. 
🥰</p> <h2 id="unleashed-in-1password-8">Unleashed in 1Password 8</h2> <p>All of this and more is available today in <a href="https://1password.com/products/">1Password 8</a>.</p> <ul> <li><a href="https://developer.1password.com/docs/cli/get-started/">Install the 1Password CLI</a></li> <li><a href="https://1password.com/downloads">Install 1Password 8</a></li> </ul> <p>And be sure to check out our <a href="https://blog.1password.com/1password-ssh-agent/">SSH &amp; Git, meet 1Password 😎</a> companion post that brings the same simplicity to SSH keys and Git setup as <code>op</code> does to the command-line.</p> <p>We hope you enjoy using these new tools as much as we enjoyed creating them for you. Please let us know in the <a href="https://1password.community/categories/cli">CLI forum</a> or reach out to me directly <a href="https://twitter.com/dteare">on Twitter</a>.</p> <p>Also be sure to stop by our <a href="https://www.reddit.com/r/1Password/comments/te7217/were_the_team_behind_1password_developer_tools/">AMA</a> on Thursday to meet the team behind these features. Moreover you’re welcome to <a href="https://1password.com/webinars">join our devs for some command-line demos and 1Password ssh agent usage</a> on March 30th.</p> <h2 id="free-for-oss-teams">Free for OSS teams</h2> <p>1Password would not be possible without the incredible work of the open source software community. From Rust and Golang to React and Neon – and many more – we’re thankful for these free software projects and are committed to giving back.</p> <p>In that spirit and as our way of saying thanks, open source teams can get a free 1Password account simply by opening a pull request against our <a href="https://github.com/1Password/1password-teams-open-source">1Password for Open Source Projects</a> repo. These accounts also include <a href="https://1password.com/product/secrets/">unlimited use of Secrets Automation</a>. 
To date, more than 360 open source projects are using 1Password.</p> <h2 id="share-your-creations-and-win-">Share your creations and win! 🙌</h2> <p>We can’t wait to see what you create with <code>op</code>. The integration possibilities are endless and since <code>op</code> is a full-powered CLI, you’re able to go well beyond secret retrieval:</p> <ol> <li>Invite and confirm new users 💌</li> <li>Integrate with your identity provider using <a href="https://support.1password.com/scim/">SCIM Bridge</a> 🌉</li> <li>Deploy secrets to production environments with <a href="https://1password.com/product/secrets/">Secrets Automation</a> 🔐</li> <li>Share items with your team or externally with <a href="https://developer.1password.com/docs/cli/reference/management-commands/item/">secure share links</a> 🤗</li> <li>Create, read, update, and delete items, vaults, or documents 🌈</li> </ol> <p>Imagining these features linked together alongside some <a href="https://blog.1password.com/1password-ssh-agent/">1Password ssh agent</a> magic and other tools has me giddy with anticipation. It’s like Game of Thrones Season 4 all over again. 🙂</p> <p>Please share your creations with us using <a href="https://twitter.com/hashtag/BuildWith1Password">#BuildWith1Password</a> and win some great prizes! We have an upcoming post dedicated to the contest and anything you create and share now will qualify.</p> <p>Oh, and if you have fun creating things and enjoy what we’re building here, be sure to say hi as <a href="https://1password.com/jobs/">we’re hiring</a>. 👋</p> <p>Take care and stay safe out there. 
❤️</p></description></item><item><title>How to manage your company's IT security without stressing out</title><link>https://blog.1password.com/managing-company-security-without-stress/</link><pubDate>Mon, 14 Mar 2022 00:00:00 +0000</pubDate><author>info@1password.com (Nick Summers)</author><guid>https://blog.1password.com/managing-company-security-without-stress/</guid><description> <img src="https://blog.1password.com/posts/2022/managing-company-security-without-stressing-out/header.jpg" class="webfeedsFeaturedVisual" alt="How to manage your company&rsquo;s IT security without stressing out" style="max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;" /> <p class="introduction">Responsible for keeping your business secure? We know it can feel like a daunting task. After all, the average business has multiple employees using different devices with varying amounts of technological expertise. A single team member might use just one app to stay productive, while another may use 1,000. And they could work in a company-owned location, like an office, or hundreds of places around the world, including their own home.</p> <p>That&rsquo;s a <em>lot</em> to consider.</p> <p>If cybersecurity is leaving you tired, anxious or overwhelmed, you&rsquo;re not alone. In our <a href="https://blog.1password.com/state-of-access-report-burnout-breach/">first State of Access Report</a>, 84% of security professionals said they were currently feeling burned out.</p> <p>The truth is there&rsquo;s no quick fix that will make cybersecurity an easy or endlessly relaxing problem. If you start cutting corners, the likelihood of a breach will only increase. <strong>But</strong> there are some basic principles that can help you manage your company&rsquo;s digital defenses, and encourage other team members to make smart, secure decisions on their own. 
Together, they should make security a slightly more manageable part of your day.</p> <h2 id="stop-and-take-stock">Stop and take stock</h2> <p>First, you need to make sure that you have a firm understanding of your business. Ask yourself some basic questions like:</p> <ul> <li>How many employees do we have?</li> <li>Is the company office-based, fully remote, or using a hybrid setup?</li> <li>What industry do we operate in?</li> <li>What countries or regions do we do business in?</li> </ul> <p>Once you&rsquo;ve answered these, consider your company&rsquo;s culture and values. What&rsquo;s your team like? What principles guide how you do business? For example, if your company is committed to being carbon-neutral, that should influence how you approach cybersecurity. If you choose a different strategy that doesn&rsquo;t mesh with any of your team&rsquo;s values, it&rsquo;s only going to be harder and more stressful to implement.</p> <p>Finally, figure out what needs protecting. Every business has different amounts and types of data. And that information can be stored in all kinds of places, including the cloud. It might sound obvious, but completing this kind of &lsquo;digital inventory&rsquo; will make it easier to focus your efforts and not feel like you&rsquo;re working in a pitch-black forest.</p> <h2 id="focus-on-health-and-wellness">Focus on health and wellness</h2> <p>If you&rsquo;re a security professional, it&rsquo;s all-too-easy to get caught up in tools and workflows. Getting these right <em>will</em> make a difference to everyone&rsquo;s mental health, but they&rsquo;re not the only factors. You should also focus on the basics of employee wellbeing, like ensuring that everyone has a realistic workload, the option to take some time off, and hours that promote a healthy work-life balance. (That includes you, by the way!)</p> <p>These might not feel like important security policies, but they are. 
If everyone you work with is happy, well rested, and comfortable with the deadlines they&rsquo;re working toward each day, they&rsquo;ll be more likely to follow your company&rsquo;s security policies. You and your team will also make better, more secure decisions throughout the day, and have a better chance of spotting suspicious activity, like <a href="https://blog.1password.com/what-is-phishing-and-how-can-you-protect-your-business/">phishing emails</a>.</p> <h2 id="craft-smart-security-policies">Craft smart security policies</h2> <p>Every company needs a robust set of rules to protect their customers and business-related data. It might be tempting – and in the short-term, less stressful – to stop thinking about whether they&rsquo;re fit for purpose, or whether people in your team are actually following them.</p> <p>But remember: you can&rsquo;t afford to cut corners. A thoughtful and up-to-date security handbook is critical to keep your company secure. Such a document could take a while to write, but you&rsquo;ll likely feel more organized afterwards. If it&rsquo;s extensive and well-maintained, it will also reduce the number of questions you get from team members, giving you more time to focus on other tasks.</p> <p>But how do you write policies that don&rsquo;t anger or stress people out? It&rsquo;s all about balance. You can&rsquo;t compromise on your company&rsquo;s security, but you <em>can</em> write rules and guidelines in a way that&rsquo;s easier for everyone to understand and comply with.</p> <blockquote> <p><em>Concise, security-conscious rules will boost understanding and compliance. That means less stress for everyone, including you.</em></p> </blockquote> <p>For example, let&rsquo;s say a team member needs to update your website. But before they can press publish, they have to go through 72 security checkboxes. 
Some people will go through them diligently, but the vast majority are likely to just tick every box, regardless of whether they&rsquo;ve met the criteria. Ask yourself: could the same security checks be covered with fewer boxes?</p> <p>Concise, security-conscious rules will boost understanding and compliance. That means less stress for everyone, including you and anyone else responsible for enforcing them.</p> <h2 id="onboarding">Onboarding</h2> <p>It&rsquo;s hard to change bad habits, so focus on helping new hires establish good ones. Onboarding <a href="https://blog.1password.com/rolling-out-1password-tips-for-onboarding-your-team/">is a pivotal moment</a> where you can deliver up-to-date training and explain your company&rsquo;s overall approach to cybersecurity. If you deliver this information correctly, employees will understand what&rsquo;s expected of them and make the effort to stay secure. Good habits will eventually become second nature, reducing your company&rsquo;s overall risk and giving you peace of mind.</p> <p>During your onboarding, you should explain:</p> <ul> <li>Your most important policies and why they&rsquo;re necessary</li> <li>Where to find your security handbook, which should answer common questions and be updated regularly</li> <li>Where and how to ask for help</li> <li>How to report suspicious activity</li> <li>Why your company doesn&rsquo;t punish people for coming forward and sharing the mistakes they&rsquo;ve made</li> </ul> <h2 id="build-a-culture-of-security">Build a culture of security</h2> <p>Your company already has a deep-rooted culture that you should be mindful of and build your processes around. But if you want to make your job a little more manageable, you should complement it with <a href="https://blog.1password.com/remote-companies-culture-of-security/">a culture of security</a>. Why? Because it&rsquo;s impossible to perfectly control and monitor your business for security threats. 
Even the most sophisticated security stack will leave you with some blind spots. But if you have the right culture in place, everyone will have the knowledge and desire to make smart, secure decisions while they&rsquo;re at work.</p> <p>To build this culture without stressing out, you should:</p> <ul> <li><strong>Start at the top.</strong> Ensure your leadership team is on board and setting the right example for the rest of the company. If they&rsquo;re ignoring your security policies or making bad decisions, there&rsquo;s a higher chance that everyone else will ignore or reject your efforts.</li> <li><strong>Offer regular training sessions.</strong> Host the same session at different times so that anyone, regardless of their working hours, can attend.</li> <li><strong>If you have an IT department, ensure they&rsquo;re approachable.</strong> People should feel comfortable coming forward and asking your IT department for help, or suggesting ideas that could make the company more secure.</li> <li><strong>Offer tools that make it easy for everyone to do the right thing.</strong> The right tools will empower employees to practice good security habits. For example, a password manager like 1Password allows everyone to protect all of their accounts with strong, unique credentials. Team members can create and update their passwords on their own, which will give them a greater sense of control, ownership, and responsibility.</li> </ul> <p>For more tips on building a culture of security, <a href="https://1password.com/resources/creating-a-culture-of-security/">check out our guide</a>.</p> <h2 id="visibility">Visibility</h2> <p>It&rsquo;s important to keep tabs on sensitive company accounts and data. Otherwise, a criminal might access them without you or any of your team members knowing. But monitoring everything can feel like a difficult and mentally taxing task. 
It&rsquo;s like someone has asked you to monitor every safe deposit box in a city…at the same time.</p> <p>The trick is to <strong>find tools that will work for you and your company.</strong> Ideally, they&rsquo;ll be easy to wrap your head around and, most importantly, allow you to monitor and protect assets effectively. For example, with 1Password Teams and <a href="https://1password.com/business/">1Password Business</a>, you can quickly check if any company email address has been affected by a known data breach. 1Password Business customers can also view an Activity Log to see what actions have been taken by team members.</p> <blockquote> <p><em>Embrace tools that align with your company’s existing culture and infrastructure.</em></p> </blockquote> <p>You should look for tools that let you perform this work without being overly invasive. You don&rsquo;t want to build a culture of surveillance at your company, <a href="https://blog.1password.com/why-security-scare-tactics-dont-work/">as this will stress everyone out and reduce their productivity</a>. Finally, embrace tools that align with your company&rsquo;s existing culture and infrastructure. For one, it will make them easier to implement and use. For another, it&rsquo;ll ensure they&rsquo;re better understood and accepted by the wider team. All of these factors will then help to make your company&rsquo;s cybersecurity a tad less stressful for everyone.</p> <h2 id="offboarding">Offboarding</h2> <p>The final piece to stress-free security is to focus on offboarding. Seriously! To keep your business secure, it’s important you monitor and control what everyone has access to. That includes current employees, but also the people who have recently handed in their notice. So think about your offboarding process. 
For example, you should have a checklist that you can work through to ensure that former employees can no longer access business accounts and data.</p> <p>A password manager like 1Password Teams or 1Password Business can simplify your offboarding. It&rsquo;s a secure and convenient way of both granting and revoking access to accounts. When someone decides to leave your company, you can simply shut down their 1Password account, and easily update the passwords they used to have access to. That way, even if the person memorized their passwords or wrote them down, they won’t be able to access anything.</p> <h2 id="stay-calm-and-ask-for-help-when-you-need-it">Stay calm, and ask for help when you need it</h2> <p>We can&rsquo;t promise that you&rsquo;ll never have a stressful day at work. But if you follow the principles outlined above, protecting your business should become a little more manageable for you and the people you work with. Finally, if you&rsquo;re ever feeling stumped or overwhelmed, don&rsquo;t be afraid to ask an external specialist for help. It&rsquo;s what they&rsquo;re there for.</p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Want to learn more?</h3> <p class="c-call-to-action-box__text"> Read our first State of Access report to learn more about burnout and its growing impact on cybersecurity. It covers the effect of exhaustion on password choices, the use of shadow IT, and other potential risk factors. 
</p> <a href="https://1password.com/resources/2021-state-of-secure-access-report/" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Read the report </a> </div> </section></description></item><item><title>Talking to your kids about online safety</title><link>https://blog.1password.com/talking-to-kids-online-safety/</link><pubDate>Fri, 11 Mar 2022 00:00:00 +0000</pubDate><author>info@1password.com (Andrew Zangre)</author><guid>https://blog.1password.com/talking-to-kids-online-safety/</guid><description> <img src='https://blog.1password.com/posts/2022/talking-to-your-kids/header.png' class='webfeedsFeaturedVisual' alt='Talking to your kids about online safety' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Raising a family today means, for many parents, having kids who use the internet for entertainment, talking with friends, and schoolwork. Millions now have a smartphone <a href="https://www.theguardian.com/society/2020/jan/30/most-children-own-mobile-phone-by-age-of-seven-study-finds">around the time they lose their first tooth</a>. This creates <a href="https://www.pewresearch.org/internet/2020/07/28/parenting-children-in-the-age-of-screens/">new challenges for parents</a> who want to help their children navigate around mature content, misinformation, and other online risks.</p> <p>But kids need space to explore and learn about technology at their own pace. So don’t monitor or look over their shoulders at all times. Instead, give them advice on how to use the internet securely. 
Below are some tips on how to approach these conversations, and what specifics you should share with your children when it comes to online safety.</p> <h2 id="approach-with-care-and-be-an-ally">Approach with care, and be an ally</h2> <p>Some early guidance will set your child up for success – both in using technology and handling any problems. Have a relaxed but realistic conversation at a time and place where you’ll have their full attention. Remember that this isn’t meant to scare them away from technology, but to best prepare them for it and minimize their risks.</p> <p>It&rsquo;s not enough to give advice; you need to give the right advice. So take some time to educate yourself on the best cybersecurity tips, but also what young people are into online – which is always changing – and the associated risks. Make sure that you practice what you preach, too. If you follow your own advice, your children will be more likely to do the same.</p> <p>And remember: It’s never too early to have these talks. Roughly <a href="https://1password.com/resources/the-family-password-paradigm/">40 percent of parents</a> talk about online security with their preschool children (ages 3-4). If your kids are old enough to use the computer or watch shows on your tablet, then they’re ready for a chat about online safety.</p> <h2 id="knowing-the-risks-is-half-the-battle">Knowing the risks is half the battle</h2> <p>Children and young adults today don’t visit the internet so much as coexist with it. A speech in <em>The Social Network</em> described it well: “We lived on farms, then we lived in cities, and now we’re going to live on the internet!”</p> <p>Just like a city, there will always be places online that are dangerous. The trick is knowing how to spot and avoid them.</p> <p>Computer viruses have been around as long as personal computers. 
But as the internet has become a bigger and bigger part of our daily routines, cybercriminals have developed increasingly sneaky methods of attack.</p> <p>The more our personal information is requested (or required) around the web, the more ways cybercriminals have to steal it. Antivirus software is a good place to start, but it’s not perfect. It’s crucial that your children understand they should only share personal details with trustworthy sites or apps. An eye-popping contest submission might look exciting and authentic, but that doesn’t mean it’s legitimate.</p> <p>The same advice applies to emails and text messages – if your kid isn’t sure exactly who or where the message came from, they shouldn’t respond, download any attachments, or click on any links. They should be particularly skeptical of any language that urges them to do something quickly – it’s a common red flag, and could mean the message <a href="https://blog.1password.com/what-is-phishing-and-how-can-you-protect-your-business/">is a phishing attack</a>.</p> <h2 id="the-importance-of-a-password-manager">The importance of a password manager</h2> <p><a href="https://www.verizon.com/business/resources/reports/dbir/">Most cyber attacks</a> are traced back to weak passwords and other common mistakes made on the web. You can help everyone in your household reduce their risk by embracing a password manager. <a href="https://support.1password.com/explore/personal/">1Password Families</a> lets anyone, regardless of their age and how tech-savvy they are, create and remember strong, unique passwords for all their accounts – both personal and shared.</p> <p>With 1Password, you can <a href="https://blog.1password.com/family-organizer-tips/">oversee your family’s shared passwords</a> and manage who has access to them. 
You can also help recover accounts if your kids are ever locked out, and quickly update any passwords that have appeared in data breaches. Helping your kids learn safe online habits until they’re second nature will set them up for success in the digital world.</p> <p><a href="https://watchtower.1password.com/">1Password Watchtower</a> also has your family’s back. It will tell your kids whenever a site they use has been compromised, so they can update any affected passwords. 1Password also has a built-in <a href="https://1password.com/password-generator/">password generator</a> so they can create and automatically save new logins for these accounts all in the same place!</p> <h2 id="social-media-safety">Social media safety</h2> <p>Young people today hang out on social media more than any mall or movie theater. Last year, 63 percent of Americans aged 12-17 <a href="https://www.cnbc.com/2021/11/18/tiktok-usage-topped-instagram-in-2021-among-kids-12-to-17-forrester-.html">used TikTok on a weekly basis</a>, and 57 percent used Instagram. And <a href="https://www.bbc.com/news/technology-57670779">millions of even younger kids</a> are likely using the platforms, skirting around the required age limits.</p> <p>Social media is rife with unique risks, and its popularity shows no signs of slowing. As young people continue to explore this endless content, share their own posts, and connect with strangers, you need to teach your kids how to use social platforms responsibly and securely.</p> <p>For starters, explain to your kids that they shouldn’t share anything they wouldn’t want the world to see. They need to think carefully about each photo, video, or written post before pressing publish. They don’t want to accidentally say something that’s offensive, embarrassing, or could land them in legal trouble. 
With a few extra moments to think through a post, they may reconsider hitting send.</p> <p>If they’re particularly young, children should limit their posts to “friends only.” And they need to be mindful of who they accept as friends and followers. Your kids should ask themselves, “Is this someone I really trust to see my content or personal details?” Similarly, they should always be thinking, “Is this someone I should be connecting with?” before they comment on someone’s post or send a direct message. You can also show them how to block and report users who send suspicious or inappropriate messages.</p> <p>Remember: <a href="https://blog.1password.com/why-security-scare-tactics-dont-work/">Scare tactics aren’t the answer</a>. Kids will be kids, and in the digital age, will likely use social media to entertain and express themselves – whether you know about it or not. Empower them to use it safely by using strong passwords and being careful about what they share and who they share it with.</p> <h2 id="basic-security-for-devices">Basic security for devices</h2> <p>It’s not just online accounts that demand good password protection – computers, tablets, and smartphones require the same level of care. Kids need to be cautious when choosing to share their device passwords with other people. Underline the importance of privacy with your kids; even the strongest passwords are meaningless if they’re casually shared with friends, emailed to someone, or posted on social media.</p> <p>Building off that, encourage your children to keep a close eye on their computers and smartphones, and not let other people use or borrow them unsupervised. Accidentally leaving their phone at school is not just potentially expensive, but can also put their information at risk.</p> <p>If computers or other devices are acting strange or appear infected, your kids should stop using them immediately and bring it to your attention (or their teachers, if they’re being used in school). 
An IT expert can hopefully help resolve the issue with you, whether they work for the device’s manufacturer or a standalone service. Concern about a serious incident, such as stolen or reshared private data, <a href="https://www.justice.gov/criminal-ccips/reporting-computer-internet-related-or-intellectual-property-crime">may need to be reported</a>, too.</p> <h2 id="what-to-do-if-situations-arise">What to do if situations arise</h2> <p>If your kids learn to drive, they’ll probably hit a curb or two at some point. That’s just how it goes! On the internet, they’ll inevitably run into some stressful situations as well. Remain calm when they talk to you about their problems, so you don’t make a scary experience even harder for them. Much like their first fender bender, their digital dilemmas are each learning opportunities of their own.</p> <p>Create a judgment-free space for your kids to ask questions and discuss problems. You want them to feel comfortable bringing this stuff up at any time, rather than keep it quiet and try to solve issues themselves. Ask for details, thank them for being honest about it, and then come up with solutions together. You might decide the best course of action is to update one of their accounts, delete it entirely, or reach out to the company that manages the site, app, or game they’re using.</p> <p>Finally, if <em>you</em> run into any problems, show your kids and explain what happened. These are great learning opportunities for the both of you, and a chance to show that nobody’s perfect or immune when using technology. And there’s always more to learn and look out for, since technology – and its risks – are always evolving.</p> <p>The safe online habits your kids develop now will stick with them as they grow up and use more technology – in school, at work, and in their personal lives. 
So make sure they’re good ones!</p></description></item><item><title>Strengthening our investment in customer security with a $1 million bug bounty</title><link>https://blog.1password.com/increasing-our-bug-bounty-investment/</link><pubDate>Thu, 10 Mar 2022 00:00:00 +0000</pubDate><author>info@1password.com (Emily Chioconi)</author><guid>https://blog.1password.com/increasing-our-bug-bounty-investment/</guid><description> <img src='https://blog.1password.com/posts/2022/increasing-our-bug-bounty-investment/header.png' class='webfeedsFeaturedVisual' alt='Strengthening our investment in customer security with a $1 million bug bounty' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">At 1Password, we’re committed to providing an industry-leading security platform for both businesses and families. That’s why today, we’re announcing that we’ve increased our top bug bounty reward with <a href="https://bugcrowd.com/agilebits">Bugcrowd</a> to $1 million. With this investment, we’re further bolstering our ongoing efforts to keep 1Password customers as secure as possible.</p> <h2 id="what-is-bugcrowd">What is Bugcrowd?</h2> <p>Testing software for security vulnerabilities, commonly called penetration testing, is typically handled through specialized firms. Bugcrowd provides a platform where multiple security researchers can come together to offer a crowdsourced investigation. Bugcrowd makes it possible for companies like 1Password to work with tens of thousands of security researchers and ethical hackers on an ongoing basis.</p> <p>The bug bounty program lets 1Password reward these security researchers for helping fortify our defenses and protect our customers against evolving threats.</p> <h2 id="1password-and-bugcrowd">1Password and Bugcrowd</h2> <p>Since 2017, 1Password has worked with Bugcrowd to reward researchers who identify potential vulnerabilities. 
Simply put, when a researcher finds something we’ve overlooked, we want to hear from them and reward them for their efforts. Bugcrowd acts as an additional layer of scrutiny on top of our existing security audits and ongoing internal assessments.</p> <p>To date, we’ve paid out $103,000 to Bugcrowd researchers, averaging $900 per reward. While all the detected bugs have been minor and didn’t pose a threat to sensitive customer data, we were able to resolve them quickly and reduce the risk of attacks. After nearly 800 attempts from researchers, the total payout showcases 1Password’s relentless commitment to protecting our customers.</p> <h2 id="our-ongoing-efforts-to-keep-your-data-safe">Our ongoing efforts to keep your data safe</h2> <p>As part of our day-to-day operations, we regularly engage external security experts and white hat hackers to find blind spots and strengthen the 1Password platform. These efforts include:</p> <ul> <li>Conducting more than a dozen external penetration tests annually, the results of which are <a href="https://support.1password.com/security-assessments/">released in full to the public</a>.</li> <li>Staffing protocols that ensure security-directed developers are always a part of product development teams.</li> <li>A Security Ambassador Program to continuously train and develop security expertise within development teams.</li> <li>An Eyes of the Month program that rewards the employees who report the most notable security issue of the month, surfacing bugs that can only be found by those familiar with the subject matter and creating awareness across the company.</li> <li>Internal testing and review programs designed to strengthen 1Password’s culture of privacy and security.</li> </ul> <p>We’re hoping to build on these existing initiatives by further investing in our bug bounty program and attracting more outside expertise to make our systems as secure as possible. 
Enlisting the collective intelligence of thousands of researchers helps 1Password consistently deliver a reliable, secure product that makes online safety accessible to anyone.</p> <h2 id="our-commitment-to-human-centric-security">Our commitment to human-centric security</h2> <p>The busier we get, the more we favor simple solutions over secure ones. But protecting our privacy and personal information shouldn’t be so difficult. No one should have to choose between security and convenience, and with 1Password, they don’t have to. Our new investment in an industry-leading bug bounty program lets us cover more ground as we pursue our mission to help people navigate the digital world without fear or friction.</p></description></item><item><title>How a password manager fits into a digital minimalist lifestyle</title><link>https://blog.1password.com/password-manager-digital-minimalist-lifestyle/</link><pubDate>Wed, 09 Mar 2022 00:00:00 +0000</pubDate><author>info@1password.com (Stacey Harris)</author><guid>https://blog.1password.com/password-manager-digital-minimalist-lifestyle/</guid><description> <img src='https://blog.1password.com/posts/2022/password-manager-digital-minimalist-lifestyle/header.png' class='webfeedsFeaturedVisual' alt='How a password manager fits into a digital minimalist lifestyle' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Getting a <a href="https://blog.1password.com/password-manager/">password manager</a> is the ultimate minimalist move – after all, reducing the number of passwords you need to remember down to one is pretty significant. When we’re talking about digital minimalism we’re referring to the idea of simplifying your digital life to help you focus on the things that are truly important to you. 
A password manager is an important tool in any digital minimalist&rsquo;s life and can help you achieve that organizational, zen-like happiness.</p> <h2 id="why-digital-minimalism-is-important">Why digital minimalism is important</h2> <p>Digital minimalism is about intentionally choosing the technology we use in order to improve our lives. This is important from both a security standpoint and a well-being standpoint. Security-wise, using a <a href="https://1password.com/password-manager/">password manager</a> means you can use strong, unique passwords for every account. 1Password also points out websites where you can enable 2FA, and highlights websites where a breach has occurred, advising you to update your password on that site.</p> <p>From a well-being standpoint, not having to worry about managing and remembering so many digital tools, logins, programs, etc. means your focus can be directed to the things that are most important to you. So, here are our top tips on how to use a password manager as a digital minimalist.</p> <h2 id="organize-your-vaults">Organize your vaults</h2> <p>Putting all of your logins in one place makes it easier for you to find everything you need, when you need it. But in addition to putting everything in one place, it’s also important to organize everything you’re keeping in your password manager. 1Password makes it easy to arrange everything so it’s easily accessible. 
<a href="https://support.1password.com/favorites-tags/">Using categories for different items, tags for similar groupings, and favorites for quick access</a> makes finding whatever you need a breeze – it’s the digital equivalent of having a neatly organized cutlery drawer.</p> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div class="c-technical-aside-box__description"> <p>Find out why 1Password is the best in the market with our <a href="https://1password.com/comparison/">password manager comparison</a>!</p> </div> </aside> <h2 id="archive-old-logins">Archive old logins</h2> <p>After you’ve added everything to your password manager, you’ll probably notice that there are a lot of old, unused logins in the mix. Those items can make a vault feel cluttered, even if you’re using tags and favorites. Many minimalists try to live with only essential items, some even limiting the number of items they own overall. We’re not saying you should do that, but the principle of reviewing and eliminating what’s no longer important is worth thinking about.</p> <blockquote> <p><em>Ask yourself: Have you used the account in the past two years?</em></p> </blockquote> <p>While going through your items, pause and ask yourself: Have you used the account in the past two years? Do you think you’ll use it in the next five years? If the answer to both is no, you can delete or close those old accounts and remove them from your password manager altogether – <a href="https://blog.1password.com/ghosts-passwords-past/">closing old accounts also helps reduce your risk exposure</a>. 
If you don’t want to close old accounts – or you can’t – 1Password also lets you <a href="https://support.1password.com/1password-com-items/">archive items</a>, taking them out of view from your vaults (you can always restore them if you need them later).</p> <h2 id="add-more-than-logins">Add more than logins</h2> <p>It can be easy when you’re setting up your 1Password account to just add your logins and be done with it, but why not add all of your identification? Health cards, driver’s licenses, passports, credit cards. These are all items that you might not carry with you 24/7, but the one time you need one when you’re not home – like booking a last-minute flight – you’ll wish you had access. No more messaging a family member to take a photo, or send you the number. Just easily access the information yourself and go about your day. It lets you complete tasks faster, freeing up your mind to focus on whatever is most important to you.</p> <h2 id="sharing">Sharing</h2> <p>How do you share passwords with friends and family – and how do they share with you? Do you have a Wi-Fi password written on a whiteboard at home that you share with guests? Does your friend text you their Netflix login? Is it a scrap of paper handed over and then immediately thrown away once you’ve logged in?</p> <blockquote> <p><em>When someone shares a password with you, just add it to your own vault.</em></p> </blockquote> <p>You might have other people’s passwords scattered across different sharing methods, and are often searching through past chats to re-enter a friend&rsquo;s streaming password. But as a digital minimalist knows, that’s no way to save passwords. Now, whenever someone shares a password with you, it’s simple to just add it to your own vault. 
And you can also securely share virtually anything in your <a href="https://1password.com/resources/guides/create-and-manage-shared-vaults/">1Password vault</a> with anyone – even if they’re not using 1Password – <a href="https://blog.1password.com/psst-item-sharing/">with Psst!, our secure sharing tool</a>.</p> <h2 id="reduce-your-physical-clutter">Reduce your physical clutter</h2> <p>Using a password manager won’t just help you be a digital minimalist; it can also help reduce some of your physical clutter. You can save documents in 1Password – things like travel insurance documents, your will, or car registration documents. So not only can you get rid of the physical version, you’ll now also have access to the digital version wherever you are. If your policy doesn’t allow you to get rid of the physical version of these documents, it’s still a bit of peace of mind to know that you have a backup of these documents safely stored online.</p> <p>That’s why 1Password is an important tool for any digital minimalist – and a great first step in becoming one. We also recently shared a <a href="https://blog.1password.com/secure-yourself-digital-declutter-checklist/">digital declutter checklist</a> to help you pare down and organize your digital life while also making yourself more secure. So whether you’re trying to get focused, clear space, or sort out your online life, we hope that you’re using a password manager to keep yourself secure and organized.</p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Ready to protect yourself?</h3> <p class="c-call-to-action-box__text"> Keep all of your accounts secure with 1Password, the world’s most-trusted password manager. Get started today with a free 14-day trial. 
</p>
</p> <a href="https://1password.com/pricing/" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Try free for 14 days </a> </div> </section></description></item><item><title>Forgot your password? Learn how to reset and change passwords safely</title><link>https://blog.1password.com/how-to-reset-password/</link><pubDate>Mon, 07 Mar 2022 00:00:00 +0000</pubDate><author>info@1password.com (1Password)</author><guid>https://blog.1password.com/how-to-reset-password/</guid><description> <img src='https://blog.1password.com/posts/2022/how-to-reset-password/header.png' class='webfeedsFeaturedVisual' alt='Forgot your password? Learn how to reset and change passwords safely' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Creating and remembering strong, unique passwords can be a challenge, and resetting them when you forget can be annoying and time-consuming. But it doesn’t have to be this way. If you adopt a password manager like 1Password, you can instantly generate and safely store all your passwords in one place.</p> <h2 id="the-problem-with-passwords">The problem with passwords</h2> <p>With nearly everything online requiring an account these days, password security has never been more important. You can’t protect every account with your pet’s name or your mom’s birthday and expect them to remain safe. Instead, you need to use strong, unique passwords. But if you don&rsquo;t have a system for remembering them, it&rsquo;s easy to fall into a frustrating cycle of creating, forgetting, and constantly resetting them.</p> <p>Security breaches and password theft <a href="https://fortune.com/2021/10/06/data-breach-2021-2020-total-hacks/">are on the rise</a>, so it’s no surprise that many sites are demanding longer, more complex passwords with upper and lower case letters, and at least one number and special character. 
They’re tougher for cybercriminals to crack, but also harder for you to remember.</p> <p>Even if you could memorize the right combination of letters, numbers, and symbols for all your passwords, it’s easy to type them out incorrectly, especially when using a smaller keyboard on a phone or tablet. And if you enter the wrong password too many times, you might get locked out of the account.</p> <p>What’s worse than forgetting a password? The tedious process of resetting it. That can mean waiting for a confirmation email, following the relevant link, and then trying to pick another new password that fits the company’s requirements. It’s inconvenient, to say the least.</p> <h2 id="the-answer-a-password-manager">The answer: a password manager</h2> <p>The solution to the endless cycle of forgetting and resetting your login credentials? <a href="https://1password.com/">A password manager like 1Password</a>. It can generate and securely store strong passwords with just a few clicks, as well as the email addresses and usernames they&rsquo;re tied to. All you have to remember is the password for your 1Password account.</p> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div class="c-technical-aside-box__description"> <p>Want to stay secure online? Create a unique username with 1Password&rsquo;s free <a href="https://1password.com/username-generator/">Username Generator</a>!</p> </div> </aside> <h2 id="access-your-passwords-anytime-on-any-device">Access your passwords anytime, on any device</h2> <p>Both inside and outside the office, 1Password will keep your credentials secure and ensure you never forget them again. And unlike some password managers, you can easily retrieve them on any device or web browser. 
That includes:</p> <ul> <li><a href="https://1password.com/downloads/mac/">macOS</a></li> <li><a href="https://1password.com/downloads/ios/">iOS</a></li> <li><a href="https://1password.com/downloads/windows/">Windows</a></li> <li><a href="https://1password.com/downloads/android/">Android</a></li> <li><a href="https://1password.com/downloads/linux/">Linux</a></li> <li><a href="https://1password.com/downloads/chrome-os/">ChromeOS</a></li> </ul> <p>1Password in the browser, meanwhile, <a href="https://1password.com/downloads/mac/#browsers">works on Chrome, Firefox, Edge, Brave, and Safari</a>.</p> <h2 id="no-more-memorizing-forgetting-and-resetting-passwords">No more memorizing, forgetting, and resetting passwords</h2> <p>Once you’ve set up your 1Password account, you can begin resetting and updating your existing passwords with stronger, more secure credentials.</p> <p><a href="https://watchtower.1password.com/">1Password Watchtower</a> can show you which of your passwords are weak or reused on different accounts, so you can update them with something better. It will also monitor <a href="https://haveibeenpwned.com/">Have I Been Pwned</a> and tell you when any of your sensitive information has been exposed in a data breach. That way, you can reset the affected password quickly before any cybercriminal has a chance to exploit it.</p> <p>To update your passwords, find the “change password” section in whatever account you’re logged into and use the new, stronger option suggested by 1Password. Your password manager will then save and <a href="https://1password.com/features/autofill/">autofill</a> your new password every time you need to log in.</p> <p>1Password will also tell you if the service supports <a href="https://support.1password.com/one-time-passwords/">two-factor authentication</a> (2FA). This extra layer of security protects your accounts from potential attackers who have managed to find or figure out your password. 
You can use 1Password to deliver these unique, one-time login codes, so you don&rsquo;t have to waste time downloading a dedicated authentication app or finding the relevant email or text message.</p> <h2 id="1passwords-strong-password-generator">1Password&rsquo;s strong password generator</h2> <p>If 1Password doesn’t pop up automatically while you’re changing a password, click the icon in your browser’s toolbar and <a href="https://support.1password.com/getting-started-browser/#create-a-custom-password">open the password generator</a>. It has settings that will help you meet any requirements, including the precise number of characters and whether it needs numbers or symbols. It can also create passphrases that are strong but easier to remember, as well as <a href="https://blog.1password.com/orange-facile-glossary-and-other-questions-answered/">random, unique answers to security questions</a> that avoid information a would-be attacker could find online.</p> <p>It might take a while to go through and replace all your logins with stronger passwords, but it will save you time in the future, as 1Password will now automatically enter your credentials for you every time you log in.</p> <h2 id="simplify-your-life-with-1password">Simplify your life with 1Password</h2> <p>If you’re fed up with constantly forgetting and resetting your account credentials, consider a password manager like 1Password. It can generate strong, unique passwords for all your accounts and autofill them at login, so you don’t have to worry about remembering each one. 1Password will store everything in one secure location, monitor your accounts for data breaches, help you set up 2FA where it’s available, and notify you of any weak or reused credentials that need to be updated. 
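As an added example, and not 1Password's own code, the following Python shows the two secrets a password manager computes for a login item: a random password that satisfies a site's character requirements, drawn from the operating system's CSPRNG through `secrets`, and the six-digit one-time code that 2FA relies on, derived from the shared seed with the RFC 6238 TOTP algorithm. The character sets, the 20-character default and the base32 helper are assumptions made for this example.

```python
import base64
import hashlib
import hmac
import secrets
import string
import struct
import time

# Character classes a site policy may demand. These sets are an assumption
# for the example, not the sets 1Password's generator uses.
LOWER, UPPER, DIGITS = string.ascii_lowercase, string.ascii_uppercase, string.digits
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?"


def generate_password(length=20, digits=True, symbols=True):
    """Return a random password of `length` characters from a CSPRNG.

    Every requested class is guaranteed to appear at least once, so the
    result passes a "must contain a number and a symbol" policy on the
    first try. The guaranteed characters are then shuffled into random
    positions so their placement reveals nothing about how they were made.
    """
    classes = [LOWER, UPPER]
    if digits:
        classes.append(DIGITS)
    if symbols:
        classes.append(SYMBOLS)
    if length < len(classes):
        raise ValueError("length too short to satisfy every required class")
    alphabet = "".join(classes)
    # One character from each required class, then fill from the union.
    chars = [secrets.choice(c) for c in classes]
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    # Fisher-Yates shuffle driven by secrets.randbelow; random.shuffle is
    # backed by a non-cryptographic generator and must not be used here.
    for i in range(len(chars) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


def totp(secret, for_time=None, step=30, digits=6, algo=hashlib.sha1):
    """RFC 6238 TOTP: HMAC over the time-step counter, dynamically truncated.

    `secret` is the raw seed bytes; `for_time` is a Unix timestamp (defaults
    to now). The server runs the same computation, so the code is only as
    secret as the seed it is derived from.
    """
    counter = int((time.time() if for_time is None else for_time) // step)
    msg = struct.pack(">Q", counter)                      # 8-byte big-endian counter
    mac = hmac.new(secret, msg, algo).digest()
    offset = mac[-1] & 0x0F                               # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp_from_base32(b32_secret, **kw):
    """Seeds are usually handed out as base32 text (the otpauth:// URI);
    this helper is an assumption about that format, not a 1Password API."""
    cleaned = b32_secret.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)                  # restore stripped padding
    return totp(base64.b32decode(cleaned), **kw)


if __name__ == "__main__":
    print(generate_password(20))
    # RFC 6238 Appendix B, SHA-1, T=59, 8 digits -> 94287082
    print(totp(b"12345678901234567890", for_time=59, digits=8))
```

Calling `totp(b"12345678901234567890", for_time=59, digits=8)` returns `94287082`, the first SHA-1 vector in RFC 6238 Appendix B, which is the quickest way to confirm an implementation before trusting it with real seeds. The shuffle uses `secrets.randbelow` rather than `random.shuffle` because the `random` module is not cryptographically secure, and a predictable shuffle would let an attacker narrow down where the guaranteed digit and symbol sit.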
Together, all of this makes password management simple, safe, and efficient.</p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Ready to protect yourself?</h3> <p class="c-call-to-action-box__text"> Keep all of your accounts secure with 1Password, the world’s most-trusted password manager. Get started today with a free 14-day trial. </p> <a href="https://1password.com/business-pricing/" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Try free for 14 days </a> </div> </section></description></item><item><title>A message of solidarity for Ukraine</title><link>https://blog.1password.com/we-stand-with-ukraine/</link><pubDate>Thu, 03 Mar 2022 00:00:00 +0000</pubDate><author>info@1password.com (Jeff Shiner)</author><guid>https://blog.1password.com/we-stand-with-ukraine/</guid><description> <img src='https://blog.1password.com/posts/2022/we-stand-with-ukraine/header.svg' class='webfeedsFeaturedVisual' alt='A message of solidarity for Ukraine' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">1Password stands with the brave citizens and leaders of Ukraine who are defending their homes and our values.</p> <p>I am taking a stand, alongside the founders of 1Password – David Teare, Sara Teare, Roustem Karimov and Natalia Karimov – and 78 other Canadian business leaders, to urge the Government of Canada to continue taking bold action with the conflict in Ukraine.</p> <p>We signed an open letter to Prime Minister Justin Trudeau, Deputy Prime Minister Chrystia Freeland, and Minister of Foreign Affairs Mélanie Joly, which was published in The Globe and Mail this week to express our deep sorrow, concern, and recommended action steps. 
Thank you to Michael Katchen and Som Seif for organizing this letter.</p> <p>To help support the people of Ukraine, 1Password is matching donations made by our employees up to $50,000. We’re also offering support to our employees who are impacted by the conflict.</p> <p>I stand with peace.</p> <img src="https://blog.1password.com/posts/2022/we-stand-with-ukraine/open-letter.jpg" alt="Open letter to the Government of Canada from Canadian business leaders." title="Open letter to the Government of Canada from Canadian business leaders." class="c-featured-image"/> <section class="c-call-to-action-box"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">We&#39;re listening</h3> <p class="c-call-to-action-box__text"> Questions? Reach out if you want to discuss the letter or our support of Ukraine during these difficult times. </p> <a href="mailto:letschat@1password.com" class="c-call-to-action-box__link-href" data-event-category="CTA" data-event-action="call-to-action-button"> Let&#39;s chat </a> </div> </section></description></item><item><title>Save your Phantom wallet details in 1Password</title><link>https://blog.1password.com/phantom-crypto-wallet-1password/</link><pubDate>Wed, 23 Feb 2022 00:00:00 +0000</pubDate><author>info@1password.com (Matt O'Leary)</author><guid>https://blog.1password.com/phantom-crypto-wallet-1password/</guid><description> <img src='https://blog.1password.com/posts/2022/phantom-crypto-wallet-1password/header.svg' class='webfeedsFeaturedVisual' alt='Save your Phantom wallet details in 1Password' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">We&rsquo;re making it easier for <a href="https://phantom.app/">Phantom</a> wallet owners to save their account password, secret recovery phrase, and wallet address in 1Password. 
Phantom is a digital wallet that lets you manage cryptocurrencies, tokens, and NFTs built on <a href="https://solana.com/">the Solana blockchain</a>.</p> <p>This is the first of many partnerships that we’ve been working on in the cryptocurrency space. It&rsquo;s always been our goal to make it easier for everyone, regardless of their technological proficiency, to protect everything that&rsquo;s important to them. And for an ever-growing group of people, everything includes digital assets.</p> <p>It all feeds into our mission <a href="https://blog.1password.com/future-of-1password/">to bring human-centric security to everyone</a>.</p> <p>Starting today, if you create a Phantom wallet in your browser – and have <a href="https://1password.com/pricing/">an active 1Password membership</a> – you&rsquo;ll see a <a href="https://blog.1password.com/save-in-1password-button-with-ramp/">Save in 1Password button</a>. Choosing this option will save everything you need to access your Phantom wallet and safely trade Solana-based tokens and collectibles.</p> <p>That includes:</p> <ul> <li>Your Phantom wallet password</li> <li>Your wallet address (You need this to receive Solana from other people. It&rsquo;s also known as your public key)</li> <li>Your secret recovery phrase (This is tied to your private key, which is what actually gives you access to your assets)</li> </ul> <h2 id="why-were-doing-this">Why we&rsquo;re doing this</h2> <p>Here at 1Password, we want to help secure everything that&rsquo;s important to you, including your <a href="https://blog.1password.com/how-to-use-1password-to-manage-cryptocurrency/">cryptocurrency wallets</a>. We believe your keys and recovery phrases deserve the same level of protection as your credit and debit card numbers, <a href="https://blog.1password.com/introducing-the-medical-record/">medical records</a>, and everything else you have stored inside 1Password.</p> <p>Know someone who thinks crypto is too complicated or overwhelming? 
So do we. Most people don&rsquo;t know what a recovery phrase is, or what will happen if they lose it. We know that getting started and securing your hard-earned investments should be simpler. That&rsquo;s where 1Password comes in.</p> <p>1Password has <a href="https://blog.1password.com/how-to-use-1password-to-manage-cryptocurrency/">always been a place</a> to store wallet addresses, private keys, and login credentials for cryptocurrency exchanges. But with the Save in 1Password button, it&rsquo;s now easier than ever for Phantom wallet owners to gather and protect this information. We&rsquo;ve also created a new item type for cryptocurrencies in 1Password, with clearly-labeled fields for everything you might want to store.</p> <p>It&rsquo;s secure but also convenient, because you can retrieve anything you need on any device or web browser.</p> <h2 id="whats-phantom">What&rsquo;s Phantom?</h2> <p>Phantom is a free digital wallet that you can access through your web browser, or the team&rsquo;s recently-released iPhone app. It lets you store, buy, send, and receive assets that are managed on Solana&rsquo;s decentralized blockchain. These assets include the original Solana cryptocurrency – which is abbreviated as SOL – and other Solana-based tokens. You can also use Phantom&rsquo;s wallet to view the one-of-a-kind NFT artwork that you&rsquo;ve collected on the Solana blockchain.</p> <h2 id="how-to-use-phantom-with-1password">How to use Phantom with 1Password</h2> <p>To get started, make sure you’ve set up <a href="https://support.1password.com/getting-started-browser/">1Password in the browser</a>. Then visit the <a href="https://phantom.app/download">Phantom website</a> and download the wallet extension for your Chrome, Edge, Brave, or Firefox browser. 
Choose Create a New Wallet and use 1Password in the browser to create a strong, unique password for your Phantom account.</p> <img src="https://blog.1password.com/posts/2022/phantom-crypto-wallet-1password/phantomscreenshot1.png" alt=" 1Password password generator in Phantom" title=" 1Password password generator in Phantom" class="c-featured-image"/> <p>You&rsquo;ll then see your secret recovery phrase – composed of 12 random words – and the option to save all of your wallet details in 1Password. (You should never share your secret recovery phrase with anyone, and no legitimate support team or website will ever ask for it: whoever holds the phrase has full control over your wallet!) Everything will be stored in a brand new item type that we&rsquo;ve created just for cryptocurrencies and other digital assets.</p> <img src="https://blog.1password.com/posts/2022/phantom-crypto-wallet-1password/phantomscreenshot2.png" alt=" Save in 1Password button in Phantom" title=" Save in 1Password button in Phantom" class="c-featured-image"/> <p>And that&rsquo;s it! You&rsquo;re all done.</p> <p>The next time you need to log in to your Phantom wallet, 1Password will <a href="https://1password.com/features/autofill/">autofill</a> your password, regardless of which device or browser you&rsquo;re using. And if you ever need your secret recovery phrase or wallet address, you&rsquo;ll find them inside 1Password, safe and sound.</p> <img src="https://blog.1password.com/posts/2022/phantom-crypto-wallet-1password/phantomscreenshot3.png" alt=" Phantom wallet item in 1Password" title=" Phantom wallet item in 1Password" class="c-featured-image"/> <h2 id="the-possibilities-of-cryptocurrency-the-security-of-1password">The possibilities of cryptocurrency. The security of 1Password.</h2> <p>Buying and trading cryptocurrencies shouldn&rsquo;t be complicated. And you should never be forced to pick between convenience and security.</p> <p>With 1Password, you don&rsquo;t have to choose. 
We make sure your wallet details are secure, while giving you the freedom to access them whenever and wherever you like. With this peace of mind, you can focus on other things, like managing your personal portfolio, learning about new tokens, or deciding which digital collectible to buy or sell next.</p> <p>We&rsquo;re thrilled to be partnering with Phantom, and what it means for the future of 1Password. Whether you&rsquo;re a new or longtime crypto investor, there&rsquo;s a lot to be excited about. And if you’d like to be next to add the Save in 1Password button to your service, <a href="mailto:support+partnerships@1password.com">get in touch</a>!</p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Get started with Phantom</h3> <p class="c-call-to-action-box__text"> Download the Phantom wallet for Chrome, Edge, Brave, or Firefox to create a new wallet and save your details in 1Password. </p> <a href="https://phantom.app/download" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Get started </a> </div> </section></description></item><item><title>Webcam security in the age of Zoom</title><link>https://blog.1password.com/webcam-security-zoom/</link><pubDate>Fri, 18 Feb 2022 13:50:00 +0000</pubDate><author>info@1password.com (Andrew Zangre)</author><guid>https://blog.1password.com/webcam-security-zoom/</guid><description> <img src='https://blog.1password.com/posts/2022/webcam-security-zoom/header.png' class='webfeedsFeaturedVisual' alt='Webcam security in the age of Zoom' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">The trusty webcam used to be a “nice to have” for the occasional job interview, virtual hangout, or simple YouTube recording. But that all changed when the pandemic started. 
In just a few months it became a daily tool for people around the world, from <a href="https://blog.1password.com/remote-companies-culture-of-security/">fully remote businesses</a> to families and friends kept apart in lockdown.</p> <p>Webcams now play such a large role in our lives that it can be easy to forget their potential risks. Many people don’t realize that cybercriminals can exploit laptop webcams, phone cameras, and standalone webcams if they’re used incorrectly. The exploding popularity of video calls and personal livestreams also means that more cameras are in use at any given time, creating more opportunities for attackers.</p> <p>Webcam usage is only going to rise as more of us work remotely, connect with loved ones on platforms like Zoom, and experiment with apps like Twitch and Instagram Live. So it’s important you take some precautions to keep out would-be attackers.</p> <h2 id="how-attackers-target-your-webcams">How attackers target your webcams</h2> <p>Webcam attacks can begin much like any other type of data breach. Attackers can gain access through malware or other malicious code that finds its way onto your devices. Many <a href="https://blog.1password.com/what-is-phishing-and-how-can-you-protect-your-business/">suspicious emails</a> and fake online forms are designed to trick you into downloading these files, which will give the attacker access to the internal or connected webcam. This type of attack has earned the name “camfecting.”</p> <p>With a successful camfecting attack, the attacker might gain control over webcam functionality. This can include:</p> <ul> <li>Turning the camera on or off</li> <li>Looking through the webcam at the subject and their surroundings</li> <li>Capturing photos or videos</li> <li>Listening through the webcam microphone, if it has one</li> </ul> <p>Similar attacks have been used on building security cameras to spy on businesses and their employees or customers. 
But by targeting an individual’s webcam, attackers can collect private information that is seen or discussed by the user. They can also use stolen video footage, screengrabs, or audio recordings for blackmail or ransom demands.</p> <p>As with most cybersecurity threats, webcam attacks are still evolving. Emerging technology like facial recognition is <a href="https://arstechnica.com/information-technology/2021/07/hackers-got-past-windows-hello-by-tricking-a-webcam/">creating a new avenue for attackers</a>. Also, <a href="https://www.businessinsider.com/work-from-home-sneek-webcam-picture-5-minutes-monitor-video-2020-3">employee tracking tools</a> – which became increasingly popular in the shift to <a href="https://blog.1password.com/categories/remote-work/">remote work</a> – can be hacked for bulk footage and data about a company’s employees. Along with the ethical questions about employee surveillance, employers need to be extra vigilant when using or considering this technology.</p> <h2 id="steps-you-can-take-to-prevent-webcam-hacks">Steps you can take to prevent webcam hacks</h2> <p>Keeping your webcam secure is a worthwhile effort as we continue with near-daily video calls on Zoom, Duo, Google Meet, and other platforms. Follow these steps to help keep you, your family, and your business safe:</p> <ul> <li>Take time to adjust the camera settings on your various devices and browsers. Go through and limit webcam permissions to only those tools and sites that need it. 
Check out specific developer guides for more detailed steps (<a href="https://support.apple.com/en-kz/guide/mac-help/mchlf6d108da/mac">Mac</a>, <a href="https://support.apple.com/en-kz/guide/iphone/iph168c4bbd5/ios">iPhone</a>, <a href="https://support.microsoft.com/en-us/windows/manage-app-permissions-for-your-camera-in-windows-87ebc757-1f87-7bbf-84b5-0686afb6ca6b">Windows</a>, <a href="https://support.google.com/android/answer/9431959?hl=en">Android</a>, <a href="https://support.google.com/chrome/answer/2693767?hl=en&amp;co=GENIE.Platform%3DDesktop">Chrome</a>, <a href="https://support.mozilla.org/en-US/kb/how-manage-your-camera-and-microphone-permissions">Firefox</a>). Remember: You can always grant one-time access to sites and apps on a case-by-case basis. Just make sure you trust them before doing so!</li> <li>Keep a lookout for unusual activity on your camera’s indicator light. If it turns on unexpectedly, it can be a sign that someone’s gained access. If that happens, disable your webcam, scan your device for suspicious files, and consult an IT expert as soon as possible. Be aware that some attacks may be able to turn off the light or activate the camera without triggering the light.</li> <li>Consider a <a href="https://www.digitaltrends.com/computing/best-webcam-covers/">privacy cover</a> that can conceal your webcam’s lens when it’s not in use. You can use a piece of tape or sticky note for a similar effect. Laptop users should remove these covers when closing their laptop, as they <a href="https://www.techradar.com/news/macbook-display-could-be-cracked-by-camera-cover-apple-warns">can potentially damage the screen</a> if kept on.</li> <li>Run <a href="https://www.techradar.com/how-to/disable-webcam-free">antivirus and antimalware programs</a> as they can detect unauthorized webcam access and warn you about suspicious activity. They can also help block untrustworthy apps that would connect to webcams. 
Some operating systems include built-in antimalware (Windows ships with Microsoft Defender, for example), but check whether it covers webcam access and consider a standalone tool if it doesn’t.</li> <li>Know what’s visible while your webcam is on – during and after work hours. For example, put any company documents away before starting your Twitch stream, and keep private personal items out of sight during work meetings.</li> </ul> <h2 id="using-video-software-correctly-and-securely">Using video software correctly and securely</h2> <p>Securing your camera hardware is a major win. But what about the software that connects to it? There are best practices you should follow when using Zoom and other video conferencing apps. Protecting both your hardware and software will give you the best defense and peace of mind.</p> <p>Like any app or online account, strong password habits are a must with any software that uses your camera – whether on your laptop, phone, or tablet. Create long, complex passwords for these accounts, and make sure you don’t reuse these passwords elsewhere. This will make it much harder for cybercriminals to gain access, and minimize the risk to your other accounts if a single set of credentials is stolen.</p> <p>A password manager will make this a painless process. With 1Password, you can create, store, and securely share login details for the different video platforms you use – along with the rest of your apps and online services. It can also notify you if any of your favorite apps are breached, so you can update the affected passwords immediately. No person or business is off limits from a cyber attack – in 2020, <a href="https://www.forbes.com/sites/daveywinder/2020/04/28/zoom-gets-stuffed-heres-how-hackers-got-hold-of-500000-passwords/?sh=64de69ca5cdc">around 500,000 Zoom credentials were put up for sale</a>, collected by credential stuffing with passwords that had leaked in earlier breaches of other services, which is exactly the attack that unique passwords defeat. 
So staying alert is crucial, as is putting the same level of effort into protecting each account.</p> <p>For video conferencing tools in particular, there’s also the matter of unwanted guests. It’s possible for people to join, disrupt, or spy on video meetings they weren’t invited to – a trend called “<a href="https://www.cnet.com/news/privacy/how-to-prevent-zoombombing-in-your-video-chats-in-4-easy-steps/">Zoombombing</a>.” This extra company may simply be out to annoy you and your fellow participants, but they can also listen in and overhear confidential information.</p> <p>Prevent this by making sure that your video meetings are private and invite-only: require a meeting passcode, turn on the waiting room so the host admits each participant, and never post the join link publicly. Refer to a platform’s user guide for help with this, or your company’s IT team, if you have one. If someone asks to join during a call, double-check they’re someone you know. And if you do notice any uninvited guests sitting on a call or being disruptive, don’t be afraid to kick them out or mute them.</p> <h2 id="its-okay-to-not-have-your-webcam-on">It’s okay to not have your webcam on</h2> <p>Video calls have brought families, friends, companies, and their clientele together in a way that few could imagine just a couple years ago. But this doesn’t mean you have to keep your webcam on at all times, or use it in every possible situation. Sometimes, in fact, it’s better that you don’t.</p> <p>Looking at yourself on camera all day can be a mental drain. Like social media and other evolving technologies, it’s something we’re learning the risks of together – in real time. In a post-pandemic world filled with webcam calls, many have developed what’s been called “<a href="https://www.theguardian.com/fashion/2021/sep/01/i-believe-its-a-mental-health-issue-the-rise-of-zoom-dysmorphia">Zoom dysmorphia</a>.” This involves personal self-image issues and anxieties about how we appear in the distorted lenses of our webcams.</p> <p>It’s crucial that we all build a sustainable relationship with our webcams. 
We all want to feel like we’re in the same room with the people we’re speaking with, but it shouldn’t be at the expense of our long-term health.</p> <p>If you run a business, make it optional for team members to turn their cameras on during meetings. Maintaining <a href="https://blog.1password.com/remote-work-culture/">work culture</a> is crucial but businesses should strive toward a relaxed approach that puts employee wellbeing first. And disabling webcams more often could reduce the associated security risks, as an added benefit.</p> <p>In the age of Zoom, few people can live with their webcam permanently turned off. So find a balance that works for you. Turn it off when it’s not needed, or when you’re just not feeling like being on camera. And when you do have it on, take sensible precautions to ensure the wrong people don’t gain access.</p></description></item><item><title>Leaving your job? Here’s how to protect yourself and your employer’s data</title><link>https://blog.1password.com/leaving-your-job-cybersecurity-guide/</link><pubDate>Wed, 16 Feb 2022 00:00:00 +0000</pubDate><author>info@1password.com (Nick Summers)</author><guid>https://blog.1password.com/leaving-your-job-cybersecurity-guide/</guid><description> <img src='https://blog.1password.com/posts/2022/leaving-your-job-cybersecurity-guide/header.svg' class='webfeedsFeaturedVisual' alt='Leaving your job? Here’s how to protect yourself and your employer’s data' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">The end is in sight. You&rsquo;ve decided to leave your job and have already handed in your notice. You&rsquo;re finishing up some final projects and, before too long, will be saying one last goodbye to your coworkers.</p> <p>Job (literally) done? Not quite. 
Before your last day, you need to decide what to do with all of your corporate accounts and devices.</p> <h2 id="why-it-matters">Why it matters</h2> <p>You might be thinking: &ldquo;Why do I need to do anything?&rdquo; After all, if you leave and something goes wrong, it&rsquo;s not like it’s your responsibility, right? Wrong. We all bear some responsibility when it comes to security, and figuring out the best, most secure action for all of your work-related hardware and passwords has its merits.</p> <ul> <li> <p><strong>Taking the correct steps will help you maintain a good relationship with the company.</strong> Because who knows – you might want to work for them again someday.</p> </li> <li> <p><strong>It will protect your former employer from data breaches.</strong> The average cost of a data breach rose to $4.24 million in 2021, according <a href="https://www.ibm.com/security/data-breach">to IBM&rsquo;s annual Cost of a Data Breach Report</a>.</p> </li> <li> <p><strong>Your former co-workers will appreciate it.</strong> Wiping your devices and securely transferring important accounts will make their lives just a little bit easier.</p> </li> <li> <p><strong>You won&rsquo;t accidentally take corporate data to a new employer.</strong> Taking secrets of any kind to another company can land you in all sorts of trouble.</p> </li> <li> <p><strong>It will give you some peace of mind.</strong> You can move on knowing that you&rsquo;ve done everything possible to keep criminals out of your old work devices and accounts.</p> </li> </ul> <p>Now, let&rsquo;s dig into <em>what</em> you should be doing before your last day.</p> <h2 id="check-your-employers-policies">Check your employer&rsquo;s policies</h2> <p>Leaving a job in a secure manner should be a joint effort between you and your soon-to-be-former employer. For example, your company should have a plan in place for all departing team members. 
The process might be documented in an employee handbook, a Google Doc, or a platform like <a href="https://www.notion.so/">Notion</a> or <a href="https://www.atlassian.com/software/confluence">Confluence</a>, which give companies an easier way to organize and share important knowledge with team members.</p> <p>Some companies will also send instructions via email after you&rsquo;ve submitted your notice of resignation. If you can&rsquo;t find anything in your inbox, check that it wasn&rsquo;t sorted into a spam or junk folder by mistake.</p> <p>Found some instructions? Then follow them to the best of your ability, and reach out to your manager or IT department if you have any questions. Remember: the process should be a partnership, not something that you do entirely on your own.</p> <p>If you can&rsquo;t find any written guidance, talk to someone at your company and explain the situation. You should then draw up a plan together that looks something like this:</p> <h2 id="tackle-your-accounts">Tackle your accounts</h2> <p>The first step is to deal with your work-related accounts and credentials. The process will vary depending on whether your company uses:</p> <ul> <li>A <a href="https://1password.com/resources/guides/why-you-should-have-sso/">single sign-on (SSO)</a> service like <a href="https://www.okta.com/">Okta</a>, <a href="https://jumpcloud.com/">JumpCloud</a> or <a href="https://www.rippling.com/">Rippling</a></li> <li>A password manager like <a href="https://1password.com/business/">1Password</a></li> <li><a href="https://blog.1password.com/1password-and-sso-a-perfect-match/">A combination of the two</a></li> <li>Neither</li> </ul> <p>Let&rsquo;s start with the first three options.</p> <h3 id="if-your-company-uses-sso-andor-a-password-manager">If your company uses SSO and/or a password manager</h3> <p>The first step is to get a complete overview of your accounts. 
You can do this by logging in to your SSO dashboard, or by opening up your company password manager. If you have both, work through the accounts covered by your SSO provider first, then the credentials stored in your password manager.</p> <p>For each account, you&rsquo;ll want to take one of three actions. Before you commit to one, run it past your manager or an IT specialist at your company, so they&rsquo;re aware and can confirm it won&rsquo;t break any policies.</p> <p><strong>1. Transfer the account to a coworker.</strong> You might be the only person who knows the password to your company&rsquo;s Facebook page. Or have a license for an application that someone else might find useful.</p> <p>The easiest and most secure way to transfer an account is via an <a href="https://1password.com/enterprise/">enterprise password manager</a>. 1Password <a href="https://support.1password.com/create-share-vaults/">offers vaults</a>, for instance, that work like shareable folders – all you need to do is move the associated password into a vault that your colleague has access to.</p> <p><strong>2. Close the account.</strong> If your company uses SSO, you might be able to do this from your personal dashboard – otherwise you&rsquo;ll need to ask your IT administrator for help.</p> <p>Before pressing delete, check if the account contains any files or projects that should be passed on to one of your co-workers. For example, if you use Google Docs, look through your private documents and share the ones that other people might find useful. It will be easier and more convenient than trying to give multiple people access to your Google Workspace account.</p> <p>If you can&rsquo;t close your work-related accounts, ensure they&rsquo;re protected by strong, unique passwords and, where possible, <a href="https://support.1password.com/one-time-passwords/">two-factor authentication (2FA)</a>. Then sign out of them on every device that you own. 
Taking these steps will make it harder for cybercriminals to break into your old work accounts and access confidential information.</p> <p><strong>3. Hold on to accounts that are okay to use in a personal capacity.</strong> You might have one or two accounts that are tied to your job, but are safe to use long after you&rsquo;ve left. A web-based portal that lets you download old payslips, for example. Or a lifetime subscription to an app like Calm, Headspace, or Duolingo.</p> <p>Ask your employer if you&rsquo;re unsure what’s safe to hold onto. They&rsquo;ll appreciate your honesty and stop you from making a decision that could cause problems later on.</p> <p>If your company uses a password manager like 1Password, you should also sift through everything else that you’ve saved – like credit card numbers and important documents – and decide what to move, delete, and make a copy of.</p> <h3 id="if-your-company-doesnt-use-sso-or-a-password-manager">If your company doesn&rsquo;t use SSO or a password manager</h3> <p>Don&rsquo;t use SSO or a password manager at work? Then you&rsquo;ll need to rack your brain and draw up a list of accounts the old-fashioned way. (If you&rsquo;re struggling with this, imagine a typical day at work and note down all of the apps and services you would use before clocking off.)</p> <p>Once you have a full list, go through it and decide what to do with each account. Your options are the same as the ones you would have if your company used SSO and/or a password manager: transfer the account to a coworker, close the account down, and hold on to the account provided it&rsquo;s safe and appropriate to do so.</p> <p>Without a password manager, you&rsquo;ll need to find another way to safely transfer account credentials to someone else. 
Talk to your manager, or someone from the IT department, and come up with a solution together that will be both secure and convenient for everyone involved.</p> <h2 id="hardware">Hardware</h2> <p>Work-related hardware can be split into two categories: company-issued devices, and anything that you&rsquo;ve supplied yourself – an increasingly common policy that businesses refer to as Bring Your Own Device (BYOD).</p> <p>If your company has provided you with a PC, laptop, phone, or tablet, you should try to return it.</p> <p>First, check whether the device has any personal files that you want to keep. These could include a copy of your resume, or a headshot photo that was taken in the office. Just be careful not to transfer, share, or make a copy of any business-related data – because in many, many cases you&rsquo;ll be breaking the law. If you&rsquo;re not sure what&rsquo;s okay to keep, stop and ask your company for guidance. Because as the age-old saying goes, it&rsquo;s better to be safe than sorry.</p> <p>If they say yes, follow these guides to wipe or factory reset your devices:</p> <ul> <li><a href="https://support.apple.com/en-gb/HT212030">macOS</a></li> <li><a href="https://support.microsoft.com/en-us/windows/give-your-pc-a-fresh-start-0ef73740-b927-549b-b7c9-e6f2b48d275e">Windows</a></li> <li><a href="https://linuxhint.com/completely_wipe_hard_drive_ubuntu/">Linux</a></li> <li><a href="https://support.apple.com/en-gb/HT201351">iOS and iPadOS</a></li> <li><a href="https://www.theverge.com/21419919/delete-data-android-phone-sell-trade-how-to">Android</a></li> </ul> <p>If you don&rsquo;t have permission to <a href="https://blog.1password.com/selling-your-phone-or-computer-remember-to-wipe-all-of-your-data/">wipe your device</a>, ask your employer if it&rsquo;s okay to manually delete your work-related files and software. 
You should also consider whether any of this data should be copied and shared with a co-worker before it&rsquo;s removed from your own work device.</p> <p>Finally, return any keycards and key fobs that you used to enter company-owned facilities. If you can&rsquo;t give them back, dispose of them as securely as possible. For example, you should cut up your keycards before throwing them into the trash can, just like you would for an expired credit card.</p> <h3 id="personal-devices-byod">Personal devices (BYOD)</h3> <p>If you&rsquo;ve been using your own laptop or phone at work, it likely has a mixture of personal and business-related files. Go through your local storage and decide what, if any, data should be transferred to a colleague before your last day. Then do your best to remove any apps and project files that are related to your current job.</p> <p>You could wipe your device, but for most people this just isn&rsquo;t practical. If you&rsquo;re sensible and go through your files in a slow and systematic fashion, you&rsquo;ll be able to find and erase any work-related content that you shouldn’t retain ownership over after leaving.</p> <h2 id="share-your-contact-details">Share your contact details</h2> <p>You&rsquo;re now in good shape. But before you leave, make sure that you leave some contact details with your soon-to-be-former employer. It’s helpful for an IT admin should they have a security-related question or find an account that requires you to take action.</p> <p>Similarly, you should have a point of contact at the company. Why? We&rsquo;re all human and occasionally make mistakes. You might forget about an account that needs to be revoked by an IT admin. Or suddenly remember a USB stick that you left in an office meeting room. 
If you have a point of contact, you can quickly notify them and fix the problem before a cybercriminal is able to find and exploit it.</p> <h2 id="enjoy-your-last-few-days">Enjoy your last few days</h2> <p>Closing accounts and erasing devices might not sound like a fun way to spend your last few days at work, but trust us, it&rsquo;s worth it.</p> <p>Follow this process and your soon-to-be-former employer will be incredibly grateful. It’ll minimize the possibility of a costly and embarrassing breach, and make life just a little bit easier for everyone you used to work with. It&rsquo;s not just a nice thing to do, it’s the right thing to do.</p> <p>In addition, it&rsquo;ll help you leave your job with some well-earned peace of mind. You&rsquo;ll move onto the next chapter of your life with a clear head, knowing that you&rsquo;ve followed best practices to secure your old work-related accounts and devices. That, in turn, will give you the best possible start for whatever you&rsquo;re planning to do next.</p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Read our beginner&#39;s guide to cybersecurity</h3> <p class="c-call-to-action-box__text"> Want to learn more about how to stay secure at work? Read our beginner's guide, which covers passwords, software, hardware, connectivity, and more! 
</p> <a href="https://1password.com/resources/beginners-guide-to-cybersecurity/" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Read our guide </a> </div> </section></description></item><item><title>Do you really need to change your password every 90 days?</title><link>https://blog.1password.com/should-you-change-passwords-every-90-days/</link><pubDate>Tue, 15 Feb 2022 00:00:00 +0000</pubDate><author>info@1password.com (Nick Summers)</author><guid>https://blog.1password.com/should-you-change-passwords-every-90-days/</guid><description> <img src='https://blog.1password.com/posts/2022/should-you-change-passwords-every-90-days/header.png' class='webfeedsFeaturedVisual' alt='Do you really need to change your password every 90 days?' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">You power on your computer and open your inbox, ready for another day at work. But instead of some unread emails, you see a login screen with an all-too-familiar message: it&rsquo;s time to update your password. And it can&rsquo;t just be any password. It needs to be one you haven&rsquo;t used before, and it must include a number… and a special character… and be 8 characters long&hellip;</p> <p>Sound familiar? Many companies require their employees to change their password every 90 days. It&rsquo;s an inconvenient policy which leads people to ask: Is it really necessary?</p> <p>The short answer is no. Frequent password changes may have been a good idea in years gone by, but they&rsquo;re not necessary today. Read on to learn why.</p> <h2 id="the-thinking-behind-mandatory-password-changes">The thinking behind mandatory password changes</h2> <p>The idea behind forced password expiration is simple. If your credentials are always changing, it&rsquo;s harder for an attacker to know what they are at any given time. 
For example, a cybercriminal might stumble upon a list of leaked passwords. But if the leak is three months old, and you rotate your password every 90 days, the information will be out of date. The attacker can&rsquo;t use those credentials to get into your account.</p> <p>Periodic password changes also protect you against <a href="https://blog.1password.com/what-is-a-brute-force-attack-and-whats-the-best-defense/">brute-force attacks</a> – an approach that relies on trial and error. This includes dictionary attacks, which prioritize words, phrases, and character combinations that appear most often in passwords, like &ldquo;qwerty&rdquo; and &ldquo;1234567&rdquo;.</p> <p>If your credentials stay the same, a cybercriminal might be able to crack them provided they have enough computing power, time, and patience. But if they change every 90 days, the process becomes more difficult.</p> <h2 id="okay-but-why-90-days">Okay, but why 90 days?</h2> <p>Some companies choose 30 days as their password expiration policy. Others pick 90 or 180 days. But 90 days is the most common, and it&rsquo;s fair to ask &lsquo;why?&rsquo; To answer this question, we need to talk about <a href="https://blog.1password.com/hashing-fast-and-slow-gpus-and-1password/">password hashing</a>.</p> <p>Today, it&rsquo;s recommended that companies store passwords as hashes. That means your true password is scrambled using a secret process called a <a href="https://en.wikipedia.org/wiki/Cryptographic_hash_function">cryptographic hash function</a> (CHF). When you enter your password, the company runs it through the CHF and confirms the result matches the hashed password stored in their database.</p> <p>Hashing makes it trickier to perform a brute-force attack. First, the hacker needs time to figure out the hashing algorithm that&rsquo;s being used. Then they have to test possible passwords by running them through the algorithm and comparing the result to the hashed password accepted by the platform. 
The process becomes even more complicated if the company adds a random string of characters to each password before hashing them – <a href="https://blog.1password.com/a-salt-free-diet-is-bad-for-your-security/">a technique called salting</a>.</p> <p>There&rsquo;s no definitive answer for how long a brute-force attack will take. It depends on a number of factors, including the strength of the password and the computational power available to the cybercriminal. But for a long time, security specialists felt that 90 days was short enough to &ldquo;beat&rdquo; any hacker trying to brute-force a hashed password – without being too inconvenient for the account owner, who is ultimately responsible for updating the password.</p> <h2 id="why-its-no-longer-required">Why it&rsquo;s no longer required</h2> <p>Mandatory password updates are always inconvenient. After all, nobody likes to be interrupted when they&rsquo;re trying to get to the bottom of their to-do list. When prompted to change a password, people rarely choose one that&rsquo;s strong and unique. Instead, they opt for something more memorable by either:</p> <ul> <li>Picking a new password that&rsquo;s obvious, like &ldquo;password123&rdquo;, or</li> <li>Choosing a password that&rsquo;s only slightly different to what they had before</li> </ul> <p>Common passwords are easy to memorize but also simple for a hacker to guess. As the <a href="https://pages.nist.gov/800-63-FAQ/#q-b05">National Institute of Standards and Technology (NIST) explains</a>, making minor changes to an old password isn&rsquo;t helpful either:</p> <blockquote> <p>&ldquo;This practice provides a false sense of security if any of the previous (passwords) have been compromised, since attackers can apply these same common transformations.&rdquo;</p> </blockquote> <p>Yes, the account owner has updated their password, but they&rsquo;ve changed it to something that isn&rsquo;t particularly secure. 
It&rsquo;s like changing the lock on your front door, but replacing it with something that any thief could lock-pick in five minutes.</p> <h2 id="the-cost-of-resetting-passwords">The cost of resetting passwords</h2> <p>Here&rsquo;s another problem: if you don&rsquo;t have a password manager, it&rsquo;s easy to lose track of your constantly-updating passwords. Many people start asking themselves: Does this service use the password I came up with a month ago? Or the one before? Or the one before that?</p> <p>Some people write their passwords down to solve this problem. Or they make some incorrect guesses and ultimately have to ask their IT department for a password reset.</p> <p>According to Gartner Group, <a href="https://www.okta.com/blog/2019/08/how-much-are-password-resets-costing-your-company/">between 20% and 50% of all IT help desk calls are for password resets</a>. That&rsquo;s a lot of time that could be better spent on other projects. And as the age-old saying goes, time is money. Forrester Research estimates that <a href="https://www.onelogin.com/blog/is-password-reset-the-pebble-in-your-businesses-shoe">the labor cost of a single password reset is $70</a>. Now multiply that figure by the number of people who are likely to forget their password if they&rsquo;re forced to pick a new one every 90 days. Yeah, it’s an expensive issue.</p> <p>There&rsquo;s one more problem with password resets: once they’ve regained access, the account owner has to come up with <em>another</em> new password, which restarts the cycle and only makes it harder for them to remember which account is protected by which password.</p> <h2 id="what-you-should-do-instead">What you should do instead</h2> <p>The best way to protect yourself is with strong, unique passwords. 
These are difficult for cybercriminals to crack, and therefore don&rsquo;t need to be updated every 90 days.</p> <p>You only need to update them if they show up in a leak, or if you discover that the company, platform, or service guarding them has been compromised. Visit <a href="https://haveibeenpwned.com/">Have I Been Pwned</a> to quickly discover if any of your credentials need changing. If you&rsquo;re using 1Password, <a href="https://watchtower.1password.com/">Watchtower will check on your behalf</a> and notify you whenever there&rsquo;s a problem.</p> <p>Here <a href="https://1password.com/resources/9-principles-for-a-better-company-password-policy/">are some tips for creating strong and unique passwords</a>:</p> <ul> <li> <p><strong>Don&rsquo;t use common passwords.</strong> That includes “123456”, “qwerty”, and “password”. Don&rsquo;t use common modifiers, either, like adding your date of birth to the end of an already-obvious password.</p> </li> <li> <p><strong>Make your passwords fairly long.</strong> The longer the password, the harder it is for a cybercriminal to guess or crack with a brute-force attack.</p> </li> <li> <p><strong>Don&rsquo;t worry too much about numbers and symbols.</strong> Special characters add to a password&rsquo;s complexity, but they&rsquo;re not essential. You can achieve a similar or greater level of complexity <a href="https://blog.1password.com/how-long-should-my-passwords-be/">by extending the length of the password instead</a>.</p> </li> <li> <p><strong>Use passphrases.</strong> These are created by combining a handful of real but unrelated words, like “ball-orange-moon-car.” As long as each word is random, the complete phrase will be difficult for an attacker to crack but easier for you to remember than a typical password that’s strong and complex.</p> </li> </ul> <p>Our <a href="https://1password.com/password-generator/">free password generator</a> can help you create passwords that meet all of these criteria. 
If you want to add another level of security, you could also <a href="https://blog.1password.com/when-to-use-random-usernames-online/">use a unique, randomly generated username</a> for each account.</p> <p>But how do you remember all of this information? <a href="https://1password.com/pricing/">That&rsquo;s where 1Password comes in</a>. Our app not only generates strong passwords as you need them, but also remembers and auto-fills them on your behalf. It can even serve as an authenticator for sites with two-factor authentication (2FA), adding an extra layer of security to your accounts.</p> <h2 id="the-waiting-game">The waiting game</h2> <p>It might be a while before every company drops their password expiration policy. If yours hasn&rsquo;t yet – don&rsquo;t worry. With a password manager like 1Password, you can quickly create strong and unique passwords every time you&rsquo;re prompted to update an old one. You also have a secure place to store them and a full password history in case you ever need to check what you&rsquo;ve chosen before.</p> <p>No stress. No slowing down. And you&rsquo;ll never have to ask your IT department to reset one of your passwords again. Bliss. 1Password is the easiest way to comply with the &lsquo;90-day&rsquo; rule while you wait for your employer to realize the truth: mandatory password changes are no longer necessary, and should be replaced with a policy that simply demands strong, unique passwords.</p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Secure your business without slowing it down</h3> <p class="c-call-to-action-box__text"> The 1Password Teams Starter Pack makes it easy for 10 people to create and use strong passwords at work. And all for one flat monthly price. 
</p> <a href="https://1password.com/business-pricing/?utm_ref=blog" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Try free for 14 days </a> </div> </section></description></item><item><title>Small Talk: putting data privacy at the forefront with your customers</title><link>https://blog.1password.com/small-talk-customer-data-privacy/</link><pubDate>Fri, 11 Feb 2022 00:00:00 +0000</pubDate><author>info@1password.com (Andrew Zangre)</author><guid>https://blog.1password.com/small-talk-customer-data-privacy/</guid><description> <img src='https://blog.1password.com/posts/2022/small-talk-customer-data-privacy/header.png' class='webfeedsFeaturedVisual' alt='Small Talk: putting data privacy at the forefront with your customers' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Conversations about consumer data privacy grow louder each year, with the news headlines to match. Trust in the technology sector is <a href="https://venturebeat.com/2021/04/13/latest-edelman-survey-rates-trust-in-tech-at-a-21-year-low/">now at an all-time low</a> and customers are increasingly concerned about the <a href="https://www.fastcompany.com/90666500/kpmg-privacy-study">privacy of their personal information</a>. It’s become a serious topic that all business owners need to follow, not just security specialists and tech bloggers.</p> <p>For small businesses, there’s some good news: Customers are <a href="https://www.forbes.com/sites/pamdanziger/2021/06/06/brand-trust-is-built-on-the-cause-consumers-care-most-about-themselves/?sh=27f357e75f32">more likely to trust you than the larger brands</a>, according to a 2021 study by the Kearny Consumer Institute. But remember that trust needs to be earned. As more data is collected, both inside and outside of tech, privacy efforts are now critical – both ethically and legally. 
No matter your size, it’s never been more important to treat personal data with the respect it deserves. This includes data from paid customers as well as those who simply visit your website or sign up for your newsletter.</p> <p>Even the most trusted companies can be <a href="https://www.techrepublic.com/article/facebook-data-privacy-scandal-a-cheat-sheet/">careless with customer data</a>. It’s not just internal mishandling; businesses often forget that data becomes vulnerable to outside attack the moment it’s collected. You need to be intentional with personal data, regularly review your processes, and always be aware of the changing legal landscape. This involves the information you collect, how you collect it, and how you keep it secure.</p> <h2 id="review-the-laws-and-get-the-right-people-involved">Review the laws and get the right people involved</h2> <p>Consumer privacy laws are being created and updated all the time. It’s on you – and your company’s legal counsel, if you have one – to stay on top of these rules and make necessary adjustments to your tools and workflows.</p> <p>“A great deal of this is new territory and the rules are still being written,” says Lars Olsson, Senior Security Specialist at 1Password. “There’s a growing realization that privacy is a fundamental right, and how it gets discussed and thought about directly affects what we as individuals can expect out of all the technology we use.”</p> <p>Your company leadership and designated security specialists should review current laws that might apply to your business, while keeping up to date with new developments. If you’re new to data privacy, <a href="https://gdpr-info.eu/">GDPR</a> and <a href="https://oag.ca.gov/privacy/ccpa">CCPA</a> are the most well-known pieces of legislation, both of which went into effect in 2018. 
Laws are still emerging, though, at the country and state level.</p> <p>You can track current privacy legislation on these websites:</p> <ul> <li><a href="https://unctad.org/page/data-protection-and-privacy-legislation-worldwide">UNCTAD</a> (by country)</li> <li><a href="https://iapp.org/resources/article/us-state-privacy-legislation-tracker/">IAPP</a> (by U.S. state)</li> </ul> <p>Data privacy laws will impact all aspects of your business, from HR documentation to your company website. If you have an IT team, work closely with them to understand how data is collected and used across the organization, so you can adjust and clearly explain your processes. If you need any assistance or advice, you should also consider hiring a data collection specialist or data privacy lawyer.</p> <p>Once your budget and headcount allow it, you should think about hiring a dedicated, in-house specialist to cover security and consumer privacy issues. If it’s not within your budget, the next best thing is to train an existing employee on the basics. That way, if questions arise – either from employees or customers/visitors – someone’s ready to answer them.</p> <h2 id="steps-you-can-take-to-be-a-privacy-first-business">Steps you can take to be a privacy-first business</h2> <p>Once you’re familiar with privacy laws, you can make informed choices about how your small business should be operating. Here are some steps that 1Password’s Security team recommends:</p> <p><strong>1. Leverage existing tools that emphasize security</strong>, especially if you can’t hire a dedicated security/privacy team. For example, paid email services for employees may have a more vested interest in blocking malware and making sure inboxes are as safe as they can be. It’s worth your time to research the security histories of apps and service vendors you do business with, especially if your sensitive data will be shared with them.</p> <p><strong>2. 
Write a privacy policy</strong> and post it prominently <a href="https://1password.com/legal/privacy/">on your website</a>. Then link to it wherever it makes sense to do so. Most companies link to it in the footer of their site, alongside the terms of service. Visitors won’t often read your policy, but they’ll appreciate that it’s there, just in case they have any questions or concerns. And for those who do read it, it’s even more reassuring if you’re straightforward about what data you do and don’t collect, and what you do with that data.</p> <p>Don’t write your policy with dry, lawyerly language. Instead, use a friendly tone of voice and explanations that everyone will be able to understand. If you haven’t written one before, <a href="https://www.bbb.org/article/news-releases/21390-bbb-tip-writing-an-effective-privacy-policy-for-your-small-business-website">check out this guide</a> and collaborate with an attorney or privacy expert to get it just right. You can also use reputable privacy policy templates from the web as a starting point.</p> <p><strong>3. Always ask for consent when collecting Personally Identifiable Information (PII)</strong> from customers or website visitors, such as home addresses or credit card numbers. And never use it for purposes other than what you explain in your privacy policy.</p> <p><strong>4. Create an internal <a href="https://1password.com/resources/creating-a-culture-of-security/?utm_ref=resources">culture of privacy</a> within your team</strong>. Incorporate data privacy protocols into training and everyday workflows so that employees start to protect data privacy by default, and the common understanding becomes “this is standard practice.”</p> <p><strong>5. Minimize data collection and retention</strong>. If you don’t strictly need it, don’t collect it. And only keep it as long as you need it – “forever” isn’t a good answer.</p> <p><strong>6. 
Protect the data you do collect</strong> by properly securing company databases, especially those with customer and visitor data. There are free resources on the internet to help you learn more (for example, <a href="https://owasp.org/">OWASP</a>), but if you don’t have the time or inclination, hire a consultant to help.</p> <h2 id="get-your-staff-aligned-with-your-privacy-policy">Get your staff aligned with your privacy policy</h2> <p>New policies are pointless if nobody follows them. Comprehension and accountability across the entire workforce will ensure that consumer privacy is a core value, not just a marketing slogan.</p> <p>Plan some employee education around privacy laws and your company’s privacy policy. Make it part of your onboarding and reinforce it with regular reminders and training sessions. The latter should be tailored to each employee’s role – how they’ll personally engage with customer data and how to best use their tools with security in mind.</p> <p>Mistakes are inevitable. An employee might share private data over a Slack channel, for example. These are learning opportunities for your team. <a href="https://blog.1password.com/why-security-scare-tactics-dont-work/">Avoid using scare tactics</a>, and thank employees when they come forward and report a mistake they’ve made. Foster a culture of privacy and hire employees who can be active, respectful contributors. The <a href="https://blog.1password.com/small-talk-security-considerations/">principle of least privilege</a> will also help by minimizing who has access to what.</p> <p>If an employee does intentionally abuse customer or visitor data (for example, steals it, sells it, or manipulates it), you may need to take stronger disciplinary action. 
Upon review, determine the intent and severity of the incident and work with HR on the best path forward, while ensuring the data is restored and customers are kept safe.</p> <h2 id="transparency-goes-a-long-way">Transparency goes a long way</h2> <p>As you grow your business, you should have nothing to hide when it comes to your data practices. Nurture a transparent relationship with your customers and visitors so your success is built on a sturdy foundation of trust. Then continue to invest in that trust, just like you would with your product or workforce.</p> <p>With your privacy policy out in the open, you’ll need to routinely ensure that it’s accurate and honest. Review and update policies at least annually to keep them current with regulations and any company or process changes.</p> <p>“When changes are made to business practices that affect privacy, that should remind someone to change the policy as needed,” says Olsson. “The thing to avoid is having what you do be at odds with what you say you do, when it comes to privacy and customer data.”</p> <p>Don’t forget to prepare your customer support team for any privacy-related conversations with customers. This can involve a direct line to security specialists or a comprehensive reference guide on compliance and your company’s processes. This way, they can confidently answer questions or concerns so trust never takes a backseat to your company’s growth. You could even put together a data privacy FAQ or other resource on your website.</p> <p>“Be the company that, even as a small business, has obviously thought about – and cares about – not just their customers’ business, but also their privacy,” says Olsson. “These different steps add up to a feeling of trust among your website visitors and potential customers. 
And visitors who feel you’re trustworthy are more likely to become customers.”</p> <h2 id="protect-your-business-protect-your-customers">Protect your business, protect your customers</h2> <p>For today’s small businesses, collecting data is just part of the job. And any you collect, you’ll need to keep safe. Even customer information you collect and use ethically can be at risk if your company is breached. It’s crucial that employees know their role in protecting company information and, by extension, your customers.</p> <p>Mindful online habits are the first line of defense, since <a href="https://www.verizon.com/business/resources/reports/dbir/">most data breaches involve a human element</a> like weak or reused passwords. A <a href="https://1password.com/resources/get-serious-about-enterprise-password-management/?utm_ref=resources">password manager like 1Password</a> helps employees create strong, unique passwords for every account they use while keeping these passwords safe from unwanted access. Closing this security gap will minimize the chance of a cyber attack and, by extension, any leak of customer data.</p> <p>It’s a scary time for customers, with data as a new currency of sorts and everyone out to get it. Be respectful. Be honest. Stay alert. Earn the trust of your customers, and it will only grow stronger over time.</p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">The ultimate guide to small business security</h3> <p class="c-call-to-action-box__text"> Cybersecurity is more crucial than ever. Learn the steps you can take today to protect your organization's data. 
</p> <a href="https://1password.com/resources/ultimate-guide-to-securing-your-small-business/" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Download the guide </a> </div> </section></description></item><item><title>Secure yourself with our digital declutter checklist</title><link>https://blog.1password.com/secure-yourself-digital-declutter-checklist/</link><pubDate>Thu, 10 Feb 2022 00:00:00 +0000</pubDate><author>info@1password.com (Stacey Harris)</author><guid>https://blog.1password.com/secure-yourself-digital-declutter-checklist/</guid><description> <img src='https://blog.1password.com/posts/2022/secure-yourself-digital-declutter-checklist/header.svg' class='webfeedsFeaturedVisual' alt='Secure yourself with our digital declutter checklist' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">A digital declutter helps you organize your life and has the added bonus of reducing your vulnerability to common threats. But knowing where to begin can be hard – most of us leave a larger <a href="https://blog.1password.com/clean-up-digital-footprint/">digital footprint</a> than we realize. 
We’ve created a checklist to help you clear away the clutter and reap the rewards of a clean digital state.</p> <p>We recently covered the benefits of a digital declutter on our podcast, <a href="https://randombutmemorable.simplecast.com">Random But Memorable</a>, so you can have a listen to that as well (skip ahead to 23:16 to jump right into the decluttering discussion).</p> <div class="c-simplecast-embed"> <iframe class="c-simplecast-embed__iframe" title="1Password Random but Memorable Podcast" width="100%" frameborder="no" scrolling="no" seamless src="https://player.simplecast.com/f2c16dbf-93df-43cd-ba05-5c6929b5ebb6?dark=false"></iframe> </div> <p>Read on for our top tips for tackling your digital clutter.</p> <h2 id="the-benefits-of-a-digital-declutter">The benefits of a digital declutter</h2> <p>Spotting online threats isn’t always easy – after all, their job is to deceive you. But, with a healthy polish of your online presence, you can reduce the likelihood of falling victim to a cyberattack. Here are a few hazards a digital declutter could help prevent:</p> <ul> <li><strong><a href="https://blog.1password.com/data-breach-101-stay-safe-online/">Data breaches</a>:</strong> By deleting old accounts or shoring up your account security with two-factor authentication, you lower the risk of breaches compromising your information.</li> <li><strong><a href="https://blog.1password.com/what-is-phishing-and-how-can-you-protect-your-business/">Phishing</a>:</strong> If you clean up your email inbox, you get a better view of incoming emails – so when something phishy does make it into your inbox, it’s easier to spot.</li> <li><strong><a href="https://blog.1password.com/family-scam-safety/">Hacks</a>:</strong> Every browser plugin/app/service you use increases what we call your “attack surface” – the number of ways a criminal can try to get at your data. 
By removing unneeded extensions and applications, you reduce your exposure risk.</li> </ul> <p>Unlike physical objects, there is virtually no limit to the amount of digital ‘stuff’ you can accumulate. This can be quite overwhelming, so we’re breaking down some of the ways you can tackle your clutter. You don’t have to restructure your whole digital life all at once, though a digital declutter over time is likely to be more successful and less exhausting.</p> <h2 id="1-organize-your-devices">1. Organize your devices</h2> <p>Got half a dozen devices on the go at any given time? Phone, watch, tablet, laptop, TV, external storage, fridge – with so many devices, it’s hard to stay on top of the clutter that accumulates over time. A good place to start is making a list of all your devices, and then systematically complete the following actions for each device:</p> <p>☑️ Delete apps and uninstall programs you don’t use anymore.<br> ☑️ Make sure your device has the most recent software updates installed.<br> ☑️ Turn on automatic updates.<br> ☑️ Audit permissions on mobile apps, and on websites.<br> ☑️ Remove optional device features that are often auto-installed.</p> <p>Pro tip: If you have old devices that no longer receive security updates, consider installing Linux, if possible, so you can continue to receive security patches.</p> <p>And lastly, if you have old devices you are no longer using, it&rsquo;s time to fully reset them before donating them to a good cause or safely disposing of them. The key is to get your devices in a healthy, functional state – then keep them that way. Just think of how much faster they’ll run after a declutter!</p> <h2 id="2-review-your-web-browser">2. Review your web browser</h2> <p>It can be easy to forget that web browsers do more than just serve as a gateway to your favorite websites. No matter which web browser you use, there’s a definite security and privacy benefit to reviewing your settings periodically. 
Here are the best ways to adjust your browser settings to make sure the time you spend online is safe, secure, and private.</p> <p>☑️ Set a reminder to clear your cookies and browsing history on a regular basis.<br> ☑️ Review extensions or plug-ins you use and delete any you don’t need anymore.<br> ☑️ Use HTTPS/secure connections whenever possible.<br> ☑️ Enable DNS over HTTPS if available.<br> ☑️ Download more than one browser and use them for different tasks relative to privacy – for example use one browser for work, and another for personal time.</p> <p>Hot tip: Most of us give permission for apps to plug into our Twitter and Facebook accounts from time to time. It&rsquo;s a good idea to clear those out every so often, or at least pare them back to the essentials.</p> <h2 id="3-clean-up-your-email">3. Clean up your email</h2> <p>There’s no denying there is some level of stress associated with unread emails. So finding a way to reduce the amount of incoming emails, or how you’re handling email in general, can help remove the mental burden that email can often take up in your mind. Not to mention it’s actually a great way to reduce your exposure to phishing attacks. It’s what we like to call a win-win situation.</p> <p>☑️ Delete old emails, or if you don’t have time, just archive them all – you retain access to them, but you get to start at inbox zero, giving you the time to reset your email rules as new emails come in on a daily basis.<br> ☑️ Set up a system to handle new emails as they come in.<br> ☑️ Unsubscribe from mailing lists you no longer care about.</p> <h2 id="4-delete-old-accounts">4. 
Delete old accounts</h2> <p>We’ve <a href="https://blog.1password.com/ghosts-passwords-past/">previously talked about the risks that old, unused accounts present</a>, so here’s our gentle reminder that a digital declutter isn’t complete without a review of your past.</p> <p>☑️ Delete accounts you no longer use (you can do this by going through wherever you store your passwords and shutting down accounts you no longer use).<br> ☑️ Remove sensitive information (like credit card numbers, date of birth, etc.) from accounts you’re unable to delete but no longer actively use.</p> <h2 id="5-organize-your-1password-account">5. Organize your 1Password account</h2> <p>And, of course, a healthy clean-up of your 1Password account will make sure that accessing your information is seamless.</p> <p>☑️ <a href="https://support.1password.com/1password-com-items/">Archive old logins</a> (you can always restore if you need them).<br> ☑️ <a href="https://support.1password.com/favorites-tags/">Use tags to group related items together</a> (e.g. health, finance, gaming, etc.).<br> ☑️ <a href="https://support.1password.com/favorites-tags/">Star favorite logins so they’re easier to access</a>.<br> ☑️ <a href="https://support.1password.com/watchtower/">Identify items that offer 2FA, and then update accordingly</a>.<br> ☑️ <a href="https://support.1password.com/watchtower/">Use Watchtower to find duplicate passwords</a>.<br> ☑️ <a href="https://support.1password.com/watchtower/">Check Watchtower for any compromised passwords</a>.</p> <p>And that’s it. 
If you do a little bit of work on this each day, in no time you should reduce the amount of digital clutter you have – and by proxy, reduce your exposure to online threats.</p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Listen to Random But Memorable</h3> <p class="c-call-to-action-box__text"> Subscribe to our podcast to hear the latest security news, tips and advice to up your privacy game, as well as guest interviews with leaders from the security community. </p> <a href="https://randombutmemorable.simplecast.com/" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Listen to the podcast </a> </div> </section></description></item><item><title>Hacking 101: What is social engineering?</title><link>https://blog.1password.com/what-is-social-engineering-hacking-101/</link><pubDate>Fri, 04 Feb 2022 00:00:00 +0000</pubDate><author>info@1password.com (Emily Chioconi)</author><guid>https://blog.1password.com/what-is-social-engineering-hacking-101/</guid><description> <img src='https://blog.1password.com/posts/2022/what-is-social-engineering/header.svg' class='webfeedsFeaturedVisual' alt='Hacking 101: What is social engineering?' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">For the average person, “traditional hacking” isn’t really an ever-present threat. It’s unlikely that a hacker will ever try to track you down, steal one of your devices, and bypass whatever you&rsquo;ve set up to protect your personal data. Social engineering, on the other hand, is an increasingly common security threat that you&rsquo;ve probably encountered many, many times before.</p> <p>Ever gotten a suspicious email claiming to be from a well-known company? A robotic voicemail asking for your information? Most of us have. 
While it might just seem like a nuisance you can ignore, social engineering is a very real threat you need to be prepared for.</p> <p>We’ve all been there. You get a ridiculous-looking email full of typos claiming to be from a service you don’t even use, asking you to log in and share your information. It might seem impossible that anyone could fall for such a blatant scam, but don’t let the obvious tricks lull you into a false sense of security. Social engineering techniques are always evolving, and because they involve a human element, we’re all susceptible to making a mistake.</p> <h2 id="what-is-a-social-engineering-attack">What is a social engineering attack?</h2> <p>Social engineering manipulates people into sharing sensitive data, like logins and payment information, usually via some form of technology. This technique doesn&rsquo;t require a supercomputer or fancy algorithms to crack a person&rsquo;s password. Instead, the attacker focuses on tricking the target – usually by posing as someone trustworthy – into handing over their private information. By leveraging human psychology and behavior, an attacker can capitalize on emotions like fear, trust, and anxiety and exploit human error to deceive victims.</p> <h2 id="common-methods-used-in-social-engineering">Common methods used in social engineering</h2> <p>It’s essential to know the most common techniques and telltale signs of social engineering attacks. When you know what to expect, it’s easier to spot these common methods and pause for a moment before taking any action that could compromise your data.</p> <ul> <li> <p><strong>Phishing:</strong> Phishing is a social engineering attack that involves sending fraudulent communications, usually emails, to trick the recipient into sharing sensitive data or information. 
The technique is so prevalent that we now have terms for different types of phishing:</p> <ul> <li><strong>Vishing:</strong> Voice phishing via phone calls, often asking you for private information.</li> <li><strong>Smishing:</strong> SMS or <a href="https://blog.1password.com/sms-phishing-tale/">text message phishing</a> containing malicious links.</li> <li><strong>Spear phishing:</strong> Spear phishing targets and tailors the attack to a specific person or company.</li> <li><strong>Whale phishing:</strong> Whale phishing specifically targets high-profile employees or “big fish,” like CEOs, to get sensitive data.</li> <li><strong>Angler phishing:</strong> Angler phishing is a newer form of social engineering targeting social media users. The attacker pretends to be a customer service agent reaching out to customers in order to gain access to data like account credentials.</li> </ul> </li> <li> <p><strong>Pretexting:</strong> Pretexting is a type of social engineering attack where a hacker will create a situation or pretext, like pretending to be a customer service rep from the bank, in order to trick the victim into sharing sensitive information.</p> </li> <li> <p><strong>Baiting:</strong> Baiting occurs when an attacker leaves behind a device, like a USB stick, to be found somewhere. It’s designed to install malware and other malicious files when the target inserts it into their computer.</p> </li> <li> <p><strong>Tailgating or piggybacking:</strong> This social engineering technique happens when an attacker physically follows someone with access into a place they are not supposed to be. This could be as simple as holding the door open for someone at the office.</p> </li> <li> <p><strong>Quid pro quo:</strong> With a quid pro quo attack, the social engineer will pretend to provide something, usually a service, in exchange for the target&rsquo;s help or data. 
For example, an attacker may call a victim pretending to be from the IT department to gain access to their computer.</p> </li> <li> <p><strong>Scareware:</strong> Scareware is a type of malware meant to scare you into taking some kind of quick action, like immediately downloading software to remove a fake virus from your computer.</p> </li> <li> <p><strong>Honey trap:</strong> In a honey trap, the attacker will act as though they are sexually or romantically interested in the victim in order to access data or money.</p> </li> <li> <p><strong>Water holing:</strong> Water holing takes advantage of the trust we give to sites we regularly visit. An attacker can look for vulnerabilities and infect a site with malware or recreate incredibly similar versions of the legitimate website to redirect victims to. This can lead to targets inadvertently downloading malware or ransomware, sharing personal information, or being targeted for subsequent <a href="https://blog.1password.com/what-is-phishing-and-how-can-you-protect-your-business/#how-to-protect-yourself-from-phishing">phishing attacks</a>. Water holing attacks are common in cases of large-scale <a href="https://blog.1password.com/data-breach-101-stay-safe-online/">data breaches</a> of well-known organizations.</p> </li> </ul> <h2 id="what-is-the-difference-between-social-engineering-and-reverse-social-engineering">What is the difference between social engineering and reverse social engineering?</h2> <p>You may have seen the term “reverse social engineering” popping up lately. Reverse social engineering is a perfect example of the way hackers can adapt and evolve their techniques to cast a wider net and reach more victims.</p> <p>While many traditional social engineering attacks involve the attacker approaching the target, with reverse social engineering, the victim is meant to unknowingly approach the attacker, usually for assistance. 
For example, an attacker might pose as a support agent from a utility company or bank on social media. When the victim contacts the “support agent” for a customer service issue, the attacker can gain access to account details, payment information, and passwords under the guise of providing customer support.</p> <h2 id="how-to-protect-yourself-from-social-engineering-attacks">How to protect yourself from social engineering attacks</h2> <p>Being aware and educated about different types of social engineering methods is a large part of preventing attacks, but you can bolster your security further with a few more steps:</p> <ol> <li><strong>Stay in the loop.</strong> Hackers are always coming up with different ways to use existing social engineering methods or inventing new attacks. Stay up to date with common techniques and how they may be evolving. Subscribe to newsletters or podcasts, follow your favorite sources on social media, or set up Google alerts that will keep you caught up on online security.</li> <li><strong>Slow down and assess.</strong> If you’re being targeted, regardless of the social engineering technique being used, there’s nothing stopping you from pausing for a moment to assess the situation. Do you recognize the text message sender? Would your bank ever ask you for private information over email? Does it sound too good to be true? There’s no harm in doing a little bit of research on the source, like calling a company to confirm details or typing a phone number into your preferred search engine. Follow your gut – if it turns out to be legitimate, you only spent a few extra minutes being safe.</li> <li><strong>Keep everything updated.</strong> From your devices to your software, do your best to keep everything up to date. 
If automatic updates are an option, turn them on.</li> <li><strong>Turn on two-factor authentication.</strong> If you’re given the option, turn on two-factor authentication (2FA) to add a second layer of security to your accounts, on top of your usual login details. This extra verification method means that even in the worst case scenario, if a social engineering attack is successful and someone else has your password, it’ll be much harder for them to gain access to your sensitive data.</li> </ol> <h2 id="protect-yourself-by-using-a-password-manager">Protect yourself by using a password manager</h2> <p>The final step is to <a href="https://1password.com/business-pricing/?utm_ref=blog">use a password manager like 1Password</a>. Along with the convenience of creating strong passwords and letting you log in to sites with a single click, a <a href="https://1password.com/password-manager/">password manager</a> will add another layer of security to protect you from social engineering and other cybercrimes.</p> <p>For example, most password managers will save the website URL alongside your username and password so it knows when to <a href="https://1password.com/features/autofill/">autofill</a> your credentials. If you inadvertently visited a website targeted for a water holing attack, you’d immediately notice that your password manager wasn’t offering to autofill your username and password. Taking a closer look at the website URL, you’d realize that you were on a fake site, preventing your data from being compromised.</p> <p>In addition, using a password manager like 1Password helps you know where you can enable two-factor authentication, notifies you if any of your passwords have appeared in a data breach, and alerts you to weak or reused passwords. 1Password Watchtower also alerts you to security problems with the websites you use so you can keep all your accounts safe.</p> <p>Remember that anyone can fall victim to a social engineering attack. 
Human brains will always be susceptible to manipulation, no matter how smart or tech savvy you are. But if you stay alert, educate yourself on common tactics, and embrace the right tools, you can spot scams and stay safe online.</p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Ready to protect yourself?</h3> <p class="c-call-to-action-box__text"> Keep all of your accounts secure with 1Password, the world’s most-trusted password manager. Get started today with a free 14-day trial. </p> <a href="https://1password.com/business-pricing/?utm_ref=blog" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Try free for 14 days </a> </div> </section></description></item><item><title>Secure online payments and grow your business with Brex and 1Password</title><link>https://blog.1password.com/brex-1password/</link><pubDate>Tue, 25 Jan 2022 00:00:00 +0000</pubDate><author>info@1password.com (Andrew Beyer)</author><guid>https://blog.1password.com/brex-1password/</guid><description> <img src='https://blog.1password.com/posts/2022/brex-integration/header.png' class='webfeedsFeaturedVisual' alt='Secure online payments and grow your business with Brex and 1Password' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Brex and 1Password have partnered to make online payments secure and frictionless. 
1Password customers can now use Brex virtual credit cards to check out online with just two clicks.</p> <p><a href="https://www.brex.com/">Brex</a> is a powerful financial stack designed to serve the next generation of growing businesses, and now that power is accessible through 1Password in the browser.</p> <div style="text-align: center !important;"> <iframe src="https://www.youtube-nocookie.com/embed/4F7MUfrDwhY" frameborder="0" allow="autoplay; encrypted-media" width="500px !important;" height="281px !important;" style="width: 500px !important; height: 281px !important; display: inline-block !important" allowfullscreen></iframe> </div> <p>Growing businesses choose Brex because their all-in-one platform of financial software, services, and products makes it easy to control corporate spending and manage runway in one place. 1Password <a href="https://1password.com/teams/">Teams</a> and <a href="https://1password.com/business/">Business</a> customers can now connect their Brex account to 1Password for frictionless, secure online payments in just two clicks.</p> <p>With the new integration, Brex customers can <a href="https://1password.com/features/autofill/">autofill</a> their Brex corporate and vendor card information while checking out anywhere on the web – right from 1Password in the browser. Brex admins can also create and fill vendor cards during checkout.</p> <h2 id="how-to-simplify-and-secure-online-payments-with-brex-and-1password">How to simplify and secure online payments with Brex and 1Password</h2> <p>Imagine you&rsquo;re the owner of a growing business – perhaps a flourishing crypto/fintech startup called Block &amp; Key 🔑. You&rsquo;ve just raised your series A round and need to unblock employee spending while ensuring investor funds are spent securely.</p> <p>And you&rsquo;re a 1Password customer because you <a href="https://blog.1password.com/small-talk-cyberattacks/">know how important it is to protect your business and your workers online</a>. 
Naturally, you want to combine the convenience of both platforms to make secure online payments simple. <img src="https://blog.1password.com/posts/2022/brex-integration/Connect1PasswordwithBrex.png" alt="Connect 1Password with Brex" title="Connect 1Password with Brex" class="c-featured-image"/> </p> <p>Once your employees connect their Brex and 1Password accounts, a Brex vault is created in their 1Password account. They’ll then have access to their Brex <a href="https://www.brex.com/learn/fraud-security/how-virtual-credit-card-works/">corporate cards</a> (everyone) and <a href="https://www.brex.com/learn/cash-management/preventing-vendors-from-overcharging/">vendor cards</a> (admins only) through 1Password in the browser, which they can manage from their Brex dashboard. <img src="https://blog.1password.com/posts/2022/brex-integration/Brexautofillsuggestions.png" alt="Brex autofill suggestions" title="Brex autofill suggestions" class="c-featured-image"/> </p> <p>Those cards – and any updates made to them – are immediately available in your employees’ 1Password Brex vault. When they want to use one of those cards to buy the latest MacBook Pro, all they need to do is add the items to their cart on the supplier website and click into the relevant credit card field. 1Password will display all their available Brex cards and autofill the information for the card they select.</p> <p>Brex virtual cards can be created, stored, and used for payment anywhere on the web.</p> <h2 id="the-admin-experience">The admin experience</h2> <p>As a founder, controlling corporate spending is the surest way to preserve runway early on – but you also know employee productivity is critical to building your product. As a Brex admin, you can create virtual cards with pre-set spending limits when a new engineer joins the team, so your new team members can purchase the gear they need responsibly. 
Your admin privileges also give you the ability to create vendor cards for yourself at checkout, right from 1Password in the browser. When you do, you’ll see options for setting a spending limit, locking the card after a period of time, and documenting a reason for the card creation. <img src="https://blog.1password.com/posts/2022/brex-integration/CreateBrexvendorcard.png" alt="Create Brex vendor card" title="Create Brex vendor card" class="c-featured-image"/> </p> <p>The cards stored in your Brex account are automatically kept in sync with your Brex vault in 1Password, so they&rsquo;re always up to date. Your employees will never have to worry about using out-of-date or terminated cards during checkout.</p> <h2 id="exclusive-offer-for-new-customers">Exclusive offer for new customers</h2> <p>As a business owner, you can never have too much control over business spend – and now that control is at your fingertips wherever you browse the web. The new checkout experience is entirely frictionless (dare I say delightful?), which encourages employees to use corporate cards during checkout, giving you greater visibility into your overall financial health than ever before.</p> <p>As a thanks to our customers (fintech founders or otherwise 📈), <a href="https://www.brex.com/partners/1password/">1Password customers new to Brex will receive 35,000 rewards points when they sign up and spend $3,000</a> on their Brex card.</p> <p>And Brex customers new to 1Password will <a href="https://dashboard.brex.com/rewards?reward=1Password">receive a $100 credit on a 1Password Teams or Business account</a>.</p> <h2 id="the-power-of-brex-the-security-of-1password-the-convenience-of-both">The power of Brex. The security of 1Password. The convenience of both.</h2> <p>Growing businesses have enough on their plates. Let 1Password and Brex simplify finances and online security so you can focus on doing what you do best: innovating and growing your business. 
<a href="https://support.1password.com/brex/">1Password&rsquo;s integration with Brex is available right now</a> to 1Password Teams and Business customers based in the United States.</p> <h2 id="join-us-for-a-live-demo">Join us for a live demo</h2> <p>Want to see the new Brex integration in action? Join us for a hands-on demo on February 15 at 11 AM EST / 8AM PST to see for yourself how Brex and 1Password make online payments smart, simple, and secure.</p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Growing your business with 1Password and Brex</h3> <p class="c-call-to-action-box__text"> Register for a quick demo and live Q&A to see 1Password’s Brex integration in action on February 15 at 11AM EST. </p> <a href="https://1password.com/webinars" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Register now </a> </div> </section></description></item><item><title>Doing good in 2021 and beyond</title><link>https://blog.1password.com/doing-good-in-2021-and-beyond/</link><pubDate>Mon, 24 Jan 2022 00:00:00 +0000</pubDate><author>info@1password.com (Sara Teare)</author><guid>https://blog.1password.com/doing-good-in-2021-and-beyond/</guid></item><item><title>How single sign-on fits into your enterprise security framework</title><link>https://blog.1password.com/how-sso-fits-enterprise-security-framework/</link><pubDate>Fri, 21 Jan 2022 00:00:00 +0000</pubDate><author>info@1password.com (Rob Boone)</author><guid>https://blog.1password.com/how-sso-fits-enterprise-security-framework/</guid><description> <img src='https://blog.1password.com/posts/2022/how-sso-fits-enterprise-security-framework/header.svg' class='webfeedsFeaturedVisual' alt='How single sign-on fits into your enterprise security framework' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 
auto;' /> <p class="introduction">Single sign-on, or SSO, is a valuable addition to your enterprise security arsenal. It doesn’t protect against every threat, but it can reduce your attack surface, lower IT costs, and provide a better login experience for your employees.</p> <h2 id="what-is-sso">What is SSO?</h2> <p>Without <a href="https://1password.com/resources/guides/why-you-should-have-sso/">single sign-on</a>, employees typically create a unique login for each site and service they use at work. With SSO, employees sign onto their SSO platform with a single, strongly vetted identity. That single identity then gives them access to all the services within the SSO framework.</p> <p>Each SSO provider works a bit differently, but the basics are the same. Let’s use <a href="https://support.1password.com/scim-okta/">Okta</a> – a leader in enterprise SSO – as an example. Once deployed, employees can log into Okta to see a dashboard that lists all of the services they can access. They simply click the site or web app they want to launch from the list, and Okta launches the URL and logs them in automatically using SSO.</p> <p>That’s a very different experience from opening each site and entering login information manually. But this workflow has both upsides and downsides, as we&rsquo;ll see.</p> <h2 id="what-are-the-benefits-of-sso">What are the benefits of SSO?</h2> <p>SSO provides a wide range of benefits, from strengthening security to making it easier for employees to get their work done.</p> <ul> <li> <p>SSO reduces your attack surface. By consolidating the number of credentials employees need to keep track of, SSO reduces the number of entry points that IT needs to secure. More than 80 percent of hacking-related data breaches can be traced back to compromised credentials, <a href="https://www.verizon.com/business/resources/reports/dbir">according to Verizon&rsquo;s Data Breach Investigations Report</a>. 
The fewer the number of passwords in circulation, the better.</p> </li> <li> <p>SSO strengthens your minimum security requirements. With SSO, IT can focus on strengthening security at a single attack point. When they roll out a security policy for SSO, they enact that policy for all logins covered by that SSO framework. For example, they can require MFA for every service – all at once – with a single change to their SSO policy.</p> </li> <li> <p>SSO can reduce IT support costs. <a href="https://1password.com/resources/risks-of-mismanaging-corporate-secrets/">IT spends about 25 minutes per day, on average, handling password-related requests</a>. With fewer passwords in circulation, SSO can lighten that load.</p> </li> <li> <p>SSO provides a better experience for employees. Rather than opening up services individually, SSO makes signing in to multiple services easy, reducing the likelihood that employees will use weak or reused passwords.</p> </li> <li> <p>SSO provides a single source of truth. SSO creates a centralized directory of all employees in the company, which can dramatically simplify onboarding. With SSO, IT can configure different levels of access for different groups. Once new hires are placed in the proper group, they’ll inherit the policies of that group and get instant access to the services they&rsquo;ll need to do their job.</p> </li> </ul> <h2 id="how-does-sso-work">How does SSO work?</h2> <p>When you deploy SSO, you&rsquo;re delegating identity verification to your SSO provider. You can then use that strongly verified identity to apply various security policies on top of it. It’s a bit like gathering all your logins into a single castle, then building an alligator-filled moat around the castle.</p> <p>By delegating identity verification, you&rsquo;re not giving up control. 
Quite the opposite: with your SSO provider handling the verification process, your IT admins can focus on configuring the strength of that identity verification and adapting it to your needs.</p> <p>For example, you could configure identity verification to check for specific attributes. Perhaps the entire company works out of an office in New York City, and you want to ensure that anyone logging in via SSO is located in NYC. IT can do that by adding a geographic attribute to the identity verification process.</p> <p>Or, let’s say you use Lightweight Directory Access Protocol (LDAP) or Azure Active Directory (AAD) for employee directories. Your SSO provider may be able to check those directories to verify that someone is a member of a particular group during login.</p> <h2 id="sso-and-shadow-it">SSO and shadow IT</h2> <p>It&rsquo;s important to note that SSO doesn&rsquo;t solve all your security problems, just a subset of them. For instance, if a service isn&rsquo;t integrated into your SSO platform, employees can create an account on their own, bypassing SSO altogether. (And even if a site is supported by your SSO platform, employees can still create shadow accounts for that service.)</p> <p>This isn&rsquo;t a small problem. When employees create their own accounts outside of IT&rsquo;s purview, they leave behind a string of potential entry points for attackers that, by definition, are a blind spot for IT. These accounts are known as <a href="https://blog.1password.com/remote-work-shadow-it/">shadow IT</a>, and it&rsquo;s a widespread problem for security teams.</p> <p>In 2020, we found that a staggering <a href="https://blog.1password.com/challenges-of-shadow-it/">63.5% of workers had created at least one account in the previous 12 months that IT didn&rsquo;t know about</a>.</p> <p>Worse, a third of those who had created accounts reused memorable passwords. Just 2.6% created a unique password every time. 
It’s impossible for IT to know where these login credentials are stored. They may be in a spreadsheet in the cloud, or in plain text on a worker&rsquo;s phone. They&rsquo;re simply untraceable.</p> <h2 id="sso-and-password-managers">SSO and password managers</h2> <p>The average business user manages hundreds of passwords, and some won’t be accessible via your SSO provider.</p> <p>For those companies, <a href="https://1password.com/business/">an enterprise-ready password manager</a> makes it easy to generate strong, unique passwords. Like SSO, it&rsquo;s much more secure than trying to manage all those logins manually – and it’s more convenient than typing out dozens of passwords each day.</p> <p>If you&rsquo;ve installed 1Password in the browser, for example, you’ll see a suggested password when you create a new login. With a single click, you can save the new login to your 1Password account. The next time you visit that site, 1Password will automatically fill in the login details, including <a href="https://blog.1password.com/totp-for-1password-users/">time-based one-time passwords</a> (TOTP) for sites that support it.</p> <blockquote> <p><em>Enterprise password managers like 1Password also protect much more than passwords.</em></p> </blockquote> <p>Since all your login details are stored in your account, <a href="https://1password.com/password-manager/">password managers</a> make it virtually impossible to forget any of your credentials, which in turn reduces IT help desk tickets. As long as you remember your unique account password, you&rsquo;ll always have access to the sites and services you need to get things done.</p> <p><a href="https://1password.com/enterprise/">Enterprise password managers</a> like 1Password also protect much more than passwords. 
1Password makes <a href="https://blog.1password.com/risks-of-mismanaging-corporate-secrets/">secrets management</a> simple, whether those secrets are passwords, medical records, sensitive documents, or even the <a href="https://1password.com/products/secrets/">SSH keys and API tokens that developers use to gain access to digital infrastructure</a>.</p> <p>For these reasons, small businesses often start with a company-wide password manager and add in an SSO solution later. <a href="https://pages.bitglass.com/CD-FY19Q4theCloudAdoptionReportof2019_LP.html?&amp;utm_source=pr">64% of large firms utilize SSO, which is nearly 50% more than medium-sized companies, and more than twice that of small organizations</a>, according to cloud security firm Bitglass.</p> <h2 id="sso-and-password-managers-a-comprehensive-security-suite">SSO and password managers: a comprehensive security suite</h2> <p>The bottom line: SSO is an effective way for organizations to simplify the sign-in process and enforce blanket security protocols for everything within the SSO framework.</p> <p>For everything else, password managers eliminate the blind spots that shadow IT leaves in its wake and protect all of your sensitive information, whatever that may be.</p> <p><a href="https://blog.1password.com/1password-and-sso-a-perfect-match/">Together, SSO and password managers form a strong foundation</a> for any enterprise security framework.</p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Want to learn more?</h3> <p class="c-call-to-action-box__text"> Read our guide on the best ways to avoid a data breach. It explains how to build a culture of security and the benefits of using an enterprise password manager like 1Password. 
</p> <a href="https://1password.com/resources/how-to-avoid-a-data-breach/?utm_ref=blog" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Read the guide </a> </div> </section></description></item><item><title>Bringing human-centric security to everyone</title><link>https://blog.1password.com/future-of-1password/</link><pubDate>Wed, 19 Jan 2022 00:00:00 +0000</pubDate><author>info@1password.com (Jeff Shiner)</author><guid>https://blog.1password.com/future-of-1password/</guid><description> <img src='https://blog.1password.com/posts/2022/future-of-1password/header.svg' class='webfeedsFeaturedVisual' alt='Bringing human-centric security to everyone' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">As our online lives become subject to new and evolving threats, we&rsquo;re doubling down on protecting the digital privacy and peace of mind of everyday people – at home and at work.</p> <ul> <li>1Password has raised $620 million (USD) in the largest funding round ever for a Canadian company.</li> <li>Our latest round was led by <a href="https://www.iconiqcapital.com/growth">ICONIQ Growth</a>, with participation from other wonderful partners including <a href="https://www.accel.com/">Accel</a>, <a href="https://www.tigerglobal.com/">Tiger Global</a>, <a href="https://lsvp.com/">Lightspeed Venture Partners</a>, and <a href="https://www.backboneangels.com">Backbone Angels</a>.</li> </ul> <p>I&rsquo;m delighted to announce that 1Password has raised $620 million in our latest investment round that values our company at $6.8 billion. This moment represents a lot of hard work by a lot of amazing people.</p> <p>Most days, I find myself too busy to truly reflect on all we&rsquo;ve accomplished over the past 17 years. 
I think back to our tiny Macworld booth, or the weeks we’d spend at the Cupertino Inn working on our latest iOS or Mac release. It feels like yesterday that I was excited to cross the 100-employee threshold, yet here we are just a few years later approaching 600.</p> <img src='https://blog.1password.com/posts/2022/future-of-1password/macworld-2014.jpg' alt='The 1Password team at Macworld 2014.' title='The 1Password team at Macworld 2014.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <h2 id="continuing-to-invest-in-our-future--and-yours">Continuing to invest in our future – and yours</h2> <p>Admittedly, it seems peculiar for a consistently-profitable company to accept outside funding. But <a href="https://blog.1password.com/investing-in-our-future-again/">just like last time</a>, these partnerships make it possible for us to develop and scale human-centric security solutions for everyone.</p> <p>Technology moves quickly. For every benefit, there’s a new threat. And 1Password is now used by more people across more platforms than ever before. Simply keeping up would be challenging without the ability to ramp up our efforts quickly. 
But we don’t just want to keep up; our goal is to push the envelope and explore beyond the boundaries of traditional password management.</p> <p>With additional resources and advice from our investors, we’ve already accelerated our pace of development and brought powerful new capabilities to every 1Password customer – more quickly than we could have done on our own.</p> <p>Over the past year alone, we:</p> <ul> <li><strong>Launched <a href="https://blog.1password.com/psst-item-sharing/">Psst!</a></strong>, a simple and secure way to share anything you have stored inside 1Password with anyone – even if they aren&rsquo;t using 1Password yet.</li> <li><strong>Introduced the <a href="https://blog.1password.com/introducing-events-api/">Events API</a></strong>, allowing IT teams to better correlate their 1Password insights with other data sources.</li> <li><strong>Released <a href="https://blog.1password.com/1password-for-safari/">1Password for Safari</a></strong>, bringing the full power of our next-generation browser experience to customers using <a href="https://blog.1password.com/ready-for-macos-monterey/">macOS Monterey</a> and iOS 15.</li> <li><strong>Joined forces with SecretHub to make <a href="https://blog.1password.com/introducing-secrets-automation/">Secrets Automation</a></strong>, a new way for companies to secure, orchestrate, and manage their infrastructure secrets.</li> </ul> <p>We&rsquo;ve also partnered with companies that make 1Password even more useful:</p> <ul> <li><strong>Our <a href="https://blog.1password.com/fastmail-masked-email/">Fastmail integration</a></strong> allows you to create new, unique email addresses that keep your real email address private.</li> <li><strong>We introduced the <a href="https://blog.1password.com/save-in-1password-button-with-ramp/">&lsquo;Save in 1Password&rsquo; button</a></strong> through a partnership with Ramp, a platform that helps businesses manage expenses and corporate cards.</li> </ul> <p>This year also 
marked our long-awaited <a href="https://blog.1password.com/welcoming-linux-to-the-1password-family/">Linux debut</a>, which doubled as the premiere of <a href="https://1password.com/products/">1Password 8</a>, the next generation of our app. As we continued to gather feedback and refine the apps through our public Early Access program, we were able to launch <a href="https://blog.1password.com/1password-8-for-windows-is-here/">1Password 8 on Windows</a> too, providing a vastly improved experience.</p> <p>Soon, we&rsquo;ll be ready to take the Early Access label off <a href="https://blog.1password.com/1password-8-for-mac-is-now-in-early-access/">1Password 8 for Mac</a> as well, bringing us back home to our most cherished platform, where it all began.</p> <p>It would be a cliche to tell you that this is just the beginning…so I’ll show you instead. For a glimpse at where we’re going next, visit <a href="https://www.future.1password.com/">future.1password.com</a>.</p> <img src='https://blog.1password.com/posts/2022/future-of-1password/vision-preview.png' alt='Toward a simpler, safer life online' title='Toward a simpler, safer life online' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <h2 id="meet-our-new-friends">Meet our new friends</h2> <p>While we&rsquo;ve always had lofty ambitions, the remarkable growth we&rsquo;ve seen over the past two years in particular wouldn&rsquo;t have been possible without the guidance and support of our investment partners.</p> <p>For this latest funding round, it was important to us that our investors continue to be aligned with our values and culture. 
All of our partners understand the industry and share our philosophy of scaling sustainably.</p> <p>Over the past six months, 1Password’s founders, executive team, and I met with a number of promising investment firms, but we found ourselves gravitating toward <a href="https://www.linkedin.com/in/will-griffith-a51a9237">Will Griffith</a> and the wonderful folks at <a href="https://www.iconiqcapital.com/growth">ICONIQ</a>. We see eye to eye on many of the key ideas that inform our strategy, and have built a great relationship with the team through this process.</p> <p>That’s why we’ve invited Will to join our board of directors and look forward to plumbing the depths of his wisdom over the coming years.</p> <p>Alongside ICONIQ, we&rsquo;re fortunate to have a number of other partners participating in this round, including venture capital firms <a href="https://www.accel.com/">Accel</a>, <a href="https://www.tigerglobal.com/">Tiger Global</a>, <a href="https://lsvp.com/">Lightspeed Venture Partners</a>, <a href="https://salesforceventures.com/">Salesforce Ventures</a>, <a href="https://slack.com/fund">Slack Fund</a> and <a href="https://www.backboneangels.com">Backbone Angels</a>. They&rsquo;re joined by some of the brightest minds in business and entertainment, including corporate luminaries like <a href="https://www.linkedin.com/in/jeffweiner08/">Jeff Weiner</a>, <a href="https://www.linkedin.com/in/mary-barra/">Mary Barra</a>, and <a href="https://twitter.com/RobertIger">Bob Iger</a>, along with cultural icons including Ryan Reynolds, Scarlett Johansson, Pharrell Williams, and Rita Wilson to name just a few.</p> <p>I find it surreal that such an incredible group of people have chosen to become a part of our community. 
Their confidence in what we’re doing reminds me just how crucial our work has become.</p> <h2 id="the-changing-landscape-of-security">The changing landscape of security</h2> <p>Over the past few years, we’ve experienced more threats to our digital lives: data breaches, ransomware attacks, and identity theft are all on the rise. Data privacy is more difficult to maintain than it’s ever been. It&rsquo;s clear that to protect our customers for the long haul, we have to take a more holistic view of online security.</p> <p>When it comes to protecting people on the internet, we know that technology can help, but we also know that the weakest link is often not the technology itself. In fact, <a href="https://www.verizon.com/about/news/verizon-2020-data-breach-investigations-report">85% of all company data breaches involve a human element</a>. And our first <a href="https://blog.1password.com/state-of-access-report-burnout-breach/">State of Access report</a> found that employees are a third less likely to follow their companies’ security guidelines when they&rsquo;re burned out (by, say, a global pandemic).</p> <p>That&rsquo;s why we&rsquo;re doubling down on empowering each person – no matter their level of technical proficiency – to easily navigate the digital world without fear or friction.</p> <h2 id="a-human-centric-approach-to-security">A human-centric approach to security</h2> <p>Security is hard work, but at 1Password we see it as a human challenge rather than a technological one. Our mission has always been to ease the tension between security and convenience, and the opportunity to deliver on this has never been greater.</p> <p>With each platform demanding its own passwords and protocols, workflows and websites, it’s no wonder we can’t keep everything straight. The busier we get, the more we favor simple solutions over secure ones. 
But protecting our privacy and personal information shouldn’t be so difficult; people – and the companies they work for – shouldn’t have to choose between security and convenience.</p> <p>With 1Password, they don’t have to.</p> <p>1Password keeps businesses safe by protecting the individuals who work there. Company-wide adoption naturally leads to a <a href="https://blog.1password.com/security-culture-explained/">culture of security</a>, nurturing better habits for employees while strengthening a company’s security posture from within. Organizations drastically reduce the potential impact of data breaches, not to mention the risk of accidental leaks or vulnerabilities stemming from shadow IT.</p> <p>By defending the workforce at an individual level, 1Password empowers businesses with greater visibility, control, and peace of mind so they can feel confident that their customer data, intellectual property, and brand are secure.</p> <h2 id="building-the-future-of-cybersecurity">Building the future of cybersecurity</h2> <p>Growth is exciting, but it&rsquo;s also scary – for us as much as anyone else. But whenever I wonder about how funding or expanding the team will change things, I remember that we’ve always been motivated first and foremost by genuine care for our customers and their experience.</p> <p>That north star has never wavered, and it continues to guide every aspect of what we do. It inspires us every day, across every department and every person working to make 1Password better for you.</p> <p>Our path hasn&rsquo;t changed, but this latest investment helps us deliver on our promises more quickly. 
I can&rsquo;t wait to get there together.</p> <section class="c-call-to-action-box"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Toward a simpler, safer life online</h3> <p class="c-call-to-action-box__text"> Visit our future vision site for a glimpse at what we’re exploring and our thoughts on the future of human-centric security. </p> <a href="https://www.future.1password.com/" class="c-call-to-action-box__link-href" data-event-category="CTA" data-event-action="call-to-action-button"> A vision of the future with 1Password </a> </div> </section></description></item><item><title>My Collab Lab story: nurturing underrepresented developers in tech</title><link>https://blog.1password.com/my-story-mentoring-at-the-collab-lab/</link><pubDate>Tue, 18 Jan 2022 00:00:00 +0000</pubDate><author>info@1password.com (April Bowler)</author><guid>https://blog.1password.com/my-story-mentoring-at-the-collab-lab/</guid><description> <img src='https://blog.1password.com/posts/2022/my-story-mentoring-at-the-collab-lab/header.svg' class='webfeedsFeaturedVisual' alt='My Collab Lab story: nurturing underrepresented developers in tech' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">The journey to becoming a developer has many paths. The most traditional is through attending a university and obtaining a computer science degree. However, many in the industry arrive via a different route.</p> <p>In particular, those who come from traditionally underrepresented groups often find themselves entering this space later in life and with vastly different experiences than those from university.</p> <p>But it can be tricky to enter the profession from an unconventional route because so many learning and training opportunities are restricted to university students. 
So where does this leave those who found their way into tech outside of the traditional path?</p> <h2 id="introducing-the-collab-lab">Introducing The Collab Lab</h2> <p>Luckily there are organizations like <a href="https://the-collab-lab.codes/">The Collab Lab</a> that are trying to help fill in this gap. The Collab Lab exists to help early-career developers, especially ones from underrepresented groups, learn the skills used every day on development teams. These include pair programming, code reviews, writing great PR descriptions, merging, and demoing work.</p> <p>As a developer who took an unconventional path, I was so excited to get involved with The Collab Lab and begin paying forward all the support and help I received along my journey.</p> <p>My first official experience with the organization was through the Career Lab, which gives participants the opportunity to spend two weeks learning how to improve their LinkedIn profiles, tips on how to present their experience (i.e. tell their story), as well as the option to participate in mock interviews. The latter has two parts – a “job fit” interview and a technical interview which includes a small take-home task.</p> <p>I volunteered to host the job fit interviews and was assigned to a couple of participants. I scheduled an hour for each of them and spent the first half in ‘interview’ mode before spending the second half providing feedback and answering questions. It was truly a lot of fun, and given that it’s so rare to get feedback in a real-world interview, the participants really appreciated the opportunity to practice in such a safe and low-pressure environment. </p> <h2 id="mentoring-the-summer-cohort">Mentoring the summer cohort</h2> <p>My next experience was as a mentor for the summer cohort. I was assigned to a group along with two other mentors, one of which was the lead mentor who had volunteered with The Collab Lab before. 
Having three mentors for a team of four participants was helpful, as it offered different perspectives and spread out the responsibilities so that the time commitment from each mentor was reasonable. </p> <p> The time commitment for a mentor is roughly five hours per week, but I found that most weeks didn’t require that full amount. The largest blocks of committed time were the 1-hour weekly sync calls, which occur on either Saturday or Sunday, and office hours which rotate through the mentors so they only occur once every three weeks. </p> <p>While the group works on their project, the mentors keep an eye on the Slack channel and GitHub repo for discussions and questions that the participants might need some help with. We also provide a code review towards the end of the week. The participants pair-program with each other and peer review the other team’s work, so the mentor-led reviews are more about verifying that the acceptance criteria were met and offering suggestions on ways to make their code more readable or efficient.</p> <blockquote> <p><em>The participants walk away from the experience with a taste of what it’s like to work on a development team.</em></p> </blockquote> <p>During the final two weeks, the participants decide what they want the app to look and feel like and then work on implementing those design choices. This gives them the ability to apply the collaborative skills they’ve been working on for the last six weeks and to self-organize this block of work. At the final weekly sync, they do one last demo of the finished application and celebrate having successfully shipped it.</p> <p>The participants walk away from the experience with a taste of what it’s like to work on a development team. 
This gives them the knowledge to have informed conversations during job interviews, as well as the tools needed to hit the ground running when given that first opportunity.</p> <h2 id="an-invaluable-experience">An invaluable experience</h2> <p> Throughout both of my experiences with The Collab Lab, I’ve been impressed by the level of information that’s provided to the volunteer mentors. The organization truly tries to value your time and provides the schedule, structure, and resources needed whenever they can so that all you have to do is show up and provide your knowledge and experience. They’re very open to suggestions for improvement and are always iterating to try and make the process even smoother.</p> <p>The bottom line: it’s been as great an experience as I hoped it would be. The commitment is low enough to not interfere with other responsibilities and the return value of watching the participants grow in their collaborative skills and confidence is high. I was given a similar experience early in my career, so I can attest to how helpful it is to have the process demystified. 
</p> <p>I highly encourage other developers to become a mentor at The Collab Lab, as sharing your knowledge, experiences, and insight is so helpful to those just getting started.</p></description></item><item><title>How to keep your business secure during the Great Resignation</title><link>https://blog.1password.com/how-keep-business-secure-great-resignation/</link><pubDate>Mon, 17 Jan 2022 00:00:00 +0000</pubDate><author>info@1password.com (Nick Summers)</author><guid>https://blog.1password.com/how-keep-business-secure-great-resignation/</guid><description> <img src='https://blog.1password.com/posts/2022/how-keep-business-secure-great-resignation/header.svg' class='webfeedsFeaturedVisual' alt='How to keep your business secure during the Great Resignation' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Millions of workers <a href="https://www.cnbc.com/2021/11/12/consumer-sentiment-hits-10-year-low-while-workers-quit-jobs-in-record-numbers.html">are leaving their jobs</a> after enduring stay-at-home lockdowns and reflecting on what they need to be truly happy and healthy. 
While the &lsquo;<a href="https://www.bbc.com/worklife/article/20210629-the-great-resignation-how-employers-drove-workers-to-quit">Great Resignation</a>&rsquo; could have a positive impact on society, it also represents a security risk for businesses of all sizes.</p> <p>Because if your company doesn&rsquo;t keep tabs on its rapidly changing workforce, it could accidentally grant someone the wrong access and, in the worst-case scenario, give cybercriminals access to critical data.</p> <p>To safely navigate the Great Resignation, you need to focus on two key areas: provisioning and device management.</p> <h2 id="why-provisioning-matters">Why provisioning matters</h2> <p>&ldquo;Provisioning&rdquo; can refer <a href="https://www.techtarget.com/whatis/definition/provisioning">to many aspects of IT infrastructure</a>, but here we&rsquo;re talking about access to important files, accounts, and services. In 2021, almost every employee needed a combination of software and digital resources to do their job. Depending on your industry, that might have included apps, browser-based services, or files stored on a company-managed server.</p> <p>To keep your business secure, it’s important you monitor and control what everyone has access to. That includes current employees, but also the people who have recently decided to leave your company as part of the Great Resignation.</p> <blockquote> <p>In our <a href="https://1password.com/resources/2021-state-of-secure-access-report/">first State of Access study</a>, a quarter of respondents said they had tried to access a former work account after leaving a job – and over 80% of that group said they were successful.</p> </blockquote> <p>If you&rsquo;re unsure what people are using and don&rsquo;t have a way to revoke their access, there&rsquo;s a higher chance they&rsquo;ll leak sensitive information or make a mistake that lets a thief slip past your digital defenses. 
This scenario could happen during or after their time at your company, if they never lose access to your team&rsquo;s accounts and data.</p> <p>So what&rsquo;s the solution? Well, if you don&rsquo;t have a formal system for granting, revoking, and monitoring access, it&rsquo;s time to change that. Your own memory might be sufficient when you have just a handful of employees, but it won&rsquo;t be able to keep up with the volume of people who are likely to join and leave your company during the Great Resignation. Relying on access management tools, <a href="https://1password.com/business/">like a business password manager</a>, is the best way to limit this risk.</p> <h2 id="the-role-of-a-password-manager">The role of a password manager</h2> <p>An enterprise-ready <a href="https://1password.com/password-manager/">password manager</a> like 1Password gives you a secure and convenient way of granting people access to whatever accounts they need. With <a href="https://1password.com/teams/">1Password Teams</a> and <a href="https://1password.com/business/">1Password Business</a>, you can place credentials into labeled vaults (these act a bit like shared folders) and then organize employees into custom groups with varying levels of access.</p> <p>For example, you might have an employee group called Marketing that can access three vaults called Blog, Social Media, and Analytics. When a new product marketer joins your company, you can add them to the Marketing group and quickly give them access to the credentials they need to do their job. Just as importantly, you can be confident they don&rsquo;t have access to the Finance vaults, which would let them view sensitive financial documents.</p> <p>Password managers like 1Password are also useful when someone decides to leave your company – something that could happen more often during the Great Resignation. You can quickly and remotely shut down their 1Password account, and also update the passwords they used to have access to. 
That way, even if the ex-employee memorized their passwords or wrote them down, they won&rsquo;t be able to access anything.</p> <p>The best part? The rest of your team can access the new passwords right away. That means you don’t have to send out a company-wide email and pray everyone reads it before attempting to log into the associated accounts. Anyone who had access to the old credentials can see, share and <a href="https://1password.com/features/autofill/">autofill</a> the updated versions.</p> <h2 id="when-to-use-identity-and-access-management-iam-software">When to use identity and access management (IAM) software</h2> <p>A password manager is a great starting point for smaller teams. But if you&rsquo;re a multinational business with hundreds of employees, you should also consider an identity and access management (IAM) solution like <a href="https://www.okta.com/">Okta</a> or <a href="https://jumpcloud.com/">JumpCloud</a>. These give IT admins another way to control the apps and services that current and former employees are able to access.</p> <p>How does it work? Team members typically use <a href="https://1password.com/resources/guides/why-you-should-have-sso/">single sign-on (SSO)</a> which, as the name implies, allows them to sign in to multiple services using the same set of credentials. IT admins, meanwhile, usually have a dashboard which gives them an overview of their team and lets them control the services that each person can and can&rsquo;t sign in to using SSO.</p> <p>Like a password manager, IAM is valuable because it gives you clarity over what everyone has access to and, just as importantly, what&rsquo;s outside their reach. It also creates a clear workflow that should be followed whenever someone joins or leaves your company. Onboarding a new hire? Consider their role and give them an appropriate level of access via SSO. 
Then, on their last day, return to your IAM service&rsquo;s dashboard and revoke their privileges.</p> <p>Many companies also <a href="https://blog.1password.com/1password-and-sso-a-perfect-match/">use SSO and a password manager together</a>. Because when you have 1Password, the logins that people make outside their SSO – and the login for the SSO, for that matter – are much stronger.</p> <h2 id="taking-care-of-hardware">Taking care of hardware</h2> <p>But software is only one half of the equation. If you want to keep your business secure during the Great Resignation, you also need to think about hardware. First, let&rsquo;s talk about company-issued devices. Does your business provide team members with a computer, phone, or tablet? If so, you need to keep track of them. They might contain confidential files, or be signed in to apps and web-based services that criminals would love to gain access to.</p> <p>When someone decides to leave your company, ensure they wipe their devices and give them back to the company. Otherwise, the soon-to-be-former employee might continue to use their company devices in a personal capacity. They could then make a mistake, like falling for a <a href="https://blog.1password.com/what-is-phishing-and-how-can-you-protect-your-business/">phishing email</a> or downloading malware, that allows a criminal to access your company&rsquo;s data.</p> <p>Larger businesses will also want to consider mobile device management (MDM) software like <a href="https://www.hexnode.com/mobile-device-management/">Hexnode</a> or <a href="https://www.miradore.com/">Miradore</a>. These allow IT admins to create policies that dictate what software can be installed and when components like the camera can be turned on. Many MDM solutions will also let administrators remotely lock and wipe devices if they&rsquo;re ever stolen or lost. 
These could also prove useful if a former employee forgets or ignores your request to give their company devices back.</p> <blockquote> <p><em>You can’t expect people to install MDM software on personal machines.</em></p> </blockquote> <p>You&rsquo;ll need to take a different approach with employee-owned hardware. Bring Your Own Device (BYOD) policies have grown in popularity as a way for companies to cut costs, support remote work, and empower staff to be productive with the hardware they&rsquo;re most familiar with. But you can&rsquo;t expect to install MDM software on personal machines. Similarly, it&rsquo;s unlikely that team members will want to wipe their personal computers when they leave your company.</p> <p>For these devices, you&rsquo;ll need to rely on access management – that&rsquo;s everything we covered before under password managers and IAM. You can revoke access by sunsetting their SSO profile and the account they used to sign in to your company password manager.</p> <h2 id="culture">Culture</h2> <p>Provisioning and device management will go a long way to keeping your business secure during the Great Resignation. But it&rsquo;s impossible to have perfect security, and if employees don&rsquo;t share your enthusiasm, they&rsquo;ll likely find workarounds that could leave your business vulnerable. That&rsquo;s why you also need to <a href="https://www.forbes.com/sites/forbestechcouncil/2021/08/02/how-to-build-a-culture-of-security/?sh=648ead233753">build a culture of security</a>. One that gives your team members the knowledge and desire to make smart, secure decisions both during and after their time at your company.</p> <p>Not sure where to begin? <a href="https://1password.com/resources/creating-a-culture-of-security/">Check out our guide to creating a culture of security</a>.</p> <p>Here&rsquo;s the short version: First, get buy-in from your leadership team, because they&rsquo;ll be critical to making significant and long-lasting changes. 
Then focus on employee education and training. Explain why your company&rsquo;s policies are important and provide tools that empower your staff to practice good security habits, like a password manager. Finally, listen to your employees. Reward them for speaking up and make sure they feel comfortable approaching your IT department.</p> <p>If you take these steps, there&rsquo;s a good chance that your team will adopt and embrace a culture of security. Staff will build habits that endure long after they&rsquo;ve handed in their notice and, just as importantly, encourage other people to do the same. That new culture, combined with robust provisioning and device management, will put your company in the best position possible to stay secure during the Great Resignation.</p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Want to learn more?</h3> <p class="c-call-to-action-box__text"> Read our first State of Access report to learn more about burnout and its growing impact on cybersecurity. It covers the effect of exhaustion on password choices, the use of shadow IT, and other potential risk factors. 
</p> <a href="https://1password.com/resources/2021-state-of-secure-access-report/?utm_ref=blog" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Read the report </a> </div> </section></description></item><item><title>1Password’s 2021 year in review - everything you might have missed</title><link>https://blog.1password.com/2021-year-in-review/</link><pubDate>Fri, 14 Jan 2022 00:00:00 +0000</pubDate><author>info@1password.com (Jeff Shiner)</author><guid>https://blog.1password.com/2021-year-in-review/</guid><description> <img src='https://blog.1password.com/posts/2022/2021-year-in-review/header.svg' class='webfeedsFeaturedVisual' alt='1Password’s 2021 year in review - everything you might have missed' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">If year-end reviews have taught us anything, it’s that people love recaps that cram 12 months of growth and change into a five minute digestible read. Last year we worked hard to bring easy but secure password management to everyone – businesses and individuals alike.</p> <p>New apps, integrations, research, and partnerships – 2021 had it all. <a href="https://blog.1password.com/1password-wins-a-g2-best-software-award/">1Password was even named one of G2’s Best Software Products of 2021</a>. Here&rsquo;s a quick overview of everything our teams got up to:</p> <h2 id="product-releases-and-updates">Product releases and updates</h2> <p>Last year was the starting point for the next generation of 1Password.</p> <p>We launched <a href="https://blog.1password.com/welcoming-linux-to-the-1password-family/">our first Linux app</a>, which doubled as a world debut for 1Password 8 – an all new design optimized for peak productivity and unrivaled security. 
We also released <a href="https://blog.1password.com/1password-8-for-windows-is-here/">1Password 8 for Windows</a> – first in early access, then fully featured and ready for the world.</p> <div style="text-align: center !important;"> <iframe src="https://www.youtube-nocookie.com/embed/SGSM2VcIsl4" frameborder="0" allow="autoplay; encrypted-media" width="500px !important;" height="281px !important;" style="width: 500px !important; height: 281px !important; display: inline-block !important" allowfullscreen></iframe> </div> <p><a href="https://1password.com/products/">1Password 8</a> introduces a new design language, code-named Knox, and countless additions that make it faster and simpler to use, like Quick Access search.</p> <p>Apple devices also got in on the fun as we made <a href="https://blog.1password.com/1password-8-for-mac-is-now-in-early-access/">1Password 8 for Mac</a> available in early access, and we&rsquo;re hard at work on a version that&rsquo;s ready for all of our customers around the world. We’ve also improved 1Password on iOS and Android devices. For example, last year we brought the <a href="https://blog.1password.com/1password-for-safari/">desktop browser experience to Safari</a> with the release of iOS 15.</p> <p>1Password in the browser got some love too, with improvements like biometric unlock, dark mode, and a new save experience. In short, <a href="https://blog.1password.com/big-changes-to-1password-in-the-browser/">1Password in the browser is better than ever</a>.</p> <h2 id="new-1password-features">New 1Password features</h2> <p>We didn’t just improve the core look and feel of 1Password; we also made it easier to protect and securely share your personal information. 
Whether visiting a restaurant or movie theater, or checking in at an airport, having health information on hand became a staple of everyday life, which is why we introduced a new item type: the <a href="https://blog.1password.com/introducing-the-medical-record/">Medical Record</a>.</p> <p>Another high priority was making it easier for you to share passwords securely – even with people not using 1Password. Our new <a href="https://blog.1password.com/psst-item-sharing/">Password secure sharing tool (PSST!)</a> lets you share anything you keep in 1Password with anyone, anytime.</p> <div style="text-align: center !important;"> <iframe src="https://www.youtube-nocookie.com/embed/fgcDdxvyJPE" frameborder="0" allow="autoplay; encrypted-media" width="500px !important;" height="281px !important;" style="width: 500px !important; height: 281px !important; display: inline-block !important" allowfullscreen></iframe> </div> <p>We also wanted to help people protect their online privacy, so we created Masked Email <a href="https://1password.com/fastmail/">in partnership with Fastmail</a>. Now, anyone with a Fastmail account can generate and save random email addresses right in 1Password, keeping their true email address hidden from the services they use.</p> <h2 id="new-features-for-1password-business-customers">New features for 1Password Business customers</h2> <p>With improved management and enhanced monitoring, our <a href="https://blog.1password.com/improved-automated-provisioning/">updates to Automated Provisioning</a> make it easier than ever to secure employees at scale. 
And on that note – you can now integrate <a href="https://blog.1password.com/jumpcloud-1password-scim-bridge-launch/">1Password with JumpCloud</a>, our newest identity provider partner (<a href="https://support.1password.com/scim/">see our other partners</a>).</p> <p>We recognize that visibility is critical to security and IT teams, and so to support the growing shift to remote and hybrid work, we created the <a href="https://blog.1password.com/introducing-events-api/">Events API</a>. The Events API is a public REST API for <a href="https://1password.com/business/">1Password Business</a> customers that makes it easier to connect 1Password events with other data sources to gain a deeper understanding of how workers are using 1Password.</p> <p>Back in April, we also <a href="https://blog.1password.com/save-in-1password-button-with-ramp/">partnered with Ramp</a>, a corporate card and spend management platform, to introduce the “Save in 1Password” button. It’s now easier than ever for Ramp customers to save payment cards and other details in 1Password.</p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Get started with 1Password Business</h3> <p class="c-call-to-action-box__text"> Productive businesses use 1Password to secure employees at scale. </p> <a href="https://1password.com/business/?utm_ref=blog" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Try free for 14 days </a> </div> </section> <h2 id="1password-secrets-automation">1Password Secrets Automation</h2> <p>We’ve been keeping all kinds of secrets safe since 2005, like passwords, addresses and credit cards. But secrets keep evolving. Machines now have their own secrets that need to be protected, like API tokens, application keys, and private certificates. 
That’s why we <a href="https://blog.1password.com/secrethub-acquisition/">acquired SecretHub</a>, a secrets management company, in April 2021, and had our first release of <a href="https://blog.1password.com/introducing-secrets-automation/">Secrets Automation</a>.</p> <p>Secrets Automation is a single source of truth to secure, manage, and orchestrate all of your business secrets. 1Password doesn’t just store these secrets – it can deliver them whenever and wherever they’re needed. Now 1Password protects all of your company’s secrets – human and machine – in one place.</p> <div style="text-align: center !important;"> <iframe src="https://www.youtube-nocookie.com/embed/ICMFanRt20A" frameborder="0" allow="autoplay; encrypted-media" width="500px !important;" height="281px !important;" style="width: 500px !important; height: 281px !important; display: inline-block !important" allowfullscreen></iframe> </div> <h2 id="1password-university">1Password University</h2> <p>With so much going on in 2021, we knew we needed to find a way to help businesses master 1Password and online security. That’s why we launched 1Password University – a free online learning platform that helps people use 1Password and develop a deeper understanding of online security.</p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Learn with 1Password University</h3> <p class="c-call-to-action-box__text"> Begin improving your knowledge and skills with our growing catalogue of free courses today. 
</p> <a href="https://www.1password.university/learn/signin" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Register for 1Password University </a> </div> </section> <h2 id="what-you-watched-listened-to-and-read">What you watched, listened to, and read</h2> <p>Security is constantly evolving, and we want to help you make sense of it. We surveyed companies and produced research that looked at burnout, <a href="https://blog.1password.com/digital-estate-planning-guide/">digital estate planning</a>, and more. Below we’ve listed some of our most popular thoughts and ideas from the past year:</p> <ul> <li>Webinar: <a href="https://1password.com/webinars">Securing your hybrid workforce</a></li> <li>Report: <a href="https://1password.com/resources/2021-state-of-secure-access-report/">How employee burnout is emerging as the next frontier in cybersecurity</a></li> <li>Report: <a href="https://1password.com/resources/risks-of-mismanaging-corporate-secrets/">How secrets (mis)management is creating the next big cybersecurity threat</a></li> <li>Guide: <a href="https://1password.com/resources/how-to-avoid-a-data-breach/?utm_ref=resources">How to avoid a data breach</a></li> <li>Podcast: <a href="https://randombutmemorable.simplecast.com/episodes/another-masked-vigilante-fear">Interview with Karen Renaud – computer scientist, researcher, and professor</a></li> <li>Podcast: <a href="https://randombutmemorable.simplecast.com/episodes/email-alias-rabbit-hole">Interview with Ricardo Signes – CTO at Fastmail</a></li> <li>Blog: <a href="https://blog.1password.com/password-manager/">The ultimate guide to password managers</a></li> <li>Blog: <a href="https://blog.1password.com/small-talk-balancing-productivity/">Balancing workplace productivity and security for small businesses</a></li> </ul> <p>Check out our full catalog of <a href="https://1password.com/webinars/">webinars</a>, <a 
href="https://1password.com/resources/">resources</a>, <a href="https://blog.1password.com/">blogs</a>, and <a href="https://randombutmemorable.simplecast.com/">podcasts</a> to see what else you might have missed.</p> <h2 id="the-1password-team">The 1Password team</h2> <p>This past year we worked hard to support our team so they can lead balanced and fulfilled lives – both at work and at home. A few of the things we did were to create new, all-company wellness days (where we close our virtual doors around the globe) and give every employee subscriptions to <a href="https://www.headspace.com/">Headspace</a> and <a href="https://www.youneedabudget.com/">You Need A Budget</a>.</p> <p>We also made a big investment in learning this year. Internally, we partnered with Hone to launch Management Unlocked, a program focused on manager training and skills development. We started diversity, equity, and inclusion sessions, which included a women in tech panel discussion and a webinar by <a href="https://www.outsaskatoon.ca/">OUTSaskatoon</a> about terms and identity. Our leadership team also partnered with Ready Set to enhance their learning and focus. 
Along with monthly Learning Nooks – webinars focused on learning and discovery – our team learned a lot.</p> <p>While we couldn’t take an in-person cruise for our annual AG Conference, we did have an exciting 3-day virtual cruise – complete with virtual excursions, famous guests, and a show-closing virtual talent show.</p> <p>And 2021 was a big year for growth – we added almost 200 new folks, including three new members to our executive team: <a href="https://1password.com/company/meet-the-team/akshay-bhargava/">Akshay Bhargava</a> (Chief Product Officer), <a href="https://1password.com/company/meet-the-team/raj-sarkar/">Raj Sarkar</a> (Chief Marketing Officer), and <a href="https://1password.com/company/meet-the-team/pedro-canahuati/">Pedro Canahuati</a> (Chief Technology Officer).</p> <p><a href="https://blog.1password.com/1password-best-company-for-remote-workers/">1Password was named one of the top five large companies for remote workers by Quartz</a>. It’s an honor to be recognized not just for the quality of our work but also for how we take care of our team.</p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">And we’re still growing!</h3> <p class="c-call-to-action-box__text"> If you’re passionate, curious, and kind – we’d love to talk to you. </p> <a href="https://jobs.lever.co/1password" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> View open positions </a> </div> </section> <h2 id="investing-in-our-future">Investing in our future</h2> <p>Finally, 2021 was the year we secured a <a href="https://blog.1password.com/investing-in-our-future-again/">second round of funding</a>. Here at 1Password, we want to help secure as many people and businesses as we can. 
We saw this second round as a great opportunity to work with smart people invested in our future to help guide us as we continue to grow. Our new partners include top executives from Shopify, Slack, Squarespace, Eventbrite, MessageBird, Google, Atlassian, and Ashton Kutcher’s Sound Ventures. To learn more about this next step you can <a href="https://blog.1password.com/investing-in-our-future-again/">read our announcement</a>. We’re so excited to keep pushing for better security for everyone.</p> <div style="text-align: center !important;"> <iframe src="https://www.youtube-nocookie.com/embed/ZhXfzzA44xI" frameborder="0" allow="autoplay; encrypted-media" width="500px !important;" height="281px !important;" style="width: 500px !important; height: 281px !important; display: inline-block !important" allowfullscreen></iframe> </div> <h2 id="theres-more-to-come">There&rsquo;s more to come</h2> <p>And that’s a wrap on 2021. It’s impossible to share just how much work went into this amazing year – from our dedicated teams working hard to improve 1Password, to you, our dedicated customers supporting us. There are no words to describe how it feels to have such amazing people believe in us. So all I’ll say is thank you. We’re excited about 2022 and will continue working hard to make sure your trust in us is well placed. Wishing you a healthy, happy, and secure 2022.</p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Subscribe to the 1Password newsletter</h3> <p class="c-call-to-action-box__text"> Be the first to hear about 1Password news, tips, and announcements. 
</p> <a href="https://1password.com/newsletter/" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Sign up to our newsletter </a> </div> </section></description></item><item><title>Small Talk: why cybersecurity matters beyond the office</title><link>https://blog.1password.com/small-talk-beyond-the-office/</link><pubDate>Thu, 13 Jan 2022 00:00:00 +0000</pubDate><author>info@1password.com (Andrew Zangre)</author><guid>https://blog.1password.com/small-talk-beyond-the-office/</guid><description> <img src='https://blog.1password.com/posts/2022/small-talk-beyond-the-office/header.png' class='webfeedsFeaturedVisual' alt='Small Talk: why cybersecurity matters beyond the office' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Business security is often associated with larger companies where employees spend most of their time in front of computers. This stereotype can lead small business owners – especially ones outside the tech industry – to think they’ll never be targeted by hackers and don’t need to invest in security. It’s a mistake that cybercriminals are exploiting. Even without a traditional office environment or complex IT infrastructure, your growing business needs to <a href="https://blog.1password.com/small-talk-cyberattacks/">take security seriously</a>.</p> <p>If your team uses the web in any capacity, it’s critical they protect their accounts with strong, unique passwords. Stolen logins <a href="https://www.verizon.com/business/resources/reports/dbir/">are at the heart of most modern attacks</a>. But there are other vulnerabilities and threats to be aware of, some of which might be specific to your industry or company structure. 
So staying informed is critical.</p> <h2 id="most-businesses-are-online-businesses">Most businesses are “online businesses”</h2> <p>Restaurants, law firms, and even doggy day spas are all connected to the web. You might advertise online, handle transactions electronically, or store customer data in the cloud. Even simple interactions with the internet can pose a threat if done insecurely. Something as mild as an <a href="https://blog.1password.com/small-talk-mindfulness-when-surfing-the-web/">employee surfing the web</a> at work or <a href="https://blog.1password.com/small-talk-balancing-productivity/">using a productivity app</a> on their personal device creates a potential pathway to sensitive information.</p> <p>E-commerce is a key example. Today, selling products or registering customers online is a major source of revenue for small businesses. It’s evolving from an option to a requirement, which is why most startups <a href="https://www.prnewswire.com/news-releases/28-of-small-businesses-dont-have-a-website-according-to-new-survey-data-301226897.html">have a company website at least</a>. But along the way, the shift created security threats for both businesses and customers. For instance, according to one study, <a href="https://qz.com/1329961/hackers-account-for-90-of-login-attempts-at-online-retailers/">90 percent of login attempts</a> on e-commerce sites are actually hackers using stolen data.</p> <p>The internet has revolutionized business, and our world in general. But for every convenience or nifty innovation, there’s a risk you need to be mindful of – that’s all part of the package deal. If you manage a small business, online safety is now as vital as accounting or branding. Done correctly, though, it can be a team effort and can give your customers some crucial peace of mind as well.</p> <p>Ready to improve your company&rsquo;s security? 
Start here:</p> <ul> <li>Check out our <a href="https://1password.com/resources/">business resources</a> (like <a href="https://1password.com/resources/beginners-guide-to-cybersecurity/">our beginner’s guide to cybersecurity</a>).</li> <li>Talk with a <a href="https://www.g2.com/categories/cybersecurity-consulting">cybersecurity consultant</a> to help identify and solve your company’s challenges.</li> </ul> <h2 id="the-role-of-passwords-in-keeping-your-company-safe">The role of passwords in keeping your company safe</h2> <p>No matter the industry (yes, we’re still talking to you, doggy day spas), <a href="https://www.verizon.com/business/resources/reports/dbir/">most data breaches</a> are traced back to some human oversight – not an outdated computer or network glitch. This happens, for example, when an employee opens an unsafe link from an email or website, or uses weak and predictable passwords.</p> <p>If your team is working remotely or in various locations, you amplify these risks. Even with an expert IT team – which might not be anywhere in your plans – good security habits are the best way to prevent cyber attacks. Without these habits, no amount of expensive software will close your security gaps.</p> <p>You should nurture safe password habits by making them a part of <a href="https://1password.com/resources/creating-a-culture-of-security/?utm_ref=resources">your company culture</a>. Just like employees know to turn the lights off when they leave, they should follow basic security steps to strengthen their accounts. Whether for devices, work software, or personal online accounts, each login needs to have a long, random, and unique password. The <a href="https://1password.com/password-generator/">1Password Strong Password Generator</a> can be a trusty tool, and it’s free to use.</p> <p>Of course, creating these passwords is only half of the solution. What about remembering them? 
The thought can be enough to turn many employees off, so they use their same old passwords over and over. You can fix this with a teamwide password manager. 1Password gives employees a convenient way to generate and save unique passwords for all of their accounts. It’s more secure than scribbling them on paper or saving them <em>wherever</em> on their desktop – leaving them ripe for stealing.</p> <p>If your team uses shared devices – like a restaurant point of sale (POS) system, retail computer, or warehouse tablet – you need to ensure that everyone uses them securely. You might be using shared logins, or have separate accounts for each employee. Regardless, make sure you’re using strong, unique passwords wherever possible. Additional verification like <a href="https://support.1password.com/two-factor-authentication/">two-factor authentication</a> (2FA) can help ensure that users are who they say they are. You might even ask employees to sign confidentiality agreements or other privacy waivers during their training, when they’re brought into your “circle of trust.”</p> <h2 id="create-a-security-strategy-that-fits-your-business">Create a security strategy that fits your business</h2> <p>Different business models have their own set of security considerations. Troublesome activity can rear its head in both the digital and physical space, and put your business and its customers at risk.</p> <p>For example, Costco Wholesale – a major retailer with more than 800 locations – recently <a href="https://www.forbes.com/sites/leemathews/2021/11/12/costco-discloses-data-breach-after-finding-card-skimmer-at-one-of-its-stores/?sh=3756e69f49fc">reported a serious data breach</a> due to a credit card skimmer placed at one of its Canadian warehouses. 
The device reportedly helped an attacker steal customer payment information and make fraudulent charges on these accounts.</p> <p>Credit card skimmers – and <a href="https://www.pcmag.com/how-to/how-to-spot-and-avoid-credit-card-skimmers">the more modern shimmers</a>, which target chip cards from inside card readers – pose a risk to any business that accepts credit cards in person. There’s also a new trend of <a href="https://www.cpomagazine.com/cyber-security/new-magecart-credit-card-skimmer-capable-of-stealing-payment-information-on-multiple-ecommerce-platforms/">online card skimming</a> that hijacks payment windows on e-commerce sites, and presents customers with a fake payment form to fill out. So any amount of online sales needs to be monitored and regularly reviewed with security in mind.</p> <p>Every business is different, and you need to tailor your approach accordingly. If you don’t already have one, assign an individual or small team as the “security specialists” of your small business. These employees can take the lead on writing and sharing security guidelines with the rest of the team, checking for suspicious activity, and responding to incidents. This can mean asking employees to reset login information for compromised accounts, reaching out to banks or third-party vendors, and updating devices with the latest security patches.</p> <p>You should also take care when <a href="https://blog.1password.com/how-the-1password-security-team-evaluates-new-tools/">signing up for a new app or third-party service</a>. Make sure it’s a provider you can trust. Look into their security history and check what previous customers have said about them. After all, if the vendor is ever breached, your company’s data <a href="https://www.zdnet.com/article/third-party-data-breach-in-singapore-hits-healthcare-provider/">could be exposed</a>. 
If an incident does happen with any of your service providers, you should quickly change all of your associated passwords, check your bank statements for unauthorized transactions, and inform your team.</p> <h2 id="start-protecting-your-small-business-today">Start protecting your small business today</h2> <p>The biggest mistake you can make is ignoring the issue entirely. Cybersecurity affects every modern business, from the tech startups to the doggy day spas. Stay informed, take the first steps toward securing your team, and keep your business on the safe track. The threats may change, but your dedication to cybersecurity can be something that lasts.</p></description></item><item><title>Credential stuffing: How 1Password protects you against it</title><link>https://blog.1password.com/how-1password-keeps-you-safe-from-cyber-attacks/</link><pubDate>Mon, 10 Jan 2022 00:00:00 +0000</pubDate><author>info@1password.com (Marius Masalar)</author><guid>https://blog.1password.com/how-1password-keeps-you-safe-from-cyber-attacks/</guid><description> <img src='https://blog.1password.com/posts/2022/how-1password-keeps-your-account-data-safe-from-cyber-attacks/header.png' class='webfeedsFeaturedVisual' alt='Credential stuffing: How 1Password protects you against it' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Several layers of protection guard the data you store in 1Password, but is it enough to defend against cyberattacks like credential stuffing?</p> <p>Few things are scarier than getting an email about someone trying to log into one of your accounts. 
Doubly so when that account is for your <a href="https://1password.com/password-manager/">password manager</a>.</p> <p>The good news is that by using 1Password, you’re already protected against the most common type of cyberattack that triggers these emails: credential stuffing.</p> <h2 id="what-is-credential-stuffing-and-how-does-it-work">What is credential stuffing, and how does it work?</h2> <p>Modern cyberattacks rarely involve actual hacking.</p> <p>It’s become easier and more effective to simply use credentials stolen from data breaches without wasting time trying to crack individual passwords. Hackers use specialized software to make login attempts against popular web services using those stolen credentials on a massive scale. This type of attack is known as credential stuffing.</p> <p>By now, we’ve all learned that data breaches are a fact of life online. <a href="https://www.idtheftcenter.org/post/identity-theft-resource-center-to-share-latest-data-breach-analysis-with-u-s-senate-commerce-committee-number-of-data-breaches-in-2021-surpasses-all-of-2020/">In 2021, they were at least 17% more prevalent compared to 2020</a>, which means there are many more stolen or leaked credentials available for bad actors to use in their attempts.</p> <p>Adversaries are relying on the fact that many people re-use their passwords across multiple accounts. If a password from a relatively unimportant account – say your favourite site for sharing cat photos – is obtained through a <a href="https://blog.1password.com/data-breach-101-stay-safe-online/">data breach</a>, they can attempt to use that same username/password combination to access your social media accounts, work software, and even online banking.</p> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div class="c-technical-aside-box__description"> <p>Want to stay secure online? 
Create a unique username with 1Password&rsquo;s free <a href="https://1password.com/username-generator/">Username Generator</a>!</p> </div> </aside> <p>In general, credential stuffing attacks are like spam email: they operate on a huge scale but rarely produce results. Some estimates suggest credential stuffing results in successful account access only 2% of the time. But when you consider that a single data breach can contain 1 million user credentials, that still means 20,000 compromised accounts.</p> <h2 id="how-1password-protects-against-credential-stuffing-attacks">How 1Password protects against credential stuffing attacks</h2> <p>A successful credential stuffing attack relies on two things:</p> <ol> <li>Access to stolen or leaked credentials from a data breach.</li> <li>People re-using their passwords across multiple sites.</li> </ol> <p>As individuals, there isn’t much we can do to prevent our credentials being leaked or stolen when a service we use suffers a data breach.</p> <p>Luckily, we can address the second point easily by using 1Password to generate strong, unique passwords for each account we use. That way, even if an attacker uses stolen credentials to access one account, they can’t use that same password to gain access to anything else – because you’ve only used it in one place.</p> <p>Of course, that still leaves the question of your 1Password account itself; what happens if someone were to guess or obtain your account password? 
<a href="https://blog.1password.com/safe-write-down-your-passwords/">1Password’s security model</a> is carefully designed not to rely on any single point of failure, so the short answer is: <a href="https://blog.1password.com/what-if-1password-gets-hacked/">nothing</a>.</p> <p>Here’s how it works.</p> <p>Three things are required to decrypt your data:</p> <ol> <li>Your account password (the artist formerly known as “Master Password”).</li> <li>An additional encryption ingredient known as the <a href="https://blog.1password.com/what-the-secret-key-does/">Secret Key</a>.</li> <li>The encrypted vault data itself.</li> </ol> <p>Only you know your account password, and your Secret Key is generated locally during setup. The two are combined on-device to encrypt your vault data and are never sent to 1Password.</p> <p>Only the encrypted vault data lives on our servers, so neither 1Password nor an attacker who guesses or steals your account password would be able to access your vaults.</p> <p>When you sign in to your 1Password account, your information is further protected by a unique communication system that ensures that neither your account password nor your Secret Key is ever sent over the network.</p> <p>Industry-standard Transport Layer Security (TLS) provides a first line of defence, but we’ve bolstered it with a custom protocol known as <a href="https://blog.1password.com/developers-how-we-use-srp-and-you-can-too/">Secure Remote Password</a> (SRP). With SRP, another encryption key generated on-device protects your information in transit even if someone manages to decrypt TLS.</p> <p>Furthermore, this encryption key is different for each session, so an attacker who manages to record one authentication session won’t be able to use that information to make an intrusion attempt.</p> <p>SRP also proves to the server that the 1Password app has a secret that can only be derived using the correct account password and Secret Key. 
Similarly, it proves to the 1Password app that the server has the correct verifier, which guarantees the connection is with the genuine 1Password server and not an impostor.</p> <p>Simply by using 1Password, you’re already going above and beyond to protect yourself.</p> <h2 id="how-to-protect-yourself-from-credential-stuffing">How to protect yourself from credential stuffing</h2> <p>Be proactive about your online safety by keeping these simple guidelines in mind:</p> <ol> <li>Always use 1Password to generate strong, unique passwords for every account</li> <li>Make sure your account password for 1Password.com is sophisticated, memorable, and not used for anything else</li> <li>Close old accounts you don’t need anymore; with fewer accounts, you’re less likely to be involved in a data breach</li> </ol> <p>1Password also provides additional capabilities for those who want to further lock down their secrets:</p> <ol> <li><strong><a href="https://support.1password.com/one-time-passwords/">Set up two-factor authentication</a> for any accounts and websites that support it.</strong> This provides an additional layer of defense that can save you in the event that someone manages to obtain your password for those accounts, whether from a data breach or any other method.</li> <li><strong>Let <a href="https://support.1password.com/watchtower/">Watchtower</a> act as your personal security guard</strong>, helping you identify weak or reused passwords and optionally monitoring your account for credentials that have been involved in a data breach. If any of your accounts are compromised in a breach, you’ll receive a notification so you can reset those passwords before anyone has a chance to abuse them. You can also use Watchtower to see which sites you haven’t activated two-factor authentication for yet.</li> </ol> <p>Staying safe online doesn&rsquo;t have to be complicated or confusing. 
With 1Password, you benefit from better security without the hassle.</p> <section class="c-call-to-action-box"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Get more security tips</h3> <p class="c-call-to-action-box__text"> Subscribe to our business security newsletter and get advice on running a secure, productive workplace delivered directly to your inbox. </p> <div class="c-call-to-action-box__text"> By signing up you agree to receive emails about the latest 1Password announcements, product updates, and events. <a class="c-newsletter-signup-form__gdpr--link" href="https://www.1password.co/email-preferences.html">Unsubscribe</a> any time. You also agree to our <a class="c-newsletter-signup-form__gdpr--link" href="https://1password.com/legal/terms-of-service/">terms of service</a> and <a class="c-newsletter-signup-form__gdpr--link" href="https://1password.com/legal/privacy/">privacy policy</a>. 
</div> </div> </section></description></item><item><title>How to stay creatively inspired while working from home</title><link>https://blog.1password.com/how-to-stay-inspired-working-from-home/</link><pubDate>Fri, 07 Jan 2022 00:00:00 +0000</pubDate><author>info@1password.com (Nick Summers)</author><guid>https://blog.1password.com/how-to-stay-inspired-working-from-home/</guid><description> <img src='https://blog.1password.com/posts/2022/how-to-stay-inspired-working-from-home/header.png' class='webfeedsFeaturedVisual' alt='How to stay creatively inspired while working from home' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Creativity can be fickle. One day, your brain is full of bright ideas you&rsquo;re keen to jot down, develop, and share with others. The next day, you have nothing. Zilch. Not even a flicker of an idea. You suddenly feel like a world-class restaurant that&rsquo;s run out of ingredients.</p> <p>A key element of creativity is finding the odd jolt of inspiration. But discovering that spark can be tricky if you work from home. You don&rsquo;t have a normal commute, which for many is a chance to let your mind wander and experience random but inspirational moments. Similarly, you&rsquo;re not working in a busy office that&rsquo;s full of sights, sounds, and smells to draw from.</p> <p>But that doesn&rsquo;t mean you can&rsquo;t be just as creative while working remotely – you just need to make a conscious effort to surround yourself with sources of inspiration. These can be physical objects, online communities, or activities that encourage you to hit pause on work, turn off your devices, and clear your head.</p> <h2 id="real-world-serendipity">Real-world serendipity</h2> <h3 id="recreate-the-commute">Recreate the commute</h3> <p>You might not have an office to go to, but it&rsquo;s still worth putting your shoes on and doing a bit of exercise each day. 
It could be a quick walk around the block or a vigorous bike ride into town. And it doesn&rsquo;t matter if you complete your &lsquo;commute&rsquo; in the morning, on your lunch break, or after you&rsquo;ve finished work. If you&rsquo;re self-employed, or able to set your own schedule, you might also prefer to &lsquo;commute&rsquo; at a time when everyone else is typically in the office. Experiment and find a routine that works best for you.</p> <blockquote> <p>A &lsquo;commute&rsquo; could expose you to people, weather, buildings, and places of natural beauty that you wouldn&rsquo;t have otherwise thought about.</p> </blockquote> <p>Stretching your legs <a href="https://www.nbcnews.com/better/health/why-walking-most-underrated-form-exercise-ncna797271">is great for your health</a> and will give your mind a chance to wander. Depending on the route, it could also expose you to people, weather, buildings, and places of natural beauty that you wouldn&rsquo;t have otherwise thought about. That in turn could lead to some new ideas that you can jot down and work on once you&rsquo;re back at home.</p> <h3 id="visit-a-cafe">Visit a cafe</h3> <p>Sitting in a coffee shop, diner, or restaurant can be an effective substitute for a traditional office. You&rsquo;ll see lots of different people and possibly overhear an interesting conversation (just remember to respect people&rsquo;s privacy!). Many creatives find they&rsquo;re more productive when surrounded by ambient noise – in this case, customer chatter mixed with clinking glasses, mugs, or cutlery. 
You can recreate this setting with <a href="https://youtu.be/BywDOO99Ia0">a coffee shop-inspired YouTube video</a> or <a href="https://open.spotify.com/playlist/3UEBkaOZDmX7RXxNNxYcBA?si=a5c0afacbd7a4ead">Spotify playlist</a>, though it&rsquo;s hard to top the real thing.</p> <p>Eating out every day can be expensive, so if you&rsquo;re looking for a cheaper alternative, try taking a packed lunch to your nearest park, beach, or lake – anywhere that other people are likely to meet up with friends or pass through.</p> <h3 id="meet-with-other-people">Meet with other people</h3> <p>Arrange an in-person catch-up with a friend, colleague, or family member – anyone that you enjoy bouncing ideas off. Alternatively, you can look for a group or club dedicated to your profession. Many cities have meetups for <a href="https://www.meetup.com/topics/photo/">budding photographers</a>, <a href="https://www.meetup.com/topics/film-makers/">filmmakers</a>, and <a href="https://www.meetup.com/topics/graphicdesign/">graphic designers</a>, for example. Listening to what other people are working on might help you come up with a new idea. In addition, these &lsquo;outsiders&rsquo; could have useful feedback and suggestions for the projects you&rsquo;re currently stuck on or stewing over.</p> <h3 id="consider-a-co-working-space">Consider a co-working space</h3> <p>If you&rsquo;re used to working in a traditional office, you might want to start using one again. A busy co-working space can provide the same hustle-and-bustle atmosphere as a popular cafe or coffee shop. Many people also find the process of leaving their home and entering another building helps to switch their brain into a more productive and creativity-focused mode.</p> <blockquote> <p>Many co-working spaces are designed with flexibility and spontaneous conversation in mind.</p> </blockquote> <p>The other major benefit is the potential to meet other people. 
Many co-working spaces are designed with flexibility and spontaneous conversation in mind. If you don&rsquo;t have an assigned desk, there&rsquo;s a good chance you&rsquo;ll be sitting next to different people each day. Some of them might be working in a similar field and would be happy to chat about creative projects.</p> <h3 id="take-breaks-at-home">Take breaks at home</h3> <p>If you&rsquo;re stuck or out of ideas, it&rsquo;s often better to walk away from your workstation and do something else. Water some plants, bake a delicious pie, or strum on a guitar for a while – anything that helps you to mentally reset and clear your mind. You don&rsquo;t want to relax for too long, otherwise you won&rsquo;t get anything done. But if you&rsquo;re really stuck, taking a short but meaningful break will make you more creative and productive in the long run.</p> <h2 id="physical-objects">Physical objects</h2> <h3 id="use-a-paper-notebook">Use a paper notebook</h3> <p>There are all sorts of note-taking apps that work great on a phone, PC, or tablet. But many people find old-fashioned paper is a better tool for quick thoughts, doodles, and diagrams that evolve into useful ideas. If you haven&rsquo;t used a notebook in a while, treat yourself to one by <a href="https://www.moleskine.com/en-us/">Moleskine</a>, <a href="https://www.leuchtturm1917.us/">Leuchtturm1917</a>, or <a href="https://fieldnotesbrand.com/">Field Notes</a>, and keep it close to wherever you normally work. Then, after a few weeks, flick through the pages and decide whether the format is having an effect on the volume and variety of ideas that you come up with.</p> <h3 id="consider-some-physical-media">Consider some physical media</h3> <p>You might have embraced the digital age and ditched your physical movies, albums, and video games. But if you work in a creative field, you might find inspiration in a beautifully-designed coffee table book, or from listening to one of your favorite vinyl records. 
There are many subscriptions that promise to send a different magazine, book, or record each month. These can shift your mindset and expose you to topics, stories, and ideas you might not have encountered or considered before.</p> <h2 id="an-inspiring-digital-diet">An inspiring digital diet</h2> <h3 id="build-a-creativity-feed-on-social-media">Build a &lsquo;creativity feed&rsquo; on social media</h3> <p>Open your favorite social media app on your phone: what do you see? For many, it&rsquo;s a disorganized mixture of friends, family members, celebrities and brands. You can think of it as an &lsquo;everything feed.&rsquo; To stay creative, you need a separate feed that&rsquo;s focused on your passion. One that won&rsquo;t distract you for hours, or require a half-hour of swiping to find something that&rsquo;s inspiring or relevant to your current project.</p> <p>You can do this in a few different ways. On Twitter, for example, you might want to create a List – a curated group of accounts that sits alongside your regular feed. But if you need more separation, you could just register for a second account instead.</p> <blockquote> <p>You need a separate feed that&rsquo;s focused on your passion.</p> </blockquote> <p>A &lsquo;creativity feed&rsquo; should be focused on quality over quantity. So consider your craft and the social network it&rsquo;s most associated with. If you&rsquo;re a graphic designer, for instance, <a href="https://dribbble.com/">Dribbble</a> and <a href="https://www.behance.net/">Behance</a> could be more useful than Twitter and Instagram. If you work in TV advertising, meanwhile, you might want to focus on YouTube and Vimeo instead.</p> <h3 id="try-an-rss-reader">Try an RSS reader</h3> <p>RSS feeds are one of the simplest ways to keep up with your favorite blogs and websites. 
Add them to your RSS reader of choice – something like <a href="https://feedly.com/">Feedly</a>, <a href="https://reederapp.com/">Reeder</a> or <a href="https://www.inoreader.com/">Inoreader</a> – and you&rsquo;ll be updated whenever they share something new. Many RSS readers will let you organize feeds into different folders, labels, or categories. So if you&rsquo;re a graphic designer, you could have separate inboxes for digital work, physical packaging, branding, and more – allowing you to drill down and focus on the medium you&rsquo;re currently working in.</p> <p>The advantage of an RSS reader is that it only shows what you&rsquo;ve already subscribed to. Unlike most social media platforms, you won&rsquo;t be bombarded with ads, promoted posts, or anything that isn&rsquo;t related to your passion or profession. That should make it easier to shut out distractions and find something that&rsquo;s inspiring or gives you a fresh perspective on the problem you&rsquo;re trying to tackle.</p> <h3 id="find-and-join-an-online-community">Find and join an online community</h3> <p>If you can&rsquo;t meet people in person, you should look for them online. Your ideal community might gather on social media, or a platform designed for smaller groups, like <a href="https://slack.com/">Slack</a> and <a href="https://discord.com/">Discord</a>. The aim is to find a group that can offer advice, mentorship, and ideas when you&rsquo;re stuck. Some communities also arrange calls where everyone works on their projects at the same time. That way, the entire group is encouraged to chip away at their respective problems and, with time, find a creative breakthrough.</p> <h2 id="keep-experimenting">Keep experimenting</h2> <p>These are just a handful of ideas to get you started. Everyone is different and there might be something else that gets your creative juices flowing. 
It could be practicing yoga in the morning, making an extra-special cup of coffee before work, or using <a href="https://todoist.com/productivity-methods/pomodoro-technique">the pomodoro technique</a> to come up with new ideas in short but highly-focused bursts of productivity.</p> <p>Keep experimenting and don&rsquo;t worry if you have a bad day, week or month. Research has shown that the average worker is only productive for three hours each day. You&rsquo;re not a machine and shouldn&rsquo;t expect to feel productive and creatively inspired all of the time.</p> <p>Finally, don&rsquo;t be afraid to ditch tactics and techniques that aren&rsquo;t delivering. Creativity isn&rsquo;t a science, after all – it&rsquo;s something unique to each person that requires nurturing.</p></description></item><item><title>Cybersecurity in the workplace: 15 tips to stay secure without burning out</title><link>https://blog.1password.com/stay-secure-without-burning-out-guide/</link><pubDate>Wed, 05 Jan 2022 00:00:00 +0000</pubDate><author>info@1password.com (Nick Summers)</author><guid>https://blog.1password.com/stay-secure-without-burning-out-guide/</guid><description> <img src='https://blog.1password.com/posts/2022/stay-secure-without-burning-out-guide/header.svg' class='webfeedsFeaturedVisual' alt='Cybersecurity in the workplace: 15 tips to stay secure without burning out' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Staying secure at work doesn&rsquo;t need to be complicated. Minimize stress and avoid burnout by following these simple cybersecurity tips.</p> <h2 id="how-cybersecurity-and-burnout-are-related">How cybersecurity and burnout are related</h2> <p>No-one wants to feel burned out at work. Battling physical or emotional exhaustion can impact your health, happiness, and any sense of professional fulfillment. 
That in turn can affect your productivity and the likelihood you’ll make an honest mistake that puts your company’s data at risk.</p> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div class="c-technical-aside-box__description"> <p><a href="https://blog.1password.com/state-of-access-report-burnout-breach/">Our first State of Access study</a> found that burned-out employees are 37% more likely than other workers to have poor practices when setting up work-related passwords.</p> </div> </aside> <p>While there are many factors that can lead to burnout, staying secure doesn&rsquo;t need to be one of them. Follow these 15 cybersecurity tips to protect yourself and your company from the vast majority of attacks:</p> <h2 id="passwords">Passwords</h2> <h3 id="1-use-strong-unique-passwords">1. Use strong, unique passwords.</h3> <p>That means no common passwords like “123456,” “qwerty” and “password,” or anything that includes your name or date of birth. They should also be long – we recommend at least 16 characters.</p> <p>All of your passwords should be unique, too. You might <a href="https://blog.1password.com/1password-and-sso-a-perfect-match/">use Single Sign-On (SSO) at work</a>, which lets you log into multiple apps and services with the same credentials. It doesn’t matter, however, whether you need to remember 10 or 10,000 passwords – all of them still need to be strong and unique. If you use the same set of characters for everything, you’re putting your company at risk.</p> <p>Here’s why: imagine you signed up for a new social network. Then, six months later, it was breached and every user’s password was leaked onto the internet. If you use the same password for everything, a criminal could use your leaked credentials to access other accounts you own.</p> <p>Of course, no one can remember 100 different passwords – especially if they’re random strings like “UmxT9t4s8B6sVhr6mvSo.” The solution? 
<a href="https://1password.com/business-pricing/">Adopt a password manager like 1Password</a> that can do the creating and remembering for you.</p> <h3 id="2-share-passwords-securely">2. Share passwords securely.</h3> <p>Everyone has passwords that they need to share from time to time. It could be the office Wi-Fi password, a subscription to a trade publication, or the license key for a specific app.</p> <p>Don’t rely on post-it notes, insecure text messages, emails, spreadsheets, or random text documents for these – <a href="https://blog.1password.com/psst-item-sharing/">use a password manager instead</a>. It’s secure and convenient because everyone will know exactly where to find your shared credentials.</p> <h3 id="3-use-two-factor-authenticationhttps1passwordcomfeaturestwo-factor-authentication-everywhere-its-offered">3. Use <a href="https://1password.com/features/two-factor-authentication/">two-factor authentication</a> everywhere it’s offered.</h3> <p><a href="https://1password.com/features/two-factor-authentication/">Two-factor authentication (2FA)</a> is an extra layer of security that protects your accounts from thieves who have managed to find or deduce one of your passwords.</p> <p>Here’s how it works: you can ask for a time-based one-time password (TOTP) to be sent any time someone tries to sign into your account – it could be via email, a dedicated authentication app, or text message (though we don’t recommend using SMS as it’s vulnerable to interception). Whoever is trying to sign in will then be asked to submit the TOTP along with your password. It’s a great system because an attacker is unlikely to have access to both the password and the place where you retrieve your TOTPs.</p> <p>You can even use 1Password to store and deliver these special codes. 
It’s <a href="https://blog.1password.com/totp-and-1password/#totp-isnt-the-same-as-two-factor-security">not quite the same as 2FA</a> because your passwords and TOTPs are stored in the same place, but this approach still offers plenty of security benefits and reduces the friction of using 2FA. If a criminal found one of your passwords in a leak, for example, they wouldn’t be able to log in without the TOTP code that you have stored inside 1Password.</p> <h2 id="hardware">Hardware</h2> <h3 id="4-keep-your-devices-up-to-date">4. Keep your devices up to date.</h3> <p>Most operating systems give you the option to apply security updates automatically. As a general rule, you should only use hardware that can run the latest version of Windows, macOS, Linux, iOS, or Android. And don’t use an operating system that is no longer receiving security updates, like Windows 7 – especially if you’re planning to use the internet.</p> <h3 id="5-protect-your-devices-with-a-strong-password-or-pin">5. Protect your devices with a strong password or PIN.</h3> <p>That means your PIN can’t be “1111” or the year you were born (they’re simply too easy for a criminal to guess). Alternatively, use a biometric unlock method like Windows Hello or Face ID. Both are convenient without compromising your device’s overall security.</p> <h3 id="6-consider-encrypting-your-hard-drives">6. Consider encrypting your hard drives.</h3> <p>Full-disk encryption (FDE) protects your system’s entire hard drive, including the operating system. If an attacker stole your device, they would be asked to provide the encryption key – which typically comes in the form of a password – to complete the boot-up process and access any data on the drive. 
To get started, follow the guides provided by <a href="https://support.apple.com/en-gb/guide/mac-help/mh11785/mac">Apple</a>, <a href="https://support.microsoft.com/en-us/windows/turn-on-device-encryption-0c453637-bc88-5f74-5105-741561aae838">Microsoft</a> and <a href="https://help.ubuntu.com/community/Full_Disk_Encryption_Howto_2019">the Linux community</a>.</p> <h3 id="7-dont-leave-your-devices-alone">7. Don’t leave your devices alone.</h3> <p>Now that the world is opening back up again, don’t forget that you should be on your guard in cafes, hotel lobbies and other public spaces. You should never leave your devices unattended and if you need to get up momentarily – to greet someone or retrieve a coffee order, for example – you should lock them or take them with you, just in case.</p> <p>The same principle applies to the office. Lock your devices whenever you leave your desk, just to be on the safe side. You don’t want to give anyone the chance to read your emails, steal sensitive company data, or take a picture of the top-secret project you’re working on.</p> <h3 id="8-turn-on-any-find-my-feature-thats-available">8. Turn on any ‘Find My’ feature that’s available.</h3> <p>You might work for a company that uses Mobile Device Management (MDM) software to help them track down lost hardware. If not, consider enabling any ‘Find My’ service that’s available on your devices. As the name implies, it will help you pinpoint your laptop, tablet or phone if it ever goes missing. If you’re particularly forgetful, consider investing in some Bluetooth trackers – like <a href="https://www.thetileapp.com/en-us/">the ones made by Tile</a>, or <a href="https://www.apple.com/airtag/">Apple’s AirTags</a> – for other belongings that don’t have a Find My service built-in.</p> <h3 id="9-keep-your-work-and-personal-life-separate">9. Keep your work and personal life separate.</h3> <p>If you’ve been given a work computer, remember that it’s just that: a device for work. 
Don’t give it to your children to play Fortnite, or to an older relative who is desperate to check their emails. If you have permission to use your device outside of work, take special care to ensure your personal and corporate data is kept separate.</p> <h2 id="connectivity">Connectivity</h2> <h3 id="10-protect-your-home-router">10. Protect your home router.</h3> <p>If you work from home, remember that your home router needs to be patched and updated occasionally, just like your phone and computer. You should opt into automatic updates or periodically check for new security patches. You should also protect your router with strong, unique passwords. That includes the router password – which is required to change various settings – and the Wi-Fi network password.</p> <h3 id="11-be-careful-when-connecting-to-public-wi-fi-networks">11. Be careful when connecting to public Wi-Fi networks.</h3> <p>If you’ve updated your router and set a strong password, you can be confident that your home Wi-Fi network is pretty secure. And if you work in an office, you should be able to trust the building’s Wi-Fi. In public, however, it’s a different story. Some public Wi-Fi networks are secure, but a large number are not. Attackers can use the latter to snoop on your web traffic and use that information for any number of unsavory things ranging from account theft to identity theft.</p> <p>But that doesn’t mean you should never use a public Wi-Fi network. You can protect yourself by using a <a href="https://blog.1password.com/how-a-vpn-works/">VPN</a> and avoiding Wi-Fi networks with suspicious names (it doesn’t take a security expert to know that “REALFreeAirportWIFI” probably isn’t legitimate). If you’re not sure, check with a nearby member of staff, or simply wait and connect somewhere else.</p> <h2 id="software">Software</h2> <h3 id="12-think-about-segmentation-when-using-apps-like-slack-and-microsoft-teams">12. 
Think about segmentation when using apps like Slack and Microsoft Teams.</h3> <p>The pandemic has forced more companies to experiment with apps like <a href="https://slack.com/">Slack</a>, <a href="https://www.microsoft.com/en-us/microsoft-teams/log-in">Microsoft Teams</a>, and <a href="https://discord.com/">Discord</a>. They’re incredibly powerful but need to be used responsibly. Stop and think before inviting someone into a new chat room, group, or channel. Do they really need access to a management-level discussion? And should that access be revoked after a period of time?</p> <p>It’s important to use groups and rooms, each with their own privacy settings, to keep information on a need-to-know basis. Otherwise, it’s more likely that sensitive information will leak or be accidentally shared with someone outside of your organization.</p> <h3 id="13-ensure-strangers-cant-join-your-video-calls">13. Ensure strangers can’t join your video calls.</h3> <p>You don’t want a random person sneaking into your company’s quarterly review meeting. If you’re using a platform like Zoom, <a href="https://blog.zoom.us/keep-uninvited-guests-out-of-your-zoom-meeting/">make sure the call is private and invite-only</a>. And if you have a shareable link, be careful where you post it.</p> <h3 id="14-take-care-with-files-stored-in-the-cloud">14. Take care with files stored in the cloud.</h3> <p>Many people use cloud-based platforms like Google Docs and Microsoft Office Online at work. If you need to share a project with someone else, be mindful of the privacy and permission settings you’ve chosen. If the file is sensitive, make sure that only invited people – rather than anyone with the correct link – can open it.</p> <h3 id="15-watch-out-for-phishing-emails">15. 
Watch out for phishing emails.</h3> <p>Cybercriminals will often impersonate a reputable company or person – a tactic known as phishing – and urge you to click on a link that seems legitimate, but actually sends you to a malicious site designed to steal your credentials or personal information.</p> <p><a href="https://www.firmofthefuture.com/content/phishing-attacks-are-on-the-rise-heres-how-to-avoid-them/">Keep your eyes peeled for phishing attempts</a>. Check the sender’s email address (does it seem legitimate?) and whether you’ve received any messages from them before. Scan for typos and pay close attention to any language that suggests you need to take quick, drastic action. If anything seems amiss, reach out to the supposed sender another way and check the email was authentic.</p> <p>Simply using a <a href="https://1password.com/password-manager/">password manager</a> can help protect you against phishing attacks. Every time you save a password, 1Password makes a note of the website URL. If you visit a scam site, the URL won’t match and 1Password won’t offer to <a href="https://1password.com/features/autofill/">autofill</a> your account credentials. That way, you’ll never be tricked into logging into a scam site like paypa1.com with your genuine PayPal username and password.</p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Want to learn more?</h3> <p class="c-call-to-action-box__text"> Read our first State of Access report to learn more about burnout and its growing impact on cybersecurity. It covers the effect of exhaustion on password choices, the use of shadow IT, and other potential risk factors. 
</p> <a href="https://1password.com/resources/2021-state-of-secure-access-report/?utm_ref=blog" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Read the report </a> </div> </section></description></item><item><title>1Password treats 🎁🍪 to wrap up the year ~ from Dave's newsletter</title><link>https://blog.1password.com/1password-treats-to-wrap-up-the-year-from-daves-newsletter/</link><pubDate>Tue, 21 Dec 2021 00:00:00 +0000</pubDate><author>info@1password.com (Dave Teare)</author><guid>https://blog.1password.com/1password-treats-to-wrap-up-the-year-from-daves-newsletter/</guid><description> <img src='https://blog.1password.com/posts/2021/daves-newsletter-dec/header.png' class='webfeedsFeaturedVisual' alt='1Password treats 🎁🍪 to wrap up the year ~ from Dave's newsletter' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">2021 has been an incredible year! 🙌 Here&rsquo;s my last newsletter of 2️⃣0️⃣2️⃣1️⃣ to wrap up the year. 🤗</p> <p>Hello everyone, 👋</p> <p>I hope you and your family are safe and well. 🙏</p> <p>I’m fortunate that my biggest concerns this year are stocking up on all the ingredients for our <em>three</em> family dinner celebrations and making sure everyone has something wrapped under the tree. I’m very thankful for that!</p> <p>We also have some presents for you. Let’s unwrap them together now, shall we?</p> <section class="c-call-to-action-box"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Dave&#39;s Newsletter</h3> <p class="c-call-to-action-box__text"> I wrote this letter for my newsletter subscribers and am sharing it here in case you missed it. Sign up and I'll send these directly to your inbox about once a month. 
🤗 </p> <a href="https://1password.com/newsletter/" class="c-call-to-action-box__link-href" data-event-category="CTA" data-event-action="call-to-action-button"> Sign up to my newsletter </a> </div> </section> <h2 id="1password-8-for-mac-is-now-in-beta-">1Password 8 for Mac is now in beta 🎉</h2> <p>I’m thrilled to announce that <a href="https://1password.com/products/">1Password 8</a> for Mac has officially entered beta. 🙌</p> <p>I shared the early access with you earlier and the response was incredible. I was blown away by how many people reached out to discuss our latest baby. 🥰</p> <p>Now that we’ve had a chance to polish things further we’re ready to invite all of you to our beta family and give it a go. Here’s the gorgeous design that will greet you.</p> <img src='https://blog.1password.com/posts/2021/daves-newsletter-dec/1password8-mac-hero.png' alt='1Password 8 for Mac main app, unlocked, showing my items with my Cookie Run Kingdom login highlighted' title='1Password 8 for Mac main app, unlocked, showing my items with my Cookie Run Kingdom login highlighted' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>I really love our new design language and the incredible speed of 1Password 8. And the all-new Quick Access gives me access to everything I need, all from a quick ⌘⇧Space keyboard shortcut. 🔥</p> <img src='https://blog.1password.com/posts/2021/daves-newsletter-dec/1password8-mac-quick-access.png' alt='1Password Quick Access running on Mac' title='1Password Quick Access running on Mac' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>There’s a ton of new features in this release and you can start enjoying them now before the official launch. 
If you enjoy being on the cutting edge, download the beta here to get started.</p> <p><a href="https://1password.com/downloads/mac/#beta-downloads">Download 1Password 8 beta for Mac</a></p> <p>1Password 8 will require a subscription to our 1Password membership and will rely exclusively on 1Password.com (or .ca🇨🇦 or .eu🇪🇺).</p> <p>If you are still using iCloud or Dropbox or WLAN Sync, now is a great time to migrate over your data so you’ll be ready for the new release. You can trade in your license for 50% off your first 3 years by launching 1Password 7 and clicking the upgrade link.</p> <p>Be sure to also join the development team and me in our <a href="https://1password.community/categories/desktop-betas">beta support forum</a> to discuss your experiences and help us gear up for an amazing launch next year. 🤘</p> <h2 id="movie-time-">Movie time 🎬</h2> <p>December is a super busy month for me so I often find myself looking for something to watch to rest, especially after a long day of baking or playing hockey.</p> <p>One of the places I like to go when I need to rest my muscles but still have an active mind is <a href="https://1password.com/webinars/">our webinars page</a>. Our team has some great talks to curl up in front of the TV with. 🍿</p> <ul> <li><a href="https://vimeo.com/645011220/7c0e64aaa9">Get to know 1Password 8 for Windows</a></li> <li><a href="https://vimeo.com/593528421/4c038b3bca">1Password Business Demo</a></li> <li><a href="https://vimeo.com/617321704">Debunking Cybersecurity Myths</a></li> <li><a href="https://vimeo.com/579535506">Introduction to 1Password Secrets Automation</a></li> </ul> <p>My favourite is our <a href="https://vimeo.com/646679546/b539890c32">Security Trends: Fireside Chat</a> on how we adapted to being fully remote, managing burnout, and creating a mentally healthy work environment. Those last points are especially important during the holiday season. 
💝</p> <h2 id="1password-families-">1Password Families 🤗</h2> <p>This time of year always gets me thinking of my family and how blessed I am to have them in my life. 💕</p> <p>Once again this year everyone wants to host dinner themselves, so to make sure everyone stays happy we are having <em>three</em> dinners. It’s a lot of fun (and delicious!) so nobody complains.</p> <p>After dinner Sara and I will once again remind my parents why it’s so important for them to actively use our <a href="https://1password.com/personal/">1Password family account</a>. None of us are getting any younger so it’s important we have access to important accounts, medical histories, and the like.</p> <img src='https://blog.1password.com/posts/2021/daves-newsletter-dec/families.png' alt='Illustration of 1Password for Families' title='Illustration of 1Password for Families' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>My mom is happily using our family account for her passwords now and doing great, but she often falls back to the old ways. To help get her thinking of more ways to use 1Password, I created a <a href="https://share.1password.com/s#iMLyp0cBqaY3lG6fXVBOUNzIjD8mUC0RHrZ8w1rVlTM">Cookie Run Kingdom tips &amp; tricks</a> secure note.</p> <p>Now when she gets stuck on a level in Cookie Run Kingdom, instead of messaging her I tell her about this secure note. It gets her excited to launch 1Password and I hope the rest will take care of itself.</p> <p>If you’re not on the family plan yet and looking for the perfect present for the holidays, upgrade to a families account and invite the people closest to you to join. Just <a href="mailto:support@1password.com">email us</a> and we’ll help get you set up. 🥰</p> <p>I&rsquo;d love to hear your tips &amp; tricks that you use to get your family members excited about using 1Password. 
You can find me <a href="https://twitter.com/dteare">@dteare</a> on Twitter and <a href="https://1password.community">in our forums</a>. And yes, I’d equally love to hear your Cookie Run Kingdom strategies as Abby has me quite addicted to that game at this point. 😂</p> <p>Until next time, take care and stay safe out there. 😘</p> <p>++dave;</p> <section class="c-call-to-action-box"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Dave&#39;s Newsletter</h3> <p class="c-call-to-action-box__text"> Sign up to my newsletter and I'll send you notes like these directly to your inbox. 🤗 </p> <a href="https://1password.com/newsletter/" class="c-call-to-action-box__link-href" data-event-category="CTA" data-event-action="call-to-action-button"> Sign up to my newsletter </a> </div> </section> <img src='https://blog.1password.com/posts/2021/daves-newsletter-dec/happy-snowperson.png' alt='Happy Snowperson illustration surrounded by presents' title='Happy Snowperson illustration surrounded by presents' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>P.S. Last month I <a href="https://share.1password.com/s#575ic_FhklIyCE0eangeHzZ8ioS8bnNm1ARMYf3PHFU">shared my pumpkin pie recipe</a> using our new item sharing service and I was delighted to see I struck a chord there. So many reached out to share their recipes and thank me for mine that I thought I’d share another. In the spirit of Cookie Run Kingdom I decided to share <a href="https://share.1password.com/s#_nZ68TzBPDll2sZThedQOEkNFBxPWPq23xCEww0sLcQ">my Gluten Free cookie recipe</a>. After all the care and attention I put into my pies you might be surprised how simple I kept this one. 😂</p> <p>P.P.S. My new MacBook Pro is everything I dreamed it would be! Writing newsletters here has been an absolute delight. 
😍</p></description></item><item><title>How fully remote companies can create a culture of security from day one</title><link>https://blog.1password.com/remote-companies-culture-of-security/</link><pubDate>Tue, 21 Dec 2021 00:00:00 +0000</pubDate><author>info@1password.com (Andrew Zangre)</author><guid>https://blog.1password.com/remote-companies-culture-of-security/</guid><description> <img src='https://blog.1password.com/posts/2021/remote-companies-culture-of-security/header.png' class='webfeedsFeaturedVisual' alt='How fully remote companies can create a culture of security from day one' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">In 2020, millions of businesses were <a href="https://blog.1password.com/remote-work-security-people/">thrust into remote work</a>. What started as necessity has revealed lasting benefits for both employers and employees, though. The model improved productivity and employee morale, while lowering operational costs. Between these benefits and the continued priority of worker safety, many startups are launching with a remote or hybrid approach from the outset.</p> <p>New businesses may find it easier to adopt this style of work because they don&rsquo;t have a team that&rsquo;s used to being in the office together, or to following processes that were never designed with a remote model in mind. This provides an advantage for cybersecurity, as well.</p> <p>With employees working from anywhere, security education and involvement are more crucial than ever. A <a href="https://1password.com/resources/culture-of-security/infographic-culture-of-security.pdf?utm_ref=resources">culture of security</a> can be a unifying force that makes safe online habits a source of pride, rather than a chore. The good news for startups is that it’s less work to create this from scratch than it is to transform an existing culture.</p> <p>It’s a privilege that fledgling businesses shouldn’t squander! 
If you’re growing a remote-first company or are just starting out, you can get security right the first time and minimize your risk of a <a href="https://1password.com/resources/how-to-avoid-a-data-breach/?utm_ref=resources">costly data breach</a>.</p> <h2 id="an-overdue-focus-on-cybersecurity">An overdue focus on cybersecurity</h2> <p>The “remote revolution” happened faster than anyone could have predicted, especially before the pandemic. And IT security is still catching up. Established businesses that made the shift had to rewrite their rulebooks, and unlearn old habits and processes. Unfortunately, a high number of companies <a href="https://www.techrepublic.com/article/companies-are-relaxing-cybersecurity-during-the-pandemic-to-boost-productivity/">relaxed their security protocols</a> to stay productive, creating a golden opportunity for cybercriminals.</p> <p>But awareness is spreading. More people are talking about data security at work, and <a href="https://venturebeat.com/2021/08/25/cybersecurity-startup-investments-more-than-doubled-in-h1-2021/">investments in cybersecurity startups are growing</a>. Modern concepts like the <a href="https://techcrunch.com/2021/10/21/starting-your-journey-to-zero-trust-adoption/">zero-trust model</a> are being adopted by companies big and small.</p> <p>Alongside these trends is a growing understanding that good security is about more than lofty infrastructure investments and hiring specialists with years of expertise. 
Training all employees and building a <a href="https://blog.1password.com/security-culture-explained/">culture of security</a> across the organization is a far more important defense against the vast majority of data breaches, which <a href="https://www.verizon.com/business/resources/reports/dbir/">involve a human element</a> like weak passwords and phishing emails.</p> <p>The secret is to make cybersecurity a shared responsibility and a natural part of your company’s operations, rather than a complex puzzle to solve.</p> <h2 id="foster-a-culture-of-security-wherever-your-employees-work">Foster a culture of security, wherever your employees work</h2> <p>As a fully distributed company since the beginning, 1Password has always embraced the <a href="https://www.forbes.com/sites/forbestechcouncil/2021/08/02/how-to-build-a-culture-of-security/?sh=5fd614843753">culture of security</a> concept. Employee security training starts at onboarding and is continuously strengthened through an easy-to-read handbook, <a href="https://blog.1password.com/introducing-1password-university/">1Password University</a> courses, and regular training on Zoom. Today, with working from home as the rule and not the exception, this mindset should be center stage for business decision-makers.</p> <p><a href="https://blog.1password.com/why-security-scare-tactics-dont-work/">Don&rsquo;t resort to scare tactics</a>, as <a href="https://www.wsj.com/articles/why-companies-should-stop-scaring-employees-about-cybersecurity-11607364000">they don&rsquo;t work</a> and will stop your business from building a collaborative culture of security. This is especially true for fully remote companies. Don’t scold or punish employees for using unapproved productivity apps (also known as “<a href="https://blog.1password.com/remote-work-shadow-it/">shadow IT</a>”). Instead, teach employees how to use these apps in the safest way possible. 
It will protect your business better in the long run and empower remote employees to work in a way that’s best for them.</p> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div class="c-technical-aside-box__description"> <p>Worried about shadow IT? Learn how to control and reduce the risks associated with shadow IT in our <a href="https://www.1password.university/learn/course/external/view/elearning/443/humanizing-shadow-it-with-1password-and-kolide">free 1Password University course</a>.</p> </div> </aside> <p>In a culture of security, mindful habits are a part of everyone’s routine. In turn, security feels like a manageable responsibility – not something complicated that only an IT department can handle.</p> <p>The right tools can play a big role. Not sure where to start? Embrace an <a href="https://1password.com/resources/get-serious-about-enterprise-password-management/">enterprise password manager</a> like 1Password. It will give your distributed team a secure and convenient way to create, manage, and <a href="https://1password.com/features/secure-password-sharing/">share passwords</a> and other private information. This single technology investment, paired with proper training, will close your biggest security gap. Your team becomes an active contributor to company cybersecurity, while making their own lives easier in the process.</p> <h2 id="the-benefits-of-a-security-first-mindset-when-working-remotely">The benefits of a security-first mindset when working remotely</h2> <p>As a new remote company, you can bake these ideas into your workflows and employee training from the get-go. 
To do so:</p> <ul> <li>Craft some thoughtful guidelines for safe online habits</li> <li>Build these policies into your onboarding and reinforce them with regular training</li> <li>Make sure remote workers know what security risks to look for and red flags they might encounter</li> <li>Assign or hire a dedicated security expert/team (if you don’t already have one) and facilitate any training that might be needed</li> <li>Facilitate a direct line of communication between employees and security experts to report suspicious activity or potential security snafus</li> </ul> <p>Together, these steps can nurture a security-first mindset in each team member that joins your company. Our <a href="https://1password.com/resources/creating-a-culture-of-security/?utm_ref=resources">guide to creating a culture of security</a> explains more about what information to include, who to involve, and how to maximize adoption within your team.</p> <p>The sooner you foster this mindset, the better. Because your up-and-coming business <a href="https://blog.1password.com/small-talk-cyberattacks/">can’t afford to deal with the fallout of a serious data breach</a>. Not to mention you’re keeping your customers safe.</p> <p>1Password helps employees contribute to your security culture and also take personal action with incident response. For example, our <a href="https://watchtower.1password.com/">Watchtower service</a> will alert employees if a site they use is breached, so they can immediately update the associated logins (or delete the accounts entirely). 1Password will also remind employees to strengthen any passwords that are either weak or reused on different accounts.</p> <p>By combining the right tools and teachings, your remote team’s security-first mindset will inform their daily routines both in and out of work. This culture of security will become a constant as your team scales and refines its processes. 
Wherever your employees are working from, this will help keep them, your company, and your customers safe.</p></description></item><item><title>5 reasons to stop using your web browser password manager</title><link>https://blog.1password.com/5-reasons-to-stop-using-your-web-browser-password-manager/</link><pubDate>Fri, 17 Dec 2021 00:00:00 +0000</pubDate><author>info@1password.com (Marius Masalar)</author><guid>https://blog.1password.com/5-reasons-to-stop-using-your-web-browser-password-manager/</guid></item><item><title>Small Talk: security considerations for your startup</title><link>https://blog.1password.com/small-talk-security-considerations/</link><pubDate>Wed, 15 Dec 2021 00:00:00 +0000</pubDate><author>info@1password.com (Andrew Zangre)</author><guid>https://blog.1password.com/small-talk-security-considerations/</guid><description> <img src='https://blog.1password.com/posts/2021/small-talk-security-considerations/header.png' class='webfeedsFeaturedVisual' alt='Small Talk: security considerations for your startup' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">As a startup, you might have branded swag well before a cybersecurity strategy. And it’s not hard to understand why. Printing stickers is easy. Knowing where to start with security – the who, what, how, and why – can feel a bit more daunting. But it doesn’t have to, and is far more important to your company’s future.</p> <p>Cybersecurity risks are growing by the day, especially for startups. <a href="https://www.zdnet.com/article/free-cybersecurity-tool-aims-to-help-smaller-businesses-stay-safer-online/">Almost half of smaller businesses</a> reported cybersecurity breaches or attacks over the last year, up from less than a third in the previous year. 
It’s an epidemic that forces <a href="https://www.inc.com/thomas-koulopoulos/the-biggest-risk-to-your-business-cant-be-eliminated-heres-how-you-can-survive-i.html">60 percent of affected businesses</a> to close within 6 months.</p> <p>Part of the problem is a lack of resources – small companies are often stretched thin, and IT hires aren’t always seen as a priority early on. But the larger issue is a lack of awareness. Startups often don’t know the extent of risks they face, their particular vulnerabilities, or that solutions don’t need to be expensive or complicated.</p> <p>If you’re leading a startup, and have a steady stream of Instagram posts but no cybersecurity plan, let’s fix that. The first step is building awareness so you can pass the baton of knowledge to your team and help nurture safe habits that protect your data.</p> <h2 id="the-many-roads-to-your-business-data">The many roads to your business' data</h2> <p>Love it or hate it, the internet is integral to modern business. You may offer a product or service that’s directly tied to it, like an enterprise chat app or a battle royale video game. Regardless, your business likely uses the internet to communicate – internally and with customers – perform certain tasks, and store information.</p> <p>If your business uses the web to store or share any kind of business data, you need to be mindful of cybercriminals. Even your employees’ web browsing is a risk factor. So if you think your data is safe and sound, you may need to reconsider.</p> <p>The remote work transformation tossed a bunch of gasoline onto the cybersecurity fire. With employees working anywhere and everywhere, each new device, app, and network they use could create the opening cybercriminals are looking for. In some cases, even personal and family web usage can open a backdoor to company data. 
Without the right strategy, this can be overwhelming for a startup to deal with.</p> <p>Devices, apps, routers, networks – there’s plenty to consider when it comes to securing your data. One compromised account can potentially expose your most sensitive data. To minimize those risks, make security a teamwide effort.</p> <p>If you don’t have one, create a small handbook or set of security policies that everyone can follow – like using strong, unique passwords for all their accounts. As you scale, you’ll want a dedicated security expert or team to help oversee these efforts. In the meantime, make it a collective responsibility with some clear messaging from the top. <a href="https://www.g2.com/categories/managed-security-services-mssp">Third-party security services</a> are available for different aspects of security as you go, or if you just need <a href="https://www.g2.com/categories/cybersecurity-consulting">cybersecurity consulting</a> in general.</p> <h2 id="make-access-a-privilege-with-account-permissions">Make access a privilege with account permissions</h2> <p>Any employee or business partner with access to your startup’s information needs to maintain long, complex credentials for their accounts. (The largest cause of data breaches is <a href="https://www.verizon.com/business/resources/reports/dbir/">weak and reused passwords</a>, after all.) Another major step is keeping this access on a “must-have” basis.</p> <p>This basic idea is nothing new. Years ago, security experts adopted the “<a href="https://blog.1password.com/guiding-principles-how-least-privilege-leads-to-more-security/">principle of least privilege</a>” (or PoLP) to describe a safer approach to access management. PoLP encouraged companies to limit all access – device, software, network, sensitive data – to those who need it. And to add new users on a case-by-case basis from there. 
Doing so limits your data’s exposure, and the number of accounts that are susceptible to being compromised.</p> <p>Recently, the term “<a href="https://www.forbes.com/sites/forbestechcouncil/2021/07/15/how-to-implement-a-zero-trust-model-of-cybersecurity-into-your-organization/?sh=28f45ce9680d">zero-trust model</a>” picked up where PoLP left off. Popularized by Microsoft, which used the model in their own security strategy, zero trust requires even those most trusted in an organization to reverify their identity when accessing a critical system or drive, or executing certain functions. This is done through multi-factor authentication (MFA) or another advanced verification method.</p> <p>Larger businesses will often use identity access management (IAM) tools like Okta to assist with PoLP or zero-trust authentication. As a startup, you might not have the budget or team size to justify these sorts of tools. But that doesn’t mean you can’t invest in the same principles.</p> <p>Use segmentation to control what people can see on apps like Slack, and set permissions on productivity tools such as Google Docs. For that added “zero-trust” layer, encourage employees to use <a href="https://support.1password.com/one-time-passwords/">two-factor authentication</a> (2FA), especially with your more critical data or systems. These security solutions don’t require much time or money to implement – and can save you from major headaches in the future.</p> <h2 id="test-protect-and-monitor-your-digital-assets">Test, protect, and monitor your digital assets</h2> <p>It’s a good idea to document and track your portfolio of digital assets, including devices, apps, and hard drives. 
<a href="https://www.g2.com/categories/asset-management-f3e79baa-6f93-4d40-b734-16e9b562fc14">Asset monitoring</a> and <a href="https://www.g2.com/categories/application-performance-monitoring-apm">application performance monitoring software</a> might come in handy for the task, especially as your <a href="https://blog.1password.com/clean-up-digital-footprint/">digital footprint</a> scales.</p> <p>The next step is taking care of any suspicious files or activity. <a href="https://www.g2.com/categories/antivirus">Antivirus software</a> can help detect and erase unwanted files or programs on devices and networks, whether they currently exist or appear in the future. Use tools like <a href="https://www.g2.com/categories/security-risk-analysis">security risk analysis software</a> to scan IT assets for problem areas and suggest updates for optimal protection.</p> <p>There’s no shortage of high-tech security tools out there. But the best defense is also the most obvious (and affordable). Wherever a login credential might be used – be it an employee’s laptop, your Wi-Fi networks, cloud storage folders, or software tools – make sure they’re up to par. Every registered user should create strong, unique passwords and keep them safely stored, to reduce the chances of an attacker gaining unwanted access. 1Password can assist with the whole process, from <a href="https://1password.com/password-generator/">generating passwords</a> to storing them and even <a href="https://support.1password.com/share-items/">safely sharing items</a> across your team.</p> <p>(Read how a <a href="https://1password.com/resources/creating-a-culture-of-security/?utm_ref=resources">culture of security</a> can help foster safe habits across your startup.)</p> <p><a href="https://watchtower.1password.com/">1Password Watchtower</a> will also alert your employees if any site or service they use is compromised. 
Anyone with admin privileges can routinely create <a href="https://1password.com/business/domain-breach-report/">domain breach reports</a> that show any company email addresses affected by breaches around the web. You can also monitor your technology with other risk management and security tools like <a href="https://www.g2.com/categories/vulnerability-scanner">vulnerability scanner software</a>, which can help rectify potential issues and identify new vulnerabilities as they arise. Lastly, <a href="https://www.g2.com/categories/threat-intelligence">threat intelligence software</a> can be used to keep your finger on the pulse of emerging threats.</p> <p>Even with incredibly tight measures in place, you need to plan for all possibilities. Put together a detailed <a href="https://www.cisco.com/c/en/us/products/security/incident-response-plan.html#~how-to-create-a-plan">incident response plan</a> so your team can collectively investigate red flags and minimize the damage.</p> <h2 id="check-your-list-check-it-twice">Check your list, check it twice</h2> <p>Staying agile is a core part of #StartupLife, and cybersecurity is no exception. Security is never “done” as threats evolve along with your company’s own risk factors. Stay alert and don’t allow your startup to fall behind; attackers pounce quickly on any security gaps that open up.</p> <p>Each new app, user, and device should be audited and secured before use. Employees will need to stay vigilant when downloading personal apps or connecting their own devices and accounts at home, and create strong credentials wherever they’re needed.</p> <p>When updates are made available – for devices, software programs, what-have-you – they should be downloaded and installed immediately. Work with your employees to keep technology and accounts up to date. 
If you or your team are notified of any compromised sites or weak passwords they have in place, this information needs to be updated to eliminate possible pathways to your vulnerable data.</p> <p>If you have an IT team or an appointed “security specialist,” schedule regular meetings with them. Here you can review the health of your IT infrastructure, discuss any recent incidents, take note of emerging threats, and plan action items to bolster security.</p> <p>At least one person needs to keep up with the people and projects inside the business, and modify account privileges where necessary. When someone is promoted, for example, they generally need access to more passwords, projects, and chat rooms.</p> <p>It&rsquo;s equally important that administrators revoke access when a team member decides to leave the company, or wraps up their portion of work on a highly sensitive project. This is especially true for any IT workers themselves. A recent 1Password survey showed that <a href="https://1password.com/resources/risks-of-mismanaging-corporate-secrets/?utm_ref=resources">88 percent of developers and IT professionals working at startups</a> still have access to a former employer’s technical infrastructure or development environments.</p> <p>Here’s a checklist of items to go over with your team to cover security from all angles:</p> <ul> <li>Fill or create IT/Security roles, or hire a managed services provider.</li> <li>Educate employees and stay up-to-date on potential threats.</li> <li>Take inventory of all assets (hardware and software).</li> <li>Test, scan, and update all assets, networks, and drives.</li> <li>Encrypt sensitive company data and drives.</li> <li>Create security guidelines and make them easily accessible to your team.</li> <li>Determine minimum access levels and add permissions only where necessary.</li> <li>Mandate that employees create strong, unique passwords for all devices and accounts.</li> <li>Enable threat detection and other asset 
monitoring.</li> <li>Create an incident response plan and train/test IT on readiness.</li> <li>Schedule regular updates for all assets and review of policies.</li> </ul> <h2 id="empower-employees-to-do-their-part-to-protect-your-company">Empower employees to do their part to protect your company</h2> <p>Effective security is a true team effort. Just like your employees rock the company swag, they should be proud and fully invested in your security guidelines. With the right messaging, education, and tools, you can bake cybersecurity into your startup’s culture.</p> <p>Secure habits and things to look out for should be clearly spelled out, and easily accessible for all employees. A few guidelines to include:</p> <ul> <li>Create strong, unique passwords for each account and device, including those not provided by the company.</li> <li>Update passwords immediately in the event of a data breach or other security incident.</li> <li>Only <a href="https://1password.com/features/secure-password-sharing/">share passwords</a> and other private information over secure channels (like 1Password).</li> <li>Don’t click on suspicious links in emails, fill out random forms on the web, or download untrustworthy files.</li> <li>Install software updates and security patches when made available.</li> </ul> <p>To help educate employees and keep them engaged, include security training as part of onboarding and plan ongoing teamwide training sessions. This should include training on tools like 1Password that not only help them build secure habits but improve productivity and collaboration as well. Take advantage of <a href="https://blog.1password.com/introducing-1password-university/">1Password University</a> (which is completely free!) 
to build your team’s security knowledge and create an army of 1Password experts.</p> <p>A password manager like 1Password is not just the easiest consideration for your small business security, but can also be the most impactful, closing your most prominent security gap (weak and reused passwords). <a href="https://1password.com/business/">1Password Business</a> users also get <a href="https://support.1password.com/link-family/">free accounts for their families</a>. That means you can protect your team and their loved ones at home, and eliminate these backdoors to your company data.</p> <p>A culture of security will grow with your startup, and offer peace of mind as you reach milestone after milestone. So the considerations you make now are an investment that will last. Your logo may change – and you’ll need to reprint your hats, if so – but a security-first mindset will be a reliable companion in your startup’s journey, wherever it leads.</p></description></item><item><title>We donated $50,000 to Sustainable Ocean Alliance to help protect our oceans</title><link>https://blog.1password.com/supporting-sustainable-ocean-alliance/</link><pubDate>Mon, 13 Dec 2021 00:00:00 +0000</pubDate><author>info@1password.com (Jeannie De Guzman)</author><guid>https://blog.1password.com/supporting-sustainable-ocean-alliance/</guid><description> <img src='https://blog.1password.com/posts/2021/supporting-sustainable-ocean-alliance/header.svg' class='webfeedsFeaturedVisual' alt='We donated $50,000 to Sustainable Ocean Alliance to help protect our oceans' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Finding new ways to help the planet and the people around us is some of the most important work we do here at 1Password. At some point we started to wonder, what can we do to support the health of our oceans? 
As part of our continuing <a href="https://blog.1password.com/1password-for-good/">1Password for Good initiative</a>, we’ve decided to partner with the Sustainable Ocean Alliance to make a positive impact on our environment.</p> <p><a href="https://www.soalliance.org/">Sustainable Ocean Alliance</a> (SOA) is a global community of over 6,000 youth, experts, and entrepreneurs based in 165 countries, all collaborating to solve the greatest challenges facing our ocean. They support solutions and projects that address the targets of <a href="https://sustainabledevelopment.un.org/sdg14">United Nations Sustainable Development Goal 14</a>: to conserve the ocean and sustainably use marine resources. SOA does this by providing funding, network access, mentorship, and other resources to startups and grassroots leaders around the globe who are working to improve ocean health.</p> <h2 id="seas-the-day-">Seas the day 🌊</h2> <p>Our donation of $50,000 supported 10 projects, with missions that range from creating a mangrove tree nursery to helping develop educational programs for youth and adults. 
All are working to restore and protect ocean ecosystems, preventing their destruction and subsequent consequences on marine life, habitats, and local communities.</p> <p>We are so proud to help the following projects achieve their missions:</p> <ul> <li>Dive into Marine Science and ICC Day, Gambia</li> <li>AdvocaSEA Camp, Brunei</li> <li>Inspiring the Rising Generation of Ocean Advocates, United States of America</li> <li>Moving Towards Zero: Global Challenge Campaign, Spain, United States of America, Canada</li> <li>Empowering Ocean Communities in Thailand, Thailand</li> <li>Ocean Literacy Online Course for Educators, Brazil</li> <li>Green School Blue Future Curriculum, Honduras</li> <li>La Academia 2021, Peru</li> <li>&ldquo;The Engagement We Need for the Ocean We Want&rdquo;, Brazil</li> <li>Mangrove Week from Martinique to the Caribbean, Martinique</li> </ul> <p>A closer look at a few of the projects we are supporting:</p> <h2 id="shoring-up-mangrove-education-">Shoring up mangrove education 🏝️</h2> <p>One project we’re excited to support is Mangrove Week, created by the NGO <a href="https://www.facebook.com/rootsofthesea">Roots of the Sea</a>. Mangroves are a unique ecosystem that is home to thousands of species, and they help stabilize shorelines to prevent coastal erosion. The threat to mangroves from pollution, climate change, and coastal development puts the biodiversity of the region at risk.</p> <p>Roots of the Sea was able to bring together Martiniquan and Caribbean youth to create a mangrove tree nursery (planting 50-75 mangroves) and they conducted a mangrove cleanup event. 
They are now working to establish a mangrove network across the Caribbean with other organizations and to bring the focus to mangroves beyond just one week each year.</p> <h2 id="choose-zero-and-be-an-environmental-hero-">Choose zero and be an environmental hero ♻️</h2> <p>The <a href="https://gozerowaste.app/en/">Go Zero Waste App</a> helps people overcome the barriers to leading a zero waste lifestyle. This exciting project organizes interactive challenges that promote sustainable habits and local trade. It does so by linking each action to earning points, saving waste, and providing rewards and incentives.</p> <p>By helping individuals decrease their consumption, and to start using sustainable products, the Go Zero Waste app will help reduce the amount of waste finding its way into landfills and oceans. Launching in Spain, the United States, and Canada – with campaigns co-created with companies, governments, and in collaboration with SOA – the Go Zero Waste App is primed to make a significant splash.</p> <h2 id="the-sea-son-to-support-our-oceans-">The sea-son to support our oceans 🌎</h2> <p>You, too, can help support SOA in their mission to connect groups and projects dedicated to restoration with mentorship and funding. You can <a href="https://www.soalliance.org/donation/">donate to SOA</a>, or <a href="https://www.soalliance.org/about/#cont-form">contact SOA to get involved</a>. Take your first step today – dip your toe in the water and help make a positive impact on our oceans.</p> <p>We believe protecting our oceans is an important responsibility and we are proud to be able to help support so many amazing initiatives. This ongoing effort will help create a healthy ecosystem, so we don’t have to be salty about the state of our oceans anymore. 
Thank you for your support in 1Password – it allows us to continue supporting causes that are important to us, and that impact everyone.</p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Donate to Sustainable Ocean Alliance</h3> <p class="c-call-to-action-box__text"> Make a donation to help SOA find solutions to the ocean’s greatest challenges. </p> <a href="https://www.soalliance.org/donation/" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Donate now </a> </div> </section></description></item><item><title>Data breach 101: How you can stay safe online</title><link>https://blog.1password.com/data-breach-101-stay-safe-online/</link><pubDate>Fri, 10 Dec 2021 00:00:00 +0000</pubDate><author>info@1password.com (Emily Chioconi)</author><guid>https://blog.1password.com/data-breach-101-stay-safe-online/</guid><description> <img src='https://blog.1password.com/posts/2021/data-breach-101-stay-safe-online/header.png' class='webfeedsFeaturedVisual' alt='Data breach 101: How you can stay safe online' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">If you feel like you can’t go a week without hearing about yet another data breach on the news, you’re not experiencing déjà vu. <a href="https://fortune.com/2021/10/06/data-breach-2021-2020-total-hacks/">Data breaches are on the rise</a>, and massive organizations like <a href="https://www.businessinsider.com/solarwinds-hack-explained-government-agencies-cyber-security-2020-12?IR=T">Solar Winds</a> and <a href="https://www.npr.org/2021/04/09/986005820/after-data-breach-exposes-530-million-facebook-says-it-will-not-notify-users">Facebook</a> aren’t the only ones vulnerable to attack.</p> <p>From businesses to individuals, data breaches can affect anyone. 
For example, small and medium-sized businesses are now targeted by <a href="https://markets.businessinsider.com/news/stocks/cybercriminals-narrow-their-focus-on-smbs-according-to-the-acronis-cyberthreats-report-mid-year-update-1030688981">70% of cyber attacks</a>, and <a href="https://www.verizon.com/business/resources/infographics/dbir-statistics.pdf">58% of breaches</a> involve personal data.</p> <p>It might seem like a battle you just can’t win, but there are ways to minimize your risk and stay secure online. We’ll walk you through a simple data breach definition, <a href="https://blog.1password.com/how-to-protect-yourself-against-the-next-big-data-breach/">how to protect yourself from a data breach</a>, hacking and social engineering attacks, and what you need to do if your data is ever compromised.</p> <h2 id="what-is-hacking">What is hacking?</h2> <p>People often confuse the words &ldquo;hack&rdquo; and &ldquo;breach&rdquo; or use them interchangeably. So before we go any further, let&rsquo;s quickly clarify what they mean. Hacking is when someone, sometimes called a “black hat hacker,” aims to compromise a digital device and gain unauthorized access to the sensitive information stored on it. This might sound pretty straightforward, but there’s a bit more to it.</p> <p>While hacking refers to specific techniques like <a href="https://blog.1password.com/what-is-a-brute-force-attack-and-whats-the-best-defense/">brute-force attacks</a>, which rely on trial-and-error to crack someone&rsquo;s password, many people use &ldquo;hacking&rdquo; informally to describe a wide range of cybercrime. 
Hacking can often be used as a vague and broad term that, in reality, ends up encompassing several different types of scenarios and vulnerabilities you want to be aware of.</p> <h2 id="what-is-a-data-breach">What is a data breach?</h2> <p>A data breach is what happens as a result of hacking – someone with malicious intent has gained access to sensitive data, such as financial information or social security numbers. This data may be sold on the <a href="https://1password.com/features/dark-web-monitoring/">dark web</a>, held under ransom for payment, or leaked to the public. The cause of the breach can vary widely, so it’s important to understand the several types of vulnerabilities that hackers will try to exploit.</p> <h2 id="common-types-of-data-breaches">Common types of data breaches</h2> <p>In order to protect yourself or your business, it’s crucial to understand the different types of data breaches. If you know what to look out for, you can take precautions and minimize your risk.</p> <ul> <li><strong>Password attacks.</strong> Stolen passwords are one of the most common types of data breaches. Using easy, guessable passwords leaves you vulnerable to a brute-force attack, a trial-and-error hacking method used to guess your password. 
If you reuse passwords, many cybercriminals will also use previous breaches to gain access to your other accounts.</li> <li><strong>Ransomware.</strong> Ransomware is a type of software that blocks access to files and data until a ransom is paid to the attacker(s).</li> <li><strong>Malware.</strong> Malware is malicious software or viruses that can be sent to your device to exploit data, software, and hardware.</li> <li><strong>Keystrokes.</strong> Keyloggers are a type of malware that attackers use to record what you type, like passwords and credit card numbers.</li> <li><strong>Phishing.</strong> Phishing is a social engineering attack that involves sending fraudulent communications, usually emails or text messages, to trick the recipient into sharing sensitive data or information.</li> <li><strong>Pretexting.</strong> Pretexting is another type of social engineering attack where a hacker will create a situation or pretext, like pretending to be a customer service rep from your bank, in order to trick the victim into sharing sensitive information.</li> <li><strong>Physical exposure.</strong> This can range from losing your phone or laptop to writing down your passwords on a piece of paper that can be stolen.</li> </ul> <p>Armed with this knowledge, you can now work towards prevention and preparation in the event of an incident.</p> <h2 id="what-to-do-when-your-data-has-been-breached">What to do when your data has been breached</h2> <p>When there’s news of a data breach, it&rsquo;s important to secure yourself or your business and change any affected credentials immediately. 
Not sure where to begin, or what you should be doing first?</p> <p>For individuals, we&rsquo;ve got a step-by-step guide that explains <a href="https://blog.1password.com/what-to-do-when-you-get-a-data-breach-notification/">what to do the moment you get a data breach notification in 1Password</a>, from how to change your password to taking advantage of Watchtower.</p> <p>For businesses, check out our guide &lsquo;<a href="https://1password.com/resources/how-to-avoid-a-data-breach/?utm_ref=resources">How to avoid a data breach</a>&rsquo; to minimize your risk and become a security-first organization.</p> <h2 id="how-a-password-manager-can-help">How a password manager can help</h2> <p>The reality is, data breaches occur – there&rsquo;s always a chance that someone will find a vulnerability in your system or use social engineering to gain access to something valuable. It could even lead to identity theft. That’s why preparing for the possibility of a data breach with the help of a <a href="https://blog.1password.com/password-manager/">password manager</a> is your safest bet.</p> <p>At home or in the office, a good password manager does more than create strong, unique passwords – it also helps you respond to data breaches. <a href="https://watchtower.1password.com/">1Password Watchtower</a> alerts you to security problems with the websites you use so you can keep all your accounts safe. 
It lets you know where you can enable <a href="https://1password.com/features/two-factor-authentication/">two-factor authentication</a>, notifies you if any of your passwords have appeared in a data breach, and alerts you to weak or reused passwords.</p> <p>If you&rsquo;re a 1Password Teams or <a href="https://1password.com/business/">1Password Business</a> customer, you can also use <a href="https://1password.com/business/domain-breach-report/">Domain Breach Reports</a> to see whether anyone with a company email address has been affected by a known data breach.</p> <p>Whatever your needs, with 1Password, staying secure online has never been easier.</p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Ready to protect yourself?</h3> <p class="c-call-to-action-box__text"> Keep all of your accounts secure with 1Password, the world's most-trusted password manager. Get started today with a free 14-day trial. </p> <a href="https://1password.com/business-pricing/" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Try free for 14 days </a> </div> </section></description></item><item><title>Burnout: The next great security threat at work</title><link>https://blog.1password.com/state-of-access-report-burnout-breach/</link><pubDate>Tue, 07 Dec 2021 00:00:00 +0000</pubDate><author>info@1password.com (Nick Summers)</author><guid>https://blog.1password.com/state-of-access-report-burnout-breach/</guid><description> <img src='https://blog.1password.com/posts/2021/state-of-access-report-burnout-breach/header.svg' class='webfeedsFeaturedVisual' alt='Burnout: The next great security threat at work' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Many companies feel like they&rsquo;ve successfully pivoted to remote and hybrid work. 
Team members have learned the tools and processes required to be successful outside the office, and IT departments have adjusted their security rules and policies accordingly.</p> <p>But now, nearly two years into the pandemic, another cybersecurity threat has emerged: <a href="https://blog.1password.com/stay-secure-without-burning-out-guide/">employee burnout</a>.</p> <p>Work-related exhaustion isn&rsquo;t a new phenomenon, but <a href="https://www.theguardian.com/society/2021/feb/05/pandemic-burnout-rise-uk-latest-covid-lockdowns-take-toll">it&rsquo;s been amplified by Covid-19</a>. And when it&rsquo;s left unaddressed, burnout can put companies at risk because it influences employees' habits and decision making.</p> <p>To understand the issue, 1Password surveyed 2,500 adults in the U.S. and Canada who are in full-time employment and spend most of their working hours in front of a computer. It&rsquo;s the focus of our first annual State of Access study, which explores the latest security threats, how workers feel about them, and what businesses should do to protect themselves.</p> <h2 id="our-key-findings">Our key findings</h2> <ul> <li> <p><strong>Burnout is a huge problem across the U.S. 
and Canada.</strong> 80% of office workers and 84% of security specialists told us they’re feeling burned out.</p> </li> <li> <p><strong>Burnout is tied to poor security habits.</strong> 20% of burned-out workers feel their company&rsquo;s security policies &ldquo;aren&rsquo;t worth the hassle,&rdquo; compared to 7% of workers who aren&rsquo;t burned out.</p> </li> <li> <p><strong>Burnout impacts people&rsquo;s password choices.</strong> 12% of burned-out respondents use the same password or just a few different passwords for everything at work, compared to 7% of workers who aren&rsquo;t feeling mentally or physically exhausted.</p> </li> <li> <p><strong>Burned-out workers are more likely to use shadow IT.</strong> Almost half (48%) of burned-out employees told us they were creating, downloading or using software at work that hadn&rsquo;t been approved by their company&rsquo;s IT department.</p> </li> <li> <p><strong>Burnout, the great resignation, and security habits are all connected.</strong> Employees who are ready to resign are more likely to feel that convenience is more important than security at work.</p> </li> <li> <p><strong>Ready-to-resign workers use more shadow IT.</strong> 49% of workers looking to switch jobs are using unapproved software, compared with 34% of those who are happy in their current job.</p> </li> </ul> <h2 id="read-the-full-report">Read the full report</h2> <p>If you want to learn more about burnout and its growing impact on cybersecurity, <a href="https://1password.com/resources/2021-state-of-secure-access-report/?utm_ref=blog">check out the full report</a>. 
It goes into greater detail about workers' password choices, their use of <a href="https://blog.1password.com/remote-work-shadow-it/">shadow IT</a>, and other potential risk factors at work, such as allowing friends and family to use a company-provided device.</p> <h2 id="whats-the-solution">What&rsquo;s the solution?</h2> <p>Our first State of Access study considers how technology, and specifically automation, could make it easier for workers to follow company rules and policies. It also asks what employees are looking for when they turn to unauthorized software.</p> <p>But these sections barely scratch the surface of the burnout problem. We hope our survey encourages companies to reflect on the wellness of their employees and the steps they could take to make everyone feel happier and healthier. That, in turn, will lead to teams that are not only productive and energized, but working together to keep your business secure.</p> <p>Not sure where to begin? 1Password CEO Jeff Shiner and CTO Pedro Canahuati will be discussing our latest study and what businesses can do about burnout <a href="https://1password.com/webinars">in a virtual fireside chat</a> on December 8th at 2PM ET/11AM PT.</p> <p>We hope to see you there.</p></description></item><item><title>Secret Key: What is it, and how does it protect you?</title><link>https://blog.1password.com/what-the-secret-key-does/</link><pubDate>Mon, 06 Dec 2021 00:00:00 +0000</pubDate><author>info@1password.com (Jeffrey Goldberg)</author><guid>https://blog.1password.com/what-the-secret-key-does/</guid><description> <img src='https://blog.1password.com/img/headers/security-header.svg' class='webfeedsFeaturedVisual' alt='Secret Key: What is it, and how does it protect you?' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">A unique feature of 1Password&rsquo;s security is the Secret Key, but its value is often misunderstood by users and security experts alike. 
Instead of thinking in terms of “is it like a second factor” or “is it like a key file,” it&rsquo;s best to explain it in terms of what it actually does: It protects you if we were to be breached.</p> <h2 id="what-is-the-secret-key">What is the Secret Key?</h2> <p>The <a href="https://blog.1password.com/questions-about-using-1password-for-the-first-time/#what-is-a-secret-key">Secret Key</a> is central to what makes 1Password&rsquo;s security uniquely strong. It offers our users exceedingly strong protection if our servers were to be breached. However, its uniqueness makes it difficult to understand. Not only is it difficult to understand, it places an additional burden on users. Burdening users with an additional task that is hard to understand is really not our style. The fact that we do so should give some idea of just how important the Secret Key is for security.</p> <h2 id="a-cracking-review">A cracking review</h2> <p>Let&rsquo;s review what happens when some service gets breached. If you already know a bit about password cracking and hashing, just skip this section.</p> <p>Lots of things happen when a service gets breached, but let&rsquo;s review what it means for the password someone may use for that service. Suppose Molly (one of my dogs) signs up for the service Barkbook using the password <code>Squirrel!</code>. Molly, as some regular readers may recall, is obsessed with squirrels and really bad at picking passwords. When Molly first signs up, Barkbook will receive the password and store a hash of it. To keep the examples short, I am going to pretend that Barkbook uses a very outdated password hashing scheme. Barkbook would store something like&hellip;</p> <pre tabindex="0"><code>$1$NP8pjY13$Fb/z9cqyMwjysyTodjbec/ </code></pre><p>&hellip;which includes an indicator of the hashing scheme, the salt, and the hash. The hash is the <code>Fb/z9cqyMwjysyTodjbec/</code> part. 
Every time someone tries to log in as Molly, Barkbook would use the same hashing scheme with the stored salt to hash the received password. If the hash matches what is stored, Barkbook will let the user in as Molly.</p> <p>Now suppose that Mr. Talk (the neighbor&rsquo;s cat, who is always up to no good as far as Molly is concerned) has breached Barkbook, obtaining the database of password hashes. It&rsquo;s impossible to compute <code>Squirrel!</code> from <code>Fb/z9cqyMwjysyTodjbec/</code> and the salt. So it would seem that this would not help Mr. Talk with his nefarious schemes. But Mr. Talk can make use of the hash. He can use it to test guesses at Molly&rsquo;s password. Mr. Talk might very well suspect that Molly&rsquo;s passwords are based on either the words &ldquo;rabbit&rdquo; or &ldquo;squirrel.&rdquo; Mr. Talk may also know that Barkbook requires an uppercase letter and a symbol in their passwords. Using this knowledge he can narrow the list of likely passwords to just a few thousand, or tens of thousands. It takes no time at all for Mr. Talk to compute the hashes of all of those likely passwords until he gets a match.</p> <aside class="c-technical-aside-box c-technical-aside-box--background" aria-labelledby="arent-hashes-irreversible-technical-aside"> <h2 class="c-technical-aside-box__title" id="arent-hashes-irreversible-technical-aside"> Aren&#39;t hashes irreversible? (Technical aside) </h2> <div class="c-technical-aside-box__description"> <p>A secure hash function is supposed to be irreversible. That is, the hash itself gives you no useful information about the pre-image of the hash. (The pre-image of the hash in these cases is the password that was hashed.) And yet, we are saying that having the hash of a password can be very useful in learning the password. There is no contradiction because the definition of pre-image resistance is explicitly limited by the entropy of the pre-image. 
That is, it is only hard to guess the pre-image from the hash if the pre-image is hard to guess in the first place.</p> </div> </aside> <p>Because Mr. Talk has the hash, he doesn&rsquo;t need to test these by trying to log in through the Barkbook login page. Thus any limit that Barkbook has set on failed login attempts won&rsquo;t get in the way. Mr. Talk can make as many guesses as he wants as fast as his own machine can compute hashes of guesses. This is called an “offline attack” and there is software designed to automate the guessing and testing, and Mr. Talk knows how to use it. It will take Mr. Talk more time to configure the software than it will take it to try tens of millions of guesses.</p> <h2 id="1password-is-different">1Password is different</h2> <p>There are <a href="https://blog.1password.com/1password-is-layerup-ed-with-modern-authentication/">lots of problems</a> with the typical password checking scheme. Not least of which is the fact that the password (in our previous example) is transmitted from Molly&rsquo;s computer to Barkbook each and every time she logs in. We at 1Password never want your <a href="https://blog.1password.com/cracking-challenge-update/">account password</a> transmitted to us, so we use a password authenticated key exchange (PAKE) to make sure that no secrets are transmitted when signing in. But that is a <a href="https://blog.1password.com/developers-how-we-use-srp-and-you-can-too/">whole other story</a>.</p> <p>The relevant part for today&rsquo;s discussion is that the PAKE still has the server store something that is like a password hash with respect to cracking. It isn&rsquo;t actually a hash, but for offline cracking purposes it behaves like one. That hash-like thing is called the SRP verifier.</p> <h2 id="make-cracking-impossible-not-just-expensive">Make cracking impossible, not just expensive!</h2> <p>There are things that Barkbook can do to make Mr. Talk&rsquo;s job harder. One thing is to make breaching harder. 
Because there are many ways that a service can be breached (including insider attacks) there are lots of different things about an organization&rsquo;s security that need to be looked at and hardened. Another thing that Barkbook can do to make things harder for Mr. Talk is to use a costly password hashing scheme. <a href="https://support.1password.com/pbkdf2/">We use PBKDF2</a> to harden your account password. But <a href="https://blog.1password.com/bcrypt-is-great-but-is-password-cracking-infeasible/">there are limits</a> on what that approach can buy you. Those are good things to do, as they reduce the chances of a breach and they buy users some time in changing passwords in the event of a breach. But they still leave our attacker, Mr. Talk, in a position to do a great deal of damage.</p> <h2 id="enter-the-secret-key">Enter the Secret Key</h2> <p>The 1Password Secret Key changes all of that. It makes the verifiers that we store on our servers <em>completely useless</em> for cracking purposes. Molly&rsquo;s 128-bit Secret Key gets combined with her rather weak password on her own machine. It&rsquo;s secret from us and our servers. Recall that no secrets are transmitted from Molly&rsquo;s 1Password client to our servers when Molly signs into her account. It isn&rsquo;t merely that we never store her Secret Key – we never even have the opportunity to acquire it.</p> <p>I have used, and will continue to use, the example of cracking the verifier, as that has a nice analogy to cracking password hashes on a traditional service like Barkbook. But what is at stake here is whether Mr. Talk, given access to what is stored on our servers, would have the capacity to decrypt Molly&rsquo;s data. Molly&rsquo;s 1Password Secret Key means that the answer is no. Mr. 
Talk would not be able to crack that <a href="https://blog.1password.com/why-we-moved-to-256-bit-aes-keys/#how-long-is-long-">even if he put every computer on Earth to work on the cracking and ran them for zillions of times the age of the universe</a>. I am happy to use words like &ldquo;never&rdquo; and &ldquo;impossible&rdquo; for that.</p> <p>The Secret Key means that nobody – Mr. Talk or otherwise – who gets a hold of the data on our servers could ever be able to crack it to decrypt anyone&rsquo;s data. This not only protects Molly from Mr. Talk, but from anyone, insider or out, who obtains data from our systems.</p> <h2 id="responsible-planning">Responsible planning</h2> <p>We certainly do not plan <em>on</em> being breached, but we must plan <em>for</em> it. As described above, your 1Password Secret Key keeps your secrets safe in the event of a breach even if the attacker has billions of super computers and zillions of ages of the universe to try to crack it. But this does even more. I believe it reduces the chances of a breach in the first place.</p> <p>If we didn&rsquo;t have the Secret Key built into 1Password, some user data on our servers would be decryptable if the attacker threw enough resources at cracking verifiers. But because the Secret Key makes such cracking futile, the encrypted data that we hold is far less valuable to an attacker. Why try to steal stuff that you can&rsquo;t crack or decrypt?</p> <p>When I first presented the idea of the Secret Key at PasswordsCon in 2015, I described it in terms of a principle of cowardice: We do not want the data we hold to be an attractive target. 
There is a certain degree of safety that comes from being an unattractive target.</p> <img src='https://blog.1password.com/posts/2021/secret-key/moosejaw-truck.jpg' alt='Truck with &#39;Driver carries less than $50 and is fully naked&#39;' title='Truck with &#39;Driver carries less than $50 and is fully naked&#39;' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>Unlike some of our competitors, our service has never been breached. There are many things one could attribute that to, including luck. But I believe that the 1Password Secret Key plays a role. Sure, attackers try, and we do defend against such attempts. That is the nature of running any service. But because Molly (and every other 1Password user) is protected by their 1Password Secret Key, Mr. Talk won&rsquo;t try quite as hard to breach our servers as he might otherwise.</p> <h2 id="appendix-is-it-a-second-factor">Appendix: Is it a second factor?</h2> <p>The Secret Key is not a second factor, and it can lead to confusion to think of it that way. <a href="https://www.consumerreports.org/password-managers/best-password-managers-review-digital-security-privacy-ease-of-use-a7337649384/">Consumer Reports said in an outstanding review of 1Password</a>:</p> <blockquote> <p>1Password requires an <a href="https://blog.1password.com/toward-better-master-passwords/">account password</a> and a code available only through a device you’ve already used to access its service. If you don’t have the device handy, you have to use another long, complex secret code <em>provided to you by 1Password.</em> That can be a chore, but it enhances the security of the box containing all your credentials by requiring <em>another authentication factor</em>.</p> </blockquote> <p>I can&rsquo;t blame anyone for not understanding what the Secret Key is (and isn&rsquo;t). You just read about 1,400 words on an attempted explanation of the unique security properties it gives you and us. 
And it really is unlike anything most people have ever used. But it&rsquo;s useful to draw attention to two things they don&rsquo;t quite get right there.</p> <p>The first error is what might be implied by &ldquo;provided to you by 1Password.&rdquo; That suggests that we create your Secret Key and send that to you. That is not the case. We never have your Secret Key, even for a moment. Your Secret Key is created in your browser or in your 1Password client on your machine when you create your 1Password account. All of that happens entirely on your machine. It may not look like that is what is happening, but that is what is happening.</p> <p>The second misunderstanding is to call it &ldquo;another authentication factor.&rdquo; From Molly&rsquo;s point of view it can certainly look like one. It is a second secret that she needs to be able to <a href="https://support.1password.com/auto-lock/">unlock 1Password</a> on a new device. It sure looks like a second factor at first glance. But as explained above, it is about decrypting the data stored on our servers.</p> <p>The remainder of this appendix to an already long article is going to get even more abstract. And so you may wish to stop reading here. And if what I say below muddies things instead of clarifying things, forget it.</p> <h2 id="keeping-things-at-a-distance">Keeping things at a distance</h2> <p>Molly may store the key to her toy box right with the box, but Patty (the other, brighter, dog in the house) knows better than to do that. Patty hides the key to her box of toys away from the box. Molly&rsquo;s system is weaker than Patty&rsquo;s because an attacker, Mr. Talk, who can get to Molly&rsquo;s box needs to expend little additional effort to obtain the key to that box. But an attacker who gets to Patty&rsquo;s toy box has to launch a separate attack to obtain the key to Patty&rsquo;s box.</p> <p>In each case, Mr. Talk needs to get both the box and the key. 
But when going after Molly&rsquo;s toys, he only needs to do one attack. An attack that will get one will easily get the other. But when he goes after Patty&rsquo;s toys he needs to perform two attacks. The particular security property that gives <a href="https://1password.com/features/two-factor-authentication/">two-factor authentication</a> its name is like that. The attacker must launch different attacks to obtain each of the factors.</p> <aside class="c-technical-aside-box c-technical-aside-box--background" aria-labelledby="2fa-really-isnt-about-factors-technical-aside"> <h2 class="c-technical-aside-box__title" id="2fa-really-isnt-about-factors-technical-aside"> 2FA really isn&#39;t about factors (Technical aside) </h2> <div class="c-technical-aside-box__description"> <p>Although 2FA is named for its second-factorness and its security is typically described in those terms, that is rarely among its most important security properties. In typical usage, things that we call 2FA improve security because the long-term secret is never transmitted and what is transmitted is a one-time code. The second-factorness is rarely, so to speak, a major factor in the security of the system. I have presented on this on a number of occasions with a <a href="https://blog.1password.com/files/what-the-secret-key-does/goldberg-mfa.pdf">paper (PDF)</a>. Nonetheless, second-factorness does a good job at illustrating what I mean by distance between things that need to be acquired by an attacker to succeed in their attack.</p> </div> </aside> <p>In the case of the Secret Key, the distance is between the data stored on our system and your copies of your Secret Key. The attacker who obtains your encrypted data from our servers has zero chance of decrypting it unless they can also obtain your Secret Key from your systems. 
This distance between what is encrypted with the Secret Key and the Secret Key itself <a href="https://blog.1password.com/are-password-managers-safe/">is what makes you, and Molly, safe if our systems are breached</a>. And that same distance dramatically reduces the incentive an attacker would have for breaching our system.</p></description></item><item><title>When and why you should use different usernames online</title><link>https://blog.1password.com/when-to-use-random-usernames-online/</link><pubDate>Fri, 03 Dec 2021 00:00:00 +0000</pubDate><author>info@1password.com (Stacey Harris)</author><guid>https://blog.1password.com/when-to-use-random-usernames-online/</guid><description> <img src='https://blog.1password.com/posts/2021/when-to-use-random-usernames-online/header.svg' class='webfeedsFeaturedVisual' alt='When and why you should use different usernames online' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">You don’t reuse passwords, so why are you reusing your usernames? Using a unique username does more than just protect your privacy, it also has important security benefits.</p> <p>Below, we’ll explain what threats unique usernames protect you from, when you should use a unique username, and how to use a <a href="https://1password.com/username-generator/">username generator</a> to create them.</p> <h2 id="the-dangers-of-repetitive-usernames">The dangers of repetitive usernames</h2> <p>It&rsquo;s risky to use the same username for everything. Why? Because if it&rsquo;s visible to the public, or is exposed in a leak, cybercriminals don&rsquo;t have to worry about figuring it out when they try to access any of your other online accounts. 
With <a href="https://www.verizon.com/business/resources/reports/dbir/?CMP=OOH_SMB_OTH_22222_MC_20200501_NA_NM20200079_00001">more than 61% of breaches involving credentials</a> used to authenticate a user, having both a unique password and a unique username makes any attempts to breach your account more difficult.</p> <p>Are you guilty of using a variation of your own name or adding some other personal identifying information – like your birth year – to make a new username unique? You’re not alone. However, using personal information in a username could leave you open to social engineering attacks intent on acquiring your credentials.</p> <p>When your usernames are public, it means your accounts can be linked across different services. You may want the same handle for your social media accounts, but that doesn’t mean you should be using it to log into your private bank account, too. By separating your information with different usernames, you make it more difficult for potential hackers to gather a complete profile of you. There’s power in knowing what services someone uses, even if a hacker can’t access them.</p> <p>Using random usernames helps protect you against phishing scams, <a href="https://blog.1password.com/how-1password-keeps-you-safe-from-cyber-attacks/">credential stuffing</a>, data leaks, and more. By using a unique username, any data of yours that may have been caught up in a leak will be rendered useless for accessing any of your other accounts.</p> <h2 id="when-to-use-a-random-username">When to use a random username</h2> <p>No, you don’t need a random username for every single account you own. Maybe you have a business where you need name recognition across accounts, or you want to make it easier for people to find you on Twitch, TikTok, and Instagram. There are many instances where having a random username isn’t necessary or feasible, and that’s okay. 
You won’t compromise your security by using the same username for a variety of accounts provided you’re using strong, unique passwords and <a href="https://blog.1password.com/totp-and-1password/">enabling 2FA</a> whenever possible.</p> <p>You should, however, use unique usernames for accounts where the username isn’t public, or you want an extra layer of security against potential threats. You might already have some accounts where you use a different username to keep your identity secret. Many services let users choose a username different from the email address associated with the account. Always do this when you’re given the option, because your email address is generally easier for a cybercriminal to find. You should strive to use a unique username whenever the option is available.</p> <h2 id="random-username-generators">Random username generators</h2> <p>When prompted for a username, many of us have a default go-to. Whether it’s a variation on your first or last name and a number, the handle you use for social media accounts, or a favourite character from a show – we’ve all got a username in our back pocket. Now, if you’re ready to take the secure step of using a unique username for every account, you have the added headache of coming up with something new. But never fear, you can use our <a href="https://1password.com/username-generator/">username generator</a> to create random usernames as well by selecting ‘memorable username’ in the options.</p> <p>If the service requires your username to be an email address, you don’t have to use the same one. We recently partnered with Fastmail to create <a href="https://blog.1password.com/fastmail-masked-email/">Masked Email</a> – unique, automatically generated email addresses that keep your real one private from the services you sign up for, while still sending emails to your main Fastmail account. 
It’s the perfect way to protect yourself from both spam and breaches.</p> <h2 id="managing-unique-usernames">Managing unique usernames</h2> <p>Creating unique usernames for every account will essentially double the amount of unique information you need to remember. That’s where a password manager comes in. 1Password will save and fill both your username and password so you don’t have to remember either – letting you create complicated, unique usernames and secure passwords for every account.</p> <p>While having unique, strong passwords and enabling 2FA are the best way to keep your account secure, using an online username generator is a great way to beef up your security with minimal effort – especially if you’re already using 1Password to <a href="https://1password.com/features/autofill/">autofill</a> your account information. You don’t reuse passwords, so why are you reusing your usernames? Try our <a href="https://1password.com/username-generator/">random username generator</a> today and add an extra layer of security to your account.</p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Create a secure username</h3> <p class="c-call-to-action-box__text"> Want to stay secure online? Create a random username with 1Password's free Username Generator! 
</p> <a href="https://1password.com/username-generator/" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Try 1Password&#39;s Username Generator </a> </div> </section></description></item><item><title>Coming together to make a difference</title><link>https://blog.1password.com/coming-together-to-make-a-difference/</link><pubDate>Thu, 02 Dec 2021 00:00:00 +0000</pubDate><author>info@1password.com (Marius Masalar)</author><guid>https://blog.1password.com/coming-together-to-make-a-difference/</guid><description> <img src='https://blog.1password.com/posts/2021/coming-together-to-make-a-difference/header.svg' class='webfeedsFeaturedVisual' alt='Coming together to make a difference' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Thanksgiving is the holiday so nice we do it twice – a quirk of having our North American team members distributed across the US and Canada! With your help, we raised over $51,000 USD this year to support Second Harvest, United Way Centraide, and Food Banks Canada in their efforts to make the holidays happy for everybody.</p> <p>Too often it feels like our ability to make an impact is limited, but during times like these it’s helpful to remember the compounding power of small gestures. You may think one person can’t move the needle much, but collectively we can effect real change.</p> <p>And we have.</p> <p>Between Canadian 🇨🇦 and US 🇺🇸 Thanksgiving, over 51,000 of you signed up to keep your loved ones safe with a 1Password Families account. 
By choosing to protect your family online, you’ve also chosen to help other families put food on the table this holiday season.</p> <h2 id="-supporting-our-communities">🤝 Supporting Our Communities</h2> <p>Over the past month, $1 from each of those sign-ups was donated to three notable organizations working hard to support our communities:</p> <p><strong><a href="https://secondharvest.ca/about/">Second Harvest</a></strong> is creating an efficient food recovery network, reducing the environmental impact of food waste while ensuring that everyone - regardless of their economic situation - is able to feed themselves and their family.</p> <p><strong><a href="https://www.unitedway.ca/how-we-help/">United Way Centraide</a></strong> works across Canada to make change locally, creating opportunities for everyone in our communities to live a better life by reducing poverty, supporting children and youth, and building vibrant neighbourhoods.</p> <p><strong><a href="https://foodbankscanada.ca/about-us/">Food Banks Canada</a></strong> helps those across Canada living with food insecurity by working to relieve hunger, strengthen local capacity, and reduce the need for food banks.</p> <h2 id="-food-for-thought">🍽️ Food for Thought</h2> <p>As we rejoin our loved ones at the dinner table this holiday season, hundreds of other families nation-wide will be sitting down to enjoy food that you helped put on their tables.</p> <p>But your contribution is about more than just meals; $51,000 USD means less food waste, and the diversion of thousands of pounds of greenhouse gas emissions. 
Thanks to you, we’ve made a meaningful impact – for people and for the planet – during an especially trying time.</p> <p>This season, our hearts are as full as our plates – and that’s something we can all be thankful for.</p></description></item><item><title>Fortify your security with 1Password and JumpCloud</title><link>https://blog.1password.com/jumpcloud-1password-scim-bridge-launch/</link><pubDate>Wed, 01 Dec 2021 00:00:00 +0000</pubDate><author>info@1password.com (Matt O'Leary)</author><guid>https://blog.1password.com/jumpcloud-1password-scim-bridge-launch/</guid><description> <img src='https://blog.1password.com/posts/2021/jumpcloud-scim-bridge-integration/header.svg' class='webfeedsFeaturedVisual' alt='Fortify your security with 1Password and JumpCloud' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Starting today, we’re adding JumpCloud to the list of popular enterprise identity providers compatible with the 1Password SCIM bridge, making it easier for more teams to provision and manage their users. We’re thrilled to add JumpCloud’s easy-to-use and highly rated service to our growing list of integrations.</p> <p>Using <a href="https://jumpcloud.com/">JumpCloud</a> and <a href="https://1password.com/">1Password</a>, you can establish the oversight you need to fortify your security policies and protect your team.</p> <blockquote> <p><em>“Password management is a critical part of any company&rsquo;s security model, and we find that 1Password does it better than anyone else. 
The 1Password and JumpCloud integration allows us to have a complete Single Sign-On solution, and offers a very effective way of programmatically managing access.” – Reilly Scull, CTO at Macktez</em></p> </blockquote> <h2 id="uninterrupted-workflow">Uninterrupted workflow</h2> <p>The <a href="https://blog.1password.com/scim-bridge-release/">1Password SCIM bridge</a> helps you manage your teams at scale, bringing 1Password into the workflows you already know and trust. It lets you control the rollout of <a href="https://1password.com/business/">1Password Business</a> from your existing IDP (Identity Provider) system, so you can keep using the tools your team are familiar with.</p> <p>Integration with <a href="https://jumpcloud-support.force.com/support/s/article/Identity-Management-with-1Password">JumpCloud</a> gives you effortless control over the 1Password deployment process so you can:</p> <ul> <li>Create users</li> <li>Grant and revoke permissions</li> <li>Update user attributes</li> <li>Deactivate users</li> <li>Establish/Provision groups</li> </ul> <p>Together, 1Password and JumpCloud let you easily provision, update, and de-provision employee accounts.</p> <p>You can even replicate your existing directory structure with a single click, provisioning the same groups in 1Password so you can hit the ground running – all while helping you strengthen and enforce your security policies.</p> <h2 id="effortless-management-and-control">Effortless management and control</h2> <p>The 1Password <a href="https://support.1password.com/scim/">SCIM bridge</a> handles encryption and security while JumpCloud acts as a virtual directory in the cloud, synchronizing employee profiles across all your directories, including Active Directory (AD), LDAP, Google Apps directory, JumpCloud Cloud Directory, and HR directories.</p> <p>You can deploy the 1Password SCIM bridge with one click from multiple cloud providers, including DigitalOcean, or it can be self-hosted on your existing 
infrastructure so the encryption keys never leave your control. The SCIM bridge connects to your identity provider using the same multi-layered approach that secures all 1Password clients: <a href="https://support.1password.com/secure-remote-password/">Secure Remote Password (SRP)</a> and Transport Layer Security (TLS).</p> <h2 id="automate-and-strengthen-security">Automate and strengthen security</h2> <p>The 1Password SCIM bridge makes administration simple, helping you manage and automate all your access, password, and security policies. You can even pair the SCIM bridge with <a href="https://1password.com/business/advanced-protection/">1Password Advanced Protection</a> to further bolster your defenses, allowing you to:</p> <ul> <li>Set Account <a href="https://1password.com/password-generator/">Password requirements</a></li> <li>Create firewall rules</li> <li>Require up-to-date apps</li> <li>Monitor sign-in attempts</li> </ul> <p>For help with getting started, read <a href="https://support.1password.com/scim-jumpcloud/">how to set up and use the 1Password SCIM bridge to integrate with JumpCloud</a>.</p></description></item><item><title>Small Talk: balancing workplace productivity and security for small businesses</title><link>https://blog.1password.com/small-talk-balancing-productivity/</link><pubDate>Tue, 23 Nov 2021 00:00:00 +0000</pubDate><author>info@1password.com (Andrew Zangre)</author><guid>https://blog.1password.com/small-talk-balancing-productivity/</guid><description> <img src='https://blog.1password.com/posts/2021/small-talk-balancing-productivity/header.png' class='webfeedsFeaturedVisual' alt='Small Talk: balancing workplace productivity and security for small businesses' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Go, go, go, go. And then go some more. For countless small businesses, this is your reality. 
But breakneck productivity is not always the healthiest approach, and it often comes at the cost of security.</p> <p>You’re focused on building your business. You may be piling on assignments for employees, even outside of their expertise, just to hit your goals and stay competitive. So you may think focusing on improving security is either unnecessary or, worse, hindering production. If that sounds like you, consider this your polite slap on the wrist. 💁</p> <p>You shouldn’t have to sacrifice workplace productivity in the name of security – even if your “workplace” is fully remote. Believe it or not, when your employees work securely, improved productivity often follows. Striking the right balance now, in the early stages, can create lasting change as you scale and greet new challenges – and successes – in your journey. Stay secure … and productive? 🤯</p> <h2 id="the-tunnel-vision-of-workplace-productivity">The tunnel vision of workplace productivity</h2> <p>In recent years, a number of outdated philosophies have been rightfully reexamined, in and outside of work. Among these is the emphasis on productivity over, well, just about anything else. For example, a sensible work-life balance used to seem a rare perk. Now it’s (rightfully) expected.</p> <p>Our collective tunnel vision on productivity has been straining employees mentally and emotionally. Burnout was officially recognized as an <a href="https://www.cnbc.com/2021/09/23/the-future-of-work-is-here-employee-burnout-needs-to-go.html">occupational health hazard in 2019</a> by the World Health Organization. The <a href="https://blog.1password.com/remote-work-mental-health/">shift to remote work</a> added a complex new layer to worker mental health struggles, as employees tried to keep on task while their way of life transformed in real time.</p> <p>Small business owners were also put in an uncomfortable position. 
Accommodating the shift meant complete restructuring of processes, roles, and even entire business models. Most could not afford the luxury of pausing work to help complete the changes. This meant keeping employees engaged by any means necessary – such as loosening security protocols. <a href="https://www.techrepublic.com/article/companies-are-relaxing-cybersecurity-during-the-pandemic-to-boost-productivity/">Nearly half of SMBs</a> did so during the pandemic, basically inviting attackers to pounce.</p> <p>Most employees also took shortcuts with security, <a href="https://www.cpomagazine.com/cyber-security/most-employees-took-cybersecurity-shortcuts-during-the-remote-working-period-despite-understanding-the-risks/">even when knowing the risks</a>. And around half the workers that do so – for instance, downloading apps not approved by IT – say it’s in the pursuit of productivity.</p> <p>If it wasn’t apparent before, this underlines the problem in bold marker. Our productivity culture creates blind spots that can harm employees and threaten businesses as a whole, as well as their customers. Security is usually the first thing to go, when it should be the highest priority.</p> <p>That said, your small business team shouldn’t be expected to form safe habits without a degree of guidance. Leadership should set the right example – for both secure-minded processes and a healthy work-life balance – and it’s far easier to do so in a small business environment.</p> <h2 id="where-time-actually-goes">Where time actually goes</h2> <p>Here comes the irony. If your company’s output is lagging, your employees’ work rate is probably not to blame. Asking them to row faster will not fix the holes in your boat.</p> <p>For one thing, work is often sidetracked to deal with small technical issues. The more technology we use, the more inevitable complications arise. 
And for millions of small business employees, basic job functions now involve at least some computer usage, if not a handful of software platforms.</p> <p>Getting familiar with these technologies is one thing. Troubleshooting is another, and one that’s impossible to fully predict when it comes to productivity planning. The expertise and bandwidth of your IT team – and your employees’ relationship with them – factor into the equation. A recent 1Password survey showed that 30 percent of workers try to solve IT problems themselves, while 22 percent feel it’s too hard to get approval from IT.</p> <p>Remembering (and, when necessary, resetting) passwords is a constant battle when it comes to time management and general frustration levels. When employees aren’t empowered to handle these tasks, or given the tools to create and store strong passwords, it creates bottlenecks for IT and encourages reusing old passwords or creating weak ones. When the majority of business data breaches involve weak or reused credentials – and <a href="https://blog.1password.com/small-talk-cyberattacks/">60 percent of hacked SMBs close within 6 months</a> after a breach – this is a code-red situation.</p> <p>IT departments face their own set of struggles with workplace productivity. IT workers spend an average of 21 days per year on basic identity and access management (IAM) for the company. At the same time, they’re often leaned on too heavily for basic support like resetting passwords, especially at SMBs. The more they’re called upon for such tasks, the less time they have for more complex support requests. 
It’s a vicious cycle that causes delays for everyone, while creating security vulnerabilities across the organization.</p> <h2 id="when-security-leads-productivity-follows">When security leads, productivity follows</h2> <p>In a <a href="https://www.techrepublic.com/article/companies-are-relaxing-cybersecurity-during-the-pandemic-to-boost-productivity/">November 2020 interview with TechRepublic</a>, 1Password CXO Matt Davey summed it up nicely:</p> <p>“As WFH reconfigures our entire infrastructure, pitting security against productivity becomes less helpful,” said Davey. “Instead, we should think about IT becoming more of a trusted business partner. That means letting workers choose their tools and accommodating them – their stated goals of getting more done in the name of the business are what we all want, after all.”</p> <p>“At the same time, if you&rsquo;re putting more control into the hands of business users, you should also be teaching them how to do their work securely, so education becomes key.”</p> <p>At 1Password, we’re big believers in creating a <a href="https://1password.com/resources/culture-of-security/infographic-culture-of-security.pdf?utm_ref=1-for-business">culture of security</a>. The unnecessary tension between security and productivity is a key example of why.</p> <p>As cyber attacks grow more advanced and prevalent, a security-first mindset should be a core value for small business employees. Fostering safe online habits with your workforce is quite literally the most important security measure you can take – not to mention the most affordable. And empowering your team to work securely from the day they’re onboarded will naturally help them manage their time better. 
It will also eliminate headaches for IT and free up their own schedules.</p> <p>Our <a href="https://1password.com/resources/creating-a-culture-of-security/?utm_ref=resources">guide to creating a culture of security</a> lays out some basics for planning and implementing a security-first approach in how your employees do their jobs. A password manager like 1Password can be a huge piece of this paradigm shift. With password management as both your biggest security risk and one of the largest drains on productivity levels, the right tool for the job addresses the issue from both directions.</p> <p>In other words, the secure way for your employees to work can also be the easiest. So your growing business can find that sweet spot where productivity and security not only coexist, but thrive together.</p> <p>We love to see it.</p> <h2 id="dont-let-urgency-hurt-your-employees">Don&rsquo;t let urgency hurt your employees</h2> <p>Even before remote and hybrid work, our attitude toward productivity was due for a review. Expecting too much of your employees – especially when not offering tools or guidance on the best way of doing things – doesn’t help them and it doesn’t help you. As a small business leader, your employees’ needs should be top-of-mind, along with an informed strategy in how you help them do their jobs.</p> <p>Modeling work habits and values comes from the top down. So how you frame your messaging is huge – while ensuring employees know that productivity levels should never be at the expense of mental health.</p> <p>A culture of security is a winning model for boosting both security and productivity. Underneath that, a strong team culture as a whole will reverberate through all the rest. Not only is this easier to achieve within a small business, but also more critical.</p> <p>You’re all in this journey together, and employees should be consistently reminded of this in ways big and small. 
Make a point to show you’re listening to their needs and you care about their well-being and individual success. A unified team with positive perceptions of leadership will be more engaged. Employees will also be more dedicated to security in the workplace – whether that’s in the office or their living room – and feel greater ownership over their responsibilities, deadlines, and goals.</p> <p>As your company goes, goes, goes – you’ll need to adapt, adapt, adapt. Tools and processes should be reevaluated somewhat regularly based on what works, what doesn’t, and the new challenges that come with scale. But the right password manager is something that can grow with you. Whatever’s creeping around the corner, you can face it with both a secure and productive approach, without feeling like you or your team need to choose sides.</p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">The ultimate guide to small business security</h3> <p class="c-call-to-action-box__text"> Cybersecurity is more crucial than ever. Learn the steps you can take today to protect your organization's data. 
</p> <a href="https://1password.com/resources/ultimate-guide-to-securing-your-small-business/" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Download the guide </a> </div> </section></description></item><item><title>How the pandemic made millennials rethink their digital legacies</title><link>https://blog.1password.com/wills-digital-estate-planning-millennials-survey/</link><pubDate>Thu, 18 Nov 2021 00:00:00 +0000</pubDate><author>info@1password.com (Nick Summers)</author><guid>https://blog.1password.com/wills-digital-estate-planning-millennials-survey/</guid><description> <img src='https://blog.1password.com/posts/2021/wills-digital-estate-planning-survey/header.svg' class='webfeedsFeaturedVisual' alt='How the pandemic made millennials rethink their digital legacies' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Before the pandemic, <a href="https://www.caring.com/about/news-room/nearly-6-in-10-u-s-adults-don-t-have-a-will/">most millennials didn&rsquo;t have a will</a>, let alone <a href="https://blog.1password.com/digital-estate-planning-guide/">a plan for handing over their digital accounts</a>.</p> <p>Why? Many simply don&rsquo;t know how to get started, or worry the process is too expensive, complicated, and time consuming. Others simply feel that it&rsquo;s not a pressing issue, especially if they&rsquo;re still healthy or don&rsquo;t have a lot of savings.</p> <p>The COVID-19 pandemic changed everything, however. It forced millions of millennials to reconsider their health, finances, and relationships, as well as what would happen if they were to suddenly pass away. But has this moment of reflection triggered a wave of new wills and digital estate plans, which include passwords and other online credentials? 
To find out, we conducted a survey with estate-planning experts <a href="https://www.willful.co/">Willful</a> and <a href="https://trustandwill.com/">Trust &amp; Will</a>.</p> <p>Some of the findings might surprise you.</p> <h2 id="takeaways-from-the-us">Takeaways from the U.S.</h2> <ul> <li> <p><strong>68% of millennials still don&rsquo;t have a will.</strong> However, the last two years have been a wake-up call. Almost three quarters (72%) of respondents who have a will said they created or updated it during the pandemic.</p> </li> <li> <p><strong>The financial repercussions are real.</strong> In our survey, millennials said their loved ones would lose access to an average of $22,500 USD if they were to pass away without creating a will or handover plan.</p> </li> <li> <p><strong>More than half (51%) of millennials said they would be responsible for carrying out their parents' wills.</strong> Despite this, only 36% know or have access to their parents' passwords for their online accounts.</p> </li> <li> <p><strong>Many people still don&rsquo;t know the best way to manage or hand over their passwords.</strong> More than half (51%) of respondents said they memorized their password, while 25% kept them on a piece of paper and 20% stored them via a password manager like 1Password.</p> </li> <li> <p><strong>Most millennials who share their passwords are using old-fashioned and potentially insecure methods.</strong> 41% of respondents said they had written out a list of their passwords, while 39% said they had shared them verbally.</p> </li> <li> <p><strong>The situation is slowly improving.</strong> For example, 34% of respondents said the pandemic had encouraged them to chat with their parents about a digital handover in the past year.</p> </li> </ul> <h2 id="read-the-full-reports">Read the full reports</h2> <p>If you&rsquo;re curious to learn more, check out the full <a 
href="https://1passwordstatic.com/files/resources/end-of-life-estate-planning-report-us.pdf">U.S.</a> and <a href="https://1passwordstatic.com/files/resources/end-of-life-estate-planning-report-canada.pdf">Canada</a> reports, produced in partnership with Willful and Trust &amp; Will. Both shed more light on how millennials are approaching wills, password management, and digital estate planning.</p> <h2 id="create-your-own-digital-estate-plan">Create your own digital estate plan</h2> <p>Haven&rsquo;t made your own digital estate plan yet? No worries: <a href="https://blog.1password.com/digital-estate-planning-guide/">we&rsquo;ve got a step-by-step guide for that</a>. It breaks down the process of organizing your online accounts and crafting a handover plan that&rsquo;s secure, comprehensive, and easy for your loved ones to follow. In addition, we have guides that explain:</p> <ul> <li><a href="https://blog.1password.com/how-to-hand-over-cryptocurrency/">How to pass on your hard-earned cryptocurrency</a></li> <li><a href="https://blog.1password.com/guide-to-inherited-digital-estate-plan/">What to do when you inherit someone else&rsquo;s digital estate plan</a></li> </ul> <p>We hope these resources, combined with our latest reports, inspire more people to stop and think about their own will and digital legacy. Everyone&rsquo;s situation is different, so if you have any questions – or want to speak with someone about your existing will – we recommend contacting an estate-planning expert like Trust &amp; Will or Willful. They&rsquo;ll be more than happy to help.</p></description></item><item><title>1Password 8 for Windows is here! 
🎉</title><link>https://blog.1password.com/1password-8-for-windows-is-here/</link><pubDate>Tue, 16 Nov 2021 00:00:00 +0000</pubDate><author>info@1password.com (Dave Teare)</author><guid>https://blog.1password.com/1password-8-for-windows-is-here/</guid><description> <img src='https://blog.1password.com/posts/2021/opw8-launch/header.png' class='webfeedsFeaturedVisual' alt='1Password 8 for Windows is here! 🎉' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Got a Windows PC? You can now enjoy the modern design, improved productivity, and enhanced security &amp; privacy of the all-new 1Password 8. 🥳</p> <p>I’m so excited to share <a href="https://1password.com/products/">1Password 8</a> for Windows with you today. We went back to the drawing board and recreated every bit and every pixel to bring you the most modern, productive, and secure version of 1Password yet!</p> <p>Let’s start with the all-new lock screen. 🔐</p> <img src="https://blog.1password.com/posts/2021/opw8-launch/light-hero-locked.png" alt="1Password 8 lock screen on Windows 11" title="1Password 8 lock screen on Windows 11" class="c-featured-image"/> <p>Sold already? Here&rsquo;s the download link. 🙂</p> <p> <a href="https://downloads.1password.com/win/1PasswordSetup-latest.exe" class="call-to-action call-to-action--green " download> Download 1Password 8 for Windows </a> </p> <p>You can also hop on over to our <a href="https://blog.1password.com/1password-8-for-windows-dark-mode-edition/">1Password 8 for Windows: Dark Mode Edition</a> companion post to see this announcement and every screenshot in glorious dark mode. That&rsquo;s right, 1Password 8 fully supports dark mode! 😎</p> <h2 id="modern-design">Modern Design</h2> <p>We set out to create a modern, first-class experience that feels right at home on Windows 11. 
To make this possible we created an entirely new 1Password design language, code-named Knox.</p> <p>Let’s open things up to see the beautiful design in its full glory. 😍</p> <img src="https://blog.1password.com/posts/2021/opw8-launch/light-hero-unlocked.png" alt="1Password app unlocked while running on Windows 11" title="1Password app unlocked while running on Windows 11" class="c-featured-image"/> <p>Despite its simplicity, 1Password 8 is packed with features to help you organize your digital life. Create vaults directly from the sidebar, find recently deleted items, and focus in on the vaults and items you need with Collections.</p> <p>The new design carries throughout every aspect of the app and flows into the browser experience as well.</p> <img src="https://blog.1password.com/posts/2021/opw8-launch/light-hero-browser-experience.png" alt="1Password running in Microsoft Edge" title="1Password running in Microsoft Edge" class="c-featured-image"/> <p>With 1Password 8, you can enjoy a fluid, consistent experience no matter where you go or which theme (<a href="https://blog.1password.com/1password-8-for-windows-dark-mode-edition/">dark mode</a> or light mode) you enjoy.</p> <h2 id="productivity">Productivity</h2> <p>One of the places where the power of our new design language really shines is search. Press Ctrl + Shift + Space from anywhere on your PC to bring up Quick Access.</p> <img src='https://blog.1password.com/posts/2021/opw8-launch/light-quick-access.png' alt='1Password Quick Access window' title='1Password Quick Access window' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>With <a href="https://1password.com/features/how-to-use-quick-access-in-1password-8/">Quick Access</a> you can find any item you need, without leaving the app you&rsquo;re working in. It supports all the advanced search options and is fully optimized for keyboard warriors.</p> <p>Quick Access is smart, too. 
It detects open apps and remembers items you use most frequently so you always get the most relevant suggestions. You&rsquo;ll be more productive than ever when logging into your Steam games. 😉</p> <img src='https://blog.1password.com/posts/2021/opw8-launch/light-quick-access-context-aware.png' alt='1Password Quick Access opened from within the Roblox app with the matching login suggestions showing' title='1Password Quick Access opened from within the Roblox app with the matching login suggestions showing' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>Finding your items has never been quicker, and now creating them has never been easier. It all starts with a smart catalogue of suggested items to choose from, making it a snap to create what you need.</p> <img src='https://blog.1password.com/posts/2021/opw8-launch/light-new-item-catalog.png' alt='Creating an item in 1Password using the new item catalogue.' title='Creating an item in 1Password using the new item catalogue.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>The catalogue will help you find what you’re looking for and pre-fill details like the website address and title, so your newly created item is ready to <a href="https://1password.com/features/autofill/">autofill</a> in your browser.</p> <p>Speaking of which, the new 1Password experience in your browser takes productivity to the next level. 
🚀</p> <section class="gallery"> <figure itemprop="associatedMedia" itemscope itemtype="http://schema.org/ImageObject" class="item item-row2-column2"> <meta itemprop="contentUrl" content="/posts/2021/opw8-launch/light-browser-save-login.png" /> <img itemprop="thumbnail" src="https://blog.1password.com/posts/2021/opw8-launch/light-browser-save-login-thumb.png" style='max-width: 100px; width: 100%; display: inline-block;' /> </figure> <figure itemprop="associatedMedia" itemscope itemtype="http://schema.org/ImageObject" class="item item-row2-column2"> <meta itemprop="contentUrl" content="/posts/2021/opw8-launch/light-browser-create-masked-email.gif" /> <img itemprop="thumbnail" src="https://blog.1password.com/posts/2021/opw8-launch/light-browser-create-masked-email-thumb.gif" style='max-width: 100px; width: 100%; display: inline-block;' /> </figure> <figure itemprop="associatedMedia" itemscope itemtype="http://schema.org/ImageObject" class="item item-row4-column3"> <meta itemprop="contentUrl" content="/posts/2021/opw8-launch/light-browser-inline-signin.png" /> <img itemprop="thumbnail" src="https://blog.1password.com/posts/2021/opw8-launch/light-browser-inline-signin-thumb.png" style='max-width: 100px; width: 100%; display: inline-block;' /> </figure> <figure itemprop="associatedMedia" itemscope itemtype="http://schema.org/ImageObject" class="item item-row2-column4"> <meta itemprop="contentUrl" content="/posts/2021/opw8-launch/light-browser-suggested-password.png" /> <img itemprop="thumbnail" src="https://blog.1password.com/posts/2021/opw8-launch/light-browser-suggested-password-thumb.png" style='max-width: 100px; width: 100%; display: inline-block;' /> </figure> </section> <p>The new browser experience integrates seamlessly with the desktop app, using a secure connection to ensure a consistent lock state. 
It also brings support for passwordless unlocking to the browser with Windows Hello.</p> <p>And perhaps the biggest productivity booster of all: 1Password 8 is incredibly fast. 🏎️</p> <p>It’s hard to be productive when waiting for things to load, so we tuned 1Password 8 to be super efficient using our <a href="https://dteare.medium.com/behind-the-scenes-of-1password-for-linux-d59b19143a23">Rust-powered core</a>. Everything is instant so you’re never waiting on a spinner.</p> <h2 id="security--privacy">Security &amp; Privacy</h2> <p>1Password 8 comes with the security and privacy guarantees you’ve come to expect from 1Password and provides new tools to keep you safe online.</p> <p>The new Watchtower Dashboard makes it super simple to get a pulse on your security and see where you need to improve.</p> <img src='https://blog.1password.com/posts/2021/opw8-launch/light-watchtower-dashboard.png' alt='Watchtower Dashboard showing the overall password strength and weak passwords that need attention.' title='Watchtower Dashboard showing the overall password strength and weak passwords that need attention.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>Using on-device analysis to calculate password strength and detect vulnerable passwords, Watchtower gives you actionable advice while preserving your privacy and security.</p> <p>Securely sharing items with others in your <a href="https://1password.com/personal/">1Password Families</a> and <a href="https://1password.com/business/">1Password Business</a> accounts is super easy, too. 
With shared vaults, items magically appear for everyone you grant access to and everything shared in this way will prominently show who has access.</p> <img src='https://blog.1password.com/posts/2021/opw8-launch/light-item-sharing-details.png' alt='A shared item showing exactly who it is shared with, directly from within item details' title='A shared item showing exactly who it is shared with, directly from within item details' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>Windows Hello is integrated directly into the lock screen to provide a passwordless unlock experience. And those with a <a href="https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-tpm">TPM 2.0</a>-enabled PC are in for a treat later this year when our enhanced support for Windows Hello will allow unlocking 1Password, even after app restarts and system reboots (join our <a href="https://1password.community/discussion/121163/1password-8-for-windows-early-access">beta family</a> to be the first to enjoy this once available). 🥳</p> <img src='https://blog.1password.com/posts/2021/opw8-launch/light-passwordless-windows-hello.png' alt='Windows Hello appearing on the lock screen for a passwordless unlock experience' title='Windows Hello appearing on the lock screen for a passwordless unlock experience' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>Last but not least, 1Password 8 stands upon the most <a href="https://1password.com/security/">secure security design</a> we’ve ever had. 
And all the critical bits are done in <a href="https://www.rust-lang.org">Rust</a>, a systems programming language renowned for its security and safety.</p> <h2 id="and-so-much-more">And so much more</h2> <p>1Password 8 is a massive release and there are dozens of new features and improvements that won&rsquo;t fit here, such as:</p> <ul> <li>Style your notes with Markdown</li> <li>Create new vaults directly within the app</li> <li>Restore recently deleted items and previous versions</li> <li>Navigate easily throughout the app with Quick Find</li> <li>Share items with anyone using a simple link</li> <li>&hellip;and so much more!</li> </ul> <p>I originally wrote about these at length but had to trim them during the editing process. I really enjoyed what I wrote so I collected them into a gorgeous screenshot gallery at the end of this post. 🙂</p> <h2 id="getting-started">Getting started</h2> <p>1Password 8 is a 64-bit app that requires Windows 10 or Windows 11.</p> <p> <a href="https://downloads.1password.com/win/1PasswordSetup-latest.exe" class="call-to-action call-to-action--green " download> Download 1Password 8 for Windows </a> </p> <p>1Password 8 is the best Windows app we’ve ever built and we can’t wait to hear what you think of it. Please stop by our <a href="https://1password.community/categories/1password-8-for-windows">1Password for Windows community</a> or reach out on Twitter <a href="https://twitter.com/1password">@1Password</a> or me <a href="https://twitter.com/dteare">@dteare</a>.</p> <p>The development team and I will also be hosting an <a href="https://www.reddit.com/r/1Password/">AMA</a> this Thursday, November 18th at 1PM Eastern. We always have a lot of fun with these and I <a href="https://twitter.com/dteare/status/1441107414959288327">love giving out gold for questions</a>, along with bestowing the Ternion All-Powerful award upon the best question. 💪</p> <p>If listening is more your style, our product director Mitch Cohen has you covered. 
Mitch is hosting our Twitter Space <em>tonight</em> at 8PM Eastern to talk all things Windows and 1Password 8. He&rsquo;s also hosting a <a href="https://1password.com/webinars">Get to Know 1Password 8 for Windows webinar</a> on Tuesday, November 23rd at 11AM Eastern. Stop on by!</p> <p>Enjoy, take care, and stay safe out there. 🙏🏻</p> <p>++dave;</p> <section class="gallery"> <figure itemprop="associatedMedia" itemscope itemtype="http://schema.org/ImageObject" class="item item-row4-column2"> <meta itemprop="contentUrl" content="/posts/2021/opw8-launch/light-account-menu.png" /> <img itemprop="thumbnail" src="https://blog.1password.com/posts/2021/opw8-launch/light-account-menu-thumb.png" style='max-width: 100px; width: 100%; display: inline-block;' /> </figure> <figure itemprop="associatedMedia" itemscope itemtype="http://schema.org/ImageObject" class="item item-row1-column1"> <meta itemprop="contentUrl" content="/posts/2021/opw8-launch/light-collections.png" /> <img itemprop="thumbnail" src="https://blog.1password.com/posts/2021/opw8-launch/light-collections-thumb.png" style='max-width: 100px; width: 100%; display: inline-block;' /> </figure> <figure itemprop="associatedMedia" itemscope itemtype="http://schema.org/ImageObject" class="item item-row1-column1"> <meta itemprop="contentUrl" content="/posts/2021/opw8-launch/light-new-vault.png" /> <img itemprop="thumbnail" src="https://blog.1password.com/posts/2021/opw8-launch/light-new-vault-thumb.png" style='max-width: 100px; width: 100%; display: inline-block;' /> </figure> <figure itemprop="associatedMedia" itemscope itemtype="http://schema.org/ImageObject" class="item item-row1-column3"> <meta itemprop="contentUrl" content="/posts/2021/opw8-launch/light-quick-find.png" /> <img itemprop="thumbnail" src="https://blog.1password.com/posts/2021/opw8-launch/light-quick-find-thumb.png" style='max-width: 100px; width: 100%; display: inline-block;' /> </figure> <figure itemprop="associatedMedia" itemscope 
itemtype="http://schema.org/ImageObject" class="item item-row1-column1"> <meta itemprop="contentUrl" content="/posts/2021/opw8-launch/light-nested-tags.png" /> <img itemprop="thumbnail" src="https://blog.1password.com/posts/2021/opw8-launch/light-nested-tags-thumb.png" style='max-width: 100px; width: 100%; display: inline-block;' /> </figure> <figure itemprop="associatedMedia" itemscope itemtype="http://schema.org/ImageObject" class="item item-row1-column1"> <meta itemprop="contentUrl" content="/posts/2021/opw8-launch/light-categories.png" /> <img itemprop="thumbnail" src="https://blog.1password.com/posts/2021/opw8-launch/light-categories-thumb.png" style='max-width: 100px; width: 100%; display: inline-block;' /> </figure> <figure itemprop="associatedMedia" itemscope itemtype="http://schema.org/ImageObject" class="item item-row1-column1"> <meta itemprop="contentUrl" content="/posts/2021/opw8-launch/light-move-item-select-vault.png" /> <img itemprop="thumbnail" src="https://blog.1password.com/posts/2021/opw8-launch/light-move-item-select-vault-thumb.png" style='max-width: 100px; width: 100%; display: inline-block;' /> </figure> <figure itemprop="associatedMedia" itemscope itemtype="http://schema.org/ImageObject" class="item item-row1-column2"> <meta itemprop="contentUrl" content="/posts/2021/opw8-launch/light-move-item-confirm.png" /> <img itemprop="thumbnail" src="https://blog.1password.com/posts/2021/opw8-launch/light-move-item-confirm-thumb.png" style='max-width: 100px; width: 100%; display: inline-block;' /> </figure> <figure itemprop="associatedMedia" itemscope itemtype="http://schema.org/ImageObject" class="item item-row1-column1"> <meta itemprop="contentUrl" content="/posts/2021/opw8-launch/light-new-item-search.png" /> <img itemprop="thumbnail" src="https://blog.1password.com/posts/2021/opw8-launch/light-new-item-search-thumb.png" style='max-width: 100px; width: 100%; display: inline-block;' /> </figure> <figure itemprop="associatedMedia" itemscope 
itemtype="http://schema.org/ImageObject" class="item item-row1-column1"> <meta itemprop="contentUrl" content="/posts/2021/opw8-launch/light-create-item-netflix-use-shared-vault.png" /> <img itemprop="thumbnail" src="https://blog.1password.com/posts/2021/opw8-launch/light-create-item-netflix-use-shared-vault-thumb.png" style='max-width: 100px; width: 100%; display: inline-block;' /> </figure> <figure itemprop="associatedMedia" itemscope itemtype="http://schema.org/ImageObject" class="item item-row1-column2"> <meta itemprop="contentUrl" content="/posts/2021/opw8-launch/light-new-item-crypto.png" /> <img itemprop="thumbnail" src="https://blog.1password.com/posts/2021/opw8-launch/light-new-item-crypto-thumb.png" style='max-width: 100px; width: 100%; display: inline-block;' /> </figure> <figure itemprop="associatedMedia" itemscope itemtype="http://schema.org/ImageObject" class="item item-row1-column1"> <meta itemprop="contentUrl" content="/posts/2021/opw8-launch/light-new-item-travel-essentials.png" /> <img itemprop="thumbnail" src="https://blog.1password.com/posts/2021/opw8-launch/light-new-item-travel-essentials-thumb.png" style='max-width: 100px; width: 100%; display: inline-block;' /> </figure> <figure itemprop="associatedMedia" itemscope itemtype="http://schema.org/ImageObject" class="item item-row1-column3"> <meta itemprop="contentUrl" content="/posts/2021/opw8-launch/light-quick-access-search.png" /> <img itemprop="thumbnail" src="https://blog.1password.com/posts/2021/opw8-launch/light-quick-access-search-thumb.png" alt="Quick Access search in action." 
style='max-width: 100px; width: 100%; display: inline-block;' /> </figure> <figure itemprop="associatedMedia" itemscope itemtype="http://schema.org/ImageObject" class="item item-row1-column1"> <meta itemprop="contentUrl" content="/posts/2021/opw8-launch/light-markdown.png" /> <img itemprop="thumbnail" src="https://blog.1password.com/posts/2021/opw8-launch/light-markdown-thumb.png" style='max-width: 100px; width: 100%; display: inline-block;' /> </figure> <figure itemprop="associatedMedia" itemscope itemtype="http://schema.org/ImageObject" class="item item-row1-column1"> <meta itemprop="contentUrl" content="/posts/2021/opw8-launch/light-share-item.png" /> <img itemprop="thumbnail" src="https://blog.1password.com/posts/2021/opw8-launch/light-share-item-thumb.png" style='max-width: 100px; width: 100%; display: inline-block;' /> </figure> <figure itemprop="associatedMedia" itemscope itemtype="http://schema.org/ImageObject" class="item item-row1-column1"> <meta itemprop="contentUrl" content="/posts/2021/opw8-launch/light-watchtower-banner-use-https.png" /> <img itemprop="thumbnail" src="https://blog.1password.com/posts/2021/opw8-launch/light-watchtower-banner-use-https-thumb.png" style='max-width: 100px; width: 100%; display: inline-block;' /> </figure> <figure itemprop="associatedMedia" itemscope itemtype="http://schema.org/ImageObject" class="item item-row1-column1"> <meta itemprop="contentUrl" content="/posts/2021/opw8-launch/light-navigation.png" /> <img itemprop="thumbnail" src="https://blog.1password.com/posts/2021/opw8-launch/light-navigation-thumb.png" style='max-width: 100px; width: 100%; display: inline-block;' /> </figure> <figure itemprop="associatedMedia" itemscope itemtype="http://schema.org/ImageObject" class="item item-row2-column2"> <meta itemprop="contentUrl" content="/posts/2021/opw8-launch/light-security-key.png" /> <img itemprop="thumbnail" src="https://blog.1password.com/posts/2021/opw8-launch/light-security-key-thumb.png" style='max-width: 100px; 
width: 100%; display: inline-block;' /> </figure> <figure itemprop="associatedMedia" itemscope itemtype="http://schema.org/ImageObject" class="item item-row1-column1"> <meta itemprop="contentUrl" content="/posts/2021/opw8-launch/light-restore-recently-deleted-item.png" /> <img itemprop="thumbnail" src="https://blog.1password.com/posts/2021/opw8-launch/light-restore-recently-deleted-item-thumb.png" style='max-width: 100px; width: 100%; display: inline-block;' /> </figure> <figure itemprop="associatedMedia" itemscope itemtype="http://schema.org/ImageObject" class="item item-row1-column2"> <meta itemprop="contentUrl" content="/posts/2021/opw8-launch/light-browser-change-password.png" /> <img itemprop="thumbnail" src="https://blog.1password.com/posts/2021/opw8-launch/light-browser-change-password-thumb.png" style='max-width: 100px; width: 100%; display: inline-block;' /> </figure> <figure itemprop="associatedMedia" itemscope itemtype="http://schema.org/ImageObject" class="item item-row1-column1"> <meta itemprop="contentUrl" content="/posts/2021/opw8-launch/light-edit-item.png" /> <img itemprop="thumbnail" src="https://blog.1password.com/posts/2021/opw8-launch/light-edit-item-thumb.png" style='max-width: 100px; width: 100%; display: inline-block;' /> </figure> <figure itemprop="associatedMedia" itemscope itemtype="http://schema.org/ImageObject" class="item item-row1-column1"> <meta itemprop="contentUrl" content="/posts/2021/opw8-launch/light-edit-item-custom-icon.png" /> <img itemprop="thumbnail" src="https://blog.1password.com/posts/2021/opw8-launch/light-edit-item-custom-icon-thumb.png" style='max-width: 100px; width: 100%; display: inline-block;' /> </figure> <figure itemprop="associatedMedia" itemscope itemtype="http://schema.org/ImageObject" class="item item-row1-column2"> <meta itemprop="contentUrl" content="/posts/2021/opw8-launch/light-advanced-search.png" /> <img itemprop="thumbnail" 
src="https://blog.1password.com/posts/2021/opw8-launch/light-advanced-search-thumb.png" style='max-width: 100px; width: 100%; display: inline-block;' /> </figure> <figure itemprop="associatedMedia" itemscope itemtype="http://schema.org/ImageObject" class="item item-row1-column1"> <meta itemprop="contentUrl" content="/posts/2021/opw8-launch/light-watchtower-banner-compromised.png" /> <img itemprop="thumbnail" src="https://blog.1password.com/posts/2021/opw8-launch/light-watchtower-banner-compromised-thumb.png" style='max-width: 100px; width: 100%; display: inline-block;' /> </figure> <figure itemprop="associatedMedia" itemscope itemtype="http://schema.org/ImageObject" class="item item-row3-column3"> <meta itemprop="contentUrl" content="/posts/2021/opw8-launch/light-quick-access-item-actions.png" /> <img itemprop="thumbnail" src="https://blog.1password.com/posts/2021/opw8-launch/light-quick-access-item-actions-thumb.png" style='max-width: 100px; width: 100%; display: inline-block;' /> </figure> <figure itemprop="associatedMedia" itemscope itemtype="http://schema.org/ImageObject" class="item item-row2-column1"> <meta itemprop="contentUrl" content="/posts/2021/opw8-launch/light-large-type.png" /> <img itemprop="thumbnail" src="https://blog.1password.com/posts/2021/opw8-launch/light-large-type-thumb.png" style='max-width: 100px; width: 100%; display: inline-block;' /> </figure> <figure itemprop="associatedMedia" itemscope itemtype="http://schema.org/ImageObject" class="item item-row1-column1"> <meta itemprop="contentUrl" content="/posts/2021/opw8-launch/light-watchtower-banner-2fa.png" /> <img itemprop="thumbnail" src="https://blog.1password.com/posts/2021/opw8-launch/light-watchtower-banner-2fa-thumb.png" style='max-width: 100px; width: 100%; display: inline-block;' /> </figure> <figure itemprop="associatedMedia" itemscope itemtype="http://schema.org/ImageObject" class="item item-row1-column1"> <meta itemprop="contentUrl" 
content="/posts/2021/opw8-launch/light-browser-add-2fa-qrcode.png" /> <img itemprop="thumbnail" src="https://blog.1password.com/posts/2021/opw8-launch/light-browser-add-2fa-qrcode-thumb.png" style='max-width: 100px; width: 100%; display: inline-block;' /> </figure> <figure itemprop="associatedMedia" itemscope itemtype="http://schema.org/ImageObject" class="item item-row1-column1"> <meta itemprop="contentUrl" content="/posts/2021/opw8-launch/light-keyboard-shortcuts.png" /> <img itemprop="thumbnail" src="https://blog.1password.com/posts/2021/opw8-launch/light-keyboard-shortcuts-thumb.png" style='max-width: 100px; width: 100%; display: inline-block;' /> </figure> <figure itemprop="associatedMedia" itemscope itemtype="http://schema.org/ImageObject" class="item item-row2-column3"> <meta itemprop="contentUrl" content="/posts/2021/opw8-launch/light-reveal-password.png" /> <img itemprop="thumbnail" src="https://blog.1password.com/posts/2021/opw8-launch/light-reveal-password-thumb.png" style='max-width: 100px; width: 100%; display: inline-block;' /> </figure> <figure itemprop="associatedMedia" itemscope itemtype="http://schema.org/ImageObject" class="item item-row1-column1"> <meta itemprop="contentUrl" content="/posts/2021/opw8-launch/light-edit-item-password-generator.png" /> <img itemprop="thumbnail" src="https://blog.1password.com/posts/2021/opw8-launch/light-edit-item-password-generator-thumb.png" style='max-width: 100px; width: 100%; display: inline-block;' /> </figure> </section> <p><em>(click any image in this light mode gallery to see the full screenshot plus a detailed description and be sure to check out the <a href="https://blog.1password.com/1password-8-for-windows-dark-mode-edition/#screenshot-gallery">dark mode gallery</a> as well)</em></p></description></item><item><title>How does a VPN work, and do you need one?</title><link>https://blog.1password.com/how-a-vpn-works/</link><pubDate>Fri, 12 Nov 2021 00:00:00 +0000</pubDate><author>info@1password.com (Nick 
Summers)</author><guid>https://blog.1password.com/how-a-vpn-works/</guid><description> <img src='https://blog.1password.com/posts/2021/how-a-vpn-works/header.svg' class='webfeedsFeaturedVisual' alt='How does a VPN work, and do you need one?' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">A virtual private network (VPN) is a useful tool that protects your online activity by creating a secure &lsquo;tunnel&rsquo; that sits between your device and the site or service you&rsquo;re trying to access.</p> <p>These days, VPNs are everywhere. Many workers rely on them to access their email and corporate files while they&rsquo;re outside the office. Others use them to visit sites and watch content that isn&rsquo;t normally available in their country. Or to better protect their internet traffic while they&rsquo;re browsing the web on a public Wi-Fi network.</p> <p>Using a VPN is usually quite straightforward: launch the client, click connect. But understanding how one works is trickier. Tunneling? Encapsulation? These terms are hardly commonplace, unless you&rsquo;re an IT or security professional. Here, we&rsquo;ll break down the basics and answer a common question: is it <strong>always</strong> necessary to use a VPN while connected to the internet?</p> <h2 id="the-basics-how-does-a-vpn-work">The basics: How does a VPN work?</h2> <p>A VPN acts as a gatekeeper between your device and whatever you&rsquo;re trying to interact with – it could be a public website like <a href="https://1password.com/">1Password.com</a>, a streaming service, or some files stored on your company&rsquo;s private network.</p> <p>Normally, when you ask for a site like 1Password.com, your internet service provider (ISP) takes that request and returns with the data necessary to load the page in your browser. 
But with a VPN, your request is routed through a VPN-controlled server before it reaches the place where the website is stored.</p> <p>Consumer-focused VPN providers like <a href="https://www.expressvpn.com/">ExpressVPN</a> and <a href="https://nordvpn.com/nord-site/">NordVPN</a> have servers scattered all over the world. That&rsquo;s why someone in France can use a VPN to watch a show or movie that&rsquo;s only available in the United States. The VPN tricks the streaming service into thinking the request came from one of the VPN&rsquo;s servers, rather than from the person based in France.</p> <p>A corporate VPN <a href="https://youtu.be/1mtSNVdC7tM">works in a slightly different way</a>. It acts as a gatekeeper between your device and everything stored on your company&rsquo;s private network. Instead of a site or streaming service, the final destination is a server or database that normally can&rsquo;t be accessed unless you&rsquo;re in the office.</p> <p>At this point, you&rsquo;re probably wondering: &ldquo;Okay, but how does a VPN actually protect your privacy and the data you&rsquo;re sending back and forth?&rdquo; That&rsquo;s where encapsulation and encryption come in.</p> <h2 id="packets-tunneling-and-encapsulation">Packets, tunneling, and encapsulation</h2> <p>To understand VPNs, we have to talk about packets. When you send data over the internet, <a href="https://www.khanacademy.org/computing/computers-and-internet/xcae6f4a7ff015e7d:the-internet/xcae6f4a7ff015e7d:routing-with-redundancy/a/ip-packets">it&rsquo;s broken down into blocks called packets</a>. Each packet comes with a series of instructions, known as headers, that explain the source and destination, how the packets should be put back together, and more.</p> <p>VPNs use “tunneling” to protect these morsels of data while they&rsquo;re in transit. Each packet is placed inside another packet – a process called “encapsulation” – to mask what&rsquo;s inside. 
It’s a bit like putting a colorful bag of sweets inside another bag with zero branding. Or a small suitcase inside of a larger one. In a sea of similar data packets, a cybercriminal won&rsquo;t know what&rsquo;s worth targeting.</p> <p>But tunneling isn&rsquo;t enough. VPNs also use encryption to protect the data itself. Every packet you send is encrypted before it leaves your device and then decrypted once it reaches the VPN&rsquo;s servers. The same process is carried out in reverse. Data you&rsquo;ve requested – whether that&rsquo;s a site or company file – is encrypted by the VPN and finally decrypted once it reaches your device.</p> <h2 id="how-does-vpn-encryption-work">How does VPN encryption work?</h2> <p>VPNs leverage symmetric and asymmetric key encryption to protect your data from prying eyes.</p> <p>A “key” is similar to a secret code. Imagine that you and a friend want to share secret notes in a cafe. You agree beforehand to scramble the messages with a &ldquo;plus five&rdquo; rule, meaning that every letter should be swapped for one five places later in the alphabet. (So &ldquo;hello&rdquo; would become &ldquo;mjqqt,&rdquo; and vice versa.)</p> <p>In this example, you would be using symmetric encryption, because the same secret code or &ldquo;key&rdquo; is used to encrypt and decrypt each message.</p> <p>Asymmetric encryption relies on public and private keys. You can think of these like interlocking puzzle pieces, or a mailbox outside your house that&rsquo;s locked with a special key. Anyone can use your public key to encrypt a message, but only your private key – which, as the name implies, is private – can decrypt it.</p> <p>The advantage of asymmetric encryption is that you never have to share your private key over the internet. It stays on your device, which makes it awfully difficult for a cybercriminal to steal.</p> <p>VPNs use both symmetric and asymmetric encryption to protect your internet traffic. Why? 
Imagine that your data was protected with a single symmetric key. Whoever created the key would need to share it with the other party over the internet. And if a cybercriminal found it in transit, they could theoretically decrypt every data packet you sent.</p> <p>VPN providers avoid this in two ways. First, they create a new symmetric key every time you connect to the VPN, or start a new &ldquo;session.&rdquo; That way, if a thief somehow obtained the key, it would only expose the data from that specific session. (<a href="https://www.wired.com/2016/11/what-is-perfect-forward-secrecy/">This is sometimes known as Perfect Forward Secrecy</a>.) In addition, the symmetric key is securely shared using asymmetric encryption. A similar key exchange takes place when you text someone on a secure messaging app.</p> <h2 id="vpn-protocols">VPN protocols</h2> <p>VPNs use frameworks called &ldquo;protocols&rdquo; to authenticate the connection. The most common protocols include:</p> <ul> <li><a href="https://en.wikipedia.org/wiki/OpenVPN">OpenVPN</a></li> <li><a href="https://en.wikipedia.org/wiki/Internet_Key_Exchange#Improvements_with_IKEv2">IKEv2</a> (Internet Key Exchange version 2)</li> <li><a href="https://en.wikipedia.org/wiki/WireGuard">WireGuard</a></li> <li><a href="https://www.expressvpn.com/lightway">Lightway</a></li> <li><a href="https://techrobot.com/what-is-softether/">SoftEther</a></li> <li><a href="https://en.wikipedia.org/wiki/Point-to-Point_Tunneling_Protocol">PPTP</a> (Point-to-Point Tunneling Protocol)</li> <li><a href="https://en.wikipedia.org/wiki/Secure_Socket_Tunneling_Protocol">SSTP</a> (Secure Socket Tunneling Protocol)</li> <li><a href="https://en.wikipedia.org/wiki/Layer_2_Tunneling_Protocol">L2TP</a> (Layer 2 Tunneling Protocol)</li> </ul> <p>Some VPN protocols are known for their speed, while others are focused on top-notch security. Both can be useful depending on what you&rsquo;re doing. 
If you&rsquo;re streaming a show, for example, you probably care more about the resolution of the video and making sure it doesn&rsquo;t stutter. If you&rsquo;re working on a project for work, on the other hand, you might not mind if it takes an extra minute to upload to your company&rsquo;s server.</p> <p>Many VPN companies accommodate this by offering a few different protocols. Surfshark <a href="https://surfshark.com/blog/vpn-encryption">supports OpenVPN, IKEv2, and WireGuard</a>, for example.</p> <h2 id="should-everyone-use-a-vpn">Should everyone use a VPN?</h2> <p>Not everyone. Yes, a VPN can be an effective way to protect your internet traffic. It&rsquo;s also a clever workaround when you need to access geo-restricted content. But for some, a VPN could be unnecessary. You might have taken other precautions to protect yourself online, or simply want to prioritize the performance of your network connection.</p> <p>For example, a corporate VPN might be suitable if your company has a mix of remote and office-based workers. But as <a href="https://www.ncsc.gov.uk/collection/device-security-guidance/infrastructure/virtual-private-networks">the UK&rsquo;s National Cyber Security Centre explains</a>, the benefits of a VPN might be limited if you&rsquo;ve already adopted a zero-trust model.</p> <p>Zero trust is based on the &ldquo;never trust, always verify&rdquo; principle and uses a combination of technologies – typically <a href="https://1password.com/resources/guides/why-you-should-have-sso/">single sign-on (SSO)</a> and identity and access management (IAM) services – to verify employees and control the files, apps, and services they have access to. That allows companies of all sizes to protect their data without setting up and maintaining a complicated VPN.</p> <p>Here&rsquo;s how the U.S. 
National Institute of Standards and Technology (NIST) <a href="https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-207.pdf">describes it</a>: &ldquo;Zero trust is the term for an evolving set of cybersecurity paradigms that move defenses from static, network-based perimeters to focus on users, assets, and resources.&rdquo;</p> <p>Okay, but what about people who aren&rsquo;t at work? Again, it&rsquo;s a little complicated. As <a href="https://www.nytimes.com/2021/10/06/technology/personaltech/are-vpns-worth-it.html">The New York Times reports</a>, security on the web is slowly improving. More sites are adopting HTTPS, a web protocol that leverages a robust form of encryption called SSL or TLS. And that goes a long way towards making the web a more secure and privacy-respecting place.</p> <p>But that doesn&rsquo;t mean a VPN can&rsquo;t be useful. Some websites still don&rsquo;t support HTTPS, for example. And beyond the browser, it can be hard to tell which software is encrypting your data or relying on insecure protocols. A VPN can act as a safety net in these scenarios, protecting all of the traffic that your device is sending and receiving.</p> <p>HTTPS also doesn&rsquo;t help if you want to visit a website or stream a show that isn&rsquo;t available in your region. So if you live in a country with large amounts of censorship, or just want to watch Hulu outside the U.S., a VPN is still your best bet.</p> <h2 id="the-bottom-line">The bottom line</h2> <p>A VPN is an important layer of protection that can greatly improve your online privacy. But sometimes you might not need that privacy. Or simply feel that the hit to your internet connection speeds isn&rsquo;t worth it. When you turn on your PC or wake up your phone, take a moment to consider what you&rsquo;ll be doing online and whether a VPN is appropriate. 
That way, you can make sure that you&rsquo;re always striking the right balance and preserving your privacy when it matters the most.</p></description></item><item><title>How and why we built Masked Email with JMAP – an open API standard</title><link>https://blog.1password.com/making-masked-email-with-jmap/</link><pubDate>Thu, 11 Nov 2021 00:00:00 +0000</pubDate><author>info@1password.com (Madeline Hanley)</author><guid>https://blog.1password.com/making-masked-email-with-jmap/</guid><description> <img src='https://blog.1password.com/posts/2021/building-masked-email-with-jmap/header.svg' class='webfeedsFeaturedVisual' alt='How and why we built Masked Email with JMAP – an open API standard' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Our core values as a company center around our users’ privacy, security, and satisfaction. While developing <a href="https://blog.1password.com/fastmail-masked-email/">Masked Email</a> – our integration with Fastmail that lets users create new, unique email addresses without ever leaving the sign-up page – we needed a technology that brought all three values together.</p> <p>Enter JMAP: the developer-friendly, open API standard for modern mail clients. Below, we’ll introduce you to JMAP, explain why we chose it for <a href="https://1password.com/fastmail/">Masked Email</a>, describe how the integration works, and share how you can get started using JMAP in your own projects.</p> <p>I’ll be honest, I’d never heard of JMAP (<a href="https://jmap.io/index.html">JSON Meta Application Protocol</a>) before we started working on the proof of concept for Masked Email. 
I was amazed that I’d never heard of this standardized open protocol (<a href="https://datatracker.ietf.org/doc/html/rfc8620">RFC8620</a>) that can do <em>so much</em> – JMAP is faster than its predecessors, it’s an open standard, and it’s easy to use.</p> <p>The more I read about JMAP, the more I realized how antiquated the de facto APIs that run our digital lives are. The parts of the internet you use every day run on technology from the 80s and 90s – let that sink in for a moment. Remember (or please imagine, young Gen Z) how slow things were in the 80s and 90s? Does the scratching, beeping sound of dial-up make you itch? It was slow, and if your older sister got a call from one of her friends, well… goodbye, internet. Ever noticed how email on your phone takes longer to load than other things on the mobile web? The <a href="https://youtu.be/8qCSK-aGSBA?t=11">side-by-side comparison of loading email on iPhones over JMAP versus over IMAP</a> highlights just how outdated email technology has become.</p> <p>If you’ve ever worked on legacy code, you’ll know how hard it is to add new features, or to just make things better. The languages and libraries you use every day have changed immensely since you started using them. <a href="https://reactjs.org/">React</a>, for example, was released in 2013, and the API docs today look <strong>nothing</strong> like they did then. By contrast, IMAP (Internet Message Access Protocol), the tech that helps bring you Gmail (and basically all mail), was finalized in <a href="https://datatracker.ietf.org/doc/html/rfc3501.html">RFC3501</a> in 2003 – <strong>18 years ago</strong>. The top-grossing films that year were <em>Finding Nemo</em>, the first <em>Pirates of the Caribbean</em>, the third installment of <em>The Lord of the Rings</em>, and the second <em>Matrix</em> movie. 
A good year, but technology has progressed immensely since then – the iPhone didn’t even exist yet!</p> <p>All the things you can do with IMAP and CalDAV (the current standard for calendar sync), you can do more easily with JMAP. From a tech perspective, it feels very familiar. As the name suggests, JMAP is based on JSON and HTTP, some of the first concepts you learn as a developer. With JMAP, you can batch actions together to cut down on the number of requests going back and forth – a big part of why it’s faster. In plain terms: JMAP is made to sync information from where the data is stored (a server) to where you’re using or viewing it (a client), quickly.</p> <p>To take a closer look at what I’m talking about, let’s review <a href="https://github.com/fastmail/JMAP-Samples/blob/main/javascript/hello-world.js">some sample code from our Fastmail friends</a>.</p> <p>If we boil it down, the two core concepts of JMAP are the Session object and structured data exchange.</p> <h2 id="the-session">The Session</h2> <p>The <a href="https://jmap.io/spec-core.html#the-jmap-session-resource">Session object</a> is the first thing you grab when you authenticate. 
It tells you everything you need to know about the server, including the maximum supported upload size, request size, and number of calls per request, which email accounts are connected to that larger account, and even the URL (<code>apiUrl</code>) you’ll need to request from to fetch and sync data via structured data exchange.</p> <p>Here’s how you authenticate to grab your own Session object in JavaScript.</p> <p>Let’s say you have a file called <code>jmap-session.js</code> with the code below:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-javascript" data-lang="javascript">const fetch = require("node-fetch");

/* bail if we don't have our ENV set: */
if (!process.env.JMAP_USERNAME || !process.env.JMAP_PASSWORD) {
  console.log("Please set your JMAP_USERNAME and JMAP_PASSWORD");
  console.log(
    "JMAP_USERNAME=username JMAP_PASSWORD=password node jmap-session.js"
  );
  process.exit(1);
}

const hostname = process.env.JMAP_HOSTNAME || "jmap.fastmail.com";

/* your Fastmail email */
const username = process.env.JMAP_USERNAME;

/* your Fastmail "App Password", *not* your real password.
   Generate one by going to Settings &gt; Password &amp; Security &gt; App Passwords &gt;
   Enter your password and click Unlock, and then New App Password and follow
   the steps listed. More ➡️ https://www.fastmail.help/hc/en-us/articles/360058752854-App-passwords */
const password = process.env.JMAP_PASSWORD;

/* The session resource lives at a well-known path on the JMAP host */
const auth_url = `https://${hostname}/.well-known/jmap`;
/* HTTP Basic auth: base64 of "username:app-password" */
const auth_token = Buffer.from(`${username}:${password}`).toString("base64");

const getSession = async () =&gt; {
  const response = await fetch(auth_url, {
    method: "GET",
    headers: {
      "Content-Type": "application/json",
      Authorization: `basic ${auth_token}`,
    },
  });
  return response.json();
};

getSession().then((session) =&gt; {
  console.log(session);
  /* TODO(you) cool stuff with your email */
});
</code></pre></div><p>In your terminal, run the following, using your Fastmail app password as the password value:</p> 
<p><code>JMAP_USERNAME=nobody@fastmail.com JMAP_PASSWORD=4kJc7vuRVwyLKhKF node jmap-session.js</code></p> <p>Here’s what the output should look like:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-javascript" data-lang="javascript">{
  state: 'cyrus-218;p-10',
  uploadUrl: 'https://jmap.fastmail.com/jmap/upload/{accountId}/',
  accounts: {
    ue5494021: {
      isArchiveUser: false,
      isPersonal: true,
      isReadOnly: false,
      name: 'you@fastmail.com',
      accountCapabilities: [Object],
      userId: '17597792'
    }
  },
  username: 'nobody@fastmail.com',
  apiUrl: 'https://jmap.fastmail.com/jmap/api/',
  eventSourceUrl: 'https://jmap.fastmail.com/jmap/event/',
  primaryAccounts: {
    'urn:ietf:params:jmap:submission': 'ub0b940a2',
    'urn:ietf:params:jmap:mail': 'ub0b940a2',
    'urn:ietf:params:jmap:vacationresponse': 'ub0b940a2',
    'urn:ietf:params:jmap:core': 'ub0b940a2'
  },
  capabilities: {
    'urn:ietf:params:jmap:submission': {},
    'urn:ietf:params:jmap:mail': {},
    'urn:ietf:params:jmap:vacationresponse': {},
    'urn:ietf:params:jmap:core': {
      collationAlgorithms: [Array],
      maxObjectsInGet: 4096,
      maxSizeRequest: 10000000,
      maxSizeUpload: 250000000,
      maxConcurrentUpload: 10,
      maxCallsInRequest: 50,
      maxObjectsInSet: 4096,
      maxConcurrentRequests: 10
    }
  },
  downloadUrl: 'https://beta.fastmailusercontent.com/jmap/download/{accountId}/{blobId}/{name}?type={type}'
}
</code></pre></div><p>There’s lots of useful information here, but for now let’s focus on <code>apiUrl</code> and <code>primaryAccounts</code>. Here’s where you can grab your account ID. Your account ID is the value under the key <code>urn:ietf:params:jmap:mail</code> in <code>primaryAccounts</code> – in this case, <code>ub0b940a2</code>. You’ll need both your <code>apiUrl</code> and account ID to do anything fun.</p> <h2 id="structured-data-exchange">Structured data exchange</h2> <p>Now let’s talk JMAP API requests. The request and response type is always <code>application/json</code>. The body of every JMAP request, across the board, contains a <code>using</code> and a <code>methodCalls</code> property. The <code>using</code> property is where you put the capabilities you want to have access to with your request. <code>methodCalls</code> is a list of all the data you want to sync, delete, create, fetch, etc. Each method call item is an Invocation data type and it’s always a tuple with 3 items: the name of the method (<code>Mailbox/query</code>, for example), an object with arguments for that method (i.e. the data you want to create, update, or delete), and the method call ID – an arbitrary string that identifies the method call so you can match it to its response. 
Say you want to work with your email drafts. First, look up the ID of your Drafts mailbox:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-javascript" data-lang="javascript">const mailboxQuery = async (api_url, account_id) =&gt; {
  const response = await fetch(api_url, {
    method: "POST",
    headers: {
      "Content-Type": "application/json",
      /* Here let's say you already have an auth token */
      Authorization: `basic ${auth_token}`
    },
    body: JSON.stringify({
      /* The using param is like the scope or capabilities you want access to.
         In this case, the core JMAP functionalities (you'll always want this one), and your mailbox. */
      using: ["urn:ietf:params:jmap:core", "urn:ietf:params:jmap:mail"],
      /* methodCalls are the items you want to sync with the server.
         These are processed in the order you give them - easy! */
      methodCalls: [
        /* Each methodCall is an Invocation data type - a wild tuple. An Invocation consists of
           a string - the name of the request ("Mailbox/query" here), an object with arguments,
           and another string - the method call id ("a", in the example below).
           Here we're querying for the mailbox with the "drafts" role, i.e. the user's Drafts folder. */
        [
          "Mailbox/query",
          {
            accountId: account_id,
            filter: { role: "drafts" }
          },
          "a"
        ]
      ]
    })
  });
  const data = await response.json();
  /* The response for call "a" is the first tuple; its "ids" list holds the matching mailbox IDs */
  return data["methodResponses"][0][1]["ids"][0];
};
</code></pre></div><p>After grabbing the returned ID of your Drafts mailbox, you make a third request with the content of your draft email using the same basic format. This time, we’ll have two method calls: one to create the draft, and the other to initialize and send the email:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-javascript" data-lang="javascript">const draftResponse = async (api_url, account_id, draft_id) =&gt; {
  /* The content of your email! */
  const message_body =
    "Hi! \n\n" +
    "This email may not look like much, but I sent it with JMAP, a new protocol \n" +
    "designed to make it easier to manage email, contacts, calendars, and more of \n" +
    "your digital life in general. \n\n" +
    "Pretty cool, right? \n\n" +
    "-- \n" +
    "This email sent from my next-generation email system at Fastmail. \n";

  const draft_object = {
    from: [{ email: username }],
    /* A little to me, from me, for practice 🙂 */
    to: [{ email: username }],
    /* The subject line in your email */
    subject: "Hello, world!",
    /* Mark the new message as a draft and file it in the Drafts mailbox (draft_id) */
    keywords: { $draft: true },
    mailboxIds: { [draft_id]: true },
    bodyValues: { body: { value: message_body, charset: "utf-8" } },
    /* We'll stick with plain text emails for now, but if you like HTML you can have a lot of fun with this */
    textBody: [{ partId: "body", type: "text/plain" }],
  };

  const response = await fetch(api_url, {
    method: "POST",
    headers: {
      "Content-Type": "application/json",
      Authorization: `basic ${auth_token}`,
    },
    body: JSON.stringify({
      using: [
        "urn:ietf:params:jmap:core",
        "urn:ietf:params:jmap:mail",
        /* Now we're adding the submission capability to send the email */
        "urn:ietf:params:jmap:submission",
      ],
      methodCalls: [
        /* Now we've got 2 methodCalls */
        [
          /* One to create the draft email (creation id "draft") */
          "Email/set",
          {
            accountId: account_id,
            create: { draft: draft_object }
          },
          "a",
        ],
        [
          /* And one to create the submission and send the email; "#draft" refers
             back to the email created in call "a", and the sent copy is destroyed on success */
          "EmailSubmission/set",
          {
            accountId: account_id,
            onSuccessDestroyEmail: ["#sendIt"],
            create: { sendIt: { emailId: "#draft" } }
          },
          "b",
        ],
      ],
    }),
  });
  const data = await response.json();
  console.log(JSON.stringify(data));
};
</code></pre></div><p>And that’s it! 
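As an added example (not code from the original post or from Fastmail's JMAP-Samples), here is the request/response structure from the last few paragraphs worked offline in Node.js: an Invocation builder that checks the [name, arguments, id] shape, a request builder that enforces unique method call IDs, the same Email/set plus EmailSubmission/set pair as above, and a summarizer that matches every entry in methodResponses back to its call ID and surfaces both method-level "error" responses and per-object notCreated failures. The helper names and the two sample responses are constructed for this example; the response shapes follow RFC 8620 and RFC 8621 but are trimmed to the properties the code reads.

```javascript
// Added example (not code from the original post or from Fastmail's
// JMAP-Samples): the request/response structure described above, offline.
// Helper names and the two sample responses are constructed here.

// Capability URIs used on this page.
const CORE = "urn:ietf:params:jmap:core";
const MAIL = "urn:ietf:params:jmap:mail";
const SUBMISSION = "urn:ietf:params:jmap:submission";

// An Invocation is the 3-tuple [methodName, arguments, methodCallId].
function invocation(name, args, callId) {
  if (typeof name !== "string" || !name.includes("/")) {
    throw new TypeError(`bad method name: ${name}`);
  }
  if (args === null || typeof args !== "object" || Array.isArray(args)) {
    throw new TypeError("arguments must be a JSON object");
  }
  if (typeof callId !== "string" || callId === "") {
    throw new TypeError("method call id must be a non-empty string");
  }
  return [name, args, callId];
}

// The request body is { using, methodCalls }. Call ids must be unique so each
// entry of methodResponses can be matched back to the call that produced it.
function buildRequest(using, methodCalls) {
  if (!using.includes(CORE)) throw new Error(`using must include ${CORE}`);
  const ids = methodCalls.map((call) => call[2]);
  if (new Set(ids).size !== ids.length) throw new Error("duplicate method call ids");
  return { using, methodCalls };
}

// The same two-call flow as draftResponse above: create the draft, then submit
// it, with "#draft" referring to the creation id used in call "a".
function draftAndSendRequest(accountId, draftsMailboxId, address, subject, text) {
  const draft = {
    from: [{ email: address }],
    to: [{ email: address }],
    subject,
    keywords: { $draft: true },
    mailboxIds: { [draftsMailboxId]: true },
    bodyValues: { body: { value: text, charset: "utf-8" } },
    textBody: [{ partId: "body", type: "text/plain" }],
  };
  return buildRequest(
    [CORE, MAIL, SUBMISSION],
    [
      invocation("Email/set", { accountId, create: { draft } }, "a"),
      invocation(
        "EmailSubmission/set",
        { accountId, onSuccessDestroyEmail: ["#sendIt"], create: { sendIt: { emailId: "#draft" } } },
        "b"
      ),
    ]
  );
}

// Group methodResponses by call id. A rejected call comes back as
// ["error", { type }, id]; a Foo/set that ran may still report per-object
// failures under notCreated. One call can yield several entries: the
// onSuccessDestroyEmail above adds an implicit Email/set response to call "b".
function summarizeResponses(body) {
  const summary = {};
  for (const [name, args, callId] of body.methodResponses) {
    const entry = summary[callId] || (summary[callId] = { ok: true, errors: [], methods: [] });
    entry.methods.push(name);
    if (name === "error") {
      entry.ok = false;
      entry.errors.push(args.type);
      continue;
    }
    for (const [creationId, err] of Object.entries(args.notCreated || {})) {
      entry.ok = false;
      entry.errors.push(`${creationId}: ${err.type}`);
    }
    if (args.created) {
      entry.created = Object.assign(
        entry.created || {},
        Object.fromEntries(Object.entries(args.created).map(([k, v]) => [k, v.id]))
      );
    }
    if (args.destroyed) entry.destroyed = args.destroyed;
    if (args.ids) entry.ids = args.ids;
  }
  return summary;
}

// Constructed sample: both calls succeeded and the sent draft was destroyed.
const SAMPLE_SENT = {
  methodResponses: [
    ["Email/set", { accountId: "acc-example", created: { draft: { id: "M1a2b3c4" } } }, "a"],
    ["EmailSubmission/set", { accountId: "acc-example", created: { sendIt: { id: "S0f9e8d7" } } }, "b"],
    ["Email/set", { accountId: "acc-example", destroyed: ["M1a2b3c4"] }, "b"],
  ],
  sessionState: "example-state",
};
// Constructed sample: the draft was created, but submission was refused outright.
const SAMPLE_REJECTED = {
  methodResponses: [
    ["Email/set", { accountId: "acc-example", created: { draft: { id: "M1a2b3c4" } } }, "a"],
    ["error", { type: "forbidden" }, "b"],
  ],
  sessionState: "example-state",
};
```

Matching on the call ID rather than on array position is the habit worth keeping: once a request carries several calls, one call can be answered by more than one entry (the implicit Email/set triggered by onSuccessDestroyEmail shares call ID "b"), and a refused call is answered with an "error" tuple rather than a Foo/set response, so reading methodResponses[1][1].created blindly would miss the failure.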
To do the same thing in IMAP, you’d actually need to use both IMAP and SMTP (Simple Mail Transfer Protocol): IMAP to receive email and SMTP to send it. Or, you can learn JMAP once and use it everywhere, for anything.</p> <h2 id="jmap--masked-email">JMAP &amp; Masked Email</h2> <p>JMAP has been designed to be used as a protocol on top of any kind of server/client communication; it&rsquo;s not specific to email or Fastmail. It can carry, for example, an API to mask your real email address! We at 1Password got early access to the Masked Email API, and soon Fastmail will be opening it up to everyone so you can build your own Masked Email integration.</p> <blockquote> <p><em>&ldquo;We wanted to build our feature on open standards because anyone can use them and the potential audience for reuse is huge. OAuth was an obvious choice, but using JMAP was an exciting choice. Using it is more proof that the protocol has a lot of uses beyond just email, and we&rsquo;re excited to keep using it for new features.&rdquo; - Ricardo Signes, Fastmail CTO</em></p> </blockquote> <p>The Masked Email API follows the same format you see above. 
When the Fastmail team was done building the API, all we had to do was update the method calls to look like <a href="https://news.ycombinator.com/item?id=28682011">this snippet Fastmail CEO Bron Gondwana posted on Hacker News</a>:</p> <img src='https://blog.1password.com/posts/2021/building-masked-email-with-jmap/hackernewssnippet.jpg' alt='Snippet shared by Bron Gondwana on Hacker News' title='Snippet shared by Bron Gondwana on Hacker News' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>Naturally, our team did a <em>ton</em> of other development to realize Masked Email in 1Password, but the JMAP requests were the easiest part because they all followed the same core protocol that we were already familiar with.</p> <p>Because of its flexibility, speed, open standards, and ease of use, JMAP was the perfect tool for Fastmail to develop the Masked Email API, and we had a blast learning it. We believe technology should improve based on the needs of its users. 
If you build something with your Fastmail account and JMAP, we want to see it!</p> <h2 id="ready-to-get-started">Ready to get started?</h2> <p>Here are all the things we watched, read, and played around with to learn JMAP:</p> <ul> <li>The official JMAP docs: <a href="https://jmap.io/index.html">https://jmap.io/index.html</a></li> <li>Fastmail’s JMAP-Samples GitHub repo: <a href="https://github.com/fastmail/JMAP-Samples">https://github.com/fastmail/JMAP-Samples</a></li> <li>Rik’s talk at last year’s Technical.ly Developers Conference: <a href="https://www.youtube.com/watch?v=5As3E8mXiMA">https://www.youtube.com/watch?v=5As3E8mXiMA</a></li> <li>Rik’s JMAP Crash Course on Topicbox: <a href="https://jmap.topicbox.com/groups/fastmail-dev-beta/T83594f41ca76f56c/jmap-crash-course">https://jmap.topicbox.com/groups/fastmail-dev-beta/T83594f41ca76f56c/jmap-crash-course</a></li> <li>Fastmail’s Digital Citizen podcast episode: Why Open Internet Standards Are So Important To Your Future with Bron Gondwana: <a href="https://www.fastmail.com/digitalcitizen/why-open-internet-standards-are-so-important-to-your-future-with-bron-gondwana/transcript/">https://www.fastmail.com/digitalcitizen/why-open-internet-standards-are-so-important-to-your-future-with-bron-gondwana/transcript/</a></li> </ul></description></item><item><title>Why security scare tactics aren't effective – and what to do instead</title><link>https://blog.1password.com/why-security-scare-tactics-dont-work/</link><pubDate>Fri, 05 Nov 2021 00:00:00 +0000</pubDate><author>info@1password.com (Harlie Hardage)</author><guid>https://blog.1password.com/why-security-scare-tactics-dont-work/</guid><description> <img src='https://blog.1password.com/img/headers/security-header.svg' class='webfeedsFeaturedVisual' alt='Why security scare tactics aren't effective – and what to do instead' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">We hear a lot about the consequences of 
practicing poor security. And for a while, this was rightfully so. When the importance of cybersecurity was still emerging, many people didn’t understand what could happen if they weren’t following proper security procedures.</p> <p>But those days are long behind us, so it’s time to retire the scare tactics of the past.</p> <p>I like to call it “spooky security”. It’s when we try to scare people into submission or use fear mongering to force people into behaving more securely. <a href="https://www.wsj.com/articles/why-companies-should-stop-scaring-employees-about-cybersecurity-11607364000">It&rsquo;s not working</a>, and it&rsquo;s stopping businesses from building a healthy <a href="https://watchtower.1password.com/">security culture</a>. A strong culture of security includes individuals not only being aware of policies and procedures but also understanding security and the role they play in it. It also involves employees’ attitudes towards security and how that impacts their actions. If that attitude is fear and uncertainty, they’re less likely to take an active role. An organization with employees disengaged from security is bound to fail.</p> <p>Not convinced? Let’s compare the two approaches and the overall impact they can have on your organization’s security.</p> <h2 id="scare-tactics-create-a-culture-of-fear-and-anxiety">Scare tactics create a culture of fear and anxiety</h2> <p>Fear-based tactics will only invoke fear in the short term. Maybe you scare people into doing the right thing that afternoon, or for a few weeks. But long term, it’s just going to cause anxiety and affect employee productivity. 
They&rsquo;ll spend their time second-guessing their choices and will be more likely to make the wrong decision because they&rsquo;re so stressed out.</p> <p>But when employees are confident security advocates because they’re being supported and encouraged, they’ll want to actively participate in security.</p> <h2 id="removing-roadblocks-vs-creating-obstacles">Removing roadblocks vs. creating obstacles</h2> <p>Fear-based tactics focus on what you’re not allowed to do and introduce roadblocks to processes. It’s often second nature for security professionals to just say “no” to everything that doesn’t fit into their rigid view of security. There’s good intent here, but it’s often impractical. For example, how are employees supposed to create strong, unique passwords for dozens of different accounts if you aren’t providing them with a password manager? Often, fear-based tactics only introduce the risk associated with bad actions and don&rsquo;t offer a solution.</p> <p>Positive security, meanwhile, focuses on those solutions by taking a human-centered approach to security. That means spending the time to fully understand how humans behave, their strengths and weaknesses, and creating a security program and environment that enables employees to succeed at security.</p> <p>Providing these resources and removing roadblocks for employees increases confidence, and who doesn’t feel good when their confidence is raised? Take time to understand where humans are bound to fail and need support. By doing so, you can make security easier to comply with and ensure everyone has a positive experience.</p> <h2 id="your-security-staff-should-be-approachable">Your security staff should be approachable</h2> <p>Yet another problem with fear-based security is a lack of communication and transparency on both sides. Often, there are two responses to fear tactics. Either it invokes fear and anxiety, or it creates skeptics who think threats are being exaggerated. 
Neither are good responses because they’re both ultimately going to lead to poor decision making. And both make employees feel like their employer or security team doesn’t trust them to do the right thing because so much time is spent talking about consequences. That lack of trust, coupled with the secrecy that fear often breeds, means that employees aren’t going to communicate and won’t be transparent when there are potential security issues.</p> <p>Here at 1Password, we fix this by offering available and approachable security personnel. This means ensuring employees know how to reach the security team and that when they do, that the security team is actually showing interest and doing their best to provide assistance.</p> <h2 id="obligatory-training-vs-learning-opportunities">Obligatory training vs. learning opportunities</h2> <p>Companies that use fear tactics often view training as an obligation for some sort of compliance requirement. Or, see it as a punishment to be endured when something goes wrong.</p> <p>If security training isn’t a regular part of your culture, the natural response to training will be that employees believe they’re in trouble or have done something wrong. Training will be viewed as a punishment and a requirement – not something fun, exciting or positive. It’s a negative experience that, again, can cause that stress and anxiety if employees think they’ve done something wrong.</p> <p>This is why consistent training is an extremely important part of a positive approach to security. It shows interest in employee development and helping them understand security. This doesn’t mean you shouldn’t offer training in response to a mistake or incident, but it does mean that individuals will feel less called out when these things occur because training already happens regularly, regardless of circumstances.</p> <p>In those cases, I encourage group or team training to learn from the situation without discussing the scenario specifically. 
This is for two reasons. First, the individual who made a mistake already feels bad that they messed up. Individual training sessions as a consequence can breed negative emotions towards security. And second, if one person made that mistake, it’s likely that anyone else could have done the same. Perhaps they just weren’t put in that certain situation or there were different environmental variables. It’s much better to use those incidents as a learning experience for the entire group instead of making one person feel like they’re being trained as a punishment.</p> <h2 id="punishing-mistakes-vs-praising-self-accountability">Punishing mistakes vs. praising self-accountability</h2> <p>Fear-based security tactics are quick to shame people’s failures. Some companies publicly call out employees, dock their pay, or have “three strikes and you’re out” policies. All these do is fuel anxiety. Shaming is the worst offender of fear-based tactics: it fails to recognize where the security team and employer could have done better and assumes that the person involved was purposefully negligent.</p> <p>Oftentimes, mistakes are caused because an employee was ill-prepared to handle that situation. We’ve already talked about how we can try to prevent incidents in the first place by providing resources to employees, but when mistakes inevitably happen, use them as a learning experience for all employees and praise the reporting party. It often takes a lot of courage to acknowledge mistakes and share them with security.</p> <p>Praising people who speak up is one of my favorite positive approaches. For 1Password, we call it the ‘eyes of the month’ award. It’s given to employees who recognize and report security issues. It doesn’t have to be fancy, but goes a long way toward removing the fear and negative connotations surrounding reporting a security incident. Employees aren’t afraid to disclose issues because they’re more likely to get an award than a slap on the wrist. 
Of course, we don’t want these things to happen in the first place, but quick reporting leads to quick remediation and then we get to use the incident as a learning experience so it doesn’t happen again.</p> <p>So now maybe you’re thinking, “Fine, I’ll be more positive in the name of security. But what does this get us? What’s the end goal?” We want individuals to have this positive relationship with security so they’re motivated to become long-term, invested security advocates. And what does a company full of security advocates get us? That strong culture of security we discussed earlier. It makes the correct choice the default choice, and suddenly security is the easy and exciting path to take. In organizations that empower and uplift their employees to become allies of security, the entire security program is much more likely to succeed.</p></description></item><item><title>You’ve inherited a digital estate plan: Now what?</title><link>https://blog.1password.com/guide-to-inherited-digital-estate-plan/</link><pubDate>Fri, 22 Oct 2021 00:00:00 +0000</pubDate><author>info@1password.com (Nick Summers)</author><guid>https://blog.1password.com/guide-to-inherited-digital-estate-plan/</guid><description> <img src='https://blog.1password.com/posts/2021/guide-to-inherited-digital-estate-plan/header.svg' class='webfeedsFeaturedVisual' alt='You’ve inherited a digital estate plan: Now what?' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">With each passing year, our digital lives grow in size and complexity. We open new accounts and place more value on the ones we log into and use every day. The trend has led to a rise in digital estate plans – a handover that ensures your friends and family members can take over your most precious accounts after you’ve gone.</p> <p>Creating a plan is one challenge; figuring out what to do with someone else’s is another. 
Maybe you’ve inherited one, or know a family member who plans to give you their accounts after they’ve passed away. Regardless, it’s important to have a strategy before logging into anything that was once owned by a loved one.</p> <h2 id="step-1-list-the-accounts-in-order-of-priority">Step 1: List the accounts in order of priority</h2> <p>The first step is to take stock of everything in your loved one’s <a href="https://blog.1password.com/digital-estate-planning-guide/">digital estate plan</a>. Grab a piece of paper or create a digital document and rank the accounts in order of priority. It might seem laborious, but this exercise will help you identify which accounts require your attention first, and just as importantly, the ones that don’t.</p> <p>But what should be “high priority?” In general, anything money-related should go near the top of your list. That includes bank accounts, personal investments, mortgages, cryptocurrencies, and private pensions. Otherwise, the order will depend on the person who created the digital estate plan. An Instagram account will likely rank higher if your loved one was a professional influencer, for instance.</p> <h2 id="step-2-follow-any-written-instructions">Step 2: Follow any written instructions</h2> <p>Some digital estate plans will come with instructions. If you discover any, the next step is to follow them to the best of your ability. You might find that some are impossible to carry out – for example, a company might have removed a feature that’s integral to the request. In these scenarios, you’ll need to pause and decide what would best honor the person and their original instruction.</p> <h2 id="step-3-consider-making-an-announcement">Step 3: Consider making an announcement</h2> <p>Many people find community on the internet. They make friends on Twitter, join multiple subreddits on Reddit, or become an active member of various Discord servers. 
If your loved one had any kind of online presence, you should consider logging into their accounts and making a public announcement. That way, everyone who was close to them will be aware of what’s happened.</p> <p>Use your list from step one to identify and prioritize the accounts that require an announcement. Finding the words can be difficult, so take your time and ask friends and family for help. Share only what you’re comfortable with and, if you’ve already made a decision, explain what will happen to each account moving forward. Give yourself a few hours, too, to answer questions and comments that may arise once you’ve made the announcement.</p> <h2 id="step-4-decide-what-to-do-with-the-remaining-accounts">Step 4: Decide what to do with the remaining accounts</h2> <p>If you weren’t given any instructions, or find that they only cover a subset of your loved one’s accounts, you’ll need to make some decisions on your own. Go through the accounts in priority order and consider the following actions:</p> <ul> <li>Do nothing (for now).</li> <li>Convert into a memorial account.</li> <li>Transfer account data.</li> <li>Transfer ownership.</li> <li>Close account.</li> </ul> <p>Can’t decide? Let’s go through each of the options in turn.</p> <h2 id="do-nothing-for-now">Do nothing (for now)</h2> <p>There may be some accounts that you want to leave untouched – at least for now. For example, the person who passed away might have had an IFTTT account filled with “recipes” that automate complex or time-consuming tasks. You wouldn’t want to edit or disable these recipes until you were absolutely sure how they worked and why they were originally created.</p> <p>Whatever you do, don’t rush into a decision. It’s better to wait and make a good one later.</p> <p>If you’re leaving an account up, you still have some work to do. First, you should add the account’s login credentials to a password manager like 1Password. 
It’ll make your life more convenient and serve as a backup to your loved one’s digital estate plan.</p> <p>Secondly, you should check if the password is strong and unique. If it’s not, swap it for one that is. You should then share the new password with anyone else who needs to access the account. A shared vault inside 1Password is a secure and convenient way to do this.</p> <p>Finally, update any payment details associated with the account. You don’t want to lose access because your loved one’s bank account has been deactivated or run out of funds.</p> <h2 id="convert-into-a-memorial-account">Convert into a memorial account</h2> <p>Some platforms, such as <a href="https://www.facebook.com/help/1017717331640041/?helpref=hc_fnav">Facebook</a> and <a href="https://help.instagram.com/contact/452224988254813">Instagram</a>, will give you the option to memorialize the account. Activating this will tweak the profile page so it’s clear the original owner has passed away. On Instagram, for instance, the word “Remembering” will appear next to the person’s name. It respectfully spreads the word that your loved one has passed away and ensures their posts remain accessible to the people they were originally shared with.</p> <h2 id="transfer-account-data">Transfer account data</h2> <p>Even with a password manager, it can be inconvenient to run someone else’s account. For example, it might be tied to a specific email address or phone number that you have to monitor for important account updates. Oftentimes, it will be simpler to transfer any valuable data to another account that you control.</p> <p>Let’s say your loved one had a Dropbox account. You could download the files to your computer or transfer them to your own cloud storage account. Moving the files would ensure that you don’t have to alternate between two accounts. 
It could also save you money, because it’s generally cheaper to pay for a single account with a higher storage cap than two accounts with lower storage limits.</p> <p>If you’re going to merge accounts this way, come up with a plan for separating and filtering the data. You could make a folder for the inherited data, for instance, or use file tags to keep everything organized and searchable.</p> <h2 id="transfer-ownership-to-someone-else">Transfer ownership to someone else</h2> <p>Sifting through your inherited estate plan, you might realize that some accounts would be better off in the hands of someone else. An Amazon account packed with Kindle ebooks could be perfect for a younger relative who loves reading, for instance. Similarly, you might know someone with a <a href="https://blog.1password.com/protect-gaming-accounts-scammers/">gaming</a> PC who would appreciate a levelled-up Fortnite account with lots of character skins.</p> <p>Use your best judgment. Before you donate an account, think about the original owner and what they would have wanted. Then, consider how other people might react to a new account owner. Few will notice or care if you hand over an account required to unlock an electric bicycle. But people might be upset if you donate a public-facing account – such as a YouTube channel or SoundCloud page – that has a large, established following.</p> <h2 id="close-the-account">Close the account</h2> <p>The fifth and final option is to close the account completely. Some will simply be redundant (if you already have a Netflix account, you likely don’t need another one). But think long and hard before closing one of your loved one’s accounts, because once it’s gone, it will be harder if not impossible to recover. If you’re not 100 percent sure, it’s best to leave it alone for now.</p> <h2 id="not-sure-what-to-do-ask-for-help">Not sure what to do? Ask for help.</h2> <p>If you’re struggling to make a decision, reach out for advice. 
Friends and family members might be more familiar with a particular app or website, as well as the ramifications of closing or transferring an account. If the original owner worked with an estate planning expert, such as <a href="https://trustandwill.com/">Trust &amp; Will</a> and <a href="https://www.willful.co/">Willful</a>, you can also reach out to them for advice.</p> <h2 id="step-5-regularly-review-your-digital-inheritance">Step 5: Regularly review your digital inheritance</h2> <p>Once you’ve addressed every account, set a reminder to check back in and review the ones that are still in your possession. You’ll want to see if any questions or comments have been left on their public-facing pages, for instance. Similarly, it’s worth looking at emails in case they’ve received any important messages related to their accounts.</p> <p>These check-ins are a good opportunity to reassess the status of each account, too. You might have left an account untouched, but find 12 months later that you’re ready to deactivate or memorialize it.</p> <h2 id="step-6-create-your-own-digital-estate-plan">Step 6: Create your own digital estate plan</h2> <p>If you don’t have one already, create your own digital estate plan. Putting one together will ensure that your loved ones don’t struggle to access your accounts after you’ve passed away. If you’re not sure where to begin, read our guide or contact an estate planning expert like Trust &amp; Will or Willful.</p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Get 25% off 1Password Families</h3> <p class="c-call-to-action-box__text"> Organize your digital estate plan with 1Password Families. Sign up now and get 25% off your first year. 
</p> <a href="https://start.1password.com/sign-up/family?c=1PBLOGS&amp;utm_medium=promo&amp;utm_source=blog&amp;utm_campaign=families" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Get 25% off </a> </div> </section></description></item><item><title>Cyber attacks: the risk your small business can't afford</title><link>https://blog.1password.com/small-talk-cyberattacks/</link><pubDate>Wed, 20 Oct 2021 00:00:00 +0000</pubDate><author>info@1password.com (Andrew Zangre)</author><guid>https://blog.1password.com/small-talk-cyberattacks/</guid><description> <img src='https://blog.1password.com/posts/2021/small-talk-cyberattacks/header.png' class='webfeedsFeaturedVisual' alt='Cyber attacks: the risk your small business can't afford' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">As we’ve all learned, often the hard way, amazing tech has introduced not-so-amazing risks: viruses, hacks, and leaks, to name a few. A <a href="https://blog.1password.com/data-breach-101-stay-safe-online/">data breach</a> or cyber attack can happen at any moment, to individuals or businesses of any size – and attackers do not discriminate.</p> <p>Many small and medium-sized businesses (<a href="https://blog.1password.com/small-talk-smb-recovery-journey/">SMBs</a>) may have the “it won’t happen to us” mentality. Smaller teams and tighter resources can lead to the indefinite delay of a security strategy, skipping over cyber insurance, and even a lack of awareness or response when attacks do happen.</p> <p>But as it turns out, SMBs are now targeted by <a href="https://markets.businessinsider.com/news/stocks/cybercriminals-narrow-their-focus-on-smbs-according-to-the-acronis-cyberthreats-report-mid-year-update-1030688981">70 percent of cyber attacks</a>, making them especially vulnerable. 
At the same time, a majority of small business owners say they <a href="https://www.cnbc.com/2021/08/10/main-street-overconfidence-small-businesses-dont-worry-about-hacking.html">aren’t concerned about a potential attack in the next 12 months</a>.</p> <p>To our friends in the SMB community, we want to offer a friendly nudge: You should prepare for anything, because an attack is something your growing business simply can’t afford. And improving your defenses can be as simple as managing your passwords better. (No, really!)</p> <h2 id="small-business-big-risks">Small business, big risks</h2> <p>A data breach can cost your business an average of $4.24 million, according to <a href="https://www.ibm.com/security/data-breach">IBM’s 2021 Cost of a Data Breach Report</a>.</p> <p>That’s a sizable hole to climb out of – and most SMBs simply aren’t able. Approximately 60 percent of hacked small and medium businesses <a href="https://www.inc.com/thomas-koulopoulos/the-biggest-risk-to-your-business-cant-be-eliminated-heres-how-you-can-survive-i.html">go out of business within 6 months of the incident</a>, with more folding at some point after or just never getting back to full health.</p> <p>Beyond the bottom line, cyber attacks pose a litany of risks for businesses and those involved with them:</p> <ul> <li>Computers and databases with years of hard work and invaluable data can be instantly wiped clean.</li> <li>Employees and even customers are susceptible to fraud, identity theft, and blackmail if personal details are exposed.</li> <li>News of a breach – with or without customer data involved – can do irreparable damage to brand image and trust.</li> </ul> <p>We understand the struggles of a growing business, and how difficult it can be to get buy-in toward an initiative like cybersecurity, let alone know where to start in doing it right. But for today’s businesses, the smallest incident can mean serious problems. 
So, like wearing a seatbelt or locking your doors, implementing security measures for your business is necessary to keep you, and your customers, safe.</p> <h2 id="playing-catch-up">Playing catch-up</h2> <p>The very definition of “work” was turned on its head in 2020, and hasn’t stopped changing. <a href="https://blog.1password.com/remote-work-tips/">Remote work</a> and hybrid work have businesses adjusting (and readjusting) their processes, policies, and org structures in real time.</p> <p>The mad scramble to keep employees engaged and productive caused <a href="https://www.techrepublic.com/article/companies-are-relaxing-cybersecurity-during-the-pandemic-to-boost-productivity/">46 percent of SMBs to relax their security protocols</a> during the pandemic. Employees and employers alike <a href="https://www.cpomagazine.com/cyber-security/most-employees-took-cybersecurity-shortcuts-during-the-remote-working-period-despite-understanding-the-risks/">took productivity shortcuts at the sacrifice of online safety</a>, even when aware of the risks. It’s been music to the cybercriminals' ears, with 2020 being a <a href="https://www.techrepublic.com/article/2020-sees-huge-increase-in-records-exposed-in-data-breaches/">record year for stolen records</a>.</p> <p>With so many smaller businesses just trying to stay afloat financially, and often operating at a loss, it’s understandable that tough choices need to be made. But too many growing companies are not giving security the attention it demands, or any at all – whether they don’t think it’s a priority, simply feel they aren’t at risk, or have tunnel vision toward productivity.</p> <p>But productivity and security don’t have to be mutually exclusive; on the contrary, improved security can actually boost productivity. As a smaller business, revamping your approach is far easier than for an enterprise, and there are cost-effective measures you can take to minimize your chances of a cyber attack. 
Now is the time to safeguard your data – the peace of mind will be worth more than you can measure.</p> <h2 id="the-easiest-security-measure-is-also-the-most-effective">The easiest security measure is also the most effective</h2> <p>Even the most seasoned IT pros can only do so much. The <a href="https://www.verizon.com/business/resources/reports/dbir/">largest cause of data breaches</a>, for any size business, is the “human element”; that is, employees using weak passwords, sharing data on unprotected channels, and so on.</p> <p>The right tools – with the right guidance – can make a major difference, and cultivate safer habits across your workforce. 1Password puts power in your employees’ hands to level-up their password game and be upstanding members in your <a href="https://1password.com/resources/culture-of-security/infographic-culture-of-security.pdf?utm_ref=resources">culture of security</a>. It also helps them share passwords and other sensitive data in the safest way possible. It’s the easiest, most cost-effective choice you can make to reduce your risk of a breach. It’s also the most secure; <a href="https://nymag.com/strategist/article/best-password-manager.html">just ask the experts</a>.</p> <p>What if a breach does happen, or your employees are using a site that’s been compromised? <a href="https://watchtower.1password.com/">1Password will notify you</a> so you can update those accounts ASAP, and render stolen information useless to whoever may have accessed it. Your IT team and employees can stay alert as well as protected, dousing security fires before they get out of control.</p> <p>1Password doesn’t just make life easier for IT, it also improves speed and collaboration across your organization. 
<a href="https://www.globenewswire.com/news-release/2020/10/01/2102242/0/en/New-LastPass-Report-Finds-92-Percent-of-Businesses-Believe-Going-Passwordless-is-the-Future-for-their-Organization.html">A majority of workers</a> are frustrated with remembering long passwords for all their accounts, and <a href="https://1password.com/resources/creating-a-culture-of-security/?utm_ref=resources">66 percent of employees reuse passwords</a> even when knowing the risks. With 1Password, employees not only make safer choices, but get precious time back in their workday and with fewer frustrations.</p> <p>As you do expand your business, 1Password is a reliable foundation on which to build. No need to reconfigure or upgrade, just keep adding seats when new employees join. And by making 1Password part of your onboarding, you’ll ensure it gets used and helps nurture mindful habits across your workforce.</p> <h2 id="introducing-small-talk-secure-and-scale-your-business">Introducing Small Talk: Secure and Scale Your Business</h2> <p>Your safety matters to your employees, your customers, and your company’s future. It also matters to us! We want to help keep you and your team safe, as well as optimize your business for the future.</p> <p>We’re excited to introduce our new content series called Small Talk: Secure and Scale Your Business. In this series geared toward small and medium-size businesses, we’ll discuss different topics that are relevant to the unique challenges and experiences of a growing business, through blogs, shareable reports, webinars, and more. Your security and growth are more intertwined than you might realize – we’re here to help connect the dots.</p> <p>1Password can help you improve your cybersecurity, productivity, collaboration, and resilience. A <a href="https://start.1password.com/sign-up/business?l=en">free trial of 1Password</a> can be an ideal starting point in your company’s next chapter. 
See why more than 100,000 businesses keep 1Password as a supporting character in their security and growth journey.</p> <p>Follow the <a href="https://blog.1password.com/">1Password blog</a>, as well as our <a href="https://twitter.com/1Password">Twitter</a>, to keep up with the Small Talk series, and then share whatever nuggets you find most relevant with your team. We’d love to hear your thoughts as well, and about what topics would be helpful in securing and scaling your business. Connect with us on Twitter or LinkedIn with any thoughts or questions, or just with a story about your business that may be valuable for someone out there. We hope this will strike up productive conversations and help your business thrive. Thanks for reading and we look forward to what’s coming!</p></description></item><item><title>Introducing 1Password University</title><link>https://blog.1password.com/introducing-1password-university/</link><pubDate>Tue, 19 Oct 2021 00:00:00 +0000</pubDate><author>info@1password.com (Jason Richards)</author><guid>https://blog.1password.com/introducing-1password-university/</guid><description> <img src='https://blog.1password.com/posts/2021/introducing-1password-university/header.svg' class='webfeedsFeaturedVisual' alt='Introducing 1Password University' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">We’re excited to announce the launch of our free online learning platform, designed to help anyone develop a deeper understanding of online security, privacy, and staying safe on the internet.</p> <p>As our lives become increasingly digital and cybersecurity threats become more prevalent, it’s never been more important for everyone to understand how to stay safe online. 
But with the flurry of services, technologies, and advice floating around out there, it can be difficult to know how to put it all together.</p> <p>That’s why we’ve created <a href="https://www.1password.university/learn/register">1Password University</a>: your one-stop destination for free, online security resources – made for everyone.</p> <h2 id="security-training-doesnt-have-to-be-boring">Security training doesn&rsquo;t have to be boring</h2> <p>From one convenient hub, you can access a wealth of knowledge ranging from 1Password-specific tips and tricks, to deeper dives into the fascinating world of IT security concepts. Learn how to make the most of your 1Password account’s features, find out how to build a culture of security in your workplace, or discover why re-using the same password across multiple accounts puts you at risk.</p> <img src='https://blog.1password.com/posts/2021/introducing-1password-university/homepage.png' alt='1Password University homepage.' title='1Password University homepage.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <h2 id="made-for-everyone">Made for everyone</h2> <p><a href="https://www.1password.university/learn/register">1Password University</a> will teach you how to navigate the landscape of apps, sites, and services we all rely on without giving up your private information or putting your data at risk.</p> <p>Best of all, you don’t have to be a security aficionado – or even a 1Password user! – to benefit; anyone can jump in and learn something new for free.</p> <p>Each course and learning path has been carefully crafted to help answer more than just the <em>what</em> and <em>how</em> of a concept; we believe it’s critical to address the <em>why</em> behind these ideas to help learners truly understand their value.</p> <p>If you already use 1Password (by yourself or with loved ones), you’ll find courses on how to make the most of your membership. 
Meanwhile, Business and Teams customers can use 1Password University as a free way to augment their workplace security training with courses for admins and team members alike.</p> <img src='https://blog.1password.com/posts/2021/introducing-1password-university/course-content.png' alt='Preview of content from one of the 1Password University courses.' title='Preview of content from one of the 1Password University courses.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <h2 id="take-a-peek-inside">Take a peek inside&hellip;</h2> <p>Here’s a look at a handful of the courses you can take in <a href="https://www.1password.university/learn/register">1Password University</a> today:</p> <p><strong>Getting started with 1Password.</strong> Learn how to sign up, set up your account password and <a href="https://support.1password.com/emergency-kit/">Emergency Kit</a>, download the apps and browser extensions, and start upgrading your security with unique passwords, 2-factor authentication, and biometric unlocking.</p> <p><strong>Security habits start at home.</strong> Help your family establish better online security habits. As more work, school, and life happens on the internet, it’s important to understand the risks and how to combat them. Discover how 1Password can help parents, couples, and caregivers protect their loved ones.</p> <p><strong>Go beyond logins in 1Password.</strong> There’s a lot more to 1Password than simply storing login credentials. Discover the other kinds of items you can keep in your vaults, and learn how to enrich your saved items with custom fields, tags, links, and more.</p> <p><strong>Implement <a href="https://1password.com/business/">1Password Business</a>.</strong> A guide for administrators looking to build a culture of security in the workplace. 
Learn best-practice tips for preparing your team, deploying 1Password effectively, and using the administrative tools at your disposal to support the rollout process.</p> <h2 id="growing-with-you">Growing with you</h2> <p>At 1Password, our mission has always been to help you stay protected, private, and productive online – whether you use 1Password or not. With the launch of 1Password University, we’re putting our 15 years of security expertise to work by creating fun, dynamic learning resources for people of all skill levels.</p> <p>And this is only the beginning.</p> <p>As we continue to build out the course catalogue, you’ll discover a growing collection of information ranging from the basics of passwords and security habits, all the way to advanced lessons about the more technical aspects of IT security, data privacy, and the technology behind it all.</p> <h2 id="get-started">Get started</h2> <p>Sign up for 1Password University today and start sharpening your security skills with free, expert-led courses made for everyone.</p> <p><a href="https://www.1password.university/learn/register">Get started →</a></p></description></item><item><title>How the 1Password Security team evaluates new tools</title><link>https://blog.1password.com/how-the-1password-security-team-evaluates-new-tools/</link><pubDate>Mon, 18 Oct 2021 00:00:00 +0000</pubDate><author>info@1password.com (Megan Barker)</author><guid>https://blog.1password.com/how-the-1password-security-team-evaluates-new-tools/</guid><description> <img src='https://blog.1password.com/img/headers/security-header.svg' class='webfeedsFeaturedVisual' alt='How the 1Password Security team evaluates new tools' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">The 1Password Security team is a crew of wonderful characters responsible for security, privacy, and compliance. 
We have three <em>very</em> high-level objectives:</p> <ul> <li>to keep customer data safe</li> <li>to keep company/employee data safe</li> <li>to keep the product safe</li> </ul> <p>And a lot of (slightly) smaller efforts go into meeting those larger goals. One important ongoing effort is the tool review, which is an in-depth analysis of a proposed app, tool, or service before it’s used internally. Today, I&rsquo;ll explore why we chose the tool review method, how we perform our reviews, and share a few things we’ve learned along the way.</p> <h2 id="why-we-chose-the-tool-review-method">Why we chose the tool review method</h2> <p>The in-depth review process isn&rsquo;t the only way to vet software. Some organizations submit a questionnaire to the developer; others choose their apps based upon reviews and industry recommendations. There’s also the blind faith approach (popular and not recommended).</p> <p>Back when 1Password was a small startup, we’d get excited to try the latest and greatest apps and services — we still do. But we quickly realized the new technology had access to information that was critical to us and our customers, and we needed to make sure we could trust it.</p> <p>Around the same time, team members from across the organization began to ask questions about the tools and services they wanted to use.</p> <blockquote> <p>“I want this third-party screenshot program but I don’t know if I can trust it or what to look for.”</p> </blockquote> <p>As a team, we knew we had to do something. We began to do general checks into the tools people wanted to use. After some trial and error, those general checks have evolved into a full tool review process.</p> <h2 id="how-we-perform-tool-reviews">How we perform tool reviews</h2> <p>When someone is interested in an app, tool, or service for themselves or their team, they file an issue in GitLab, our change control management software. 
Next, a member of the Security team gathers some information — in particular, we want to learn more about the sensitive data the tool will have access to. Once we have those details, we get to work.</p> <p>We start on the developer’s website. We look at readily-available documentation, like the privacy policy and terms of service. If we&rsquo;re lucky, they&rsquo;re easy to find, but often documents are scattered across the website (or websites, in some cases).</p> <p>We look for a contact — preferably someone in security or engineering — who can provide documents that often aren’t publicly available, like penetration test results and SOC 2 reports.</p> <p>In addition, we search the National Institute of Standards and Technology&rsquo;s (NIST) <a href="https://nvd.nist.gov/vuln">vulnerability database</a> and good ol’ Google for past security breaches and general security practices that have been documented about the vendor.</p> <p>If it&rsquo;s a server-based product with a cloud storage component, we also run specific tests like <a href="https://www.ssllabs.com/ssltest/">SSL Labs’ server test</a>, to help us make an independent judgment of the developer’s security efforts.</p> <p>We perform threat modelling on the tool to determine what technical controls are available to protect sensitive data — whatever that data may be. We also try to obtain a test or sandboxed account so we can determine best practices for our IT team.</p> <p>Once we&rsquo;re satisfied, the tool is approved for use. If the developer or tool doesn’t pass muster, we deny it, explain why, and try to offer a viable alternative.</p> <h2 id="what-weve-learned">What we&rsquo;ve learned</h2> <p>Our tool review process has certainly matured over the years. 
Along the way, we&rsquo;ve learned (and are still learning) what’s important.</p> <h2 id="ask-the-right-questions">Ask the right questions</h2> <p>When we first started to conduct tool reviews, the security analysts who completed the reviews also answered security questionnaires submitted by potential customers vetting 1Password for use within <em>their</em> organizations. This intersection permitted us a discovery we might never have made.</p> <p>Those security questionnaires didn’t ask the right questions.</p> <p>Often enough, questions were so generic, there was almost no way the answers could help the organizations better understand our security and privacy practices.</p> <p>One questionnaire we received listed nearly ten different questions about our loading docks. What kind of security lights are installed in the loading dock area? How many cameras are installed around the loading docks? What kind of locks are used?</p> <p>I feel like Captain Obvious here, but we make apps. We don’t have a warehouse or storage facility (or an office, for the most part). We don’t have loading docks, or anything even remotely similar to loading docks.</p> <p>Long story short, it’s important to ask relevant questions of the developer or service. If they create security software, perhaps ask specifics about who has access to production data. If it&rsquo;s a third-party content writing service, ask if they perform background checks on their freelancers.</p> <h2 id="perfection-is-rare">Perfection is rare</h2> <p>When we examine penetration tests and SOC reports, we look at the overall picture and don’t expect a squeaky-clean result. We’re interested in the severity of any discovered issues and, maybe even more importantly, how the developer responded to those discoveries.</p> <p>Did the company insist that the severe issue found during the pen test wasn’t a problem? Sometimes developers will take a defensive stance and deny issues instead of promising to fix them. 
If you see this happen, I&rsquo;d suggest moving on to another, comparable tool.</p> <h2 id="tool-reviews-for-all">Tool reviews for all</h2> <p>We’ve also learned our review method works outside the world of business. Anyone can search (good ol’ Google again) the name of a website/developer and the word “security” to check for past reports.</p> <p>Privacy policies are usually easy to find, since many jurisdictions require companies to publish one, so give the developer’s policy a skim before you use or download their product. If you can’t find their privacy policy, that’s typically a red flag.</p> <p>Make sure the software is configured correctly. Take the time to go through the security settings and turn off (or on) appropriate options.</p> <p>If the app stores data, consider the value of the information it will have access to. Do a bit of a risk assessment.</p> <p>We don’t expect the general public to perform deep analysis on every app they download, but it’s important that everyone knows what to look for, especially when they purchase software or services from unfamiliar sources.</p> <h2 id="final-thoughts">Final thoughts</h2> <p>We know we aren’t breaking new ground with our tool reviews. Maybe your company investigates potential apps and services the same way. If that’s the case, wonderful!</p> <p>What makes our reviews special, in my opinion, is the <em>real</em> reason we do them.</p> <p>From your Netflix password, to my salary, to plans for the next great feature, 1Password is responsible for the protection of countless secrets, yes. And we have objectives and goals and targets, yes. But for the <a href="https://1password.com/security/">1Password Security</a> team, it’s about more than responsibility and objectives — it’s about dedication; it&rsquo;s about passion.</p> <p>We believe safety comes before convenience. We maintain that everyone has the right to privacy. We value transparency.</p> <p>It’s a genuine desire to protect our product, our company, and our customers.</p></description></item><item><title>Psst! 
Now you can securely share 1Password items with anyone</title><link>https://blog.1password.com/psst-item-sharing/</link><pubDate>Tue, 12 Oct 2021 00:00:00 +0000</pubDate><author>info@1password.com (Akshay Bhargava)</author><guid>https://blog.1password.com/psst-item-sharing/</guid><description> <img src='https://blog.1password.com/posts/2021/psst-item-sharing/header.png' class='webfeedsFeaturedVisual' alt='Psst! Now you can securely share 1Password items with anyone' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">1Password customers can now securely share virtually anything in their 1Password vault with anyone – even if the recipient doesn’t use 1Password.</p> <div style="text-align: center !important;"> <iframe src="https://www.youtube-nocookie.com/embed/fgcDdxvyJPE" frameborder="0" allow="autoplay; encrypted-media" width="500px !important;" height="281px !important;" style="width: 500px !important; height: 281px !important; display: inline-block !important" allowfullscreen></iframe> </div> <p>Before I was Chief Product Officer at 1Password, I was a 1Password customer. Back then, I often shared items in my <a href="https://1password.com/resources/guides/create-and-manage-shared-vaults/">1Password vault</a> with friends and family who also use 1Password. I shared the Netflix login with my kids, I shared <a href="https://1password.com/features/secure-notes/">secure notes</a> about doctor’s visits and grocery lists with my wife, and I shared all kinds of things with my colleagues to get our work done securely.</p> <p>But sharing with anyone who doesn’t use 1Password wasn’t as easy. What if my in-laws came to visit and needed the Wi-Fi password? (They’re not 1Password customers, but rest assured, I’m working on that.) 
What if I needed to share a login with a contractor for a temporary project at work?</p> <p>Sure, I could copy those items from my 1Password vault and paste them somewhere: in an email, in a chat message. Or I could screenshot and send it as an image. Of course, doing so dramatically increases the risk that that data will be compromised in a breach.</p> <p>So we fixed that.</p> <p>Starting today, you can share virtually anything you have stored in 1Password with anyone.</p> <p>Yep, <em>anyone</em>.</p> <h2 id="no-more-copying-and-pasting">No more copying and pasting</h2> <img src='https://blog.1password.com/posts/2021/psst-item-sharing/Itemsharingdetails.png' alt='Entering recipient emails with 1Password item sharing' title='Entering recipient emails with 1Password item sharing' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>We call it Psst! (<a href="https://1password.com/features/secure-password-sharing/">Password secure sharing tool</a>). <a href="https://support.1password.com/cs/share-items/">Here&rsquo;s how it works</a>.</p> <p>Let’s say I want to share that Wi-Fi password with my in-laws. All I need to do is open the share menu and select “Share” to generate a link.</p> <p>By default, the link expires in seven days, but I can also choose to let it expire after 30 days, 14 days, one day, one hour, or after a single person views it. I can also choose to let anyone who has the link view the item, or I can restrict sharing to only the people whose email addresses I enter.</p> <p>Next, when I select “Get link to share,” I can send that link to my recipient(s) through any channel I choose. I can even share it directly through my operating system’s built-in share menu.</p> <p>To recap: I select “Share,” set my options, copy the link, and send it along. 
Simple as that!</p> <h2 id="how-to-view-a-shared-1password-item">How to view a shared 1Password item</h2> <img src='https://blog.1password.com/posts/2021/psst-item-sharing/Shareditemwebview.png' alt='Recipient web view of 1Password shared item' title='Recipient web view of 1Password shared item' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>When my recipient opens the link in their web browser, they’ll see one of two things. If I’ve allowed anyone to view the link, they’ll be taken directly to a web view of the shared item. If I’ve specified the people I want to share with, they’ll be asked to input their email address. When they do, they’ll receive an email with a one-time verification code.</p> <p>Once they paste that code into the required field, they’ll see the web view of the shared item exactly as it exists in 1Password. That means that if I’ve added extra fields – notes, security questions, or anything else – to an item containing a username and password, the recipient will also see those fields.</p> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div class="c-technical-aside-box__description"> <p>Want to stay secure online? Create a <a href="https://blog.1password.com/when-to-use-random-usernames-online/">random username</a> with 1Password&rsquo;s <a href="https://1password.com/username-generator/">Username Generator</a>!</p> </div> </aside> <p>If they’re signed into their own 1Password account, they’ll even have an option to save a copy of the item directly to one of their own vaults. And if they don’t have a 1Password account yet, they can sign up directly from the shared item page.</p> <p>(It’s important to note that when you share an item in 1Password in this way, you’re not sharing the original item itself. Instead, you’re sharing a copy – a snapshot of the item as it existed at the moment it was shared. 
That means if you share a password with a contractor, the contractor can only view the item <em>as it existed when you shared it</em>. If you change the password after you share it, the contractor will not see the updated item, only the original copy.)</p> <h2 id="complete-visibility-for-admins">Complete visibility for admins</h2> <img src='https://blog.1password.com/posts/2021/psst-item-sharing/Activitylogsharingdetails.png' alt='1Password Activity log item sharing details view ' title='1Password Activity log item sharing details view ' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>We know that when it comes to security, <a href="https://blog.1password.com/introducing-events-api/">visibility is critical</a>. So when your team shares a 1Password item with an external contractor, or when Marketing shares a login with Finance, you get the same visibility into those shared items that you get with anything else that happens inside 1Password.</p> <p>When you open the <a href="https://support.1password.com/activity-log/">Activity Log</a> as an admin or owner, you&rsquo;ll see shared items alongside all other account activity. When you open the Sharing Details section for an individual shared item, you&rsquo;ll see:</p> <ul> <li>The name of the shared item</li> <li>Who shared the item (along with their IP address)</li> <li>The date and time the item was shared</li> <li>When the shared link expires</li> <li>The email addresses of each recipient (if shared with specific people)</li> <li>How many times each recipient viewed the shared item (if shared with specific people)</li> <li>The IP addresses of the recipients who viewed the item</li> </ul> <p>As always, <a href="https://support.1password.com/share-items-security/">admins and owners are in complete control</a>.</p> <h2 id="making-the-secure-thing-to-do-the-easy-thing-to-do">Making the secure thing to do the easy thing to do</h2> <p>Why does all this matter? 
Why build the option to securely share a 1Password item with anyone? There are two answers to that question.</p> <p>First: because you asked for it. We&rsquo;ve been busy <a href="https://blog.1password.com/welcoming-linux-to-the-1password-family/">knocking out long-requested features</a> this year, and this is one of them. Not everyone in the world uses 1Password (we&rsquo;re working on that too!), so Psst! simply ensures that you can safely share items in your 1Password vault with anyone, whether they&rsquo;re a customer or not.</p> <p>Second: People are going to use channels like email, spreadsheets, and chat to share sensitive info. They already are.</p> <p>We know that at home and at work, people are sharing secrets like passwords and API keys through insecure methods. <a href="https://1password.com/resources/the-family-password-paradigm/">76 percent of families reported sharing passwords</a> insecurely by writing them down or sharing them in a chat or spreadsheet, for example.</p> <p>At work, the problem is compounded by the vast amounts of data at stake, but insecure sharing remains common. According to 1Password research, <a href="https://1password.com/resources/risks-of-mismanaging-corporate-secrets/">48% of companies use a shared document or spreadsheet to store and manage enterprise secrets</a>. 59% of workers share secrets over email. 81% of IT and DevOps workers (VP and above) reuse secrets between projects.</p> <p>So if we’re already using those channels to share sensitive items, let’s make it secure to do so. Let’s make the easy thing to do the secure thing to do.</p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Get the newest generation of the world&#39;s most-loved password manager</h3> <p class="c-call-to-action-box__text"> Securely share documents, files, logins, and anything else you've stored in 1Password with 1Password 8. 
</p> <a href="https://1password.com/downloads/?utm_ref=blog" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Download 1Password 8 </a> </div> </section></description></item><item><title>Making a difference this Thanksgiving</title><link>https://blog.1password.com/thanksgiving-2021/</link><pubDate>Mon, 11 Oct 2021 00:00:00 +0000</pubDate><author>info@1password.com (Marius Masalar)</author><guid>https://blog.1password.com/thanksgiving-2021/</guid><description> <img src='https://blog.1password.com/posts/2021/thanksgiving-2021/header.svg' class='webfeedsFeaturedVisual' alt='Making a difference this Thanksgiving' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Whether you’re spending time with family around the dinner table or on a video call, Thanksgiving is a time to reconnect with the people who matter most.</p> <p>While it hasn’t been the easiest year, now is a good time to reflect on what we’re grateful for. For you, it might be reuniting with loved ones (in-person or virtually), being in good health, and even simple things like that perfect slice of pumpkin pie. 
It’s an opportunity for us all to give thanks, but also to give back to our communities.</p> <p>Since Thanksgiving comes early here in Canada 🇨🇦, we&rsquo;re getting a head start on our efforts.</p> <h2 id="-giving-back">🌽 Giving Back</h2> <p>From now until November 25th, 1Password is donating $1 from every new 1Password Families sign-up to a few of our favourite causes:</p> <p><a href="https://secondharvest.ca/about/"><strong>Second Harvest</strong></a> is creating an efficient food recovery network, reducing the environmental impact of food waste while ensuring that everyone – regardless of their economic situation – is able to feed themselves and their family.</p> <p><a href="https://www.unitedway.ca/how-we-help/"><strong>United Way Centraide</strong></a> works across Canada to make change locally, creating opportunities for everyone in our communities to live a better life by reducing poverty, supporting children and youth, and building vibrant neighbourhoods.</p> <p><a href="https://foodbankscanada.ca/about-us/"><strong>Food Banks Canada</strong></a> helps those across Canada living with food insecurity by working to relieve hunger, strengthen local capacity, and reduce the need for food banks.</p> <h2 id="-making-a-difference">💝 Making a Difference</h2> <p>Last year, our customers helped raise $70,000 USD during our Thanksgiving campaign. It was one of many similar campaigns we ran as part of our ongoing <a href="https://blog.1password.com/1password-for-good/">1Password for Good</a> initiative.</p> <p>We were so blown away by your support that we decided to extend our sign-ups pledge until the end of the year. 
That turned into a $30,000 USD donation for two additional charities: <a href="https://www.ducks.ca/">Ducks Unlimited Canada</a>, which helps protect and restore wetlands, and <a href="https://kidshelpphone.ca/">Kids Help Phone</a>, a 24/7 service that offers professional counselling and support for young people in Canada.</p> <p>This year has continued to teach us that to protect the ones we love, we have to care for others too. It’s made us grateful for the little things that bring us together.</p> <p>If you’ve been considering 1Password Families, now is a great time to sign up for an account. Join us in helping thousands of families in need while protecting your loved ones online.</p> <p>With your help, we can make a difference this Thanksgiving.</p> <section class="c-call-to-action-box c-call-to-action-box--yellow"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Get started with 1Password Families</h3> <p class="c-call-to-action-box__text"> This Thanksgiving, we're donating $1 from every new 1Password Families sign-up from now until November 25th. Sign up now and enjoy 14 days free. 
</p> <a href="https://start.1password.com/sign-up/family?utm_campaign=thanksgiving2021" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--yellow" data-event-category="CTA" data-event-action="call-to-action-button"> Try 1Password </a> </div> </section></description></item><item><title>How to transfer crypto assets after you die</title><link>https://blog.1password.com/how-to-hand-over-cryptocurrency/</link><pubDate>Fri, 08 Oct 2021 00:00:00 +0000</pubDate><author>info@1password.com (Nick Summers)</author><guid>https://blog.1password.com/how-to-hand-over-cryptocurrency/</guid><description> <img src='https://blog.1password.com/posts/2021/how-to-hand-over-cryptocurrency/header.svg' class='webfeedsFeaturedVisual' alt='How to transfer crypto assets after you die' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">If you own any virtual currency, what will happen to it after you’ve passed away? Would your friends and family know what you owned? Or how to access the funds?</p> <p>If your answer to both of these questions is ‘no,’ consider <a href="https://blog.1password.com/digital-estate-planning-guide/">creating a handover plan</a>. Something your loved ones can follow without being crypto-experts or diving into unfamiliar message boards for assistance.</p> <p>Not sure where to begin? Just follow this guide.</p> <h2 id="hot-or-cold">Hot or cold?</h2> <p>First, understand what you’re trying to hand over. Access to cryptocurrency is managed in one of two ways: hot or cold wallets. Many people hear the term ‘wallet’ and believe their funds are held inside, but that’s not the case. A cryptocurrency wallet simply holds the private keys required to sign transactions that move assets on a blockchain. 
It’s the blockchain — a digital ledger held by many people, rather than a single entity — that verifies every transaction and keeps track of who owns what.</p> <p>So if you want to give someone your assets, first figure out how to give them your keys. The handover process will depend on the type of wallet or wallets you own.</p> <p>Hot wallets are software-based and typically connected to the internet. Third-party exchanges such as <a href="https://www.coinbase.com/">Coinbase</a>, <a href="https://www.kraken.com/">Kraken</a>, and <a href="https://www.gemini.com/">Gemini</a> fall into this category, as well as mainstream finance apps that support cryptocurrency like <a href="https://www.paypal.com/us/webapps/mpp/home">PayPal</a> and Square’s <a href="https://cash.app/">Cash App</a>.</p> <p>Cold wallets, meanwhile, have a physical component. The most popular resemble USB drives and can connect to your favorite devices directly or via Bluetooth. Most people believe they’re safer than hot wallets because your private keys – the bits you’re never supposed to share publicly – are always kept offline, where they’re harder for cybercriminals to steal.</p> <p>It might sound small, but this difference in key storage has a massive impact on how you can and should transfer ownership.</p> <p>Let’s start with software wallets.</p> <h2 id="hot-wallets">Hot wallets</h2> <p>The first step is to check whether your preferred exchange or wallet developer has published any guidance on <a href="https://blog.1password.com/digital-estate-planning-guide/">digital estate planning</a>. Some companies, including <a href="https://help.coinbase.com/en/coinbase/managing-my-account/other/how-do-i-gain-access-to-a-deceased-family-members-coinbase-account">Coinbase</a> and <a href="https://support.kraken.com/hc/en-us/articles/360031279771-Is-it-possible-to-set-a-beneficiary-or-nominee">Kraken</a>, have support pages that address the issue. If yours doesn’t, it’s a good idea to reach out and ask. 
The company might have a formal process that isn’t on their website, or they may require something you haven’t considered or prepared yet.</p> <p>Every exchange is different, but most take a similar stance. The ones we checked don’t have a menu or settings page where you can list a preferred inheritor. Instead, they expect your loved one to contact them and supply a number of documents. Coinbase, for example, will ask for:</p> <ul> <li>A death certificate</li> <li>A last will and testament, and/or probate documents</li> <li>Government-issued photo ID of the person or people named in the above documents</li> <li>A letter signed by the person or people named in the probate documents telling Coinbase what to do with the account balance</li> </ul> <p>The easiest way to prepare these documents is with an attorney or estate planning expert like <a href="https://www.willful.co/">Willful</a> or <a href="https://trustandwill.com/">Trust &amp; Will</a>. Together, you can also build a digital estate plan that covers all of your most important accounts, not just the ones related to virtual currencies.</p> <p>There is another way to transfer access, however: you could simply hand over the credentials required to log into your hot or cold wallet. Of course, then it’s on you to protect those credentials in a robust way.</p> <p>“We don’t recommend our users share sensitive information like their password and <a href="https://1password.com/features/two-factor-authentication/">two-factor authentication</a> with others as it may put their information and assets at risk,” a spokesperson for KuCoin explained. “However it’s worth noting that users have the final say on it, and we can hardly stop them if they insist on doing so.”</p> <p>The safest way to transfer access by sharing credentials is with a password manager like 1Password. 
Alternatively, you could write the credentials down and leave them in a personal safe alongside your traditional will, or with the person or company that manages your will.</p> <h2 id="cold-wallets">Cold wallets</h2> <p>Hardware wallets require a different approach because your private keys are stored offline, rather than on a remote server. No one can access them – not even the wallet’s manufacturer – unless they have physical access and know the credentials protecting both the device and your keys, or they hold the recovery phrase described below.</p> <p>That means you’re solely responsible for managing access and preparing for the handover.</p> <p>You’ll often be asked to create a PIN code while setting up your hardware wallet. It’s similar to the code that you might set up for your phone, debit, or credit card. In addition, you’ll have a recovery phrase – some companies call it a recovery code or seed – that is composed of random words. It’s used to recover your private key, and therefore your digital assets, in the event that your wallet is lost. Anyone who holds that phrase can restore the same keys on a fresh device, with no PIN and no access to the original hardware, so it deserves at least as much protection as the wallet itself.</p> <p>At minimum, you’ll need to hand over your recovery phrase, but we recommend adding the PIN code too, so your loved one doesn’t have to buy a new physical wallet.</p> <p>You should include them as part of your broader digital estate plan, if you have one. That might mean writing them into your will, which can be organized with an attorney or estate-planning expert, or sharing them via a password manager like 1Password.</p> <p>There’s one other way to transfer access – and it’s arguably the safest of them all. Trezor, which makes the One and Model T hardware wallets, offers a recovery option called <a href="https://trezor.io/shamir/">Shamir Backup</a>. It lets you create recovery ‘shares’ and dictate how many of them (the threshold) need to be combined in order to recover your seed, and with it your private keys. So if some shares are lost, your account can still be recovered as long as at least a threshold’s worth of them remain. 
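To make the threshold idea concrete, here is a small Shamir secret-sharing implementation added for this page. It is textbook Shamir over a prime field, not Trezor’s SLIP-39 Shamir Backup and not 1Password code; the prime, the (x, y) share format and the function names are this example’s own assumptions. It splits a constructed 32-byte seed into five shares with a threshold of three, recovers the seed from any three of them, and shows that two shares produce a wrong, random-looking value rather than a partial seed.

```python
"""Threshold secret sharing (Shamir) over a prime field.

Added for this page as a textbook illustration of the "k of n shares" idea;
it is not Trezor's SLIP-39 Shamir Backup and not 1Password code. The prime,
the (x, y) share format and the function names are this example's own choices.
"""
import secrets

# Mersenne prime 2**521 - 1: comfortably larger than a 32-byte seed plus the
# one-byte sentinel used below, so the whole seed is a single field element.
PRIME = 2**521 - 1


def _eval_poly(coeffs, x):
    """Evaluate the polynomial with these coefficients at x, mod PRIME (Horner)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret, threshold, count):
    """Split an integer secret into `count` shares; any `threshold` of them recover it."""
    if not 1 <= threshold <= count:
        raise ValueError("need 1 <= threshold <= count")
    if not 0 <= secret < PRIME:
        raise ValueError("secret must be a field element below PRIME")
    # Random polynomial of degree threshold-1 whose constant term is the secret.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    # x = 0 is never handed out: f(0) is the secret itself.
    return [(x, _eval_poly(coeffs, x)) for x in range(1, count + 1)]


def recover_secret(shares):
    """Lagrange-interpolate f(0) from (x, y) shares. Needs at least `threshold`
    distinct shares; with fewer, the result is a wrong, random-looking value,
    because Shamir carries no integrity check of its own."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        # Fermat inverse is valid because PRIME is prime and den != 0.
        total = (total + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return total


def split_seed(seed, threshold, count):
    """Byte-string front end: a leading 0x01 sentinel keeps leading zero bytes."""
    return split_secret(int.from_bytes(b"\x01" + seed, "big"), threshold, count)


def recover_seed(shares):
    """Inverse of split_seed; strips the sentinel and returns the seed bytes."""
    value = recover_secret(shares)
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if not raw or raw[0] != 0x01:
        raise ValueError("shares do not reconstruct a seed")
    return raw[1:]


if __name__ == "__main__":
    # Constructed sample: a random 32-byte seed standing in for a wallet's master secret.
    seed = secrets.token_bytes(32)
    # 3-of-5: e.g. spouse, attorney, password manager, and two other relatives.
    shares = split_seed(seed, threshold=3, count=5)
    assert recover_seed([shares[0], shares[2], shares[4]]) == seed
    assert recover_secret(shares[:2]) != int.from_bytes(b"\x01" + seed, "big")
    print("recovered from 3 of 5 shares; 2 shares gave a wrong value")
```

The security property sits in the random coefficients: every share is one point on a random polynomial of degree threshold minus one, so any set of fewer than threshold points fits a polynomial through every possible f(0) equally well. Note also that plain Shamir does not detect a wrong or tampered share, which is one reason real schemes such as SLIP-39 add checksums and word encodings around it.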
And if a hacker steals a single share, they won’t have enough information to pinch your keys or, by extension, your digital assets.</p> <p>If you go down this route, think long and hard about the ideal home for each share. You could give one to each of your family members, for instance. Or store one in a password manager like 1Password and another with your attorney or estate-planning expert. The choice is yours.</p> <h2 id="provide-context">Provide context</h2> <p>Drafting your will or storing your credentials in 1Password isn’t enough. Unless your loved one is an experienced cryptocurrency investor, they likely won’t know what to do with the information you leave them. Write a brief note that explains what you’re handing over and how it can be used to access your digital assets. If you’re a Coinbase user, explain how the site works and where to download the mobile app. If you own a <a href="https://www.ledger.com/">Ledger</a> or <a href="https://trezor.io/">Trezor</a> wallet, reveal its location and how to navigate the various menus.</p> <p>Then, give a brief rundown of your strategy. If you’ve invested in multiple cryptocoins, explain why. Do you think one has more potential than the others? And under what circumstances, if ever, were you planning to sell them? You should also explain your approach to wallets if you own more than one. Many people buy cryptocurrency through an exchange like Gemini, for example, before moving a portion to a hardware wallet for safe keeping.</p> <p>You can’t control what your loved ones will do with your assets. You can provide guidance, however, so they don’t lose them or do something they’ll later regret.</p> <h2 id="ask-the-right-people-for-help">Ask the right people for help</h2> <p>Your cryptocurrency holdings will likely change over time. You might buy a new hardware wallet, or open another hot wallet with an exchange that’s promising cheaper fees. 
It’s important, therefore, to come back every so often and think about what you need to change or add to your handover plan.</p> <p>It might also be worth having a ‘trial run’, so your loved one can familiarize themselves with the process and ask any questions that pop up.</p> <p>Finally, don’t be afraid to ask about your cryptocurrency handover – but it’s important to ask the right people. If you send a random tweet asking for help, you’re likely to attract cybercriminals who will offer bad advice and try to steal your assets. Instead, stick to two parties: the company behind your hardware or software wallet, and an expert in drafting wills and estate planning, like Trust &amp; Will or Willful.</p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Get 25% off 1Password Families</h3> <p class="c-call-to-action-box__text"> Organize your digital estate plan with 1Password Families. Sign up now and get 25% off your first year. 
</p> <a href="https://start.1password.com/sign-up/family?c=1PBLOGS&amp;utm_medium=promo&amp;utm_source=blog&amp;utm_campaign=families" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Get 25% off </a> </div> </section></description></item><item><title>1Password and SSO - a perfect match</title><link>https://blog.1password.com/1password-and-sso-a-perfect-match/</link><pubDate>Fri, 01 Oct 2021 00:00:00 +0000</pubDate><author>info@1password.com (Megan Barker)</author><guid>https://blog.1password.com/1password-and-sso-a-perfect-match/</guid><description> <img src='https://blog.1password.com/img/headers/security-header.svg' class='webfeedsFeaturedVisual' alt='1Password and SSO - a perfect match' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">We&rsquo;re often asked about single sign-on (SSO) solutions here at 1Password. We get questions like &lsquo;<em>Can</em> we use 1Password and SSO?&rsquo; and &lsquo;<em>Why</em> do we need 1Password if our organization uses SSO?&rsquo;</p> <p>I&rsquo;m about to cheat and answer (hopefully) every question at once: You absolutely can (and should) use 1Password alongside a <a href="https://1password.com/resources/guides/why-you-should-have-sso/">single sign-on</a> solution. Let&rsquo;s start with a brief overview of the fundamentals.</p> <p>SSO, identity and access management (IAM) solutions, and <a href="https://blog.1password.com/how-to-choose-a-good-password-manager-for-your-business/">password managers</a> are often conflated because they share a similar high-level premise: one login provides access to multiple accounts. While SSO and password managers aren&rsquo;t the same, they aren&rsquo;t mutually exclusive either.</p> <p>SSO solutions allow users to authenticate with one username and password and use the same login session to access other websites and services. 
1Password, at its core, is a <a href="https://1password.com/password-manager/">password manager</a> that allows users to securely store, fill, and share (if they choose) credentials, personal information, and documents.</p> <p>Now, let&rsquo;s explore all this in more depth.</p> <h2 id="cover-the-bases">Cover the bases</h2> <p>SSO and 1Password make a great team and, when they work together, they go a long way toward risk reduction.</p> <p>I&rsquo;m a sports fan, so let&rsquo;s use a fun (maybe) analogy since I seem to be well on my way to another post littered with figurative language.</p> <p>Imagine your roster is stacked. You won the draft lottery the previous year and signed the league&rsquo;s top center/quarterback (choose your own adventure here) in the off season. You have a big advantage, but you let your guard down and play loose. Before you know it, your opponent scores and you lose the game. If only you had that two-way offensive defenseman/attacking defender&hellip;</p> <p>The point of my colorful parallel is that, while your attack surface may be reduced when you use SSO - people will have fewer passwords - it&rsquo;s definitely still vulnerable. Particularly because <a href="https://blog.1password.com/challenges-of-shadow-it/">shadow IT is real.</a> Beyond the accounts ITOps <em>are</em> aware of lie many they know nothing about. But when 1Password is implemented alongside an SSO, the logins created outside the SSO - and the login <em>for</em> the SSO, for that matter - are much stronger.</p> <p>The strength (or entropy) of passwords doesn&rsquo;t increase magically, though. 1Password has a built-in <a href="https://blog.1password.com/a-smarter-password-generator/">Smart Password Generator</a> that automatically suggests passwords for new accounts as they&rsquo;re created. <a href="https://support.1password.com/generate-website-password/">It&rsquo;ll do the same for existing accounts</a>, too, if people want to strengthen current passwords. 
And, as we know, strong passwords used throughout an organization help guard against a variety of things, including brute-force and password reuse attacks.</p> <p>Apart from the automatic suggestion of complex and unique passwords, each password created by the generator is saved automatically — <a href="https://blog.1password.com/are-password-managers-safe/">safe and secure</a>. Ah, what a fantastic segue.</p> <h2 id="fill-the-gap">Fill the gap</h2> <p>There are fewer passwords for your team to manage with SSO, and the passwords people <em>do</em> have need to be stored properly. Which brings me to another question we receive quite often that I didn&rsquo;t mention at the beginning.</p> <blockquote> <p>&ldquo;Isn&rsquo;t the data saved in 1Password protected by only <em>one password</em>, just like SSO?&rdquo;</p> </blockquote> <p>No. Decryption of 1Password data requires a combination of the 1Password account password and <a href="https://support.1password.com/secret-key-security/">Secret Key</a>. The <a href="https://support.1password.com/secret-key/">Secret Key</a> is an effectively uncrackable, high-entropy secret generated when an account is created. Even if someone were to guess an account password, the data is inaccessible without the corresponding Secret Key.<em>**</em></p> <p>And 1Password security extends far beyond the encryption process. While <a href="https://watchtower.1password.com/">Watchtower</a> provides active protection, we&rsquo;ve added other features that help <a href="https://support.1password.com/1password-security/#features">prevent phishing, and protect from keyloggers and browser-based attacks.</a></p> <p>Every single thing saved in 1Password is secured the same way — including that SSO login. SSO wasn&rsquo;t built to secure the data in the session it provides access to. It just wasn&rsquo;t. 
As with any great partnership, though, the parties involved complement each other, and 1Password fills that space.</p> <h2 id="all-good-things">All good things</h2> <p>Single sign-on solutions do exactly what they were created to do - securely identify users to multiple websites with one login - wonderfully. But SSO as a whole is a bit of a one-trick pony. 1Password, however, is kind of a unicorn.</p> <p>Like a lot of password managers, 1Password allows people to safely store credentials, notes, and documents; generate secure passwords; and fill fields and forms with the information they&rsquo;ve stored. Those are just the basics.</p> <p>The SCIM bridge allows for easy deployment, permissions are highly customizable, and there&rsquo;s <a href="https://1password.com/products/secrets/">Secrets Automation</a>.</p> <p>But my favorite 1Password hallmark is its ability to follow me from one device to the next. I can generate a password on my MacBook Air, fill the password (that was saved automatically) on my iPhone a few minutes later, then find and edit the entry on my MacBook Pro or PC later in the day. The handoff process is always quick, seamless, and safe.</p> <p>1Password also acts as an authenticator for sites with two-factor authentication. And what&rsquo;s required by many SSO solutions? Two-factor authentication.</p> <h2 id="opposites-attract">Opposites attract&hellip;?</h2> <p>Now, as much as this post is <em>not</em> about competition, but cooperation, I&rsquo;d be remiss if I neglected to address how privacy is handled, since it&rsquo;s an area where SSO and 1Password overlap.</p> <p>When an item is stored in 1Password, there&rsquo;s no way for anyone, including those of us at 1Password, to know what the item is. And when you fill that item so you can log in to the most embarrassing fan site imaginable (choose your own adventure again), we don&rsquo;t know about it. 
The same can&rsquo;t be said for a single sign-on solution.</p> <p>SSO providers learn what you log in to and when. This may be fine for an organizational SSO - the company already knows what&rsquo;s in use - but it may not be the right call for absolutely everyone.</p> <p>Just something to consider if I still haven&rsquo;t swayed you from Camp Either/Or.</p> <h2 id="fully-compatible">Fully compatible</h2> <p>Even with the strength of a single sign-on solution in place, organizations have secrets. And 1Password is the best password manager to help create, manage, and protect those secrets.</p> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div class="c-technical-aside-box__description"> <p>Find out why 1Password is the best in the market with our <a href="https://1password.com/comparison/">password manager comparison</a>!</p> </div> </aside> <p>You may come across articles out there that pit SSO and password managers against one another, or try to convince people to use one solution or the other. Those posts are doing readers a disservice.</p> <p>SSO and password managers fill different roles. They work wonderfully together to mitigate risk, secure secrets, and provide versatility for many other business-related tasks. You don&rsquo;t need to - and, like I said before, shouldn&rsquo;t - choose between the two.</p> <p>They&rsquo;re a perfect match.</p> <p>** <em>An <strong>extremely</strong> condensed and simplified version. Please dive deeper in our <a href="https://1passwordstatic.com/files/security/1password-white-paper.pdf">white paper.</a></em></p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Create a secure username</h3> <p class="c-call-to-action-box__text"> Want to stay secure online? Create a random username with 1Password's free Username Generator! 
</p> <a href="https://1password.com/username-generator/" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Try 1Password&#39;s Username Generator </a> </div> </section></description></item><item><title>Protect your privacy with 1Password and Fastmail</title><link>https://blog.1password.com/fastmail-masked-email/</link><pubDate>Tue, 28 Sep 2021 00:00:00 +0000</pubDate><author>info@1password.com (Madeline Hanley)</author><guid>https://blog.1password.com/fastmail-masked-email/</guid><description> <img src='https://blog.1password.com/posts/2021/fastmail-integration/header.svg' class='webfeedsFeaturedVisual' alt='Protect your privacy with 1Password and Fastmail' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Last year, we made it easier to make secure payments online through direct integration with <a href="https://blog.1password.com/privacy-virtual-cards/">Privacy</a>. Now, we&rsquo;re doing the same for email. Announcing Masked Email – a 1Password and Fastmail integration. Create new, unique email addresses without ever leaving the sign-up page. 
Keep your <em>real</em> email address private from the apps or services that you sign up for – using a masked email address can protect you from breaches, and puts control of your inbox back in your hands.</p> <p>Taking control of your privacy and masking your email address is now as easy as generating a strong password.</p> <div style="text-align: center !important;"> <iframe src="https://www.youtube-nocookie.com/embed/AAs1OUuDLVs" frameborder="0" allow="autoplay; encrypted-media" width="500px !important;" height="281px !important;" style="width: 500px !important; height: 281px !important; display: inline-block !important" allowfullscreen></iframe> </div> <h2 id="1password-and-fastmail--a-privacy-focused-partnership">1Password and Fastmail – a privacy-focused partnership</h2> <p>At 1Password, we believe your data should be kept private and protected from prying eyes. Our friends at <a href="https://1password.com/fastmail/">Fastmail</a> wholeheartedly agree that <a href="https://blog.1password.com/how-reclaim-your-online-privacy/">privacy matters</a>, which is why we’re thrilled to integrate their privacy-focused email experience with 1Password.</p> <p>We’ve teamed up to create <a href="https://1password.com/fastmail/">Masked Email</a>, making it easier for you to separate your online identities and <a href="https://blog.1password.com/how-reclaim-your-online-privacy/">reclaim some of your online privacy</a>.</p> <h2 id="masked-email--protect-your-identity-online">Masked Email – protect your identity online</h2> <p>Whether you’re using 1Password on a desktop web browser, or with <a href="https://blog.1password.com/1password-for-safari/">Safari on iPhone</a>, Masked Email is now the best way to create unique email addresses on the fly.</p> <ul> <li><strong>Add an extra layer of security to all your accounts:</strong> Protect yourself from data breaches and spam with a unique email address for each account.</li> <li><strong>Easily create email addresses on the 
fly:</strong> When you’re asked to enter an email address, 1Password will show you an option to create a new email instead. Now, creating and managing unique email addresses for every login is as easy as generating a strong password.</li> <li><strong>Take control of your privacy:</strong> If you start receiving unwanted emails you can easily identify which services shared, leaked, or sold your email address. And, if you need to, you can simply switch it off from inside 1Password.</li> </ul> <img src='https://blog.1password.com/posts/2021/fastmail-integration/Blockincomingemails.png' alt='Block unwanted incoming emails with 1Password&#39;s Fastmail integration' title='Block unwanted incoming emails with 1Password&#39;s Fastmail integration' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>1Password syncs with Fastmail, so you receive mail at your new address right away.</p> <h2 id="getting-started">Getting started</h2> <p>The Masked Email integration is available globally to anyone with both a 1Password and a Fastmail account.</p> <ul> <li>New to 1Password? Get 25 percent off your first year of 1Password Families when you <a href="https://start.1password.com/sign-up/family?c=FASTMAIL&amp;utm_medium=promo&amp;utm_source=blog&amp;utm_campaign=maskedemail">create your account</a>.</li> <li>1Password customers new to Fastmail get 25 percent off their first year. Fastmail lets you create custom email aliases and reclaim your email privacy. <a href="https://www.fastmail.com/signup1password/">Get started at Fastmail.com</a>.</li> </ul> <p>And if you’re already a customer of both 1Password and Fastmail, then you can <a href="https://my.1password.com/integrations/fastmail/setup">connect your accounts</a> right now.</p> <p>Questions? 
<a href="https://support.1password.com/fastmail/">1Password Support</a> has the answers.</p> <p>Creating new email addresses has never been faster or more secure.</p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Get 25% off your first year of 1Password</h3> <p class="c-call-to-action-box__text"> To celebrate our partnership with Fastmail we’re offering new customers 25% off their first year of 1Password. Try the world’s most-loved password manager today. </p> <a href="https://start.1password.com/sign-up/family?c=FASTMAIL&amp;utm_medium=promo&amp;utm_source=blog&amp;utm_campaign=maskedemail" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Try 1Password today </a> </div> </section></description></item><item><title>How strong should your account password be? Here's what we learned</title><link>https://blog.1password.com/cracking-challenge-update/</link><pubDate>Mon, 27 Sep 2021 00:00:00 +0000</pubDate><author>info@1password.com (Jeffrey Goldberg)</author><guid>https://blog.1password.com/cracking-challenge-update/</guid><description> <img src='https://blog.1password.com/img/headers/security-header.svg' class='webfeedsFeaturedVisual' alt='How strong should your account password be? 
Here's what we learned' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">It&rsquo;s been a while since we ran our challenge, <a href="https://blog.1password.com/how-strong-should-your-master-password-be-for-world-password-day-wed-like-to-know/">How strong should your Master Password be?</a>, in which we gave out prizes to the first people who could figure out the passwords in carefully constructed challenges.</p> <p>The challenges were designed to simulate the threat to a user who has had their 1Password data stolen from their own machines (1Password data captured from our servers is protected by your <a href="https://support.1password.com/secret-key-security/">Secret Key</a> and so isn&rsquo;t subject to this sort of attack). After paying out a total of $30,720 USD, we have a better picture.</p> <p>The short answer is that it costs the <a href="https://1password.com/resources/how-passwords-are-cracked/">password cracker</a> about $6 USD for every 2³² (4.3 billion) guesses of a 1Password account password. An attacker, on average, only needs to try half of all the possible passwords, and had we not provided hints, it would have cost the attackers $4,300 USD to crack the three-word passwords in our challenge.</p> <p>This figure of $6 USD per 2³² guesses allows us to calculate the cracking costs for any known password strength. Given that passwords created by the <a href="https://1password.com/password-generator/">1Password password generator</a> have precisely known strengths – unlike human-created ones – we know a four-word password created by our generator would cost about $76 million USD to crack. A four-word password that uses one randomly capitalized word, and randomly chosen numbers as separators between the words, raises the cost to about $100 billion USD. 
There are more examples listed toward the end of this article.</p> <p>At the risk of tiresome repetition, let me repeat two important things:</p> <ol> <li>This kind of guessing attack is only possible if the attacker obtains your encrypted data from your device. Thanks to the <a href="https://support.1password.com/secret-key/">Secret Key</a>, what is stored on our servers cannot be attacked this way.</li> <li>The cracking cost is based on our use of 100,000 rounds of PBKDF2-H256 for processing account passwords. You shouldn&rsquo;t assume passwords used elsewhere are protected the same way.</li> </ol> <h2 id="setting-the-prize-wrong">Setting the prize (wrong)</h2> <p>I initially underestimated both the amount of effort needed to crack the passwords and the amount of prize money needed to incentivize serious attempts. This underestimation resulted in the need to double the initial prize offering twice, and share a few hints. This was good news, as it means that 1Password account passwords are well protected, even on the users' own devices. Again, this kind of guessing attack isn&rsquo;t possible for data captured from us, as your account password gets blended with your Secret Key by the 1Password app.</p> <p>My miscalculation did mean that the contest ran much longer than originally expected, and we ended up quadrupling the prizes. But this is excellent news. It means that good-enough account passwords are within human reach. The even better news is that the additional cost didn&rsquo;t come from my salary! Perhaps some day I&rsquo;ll go over exactly how I underestimated the cost of the project in a future, more technical blog post that covers the pricing of GPUs over the years, opportunity costs, and risk and uncertainty pricing. 
But don&rsquo;t hold your breath considering that what you are reading now is long delayed.</p> <h2 id="what-you-should-do">What you should do</h2> <p>Our general advice about account password choice hasn&rsquo;t changed, but I&rsquo;m repeating it here because your account password (along with our slow hashing) is your <em>only</em> defense if your 1Password data is captured from your own device. Neither two-factor authentication (2FA) nor your Secret Key can protect you in that particular case. Your Secret Key will protect you if data is stolen from us, but if data is stolen from your own system, we have to assume the attacker gets the Secret Key with it.</p> <p>How you balance these four key points with your specific needs, habits, and use cases is something you&rsquo;ll have to decide for yourself.</p> <h2 id="1-it-must-be-used-_only_-as-your-1password-account-password">1. It must be used <em>only</em> as your 1Password account password</h2> <p>In the small handful of cases where we learned that someone&rsquo;s 1Password data was compromised, we discovered that the victim reused their account password for a less secure service, or had deliberately shared their credentials with someone only to regret it later. You may, however, opt to use the same account passwords for multiple 1Password accounts.</p> <h2 id="2-it-should-be-the-strongest-that-you-can-reliably-and-comfortably-use">2. It should be the strongest that you can reliably and comfortably use</h2> <p>You need to find the balance that works for you. Your account password needs to be something that you can reliably use several times a day on multiple devices. Keep in mind that the more you use it, the easier it will become to type and remember. Even if you set up biometric unlock, 1Password will occasionally prompt you for your account password to ensure you don&rsquo;t forget it.</p> <h2 id="3-randomly-created-passwords-are-much-stronger-than-human-created-ones">3. 
Randomly created passwords are much stronger than human-created ones</h2> <p>I encourage you to use <a href="https://1password.com/password-generator/">our password generator</a> to create your account password. Even with the same requirements, human-created passwords are much easier for attackers to guess than randomly-created passwords.</p> <p>A human tasked with creating, say, a 10-character password with numbers and mixed-case letters is more likely to create a password like <code>Iloveyou12</code> than they are to create <code>Wa7RoWTC18</code>. Both meet the technical requirements, but humans do not pick uniformly from the set of about 420 quadrillion passwords that meet those requirements. That is, some of those 420 quadrillion passwords are more likely to be picked than others. A good <a href="https://1password.com/password-generator/">password generator</a> does pick uniformly, meaning that each of those 420 quadrillion ten-character passwords is as likely to be picked as any other. Attackers very much tune which guesses they try first based on their extensive knowledge of human password choice.</p> <p>There really is no comparison between generated passwords and human-created ones. Literally. 
We have no reliable way to determine how strong human-created passwords are, so we can&rsquo;t make a proper comparison between human-created ones and those created by our Strong Password Generator.<sup id="fnref:1"><a href="#fn:1" class="footnote-ref" role="doc-noteref">1</a></sup> What we do know is that human-created passwords do get successfully cracked, while machine-generated ones do not.</p> <p>Although I will continue to preach the virtues of generated account passwords, your account password must be something you can reliably and comfortably use.</p> <h2 id="4-have-a-backup">4. Have a backup</h2> <p>Print a paper copy of your <a href="https://support.1password.com/emergency-kit/">Emergency Kit</a>, record your password on the paper, and store it in a safe place. This is especially important after you&rsquo;ve created your account password or changed it.</p> <p>If you have a 1Password Families or <a href="https://1password.com/business/">1Password Business</a> membership, designated members of that account will be able to help you restore access to your data if you forget your account password or lose your Secret Key. If others in your family or team are relying on you to perform such a recovery, your Emergency Kit should be printed out and easily accessible in case of an emergency.</p> <h2 id="money-vs-time">Money vs. Time</h2> <p>What we&rsquo;ve learned through the cracking contest doesn&rsquo;t change our advice, but it does allow us to put a price on cracking account passwords. I want to emphasize that we are not talking in terms of how long it would take an attacker to crack a password, but instead in terms of how much it would cost them in computing resources. 
What might take weeks for some attackers would take years for others.</p> <p>Because one attacker might dedicate two GPUs for 16 weeks working on a 40-bit password, while another might dedicate eight GPUs over four weeks, a better representation of the work an attacker has to do is to put it in terms of money. We designed the cracking contest to find out how much effort it would take (while there was still some time pressure for them to do it).</p> <p>Instead of saying &ldquo;for a 40-bit password it is between four and 16 weeks depending on what hardware the attacker uses&rdquo;, we say &ldquo;for a 40-bit password, it takes about $770 USD of effort in capital costs and running costs&rdquo;. Each additional bit doubles the cost, so if 40 bits takes $770 USD of effort, then 41 bits requires twice that, around $1,500 USD of effort; and 42 bits would double that again to about $3,000 USD.</p> <p>Our contest was also designed to be hard enough to attract experts. Experts have the tools, experience, and knowledge to crack things most efficiently. Some people new to password cracking vastly overestimated how much it would cost because they were looking at approaches that experts wouldn&rsquo;t use.</p> <p>So, with our figure of $6 USD for 2³² guesses given the password hashing scheme we use (100,000 iterations of PBKDF2-H256), I present the following table.</p> <h2 id="cracking-cost-for-different-generation-schemes">Cracking cost for different generation schemes</h2> <p>One of the very cool things about <a href="https://1password.com/password-generator/">our password generator</a> is that we can compute the strength of a generated password precisely from the settings given to the generator. Unlike human-created passwords, we don&rsquo;t have to look at the actual password and make estimates. 
If we combine the strength with our estimated cracking cost of $6 USD for every 2³² guesses, we can look at how different kinds of passwords from our generator would fare under the attack conditions from the contest.</p> <p>The column headed &ldquo;generator settings&rdquo; describes the instructions to our password generator, though not all of these options may be available to users in all 1Password clients.</p> <ul> <li>Wordlist (labeled &ldquo;word&rdquo;) passwords. These are made up of words picked randomly from a list of about 18,000 English language words less than nine characters long. These can have a constant separator between words, randomly chosen digits, or randomly chosen digits and symbols. One word may be randomly chosen to be made uppercase.</li> <li>Default <a href="https://blog.1password.com/a-smarter-password-generator/">Smart password</a>. These are like the wordlist passwords, but instead of English words they use groups of three letters. One of the five groups is capitalized, and the groups are separated by digits and symbols. There are about 9650 possible groups.</li> <li>Character (labeled &ldquo;char&rdquo;) passwords. These are made up of things like letters and digits. They may be lowercase only, require uppercase letters, or require digits.</li> </ul> <p>Note, as always, that human-created passwords will be far weaker than those created by our password generator. 
What we list here are the strengths of generated passwords.</p> <div class="table-overflow"> <table> <thead> <tr> <th style="text-align:left">Generator settings</th> <th style="text-align:right">Bits</th> <th style="text-align:right">Cost (USD)</th> <th style="text-align:left">Example</th> </tr> </thead> <tbody> <tr> <td style="text-align:left">3 word, constant separator</td> <td style="text-align:right">42.45</td> <td style="text-align:right">4,200</td> <td style="text-align:left"><code>prithee-insured-buoyant</code></td> </tr> <tr> <td style="text-align:left">8 char, uppercase, lowercase, digits</td> <td style="text-align:right">45.62</td> <td style="text-align:right">38,000</td> <td style="text-align:left"><code>8NhJqHPY</code></td> </tr> <tr> <td style="text-align:left">3 word, digit separator</td> <td style="text-align:right">48.06</td> <td style="text-align:right">200,000</td> <td style="text-align:left"><code>swatch2forte1dill</code></td> </tr> <tr> <td style="text-align:left">9 char, uppercase, lowercase, digits</td> <td style="text-align:right">51.51</td> <td style="text-align:right">2,200,000</td> <td style="text-align:left"><code>siFc96vGw</code></td> </tr> <tr> <td style="text-align:left">4 word, constant separator</td> <td style="text-align:right">56.60</td> <td style="text-align:right">76,000,000</td> <td style="text-align:left"><code>align-caught-boycott-delete</code></td> </tr> <tr> <td style="text-align:left">10 char, uppercase, lowercase, digits</td> <td style="text-align:right">57.37</td> <td style="text-align:right">130,000,000</td> <td style="text-align:left"><code>rmrgKDAyeY</code></td> </tr> <tr> <td style="text-align:left">4 word, constant separator, capitalize one</td> <td style="text-align:right">58.60</td> <td style="text-align:right">310,000,000</td> <td style="text-align:left"><code>purdue-fondue-mull-SAUL</code></td> </tr> <tr> <td style="text-align:left">4 word, digit separator, capitalize one</td> <td 
style="text-align:right">67.02</td> <td style="text-align:right">100 billion</td> <td style="text-align:left"><code>thesis7wizen9eclipse2BOATMEN</code></td> </tr> <tr> <td style="text-align:left">12 char, uppercase, lowercase</td> <td style="text-align:right">67.02</td> <td style="text-align:right">100 billion</td> <td style="text-align:left"><code>fFgJxymYEsJak</code></td> </tr> <tr> <td style="text-align:left">5 word, constant separator</td> <td style="text-align:right">70.75</td> <td style="text-align:right">1.4 trillion</td> <td style="text-align:left"><code>passion-ken-omit-verso-tortoise</code></td> </tr> <tr> <td style="text-align:left">5 words, constant separator, capitalize one</td> <td style="text-align:right">73.07</td> <td style="text-align:right">6.9 trillion</td> <td style="text-align:left"><code>lady-chaise-PRISONER-mae-pocosin</code></td> </tr> <tr> <td style="text-align:left">Smart password</td> <td style="text-align:right">84.20</td> <td style="text-align:right">16 quadrillion</td> <td style="text-align:left"><code>kqh*jtg!vzk8CPR4zfe</code></td> </tr> </tbody> </table> </div> <p>Keep in mind that the costs are in terms of dedicated effort to break your password. A cost of $4,200 USD (a three-word generated password with a constant separator)<sup id="fnref:2"><a href="#fn:2" class="footnote-ref" role="doc-noteref">2</a></sup> may be a sufficient deterrent even if you have much more than that in value in your data. This is because an attacker may have more attractive opportunities for the same amount of effort.</p> <p>But if you think you&rsquo;re likely to be specifically targeted, then $4,200 USD may not be enough for your needs. 
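</p> <p>The bit-to-cost arithmetic and the wordlist strengths above, worked through as an added Python example that is not part of the original post. It assumes the post's figure of about $6 USD per 2³² guesses, a list of about 18,000 words (the exact list is not on the page), and that an attacker on average searches half the space before succeeding, which is the assumption that reproduces the table's costs; digit and symbol separators are left out because the page does not give their alphabet.</p>

```python
import math

# Figures stated in the post (this is an added example, not the post's own code):
# the contest data put cracking cost at about $6 USD per 2^32 guesses.
USD_PER_BLOCK = 6.0
GUESSES_PER_BLOCK = 2 ** 32

# Assumption, labelled: the post says the wordlist has "about 18,000" words.
# The exact list is not on the page, so computed bits land within ~0.1 of the table.
DEFAULT_LIST_SIZE = 18_000


def wordlist_bits(words: int, list_size: int = DEFAULT_LIST_SIZE,
                  capitalize_one: bool = False) -> float:
    """Bits of strength for a wordlist password with a constant separator.

    Each word is an independent uniform pick from the list, so the words
    contribute words * log2(list_size). Picking one of the words at random to
    uppercase multiplies the space by `words`, i.e. adds log2(words) bits.
    Digit/symbol separators are not modelled: the page gives the resulting
    bits for them but not the separator alphabet.
    """
    bits = words * math.log2(list_size)
    if capitalize_one:
        bits += math.log2(words)
    return bits


def bits_to_cost_usd(bits: float) -> float:
    """Expected cracking cost in USD for a uniformly random secret of `bits` bits.

    Assumption (it is what reproduces the table): the attacker on average has
    to try half the space before hitting the right guess, so
    expected guesses = 2**bits / 2, priced at $6 per 2**32 guesses.
    """
    expected_guesses = 2.0 ** bits / 2.0
    return expected_guesses / GUESSES_PER_BLOCK * USD_PER_BLOCK


def words_for_cost(target_usd: float, list_size: int = DEFAULT_LIST_SIZE,
                   capitalize_one: bool = False, max_words: int = 20):
    """Smallest number of words whose expected cracking cost reaches target_usd.

    Returns None if even `max_words` words are not enough.
    """
    for words in range(1, max_words + 1):
        bits = wordlist_bits(words, list_size, capitalize_one)
        if bits_to_cost_usd(bits) >= target_usd:
            return words
    return None


def cost_table():
    """Rows (label, bits, USD) mirroring the post's table for the settings modelled here."""
    settings = [
        ("3 word, constant separator", 3, False),
        ("4 word, constant separator", 4, False),
        ("4 word, constant separator, capitalize one", 4, True),
        ("5 word, constant separator", 5, False),
        ("5 word, constant separator, capitalize one", 5, True),
    ]
    rows = []
    for label, words, cap in settings:
        bits = wordlist_bits(words, capitalize_one=cap)
        rows.append((label, round(bits, 2), bits_to_cost_usd(bits)))
    return rows


if __name__ == "__main__":
    for label, bits, usd in cost_table():
        print(f"{label:45s} {bits:6.2f} bits  ~${usd:,.0f}")
    # Sizing question the post's table answers: how many words before a
    # dedicated $1,000,000 effort is expected to fail? (constant separator)
    print("words needed for a $1,000,000 expected cost:", words_for_cost(1_000_000))
```

<p>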
Changing to three words with digit separators ($230,000 USD) or four words ($76 million USD with constant separator, $26 billion USD with digit separator) is going to mean that an attacker is going to either give up or find cheaper ways (such as compromising your devices) than trying to crack your account password.</p> <p>Maybe the wordlist-based passwords aren&rsquo;t your thing. If their added length isn&rsquo;t worth the improved memorability, then consider generated character passwords. You can get the same strength with much shorter passwords as long as these are generated in a truly random fashion. One thing I&rsquo;ve learned since we introduced the wordlist passwords is that some people love them and some people hate them.</p> <h2 id="the-winners">The winners</h2> <p>The first-place winners identified themselves as they are known in the password cracking community: s3inlc, winxp5421, blazer, and hops.</p> <p>They expanded their team when they went after the second- and third-place prizes. I, along with some colleagues, had the pleasure of meeting many of them at PasswordsCon in November 2018. Indeed, they used some of their winnings to make the trip to PasswordsCon.</p> <h2 id="resources">Resources</h2> <p>All of the computations from bits to costs are in the <a href="https://github.com/agilebits/crackme/tree/master/doc/Costs">docs/Costs</a> folder of the GitHub <a href="https://github.com/agilebits/crackme">repository for the contest</a>. That repository also contains all of the technical artifacts for the contest.</p> <p>We also offer a <a href="https://blog.1password.com/files/cracking-update/pwd_costs.csv">CSV file</a> containing bit strength for various password generation settings with our password generator. 
For guidance on what the column headers mean, see the <a href="https://github.com/agilebits/crackme/blob/master/doc/Costs/costs.Rmd">R Markdown source</a> in the GitHub repository.</p> <p>There are <a href="https://github.com/agilebits/crackme/blob/master/doc/PasswordsCon2020.pdf">slides</a> and <a href="https://youtu.be/2NJVhY0Z3ac">video</a> for my 2020 PasswordsCon presentation about this contest.</p> <p>Please join the <a href="https://1password.community/discussion/123369/1password-cracking-challenge-results">discussion on our forum</a>. There is a great deal more to say about this than can fit into this long-delayed blog post.</p> <h2 id="timeline">Timeline</h2> <p>If you want to feel like you were there as this progressed, it would be best to <a href="https://1password.community/discussion/89318/world-password-day-cracking-challenge">read the discussions as they were happening</a> on our forum, but I will give an abbreviated timeline here:</p> <dl> <dt>April 23, 2018</dt> <dd>Contest first announced in <a href="https://blog.1password.com/how-strong-should-your-master-password-be-for-world-password-day-wed-like-to-know/">How strong should your Master Password be?</a>.</dd> <dt>April 23, 2018</dt> <dd>Published <a href="https://github.com/agilebits/crackme">contest resources</a> on GitHub, including the source code for how the challenges would be generated along with samples that people could test.</dd> <dt>April 27</dt> <dd>Bugcrowd enrollment opened up.</dd> <dt>May 2</dt> <dd>Challenges generated. PGP signatures (signatures only) of challenges and solutions published.</dd> <dt>May 3</dt> <dd>Challenges published: The race begins.</dd> <dt>May 10–16</dt> <dd>It became clear that the participants we were hearing from were only managing about 250,000 guesses per second, and so the contest as originally stated was too hard for the prizes offered. 
Internally, we decided that if there were no winners by mid-June we would double the prizes.</dd> <dt>June 16</dt> <dd>We <a href="https://1password.community/discussion/comment/441734/#Comment_441734">doubled the prizes</a>.</dd> <dt>July 2</dt> <dd>Opened discussion on <a href="https://1password.community/discussion/comment/446813/#Comment_446813">offering hints</a>.</dd> <dt>July 26</dt> <dd><a href="https://1password.community/discussion/comment/451417/#Comment_451417">Redoubled prize offerings</a>. Committed to giving away more than $30,000 USD.</dd> <dt>August 5</dt> <dd>Published <a href="https://1password.community/discussion/comment/453158/#Comment_453158">hint creation scheme</a>.</dd> <dt>August 23</dt> <dd>First <a href="https://1password.community/discussion/comment/456578/#Comment_456578">hints go live</a>.</dd> <dt>Late August – mid September</dt> <dd>By this time, we already had a fair sense of cracking costs. Public discussion of incentives helped us understand that our incentives, even with the first hint, were too low.</dd> <dt>September 25</dt> <dd>Second <a href="https://1password.community/discussion/comment/462767/#Comment_462767">hint published</a>. Cracking is now four times easier than the original challenge and the prizes are four times the initial offering.</dd> <dt>October 14, 6:10 UTC</dt> <dd><a href="https://1password.community/discussion/comment/468110/#Comment_468110">First winning solution</a>.</dd> <dt>October 22</dt> <dd>First data-driven <a href="https://1password.community/discussion/comment/470503/#Comment_470503">estimate of cracking costs</a> of approximately $6 USD for 2³² guesses. 
(Subsequent data from later wins merely increased confidence in this estimate.)</dd> <dt>November 7</dt> <dd><a href="https://1password.community/discussion/comment/473157/#Comment_473157">Second win</a>.</dd> <dt>November 11</dt> <dd><a href="https://1password.community/discussion/comment/473157/#Comment_473157">Third win</a>.</dd> <dt>Mid November</dt> <dd>The team that won the first three prizes volunteered to leave the fourth prize to other competitors.</dd> <dt>January 14, 2019</dt> <dd><a href="https://1password.community/discussion/comment/493866/#Comment_493866">Final winners</a>. These winners had a different setup than the other winners, but the report of their work was consistent with our earlier cost estimate.</dd> <dt>February 2019</dt> <dd>I start working on this blog post. By May 2019, the blog post is &ldquo;90% done&rdquo;.</dd> <dt>Today</dt> <dd>This blog post is done.</dd> </dl> <section class="footnotes" role="doc-endnotes"> <hr> <ol> <li id="fn:1" role="doc-endnote"> <p>The astute reader may have noticed that I&rsquo;ve just dumped on our password strength meter. The truth of the matter is that while there is no reliable way to guess at the strength of a human-created password, some ways of estimating strength are better than others, and even if unreliable, these <a href="https://www.microsoft.com/en-us/research/publication/does-my-password-go-up-to-eleven-the-impact-of-password-meters-on-password-selection/">are useful guides</a> that help people pick better passwords.&#160;<a href="#fnref:1" class="footnote-backref" role="doc-backlink">&#x21a9;&#xfe0e;</a></p> </li> <li id="fn:2" role="doc-endnote"> <p>When talking about the contest challenge, I said that the cost was $4,300 USD, and now I say that it&rsquo;s $4,200 USD. This is because our wordlist has shed a few words over the past few years, and so a three-word password generated in 2018 is a fraction of a bit stronger than one generated today. 
We have more than made up for this by enabling randomly chosen digit and symbol separators between words and allowing one random word to be capitalized.&#160;<a href="#fnref:2" class="footnote-backref" role="doc-backlink">&#x21a9;&#xfe0e;</a></p> </li> </ol> </section></description></item><item><title>Keeping you at the center of 1Password</title><link>https://blog.1password.com/ux-keeping-you-at-the-center/</link><pubDate>Tue, 21 Sep 2021 00:00:00 +0000</pubDate><author>info@1password.com (Samaher Ramzan)</author><guid>https://blog.1password.com/ux-keeping-you-at-the-center/</guid><description> <img src='https://blog.1password.com/posts/2021/ux-keeping-you-at-the-center/header.svg' class='webfeedsFeaturedVisual' alt='Keeping you at the center of 1Password' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">At 1Password, we’re committed to a customer-first, human-centered approach to inform our product roadmap and create award-winning experiences our users love.</p> <p>That commitment starts with a genuine curiosity about how and why people use our password manager. We need to understand our customers’ goals, needs and wants before we can improve the product and make a positive impact in their lives.</p> <p>When and how do people use 1Password? What problem is it solving for them? How can we make this experience better without making any compromises on our core values of security and privacy?</p> <p>To answer these questions we need research. User experience research.</p> <h2 id="what-is-user-experience-research">What is user experience research?</h2> <p>User experience research is an essential part of any product development process. It involves making structured, deliberate efforts to understand current and potential customers and their experiences. Product teams use these insights to make smarter decisions and design solutions with customer needs in mind. 
This results in the creation of inclusive, human-centered experiences, reduced uncertainty and lower development costs.</p> <p>In a nutshell, UX research involves defining a problem, forming good questions, gathering evidence and synthesizing findings into actionable insights which teams can implement.</p> <h2 id="how-we-do-it-at-1password">How we do it at 1Password</h2> <p>The insights gained from my work as a UX researcher empower teams to make informed decisions and increase compassion for our users. With any research study, I begin by understanding the questions we have, our hypotheses and assumptions, as well as any decisions we need to make at the end. From there, I set goals and objectives for the study.</p> <p>Next, I determine the scope, timeline and budget. With an understanding of these key ingredients, I can narrow down the study and choose the right approach. The correct method will depend on the nature of the question and when it came up in the design and development process.</p> <p>Are we looking to explore a new problem or direction? Are we looking to inform and improve designs? Or are we trying to evaluate and measure the performance of a design? These are a few questions I ask myself while creating a research plan. Common methods include interviews, usability testing, workshops, and surveys.</p> <p>In a recent study, I ran research sessions with people over a video call to evaluate their experience interacting with a new design concept. In these sessions, I asked designers and developers to observe and capture anything they found interesting. 
After going through our notes we summarized the findings into actionable takeaways so the team had a clear strategy and direction going forward.</p> <img src='https://blog.1password.com/posts/2021/ux-keeping-you-at-the-center/UX-research-process.png' alt='Five key steps of any user experience research study' title='Five key steps of any user experience research study' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <h2 id="user-experience-research-is-a-team-sport">User experience research is a team sport</h2> <p>As a researcher, I love learning and creating opportunities for my team to learn with me. I do this by involving different team members in research activities. I also look to our customer-facing and data teams to further understand how and why people use our products.</p> <blockquote> <p><em>“UX research at 1Password is not only a known necessary partner to design and product &ndash; it&rsquo;s also a wealth for business opportunities and a boon to internal knowledge sharing. Their expertise in uncovering actionable insights has made it so much easier to design with clarity and certainty for our customers' experience and needs.” – Patricia Puno, Senior Product Designer</em></p> </blockquote> <p>It’s incredibly important for us to have this cross-team collaboration to understand a problem from different angles. Regularly connecting with our excellent customer support, success and data teams is one of my favourite ways to uncover issues and opportunities.</p> <p>I will often sit in on customer calls to learn about any questions they have and issues encountered while setting up their account. I also design workshops to brainstorm and identify key themes with our customer-facing teams. 
These conversations can provide a ton of insight into a particular problem.</p> <h2 id="life-as-a-ux-researcher-at-1password">Life as a UX Researcher at 1Password</h2> <p>I’ve been at 1Password for over a year, but it never ceases to amaze me the extent to which everyone cares about our customers. For me, this makes being a UX researcher that much more meaningful. It’s an exciting time to be a UX researcher here as we celebrate a growing team, with challenging problems to explore and new discoveries to make, all the while developing the practice of UX research itself.</p> <p>It&rsquo;s important for me to have a pragmatic approach to investigating problems and user needs. People trust 1Password with their data, care deeply about their privacy and security, and want to feel like 1Password was designed with them in mind. One of my biggest responsibilities as a UX researcher is guiding our product teams to design for real people. I accomplish this by incorporating two key elements in my work: privacy and inclusivity.</p> <h2 id="privacy-driven">Privacy driven</h2> <p>At 1Password, every decision is made with our customers' privacy and security in mind. In a previous post we explained <a href="https://blog.1password.com/what-we-dont-know-about-you/">what we do and don’t know about our customers</a>. Alongside a pragmatic approach, I carefully consider how to protect participants’ identities throughout the research process and when communicating insights with team members. I also work with our wonderful security and IT teams to rigorously review new UX research tools. We never do anything that impacts our commitment to customer privacy and security.</p> <h2 id="inclusive-research">Inclusive research</h2> <p>&lsquo;Whose voice are we missing?&rsquo; is a question I often ask myself. 
This ensures I’m always thinking about people who may not be represented and consider how I can reach out and include them so they’re able to shape the future of our products.</p> <p>Another important aspect is to prevent our team’s own biases from finding their way into the research. One way this is addressed is by proactively writing out any biases we may have before conducting studies. Highlighting biases and assumptions early on in the process ensures we aren’t conducting research to confirm our own biases.</p> <h2 id="become-our-partner-">Become our partner ❤️</h2> <p>People who use 1Password are our partners. We are designing for you and therefore want you to continue to be a part of our process. I want to learn from you, your needs and your goals. I want to hear all of your feedback and deep dive into how we can make 1Password better.</p> <p>Please <a href="https://docs.google.com/forms/d/e/1FAIpQLSdnk0yhhEAit70517xZAF8JllXo14EkYsGxctA5lr4VyiaTQg/viewform">sign up here</a> if you would like to get involved with our upcoming research studies. And if you have any questions, you can email us at any time using <a href="mailto:support@1password.com">support@1password.com</a>.</p></description></item><item><title>1Password for Safari is here for iOS 15, and it's life-changing</title><link>https://blog.1password.com/1password-for-safari/</link><pubDate>Mon, 20 Sep 2021 00:00:00 +0000</pubDate><author>info@1password.com (Andrew Beyer)</author><guid>https://blog.1password.com/1password-for-safari/</guid><description> <img src='https://blog.1password.com/posts/2021/1password-for-safari/header.png' class='webfeedsFeaturedVisual' alt='1Password for Safari is here for iOS 15, and it's life-changing' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Everything you love about 1Password is now available in Safari on iPhone and iPad. 
And it’s as incredible as you could possibly imagine.</p> <p>Ever since we first released <a href="https://blog.1password.com/1password-x-a-look-at-the-future-of-1password-in-the-browser/">1Password X</a> for desktop web browsers, we’ve dreamed of bringing its power to iPhone and iPad. With today&rsquo;s release of iOS 15, we&rsquo;ve done just that! 😍</p> <img src='https://blog.1password.com/posts/2021/1password-for-safari/ios_popover.png' alt='The 1Password for Safari popover open on an iPhone' title='The 1Password for Safari popover open on an iPhone' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>You have immediate access to all of 1Password directly in Safari. Fill with a tap, search all items, generate Smart Passwords, or even view your favorite shortbread recipe. Having your entire digital life available directly within Safari is life-changing.</p> <p>And that’s just the beginning. We brought in-page suggestions over from the desktop as well.</p> <img src='https://blog.1password.com/posts/2021/1password-for-safari/ios_inline.png' alt='1Password in-page suggestions displayed on Twitter.com' title='1Password in-page suggestions displayed on Twitter.com' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>In-page suggestions allow you to access your items exactly where you need them. 
For sites that have complicated sign-in forms, we use our on-device machine learning to detect what’s happening and automatically fill the password for you.</p> <p>And if you use two-factor authentication, we automatically fill the codes, so you don&rsquo;t need to copy them to your clipboard.</p> <p> <video class="round shadow" style="display: block; margin: auto; padding: 0;"autoplay='true'muted='true'loop="loop" playsinline="" width="100%" alt='1Password filling across multiple pages on Github.com' controls> <source src="https://blog.1password.com/posts/2021/1password-for-safari/iphone_filling.webm" type="video/webm" /> </video> </p> <p>Using the web on iPhone has never been faster or more secure. 🔒</p> <h2 id="ipad-mighty-and-magical">iPad: Mighty and Magical</h2> <p>iPad has a wonderful desktop-class browsing experience. Now it has the entire desktop 1Password experience as well.</p> <img src='https://blog.1password.com/posts/2021/1password-for-safari/ipad_popover.png' alt='The 1Password for Safari popover open on an iPad' title='The 1Password for Safari popover open on an iPad' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>If you&rsquo;ve used 1Password in a desktop web browser, the iPad experience will be immediately familiar to you. Everything is where you expect it, and it works great with your finger, Apple Pencil, or your Magic Keyboard.</p> <p>1Password turbocharges any iPad, even that cute mini one! 
💜</p> <h2 id="and-so-much-more">And so much more…</h2> <p>With today’s iOS and iPadOS releases, we brought a ton of features to these platforms we’ve only ever dreamed about.</p> <ul> <li>Get contextual in-page filling suggestions as you browse the web</li> <li>Fill logins, credit cards, identities, emails, and addresses</li> <li>Automatically fill credentials across multiple pages</li> <li><a href="https://1password.com/features/autofill/">Autofill</a> two-factor authentication codes</li> <li>Scan QR codes for easy setup of two-factor authentication</li> <li>Use suggested <a href="https://blog.1password.com/a-smarter-password-generator/">Smart Passwords</a> that meet the requirements of any page</li> <li>Save logins and credit cards to 1Password straight from the page</li> <li><a href="https://blog.1password.com/privacy-virtual-cards/">Fill and save virtual credit cards with Privacy.com</a></li> <li>See Watchtower recommendations to improve your security score</li> <li>Unlock with Face ID and <a href="https://1password.com/mac/">Touch ID</a></li> </ul> <h2 id="available-now">Available now</h2> <p>To get started on <a href="https://1password.com/resources/guides/1password-for-safari/">1Password for Safari</a>, upgrade your devices and stop by the <a href="https://apps.apple.com/us/app/1password-password-manager/id568903335">App Store</a> for the free update to 1Password.</p> <p>If you want to chat more, you can join us for a live <a href="https://twitter.com/i/spaces/1BdGYYZojagGX">Twitter Space</a> tonight at 8 PM Eastern, <a href="https://www.reddit.com/r/1Password">Reddit AMA</a> on Thursday, join us on <a href="https://1password.community/">our forum</a>, or give us a shout-out on <a href="https://twitter.com/1password">Twitter</a>.</p> <p>If you need something to watch during your update, check out our 1Password for iOS 15 announcement video.</p> <div style="text-align: center !important;"> <iframe src="https://www.youtube-nocookie.com/embed/azLYkf0UR_w" 
frameborder="0" allow="autoplay; encrypted-media" width="500px !important;" height="281px !important;" style="width: 500px !important; height: 281px !important; display: inline-block !important" allowfullscreen></iframe> </div></description></item><item><title>1Password named one of the top five large companies for remote workers by Quartz</title><link>https://blog.1password.com/1password-best-company-for-remote-workers/</link><pubDate>Wed, 08 Sep 2021 00:00:00 +0000</pubDate><author>info@1password.com (Lyndsey French)</author><guid>https://blog.1password.com/1password-best-company-for-remote-workers/</guid><description> <img src='https://blog.1password.com/posts/2021/quartz-award-announcement/header.png' class='webfeedsFeaturedVisual' alt='1Password named one of the top five large companies for remote workers by Quartz' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">1Password has been a remote company since we started more than 15 years ago. We’ve worked hard to <a href="https://blog.1password.com/remote-work-culture/">build and maintain a remote culture</a>, as we grew, that places value on a healthy work-life balance, transparent communication, and trust. That’s why we’re thrilled to announce that we’ve been included in <a href="https://qz.com/work/2053446/the-best-companies-for-working-from-home/">Quartz’s Best Companies for Remote Workers 2021</a>.</p> <h2 id="making-remote-work-work">Making remote work, work</h2> <p>At 1Password we’re big advocates of remote working – after all, it makes teams <a href="https://lp.buffer.com/state-of-remote-work-2020">happier</a> and <a href="https://www.inc.com/marcel-schwantes/new-study-reveals-why-working-from-home-makes-workers-more-productive.html">more productive</a>. 
But a distributed workforce comes with its own set of challenges, too – collaborating with more than 400 people across multiple time zones takes a lot of empathy, support, and trust.</p> <p>With so many people and projects to coordinate, communication is key. Open communication and transparent expectations are at the center of our <a href="https://blog.1password.com/remote-work-culture/">remote work culture</a>. Each team’s projects and workflows are tailored to the individual capabilities (and availability) of its employees.</p> <p>Employees can always engage with managers and each other on one or more collaboration tools, with the understanding of differing time zones and workflows. And any process or company updates are shared with the invitation for honest employee feedback, which our leadership team takes as seriously as feedback from our customers.</p> <p>Trust is everything. We do what we can to make employees feel valued and respected, and trust them to do their jobs however it best suits them. 1Password owes all of its success to our employees, and by offering a place where they can feel their best, their contributions have made us the most trusted password manager in the world.</p> <p>Achieving this while fully remote is something we’re particularly proud of, and we hope it’s evidence to other companies that remote work isn’t a compromise, but an opportunity.</p> <h2 id="its-not-all-about-work">It’s not all about work</h2> <p>While tools, processes, and productivity are important, we believe the most essential aspect of any remote workplace is culture. Without a healthy, inclusive culture, you can’t develop the kind of strong relationships that help get work done.</p> <p>We encourage the 1Password team to be outspoken, enjoy lively (and respectful) conversations, and make connections with their colleagues on interest-focused Slack channels and other social forums. 
It’s certainly harder to feel “part of a team” when they’re not across the hallway, but we’ve created as many spaces as possible to let employees be themselves and build their network.</p> <p>In all of our social channels, kindness and inclusivity are a common thread. We’ve built tolerance and compassion into our hiring requirements, and reinforce these values wherever possible. Empathy begins at the top; our founders not only promote and encourage mindfulness among the team, but also let employees know that their wellbeing comes first, always.</p> <p>Flexible scheduling and free <a href="https://blog.1password.com/mental-health-thanksgiving/">Headspace</a> accounts are just two elements of this. It’s never been more important to consider what employees might be dealing with in life and at home; productivity should never be at the expense of <a href="https://blog.1password.com/remote-work-mental-health/">mental health</a>.</p> <p>Bringing together a team this big and spread out is no easy feat. But it&rsquo;s well worth doing, and has created some of the most rewarding experiences in our team&rsquo;s history. Once a year we get the whole team together to catch up, celebrate our successes, and plan for the future. Of course, this year we had to do it remotely because of travel restrictions, but we still made the most of it – hosting a <a href="https://www.bizbash.com/event-tech-virtual/hybrid-virtual-event-production/article/21403833/what-event-planners-can-learn-from-this-successful-virtual-cruise-conference">virtual 1Password cruise</a>.</p> <h2 id="the-future-of-remote-working">The future of remote working</h2> <p>As remote work veterans, we’ve been able to build a company and culture that allows our team to fit work around their lives – and we’re well aware there’s always room for improvement, too. We believe the future of work allows employees to be flexible, comfortable, and productive. 
Quartz executive editor Heather Landy sums it up beautifully:</p> <blockquote> <p>The future of remote work hinges on how adaptive and innovative companies are willing to be. That’s why Quartz’s first-ever global list of the best companies for remote workers is so important. It showcases who is leading the way – across every time zone. These are companies that are making it easy for employees to work from anywhere, encouraging them to get away from work when they need to, and offering great perks and practices for remote workers so they can do it all.</p> </blockquote> <p>Thanks to Quartz for putting together this list and including 1Password – it’s an honor to have all the hard work recognized. You can find out more and <a href="https://qz.com/se/best-companies-for-remote-workers-2021/">see the full list here</a>.</p> <section class="c-call-to-action-box"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Come and be curious</h3> <p class="c-call-to-action-box__text"> Read what some 1Password employees <a href="https://www.glassdoor.com/Overview/Working-at-1Password-EI_IE2984143.11,20.htm">have said about their experience</a>, and check out the current job openings to see if there’s an opportunity that matches your career goals. We’d love to hear from you! 
</p> <a href="https://jobs.lever.co/1password" class="c-call-to-action-box__link-href" data-event-category="CTA" data-event-action="call-to-action-button"> Apply now </a> </div> </section></description></item><item><title>Privacy and the future of email – an interview with Ricardo Signes of Fastmail</title><link>https://blog.1password.com/fastmail-online-privacy/</link><pubDate>Tue, 07 Sep 2021 00:00:00 +0000</pubDate><author>info@1password.com (Stacey Harris)</author><guid>https://blog.1password.com/fastmail-online-privacy/</guid><description> <img src='https://blog.1password.com/posts/2021/rbm-fastmail/header.svg' class='webfeedsFeaturedVisual' alt='Privacy and the future of email – an interview with Ricardo Signes of Fastmail' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">What does the future of email look like? How can you be a better digital citizen? And why is online privacy so important? We answered all these questions and more when we sat down with Ricardo Signes, Chief Technology Officer at Fastmail – a privacy-focused email service with no tracking and no ads. Check out the highlights below, or <a href="https://randombutmemorable.simplecast.com/episodes/email-alias-rabbit-hole">listen to the full interview with Ricardo</a> on our podcast, Random but Memorable.</p> <p><strong>Random But Memorable: Tell us a bit about Fastmail.</strong></p> <p>Ricardo Signes: <a href="https://1password.com/fastmail/">Fastmail</a> – we provide email, contacts and calendar hosting. When someone asks me what we do I say we’re like Hotmail, except our product is really, really good. 
We want the features that we build to make people feel good about using them – to make people enjoy the experience of reading their mail, writing their mail, and dealing with their calendar.</p> <div class="c-simplecast-embed c-simplecast-embed--recast"> <iframe class="c-simplecast-embed__iframe" title="1Password Random but Memorable Podcast" width="100%" frameborder="no" scrolling="no" seamless src="https://player.simplecast.com/recast/0239a585-cf19-53b5-ad96-9362a4e24e2b?dark=false"></iframe> </div> <p><strong>RBM: What’s interesting about Fastmail is it’s a paid email service in a sea of free email providers – how is that received and how does that work?</strong></p> <p>RS: I think it works great. A lot of people are used to the idea that email is free, but providing email isn’t free. The person providing the service has to spend money to create their product, so how are they getting the money back to recoup the cost? Most email service providers make their money by selling advertising, so their incentive is to make choices that optimize targeting and selling ads.</p> <p>When the only income for a company comes from people paying for the service, then the company’s incentive is to serve the customer and give the customer what they want. When you look at services that do this, not just email, but other places, you can see the results – you get a product that serves the user better.</p> <div class="c-simplecast-embed c-simplecast-embed--recast"> <iframe class="c-simplecast-embed__iframe" title="1Password Random but Memorable Podcast" width="100%" frameborder="no" scrolling="no" seamless src="https://player.simplecast.com/recast/784d151d-2fc6-577b-9be2-e95ca3bf18d2?dark=false"></iframe> </div> <p><strong>RBM: So it’s the old adage of – if you’re not paying for the service, then you’re the thing being sold. 
I think that something a lot of people aren’t even aware of when you look at some of the big email service providers out there, between Yahoo!, Hotmail, and Google – those services don’t have your privacy in mind. Do you think there is a big awareness gap for customers?</strong></p> <p>RS: Yeah, the problem is a lack of mindfulness about privacy in general. Privacy needs to be something that we build into our thinking. Your email address is like your internet social security number, it’s like your credit card, and you’re just giving it out to people all the time – and you don’t think about the fact that behind the scenes all of your identities are put together using your email address, which has an impact on your overall privacy landscape.</p> <div class="c-simplecast-embed c-simplecast-embed--recast"> <iframe class="c-simplecast-embed__iframe" title="1Password Random but Memorable Podcast" width="100%" frameborder="no" scrolling="no" seamless src="https://player.simplecast.com/recast/e9685c6a-b420-5ba5-a1ea-2f5aef158ee9?dark=false"></iframe> </div> <p><strong>RBM: What do you say to people who come back with the argument “I have nothing to hide”?</strong></p> <p>RS: Some amount of privacy is a fundamental human need – nobody thinks you’re a weirdo if you close your curtains at night! Privacy is not about having some deep, weird secrets you need to hide. 
Saying you have nothing to hide is focusing on the idea that there’s something weird going on, when in reality your whole life has privacy built into it.</p> <div class="c-simplecast-embed c-simplecast-embed--recast"> <iframe class="c-simplecast-embed__iframe" title="1Password Random but Memorable Podcast" width="100%" frameborder="no" scrolling="no" seamless src="https://player.simplecast.com/recast/f98ed156-c1b6-56a7-8ee0-011991d05384?dark=false"></iframe> </div> <p><strong>RBM: What makes Fastmail unique in the privacy space?</strong></p> <p>RS: When somebody is paying for Fastmail, our question is what can we do to make their experience better. Because we don’t think about the user being the product, we don’t monetize their information as something to make a profit on, and we have no incentive to go and circumvent their privacy.</p> <p>So if you want privacy, you know we have no motive to betray you. But if you don’t care about privacy – first of all care about privacy – but if you don’t care about privacy, if you’re thinking I guess privacy is nice, but what I really want is good service – you still end up getting a better choice when you look at something that’s built on a concept of wanting to have privacy – like Fastmail.</p> <div class="c-simplecast-embed c-simplecast-embed--recast"> <iframe class="c-simplecast-embed__iframe" title="1Password Random but Memorable Podcast" width="100%" frameborder="no" scrolling="no" seamless src="https://player.simplecast.com/recast/7b8c8941-c55c-50ad-869f-01d02fdb1450?dark=false"></iframe> </div> <p><strong>RBM: I want to talk about the aliases feature because it’s super cool and definitely something that caught my eye. Can you talk a little bit about what they are and how they work?</strong></p> <p>RS: Aliases are just another email address on your account that you can use for different occasions. 
For example, I have an alias on my account that goes to both my wife and me, I use a different alias for interacting with open source communities than I do for friends and family, and I even use a different alias for my bills.</p> <p>We should talk about email being like your credit card. If you give out your credit card everywhere and something goes wrong, you don’t know where your card was compromised. But, if you have a different credit card at every place you shop, when you start seeing fraudulent charges on the number you used with Gimbels, you know that Gimbels leaked your credit card data.</p> <p>You cancel that card, and everything else keeps working. So, if you start getting email sent to you at your Gimbels email address from other vendors, then you know Gimbels is sending your email address around. So, you can cancel that email alias and stop receiving unwanted emails.</p> <p>A lot of these things are little usability problems everywhere in life, but especially in email. Aliases, correctly applied, address a bunch of those problems.</p> <div class="c-simplecast-embed c-simplecast-embed--recast"> <iframe class="c-simplecast-embed__iframe" title="1Password Random but Memorable Podcast" width="100%" frameborder="no" scrolling="no" seamless src="https://player.simplecast.com/recast/43b36328-6bce-5dc8-a216-d08062745168?dark=false"></iframe> </div> <p><strong>RBM: Given the legacy of email, what do you see as the future?</strong></p> <p>RS: The first thing I should do is give a highly technical plug and mention <a href="https://blog.1password.com/making-masked-email-with-jmap/">JMAP</a>, which is an internet protocol we developed here at Fastmail, and it’s meant to replace a bunch of the old technology for email with things that are newer, simpler, and more powerful. 
JMAP is a free standard that anybody can implement, and it interoperates with existing email technology so we can start building new features on newer technology.</p> <p>Secondly, the future of email is better email. Firstly, breaking mail into different streams will make it better. Saying, here’s my pile of mail from my friends, here’s my mail from my family, here’s my work email. We need to find ways to let people effortlessly separate their mail.</p> <p>The other thing that needs to get better is tiny messages. Sometimes I get an email, and I just want to type “yes,” then hit send – but that makes me the weirdo! We need mechanisms that let us get the things we want out of instant messaging and Facebook-style reactions – to let us interact in a simple, efficient way that doesn’t feel like we’re subverting the idea of what email is.</p> <p>We’ve developed new technologies outside of email, but those technologies have their own problems. They’re offered in walled gardens that force you to only interact with people in that sphere of engagement – I chat with these friends on discord, and these friends on slack, and these people some other place. But email, I’m just on email. 
That’s the benefit we need to bring by folding these technologies together.</p> <div class="c-simplecast-embed c-simplecast-embed--recast"> <iframe class="c-simplecast-embed__iframe" title="1Password Random but Memorable Podcast" width="100%" frameborder="no" scrolling="no" seamless src="https://player.simplecast.com/recast/910f5b54-45b9-5476-b01b-554f809ed3fe?dark=false"></iframe> </div> <div class="c-simplecast-embed c-simplecast-embed--recast"> <iframe class="c-simplecast-embed__iframe" title="1Password Random but Memorable Podcast" width="100%" frameborder="no" scrolling="no" seamless src="https://player.simplecast.com/recast/ae544c32-d28d-5897-95bf-4a0581b275c0?dark=false"></iframe> </div> <p><strong>RBM: Fastmail talks a lot about being good internet citizens – can you talk a little bit about what you mean by that?</strong></p> <p>RS: Digital citizenship is a really interesting topic. When I was in third grade, we had a curriculum that included a class on citizenship, which teaches you how to be a good citizen. The topics that folded into good citizenship were:</p> <ul> <li>How was society meant to work?</li> <li>Why did we mean for it to work that way?</li> <li>Was that a good idea?</li> <li>Have we made good or bad decisions?</li> <li>What should we do about it?</li> <li>How do we make it stay good or stop being bad?</li> </ul> <p>Digital citizenship is the same set of questions, but it’s about the internet. It’s not just about your online life – it’s about your connected life.</p> <p>For Fastmail, our primary activity to make connected life better is building tools that put people in charge of their own data to try and make our connected society better. The other is that we take the connected technologies for this, and we give them away. We want other companies to be able to work together in the kind of interactions that we’re facilitating. 
We are working on our own podcast inside of Fastmail, which is called <a href="https://www.fastmail.com/digitalcitizen/">Digital Citizen</a>. It’s about these questions.</p> <div class="c-simplecast-embed c-simplecast-embed--recast"> <iframe class="c-simplecast-embed__iframe" title="1Password Random but Memorable Podcast" width="100%" frameborder="no" scrolling="no" seamless src="https://player.simplecast.com/recast/4c8f0206-8b35-59af-bcd0-4d5e2815cffb?dark=false"></iframe> </div> <p><strong>RBM: Do you have anything we haven’t touched on that people should really know if they’re trying to stay safe online?</strong></p> <p>RS: I think the first thing is to think about privacy. You don’t have to get obsessed. You don’t have to delete all your accounts. You don’t have to switch to burner phones and stop communicating with your family because they’re only on Facebook. Just think about what information you’re sharing, if you’re comfortable sharing it, and if those services even need that information.</p> <p>If we want to talk about email, it’s that your email address is your identity. Email is the way online services know who you are, and so you should think about how many identities you need. 
Most people need more than one – work, family, friends, bills, etc.</p> <p>Separating these identities beyond just privacy can help you lead a life in which you compartmentalize your concerns intentionally and have a way to think about how you’re dealing with these aspects of your life.</p> <div class="c-simplecast-embed c-simplecast-embed--recast"> <iframe class="c-simplecast-embed__iframe" title="1Password Random but Memorable Podcast" width="100%" frameborder="no" scrolling="no" seamless src="https://player.simplecast.com/recast/5e5600c4-4ad6-5af4-81e2-50d7cad80de8?dark=false"></iframe> </div> <p>We recently talked about why privacy matters and put together some practical tips to help you <a href="https://blog.1password.com/how-reclaim-your-online-privacy/">reclaim your privacy online</a>. This was a condensed interview; you can <a href="https://randombutmemorable.simplecast.com/episodes/email-alias-rabbit-hole">listen to the full interview with Ricardo Signes</a>, or <a href="https://randombutmemorable.simplecast.com/">tune in to other episodes of Random But Memorable</a> wherever you get your podcasts.</p></description></item><item><title>1Password 8: The Story So Far</title><link>https://blog.1password.com/1password-8-the-story-so-far/</link><pubDate>Thu, 12 Aug 2021 00:00:00 +0000</pubDate><author>info@1password.com (Michael Fey)</author><guid>https://blog.1password.com/1password-8-the-story-so-far/</guid><description> <img src='https://blog.1password.com/posts/2021/1password-8-so-far/header.png' class='webfeedsFeaturedVisual' alt='1Password 8: The Story So Far' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Greetings everyone! With the recent launch of our Early Access preview of 1Password 8 on macOS I wanted to take a few minutes to pull back the curtain on this software development project that is over two years in the making. 
Before we get into that, though, I think a bit of backstory is warranted.</p> <h2 id="1password-7-6-5-4">1Password 7, 6, 5, 4…</h2> <img src='https://blog.1password.com/posts/2021/1password-8-so-far/1password-through-the-years.png' alt='1Password for Mac, through the years' title='1Password for Mac, through the years' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>With a fifteen-year history, 1Password has seen a lot of changes across all our supported platforms, but the way we’ve built our apps has largely been the same over those years. The very first version of 1Password was built by Dave and Roustem as a weekend project to help them with their day jobs of building websites. They got tired of manually filling in usernames, passwords, and contact information to test the sites they were building and figured they could build a tool to automate that. This weekend project quickly took over their day job and spawned a whole company and industry.</p> <p>The first version of 1Password was a Mac app with a small team of four dedicated to it. When Apple announced the iPhone SDK, that same team moved on to that platform and created the first version of 1Password for iPhone. At that time syncing your data across devices was largely relegated to using Dropbox to host an encrypted 1Password file that could be read and updated by any of your 1Password apps connected to your Dropbox account. Not long after, we expanded to include Windows and Android, hiring a developer for each of those platforms. They were given the file format specification, shown the Mac and iPhone apps, and given free rein to create a 1Password app for their platforms. While that was happening, the original team went back to working on the Mac and iPhone apps. They added features, shipped updates, and continued on the path of making great software for Apple’s platforms. 
Meanwhile, the Android and Windows developers did the same, but in a manner that was very siloed from the other platform developers.</p> <p>As time went on and those teams grew, that separation and mode of working remained largely the same. When I was leading the iOS team and later both the Mac and iOS team, I would routinely find out about things the Windows and Android team had done when I read about it on our blog. If I saw a new feature or improvement I thought we should add to one of my team&rsquo;s apps I would do so, but in isolation from those other teams. This way of working wasn’t ideal, and it certainly wasn’t a bastion of cooperation and coordination.</p> <p>History repeated itself six years ago when we introduced our hosted service, 1Password.com. The first version of the client/server application programming interfaces (APIs) were first built and refined using <a href="https://1password.com/mac/">1Password for Mac</a>. Once things were stable they came to our iPhone app. We did a much better job documenting those APIs and file formats, but in the end we still delivered them to the Windows and Android teams, pointed them at what we’d built for the Apple apps, and sent them on their way to build it into their apps. Nonetheless, we shipped support for our new service across four platforms and things were good… for a while.</p> <h2 id="the-1passwordcom-era">The 1Password.com Era</h2> <p>One of the things that we were the most excited about with our own hosted service was that we were going to be able to move so much faster. We could build new features and roll them out across all our apps quickly, easily, and simultaneously. However, with four full stacks of client implementations of our server APIs, any changes needed to be coordinated across four teams. Four teams that were still operating independently. 
Each time our server team lead would come to the client leads and ask us how long until we could support some new feature, each of us said the same thing: “Now’s not a good time, we’re busy. Maybe in a few weeks?” And that estimate of a few weeks was different for each team. We kept advancing our apps with cool new features, but we weren’t advancing our service-based features. We were paralyzed. This continued until about three years ago when Jeff Shiner, our CEO, pulled all the leads together and effectively said, &ldquo;This is ridiculous. Can we do better?”</p> <h2 id="doing-better--n">Doing Better 👉 ⌘N</h2> <p>We began exploring options for consolidating the non-user interface portions of 1Password into a single codebase that we could insert into each of our apps. The goal was to replace those four separate technology stacks — each with their own idiosyncrasies, differences, and frankly, bugs — with something that allowed us to move faster, together. With a couple false starts and technology changes under our belts we finally caught our stride at the beginning of last year. A small team, using existing pieces of various apps and projects, put together a proof of concept of a brand new 1Password app running on top of what we now call the 1Password Core.</p> <p>On April 1st, 2020 we officially put our existing 1Password apps into maintenance mode, opened up our source code editors, and clicked <strong>File</strong> &gt; <strong>New Project…</strong> on <em>five</em> new 1Password apps.</p> <h2 id="the-1password-core-era">The 1Password Core Era</h2> <p>1Password 8 has been an incredibly ambitious project for a number of reasons. 
Beyond “simply” recreating an entire 1Password client app backend in a shared library, we had other requirements:</p> <ol> <li>We needed to create apps that look and feel like 1Password, but also look and feel at home on the platform where they’re running.</li> <li>Because we were starting from scratch we needed to get all our platforms moving together and coordinating from the start.</li> <li>We needed a design-led approach that was integrated with our development team much more tightly. The best software is built when the designers are sitting (virtually) right next to the developers in a collaborative environment.</li> <li>Inconsistencies both small and large had crept into our apps over time. From small things like password strength being different between platforms to larger things like differences in search results and entire missing features. We needed to drive consistency and cohesion through our apps in a programmatic way.</li> </ol> <h2 id="the-backend">The Backend</h2> <p>As you may have read in some of our previous posts, we chose to write our shared backend library in Rust, a systems language known for its performance, security, and memory safety. It also ticked all the boxes for the platforms to which we were planning to deploy: macOS, iOS, Windows, Android, Linux, our browser extension, and our web app. Our Windows team had been working with Rust for a year before we started on the Core project which gave us a huge leg up. We also hired a large number of very talented Rust developers to help us achieve our goal.</p> <p>The goal was to put every feasible piece of 1Password into the Core library, stopping just short of the user interface. This approach has allowed us to consolidate everything from the communication with the 1Password.com server, to the database handling, to permissions enforcement, to our cryptographic routines, and more in one place. It’s also allowed us to drive the consistency of user experience we need. 
For example, when you search for something in 1Password 8, the code that matches your search terms to your items is exactly the same across each platform, ensuring your results don’t vary from app to app.</p> <h2 id="the-1password-8-frontends">The 1Password 8 Frontends</h2> <p>When we set about choosing our frontend languages we took it platform by platform, but we did have an overall goal of reducing the number of frontends we needed to develop for, which would enable us to move faster.</p> <h2 id="linux">Linux</h2> <p>Our first proof of concept was on Linux, using web technologies that borrowed heavily from our browser extension implementation. We had packaged this proof of concept using Electron. With myriad windowing toolkits on Linux we decided to continue with that approach because it gave us a way to deliver a high-quality application regardless of each distribution’s windowing environment.</p> <h2 id="windows">Windows</h2> <p>On Windows we did consider writing an app using the native Windows UI toolkit, but given our history of Windows development and reviewing the types of rich user interface experiences we wanted to provide with 1Password going forward we decided to take the web UI approach there as well.</p> <h2 id="android">Android</h2> <p>To achieve our goal of creating an app that looked and felt like it belonged on Android devices we decided to use a native Android toolkit for our frontend. When we started the project we were hoping to use Jetpack Compose, but as it was still prerelease and lacking some key features we needed, we decided to stick with the Android View framework. Happily, in the time since we started this project, Jetpack Compose has gone stable and we&rsquo;ll be exploring how we can integrate it into our future work.</p> <h2 id="ios">iOS</h2> <p>Similar to Android, we knew that the best way to create an app that looked and felt like 1Password but also felt at home on the system was to use a native UI toolkit. 
We had two choices: UIKit and SwiftUI. SwiftUI was still early on in its lifespan, but in the spirit of skating to where the puck was going, we decided to go all in on Apple’s future-looking framework. We also knew that Apple was planning significant updates to SwiftUI that would most likely require us to increase the minimum supported version of this new app, but given the incredibly high adoption rates of new versions of iOS this wasn’t a significant concern. Using SwiftUI also gave us the opportunity to do something we’d never been able to do before: cover iOS and macOS with the same user interface code.</p> <h2 id="macos">macOS</h2> <p>The decision of how to build 1Password 8 for macOS was probably the most complicated one we had to make. Given our history of shipping great apps built using the native UI toolkit Apple provides, and the ability those toolkits give us to meet our goal of an app that feels at home on the system, we knew we wanted to continue that trend. We had a few goals that were at odds with each other:</p> <ol> <li>Reduce the number of frontend languages and toolkits.</li> <li>Support as many versions of macOS as possible.</li> <li>Create an app that looked and felt at home on macOS.</li> </ol> <p>We could support as many versions of macOS as we wanted using Apple’s AppKit framework, but that meant adding another frontend toolkit to the mix. We could go all in on SwiftUI, but that meant reducing the number of operating system versions we could support. We could go all in on the same approach we were using for Linux and Windows, but that made it very difficult to create an app that looked and felt at home on macOS.</p> <p>Ultimately we decided on a two-pronged approach. We would build <em>two</em> Mac apps. 
One written in SwiftUI that targeted the latest operating systems and another using web UI that allowed us to cover older OSes.</p> <p>With all our frontend frameworks chosen we were off to the races!</p> <h2 id="feature-teams">Feature Teams</h2> <p>Our past approach to designing and building our apps, as I mentioned above, was much more piecemeal. A single designer would design a feature for a single platform and then move on to something else. With the power of the Core behind us and our trio of frontend frameworks in front of us, we wanted to take a much more unified approach to feature development. We came up with the concept of “feature teams” — ephemeral teams made up of a designer, three frontend developers, one or two Core developers, a project manager, a tech lead, and a member of the quality assurance team. Together this group takes a problem we’re looking to solve, defines the use cases and the scope of the project, wireframes possible solutions, and then dives into a full design and development cycle until the problems have been solved and the feature is complete.</p> <p>We’ve had a tremendous amount of success with this approach because it’s allowed us to move all our apps forward together at the same time, creating cohesive user interfaces across our client apps that deviate where necessary to fit in with the paradigms, design patterns, and form factors of the system where they’re being deployed.</p> <h2 id="design--development">Design &amp; Development</h2> <p>While feature teams solved the problem of how to move together, we wanted to solve an ancillary problem at the same time, which was how to create a design-led approach that connected our design team with our development team much more closely. Taking a chapter out of the design system playbook we decided to create a component library that would be matched across our frontends and design system. 
This allowed the designers to define reusable components that each of our frontends would implement and then use when building our features.</p> <h2 id="cohesion">Cohesion</h2> <p>The final requirement we had was one of consistency and cohesion across our apps. For that we turned to the concept of view models. We knew that the more we could use the Core to inform the user interfaces we were building, the more maintainable they would be in the long run. A good example of this is the new sidebar in 1Password 8. Early on we had the vaults in the sidebar grouped by <strong>Private</strong> and <strong>Shared</strong>. This led to some confusion during testing and we made the decision to change to a single list of vaults. Because of how we had architected the interplay between the user interface and the Core, this change required no frontend changes at all. We changed the grouping in the Core and our frontends updated automatically.</p> <h2 id="how-it-started">How It Started</h2> <p>The first eleven months of development on our new apps went fairly well. 
We doubled the size of our development team while also making significant progress on five brand new 1Password apps covering iOS, Android, macOS, Windows, and Linux.</p> <p>Here’s how our apps looked in February of this year:</p> <p> <img src='https://blog.1password.com/posts/2021/1password-8-so-far/linux.png' alt='1Password 8 for Linux, early prerelease screenshot' title='1Password 8 for Linux, early prerelease screenshot' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <img src='https://blog.1password.com/posts/2021/1password-8-so-far/windows.png' alt='1Password 8 for Windows, early prerelease screenshot' title='1Password 8 for Windows, early prerelease screenshot' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <img src='https://blog.1password.com/posts/2021/1password-8-so-far/android.png' alt='1Password 8 for Android, early prerelease screenshot' title='1Password 8 for Android, early prerelease screenshot' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <img src='https://blog.1password.com/posts/2021/1password-8-so-far/iOS.png' alt='1Password 8 for iOS, early prerelease screenshot' title='1Password 8 for iOS, early prerelease screenshot' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <img src='https://blog.1password.com/posts/2021/1password-8-so-far/macOS.png' alt='1Password 8 for macOS, early prerelease screenshot' title='1Password 8 for macOS, early prerelease screenshot' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> </p> <p>However, with a self-imposed ship date of September 2021, our timeline to bring these apps to stable was starting to look a bit tight.</p> <h2 id="how-its-going">How It’s Going</h2> <p>Earlier this year the leadership team sat down to review the remaining work and evaluate ways we could reduce our scope to ensure that we were able to meet our dates. 
We had already decided to defer a parallel project the previous fall to port our browser extension over to the Core backend, but we knew we had to cut more to bring focus to the needs of each of our apps.</p> <p>The largest and most obvious thing that we focused on was the fact that we were building not one, but two apps for macOS. Despite the fact that SwiftUI allowed us to share more code than ever between iOS and macOS, we still found ourselves building separate implementations of certain components and sometimes whole features to have them feel at home on their target OS.</p> <p>Ultimately we made the painful decision to stop work on the SwiftUI Mac app and focus our SwiftUI efforts on iOS, allowing the Electron app to cover all of our supported Mac operating systems. We could have started over with AppKit as the UI toolkit for our Mac app, but this would have put us significantly behind schedule and also would have added another frontend toolkit to maintain over the long term. This decision came with a big challenge, however, as we knew we still needed to deliver a top-tier user experience on macOS.</p> <p>Shortly after this decision was made, we also made another change in direction which was to ship 1Password for Linux to stable much sooner than any of our other new apps. Because this was our first ever Linux app there were fewer constraints around migrating from previous versions, supporting App Store purchases, and other efforts that were still needed for our other platforms. We rallied a portion of our team to polish the app for Linux. These efforts included adding in platform specific integrations such as GNOME Keyring and KDE Wallet support, X11 clipboard integration and clearing, and System tray icon support for staying unlocked while closed. The response to our first ever Linux app and our first ever app based on the new architecture was overwhelmingly positive. 
We were both bolstered and energized to move on and finish the rest of our apps.</p> <p>As of this writing we have 1Password available for all of our desktop platforms: Linux in stable, and Windows and macOS in Early Access.</p> <h2 id="where-were-headed">Where We’re Headed</h2> <p>Next up you’re going to see us complete the rollout of the remainder of our apps. We’ll be taking 1Password for Windows from Early Access to a stable launch, followed by the same for our app on macOS.</p> <p>You’re also going to see our brand new mobile apps launch to Early Access and then stable after that with iOS landing first followed by Android.</p> <p>Beyond that, though, is where the real fun begins for us and for you, our customers. With the incredibly strong foundation we&rsquo;re building we will finally be able to turn almost any &ldquo;what if…&rdquo; into &ldquo;let&rsquo;s do it&rdquo;.</p> <h2 id="wrapping-it-up">Wrapping It Up</h2> <p>1Password 8 has been a huge undertaking so far, but one that is setting the stage for the next decade of success for our client apps. We remain committed to creating top-tier user experiences on all of our platforms. We can&rsquo;t wait for you to come along with us on this journey.</p></description></item><item><title>1Password 8 for Mac is now in Early Access! 🎉</title><link>https://blog.1password.com/1password-8-for-mac-is-now-in-early-access/</link><pubDate>Wed, 11 Aug 2021 00:00:00 +0000</pubDate><author>info@1password.com (Dave Teare)</author><guid>https://blog.1password.com/1password-8-for-mac-is-now-in-early-access/</guid><description> <img src='https://blog.1password.com/posts/2021/early-access-mac/header.jpg' class='webfeedsFeaturedVisual' alt='1Password 8 for Mac is now in Early Access! 🎉' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Earlier this year we released our new Linux app and soon after opened early access to 1Password 8 for Windows. 
Now it’s time for Mac to join in on the fun! 🎊</p> <p>Mac has always held a special place in my heart. Roustem and I created the very first version of 1Password on our Mac PowerBooks way back in 2006. And our love has continued throughout our 15-year history. 🥰</p> <p>When we set out to create 1Password 8 we wanted to create a familiar, unified experience while staying true to what makes each platform special.</p> <p>With 1Password 8, we’ve done exactly that. 1Password 8 is our best Mac app to date and today we’re <a href="https://1password.community/discussion/122136/1password-8-for-mac-beta">opening early access</a> so you can get in on the fun.</p> <img src='https://blog.1password.com/posts/2021/early-access-mac/HeroUnlocked.png' alt='1Password app unlocked on Mac showing off its new design' title='1Password app unlocked on Mac showing off its new design' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>Welcome aboard the next generation of <a href="https://1password.com/mac/">1Password for Mac</a>. 😍</p> <p>Let&rsquo;s start at the top. Categories now sit atop your item list as a simple dropdown filter, giving the sidebar plenty of room to show all your vaults and their accounts.</p> <p>You’ll also notice an indicator next to each shared vault, making it easier to see which vaults are private and which are shared. No guesswork. And items show who they’re being shared with.</p> <img src='https://blog.1password.com/posts/2021/early-access-mac/ItemSharing.png' alt='Screenshot of the Item Details window with a zoomed in highlight of who it&#39;s being shared with' title='Screenshot of the Item Details window with a zoomed in highlight of who it&#39;s being shared with' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>Throughout the app you&rsquo;re in more control, with more contextual information available at all times. Try dragging-and-dropping an item from a personal vault to a shared vault. 
When you do, 1Password will show you who will gain access to the item so there&rsquo;s no doubt about what&rsquo;s happening.</p> <img src='https://blog.1password.com/posts/2021/early-access-mac/MoveItemConfirmAccess.png' alt='Moving an item to a shared vault now shows a confirmation window highlighting who will have access once the move is completed.' title='Moving an item to a shared vault now shows a confirmation window highlighting who will have access once the move is completed.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>And for those of you that love Dark Mode you’re in for a treat! Flipping the switch is so relaxing on the eyes it&rsquo;s like beaming over to the beauty salon. 😎</p> <img src='https://blog.1password.com/posts/2021/early-access-mac/HeroUnlockedDarkMode.png' alt='Unlocked main 1Password window showing off Dark Mode' title='Unlocked main 1Password window showing off Dark Mode' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <h2 id="next-gen-search">Next gen search</h2> <p>The new design is not only gorgeous, it also makes it easier than ever to find what you’re looking for. Giving you what you need and then getting out of your way is one of our prime directives of 1Password. And with Quick Find you can quickly find your items, vaults, and tags.</p> <img src='https://blog.1password.com/posts/2021/early-access-mac/QuickFind.png' alt='1Password with new Quick Find window open' title='1Password with new Quick Find window open' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>You can also focus in on your items using Collections. These are super helpful when you have multiple accounts or shared vaults. Customize which vaults and items you see depending on your current task.</p> <p>I personally use Collections to hide family vaults that I only need access to in case of emergency and don’t want to see every day. 
It’s also great for hiding production work accounts until I explicitly require them.</p> <img src='https://blog.1password.com/posts/2021/early-access-mac/Collections.png' alt='Use Collections to focus in on the vaults and accounts you use most regularly' title='Use Collections to focus in on the vaults and accounts you use most regularly' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <h2 id="next-gen-watchtower">Next gen Watchtower</h2> <p>Watchtower is your situation room, giving you a comprehensive overview of your security health. Greatly improve your security by replacing passwords that need attention. Worf never had it so easy. 😀</p> <img src='https://blog.1password.com/posts/2021/early-access-mac/WatchtowerDashboard.png' alt='Watchtower Dashboard highlighting your password strength and which items need attention.' title='Watchtower Dashboard highlighting your password strength and which items need attention.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <h2 id="next-gen-editing">Next gen editing</h2> <p>Once you jump into an individual item to take care of any vulnerabilities Watchtower points out, you&rsquo;ll find a completely new editing experience, including a powerful new password generator, smart suggestions, and simpler file attachments.</p> <img src='https://blog.1password.com/posts/2021/early-access-mac/EditItem.png' alt='New item editing screen with file attachments and new security questions section' title='New item editing screen with file attachments and new security questions section' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <h2 id="next-gen-browsing">Next gen browsing</h2> <p>1Password 8 for Mac is even more powerful when paired with 1Password in your browser. 
When you need to log in to a site, fill a form, or enter payment information, <a href="https://1password.com/resources/guides/1password-for-safari/">1Password for Safari</a>, Chrome, Firefox, and Edge surface the relevant information and offer to fill it in for you.</p> <img src='https://blog.1password.com/posts/2021/early-access-mac/SafariDisneyInlineMenu.png' alt='Safari login page for Disney&#43; with the 1Password inline menu open' title='Safari login page for Disney&#43; with the 1Password inline menu open' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>Creating new accounts on websites is a breeze with automatically generated suggested passwords — and just look at the gorgeous and more powerful save window! 😍</p> <img src='https://blog.1password.com/posts/2021/early-access-mac/SafariInlineSaveLogin.png' alt='Sign up page on Redcross with a new login being saved in 1Password' title='Sign up page on Redcross with a new login being saved in 1Password' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <h2 id="next-gen-performance">Next gen performance</h2> <p>Our new 1Password apps are built in Rust, a secure systems programming language famous for its performance and safety. 🦀</p> <p>You won’t see this change but you’ll feel it. The app is incredibly responsive across the board, from unlocking to adding accounts to searching your items — especially when combined with native support for Apple Silicon and all the speed improvements that brings. We’re talking breaking-the-warp-barrier speed. 🤘🏽</p> <h2 id="next-gen-security">Next gen security</h2> <p>As always, your items are protected with strong end-to-end encryption so only you can see them. 
Along with your <a href="https://support.1password.com/secret-key/">Secret Key</a>, advanced MFA options, and <a href="https://blog.1password.com/developers-how-we-use-srp-and-you-can-too/">secure remote password</a>, your data has never been more secure.</p> <p>That starts at the lock screen, which now shows all your accounts. Along with Touch ID (and soon Face ID hopefully 🤞) for easy unlocking it’s never been easier to protect yourself, your family, and your entire company.</p> <img src='https://blog.1password.com/posts/2021/early-access-mac/LockScreenCropped.png' alt='1Password lock screen showing multiple accounts and a button to activate TouchID' title='1Password lock screen showing multiple accounts and a button to activate TouchID' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <h2 id="next-gen-data-recovery">Next gen data recovery</h2> <p>No one likes to lose data (just ask Picard! 😂), so the next generation of 1Password gives you more power to recover data, starting with item drafts, the ability to restore recently deleted items, as well as being able to revert to previous versions of an item.</p> <p>And if you&rsquo;re a 1Password Families or Business customer, you can now give specific friends, colleagues, or family members the ability to recover your account should you forget your password. (They will still never have access to your data.)</p> <h2 id="make-it-so-">Make it so 🚀</h2> <p>You&rsquo;re welcome to come join us here in the future with our Early Access program. Head over to the forums to get started.</p> <p><a href="https://1password.community/discussion/122136/1password-8-for-mac-beta">Join 1Password 8 for Mac Early Access</a></p> <p>I hope you love 1Password 8 as much as we&rsquo;ve loved creating it. 
Please share your thoughts with us in the early access forum where the team and I will be hanging out, answering your questions, and incorporating your feedback into the official release scheduled for later this year.</p> <p>Oh and be sure to mark your calendar for August 12th at noon Eastern when the team and I will be hosting an <a href="https://www.reddit.com/r/1Password/comments/p2dmpt/all_aboard_1password_8_for_mac_is_now_in_early/">Ask Me Anything</a> to discuss all things 1Password 8. I look forward to talking with you there as well as <a href="https://1password.community/">within our forums</a>. 🖖🏼</p> <p>Welcome aboard. 🤗</p> <img src='https://blog.1password.com/posts/2021/early-access-mac/HeroLockScreenDarkMode.png' alt='1Password lock screen in dark mode' title='1Password lock screen in dark mode' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>Encrypt and prosper. This is the way. 😀</p></description></item><item><title>Tech needs women: an interview with the women leading Fastmail</title><link>https://blog.1password.com/women-in-tech-fastmail/</link><pubDate>Tue, 10 Aug 2021 00:00:00 +0000</pubDate><author>info@1password.com (Stacey Harris)</author><guid>https://blog.1password.com/women-in-tech-fastmail/</guid><description> <img src='https://blog.1password.com/posts/2021/women-in-tech-fastmail/header.svg' class='webfeedsFeaturedVisual' alt='Tech needs women: an interview with the women leading Fastmail' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">As we discovered in our <a href="https://blog.1password.com/tech-needs-women-interview/">Women in Tech panel</a> earlier this year, it’s important to show women succeeding in male-dominated industries, like technology/security, and to talk about how men can help create space for others in the workplace. 
We’ve previously highlighted <a href="https://blog.1password.com/women-in-tech/">our women-led Security team</a> and now want to continue sharing stories about women in leadership by introducing you to two leaders that are helping create space for women and non-binary people in the tech industry.</p> <p>We talked to Helen Horstmann-Allen (Chief Operating Officer) and Nicola Nye (Chief of Staff) of <a href="https://1password.com/fastmail/">Fastmail</a>, a privacy-friendly email provider, about their interest in privacy-focused technology, challenges they’ve encountered in the industry, and their advice for women and non-binary folks working in or thinking about joining the tech industry.</p> <p><strong>What’s your role at Fastmail?</strong></p> <p><strong>Helen:</strong> I came to Fastmail in 2015, when they acquired my email forwarding company, Pobox. As the Chief Operating Officer, I work to bring the best email experience to our customers. I also oversee product, support, and marketing. Internally, I lead business strategy, company culture, and people development, including hiring and onboarding.</p> <p><strong>Nicola:</strong> As Fastmail&rsquo;s Chief of Staff, I build workplace culture and people development for the Australian team. But much of my time is spent leading projects across two continents, managing our legal and compliance work, and serving as our privacy officer. I wear a lot of hats!</p> <p><strong>What made you pursue a career in tech?</strong></p> <p><strong>Helen:</strong> Being able to take action and solve problems quickly. If you&rsquo;re interested in creating something, your ability to build it in tech is unparalleled. The people who use technology, and the impact my work can have on their daily lives, is what keeps me here.</p> <p><strong>Nicola:</strong> I love computer programming! It was a new area of study when I was in school and the possibilities felt endless. 
Now, my focus has broadened beyond software for its own sake to the social and political implications of technology – I&rsquo;m fascinated about how people use computers to problem-solve. Technology lets you reach the entire world; it provides replication at scale; it makes things available to an audience of thousands or millions – this gives incredible benefits, but it raises concerns too.</p> <p><strong>How did you become interested in privacy-focused technology?</strong></p> <p><strong>Helen:</strong> I believe privacy is a basic human right, so when I got into technology it was just a basic assumption for me to protect the data privacy of people who use email. I think privacy drives the best customer experience and when I think about the kind of product I want to use, I want a product that respects me. My data should be for my eyes only. That&rsquo;s especially true when you talk about email, calendars, and contacts.</p> <p><strong>Nicola:</strong> About 10-15 years ago, I was pretty disillusioned by the tech industry. It seemed that much of the startup era was about building software to solve nonexistent problems – funded either by advertising or burning large piles of investor&rsquo;s cash. I couldn&rsquo;t continue to work like that, and I nearly left the industry altogether.</p> <p>However, the problem wasn&rsquo;t the industry itself but finding a company that aligned with my values. I realized I had to find a company building products that put people first. I wanted to work somewhere I felt good about my job, somewhere I could help people and make the world a better place.</p> <p><strong>How has the tech industry changed for women since you started in tech?</strong></p> <p><strong>Helen:</strong> Well, first of all, there are many more of us! I remember going to talks and classes when I was in college where less than 10 percent of the attendees were women.</p> <p>Before working at Fastmail, I ran my own company. 
Running my own business protected me from the toxic experiences many of my peers endured. A vast number of women who started when I did have since left tech. It doesn&rsquo;t matter how many women you bring into tech – when the negative experiences outweigh the positive ones they will leave.</p> <p>At Fastmail, we&rsquo;re changing the system, and adding women like me to leadership positions has been crucial. Articulating and sharing our company culture and values have helped us recruit more women and non-binary people, which has brought in more diverse perspectives.</p> <p><strong>Nicola:</strong> People often ask me why I have pink hair. In my career, I&rsquo;ve worked in predominantly white, male environments. I felt a lot of pressure to fit in, take up less space, and not make waves. In doing so, I gave up some of my own identity. Now that I&rsquo;m older, wiser, and feeling a responsibility to those who come after me, I dye my hair pink. My hair color reminds me, and everyone around me, that I am proudly a woman in tech, despite the challenges. My pink hair is a celebration of female accomplishments in tech: It&rsquo;s a bold color and cannot be diminished!</p> <p>The tech industry has improved over time but still has a long way to go. Women with bright hair are not unusual in our industry and many of us have similar motivations for our coloring: It helps us claim our space.</p> <p><strong>What challenges have you faced in this profession because of your gender – systemic, or not – and what advice do you have for overcoming it?</strong></p> <p><strong>Helen:</strong> The biggest challenge for me has always been opportunities missed, mentors unmet, connections unmade, the places I don&rsquo;t go, and the conversations I didn&rsquo;t join. 
Whether it&rsquo;s because of gross behavior on the part of a subset of men, or just the semi-aggressive questioning that implies you need to prove you deserve to be there or that you belong, it was easier to miss out and not fight every single fight. <em>The energy women spend fighting battles is the energy our male peers get to put into networking, chasing opportunities, and opening doors.</em></p> <p>Creating your own opportunities can be exhausting. I try to be very mindful of the doors I can open for others now. I now recommend women consider being on boards. I have honed many of my leadership skills in my board work.</p> <p>Finally, I think we are so vulnerable to the voices that talk us down, including our own! I choose to treat myself the way others see me – intelligent, kind, funny, beautiful, a person who can solve every problem in their world. Don&rsquo;t do your critics' work for them – trust the voices of your supporters and people who care about you.</p> <p><strong>Nicola:</strong> I have found that people used to discount my expertise, especially if there was a man nearby. Sometimes this manifests as being mansplained to or being ignored when I&rsquo;m interviewing with a colleague.</p> <p><em>It&rsquo;s also often seen as the responsibility of a woman, or a minority, to be the vocal advocate for diversity and inclusion initiatives in a workplace. Don&rsquo;t hire us to fix your culture – you&rsquo;ve already hired us into a job, now is not the time to lay a second (full-time) job onto us as well!</em></p> <p>My number-one tip is to give yourself permission to take up space. You&rsquo;ve earned it. You do have the expertise. Don&rsquo;t shrink because you can see it makes others uncomfortable. 
It&rsquo;s exhausting to advocate for yourself (and others) constantly, so my second tip is to get allies who know what to look for who can call out poor behavior or assumptions.</p> <p>Finally, give yourself permission to NOT do the diversity and inclusion work. It&rsquo;s enough that you&rsquo;re out there being awesome and handling daily friction without also having to hold others to account.</p> <p><strong>How has Fastmail been able to build a team with women leaders?</strong></p> <p><strong>Helen:</strong> By promoting more women. We&rsquo;ve hired terrific women for management positions, and we promote women and non-binary people across our team at all levels. I like to help the people who work for me grow by offering them a job, giving them more responsibility, providing professional development, and being a mentor. Women and other underrepresented groups benefit from enthusiastic sponsors pushing them long before they think to ask!</p> <p><strong>Nicola:</strong> Shout out to Helen, our COO! She&rsquo;s excellent at lifting people up where she sees capabilities. She also identified that the most powerful force for improving our team&rsquo;s productivity is core skills (sometimes known as soft skills).</p> <p>Fastmail has ended up with women in leadership roles because they can bring our team exactly what we need to succeed. Technology can be taught, but communication and people skills are what fosters effective teamwork. Women have had to develop those skills as a survival instinct to influence without authority, to drive consensus, and to deliver in hostile environments.</p> <p><strong>What should be done to increase the number of women in leadership roles?</strong></p> <p><strong>Helen:</strong> The pathway to leadership is simple – push people towards new opportunities, perhaps before they see themselves as ready. Then, offer them the support they need to succeed in those opportunities. 
If you give women opportunities, they will succeed.</p> <p><strong>Nicola:</strong> When hiring someone new to your team, ask this question to their references: &ldquo;In what area would this person undersell their strengths?&rdquo; I like to ask this question because women, queer folk, and people of color live in a society where they feel like they have to explain themselves constantly. We struggle with imposter syndrome; that&rsquo;s not our fault.</p> <p><strong>What advice would you give to women who want to enter the tech industry?</strong></p> <p><strong>Helen:</strong> Don’t be afraid to connect with people and share what you’re going through. Seek out trusted, more seasoned career people in your life who will tell you what’s good, what’s expected, and what&rsquo;s toxic. I am grateful that people no longer give the advice that you need to stay in a job for two years “or it looks bad.” Don’t waste your life at a workplace that doesn’t value you.</p> <p><strong>Nicola:</strong> Tech is so much fun! There are many women folk in tech and allies – get yourselves established with a network by asking around. Meetups make this a lot easier, along with hackathons or game jams and there are several conferences great for newcomers to tech, many of which will let you attend for free if you work as a volunteer.</p> <p><strong>Women aren’t the only underrepresented group in tech – what can be done to make tech more diverse across race, class, and gender?</strong></p> <p><strong>Helen:</strong> First, much like poison concentrates up the food chain, privilege concentrates up the opportunity ladder. For example, if you screen applicants based on where they went to school, you’ll overlook qualified people from less privileged backgrounds. It is important to find different mechanisms that are less susceptible to bias.</p> <p>Second, when interviewing someone I try to create an environment that lets each applicant bring their best selves to the forefront. 
Some people don’t need any encouragement to brag about themselves – but lots of others do. Creating a welcoming atmosphere in your hiring process is good for everyone.</p> <p><strong>Nicola:</strong> Hire women and other minorities. There&rsquo;re plenty of perfectly qualified and able women and queer folk out there.</p> <p>If you&rsquo;re trying to bring about a change in your culture, you can&rsquo;t hire someone who is an exact culture fit to what you have now if you don&rsquo;t already have substantial diversity in your company. These people explicitly don&rsquo;t look like who you already have in your company.</p> <p>Finally, make sure you’re prepared to give them the support they&rsquo;ll need to succeed. Just hiring people isn&rsquo;t enough; they need a welcoming and understanding environment where they can flourish.</p> <p><strong>How can men, and those in privileged positions, become better allies to their marginalized co-workers?</strong></p> <p><strong>Helen:</strong> Being an ally often starts with listening to what less-privileged colleagues are telling you about their experience in a team. When you respond, think about whether you&rsquo;re trying to make them feel better or trying to make yourself feel better. If it feels hard to do or say the right thing, just listen.</p> <p>Become a better mentor and sponsor – a change that starts by cultivating gratitude. What help have people given you along your journey? Who are the people who gave you the opportunities that changed your life? In viewing your own life with gratitude, think about how you can give that gift to others.</p> <p><strong>Nicola:</strong> Active listening. You&rsquo;ll hear things that hurt. You&rsquo;ll want to say, &ldquo;but I&rsquo;m not like that,&rdquo; – remember, it&rsquo;s not about you. 
Be prepared to call each other out with key phrases like: &ldquo;We don&rsquo;t do that here,&rdquo; &ldquo;Would you say that to me/a man,&rdquo; or even &ldquo;Why would you say that?&rdquo;</p> <p>Active sponsorship. Put your coworkers forward for training/conferences, whether as an attendee or as a speaker. Give them stretch projects. Help them find coaching or a mentor who can lift them up.</p> <p>Active empathy. Make it clear that you care about the users of your tech – &ldquo;Is this safe for marginalized people?&rdquo; and &ldquo;what harm might our tech cause if used improperly or properly?&rdquo; – and then extend the same degree of thought to your colleagues.</p> <p><strong>Is there anything we haven’t touched on that you want to share?</strong></p> <p><strong>Helen:</strong> The first time I met someone at Fastmail, it was our CEO, Bron Gondwana. Bron traveled from Melbourne, Australia to Philadelphia to meet me. After our meetings, he asked if I wanted to join him for some sightseeing while he was in town. At the time, I had twin babies, who were just 18 months old, and a 3-year-old. I was nervous to tell him that I have three young children, and I could only meet at the playground or another kids' activity.</p> <p>I told him about my family, and he responded with enthusiasm and support that warmed my heart. Bron joined us at our local pumpkin festival, toted one of my twins on his shoulders, and helped our 3-year-old decorate a pumpkin. It&rsquo;s one of my most favorite memories. It told me a lot about the workplace culture I was joining.</p> <p>Our teams observe how we behave as leaders, what we share, and the stories we tell. People at your workplace want leaders who authentically embrace them for who they are.</p> <p><strong>Nicola:</strong> To those women currently in technology: Sometimes we get so busy looking up to where we are going, seeking out mentors and colleagues, that we forget to look back to how far we&rsquo;ve come. 
You are <em>already</em> a role model to others. Just by working in this industry, you are already making a change. Great work!</p></description></item><item><title>Security culture explained</title><link>https://blog.1password.com/security-culture-explained/</link><pubDate>Tue, 03 Aug 2021 00:00:00 +0000</pubDate><author>info@1password.com (Megan Barker)</author><guid>https://blog.1password.com/security-culture-explained/</guid><description> <img src='https://blog.1password.com/img/headers/security-header.svg' class='webfeedsFeaturedVisual' alt='Security culture explained' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">If you&rsquo;re reading this, and you don&rsquo;t live under a rock, you know organizational security is important. But, these days, the term &lsquo;organizational security&rsquo; means so much more than it has in the past. It&rsquo;s not quite as simple as installing a highly-rated anti-virus solution on employees' computers and calling it a day.</p> <p>One can hire the best IT security people, purchase the most secure software, and procure the services with the safest and most private practices, and it&rsquo;s still not enough. As we&rsquo;ve learned, even <a href="https://blog.1password.com/how-ignoring-the-polp-and-password123-can-cost-you-4.4-million/">high-profile organizations with every resource at their disposal aren&rsquo;t immune to missteps.</a></p> <p>What that organization, and many organizations just like it, lack is a true culture of security.</p> <h2 id="a-_what_">A <em>what</em>?</h2> <p>A culture of security is the collective habits of employees who engage in security defences, and actively help protect an organization. When everyone on your team, from entry-level folks to your CFO, has an interest in the safety of operational data, you&rsquo;ve created a security culture. 
As I said before, though, it&rsquo;s about so much more than computers and software.</p> <p>When most people think of security, they think of devices. We must lock down the devices! But security culture focuses on human behavior because it&rsquo;s just as important.</p> <p>Human error remains a leading cause of data breaches around the world. In other words, the companies affected can have their hardware security in place, but it&rsquo;s the human element that causes trouble in the end.</p> <p>So, how do we avoid the missteps?</p> <p>Most people want to do the right thing. In a security culture, you teach people the right thing so when they&rsquo;re faced with decisions, their default choice is the correct one.</p> <h2 id="create-a-culture">Create a culture</h2> <p>There are many things you can do to create a culture of security. Let&rsquo;s discuss just a few.</p> <p>When you build something, the first step typically involves preparation, or putting things down on paper. A culture of security is no different. To start, draft company policies. Get all team leaders - including those of the privacy, security, and HR teams - involved and give people the guidance they need. And make the policies <em>reasonable</em>. Guidelines that make your employees' job harder won&rsquo;t be effective, no matter how secure they may seem.</p> <p>For example, let&rsquo;s examine a standard <a href="https://1password.com/business/">corporate password</a> policy (this is real, by the way). 
Each 14-character-minimum password needs to be complex - a feat that&rsquo;s difficult enough for humans to achieve alone - and it can&rsquo;t be used more than once.</p> <p>Now, when you consider that <a href="https://digitalguardian.com/blog/uncovering-password-habits-are-users-password-security-habits-improving-infographic#:~:text=Password%20Overload%20is%20Real,user%20has%2090%20online%20accounts">the average US email address is associated with about 130 online accounts</a>, that&rsquo;s 130 complex, unique passwords. Oh, and you need to change them every 90 days or so. How can anyone comply with that? They record their passwords on paper, which is also against policy (I hope).</p> <p>Password policies are just one example, but they bring me nicely to the next point: Give people what they need to succeed.</p> <p>Productivity software and services that support more secure practices make security-related decisions easier (or unnecessary). 1Password, as a random example, is a secure password manager that would make password worries a thing of the past.</p> <p>Your team also needs training. Education instills confidence and changes habits for the better. Be open to conversations about how people want to learn. Empowered employees are much more likely to embrace the culture and practice mindful habits.</p> <p>After you create a culture of security, you need to sustain it, and employee recognition can help. Even an informal announcement about recent issues that have been brought to the attention of the security team can boost engagement and make people more enthusiastic about sharing what they find. This can also help maintain the lines of communication between the Security team and the rest of the company, which is important. People need to feel encouraged to ask questions and voice concerns without judgement.</p> <p>Partnerships between Security team members and team leaders can be helpful, too. 
At 1Password, we&rsquo;ve created the Security Ambassador program which has a member of the <a href="https://1password.com/security/">1Password Security</a> team paired with a senior member of every major business group in the company. They meet weekly to relay information, and discuss any issues or questions. A program like this leads to better relations between the security team and the company as a whole, and issues and bugs are spotted sooner in their respective processes.</p> <p>But don&rsquo;t stop there! Continue to offer training and other learning opportunities, and keep documentation and resources handy and up to date so your culture can only grow and thrive.</p> <h2 id="by-the-numbers">By the numbers</h2> <p>The statistics surrounding this subject are murky at best. In 2014, IBM reported <a href="https://i.crn.com/sites/default/files/ckfinderimages/userfiles/images/crn/custom/IBMSecurityServices2014.PDF">human error was the cause of an astounding 95 percent of data breaches</a>. Last year, they <a href="https://www.ibm.com/security/digital-assets/cost-data-breach-report/#/">lowered their estimate</a> to 23 percent. <a href="https://www.verizon.com/business/resources/reports/dbir/">Verizon</a> placed it closer to 68% in 2024.</p> <p>Even if human error accounts for just one quarter of all data breaches, that&rsquo;s pretty significant — especially given it&rsquo;s something we can easily improve (relatively speaking). And that improvement can have more benefits than just organizational security. Open communication among teams and better morale are things you should aim for in general.</p> <p>When you create a culture of security, you greatly reduce your risk of being a statistic. Will everything be absolutely perfect, all the time? No. Strive for progress, not perfection. 
But reasonable policies, helpful tools, confidence, and education will help your team make the right decisions when things go wrong.</p></description></item><item><title>Investing in our future (again!)</title><link>https://blog.1password.com/investing-in-our-future-again/</link><pubDate>Tue, 27 Jul 2021 00:00:00 +0000</pubDate><author>info@1password.com (Jeff Shiner)</author><guid>https://blog.1password.com/investing-in-our-future-again/</guid><description> <img src='https://blog.1password.com/posts/2021/series-b-announcement/header.png' class='webfeedsFeaturedVisual' alt='Investing in our future (again!)' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">I have some fantastic news to share. Today <a href="https://www.prnewswire.com/news-releases/1password-valued-at-2-billion-in-latest-100m-investment-round-301342079.html">we’re announcing</a> a new investment round in 1Password. Our current investor Accel led this round and a number of incredible folks including Ashton Kutcher’s Sound Ventures and top executives from Shopify, Slack, Squarespace, Google, Eventbrite, MessageBird and Atlassian also came on board.</p> <p>That’s a pretty awesome list of partners, but why would we take a second round when we are still profitable? Let’s take a little trip back in time to roughly two years ago to find out.</p> <h2 id="taking-that-first-funding-step">Taking that first funding step</h2> <p>It was the summer of 2019 and founders Dave, Sara, Roustem, Natalia and I were discussing whether or not we should partner with Accel and take our first ever funding round.</p> <p>1Password was successful, profitable and growing so we didn’t need the money. We also knew that we had something truly special and wanted to make sure we weren’t going to screw things up. 
At the same time 1Password needed to grow in order to help as many people as we wanted to, and we would need help and guidance to do so.</p> <p>Partnering with Accel would give us the mentoring we needed and the investment itself would ensure they were dedicated to our success and provide a nice financial cushion should we need it. And to be completely honest, it would reduce some risk for us personally as well. It was with some trepidation that we agreed to partner, ensuring we remained majority owners and in full control to guide our future, closing the round at the end of 2019.</p> <h2 id="growing-and-growing-up">Growing and growing up</h2> <p>Since then a huge number of exciting changes have taken place. As a company, we’ve hired a world-class executive team to help the founders and me lead 1Password forward, including:</p> <ul> <li><a href="https://1password.com/company/meet-the-team/jeannie-de-guzman/">Jeannie De Guzman</a>, Chief Financial Officer</li> <li><a href="https://1password.com/company/meet-the-team/julian-teixeira/">Julian Teixeira</a>, Chief Revenue Officer</li> <li><a href="https://1password.com/company/meet-the-team/akshay-bhargava/">Akshay Bhargava</a>, Chief Product Officer</li> <li><a href="https://1password.com/company/meet-the-team/raj-sarkar/">Raj Sarkar</a>, Chief Marketing Officer</li> </ul> <p>We’ve grown from 177 people to 473 awesome folks. 
This has allowed us to greatly expand what 1Password can do to help consumers and businesses alike including:</p> <ul> <li><a href="https://blog.1password.com/introducing-secrets-automation/">Secrets Automation</a></li> <li><a href="https://blog.1password.com/welcoming-linux-to-the-1password-family/">1Password for Linux</a></li> <li><a href="https://blog.1password.com/introducing-events-api/">1Password Events</a></li> <li><a href="https://blog.1password.com/domain-breach-report-update/">1Password Breach Reports</a></li> <li><a href="https://blog.1password.com/privacy-virtual-cards/">Partnering with Privacy.com</a></li> <li><a href="https://blog.1password.com/save-in-1password-button-with-ramp/">Partnering with Ramp.com</a></li> <li>and much much more</li> </ul> <p>Throughout this period Accel has been a true partner. They’ve always been there to help and guide us while not trying to change who we are as a company. I have to say that we couldn’t be happier with how it has all worked out 🤗.</p> <h2 id="accel-reaches-out-again">Accel reaches out again</h2> <p>Accel has similarly been thrilled by our growth and potential and reached out to me a couple of months ago looking to further invest in our future success.</p> <p>Initially I wasn’t open to the idea as we’re profitable and did not need the money. But investment rounds have some real benefits. They help spread the word that we are an enduring and successful company which attracts both customers and talent. So we gave it further thought and went back to what we valued most from the first round – having smart folks invested in our success who can help and guide us. That, and ensuring we could retain full control of our destiny. 
If we could accomplish the same here then it would truly make sense for us to proceed.</p> <h2 id="our-new-partners">Our new partners</h2> <p>We started thinking about who we’d want to help and guide us, and created a list of incredible tech leaders who built amazing companies and for whom we had a great deal of respect. We then reached out to see if they were interested in participating as investors in this round. To our delight, most of them were thrilled to participate and invest in 1Password, including:</p> <ul> <li>Tobias Lütke, Founder and CEO and Harley Finkelstein, President of Shopify</li> <li>Stewart Butterfield, Founder and CEO of Slack</li> <li>Mike Cannon-Brookes and Scott Farquhar, Co-Founders and Co-CEOs of Atlassian</li> <li>Anthony Casalena, Founder and CEO of Squarespace</li> <li>Kevin Hartz, Co-founder and Chairman of Eventbrite</li> <li>Robert Vis, Founder and CEO of MessageBird</li> </ul> <p>We also reached out to That 70s Show, Punk’d, and Two and a Half Men star, Ashton Kutcher. While Ashton might be best known for his acting, he also has extensive tech investment experience having launched Sound Ventures with Guy Oseary. They, similarly, were fans of what we are trying to build and joined as investors.</p> <p>Now that is truly an impressive list 🤩.</p> <p>I am thrilled that these leaders, people I’ve looked up to for many years, believe in us and are investing their money, time, and knowledge in our future.</p> <p>With Accel at the lead, these incredible investors included, we discussed an amount that made sure we stayed in full control, and the round was a go.</p> <h2 id="furthering-our-partnership">Furthering our partnership</h2> <p>Now, the first question I always get about the round is the numbers, and while those aren’t what matter most to us, they do matter, so here goes. 😊</p> <p>This second round was an investment of $100 million at a $2 billion valuation, double what it was the last round. 
These numbers are a touch surreal if I am being honest, especially when I think back on how far we’ve come. But it also reminds me what got us this far and will continue to drive us forward is focusing on and listening to our customers.</p> <h2 id="moving-forward">Moving forward</h2> <p>Today marks one more step in the journey for 1Password, one that Dave, Sara, Roustem, Natalia and I are excited to share with you. With this latest funding round and experienced leaders at our side, we will continue to improve and grow the products our customers know and love.</p> <p>We’re humbled and thankful for all of you who have believed in us, supported us, challenged us, and continue to trust us. Thank you. ❤️</p> <div style="text-align: center !important;"> <iframe src="https://www.youtube-nocookie.com/embed/ZhXfzzA44xI" frameborder="0" allow="autoplay; encrypted-media" width="500px !important;" height="281px !important;" style="width: 500px !important; height: 281px !important; display: inline-block !important" allowfullscreen></iframe> </div></description></item><item><title>How to reclaim your privacy online</title><link>https://blog.1password.com/how-reclaim-your-online-privacy/</link><pubDate>Tue, 20 Jul 2021 00:00:00 +0000</pubDate><author>info@1password.com (Stacey Harris)</author><guid>https://blog.1password.com/how-reclaim-your-online-privacy/</guid><description> <img src='https://blog.1password.com/posts/2021/how-to-reclaim-online-privacy/header.svg' class='webfeedsFeaturedVisual' alt='How to reclaim your privacy online' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Have you ever been convinced that your devices are listening to what you’re saying? We’ve all been there. 
Despite popular belief, your gadgets aren’t eavesdropping – but they are tracking everything you’re doing online and creating a hyper-personalized mega profile that advertisers use for targeted marketing.</p> <p>Here are some of the easiest ways to reduce your <a href="https://blog.1password.com/clean-up-digital-footprint/">digital footprint</a> and take back control of your privacy online.</p> <h2 id="privacy-vs-security-whats-the-difference">Privacy vs security: What&rsquo;s the difference?</h2> <p>While privacy and security are often thought of as synonymous, or used interchangeably, there are actually distinct differences between the two. Security is about protecting your data from being accessed without your consent, whereas privacy is your ability to choose what information you share. Privacy is a bit like sending a message in an envelope versus a postcard that anyone can read, while security is like sending a message in a lockbox that no one else has the key to open.</p> <p>Privacy is almost always context-sensitive. If you’re talking to your doctor on the phone about a medical condition, for example, you’d probably choose to do so behind a closed door. Other conversations you’d be happy to have in a public space.</p> <p>When it comes to online privacy, we’re talking about your ability to choose what information of yours is shared with the website, app, or service you’re using and third parties, like advertisers.</p> <blockquote> <p><strong>Few businesses are mindful of only asking for the data they need.</strong></p> </blockquote> <p>Most businesses need some information in order to provide their services, but too many collect more private information than they need and it’s often hard to know what kind of data they’re collecting. 
Few businesses are mindful of only asking for the data they need.</p> <p>Below we’ll break down a few services that we all use — web browsers, search engines, email providers and general apps — and how to reclaim your privacy by choosing more privacy-centric options.</p> <h2 id="search-keyword-privacy">Search keyword: privacy</h2> <p>Your search history reveals what you’re thinking, what you’re interested in, where you’re going, and what you’re planning – so when choosing a search engine make sure it’s one that values discretion.</p> <p>A privacy-focused search engine, like <a href="https://duckduckgo.com/">DuckDuckGo</a> or <a href="https://www.startpage.com/">Startpage</a>, only uses the keywords provided to deliver search results, meaning everyone who uses the same search term will get the exact same result. By contrast, Google draws on a wealth of collected personal data about the searcher, in addition to the keywords provided, and delivers hyper-personalized results unique to each searcher.</p> <p>Privacy-focused search engines still make money through advertising; however, the ads shown are selected based on the search terms entered, rather than your browser history, cookies, or past searches. That’s because privacy-focused search engines don’t track or record those.</p> <p>Rather than quitting Google outright, you can be mindful about what information you’re sharing through search. Perhaps use Google to check sports scores, but use DuckDuckGo to check medical symptoms. 
The key here is to consider what information you’re comfortable sharing with Google and their third parties.</p> <h2 id="choose-a-browser-that-prioritizes-data-privacy">Choose a browser that prioritizes data privacy</h2> <p>When reviewing your online privacy you should also consider using a private browser like <a href="https://brave.com/">Brave</a>, DuckDuckGo, or <a href="https://www.mozilla.org/en-US/firefox/browsers/mobile/focus/">Firefox Focus</a> – as other web browsers, like Google Chrome, track far more about you. A private browser will delete your browsing history when your session ends and block trackers, like cookies, that are trying to collect information about your identity. While some trackers can be useful – like browsers remembering login information, shopping carts, language preferences, and more – they are also personal data hoarders.</p> <p>You may think that using <a href="https://blog.1password.com/what-incognito-private-browsing-mode-does/">incognito mode</a> in Google Chrome is equivalent to using a private browser, but it’s not. While it’s true that incognito mode doesn’t save your browsing history, cookies, or form fills on your device, it doesn’t prevent Google from sharing information with advertisers that was collected during an incognito session. That means you could still get targeted ads based on the websites you visited in incognito mode.</p> <blockquote> <p><strong>By choosing a browser that is privacy-focused you’re not only putting your privacy first, but web pages usually load faster.</strong></p> </blockquote> <p>By choosing a browser that is privacy-focused you’re not only putting your privacy first, but web pages usually load faster because they aren’t loading all those trackers – it’s a win-win situation.</p> <h2 id="consider-a-privacy-first-email-provider">Consider a privacy-first email provider</h2> <p>Like browsers, your email is connected to almost everything you do online. 
You use email to create new accounts and to receive receipts and event invitations, and it holds your important transactions like flight details, medical appointments, your contacts list, and so much more. It’s safe to say that email holds a lot of information about your life.</p> <p>If the idea of an email service provider knowing what’s going on in your email inbox (even if they say they don’t) and sending you targeted ads based on the information they collect makes you feel a bit icky, then you might want to look for a privacy-first email provider. Free email accounts are paid for with your privacy. If you&rsquo;re not paying for email service, more often than not, you are not the customer, but the product. Advertisers pay for access to information about you.</p> <p>Email is also used to track people online and associate people with an account – almost every login requires an email address for the username. Email provider <a href="https://www.fastmail.com/1password/">Fastmail</a> lets you create unique email addresses for each account login you have. These email aliases let you keep your main address private – so you don’t have to give out your email address to strangers. This is a great way to increase your privacy and security online.</p> <p>Using an email provider focused on their product and your privacy is a great way to make sure your information remains yours and keep your email ad-free. If you want to learn more about email privacy and the benefits of unique email aliases, check out the <a href="https://randombutmemorable.simplecast.com/episodes/email-alias-rabbit-hole">latest episode of Random but Memorable</a>, where we spoke with Ricardo Signes, CTO of <a href="https://1password.com/fastmail/">Fastmail</a>.</p> <h2 id="review-app-setings-and-permissions">Review app settings and permissions</h2> <p>When was the last time you checked the privacy settings on your phone? 
You’d be surprised by how many services overstep in the information they acquire, versus what they actually need to provide their service. Take ten minutes and review your settings to see which apps have access to your location, camera, microphone, contacts, etc.</p> <p>If you like sharing on social media, go ahead and share those photos, but consider if apps need access to your camera, microphone, and photo library at all times. And if you find a navigation app useful, use it. But consider adjusting your settings to only track location data when you’re in the app.</p> <blockquote> <p><strong>Protecting your privacy is about setting boundaries around the information you are comfortable sharing online.</strong></p> </blockquote> <p>It’s also worth doing a clean-up on the number of apps that you keep on your phone. If it’s an app you no longer use, or use infrequently, consider deleting it from your phone. By limiting the number of apps you’re using, and what you’re sharing with the apps you do use, you’ll reduce your data footprint.</p> <p>Protecting your privacy is about setting boundaries around the information you are comfortable sharing online. By becoming more deliberate about which browser, search engine, email provider, and apps you share your most important information with, and by switching to privacy-focused alternatives, you can reclaim some of your online privacy.</p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Read our beginner&#39;s guide to cybersecurity</h3> <p class="c-call-to-action-box__text"> Want to stay safe online? Read our beginner’s guide to cybersecurity, which covers passwords, software, hardware, connectivity, and more! 
</p> <a href="https://1password.com/resources/beginners-guide-to-cybersecurity/" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Read the guide </a> </div> </section></description></item><item><title>Together we’ve raised more than $75,000 for Let’s Encrypt</title><link>https://blog.1password.com/lets-encrypt-donation-wrap-up/</link><pubDate>Fri, 16 Jul 2021 00:00:00 +0000</pubDate><author>info@1password.com (Nick Summers)</author><guid>https://blog.1password.com/lets-encrypt-donation-wrap-up/</guid><description> <img src='https://blog.1password.com/posts/2021/lets-encrypt-donations-wrap-up/header.png' class='webfeedsFeaturedVisual' alt='Together we’ve raised more than $75,000 for Let’s Encrypt' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">A month ago, <a href="https://blog.1password.com/supporting-lets-encrypt/">we asked for your help</a> in supporting Let’s Encrypt, the world’s largest certificate authority.</p> <p>And boy, did you deliver.</p> <p>In just 17 days, you raised more than $28,000. The total came from more than 600 donors based in 28 different countries. We’re going to match everyone’s donations, as promised, and throw in an extra $22,000, bringing the campaign’s grand total to $78,141.</p> <p>That makes it the most successful fundraising campaign in Let’s Encrypt’s history.</p> <p>From everyone at 1Password and Let’s Encrypt: thank you. None of this would have been possible without your incredible support and generosity.</p> <h2 id="how-your-donations-will-make-a-difference">How your donations will make a difference</h2> <p>Let’s Encrypt relies entirely on charitable donations to operate. 
Your support ensures the team can continue to support website owners around the world by removing the cost and complexity associated with HTTPS encryption.</p> <p>When you visit a website like 1Password.com, you’ll see a padlock icon in the address bar, which represents HTTPS — Hypertext Transfer Protocol, <a href="https://www.wired.com/2016/04/hacker-lexicon-what-is-https-encryption/">with an extra S for Secure</a>.</p> <p>It’s a robust form of encryption that relies on something called an SSL/TLS certificate. In the vast majority of cases, these need to be signed by a trustworthy certificate authority like Let’s Encrypt.</p> <p>The money you’ve raised will allow Let’s Encrypt, which is part of the <a href="https://www.abetterinternet.org/">nonprofit Internet Security Research Group (ISRG)</a>, to continue offering SSL/TLS certificates that are free and convenient for website owners to obtain, configure and renew.</p> <h2 id="building-a-more-secure-web">Building a more secure web</h2> <p>Roughly 85 percent of websites now support HTTPS, thanks in part to Let’s Encrypt. The team issued its first certificate in 2015 and has grown into the largest certificate authority in the world, servicing 260 million website domains and tens of billions of HTTPS page loads every day.</p> <p>But the team isn’t stopping there.</p> <p>Thanks to your support, Let’s Encrypt can push ahead with its mission to make HTTPS truly ubiquitous. Together, we can close the gap and ensure every website is using an SSL/TLS certificate signed by a trustworthy authority.</p> <p>If you missed the fundraising campaign but would like to get involved, no problem — you can make a donation at any time <a href="https://letsencrypt.org/donate/">on the Let’s Encrypt website</a>. 
Every dollar will go a long way to making the web a more secure and privacy-respecting place for everyone.</p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Donate to Let’s Encrypt!</h3> <p class="c-call-to-action-box__text"> Make a donation to help Let’s Encrypt make the internet a more secure place. </p> <a href="https://letsencrypt.org/donate/?utm_medium=social&amp;utm_source=blog&amp;utm_campaign=donation" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Donate now </a> </div> </section></description></item><item><title>Introducing the 1Password Events API</title><link>https://blog.1password.com/introducing-events-api/</link><pubDate>Thu, 15 Jul 2021 00:00:00 +0000</pubDate><author>info@1password.com (Akshay Bhargava)</author><guid>https://blog.1password.com/introducing-events-api/</guid><description> <img src='https://blog.1password.com/img/headers/news-header.svg' class='webfeedsFeaturedVisual' alt='Introducing the 1Password Events API' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Visibility is critical to security and IT teams. If they can&rsquo;t see what&rsquo;s going on, they can&rsquo;t act. 
So today we&rsquo;re giving security and IT greater data visibility with <a href="https://support.1password.com/events-reporting/">Events API</a>, a public REST API for 1Password Business customers.</p> <p>In addition to the events that have always been available to admins, item usage and successful and failed sign-in attempts can now be routed to third-party platforms to create dashboards, alerts, and much more.</p> <p>With greater visibility, security and IT teams can now correlate 1Password events with other data sources to gain a deeper understanding of how workers are using 1Password.</p> <p>We’ve built the API with SOC (Security Operations Center) and SIEM (Security Information and Event Management) tools in mind – database tools which analyze and present time series event data with alerts, dashboards, visualization, and search. In fact, we’ve already created pre-built integrations with <a href="https://www.splunk.com/">Splunk</a> and <a href="https://www.elastic.co/">Elastic</a> (more on those in a minute).</p> <h2 id="what-can-i-do-with-events-api">What can I do with Events API?</h2> <p>With Events API streaming to a third-party tool, you can:</p> <ul> <li>Take decisive action using deeper forensic analysis with data correlation and enrichment from multiple apps.</li> <li>Prevent attacks with proactive threat detection using custom, automated alerts.</li> <li>Get valuable insights into 1Password usage via data visualization.</li> </ul> <h2 id="what-events-does-events-api-include">What events does Events API include?</h2> <p>1Password already logs and provides access to some events: failed sign-in attempts, and the most recent instance of someone accessing each item in a vault. 
<a href="https://support.1password.com/reports/">All that is available as reports in 1Password Business</a>.</p> <p><a href="https://support.1password.com/events-reporting/">Events API</a> broadens and deepens that access, providing events for both successful and failed sign-in attempts, and a historical log that details each and every time an item is used.</p> <h2 id="how-does-it-work">How does it work?</h2> <p><a href="https://support.1password.com/events-api-reference/">The Events API works in much the same way other 1Password integrations do</a>. Admins and owners can access the Events API by generating an access token, either from the Integrations Hub or the command line interface (CLI). Once created, you can create your own scripts to ingest the events into a SIEM or analytics tool of your choice. Or, you can use one of our pre-built integrations with Splunk or Elastic.</p> <p>Of course, all this is done the 1Password way, with <a href="https://support.1password.com/events-reporting-security/">security as our top priority</a>.</p> <h2 id="get-started-with-1password-for-splunk-and-elastic">Get started with 1Password for Splunk and Elastic</h2> <p>Right now, each event included in the Events API returns the event itself (sign-in attempts and item usage) with contextual data. Many customers have been asking for this, and those customers can put the Events API to work right now (in fact, our beta partners have been doing so for months).</p> <p>But we’re not stopping there. This release is only the first step in empowering security teams with greater visibility and actionable insights – and the existing Splunk and Elastic integrations make that possible right now. 
As of today, you can use <a href="https://docs.splunk.com/Documentation/Splunk/8.2.0/Alert/Setupalertactions">Splunk triggers</a> to level up your threat detection, compliance, and breach investigation.</p> <p>Here are a few examples of what you could do with Splunk triggers and the Events API:</p> <ul> <li>Receive an alert when a 1Password login exceeds set parameters</li> <li>Receive an alert when a secret is copied, shared, used on a site, or accessed on the last day of a worker’s employment</li> <li>Monitor usage of a particular item</li> <li>Automate access control monitoring and reporting</li> <li>Monitor user adoption</li> <li>Correlate 1Password events like logins and secret usage with suspicious or malicious events to aid investigation</li> </ul> <h2 id="more-to-come">More to come</h2> <p>This is just the beginning for the Events API. In the near future, we plan to include more event types like changes to owner/admin groups and vault permissions (basically: audit events). And we’ll continue to build on this foundation with your feedback.</p> <p>If you build something amazing, or just want to bounce ideas off of us, we’d love to hear about it. Give us a shout on <a href="https://twitter.com/1password">Twitter @1Password</a>, or <a href="https://1password.community/">head over to the 1Password community</a> to share your ideas.</p> <p>You can get started today with the <a href="https://splunkbase.splunk.com/app/5632">Splunk</a> and <a href="https://github.com/1Password/events-api-elastic">Elastic</a> integrations. 
Or, you can <a href="https://github.com/1Password/events-api-generic">try out this small Python script</a> to see how to make calls to the API to fetch sign-in and item usage events.</p></description></item><item><title>1Password is ready for macOS Monterey</title><link>https://blog.1password.com/ready-for-macos-monterey/</link><pubDate>Wed, 14 Jul 2021 00:00:00 +0000</pubDate><author>info@1password.com (Michael Fey)</author><guid>https://blog.1password.com/ready-for-macos-monterey/</guid><description> <img src='https://blog.1password.com/posts/2021/macos-monterey-public-beta/header.svg' class='webfeedsFeaturedVisual' alt='1Password is ready for macOS Monterey' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">As a huge Apple fan I’m always looking forward to the next operating system updates, and Monterey is bringing some really <a href="https://www.wired.com/story/apple-macos-monterey-features/">cool new features</a>. FaceTime calls for everyone (with spatial audio!), a spacious new design in Safari, Quick Notes, Universal Control, and more.</p> <p>As a huge 1Password fan and 1Password developer I’m always looking forward to the next operating system updates to make sure everyone’s favorite password manager runs as smoothly as possible there.</p> <p>Our track record is quite good with out-of-the-box compatibility for Apple’s latest OSes over the past decade. So how’d we do this year? Our team members have been running the developer prerelease versions of Monterey since WWDC and 1Password has been running wonderfully.</p> <p>The best part? You can get on the prerelease bandwagon right now! Apple has <a href="https://beta.apple.com/sp/betaprogram/">released a public beta</a> of macOS Monterey ahead of its official release later this year.</p> <p>Installing a beta is always a tad risky. (If you’re not sure, we recommend holding off or installing it on a Mac that you don’t rely on every day.) 
We can say with confidence, however, that you won’t have any problems running 1Password on macOS Monterey. And if you’re running one of the newer Macs, 1Password has already been updated <a href="https://9to5mac.com/2021/03/09/1password-7-8-for-macos-now-runs-natively-on-apple-silicon-macs/">to run natively on Apple’s M1 processors</a>.</p> <img src='https://blog.1password.com/posts/2021/macos-monterey-public-beta/montereydesktop.png' alt='1Password Mac app running on macOS Monterey' title='1Password Mac app running on macOS Monterey' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>We’re also loving the way 1Password looks in the new Safari.</p> <img src='https://blog.1password.com/posts/2021/macos-monterey-public-beta/montereysafari.png' alt='1Password running in Safari on macOS Monterey' title='1Password running in Safari on macOS Monterey' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>If you love beta software, you can easily start using ours today. In <a href="https://1password.com/mac/">1Password for Mac</a>, select 1Password in the menu bar and click the Preferences… menu. Then, navigate to the Updates tab and click on the ‘Include beta builds’ checkbox.</p> <p>Signing up for our beta program will give you access to features and improvements that our engineering team are still working on. (And trust us, we’re working on a lot at the moment.)</p> <h2 id="theres-more-to-come">There&rsquo;s more to come</h2> <p>Monterey is shaping up to be another great macOS release. Our team will continue to use the public beta to ensure 1Password is in the best possible shape once macOS Monterey becomes official and rolls out to eligible hardware worldwide.</p> <p>We’re taking the same approach with Apple’s iPhone and iPad, too. 
So when iOS 15 and iPadOS 15 drop later this year, your favorite password manager will be ready.</p> <p>See you in the fall!</p></description></item><item><title>Food allergies, brown M&Ms, and random passwords</title><link>https://blog.1password.com/generating-strong-passwords/</link><pubDate>Mon, 12 Jul 2021 00:00:00 +0000</pubDate><author>info@1password.com (Stephen Haywood)</author><guid>https://blog.1password.com/generating-strong-passwords/</guid><description> <img src='https://blog.1password.com/img/headers/security-header.svg' class='webfeedsFeaturedVisual' alt='Food allergies, brown M&Ms, and random passwords' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Simple, well-tested protocols prevent disasters.</p> <h2 id="food-allergies">Food allergies</h2> <p>My daughter has a life-threatening food allergy, so eating out is always a little scary. Over the years, we have learned which restaurants are &ldquo;safe&rdquo; for her and which are not. Those restaurants that are safe for her have one thing in common – an established protocol for dealing with food allergies. The typical protocol is something along these lines:</p> <ol> <li>Inform the server of the food allergy and the specific allergen.</li> <li>The server informs the kitchen of the allergy.</li> <li>The manager makes the food or supervises the making of the food.</li> <li>Her food is brought out on a special plate or by the manager.</li> </ol> <p>Having a documented protocol allows us to enforce adherence to the protocol, and the simplicity of the protocol allows us to easily spot violations. As an example, one restaurant we visited frequently would plate all allergy orders on yellow plates instead of their usual white. 
If my daughter&rsquo;s order came out on a white plate, we spoke to the manager, reminded them of their protocol, and sent the food back.</p> <h2 id="brown-mms">Brown M&amp;Ms</h2> <p>In the 1970s, Van Halen was touring the country with one of the largest stage productions at the time, and many venues had to make infrastructure upgrades to support the show. In order to ensure the safety of the band, crew, and audience, they provided a rider to their contract that included very detailed instructions on what infrastructure had to be in place for the show to happen. Buried in that rider was a clause that said there should be a bowl of M&amp;Ms placed backstage and there should be no brown M&amp;Ms in the bowl. It seems petty at first but, in reality, it was a simple way to ensure the venue had performed the safety-related items in the rider. If they walked backstage and found brown M&amp;Ms, they knew they had to check every other item in the rider to ensure the safety of the band, crew, and audience.</p> <h2 id="random-passwords">Random passwords</h2> <p>Generating random passwords is much like these two situations in that we have well-established protocols for generating random passwords – and if we fail to generate them correctly, we can bring harm to our users. The following protocol is generally accepted to produce strong random passwords:</p> <ol> <li>Use a cryptographically-secure pseudorandom number generator (CSPRNG) to generate random numbers.</li> <li>Adjust those numbers to be within a specified range without introducing a <a href="https://research.kudelskisecurity.com/2020/07/28/the-definitive-guide-to-modulo-bias-and-how-to-avoid-it/">modulo bias</a>.</li> <li>Use the adjusted numbers to pick a random character from your character set.</li> </ol> <p>If you are generating passphrases, you would have a word list instead of a character set, but the algorithm is essentially the same. 
Again, the simplicity of the algorithm allows us to quickly identify violations and choose how to react.</p> <p>By looking at our open source <a href="https://github.com/1Password/spg">Strong Password Generator</a> Go module, you can see that 1Password follows this simple protocol. The module allows you to generate passwords and passphrases that meet a number of different requirements, but they all boil down to the same basic algorithm.</p> <p>To generate a password using a character set, we use the <code>Generate()</code> method in the <a href="https://github.com/1Password/spg/blob/master/char_gen.go">char_gen.go</a> file.</p> <pre tabindex="0"><code>tokens := make([]Token, r.Length)
for i := 0; i &lt; r.Length; i++ {
	c := chars[randomUint32n(uint32(len(chars)))]
	tokens[i] = Token{c, AtomType}
}
</code></pre><p>First, we create a list of tokens and then we populate the list of tokens by choosing random characters from the character set <code>chars</code>. After some additional checks to ensure we met any password policy requirements, that list of tokens becomes our password.</p> <p>The <code>randomUint32n</code> function is used to generate a random 32-bit unsigned integer within a specified range – in this case, the length of the character set. That function is found in the <a href="https://github.com/1Password/spg/blob/master/util.go">util.go</a> file.</p> <pre tabindex="0"><code>func randomUint32n(n uint32) uint32 {
	if n &lt; 1 {
		panic(&quot;randomUint32n called with 0&quot;)
	}
	if n&amp;(n-1) == 0 {
		// n is power of two, can mask
		return randomUint32() &amp; (n - 1)
	}
	discard := uint32(math.MaxUint32 - math.MaxUint32%n)
	v := randomUint32()
	for v &gt;= discard {
		v = randomUint32()
	}
	return v % n
}
</code></pre><p>After making sure <code>n</code> is not zero (you cannot choose a random number between 0 and 0 after all), we then check to see if <code>n</code> is a power of 2. 
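To make the bias that the rejection step in <code>randomUint32n</code> above removes visible, here is an added example (not code from the spg module, although its <code>randomUint32</code> and <code>randomUint32n</code> follow the same logic as the functions quoted from util.go): it enumerates every raw value of a small 8-bit generator, counts how many raw values land in each of 10 output buckets with a plain modulo and with the same discard threshold spg uses, and then draws a password with the same loop as <code>Generate()</code>. The 8-bit width, the 10-way range and the helpers <code>bucketCounts</code>, <code>isUniform</code> and <code>generatePassword</code> are constructed for this illustration.

```go
package main

import (
	"crypto/rand"
	"encoding/binary"
	"fmt"
	"math"
)

// randomUint32 pulls four bytes from the operating system CSPRNG via
// crypto/rand and packs them into a uint32 (same approach as spg's util.go).
func randomUint32() uint32 {
	b := make([]byte, 4)
	if _, err := rand.Read(b); err != nil {
		panic("PRNG gen error: " + err.Error())
	}
	return binary.BigEndian.Uint32(b)
}

// randomUint32n returns a uniformly distributed value in [0, n). Powers of
// two are masked; anything else goes through rejection sampling so that the
// final modulo is taken over a range that is an exact multiple of n.
func randomUint32n(n uint32) uint32 {
	if n < 1 {
		panic("randomUint32n called with 0")
	}
	if n&(n-1) == 0 {
		return randomUint32() & (n - 1)
	}
	discard := uint32(math.MaxUint32 - math.MaxUint32%n)
	v := randomUint32()
	for v >= discard {
		v = randomUint32()
	}
	return v % n
}

// generatePassword draws length characters from chars with randomUint32n,
// mirroring the token loop in spg's char_gen.go (constructed helper).
func generatePassword(chars []rune, length int) string {
	out := make([]rune, length)
	for i := range out {
		out[i] = chars[randomUint32n(uint32(len(chars)))]
	}
	return string(out)
}

// bucketCounts enumerates every raw value a bits-wide generator can produce
// and counts how many raw values land in each output bucket 0..n-1. With
// reject=false it uses a plain modulo; with reject=true it applies the same
// threshold as randomUint32n (maxRaw - maxRaw%n), so the kept range is an
// exact multiple of n. The second result is how many raw values were dropped.
// (For a power-of-two n this threshold also drops values needlessly, which is
// why spg masks instead of sampling in that case.)
func bucketCounts(bits uint, n uint64, reject bool) ([]uint64, uint64) {
	space := uint64(1) << bits
	maxRaw := space - 1
	discard := maxRaw - maxRaw%n
	counts := make([]uint64, n)
	var rejected uint64
	for v := uint64(0); v < space; v++ {
		if reject && v >= discard {
			rejected++
			continue
		}
		counts[v%n]++
	}
	return counts, rejected
}

// isUniform reports whether every bucket received exactly the same count.
func isUniform(counts []uint64) bool {
	for _, c := range counts[1:] {
		if c != counts[0] {
			return false
		}
	}
	return true
}

func main() {
	// Constructed demonstration: an 8-bit generator mapped onto 10 buckets.
	naive, _ := bucketCounts(8, 10, false)
	fair, dropped := bucketCounts(8, 10, true)
	fmt.Println("plain modulo:      ", naive, "uniform:", isUniform(naive))
	fmt.Println("rejection sampling:", fair, "uniform:", isUniform(fair), "dropped:", dropped)

	alphabet := []rune("abcdefghijklmnopqrstuvwxyz0123456789")
	fmt.Println("sample password:", generatePassword(alphabet, 20))
}
```

With 256 raw values and 10 buckets, the plain modulo gives buckets 0 to 5 one extra hit each (26 versus 25), while rejecting the six raw values at or above 250 leaves every bucket at exactly 25.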
If so, there is no modulo bias to remove and we can safely return our random number modulo <code>n</code>. (In this case, we use a bit mask to perform the modulo function.) If <code>n</code> is not a power of 2, then we must do a little extra work to get rid of the modulo bias before returning our number. Specifically, we are using rejection sampling to discard the biased numbers.</p> <p>In either case, we rely on the <code>crypto/rand</code> package in the Go standard library to provide us with strong random numbers, which can be seen in the <code>randomUint32</code> function in the <a href="https://github.com/1Password/spg/blob/master/util.go">util.go</a> file.</p> <pre tabindex="0"><code>func randomUint32() uint32 {
	b := make([]byte, 4)
	_, err := rand.Read(b)
	if err != nil {
		panic(&quot;PRNG gen error:&quot; + err.Error())
	}
	return binary.BigEndian.Uint32(b)
}
</code></pre><p>By using easily understood, well-tested protocols for generating random passwords, 1Password can ensure we provide you with strong passwords for all of your accounts.</p></description></item><item><title>Finding a secure way to monitor the SCIM bridge</title><link>https://blog.1password.com/securely-monitoring-scim-bridges/</link><pubDate>Fri, 25 Jun 2021 00:00:00 +0000</pubDate><author>info@1password.com (De Ville Weppenaar)</author><guid>https://blog.1password.com/securely-monitoring-scim-bridges/</guid><description> <img src='https://blog.1password.com/img/headers/building-1password-header.svg' class='webfeedsFeaturedVisual' alt='Finding a secure way to monitor the SCIM bridge' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">We know that many businesses use identity providers like Okta, Rippling and Azure Active Directory to control what their employees have access to. 
That’s why we built the <a href="https://support.1password.com/scim/">1Password SCIM bridge</a> — a way to connect these services with our <a href="https://1password.com/enterprise/">enterprise password manager</a>. It streamlines common administrator tasks, such as setting up new employees with a 1Password account and granting them access to specific groups.</p> <p>To sync everything up, all of our customers that want to leverage <a href="https://blog.1password.com/improved-automated-provisioning/">automated provisioning</a> deploy the SCIM bridge on one of their own servers. But that made us ask the question: what would happen if a SCIM bridge went down? Could we do more to help companies diagnose and fix the problem?</p> <p>To solve this issue, we decided to build health monitoring, a tool that administrators can use to quickly check on their SCIM bridge and narrow down any technical issues. We had a good idea of how this should work, but we&rsquo;re in the password management business, not the server monitoring business. Building a service from scratch would have been a poor use of our time, so we partnered with a company that’s an expert in server monitoring: <a href="https://www.checklyhq.com/?utm_source=1pblog&amp;utm_medium=blog&amp;utm_campaign=Building_1_password">Checkly</a>.</p> <h2 id="protecting-customer-data">Protecting customer data</h2> <p>The challenge with this partnership was ensuring that we didn’t compromise on our commitment to keeping customer information private. 
That meant limiting Checkly’s access to the absolute minimum needed to deliver a functional service.</p> <p>To achieve this balance we started with the following:</p> <ul> <li>We use a random unique identifier to link accounts to Checkly checks.</li> <li>We added a second authentication token to the SCIM bridge that can only be used to hit its health check endpoint.</li> </ul> <p>This means that all Checkly has access to is the domain name where the SCIM bridge resides and an authentication token that is only useful for health checks. Checkly does not even have the ability to notify customers directly about issues. Instead, Checkly notifies our server, which then has the responsibility of notifying the customer.</p> <p>Our health check endpoint is designed to return information about the different components that make up the SCIM bridge. Administrators can find this analysis by navigating to the domain or IP address where the SCIM bridge was deployed and submitting their bearer token.</p> <img src='https://blog.1password.com/posts/2021/securely-monitoring-scim-bridges/provisioning-bridge-status.png' alt='Screenshot showing SCIM bridge health status' title='Screenshot showing SCIM bridge health status' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>They can also use 1Password in the browser to check on the status of their SCIM bridge deployment.</p> <img src='https://blog.1password.com/posts/2021/securely-monitoring-scim-bridges/provisioning-card.png' alt='Screenshot showing health monitoring card detail' title='Screenshot showing health monitoring card detail' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>If a health check does not complete successfully, the administrator will get an email about it within minutes. The message will break down every component that encountered an error. 
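The two-token design described above, as an added example that is not the SCIM bridge's own code: a minimal Go router in which the administrator's provisioning bearer token reaches every route, while a second token reaches only the health endpoint, so the credential handed to the monitoring service cannot read provisioning data. The route paths, token values, response fields and helper names are assumptions made for this example.

```go
package main

import (
	"crypto/subtle"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Constructed placeholder tokens for this example; a real bridge generates both
// randomly and hands only the health token to the monitoring service.
const (
	provisioningToken = "EXAMPLE-provisioning-bearer-token"
	healthToken       = "EXAMPLE-health-check-only-token"
)

// bearer returns the token from an "Authorization: Bearer ..." header, or "".
func bearer(r *http.Request) string {
	const prefix = "Bearer "
	h := r.Header.Get("Authorization")
	if !strings.HasPrefix(h, prefix) {
		return ""
	}
	return strings.TrimPrefix(h, prefix)
}

// tokenMatches compares in constant time so that timing does not reveal how
// many leading bytes of a guessed token were correct.
func tokenMatches(got, want string) bool {
	return subtle.ConstantTimeCompare([]byte(got), []byte(want)) == 1
}

// requireToken lets a request through only if it presents one of the accepted
// tokens; each route lists exactly the tokens allowed to reach it.
func requireToken(next http.Handler, accepted ...string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		got := bearer(r)
		for _, want := range accepted {
			if tokenMatches(got, want) {
				next.ServeHTTP(w, r)
				return
			}
		}
		http.Error(w, "unauthorized", http.StatusUnauthorized)
	})
}

// newBridgeMux wires the two scopes: the provisioning token unlocks the SCIM
// resources and the health endpoint; the health token unlocks only the health
// endpoint, so a leak of the monitoring credential exposes no user data.
func newBridgeMux() *http.ServeMux {
	scim := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "scim resource")
	})
	health := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// Per-component status only; nothing here identifies users or groups.
		w.Header().Set("Content-Type", "application/json")
		json.NewEncoder(w).Encode(map[string]string{
			"scim_bridge":       "ok",
			"identity_provider": "ok",
		})
	})
	mux := http.NewServeMux()
	mux.Handle("/scim/", requireToken(scim, provisioningToken))
	mux.Handle("/health", requireToken(health, provisioningToken, healthToken))
	return mux
}

// statusFor sends one in-memory request through the mux and returns the HTTP
// status code, which is what the checks below inspect.
func statusFor(mux http.Handler, path, token string) int {
	req := httptest.NewRequest(http.MethodGet, path, nil)
	if token != "" {
		req.Header.Set("Authorization", "Bearer "+token)
	}
	rec := httptest.NewRecorder()
	mux.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	mux := newBridgeMux()
	fmt.Println("health token -> /health:    ", statusFor(mux, "/health", healthToken))
	fmt.Println("health token -> /scim/Users:", statusFor(mux, "/scim/Users", healthToken))
	fmt.Println("no token     -> /health:    ", statusFor(mux, "/health", ""))
}
```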
In addition, the administrator is notified when Checkly was unable to reach the SCIM bridge and determine its current health status. This is useful when the monitoring domain was entered incorrectly or when there are other factors preventing Checkly from contacting the SCIM bridge. Another email is sent when the problem has been resolved.</p> <h2 id="the-right-balance">The right balance</h2> <p>With Checkly, we’ve developed a solution that helps customers keep their user provisioning workflow running smoothly. But more importantly, we built it in a way that protects and respects our customers’ privacy.</p> <p>That wasn’t the easy option. But we did it this way because it’s the right thing to do. It’s a perfect example of how we operate as a company — serving you, and improving our product, but never at the expense of privacy or security.</p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Get started today</h3> <p class="c-call-to-action-box__text"> Setting up user provisioning on your 1Password account only takes minutes. 
</p> <a href="https://start.1password.com/provisioning/manage" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Get started </a> </div> </section></description></item><item><title>Secrets management: the next big security threat for businesses</title><link>https://blog.1password.com/risks-of-mismanaging-corporate-secrets/</link><pubDate>Tue, 22 Jun 2021 00:00:00 +0000</pubDate><author>info@1password.com (Andrew Zangre)</author><guid>https://blog.1password.com/risks-of-mismanaging-corporate-secrets/</guid><description> <img src='https://blog.1password.com/posts/2021/secrets-management-report/header.svg' class='webfeedsFeaturedVisual' alt='Secrets management: the next big security threat for businesses' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">With the recent launch of <a href="https://blog.1password.com/introducing-secrets-automation/">1Password Secrets Automation</a>, we were eager to learn more about current habits and feelings related to secrets management – good, bad, and everything in between – to help illustrate the problem and the risks involved. We surveyed 500 businesses on the topic, and today we’re excited to share our findings in a new report.</p> <p>Today&rsquo;s high-tech ecosystems involve thousands of vulnerable secrets, which are often spread out across multiple services with no visibility or auditability. To <a href="https://1password.com/files/1Password-How-To-Avoid-A-Data-Breach.pdf">avoid a data breach</a>, these need to be encrypted and delivered to machines and services safely; but as the report shows, there’s a long way to go. 
We’ve summarized some of the key takeaways below, or you can <a href="https://1password.com/resources/risks-of-mismanaging-corporate-secrets/">download the report</a> to read the complete findings.</p> <h2 id="do-you-know-where-your-secrets-are">Do you know where your secrets are?</h2> <p>Around 80 percent of IT and DevOps teams are not managing their secrets properly – think API keys, tokens, and certificates. These secrets let a database admin access a database, an app access another app, and so on. Secrets are the lifeblood of your growing infrastructure. And as you grow, develop, and deploy across your technology, you’re creating a long trail of insecure secrets that are stashed wherever it happens to be convenient.</p> <p>It’s far more complex than it used to be, even for non-tech companies. Reliance on more cloud applications is a major source of this new stress, according to our report. It’s a bigger problem than just managing them; many teams don’t even know where secrets are. Half of IT/Dev workers don’t know how many locations their company’s secrets are scattered across; there are too many to count.</p> <h2 id="productivity-pains">Productivity pains</h2> <p>Growing complexities have turned secrets management into a daily stress and productivity drain. The majority of IT/DevOps leaders find their work is disrupted at least daily so they can track down or manage their company’s secrets, and a third say it’s the worst part of their day. Some individual workers are disrupted four-plus times a day.</p> <p>This stress can naturally lead to mismanagement of secrets, as well as larger issues with work quality and morale. Poor habits that form along the way put these secrets — and by extension, the company — at risk.</p> <h2 id="poor-habits-cause-breaches">Poor habits cause breaches</h2> <p>We call them “secrets” for a reason. But workers (and leaders, for that matter) are not protecting them like secrets. 
In fact, 60 percent of IT/DevOps organizations have experienced secrets leakage in some form.</p> <p>Paired with the stress of managing them properly, a lack of education around proper secrets management has allowed dangerous habits to form, including:</p> <ul> <li>Reusing secrets across projects</li> <li>Using the same secrets in both production and testing/staging</li> <li>Storing secrets in shared or unsecured spreadsheets</li> <li>Sending secrets over email, chat, and text</li> <li>Former employees maintaining access to secrets</li> </ul> <p>Our report shows the extent of these (mis)management habits, and the potential cost of breaches that can result.</p> <h2 id="taking-control-of-your-secrets">Taking control of your secrets</h2> <p>All of this secret sprawl leaves company systems and data more vulnerable than ever. But 70 percent of U.S. workers believe it falls solely on their company to protect work accounts from an attack. This has created quite the dilemma.</p> <p>An improved <a href="https://1password.com/resources/culture-of-security/infographic-culture-of-security.pdf?utm_ref=1-for-business">culture of security</a> should be a priority to help reverse this trend; workers need to do their part to keep secrets secure, and be mindful of best security practices in all they do. The right tool, along with improved education and awareness, can make the secure way to work also the easiest way. Just as 1Password helps employees manage their passwords, <a href="https://1password.com/products/secrets/">1Password Secrets Automation</a> helps protect infrastructure secrets and deliver them – securely – where they’re needed.</p> <p>We hope you’ll find some valuable insights in our report that you can share with your team and use to evaluate your own secrets management practices. 
Thanks for reading!</p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Download the full report</h3> <p class="c-call-to-action-box__text"> Infrastructure secrets are a major security liability for today’s businesses. Read the full report to find out why secrets (mis)management could be putting your company data at risk. </p> <a href="https://1password.com/resources/risks-of-mismanaging-corporate-secrets/" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Download </a> </div> </section></description></item><item><title>1Password is making the Juneteenth pledge</title><link>https://blog.1password.com/making-the-juneteenth-pledge/</link><pubDate>Thu, 17 Jun 2021 00:00:00 +0000</pubDate><author>info@1password.com (Jeff Shiner)</author><guid>https://blog.1password.com/making-the-juneteenth-pledge/</guid><description> <img src='https://blog.1password.com/posts/2021/1password-juneteenth/header.svg' class='webfeedsFeaturedVisual' alt='1Password is making the Juneteenth pledge' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">In summer 2020 a spotlight was placed on racial inequality and the institutionalized racism experienced daily by Black people around the world. The global Black Lives Matter protests highlighted just how important it is for people and organizations to raise their voices and take action with, and for, those who have been historically oppressed.</p> <p>Last year 1Password and its employees donated $85,214 to Black Lives Matter causes, including matching employee donations to help support causes important to our team. But while donations are important, we know there is so much more work to be done. 
As an individual, an employer, and a leader at a large organization, it is my responsibility, and that of others, to help increase awareness around important issues that speak to our values.</p> <p>By taking <a href="https://juneteenthpledge.com/">the Juneteenth pledge</a> we at 1Password are taking another step forward in our commitment to improving the lives of our employees, our communities, and society as a whole.</p> <h2 id="the-juneteenth-pledge">The Juneteenth pledge</h2> <p>Last year was the first time I, like many others, became aware of Juneteenth, the oldest nationally celebrated commemoration of the ending of slavery in the United States.</p> <p>This important date in America’s history is often overlooked, and so I suppose it sadly isn’t surprising that as a Canadian I’d never heard of it either. But this lack of education about such an important, historical date is a failing – both locally and globally – and is something the Juneteenth pledge is working to rectify.</p> <p>The Juneteenth pledge calls on CEOs and companies worldwide to publicly observe, honour, and celebrate Juneteenth. While we missed Juneteenth last year, we want to make sure we are working to elevate this celebration of freedom every year going forward.</p> <h2 id="a-day-for-action">A day for action</h2> <p>Here at 1Password there are only two days of the year when everyone is off at the same time – Christmas and New Year’s Day. Juneteenth will be our third. 
While Juneteenth is the subject of <a href="https://www.npr.org/2021/06/15/1006934154/senate-unanimously-approves-a-bill-to-make-juneteenth-a-public-holiday">pending legislation to become an official US holiday</a>, we believe the celebration of the emancipation of enslaved peoples should not be restricted to one geography.</p> <p>We want everyone at 1Password to have the opportunity to reflect and learn about racial inequality, so we’re making Juneteenth a paid holiday for our team of 400+ people, across the globe – our (virtual) offices will be closed on Friday, June 18, 2021. In an effort to educate and inspire action, we shared information on the history/heritage of the holiday and ways 1Password employees can make a difference in their communities.</p> <p>Making the Juneteenth pledge will look different for each company, but we&rsquo;re all committing to fundamental actions laid out on the <a href="https://juneteenthpledge.com/">Juneteenth Pledge website</a>:</p> <ul> <li>Making Juneteenth a paid holiday for our employees.</li> <li>Identifying a relevant day in our international offices to recognize the emancipation of enslaved people.</li> <li>Encouraging other leaders in business to sign this pledge, and join in making Juneteenth a recognized paid holiday.</li> <li>Supporting our employees’ ability to learn, reflect, and encourage continuous self-development and respect for all cultures.</li> </ul> <h2 id="moving-forward-together">Moving forward, together</h2> <p>We want to be clear – this isn’t about giving ourselves a pat on the back – we know we have plenty more work to do.</p> <p>At 1Password we’re consciously working on increasing the diversity of our team at all levels. We recognize that a talented team is a diverse group of people that embraces different perspectives and experiences. 
We encourage everyone at 1Password to challenge our ways of working so that we can all rise together and be an active force in driving change forward.</p> <p>By signing the Juneteenth pledge we want to set a positive example and encourage other leaders in the private sector to also recognize and acknowledge the importance of Juneteenth.</p> <p>As we look to the future we’re dedicated to continue building momentum around issues of diversity, equity, and inclusion at 1Password.</p> <section class="c-call-to-action-box c-call-to-action-box--purple"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Make the Juneteenth Pledge</h3> <p class="c-call-to-action-box__text"> Are you a leader or business owner? The time for change is now. </p> <a href="https://juneteenthpledge.com/" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--purple" data-event-category="CTA" data-event-action="call-to-action-button"> Sign the Pledge </a> </div> </section></description></item><item><title>1Password 8 for Windows is now in Early Access! 🎉</title><link>https://blog.1password.com/1password-8-for-windows-is-now-in-early-access/</link><pubDate>Tue, 15 Jun 2021 00:00:00 +0000</pubDate><author>info@1password.com (Dave Teare)</author><guid>https://blog.1password.com/1password-8-for-windows-is-now-in-early-access/</guid><description> <img src='https://blog.1password.com/posts/2021/early-access-windows/header.png' class='webfeedsFeaturedVisual' alt='1Password 8 for Windows is now in Early Access! 🎉' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">We’re on a journey to reimagine everything 1Password can be on Windows. And you’re invited to join us!</p> <p>It seems like <a href="https://blog.1password.com/1password-7-for-windows-the-best-ever/">just yesterday</a> I unveiled 1Password 7 for Windows. 
At the time I said every bit and every pixel had been recreated from scratch to make 1Password the best it could be. It was a tremendously successful release.</p> <p>Fast forward 3 years to today and I’m excited to reveal that we’re doing it all over again. We’re gearing up for all-new 1Password apps on every platform. Each one will be better and faster, and each will push the envelope for what you’ve come to expect from 1Password.</p> <p>Today we’re <a href="https://1password.community/discussion/121163/1password-for-windows-early-access">opening early access</a> for the next generation of 1Password for Windows. And it&rsquo;s gorgeous! 😍</p> <img src='https://blog.1password.com/posts/2021/early-access-windows/HeroUnlocked.png' alt='1Password app unlocked on a Windows background showing off its new design' title='1Password app unlocked on a Windows background showing off its new design' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <h2 id="next-level-design">Next level design</h2> <p>Our designers and user experience specialists never stop iterating, polishing, and reimagining how 1Password can best help you get your work done.</p> <p>For the next 1Password for Windows we’re applying every lesson we learned to create a delightful experience. And a delightful experience is often a darkful experience. 😎</p> <img src='https://blog.1password.com/posts/2021/early-access-windows/HeroUnlockedDark.png' alt='1Password app unlocked on a Windows background showing off its new dark mode design' title='1Password app unlocked on a Windows background showing off its new dark mode design' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <h2 id="next-level-organization">Next level organization</h2> <p>With this latest iteration of 1Password for Windows we set out to simplify things so you can quickly find what you need. 
From a redesigned sidebar to new features like quick find and intelligent search results, you have the tools you need to stay on top of all of your items.</p> <img src='https://blog.1password.com/posts/2021/early-access-windows/NextLevelOrganization.png' alt='1Password with new Quick Find window open' title='1Password with new Quick Find window open' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <h2 id="next-level-sharing">Next level sharing</h2> <p>Items now prominently show when they are being shared and it’s super clear who they’re being shared with. And when moving items you’ll see who will have access to the item before completing the move.</p> <img src='https://blog.1password.com/posts/2021/early-access-windows/SharingDetailsAndMoveItem.png' alt='Screenshot of the item details screen with the location bar zoomed in showing who this item is being shared with' title='Screenshot of the item details screen with the location bar zoomed in showing who this item is being shared with' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <h2 id="next-level-watchtower">Next level Watchtower</h2> <p>The new Watchtower Dashboard makes it super easy to monitor and evaluate your password security health. Greatly improve your security by replacing passwords that need attention.</p> <img src='https://blog.1password.com/posts/2021/early-access-windows/HeroWatchtowerDashboard.png' alt='Watchtower Dashboard highlighting your password strength and which items need attention.' title='Watchtower Dashboard highlighting your password strength and which items need attention.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <h2 id="next-level-editing">Next level editing</h2> <p>Editing is now easier than ever, thanks to improvements like smart suggestions and a new password generator. The item editor is more powerful, too. Attach files directly to your items so you have them close at hand. 
And with our new Security Questions feature you can generate secure answers to those pesky questions some websites require.</p> <img src='https://blog.1password.com/posts/2021/early-access-windows/NextLevelEditing.png' alt='New item editing screen with file attachments and new security questions section' title='New item editing screen with file attachments and new security questions section' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <h2 id="next-level-performance">Next level performance</h2> <p>Our new 1Password apps are built in Rust, a secure systems programming language famous for its performance and safety. 🦀</p> <p>You won’t see this change but you’ll feel it. The app is incredibly responsive across the board, from unlocking to adding accounts to searching your items.</p> <h2 id="next-level-security">Next level security</h2> <p>As always your items are protected with strong end-to-end encryption so only you can see them. Along with your <a href="https://support.1password.com/secret-key/">Secret Key</a>, advanced MFA options, and <a href="https://blog.1password.com/developers-how-we-use-srp-and-you-can-too/">Secure Remote Password</a>, your data is more secure than ever.</p> <p>And the lock screen now shows all your accounts. Along with Windows Hello for easy unlocking it’s never been easier to protect yourself, your family, and your entire company.</p> <img src='https://blog.1password.com/posts/2021/early-access-windows/NextLevelSecurity.png' alt='1Password lock screen showing multiple accounts and a button to activate Windows Hello' title='1Password lock screen showing multiple accounts and a button to activate Windows Hello' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <h2 id="next-level-data-loss-protection">Next level data loss protection</h2> <p>The next generation of apps come with more protection against data loss than ever. 
You can restore recently deleted items as well as return to previous versions of an item in case of accidental edits or deletion.</p> <p>Oh, and with <a href="https://1password.com/personal/">1Password Families</a> and <a href="https://1password.com/business/">1Password Business</a> accounts you can assign people who will be able to recover your account in the event you forget your password. And the best part is recovery happens in a way that no one sees your private data.</p> <h2 id="next-level-browsing">Next level browsing</h2> <p>Let’s finish off with my favourite: the early access release integrates with our new <a href="https://support.1password.com/getting-started-browser/">1Password in the browser</a> to bring you our best experience, whether you use Edge, Brave, Firefox, or <a href="https://1password.com/resources/guides/1password-for-google-chrome/">Chrome</a>.</p> <img src='https://blog.1password.com/posts/2021/early-access-windows/NextLevelBrowsingLogin.png' alt='1Password in the Browser displaying an inline menu on GitHub login page' title='1Password in the Browser displaying an inline menu on GitHub login page' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>The inline menu gives you quick access to what you need exactly where you need it. It&rsquo;s incredible! 🤩 And saving is more powerful and never looked better.</p> <img src='https://blog.1password.com/posts/2021/early-access-windows/NextLevelBrowsingSaveLoginRedCross.png' alt='1Password in the Browser running within Microsoft Edge showing off the new Save Login window' title='1Password in the Browser running within Microsoft Edge showing off the new Save Login window' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>And yes, 1Password is sporting a dark theme in that screenshot! Dark mode is supported throughout the app and browser so it looks incredible everywhere! 
😍</p> <h2 id="try-now-with-early-access">Try now with Early Access</h2> <p>With Early Access you can try the new 1Password for Windows before it is released. If you enjoy being on the bleeding edge, please join our new Early Access community and help us make this new app the best it can be:</p> <p><a href="https://1password.community/discussion/121163/1password-for-windows-early-access">Early Access: 1Password for Windows</a></p> <p>Here you will find instructions on how to install the new app and share feedback with our development team.</p> <p>And if you use other platforms in addition to Windows, you’re still welcome to join as this early access is compatible with our existing apps. We’ll also be releasing early access apps for all the other platforms over the coming months. It’s going to be an exciting year! 🤘</p> <p>Take care and if you&rsquo;re as excited about this as we are, please give us some love on <a href="https://www.producthunt.com/products/1password#1password-8-for-windows">Product Hunt</a> and join our <a href="https://www.reddit.com/r/1Password/comments/o0f9cl/were_the_team_behind_the_next_generation_of/">AMA</a> on Thursday at noon eastern to, well&hellip;ask us anything. 🙂 Our entire team and I will be there to answer any questions that may be on your mind. 🤗</p> <img src='https://blog.1password.com/posts/2021/early-access-windows/HeroLockedDark.png' alt='1Password lock screen in dark mode' title='1Password lock screen in dark mode' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>This is the way. 
🚀🖖🏼</p></description></item><item><title>Supporting Let’s Encrypt, the nonprofit making HTTPS free for all</title><link>https://blog.1password.com/supporting-lets-encrypt/</link><pubDate>Mon, 14 Jun 2021 00:00:00 +0000</pubDate><author>info@1password.com (Nick Summers)</author><guid>https://blog.1password.com/supporting-lets-encrypt/</guid><description> <img src='https://blog.1password.com/posts/2021/lets-encrypt-fundraiser/header.png' class='webfeedsFeaturedVisual' alt='Supporting Let’s Encrypt, the nonprofit making HTTPS free for all' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Today, we’re thrilled to be partnering with Let’s Encrypt, the world’s largest certificate authority. Part of the nonprofit <a href="https://www.abetterinternet.org/">Internet Security Research Group (ISRG)</a>, the team supports website owners by removing the cost and complexity normally associated with enabling HTTPS encryption. That, in turn, helps the web become a more secure and privacy-respecting place for everyone.</p> <p>We want Let’s Encrypt to continue this important work. That’s why we’re teaming up and supporting the nonprofit’s annual summer fundraising campaign. We’ll be matching the next $50,000 in supporter donations this month, and giving $20 1Password gift cards to the first 500 people who donate $50 or more. You can <a href="https://letsencrypt.org/donate/?utm_medium=social&amp;utm_source=blog&amp;utm_campaign=donation">donate here</a> to get involved and help eliminate weak, insecure website connections for good.</p> <h2 id="how-lets-encrypt-makes-the-world-a-safer-place">How Let’s Encrypt makes the world a safer place</h2> <p>If you open a new tab and navigate to <a href="https://1Password.com/">1Password.com</a>, you’ll notice a padlock icon in the address bar. 
Click on that symbol or the URL, and you’ll see the acronym “HTTPS.” Those five characters name the web protocol that wraps ordinary HTTP in a robust form of encryption called TLS (formerly SSL). Most people rarely think about HTTPS. However, it makes a huge contribution toward keeping everyone safe on the web.</p> <p>HTTPS only works if the site has an SSL/TLS certificate. Most of these need to be “signed” by a certificate authority like Let’s Encrypt. It’s the equivalent of a degree that’s been rubber-stamped by a reputable university. The difference here is that, thanks to public and private encryption keys, your browser can check the SSL/TLS certificate and mathematically verify the identity of the authority and, by extension, the site you want to visit.</p> <p>Without a valid certificate, you can’t be sure that your browser’s connection to the site is secure.</p> <h2 id="what-makes-lets-encrypt-special">What makes Let’s Encrypt special</h2> <p>While there are many certificate authorities, Let’s Encrypt is one of a kind. It was set up in 2013 to provide free SSL/TLS certificates to any website owner who wanted to offer an HTTPS connection. The team issued its first certificate in 2015 and has since grown into the largest certificate authority in the world, servicing 260 million website domains and tens of billions of HTTPS page loads every day. To say it’s had an impact would be a massive understatement.</p> <p>Let’s Encrypt certificates aren’t just free — they’re also convenient to use. With a bit of software running on a web server, any website owner can painlessly obtain, configure and automatically renew a certificate. This headache-free experience is possible because of the ACME Protocol, which Let’s Encrypt has published as an open standard that anyone can adopt.</p> <p>Finally, Let’s Encrypt records every SSL/TLS certificate that it issues and revokes.
That way, anyone can look at them and check that the authority is only issuing certificates to sites that truly deserve them.</p> <h2 id="together-we-can-make-a-difference">Together, we can make a difference</h2> <p>Roughly 85 percent of websites now support HTTPS, thanks in large part to Let’s Encrypt. It’s a large number, but one that raises the question: What about the remaining 15 percent? That seemingly small figure represents hundreds of millions of sites, each one posing a security and privacy risk to anyone who visits it.</p> <p>To make the web truly secure, HTTPS needs to be ubiquitous. And that means supporting teams like Let’s Encrypt that make it easier for sites to adopt the HTTPS protocol.</p> <p>Despite its huge impact, Let’s Encrypt is a tiny team that relies entirely on charitable donations to operate. Its work is only possible thanks to the generosity of people who want to make the web a more secure and privacy-respecting place. That’s why we’ve partnered up for the nonprofit’s annual summer fundraising campaign. If you can, please consider making a donation. Together, we can ensure that every website has HTTPS enabled and eliminate weak, insecure connections for good.</p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Donate to Let’s Encrypt!</h3> <p class="c-call-to-action-box__text"> Make a donation to help Let’s Encrypt make the internet a more secure place.
</p> <a href="https://letsencrypt.org/donate/?utm_medium=social&amp;utm_source=blog&amp;utm_campaign=donation" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Donate now </a> </div> </section></description></item><item><title>WWDC21: Virtual Conference, Redux</title><link>https://blog.1password.com/wwdc21/</link><pubDate>Fri, 11 Jun 2021 00:00:00 +0000</pubDate><author>info@1password.com (Michael Fey)</author><guid>https://blog.1password.com/wwdc21/</guid><description> <img src='https://blog.1password.com/posts/2021/wwdc21/header.png' class='webfeedsFeaturedVisual' alt='WWDC21: Virtual Conference, Redux' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Apple’s second fully-remote Worldwide Developer Conference kicked off this week and, as always, our Apple development and design teams have been excitedly studying the documentation and sessions all week.</p> <p>For the last year and change, Apple has been perfecting the art of transforming their typical in-person keynotes into highly polished tours through their incredible campus and the future of software on their platform. Even though we’re all at home, Apple still manages to reach through the screen and pull us into the excitement and the possibilities that make WWDC one of our favorite developer events of the year.</p> <p>One of my most-loved things about WWDC is how we challenge ourselves to see just how quickly we can take the new technologies Apple is touting and apply them to 1Password. This year was no different. 
In fact, you may have already seen some of what our amazing <strong>Browser Experience</strong> team was able to do <a href="https://www.macrumors.com/2021/06/08/1password-teases-safari-on-ipados-15/"><em>by the end of the day on Monday</em></a>.</p> <h2 id="safari-web-extensions-on-ios-and-ipados">Safari Web Extensions on iOS and iPadOS</h2> <p>I’ll be honest, this one caught me totally by surprise. We’ve been working on unifying our browser experience for the last couple of years, and with iOS 15 we’re taking a big leap forward with the launch of <a href="https://1password.com/resources/guides/1password-for-safari/">1Password for Safari</a> on iOS and iPadOS. Being able to bring some incredible features like virtual payment cards from Privacy, smart password creation, and our inline menu to iOS is really a dream come true.</p> <img src='https://blog.1password.com/posts/2021/wwdc21/1password_on_ipad_small.png' alt='1Password in the browser on iPad' title='1Password in the browser on iPad' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <h2 id="live-text--logins">Live Text 👉 Logins</h2> <p>We all know someone who has sticky notes at the bottom of their monitor, or have been to venues with a Wi-Fi password on a whiteboard. With iOS 15, 1Password will be able to use the new <strong>Live Text</strong> feature along with data detectors to intelligently and automatically create Login items! We’ve been saying <a href="https://www.youtube.com/watch?v=mcly2-b1W20">“no more sticky notes”</a> for a long time; now you’ll have the tools you need to make that a reality.
And yes, it’s just as magical in action as it sounds:</p> <p> <video class="round shadow" style="display: block; margin: auto; padding: 0;" loop="loop" playsinline="" width="100%" alt='' controls> <source src="https://blog.1password.com/posts/2021/wwdc21/live-text-in-1password-ios15.mp4" type="video/mp4" /> </video> </p> <h2 id="drag-and-drop">Drag and Drop</h2> <p>Support for drag and drop on Apple platforms has a rich history and it’s one we’ve always embraced in our apps. Coming this fall, drag and drop will land in 1Password for iOS, enabling you to move your items around and fill your information into other apps on your iPhone or iPod touch. Not only do we love how it feels to drag and drop information between apps, but the security properties of it are just fantastic.</p> <table> <thead> <tr> <th>Moving Items</th> <th>Dragging to Other Apps</th> </tr> </thead> <tbody> <tr> <td> <p> <video class="round shadow" style="display: block; margin: auto; padding: 0;" loop="loop" playsinline="" width="100%" alt='' controls> <source src="https://blog.1password.com/posts/2021/wwdc21/drag-to-move.mp4" type="video/mp4" /> </video> </p> </td> <td> <p> <video class="round shadow" style="display: block; margin: auto; padding: 0;" loop="loop" playsinline="" width="100%" alt='' controls> <source src="https://blog.1password.com/posts/2021/wwdc21/drag-to-other-apps.mp4" type="video/mp4" /> </video> </p> </td> </tr> </tbody> </table> <h2 id="quick-notes">Quick Notes</h2> <p>I use the Notes app every single day. It’s my to-do list, blog post editor, bullet journal, and all-around digital notebook.
I love the idea of using Quick Notes to easily get content from my apps into Notes, and we wanted to make sure 1Password works there as well!</p> <p> <video class="round shadow" style="display: block; margin: auto; padding: 0;"loop="loop" playsinline="" width="100%" alt='' controls> <source src="https://blog.1password.com/posts/2021/wwdc21/quick-notes-in-1password-ios15.mp4" type="video/mp4" /> </video> </p> <h2 id="home-screen-widgets-on-ipad">Home Screen Widgets on iPad</h2> <p>I’m a big fan of widgets on iOS and was really pleased to see Apple bring Widgets to iPad in a form factor that really takes advantage of the screen real estate. Our awesome interns took it upon themselves to build out some proofs of concept for what a Watchtower widget and a one-time password widget could look like!</p> <img src='https://blog.1password.com/posts/2021/wwdc21/widgets-on-ipad.png' alt='1Password widgets on iPad' title='1Password widgets on iPad' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <h2 id="apple-passwords-import-and-export">Apple Passwords Import and Export</h2> <p>Switching over to the Mac, Apple added a brand new <strong>Passwords</strong> section to System Preferences where you can access your passwords stored in iCloud Keychain. 
They <em>also</em> added the ability to export your passwords to a common format.</p> <img src='https://blog.1password.com/posts/2021/wwdc21/monterey-passwords-1.png' alt='Passwords on macOS Monterey' title='Passwords on macOS Monterey' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <img src='https://blog.1password.com/posts/2021/wwdc21/monterey-passwords-2.png' alt='Password export on macOS Monterey' title='Password export on macOS Monterey' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>It’s a very simple CSV (comma separated value) file that contains the essentials for a collection of passwords: <code>Title</code>, <code>Website</code>, <code>Username</code>, and <code>Password</code>. This year the 1Password.com team got in on the WWDC excitement and added support for importing this new format!</p> <img src='https://blog.1password.com/posts/2021/wwdc21/apple-password-import.png' alt='Import Apple Passwords on 1Password.com' title='Import Apple Passwords on 1Password.com' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>We think the simplicity of this format is a really smart move, and to return the favor we are committing to adding the same export capability for Logins to 1Password over the next year.</p> <h2 id="wrapping-it-up">Wrapping It Up</h2> <p>WWDC21 has been a ton of fun for us this week. Not only did we get to play with a whole host of new APIs, but we were also a finalist for the Apple Design Awards! The next few months will be exciting ones for our developers and we’ll be ready when iOS 15 drops this fall. 
See you there!</p></description></item><item><title>How ignoring the PoLP and password123 can cost you $4.4 million</title><link>https://blog.1password.com/how-ignoring-the-polp-and-password123-can-cost-you-4.4-million/</link><pubDate>Tue, 08 Jun 2021 00:00:00 +0000</pubDate><author>info@1password.com (Megan Barker)</author><guid>https://blog.1password.com/how-ignoring-the-polp-and-password123-can-cost-you-4.4-million/</guid><description> <img src='https://blog.1password.com/img/headers/security-header.svg' class='webfeedsFeaturedVisual' alt='How ignoring the PoLP and password123 can cost you $4.4 million' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">If you&rsquo;ve heard the news in the last month or so, I&rsquo;m sure you know about the Colonial pipeline cyber attack that took place at the end of April. If you&rsquo;ve not heard about this, I&rsquo;ll summarize the story.</p> <p>On April 29, 2021, hackers gained access to the network of the largest fuel pipeline in the United States. The attack led to a ransom payment of $4.4 million and fuel shortages throughout the east coasts of the US and Canada.</p> <p>I work in cybersecurity so I understand the risks we face in this digital world. But when an organization of this scale is thwarted by the smallest security gap, I still think, &ldquo;How does that happen?&rdquo;</p> <p>On a purely technical level, I can tell you. The attackers - believed to be members of an infamous cybercrime group - hacked into the network through a <a href="https://blog.1password.com/how-a-vpn-works/">Virtual Private Network</a> (VPN). The VPN account that acted as the gateway for the attack wasn&rsquo;t in use at the time, but it was still active (we&rsquo;ll get to that in a minute).</p> <p>The password was the other problem. It was later found that the password for the VPN account had been compromised. 
The attackers discovered it in a group of breached passwords online.</p> <h2 id="about-that-vpn">About that VPN</h2> <p>Now, I know what you might think, but don&rsquo;t be so quick to blame the VPN itself. The use of a VPN wasn&rsquo;t the problem. Virtual Private Networks are certainly not foolproof, but they aren&rsquo;t all inherently bad. Certainly you should rely more on TLS and encrypted DNS for protection, but VPNs can be useful and, in some situations, necessary. In the particular situation we&rsquo;re discussing, a VPN would allow hybrid workers to access the Colonial pipeline network as though they were physically <em>on</em> the network.</p> <p>No, it wasn&rsquo;t the VPN itself — it was the unused account that was still active. If you remember a few months ago, <a href="https://blog.1password.com/guiding-principles-how-least-privilege-leads-to-more-security/">we looked at the principle of least privilege (PoLP)</a>. The foundations of PoLP are to allow bare minimum access:</p> <ul> <li>to the items needed</li> <li>where it&rsquo;s needed</li> <li>to whoever needs it</li> <li>for as long as needed</li> </ul> <p>The IT folks in charge of the pipeline&rsquo;s network failed here. The VPN account clearly wasn&rsquo;t needed any longer, and it should&rsquo;ve been deactivated the moment that was the case.</p> <h2 id="then-there-was-the-password">Then there was the password</h2> <p>According to <a href="https://haveibeenpwned.com/Passwords">HaveIBeenPwned</a>, there are 613 million (and counting) hacked passwords freely available online. The title of this post is a hyperbolic example - I have no idea if the password was <em>password123</em> - but it doesn&rsquo;t matter. What matters is that it wasn&rsquo;t unique.</p> <p>We can&rsquo;t control the security of every website we visit or every online account we have.
But we can control the security of our passwords.</p> <p>Every time you or your employees set a reused password, your company and its resources are at risk. If your team members don&rsquo;t use a password manager like 1Password, you could find yourself and your organization in a situation like this one quite easily. Not only does 1Password help create passwords that are complicated, random, and unique, those passwords are saved and secured. Beyond that, our Watchtower integration with HaveIBeenPwned allows you to see if and when your <a href="https://support.1password.com/watchtower/#about-the-watchtower-categories">passwords appear in a breach</a> so you can change them immediately. How&rsquo;s that for foolproof?</p> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div class="c-technical-aside-box__description"> <p>Find out why 1Password is the best in the market with our <a href="https://1password.com/comparison/">password manager comparison</a>!</p> </div> </aside> <h2 id="so-whats-the-answer">So, what&rsquo;s the answer?</h2> <p>I&rsquo;m left with my original question: How does an attack like this happen, beyond the technicalities? We live in a world where password breaches and cyber attacks happen every single day, yet everyone - from individuals to massive corporations - is vulnerable.</p> <p>The solution? The right tools and the right mindset. Even with the world’s best password manager, there needs to be a course of action. As Bruce Schneier once said, “Security is not a product, but a process.” Employ the principle of least privilege, change weak passwords, build a <a href="https://1password.com/resources/culture-of-security/infographic-culture-of-security.pdf">culture of security</a>, and keep the conversation going.</p> <p>Just don’t talk passwords. 
There’s <a href="https://support.1password.com/create-share-vaults-teams/#share-a-vault">a feature for that.</a></p></description></item><item><title>Together we’ve raised $50,000 for Freedom of the Press Foundation</title><link>https://blog.1password.com/freedom-press-foundation-donations-wrap-up/</link><pubDate>Tue, 01 Jun 2021 00:00:00 +0000</pubDate><author>info@1password.com (Dave Teare)</author><guid>https://blog.1password.com/freedom-press-foundation-donations-wrap-up/</guid></item><item><title>Static analysis and constant time comparisons</title><link>https://blog.1password.com/constant-time-comparisons/</link><pubDate>Fri, 28 May 2021 00:00:00 +0000</pubDate><author>info@1password.com (Rick Fillion)</author><guid>https://blog.1password.com/constant-time-comparisons/</guid><description> <img src='https://blog.1password.com/img/headers/building-1password-header.svg' class='webfeedsFeaturedVisual' alt='Static analysis and constant time comparisons' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">At 1Password, we regularly hire outside experts to check our source code and look for security vulnerabilities. A recent penetration test by Cure53 identified a case where the 1Password server wasn’t using a constant-time comparison when it should. The fix, while trivial, created an interesting challenge for us: How can we confidently say that we don’t have this issue elsewhere?</p> <p>This is the first in a series of new developer-written posts on our blog about Building 1Password, a behind-the-scenes look at what goes into making the app. You can expect these to be technical, nerdy, and frankly&hellip; not nearly as polished as what our crack marketing and content teams put out.</p> <h2 id="what-are-we-trying-to-solve">What are we trying to solve?</h2> <p>Before we get to the solution, let’s talk about the problem. It’s recommended that security-sensitive comparisons be done in a constant-time manner. 
In this case, the comparison was of a token string that is sent to the user via email. The recipient uses this to effectively prove they received the email and control the email account. A constant-time approach ensures that the comparison always takes the same amount of time, regardless of the outcome (a plain comparison can return as soon as it finds the first mismatching byte, so its timing reveals how much of the token was correct). We use the Go programming language for our server, and Go has the <a href="https://pkg.go.dev/crypto/subtle">crypto/subtle</a> package, which provides functions to do this. Fixing this is quite simple: you change something that looked like:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-go" data-lang="go"><span class="k">if</span> <span class="nx">user</span><span class="p">.</span><span class="nx">VerificationToken</span> <span class="o">!=</span> <span class="nx">token</span> </code></pre></div><p>To something like:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-go" data-lang="go"><span class="k">if</span> <span class="nx">subtle</span><span class="p">.</span><span class="nf">ConstantTimeCompare</span><span class="p">([]</span><span class="nb">byte</span><span class="p">(</span><span class="nx">user</span><span class="p">.</span><span class="nx">VerificationToken</span><span class="p">),</span> <span class="p">[]</span><span class="nb">byte</span><span class="p">(</span><span class="nx">token</span><span class="p">))</span> <span class="o">!=</span> <span class="mi">1</span> </code></pre></div><p>An identical timeframe for “true” and “false” comparisons minimizes what an attacker can learn from a request. At 1Password we try our best to stop attackers from learning anything about what’s going on inside our servers. One such piece of information is how long the server takes to validate your information. Sometimes we have concrete attacks in mind: we don’t want to leak information on whether you supplied the right or wrong session key.
Sometimes we don’t have a concrete attack in mind - because we can’t always look in the minds of our attackers, or look into the future of how our codebase evolves. As a general rule though, we try to make sure that whenever we verify your information we apply constant-time comparisons.</p> <p>So now we know why doing these comparisons in constant time is important, and how we might go about fixing this particular issue. As developers we&rsquo;re less interested in solving one specific problem than in solving a whole class of problems. How can we ensure that we aren&rsquo;t making the same mistake elsewhere? We could manually check by searching for ‘user.VerificationToken’ references, but how do we ensure this mistake doesn’t happen again?</p> <h2 id="building-a-solution">Building a solution</h2> <p>To solve this problem, we wrote a custom static analysis tool that we now run as part of our continuous integration system, so that it runs on every Merge Request pushed to our GitLab instance.</p> <p>There are a plethora of great static analysis tools for Go; for example, there&rsquo;s <a href="https://github.com/securego/gosec">securego/gosec</a> to help find security problems. Unfortunately, it can’t help us solve this particular problem. Luckily for us, though, the Go <a href="https://pkg.go.dev/golang.org/x/tools/go/packages">packages</a> library comes with the tools for us to build a custom static analysis solution to this problem!</p> <p>The only tricky part was to determine how we were going to find these cases without inundating ourselves with false positives. We decided that the best way to do so was to define which fields in a Go struct were not safe to compare in a non-constant-time manner. Go has just the thing to describe this: field tags.
Using our previous example, this is what it&rsquo;d look like:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-go" data-lang="go"><span class="kd">type</span> <span class="nx">User</span> <span class="kd">struct</span> <span class="p">{</span> <span class="nx">VerificationToken</span> <span class="kt">string</span> <span class="s">`db:&#34;verification_token&#34; security:&#34;nodirectequality&#34;`</span> <span class="p">}</span> </code></pre></div><p>The <code>VerificationToken</code> field on our <code>User</code> structure now has a <code>security</code> tag whose value is <code>nodirectequality</code>.</p> <p>Now it&rsquo;s just a matter of using the Go tools to build and walk the abstract syntax tree for a Go package and find violations of this rule. Sadly, we can&rsquo;t take a structure and find all times that a field was referenced in the codebase, so our search is the other way around and requires that we find every equality comparison in the codebase and look at the left and right sides to determine if either is a field marked as being forbidden.</p> <p>This gives us a tool that we can run as:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell">$ go-directequality-checker go.1password.io/b5/server/src/logic/action <span class="o">[</span>SECURITY<span class="o">]</span> Found raw comparison of field <span class="s1">&#39;VerificationToken&#39;</span>. Use constant <span class="nb">time</span> comparison <span class="k">function</span>. /Users/rfillion/go/src/go.1password.io/b5/server/src/logic/action/recovery.go:174 user.VerificationToken !<span class="o">=</span> token <span class="o">{</span> </code></pre></div><p>Once the tool was built, we just needed to annotate the relevant fields on our structures. 
In doing so, the tool identified two more cases that were not identified as part of the pentest, and, best of all, now that it&rsquo;s part of our CI pipeline we shouldn&rsquo;t be seeing this problem in the future. At least not with these fields, and assuming they&rsquo;re misused in the way that we expect.</p> <h2 id="limitations-of-this-approach">Limitations of this approach</h2> <p>Which brings us to the part of this that&rsquo;s a little less fun: this solution doesn&rsquo;t technically solve the whole class of problems. It relies on us developers correctly identifying which fields deserve this designation. It also relies on code being structured in such a way that makes detecting this easy. It could easily be fooled by doing something like:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-go" data-lang="go"><span class="nx">verificationToken</span> <span class="o">:=</span> <span class="nx">user</span><span class="p">.</span><span class="nx">VerificationToken</span>
<span class="k">if</span> <span class="nx">verificationToken</span> <span class="o">!=</span> <span class="nx">token</span> </code></pre></div><p>Since the left-hand side of the &ldquo;if&rdquo; statement no longer references a specific field with annotations, the checker would no longer find it.</p> <p>We haven&rsquo;t yet thought of a way to solve the whole class of problems without banning direct equality entirely, which isn&rsquo;t realistic. This solution paints the problem into a small enough corner that we feel pretty confident about it, and it gives us the tools we need to do deeper searches for offending code should other instances be found in the future.</p> <h2 id="get-the-sources">Get the sources</h2> <p>We&rsquo;ve open-sourced our checker tool so that you can either use it or look at how it works.
You can find it on our <a href="https://github.com/1Password/go-directequality-checker">1Password/go-directequality-checker</a> github repo.</p></description></item><item><title>Big changes to 1Password in the browser: biometric unlock, dark mode, and a new save experience</title><link>https://blog.1password.com/big-changes-to-1password-in-the-browser/</link><pubDate>Wed, 26 May 2021 00:00:00 +0000</pubDate><author>info@1password.com (Andrew Beyer)</author><guid>https://blog.1password.com/big-changes-to-1password-in-the-browser/</guid><description> <img src='https://blog.1password.com/posts/2021/1password-in-the-browser/header.svg' class='webfeedsFeaturedVisual' alt='Big changes to 1Password in the browser: biometric unlock, dark mode, and a new save experience' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">The browser experience has been the core of 1Password since the very beginning. We’re constantly rolling out improvements, and today I’m happy to announce some huge updates that take things to the next level. 🎉</p> <h2 id="touch-id-windows-hello-and-biometric-unlock-">Touch ID, Windows Hello, and biometric unlock 👉💻</h2> <p>Our #1 requested feature has been <a href="https://1password.com/mac/">Touch ID</a> &amp; Windows Hello support. 
Now, if 1Password is locked and you have the desktop app installed, you can use <a href="https://1password.com/resources/guides/using-biometrics-fingerprint-as-password/">biometric authentication</a> to unlock faster than ever!</p> <img src='https://blog.1password.com/posts/2021/1password-in-the-browser/browser_touch_id_unlock.gif' alt='Image showing 1Password in the browser unlocking with Touch ID on macOS' title='Image showing 1Password in the browser unlocking with Touch ID on macOS' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>No matter your flavor—Touch ID, Windows Hello, or <a href="https://blog.1password.com/welcoming-linux-to-the-1password-family/">biometrics on Linux</a>—you can now enjoy passwordless unlocking for 1Password in the browser. Yet another example of how apps help make the browser experience better.</p> <h2 id="dark-mode-">Dark mode 🌒</h2> <p>If you stay up into the wee hours of the night like I do, you likely favor websites and apps that do dark mode well. 
This update brings full support for dark mode to 1Password in the browser—and it’s never looked better.</p> <img src='https://blog.1password.com/posts/2021/1password-in-the-browser/popup_dark.png' alt='Image showing a Discord login item in dark mode' title='Image showing a Discord login item in dark mode' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>And the pop-up isn’t the only piece that looks great in shades; our on-page suggestions also look right at home on both light and dark websites.</p> <img src='https://blog.1password.com/posts/2021/1password-in-the-browser/inline_dark.png' alt='Image showing on-page login suggestions in dark mode' title='Image showing on-page login suggestions in dark mode' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <h2 id="a-brand-new-save-experience-">A brand new save experience ✅</h2> <p>Since it’s critical to use a different password for each of your accounts, we&rsquo;ve made it easier than ever to create, save, and update logins right in the browser.</p> <p>When the save window appears, you can instantly see everything that will be added to the new item. You can even adjust the contents and add tags to help you stay organized. In addition, our recently updated password generator will suggest passwords that fit the requirements of the website you’re on so you don’t have to worry about the details if you don’t want to.</p> <img src='https://blog.1password.com/posts/2021/1password-in-the-browser/save_new_item.png' alt='Image showing the new save experience in 1Password in the browser' title='Image showing the new save experience in 1Password in the browser' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>This is even more awesome when updating an existing Login item. 
If you’re updating a login to use a strong, unique password, or changing your username (tip: create a secure one with our free <a href="https://1password.com/username-generator/">username generator</a>!), you can see exactly what will change in your login before saving.</p> <img src='https://blog.1password.com/posts/2021/1password-in-the-browser/save_update_item.png' alt='Image showing the new update experience in 1Password in the browser' title='Image showing the new update experience in 1Password in the browser' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <h2 id="get-the-latest-and-greatest-">Get the latest and greatest 💜</h2> <p>If you’re already using 1Password in the browser (the extension formerly known as 1Password X), you’ll be automatically updated to version 2.0 when you next launch your browser. If you’re new to 1Password in the browser, I’d love to <a href="https://support.1password.com/getting-started-browser/">help you get started</a>.</p> <p>In addition to the highlights mentioned above, this release also contains 55 other fixes and improvements. For those who are curious, we have a brand new <a href="https://releases.1password.com/b5x/stable/#whats-new">releases page</a> that describes all the changes in this and previous updates. 
Altogether, this makes for the best browser password management experience ever made.</p></description></item><item><title>Raising the stakes: Doubling the rewards on our bug bounty program</title><link>https://blog.1password.com/bug-bounty-updates/</link><pubDate>Tue, 25 May 2021 00:00:00 +0000</pubDate><author>info@1password.com (Rick van Galen)</author><guid>https://blog.1password.com/bug-bounty-updates/</guid><description> <img src='https://blog.1password.com/img/headers/security-header.svg' class='webfeedsFeaturedVisual' alt='Raising the stakes: Doubling the rewards on our bug bounty program' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">At 1Password, we&rsquo;re always striving to make our products and services as secure as possible, and we couldn&rsquo;t do it without your help. To say thanks, we&rsquo;re increasing our bug bounty rewards.</p> <p>Since day one, we&rsquo;ve encouraged everyone to reach out to us with suggestions around how we could improve <a href="https://1password.com/security/">1Password security</a>. Though our team works hard every day to design and build the most secure password manager there is, that doesn&rsquo;t mean we don&rsquo;t have blind spots. That&rsquo;s why we&rsquo;ve worked with Bugcrowd since 2017 to be able to reward researchers who point us towards anything we might have missed. When a researcher finds something we&rsquo;ve overlooked, we want to hear from them, and reward them for their efforts.</p> <p>In the last few years we&rsquo;ve rewarded more than one hundred submissions to our Bugcrowd program, with an average reward payout of over $800 (USD). While our $100,000 (USD) top bounty remains unclaimed, we find enormous value in the reports we get at the other levels. The creativity on display in some of the reports, even if they&rsquo;re minor issues, is amazing. 
We&rsquo;re excited to announce today that we&rsquo;re doubling the maximum rewards for researchers at those levels. This means researchers can be rewarded up to $300 (USD) for small suggestions, and up to $30,000 (USD) for the highest priority bugs below the top bounty.</p> <h2 id="ready-to-dive-in">Ready to dive in?</h2> <p>1Password <a href="https://1password.com/security/">has many layers of defense</a> to protect customer data from prying eyes at all times. As a result, even just taking a glance at the security of 1Password services requires a serious time investment. That&rsquo;s why we are also <a href="https://github.com/1Password/burp-1password-session-analyzer">open sourcing a tool</a> for security researchers to make it easier to dive in and start testing 1Password. This allows anyone familiar with Burp Suite – a tool commonly used to assess the security of web applications and APIs – to easily take a closer look.</p> <p>Want to get involved? Here&rsquo;s how:</p> <ol> <li>Go to <a href="https://bugcrowd.com/user/sign_up">bugcrowd.com</a> and set up an account.</li> <li>Read the documentation on the <a href="https://bugcrowd.com/agilebits">1Password Bugcrowd profile</a></li> <li>Read the AgileBits Bugcrowd brief to find additional documentation on APIs, hints about the location of some of the flags, and other resources, as well as the Burp Suite plugin.</li> <li>Get started!</li> </ol></description></item><item><title>Welcoming Linux to the 1Password Family</title><link>https://blog.1password.com/welcoming-linux-to-the-1password-family/</link><pubDate>Tue, 18 May 2021 00:00:00 +0000</pubDate><author>info@1password.com (Dave Teare)</author><guid>https://blog.1password.com/welcoming-linux-to-the-1password-family/</guid><description> <img src='https://blog.1password.com/posts/2021/linux-launch/header.png' class='webfeedsFeaturedVisual' alt='Welcoming Linux to the 1Password Family' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' 
/> <p class="introduction">The wait is over. <a href="https://support.1password.com/getting-started-linux/">1Password for Linux is officially here</a>.</p> <p>Linux support is far and away our most requested feature. Bringing the world’s most loved password manager to such a passionate community – and building on the incredible work of the open source community – is both humbling and exciting for all of us at 1Password.</p> <p>So today we’re rolling out the red carpet for our Linux friends. 🤗</p> <p>I know many of you have been using <a href="https://support.1password.com/getting-started-browser/">1Password in your browser</a> to generate and store strong, unique passwords for a long time. And we&rsquo;re proud of how well that works. But nothing beats a full-featured desktop app that takes advantage of everything the operating system has to offer, especially if it can make the browser experience itself better (spoiler alert: it does).</p> <p>Let’s take a walk up the red carpet and see what awaits us.</p> <h2 id="loaded-with-goodies">Loaded with goodies</h2> <img src='https://blog.1password.com/posts/2021/linux-launch/add_account-dark.png' alt='Dark themed 1Password lock screen running in Gnome desktop environment' title='Dark themed 1Password lock screen running in Gnome desktop environment' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>We believe that <a href="https://blog.1password.com/1password-apps/">native apps with deep integration create a better experience</a>, so 1Password for Linux will feel right at home on your desktop, whichever flavor of Linux you choose.</p> <p>Out of the box, you&rsquo;ll find:</p> <ul> <li>Automatic Dark Mode selection based on your GTK theme</li> <li>Open network locations (FTP, SSH, SMB)</li> <li>Integration with GNOME, KDE, and your favorite window manager</li> <li>System tray icon support for staying unlocked while closed</li> <li>Open and fill in your default browser</li> <li>X11 
clipboard integration and clearing</li> <li>GNOME Keyring and KDE Wallet support</li> <li>Kernel keyring integration</li> <li>DBUS API support</li> <li>Command line API</li> <li>Integration with system lock and idle services</li> </ul> <img src='https://blog.1password.com/posts/2021/linux-launch/watchtower-light.png' alt='1Password Watchtower dashboard running in Gnome desktop environment' title='1Password Watchtower dashboard running in Gnome desktop environment' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>1Password for Linux also debuts with several features that are coming soon to <a href="https://1password.com/mac/">1Password for Mac</a>, Windows, iOS, and Android:</p> <ul> <li>Secure file attachments</li> <li>Item archiving and deletion features for better document organization</li> <li>Watchtower Dashboard to monitor and evaluate your password security health</li> <li>New sharing details to see who has access to what</li> <li>Quick Find and intelligent search suggestions</li> <li>A beautiful new look and feel based on our new design language</li> </ul> <h2 id="unified-experience-and-passwordless-login">Unified experience and passwordless login</h2> <p>When you go all-in on deep integration with the operating system, you get to do some awesome things… like using the Linux kernel keyring to establish a fully encrypted connection between 1Password for Linux and 1Password in the browser.</p> <p>That means when you unlock one you automatically unlock the other. 🙌🏼</p> <img src='https://blog.1password.com/posts/2021/linux-launch/biometrics.gif' alt='Gif showing 1Password being used in Firefox and unlocked via 1Password for Linux' title='Gif showing 1Password being used in Firefox and unlocked via 1Password for Linux' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>Another example? Passwordless login. 
If you use your computer’s fingerprint sensor or a <a href="https://www.yubico.com/us/works-with-yubikey/catalog/1password/">Yubikey</a> to unlock your computer, you can now use those same methods to unlock 1Password for Linux. If it works in your distro, it’ll work in 1Password.</p> <h2 id="linux-to-the-core">Linux to the core</h2> <img src='https://blog.1password.com/posts/2021/linux-launch/authentication.png' alt='1Password authentication prompt running in Gnome desktop environment' title='1Password authentication prompt running in Gnome desktop environment' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>The backend and underlying logic for 1Password for Linux is written in Rust, a fast and secure open source systems programming language. Rust has seen widespread adoption in enterprise because of its strong security, and is even being proposed as an official language for the Linux kernel.</p> <p>The <a href="https://github.com/briansmith/ring">ring crypto</a> Rust crate powers the encryption in 1Password for Linux. Ring is easy to use, and just as important, hard to misuse, which allows us to deliver the uncompromising security you expect from 1Password.</p> <p>Finally, the user interface (UI) is written in React with Neon bindings to the Rust backend, which allows us to create a fast, beautiful interface while serving as much of the Linux community as possible. At launch, the following distros and app stores are supported:</p> <ul> <li>Debian</li> <li>Ubuntu</li> <li>CentOS</li> <li>Fedora</li> <li>Arch Linux</li> <li>Red Hat Enterprise Linux</li> <li>Snap store</li> </ul> <p>Using another distro? No worries: Just install 1Password for Linux from the .tar.gz package.</p> <h2 id="giving-back-to-the-open-source-community">Giving back to the open source community</h2> <p>1Password for Linux would not be possible without the incredible work of the open source software community. 
From Rust and Ring to React and Neon – and many more – we’re thankful for these free software projects and committed to giving back.</p> <p>In that spirit, we sponsor a few open source projects like <a href="https://tokio.rs">Tokio</a> and <a href="https://rust-analyzer.github.io">rust-analyzer</a>. We&rsquo;ve also open-sourced several of the libraries we built to power 1Password for Linux, including an <a href="https://github.com/1password/electron-hardener">Electron hardener</a> and <a href="https://github.com/1password/electron-secure-defaults">secure defaults</a> package that, together, create a secure frontend foundation for 1Password.</p> <p>As our way of saying thanks, open source teams can get a free 1Password account simply by opening a pull request against our <a href="https://github.com/1Password/1password-teams-open-source">1Password for Open Source Projects</a> repo. Even better? That free account now includes <a href="https://1password.com/products/secrets/">unlimited use of Secrets Automation</a>. To date, we’ve provided more than 250 open source projects with free 1Password accounts.</p> <h2 id="open-for-business">Open for Business</h2> <p>With Linux joining the 1Password family, 1Password now works wherever you work.</p> <p>That means your HR team can spend all day in Windows and get the same consistent 1Password experience as your DevOps team who spend all day in an Ubuntu terminal. It all just works, everywhere.</p> <p>And of course – like all <a href="https://1password.com/business/">1Password Business</a> team members – your teams get free-as-in-beer <a href="https://1password.com/personal/">1Password Families accounts</a>, so they’ll get that same great experience at home on the kids’ iPad, too.</p> <p>I hope you enjoy <a href="https://1password.com/downloads/linux/">1Password for Linux</a> as much as we’ve enjoyed creating it. Please take it through its paces and let us know what you think. And who knows? 
Maybe 2021 will indeed be the year of Linux on the Desktop. 🐧🥳</p> <p><em>Want to discuss the news with fellow Linux users? <a href="https://1password.community/categories/linux">Join the conversation on our forum</a>, stop by <a href="https://www.reddit.com/r/1Password/comments/ng9psn/were_the_creators_of_1password_for_linux_ask_us/">Reddit for our official AMA</a>, or <a href="https://1password.com/webinars">join our devs for a demo of 1Password for Linux</a>.</em></p> <img src='https://blog.1password.com/posts/2021/linux-launch/apt-get-1password.png' alt='Ubuntu terminal displaying the command apt-get install 1password' title='Ubuntu terminal displaying the command apt-get install 1password' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /></description></item><item><title>Digital estate planning: How to share digital accounts safely</title><link>https://blog.1password.com/digital-estate-planning-guide/</link><pubDate>Wed, 12 May 2021 00:00:00 +0000</pubDate><author>info@1password.com (Nick Summers)</author><guid>https://blog.1password.com/digital-estate-planning-guide/</guid><description> <img src='https://blog.1password.com/posts/2021/trust-will-digital-estate-plan/header.png' class='webfeedsFeaturedVisual' alt='Digital estate planning: How to share digital accounts safely' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">We’re all familiar with wills. But have you considered your digital estate? By that, we mean all of your personal data, including any service that you log into online. Many people don’t realize they need a handover plan, which can create complications for their loved ones when they pass away.</p> <p>If you want to avoid any legal and technological headaches, follow this beginner’s guide, which we created in partnership with estate-planning expert <a href="https://trustandwill.com/">Trust &amp; Will</a>. 
“By creating a digital estate plan, you are protecting your online assets from risks like identity theft, hacking, and fraud,” Patrick Hicks, Head of Legal at Trust &amp; Will explained.</p> <h2 id="what-is-digital-estate-planning">What is digital estate planning?</h2> <p>Digital estate planning is like traditional estate planning – but focused on everything that makes up your digital life. The process involves taking stock of your assets, including online accounts, cryptocurrencies, and data stored on personal devices, hard drives, and cloud-based services. The next step is to make arrangements so that someone you trust can access your assets securely. A digital estate plan should also come with instructions that clearly explain what you would like to happen to everything you&rsquo;ve handed over.</p> <p><strong>Contents</strong></p> <ul> <li><a href="#step-1-take-stock-of-your-data">Step 1: Take stock of your data</a></li> <li><a href="#step-2-consider-who-will-be-inheriting-your-data">Step 2: Consider who will be inheriting your data</a></li> <li><a href="#step-3-decide-how-to-hand-over-your-data">Step 3: Decide how to hand over your data</a></li> <li><a href="#step-4-think-about-two-factor-authentication">Step 4: Think about two-factor authentication</a></li> <li><a href="#step-5-consider-the-information-that-you-dont-normally-keep-in-a-password-manager">Step 5: Consider the information that you don’t normally keep in a password manager</a></li> <li><a href="#step-6-look-into-dead-mans-switches">Step 6: Look into dead man’s switches</a></li> <li><a href="#step-7-explain-your-setup-to-the-people-you-love-and-trust">Step 7: Explain your setup to the people you love and trust</a></li> <li><a href="#keep-coming-back-to-it">Keep coming back to it</a></li> </ul> <h2 id="how-to-create-a-digital-estate-plan">How to create a digital estate plan</h2> <h3 id="step-1-take-stock-of-your-data">Step 1: Take stock of your data</h3> <p>First, you need to know the breadth and 
depth of your data trove. Figuring this out can be tricky if your logins are scattered around on sticky notes and spreadsheets. If you use a <a href="https://1password.com/password-manager/">password manager</a> like <a href="https://1password.com/personal/">1Password</a>, you can keep everything in one place and protect it all with a single password. Otherwise, you’re going to have to rack your brain and pull everything together the old-fashioned way.</p> <p>As you go through this process, make a note of the accounts that you consider the most important or valuable. These will probably fall into one of three buckets: money, crucial information, and ways to contact other people. You should end up with a list that covers some or all of the following:</p> <ul> <li>Banking</li> <li>Any mortgages or deeds</li> <li>Government and tax-related services</li> <li>Student loans</li> <li>Pension</li> <li>Cloud storage</li> <li>Email</li> <li>Social media</li> <li>Domain names and websites</li> <li>Entertainment services, like Netflix and Spotify</li> <li>Productivity apps including 1Password</li> <li>Virtual currency, such as Bitcoin</li> </ul> <p>Completing this exercise will give you some perspective on what you’re trying to hand over. It could also reveal some important accounts that you’ve forgotten about or rarely use. You might have a long-abandoned profile on MySpace or Bebo, for instance. Or racked up some points with an airline company that, due to the pandemic, you haven’t contacted or thought about in a while.</p> <h3 id="step-2-consider-who-will-be-inheriting-your-data">Step 2: Consider who will be inheriting your data</h3> <p>What makes sense to you could be confusing for someone else. A lot of people have never used a password manager, for instance. A relative might not be patient or tech-savvy enough to learn, either. Alternatively, you might have a family that is already familiar and onboard with using a password manager. 
Regardless, you should think about the person who will be receiving your data and the type of handover they’ll be able to follow.</p> <h3 id="step-3-decide-how-to-hand-over-your-data">Step 3: Decide how to hand over your data</h3> <p>There are many different ways to do this. If you use a password manager like 1Password, you could explain to your loved ones how to log into your account. The easiest way is to write some instructions and leave them in a personal safe, alongside your traditional will, or with whoever manages your will, such as an attorney or estate-planning company like Trust &amp; Will.</p> <p>Many password managers also have built-in sharing capabilities. 1Password has vaults, for instance, that work like shareable folders. If you go down this route, you won’t have to share the sensitive credentials required to log into your password manager. It will also give you more control over how much of your personal data is passed on.</p> <p>Alternatively, you can export your data. Or, if you don’t have a password manager, create a simple spreadsheet. Be warned: you’ll be storing everything in a file format that anyone can read. This option might be attractive if the intended recipient doesn’t have or want a password manager. The downside is that if the wrong person stumbles upon the file, they’ll immediately have access to all your digital accounts. Put the file on a drive or USB stick – preferably encrypted – and keep it somewhere secure, such as a personal safe.</p> <h3 id="step-4-think-about-two-factor-authentication">Step 4: Think about two-factor authentication</h3> <p>What’s better than a long and random password? A long and random password backed up by two-factor authentication (2FA). The latter is a second line of digital defence. Every time you log in, the service will ask for a time-sensitive code that needs to be retrieved from a particular device or app. 
It’s designed to ensure that it is you, and not someone who has somehow discovered your password, trying to access your account. While effective, these one-time codes can be a stumbling block for friends and family trying to inherit your digital assets.</p> <p>The simplest solution? Use a password manager. Some, like 1Password, can store the secret behind those codes alongside the login and generate the current code whenever you need it. So if you give someone instructions to log into your account, they inherit your 2FA codes, too, because the seed that produces them lives in the vault. Another option is to bundle them with your passwords inside a shared vault or folder.</p> <p>If you don’t like these options, there are some alternatives. One-time passwords can be sent via text message, for instance. While not the most secure method – attackers have learned to intercept codes using <a href="https://www.wired.com/story/sim-swap-attack-defend-phone/">so-called SIM-swap (or ‘SIM jacking’) attacks</a>, in which they persuade your carrier to move your number to a phone they control – it’s an easy one for relatives to understand. There are a bunch of standalone authentication apps, too, such as <a href="https://authy.com/">Authy</a> and <a href="https://support.google.com/accounts/answer/1066447?co=GENIE.Platform%3DAndroid&amp;hl=en">Google Authenticator</a>. Some of these <a href="https://support.google.com/accounts/answer/1066447?co=GENIE.Platform%3DAndroid&amp;hl=en#zippy=%2Cset-up-google-authenticator-on-multiple-devices">can be set up on multiple devices</a>, meaning you don’t have to worry about whether your loved ones can unlock your phone.</p> <h3 id="step-5-consider-the-information-that-you-dont-normally-keep-in-a-password-manager">Step 5: Consider the information that you don’t normally keep in a password manager</h3> <p>Password managers are a convenient place to store <a href="https://blog.1password.com/storing-important-documents/">all kinds of sensitive information</a>. But most people have at least one or two passwords that they prefer to keep in their brain. 
The password for your laptop, perhaps, or the code required to unlock your safe. Will your loved ones need this information to inherit your digital estate? If so, think about the ways you might feel comfortable handing it over. You might want to include them in your physical will, or with the instructions to log into your password manager.</p> <h3 id="step-6-look-into-dead-mans-switches">Step 6: Look into dead man’s switches</h3> <p>Some services will automate the process of handing over data or access to your accounts. Google’s <a href="https://support.google.com/accounts/answer/3036546?hl=en">Inactive Account Manager</a>, for instance, lets you choose a custom length of time. If you don’t log into your account, the timer will eventually run out and an email will be sent to a list of pre-chosen contacts. These messages can be a simple alert or contain links to data that you’ve stored with Google, depending on your preference. For some, this method is preferable because it doesn’t require the recipient to have a password manager or understand 2FA codes.</p> <h3 id="step-7-explain-your-setup-to-the-people-you-love-and-trust">Step 7: Explain your setup to the people you love and trust</h3> <p>Finally, you need to sit down and talk to the people who will be inheriting your accounts. If you want to use a password manager for your handover, spend a day or two walking them through the process. If you’re going to leave some instructions in a safe, show them how to open it. These demonstrations will give them a chance to ask questions and raise concerns that you might not have considered.</p> <h2 id="keep-coming-back-to-it">Keep coming back to it</h2> <p>Our lives are always changing. You might buy a new phone, switch banks or invest in a digital currency for the first time. Technology is constantly evolving, too. More companies are thinking about security and adding two-factor authentication as an option. We’re adding new features to 1Password all the time, too. 
It’s important, therefore, to come back every so often and think about what, if anything, you need to change about your digital estate plan.</p> <p>You should also keep talking to your loved ones. They might forget where you’ll be leaving your handwritten instructions, or how to access the shared vault that you’ve set up for them in 1Password. Some will benefit from a ‘trial run’ every so often. These conversations can be difficult, but if you’re honest and flexible with the people you care about, your digital handover should go off without a hitch.</p> <aside class="c-technical-aside-box c-technical-aside-box--background" aria-labelledby="frequently-asked-questions-faqs"> <h2 class="c-technical-aside-box__title" id="frequently-asked-questions-faqs"> Frequently asked questions (FAQs) </h2> <div class="c-technical-aside-box__description"> <h3 id="how-do-i-set-up-a-digital-estate-plan">How do I set up a digital estate plan?</h3> <p>That depends on who will be inheriting your data. You could leave instructions for accessing your 1Password account in a safe, or alongside your traditional will. But if the intended recipient has never used a password manager before, you might want to consider a different form of handover.</p> <h3 id="how-do-you-write-an-estate-plan-for-digital-assets">How do you write an estate plan for digital assets?</h3> <p>There isn&rsquo;t a &lsquo;correct&rsquo; way to do this. Find a format that works for you and the person who will be inheriting your data. You could use a simple text file, with sections for different asset types, or a handwritten note that explains the structure of your vaults in 1Password.</p> <h3 id="what-is-a-simple-checklist-to-complete-when-using-digital-assets">What is a simple checklist for digital assets?</h3> <p>Create a personalised checklist by writing down all of your digital assets, including online accounts. 
You can do this by working through the following categories: banking, government and tax-related services, student loans, pension, mortgages and deeds, social media, email, cryptocurrencies, personal websites and domains, cloud storage, and entertainment services.</p> </div> </aside> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Get 25% off 1Password Families</h3> <p class="c-call-to-action-box__text"> Organize your digital estate plan with 1Password Families. Sign up now and get 25% off your first year. </p> <a href="https://start.1password.com/sign-up/family?c=1PBLOGS&amp;utm_medium=promo&amp;utm_source=blog&amp;utm_campaign=families" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Get 25% off </a> </div> </section></description></item><item><title>Secure your medical record with 1Password</title><link>https://blog.1password.com/introducing-the-medical-record/</link><pubDate>Tue, 11 May 2021 00:00:00 +0000</pubDate><author>info@1password.com (Megan Barker)</author><guid>https://blog.1password.com/introducing-the-medical-record/</guid><description> <img src='https://blog.1password.com/posts/2021/medical-records/header.svg' class='webfeedsFeaturedVisual' alt='Secure your medical record with 1Password' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">At 1Password, we&rsquo;ve always worked hard to help you secure your digital life. 
You can use our password manager to safely store and access logins, passwords, company credit cards, email addresses, and other identity information.</p> <p>It’s also a great place to keep copies of important documents – everything from birth certificates to real estate records – the list is endless.</p> <p>And today, that list got a little bit longer with the addition of a brand new item type with distinct fields to help you store and track health-related information. Introducing the Medical Record, available to all 1Password subscribers.</p> <p>Add a title, date, practitioner’s name, and anything else you want to save. We&rsquo;ve included some default data suggestions and, like other 1Password item types, you can add custom fields and remove others as you see fit. It’s all incredibly flexible and practical – and that was the goal.</p> <img src='https://blog.1password.com/posts/2021/medical-records/medical-record.png' alt='Screenshot of an unedited Medical Record item' title='Screenshot of an unedited Medical Record item' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>New features and item types aren’t born out of think-tank brainstorm sessions in far-away company offices. We listen to our user base and then build software to help make their lives a little simpler. We believe this human approach changes the way our password manager is designed. And the new Medical Record is no exception.</p> <p>Our Customer Support team received countless user requests for a specific place in 1Password to keep COVID-19 vaccination information. We liked the concept, but didn’t want to stop there. 
We set out to create a new item type that was as versatile and accessible as possible, without compromising security.</p> <p>We want you to be able to pull out your phone during a doctor’s visit, quickly and easily search, and access your vaccination record, or any other medical information you’ve saved.</p> <p>We want you to be able to share certain details about your health (if you’re comfortable sharing them) with family members or loved ones, in the event of an emergency.</p> <p>We want to be there, to help make things a little easier right now, the best way we know how – with security and convenience in mind. It’s been a difficult fourteen-plus months, but there’s a light at the end of the tunnel.</p> <section class="c-call-to-action-box c-call-to-action-box--purple"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Get 25% off 1Password Families</h3> <p class="c-call-to-action-box__text"> Secure your digital life with 1Password Families. Sign up now and get 25% off your first year. 
</p> <a href="https://start.1password.com/sign-up/family?c=1PBLOGS&amp;utm_medium=promo&amp;utm_source=blog&amp;utm_campaign=families" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--purple" data-event-category="CTA" data-event-action="call-to-action-button"> Get 25% off </a> </div> </section></description></item><item><title>Why World Password Day is more relevant than ever</title><link>https://blog.1password.com/world-password-day-2021/</link><pubDate>Thu, 06 May 2021 00:00:00 +0000</pubDate><author>info@1password.com (Daniel Duke)</author><guid>https://blog.1password.com/world-password-day-2021/</guid><description> <img src='https://blog.1password.com/posts/2021/world-password-day-2021/header.svg' class='webfeedsFeaturedVisual' alt='Why World Password Day is more relevant than ever' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Cybercrime is on the rise, businesses have become the number one target, and data breaches are costing companies millions. With most breaches caused by weak, reused, or stolen credentials, it&rsquo;s time to talk about your passwords.</p> <h2 id="times-have-changed-passwords-havent">Times have changed, passwords haven’t</h2> <p>Businesses have relied on passwords for more than 70 years. Back then, and until the rise of enterprise software, there was little need for long, complex passwords. A pet’s name or a spouse’s birthday worked just fine. Fast forward a few decades, and it’s a different story. An estimated 81% of data breaches are now caused by compromised credentials.</p> <h2 id="if-data-wasnt-valuable-hackers-wouldnt-hack-it">If data wasn’t valuable, hackers wouldn’t hack it</h2> <p>The prevalence of cookies, trackers, and other data collection tools has boosted the volume and value of a company’s data assets. Even the smallest company has something to lose from a breach, the most precious being its reputation as a trusted place to do business. 
And without trust, sales suffer, customers leave, and market share falls. The larger a company grows, the more it becomes a target and the more valuable its data becomes, both to the company collecting it and to hackers who steal it.</p> <p>Bad passwords (short, simple, predictable ones) and even complex ones that are reused across multiple applications can cause major havoc, <a href="https://www.ibm.com/uk-en/security/data-breach">racking up an average of $3.8 million in damage from a single event</a>.</p> <h2 id="passwords-are-the-easiest-way-in">Passwords are the easiest way in</h2> <p>Criminals armed with sophisticated password-guessing software and access to large, <a href="https://blog.1password.com/what-comb-means-for-you-and-your-business/">leaked data sets like COMB</a> can recover most eight-character passwords in seconds when the password already appears in a leak or the stolen hashes use a fast algorithm, giving them access to invaluable troves of customer and company secrets. It’s no wonder that 300 million security incidents occurred in 2020, and the numbers keep rising.</p> <p>COVID-19’s shelter-in-place mandates have only made these vulnerabilities worse. While company-owned desktop computers sat idle in dark offices, workers booted up their laptops and were greeted by an array of tempting personal productivity software that IT had no way to see or control. Despite heavy investments in SSO, IAM, MFA and other technologies to remove password risk, the growing use of Shadow IT and the realities of human nature made enforcement nearly impossible.</p> <h2 id="were-all-fallible--and-thats-okay">We&rsquo;re all fallible – and that&rsquo;s okay</h2> <p>Under pressure to meet deadlines and in the privacy of their own homes, information workers often find the simplest way to get work done, whether these methods are covered by IT’s security protocols and policies, or not. 
In addition, developers moving fast to deliver new projects might forget to remove unencrypted secrets from their code, and file-sharing habits may slip under the pressure of a delivery date.</p> <p>These aren’t problems that are going away as the world returns to “normal.” In 2020, companies cast a wide net for new talent, hiring the best candidates from every corner of the globe. So while many workers make their way back to the relative security of the office, many others are opting to work hybrid, continuing to collaborate and share information through Zoom, Slack, project management software, Google Docs, “unauthorized” developer tools, and other off-the-approved-list tools.</p> <p>Every bad password and unprotected secret is a weak link in your company’s foundation, because compromised credentials from one account can give hackers the information they need to access more important data elsewhere in the system. The SolarWinds breach, one of the largest and broadest hacks in history, brought to light a “solarwinds123” credential that the company said an intern had set; whether or not that password was the attackers’ way in, it shows how little can stand between a guessable password and a company’s most sensitive systems.</p> <p>Adopting an <a href="https://1password.com/enterprise/">enterprise password manager</a> – the right one – can close these gaps, secure popular productivity software, and make the hybrid workplace a more productive and secure place to work. The success of this strategy depends largely on whether the one you select is easy to adopt and use, because if it isn’t easy, it won’t be used.</p> <h2 id="choose-the-1-for-business">Choose the 1 for business</h2> <p>1Password solves the problems that arise from shadow IT, hybrid work, file sharing, and more, and it doesn’t slow your teams down. While many enterprise password managers make similar claims, 1Password proves its worth in more than 80,000 businesses worldwide because it’s so easy to use, it becomes an integral part of every business process. Every time an app is opened, 1Password is there to provide safe, instant access. 
Every time a sensitive file is created it goes into a vault to be shared with a select team on a need-to-know basis. And our new Secrets Automation lets developers secure, orchestrate, and manage infrastructure secrets like machine tokens, documents, and code within a core team, safe from prying eyes.</p> <p>1Password works the way today’s businesses work, integrating with your existing platforms and programs across all devices, so productivity thrives, work flows, and secrets remain secret. With clear visibility and advanced reporting tools, IT is given a complete overview of each individual’s password compliance, alerts of breach attempts, and other critical security information. We protect users at home, too, with free 1Password Families accounts for every employee.</p> <h2 id="how-were-celebrating-world-password-day">How we’re celebrating World Password Day</h2> <p>We’re building on our 15-year heritage by listening to our customers and continually making our products stronger. So we can say with confidence that adopting 1Password is the first step in building a culture of security and closing many of the gaps that let intruders in.</p> <p>We’re developing new training, adding new platforms, and innovating powerful, scalable new features, giving you the freedom to think big and grow as fast as you like. In the process, we’ve ventured well beyond the traditional definition of password management. We just announced <a href="https://blog.1password.com/introducing-secrets-automation/">Secrets Automation</a>, helping businesses secure hardware, code, and other development secrets. And new initiatives are in the pipeline that we can’t wait to tell you about.</p> <p>So Happy World Password Day everyone! Your secrets are safe with us. 
1Password is the 1 for business.</p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Join the webinar: How to Create a Culture of Security in Your Organization</h3> <p class="c-call-to-action-box__text"> Tune in on Wednesday, May 26th at 8am PST/11am EST for a peek behind the curtain as Rob MacDonald, our head of product marketing, sits down with Security Training Expert, Harlie Hardage, to discuss how we build a culture of security. </p> <a href="https://1password.zoom.us/webinar/register/1016200856465/WN_XvB6wSNfRq6EcAyDnpYEdg" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Register now </a> </div> </section></description></item><item><title>Going further to support journalists on World Press Freedom Day</title><link>https://blog.1password.com/world-press-freedom-day-2021/</link><pubDate>Mon, 03 May 2021 00:00:00 +0000</pubDate><author>info@1password.com (Nick Summers)</author><guid>https://blog.1password.com/world-press-freedom-day-2021/</guid></item><item><title>Hello from SecretHub</title><link>https://blog.1password.com/secrethub-acquisition/</link><pubDate>Wed, 14 Apr 2021 00:00:00 +0000</pubDate><author>info@1password.com (Marc Mackenbach)</author><guid>https://blog.1password.com/secrethub-acquisition/</guid><description> <img src='https://blog.1password.com/posts/2021/secrethub-acquisition/header.svg' class='webfeedsFeaturedVisual' alt='Hello from SecretHub' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">By now, you’ve heard the news. SecretHub, the company I founded in 2014, is joining 1Password. 
<a href="https://secrethub.io/blog/secrethub-joins-1password/">I’ve shared my thoughts and next steps with SecretHub customers</a> – without whom I wouldn’t be here – but today I want to address you, 1Password customers.</p> <p>I’ll start by saying this:</p> <p>Boy, it’s good to be here. Let me tell you why.</p> <h2 id="the-secrethub-story">The SecretHub story</h2> <p>The first product we built at SecretHub was a secure, end-to-end encrypted file syncing service. While working on that application, we ran into an interesting problem.</p> <p>Like everyone else, we were deploying more frequently than ever before, sometimes multiple times a day. And like every cloud application, our software needed a handful of credentials to access a database and a few APIs. But where to put those credentials?</p> <p>We had two options. We could put the secrets in our code (or somewhere else where they would be visible to a number of people) but that would leave them exposed. Or we could restrict access to one person (me) and manually input the credentials each time we deployed.</p> <p>Choosing security over speed, we opted for the manual route. I didn’t like having to choose between speed and security, so I started looking for solutions… only to realize that what I was looking for didn’t exist at the time.</p> <p>So, much like <a href="https://blog.1password.com/accel-partnership/">Dave Teare and Roustem Karimov built 1Password to solve their own password management problem way back in 2005</a>, we scratched our own itch and built the secrets management platform we desperately needed ourselves. SecretHub was born.</p> <h2 id="building-for-developers">Building for developers</h2> <p>Our mission was to bring great <a href="https://blog.1password.com/risks-of-mismanaging-corporate-secrets/">secrets management</a> to every business, of every size and every budget. 
To accomplish that, SecretHub needed a killer user experience, including a proper interface.</p> <p>That required more resources than we had at the time, so we focused instead on building a great tool for people who don’t particularly need an interface: software engineers. By focusing on developers, we could forego the visual experience and build great command-line tools.</p> <p>That focus allowed us to think like developers, and for the questions we were asking to evolve. How do you deliver a secret from a central store to the application itself in a way that requires almost no changes or implementation effort? How do you do it in a way that’s consistent across all your environments, whether it’s development or production, or whether you’re working locally or in CI/CD, or on AWS?</p> <p>Creating a consistent experience wasn’t just about usability; it also saved a ton of resources. By simplifying and standardizing, you free up a lot of time that IT would’ve otherwise spent doing training, integration, and maintenance. Not to mention drastically reducing incident response time.</p> <h2 id="what-we-can-accomplish-together">What we can accomplish, together</h2> <p>If you build a company that focuses on solving developer problems with simple, elegant command-line tools, but dream of having the resources to build a world-class user experience, who better to join forces with than 1Password?</p> <p>We’d been a <a href="https://1password.com/business/">1Password business</a> customer for years. We knew what 1Password was: an exceptional user experience built on an uncompromising security architecture. The technical bits all fit.</p> <p>More importantly, the philosophical stars aligned, too.</p> <p>1Password believes that good security starts with making the most secure thing to do the easiest thing to do. 
Unfortunately, 96 percent of developers recognize that there’s a fundamental disconnect between security and productivity, according to a <a href="https://go.shiftleft.io/hubfs/Resources/Surveys/Developer%20Productivity%20and%20Security%20Survey/Developer%20Productivity%20&amp;%20Security%20Survey%20-%20June%202020.pdf">2020 ShiftLeft report</a>.</p> <p>And they’re right. There are always competing priorities, and security is usually the first thing to be cut in the pursuit of speed and agility. But by making it easier to do the secure thing than to do the insecure thing, you enhance security <em>and</em> eliminate bottlenecks.</p> <p>That’s what <a href="https://1password.com/products/secrets/">Secrets Automation</a> does. It enables organizations not just to move faster without compromising security, but to move faster precisely <em>because</em> you’re enhancing security. As someone who’s been in this game for a while, that’s exciting. It changes everything.</p> <p>Now, let’s get to work.</p></description></item><item><title>Introducing 1Password Secrets Automation</title><link>https://blog.1password.com/introducing-secrets-automation/</link><pubDate>Tue, 13 Apr 2021 00:00:00 +0000</pubDate><author>info@1password.com (Jeff Shiner)</author><guid>https://blog.1password.com/introducing-secrets-automation/</guid><description> <img src='https://blog.1password.com/posts/2021/secrets-automation-launch/header.svg' class='webfeedsFeaturedVisual' alt='Introducing 1Password Secrets Automation' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Secure, orchestrate, and manage your company’s infrastructure secrets with 1Password Secrets Automation.</p> <p>Today is a big day at 1Password. Today, we’re launching 1Password <a href="https://1password.com/products/secrets/">Secrets Automation</a>, a new way to secure, orchestrate, and manage your company’s infrastructure secrets. 
With the addition of Secrets Automation, 1Password can now protect all of your company’s secrets in one place.</p> <h2 id="passwords-and-infrastructure-secrets-all-in-one-place">Passwords and infrastructure secrets, all in one place</h2> <p>Since 2005, 1Password has been keeping secrets safe for humans like you and me: our passwords, our credit cards, our personal documents.</p> <p>Machines have secrets, too. These secrets give humans and machines access to other machines. They’re how a database admin accesses a database, or an app accesses another app. Secrets are the lifeblood of the growing organism that is your infrastructure.</p> <p>And that organism is growing faster than anyone could&rsquo;ve predicted. Every company is now, to some degree, a technology company. We&rsquo;re all shipping software at an incredible pace. And we&rsquo;re not doing it on a single cloud platform. We&rsquo;re multi-cloud. We&rsquo;re deploying continuously. We&rsquo;re using a ton of microservices. And we have more engineers touching ops than ever before.</p> <p>This explosion of entities – all of which need to communicate with one another – is creating an infrastructure that’s expanding quickly, and creating a long trail of insecure secrets that are stashed wherever it happens to be convenient. They’re in your CI/CD pipeline. They’re in (or next to) your source code.</p> <p>Secrets Automation protects those secrets just as 1Password protects your passwords.</p> <h2 id="what-is-secrets-automation">What is Secrets Automation?</h2> <p>Listening to our customers isn’t a slogan at 1Password. It’s what got us here. It’s how we work.</p> <p>When we asked our customers, they told us that they were already storing all their secrets – including infrastructure secrets – in 1Password. But they needed a way to get those secrets into their infrastructure to the machines and services that need them.</p> <p>We built Secrets Automation to directly address these challenges. 
It delivers your infrastructure secrets when and where they’re needed. With Secrets Automation, you’re getting:</p> <ul> <li><strong>The security of 1Password</strong>. Tokens, store credentials, and other secrets are fully encrypted, using the same security that makes 1Password the most trusted <a href="https://1password.com/enterprise/">enterprise password manager</a>.</li> <li><strong>A single source of truth</strong>. With all of your secrets in one place, you gain complete visibility and auditability in a way that you can’t when secrets are spread out across multiple services.</li> <li><strong>Granular access control</strong>. When access controls are too broad, companies have to resort to overly restrictive permission settings (which compromise productivity) or overly permissive settings (which compromise security).</li> <li><strong>The usability of 1Password</strong>. A better experience means higher adoption, and higher adoption means better security. Developers deserve a good user experience, too.</li> <li><strong>Integration with your existing tools</strong>. Secrets Automation integrates with HashiCorp Vault, Terraform, Kubernetes, and Ansible, with more integrations on the way. You’ll also find ready-to-use client libraries in Go, Node, and Python.</li> </ul> <h2 id="get-started-for-free-or-see-secrets-automation-in-action">Get started for free, or see Secrets Automation in action</h2> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Get started for free</h3> <p class="c-call-to-action-box__text"> Secrets Automation is available right now, so you can <a href="https://developer.1password.com/docs/connect/overview/">view the documentation</a> and get started today. 
</p> <a href="https://developer.1password.com/docs/connect/overview/" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Get started </a> </div> </section> <p>For those who want to dive deeper into Secrets Automation, we recently hosted two webinars that are now available on demand.</p> <p><strong>Webinar: Introduction to Secrets Automation</strong></p> <p>1Password Chief Product Officer Akshay Bhargava and Principal Product Manager Marc Mackenbach walk IT leaders and admins through the basics of Secrets Automation, followed by a live Q&amp;A.</p> <p><strong><a href="https://1password.com/webinars">Watch now &gt;</a></strong></p> <p><strong>Webinar: Secrets Automation Technical Overview</strong></p> <p>Senior Product Manager Carson Brown and 1Password developer Jillian Wilson host a technical overview of Secrets Automation for developers eager to take a peek behind the curtain.</p> <p><strong><a href="https://1password.com/webinars">Watch now &gt;</a></strong></p></description></item><item><title>Introducing automated provisioning 2.0, featuring improved management and enhanced monitoring</title><link>https://blog.1password.com/improved-automated-provisioning/</link><pubDate>Tue, 06 Apr 2021 00:00:00 +0000</pubDate><author>info@1password.com (Connor Hicks)</author><guid>https://blog.1password.com/improved-automated-provisioning/</guid><description> <img src='https://blog.1password.com/posts/2021/scim-2.0/header.svg' class='webfeedsFeaturedVisual' alt='Introducing automated provisioning 2.0, featuring improved management and enhanced monitoring' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">It&rsquo;s now easier than ever to secure your employees at scale with our powerful new updates to <a href="https://support.1password.com/scim/">automated provisioning in 1Password</a>. 
We’ve redesigned the user experience to be more straightforward to navigate from initial setup to managing existing deployments.</p> <p>The SCIM bridge automates provisioning by securely connecting 1Password to your identity provider. 1Password integrates with Azure Active Directory, Okta, <a href="https://blog.1password.com/1password-rippling-automated-provisioning/">Rippling</a>, and OneLogin, allowing you to fold the management of your 1Password account into your existing workflows, using the systems you already trust.</p> <p>Once set up, you can use your identity provider to deploy 1Password, invite employees, grant them access to groups, and deprovision them when they leave.</p> <p>With the latest updates, administrators gain access to an assortment of new features and refinements including a streamlined setup flow, improved user interface, health monitoring, expanded security options, and better Let’s Encrypt support.</p> <p>Together, these updates further improve the experience of administering users at scale, all while retaining the same degree of security you’ve come to expect – the SCIM bridge continues to operate under your control, with your account’s encryption keys safely in your hands.</p> <h2 id="save-time-and-hassle-with-our-revamped-interface">Save time and hassle with our revamped interface</h2> <p>We’ve completely redesigned the setup flow to simplify every step of the process so you can get up and running more easily and in less time. 
Now, you can <a href="https://support.1password.com/scim/#step-2-deploy-the-scim-bridge">integrate with our supported Identity Providers</a> without incurring additional costs on your <a href="https://1password.com/business/">1Password Business</a> account.</p> <img src='https://blog.1password.com/posts/2021/scim-2.0/provisioning-detail.png' alt='Screenshot showing provisioning dashboard' title='Screenshot showing provisioning dashboard' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>The new Active tab in the integrations section of your account dashboard provides at-a-glance information about your managed groups and the health of your provisioning setup. Similarly, a revamped configuration screen makes it simpler than ever to access and modify managed groups, verify your settings, or adjust your SCIM bridge configuration through a more familiar interface.</p> <img src='https://blog.1password.com/posts/2021/scim-2.0/provisoning-modal.png' alt='Screenshot showing provisioning dashboard with the manage groups modal open' title='Screenshot showing provisioning dashboard with the manage groups modal open' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <h2 id="investigate-issues-more-effectively-with-health-monitoring">Investigate issues more effectively with health monitoring</h2> <p>We recently partnered with <a href="https://www.checklyhq.com/?utm_source=web&amp;utm_medium=1p-blog&amp;utm_campaign=announcement">Checkly</a> to introduce optional <a href="https://support.1password.com/scim-security/#your-secure-information-is-not-shared">automated health checks</a> that can identify issues with the SCIM bridge and notify you within minutes if something isn’t working correctly. 
This health monitoring is available to you at no additional cost.</p> <img src='https://blog.1password.com/posts/2021/scim-2.0/provisioning-card.png' alt='Screenshot showing health monitoring card detail' title='Screenshot showing health monitoring card detail' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <h2 id="enable-two-factor-authentication-through-1password-advanced-protection">Enable two-factor authentication through 1Password Advanced Protection</h2> <p>With <a href="https://support.1password.com/explore/advanced-protection/">1Password Advanced Protection</a> you can create security policies for your organization.</p> <p>Now, along with Master Password parameters, firewall rules, and up-to-date app requirements, you can enforce <a href="https://1password.com/features/two-factor-authentication/">two-factor authentication</a> while using automated provisioning, providing an extra layer of protection for your 1Password account.</p> <h2 id="enhanced-support-for-lets-encrypt">Enhanced support for Let’s Encrypt</h2> <p>With the release of 1Password SCIM bridge 2.0, we now support specifying a new domain name even when using Let’s Encrypt.</p> <p>We’ve also taken a careful look at our Let’s Encrypt certificate support and significantly improved its reliability; it’s now more resilient and can recover from various issues automatically.</p> <p>In addition, we’ve improved the initial setup and application startup processes to perform domain validation when a Let’s Encrypt certificate is required.</p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Get started today</h3> <p class="c-call-to-action-box__text"> For more information or to get support with user provisioning, visit the <a href="https://1password.community/categories/scim-bridge">1Password Support Community</a> or the <a href="https://support.1password.com/scim/">1Password Support Site</a>. 
Alternatively, you can contact your Account Manager to find out more. </p> <a href="https://start.1password.com/provisioning/manage" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Get started </a> </div> </section></description></item><item><title>Introducing the “Save in 1Password” button in partnership with Ramp</title><link>https://blog.1password.com/save-in-1password-button-with-ramp/</link><pubDate>Tue, 06 Apr 2021 00:00:00 +0000</pubDate><author>info@1password.com (Andrew Beyer)</author><guid>https://blog.1password.com/save-in-1password-button-with-ramp/</guid><description> <img src='https://blog.1password.com/posts/2021/save-in-1password-button-with-ramp/header.png' class='webfeedsFeaturedVisual' alt='Introducing the “Save in 1Password” button in partnership with Ramp' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">We’re thrilled to be partnering with <a href="https://ramp.com/partners/1password">Ramp</a>, a corporate card and spend management platform, for the initial rollout of the “Save in 1Password” button.</p> <p>The new “Save in 1Password” button makes it easier than ever to save payment cards and other details in 1Password.</p> <h2 id="what-is-it">What is it?</h2> <p>Starting today, Ramp customers will see the “Save in 1Password” button when they sign into their Ramp dashboard.</p> <img src='https://blog.1password.com/posts/2021/save-in-1password-button-with-ramp/1-dashboard.png' alt='Screenshot showing the Ramp dashboard with a virtual card for Intuit QuickBooks. The Save in 1Password button appears under the card.' title='Screenshot showing the Ramp dashboard with a virtual card for Intuit QuickBooks. The Save in 1Password button appears under the card.' 
style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>If they have 1Password installed, when they click the button, 1Password will offer to save their payment card details and, from then on, 1Password will automatically surface those payment card details whenever an online purchase is made.</p> <img src='https://blog.1password.com/posts/2021/save-in-1password-button-with-ramp/4-autofill.png' alt='Screenshot showing 1Password suggesting the previously saved Ramp card as a payment option when checking out on the Intuit website.' title='Screenshot showing 1Password suggesting the previously saved Ramp card as a payment option when checking out on the Intuit website.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <h2 id="launching-with-ramp">Launching with Ramp</h2> <p>Ramp offers corporate cards and spend management tools to help mid-sized companies accelerate growth without compromising on their finances.</p> <p>If you’re a Ramp customer, the “Save in 1Password” button will let you quickly add your card details to 1Password so they’re at your fingertips the next time you’re making an important business purchase. And, of course, checking out with a Ramp card gives you total control over your corporate finances with smart limits, category controls, and more.</p> <p> <video class="round shadow" style="display: block; margin: auto; padding: 0;" loop="loop" playsinline="" width="100%" controls> <source src="https://blog.1password.com/posts/2021/save-in-1password-button-with-ramp/ramp-demo.mp4" type="video/mp4" /> </video> </p> <p>Through our partnership with Ramp, expanding how we work with financial services and products is just another step toward making 1Password the world’s most-trusted password manager.</p> <blockquote> <p>“1Password is always on a mission to simplify online security. 
Partnering with Ramp to make it easier to use and secure payment details is a fantastic example of this, creating an effortless experience for businesses. Security can be simple with the right tools and the right mindset.”</p> </blockquote> <p>– Jeff Shiner, 1Password CEO</p> <p>To celebrate our partnership, Ramp customers signing up for a new 1Password Teams or <a href="https://1password.com/business/">1Password Business</a> account can get a $100 credit applied to their account.</p> <blockquote> <p>“We&rsquo;re dedicated to building cutting-edge technology and incredible user experiences that maximize every dollar invested in a business. Our partnership with 1Password helps us continue to improve and deliver that experience. The &ldquo;Save in 1Password&rdquo; button further simplifies the process, letting companies focus on accelerating growth without compromising on their finances.”</p> </blockquote> <p>– Karim Atiyeh, Ramp Co-founder and CTO</p> <h2 id="how-does-it-help-businesses-and-their-customers">How does it help businesses and their customers?</h2> <p>More than 80,000 businesses trust 1Password with their data, and 99.4% of them store a payment card in their 1Password account, making that card the default payment method for business purchases. If you’re an online service like a bank, placing the “Save in 1Password” button on your website means that card could be yours.</p> <p>For customers, it just got even easier to save their details in 1Password with one click, keeping their data secure and accessible. No more waiting for a card to arrive in the mail, digging through their wallet, or missing out on rewards and benefits.</p> <p>Implementing the “Save in 1Password” button is as simple as adding a snippet of code to your website. Because 1Password is secure by design, so is the API that powers the button. 
Payment card data is never stored on 1Password servers, the transaction takes place solely on the customer’s device, and no unencrypted data is transmitted.</p> <h2 id="looking-to-the-future">Looking to the future</h2> <p>We’re so excited about the huge potential of the “Save in 1Password” button. It’s not just for banks – the button will also simplify membership cards, reward cards, and any other details you want to make it easy for your customers to store and access when they’re on your website and beyond.</p> <p>With all the possibilities, we’re looking forward to partnering with more businesses very soon. If you’d like to be next to add the “Save in 1Password” button to your website, <a href="mailto:support+partnerships@1password.com">get in touch</a>.</p></description></item><item><title>Privacy: one more reason to switch your business to 1Password</title><link>https://blog.1password.com/switch-to-1password-privacy/</link><pubDate>Tue, 16 Mar 2021 00:00:00 +0000</pubDate><author>info@1password.com (Nick Summers)</author><guid>https://blog.1password.com/switch-to-1password-privacy/</guid><description> <img src='https://blog.1password.com/posts/2021/switch-to-1password-privacy/header.svg' class='webfeedsFeaturedVisual' alt='Privacy: one more reason to switch your business to 1Password' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">We know there are several <a href="https://blog.1password.com/how-to-choose-a-good-password-manager-for-your-business/">password managers</a> to choose from. They all have different names but promise to do the same thing: protect your employees’ accounts with complex, hard to guess passwords. So why choose 1Password for your business? 
There are many reasons, but the most important is our promise to prioritize your privacy over everything else.</p> <h2 id="encryption-you-can-rely-on">Encryption you can rely on</h2> <p>We have many protections in place to stop would-be attackers from accessing our servers. (It’s no coincidence that we’ve never been hacked!) And even if a thief <strong>somehow</strong> slipped through, they would only have access to reams of scrambled information. That’s because 1Password uses end-to-end encryption to safeguard everything that your team has in their accounts. Unless the hacker had access to everyone’s decryption keys, the data would be worthless.</p> <p>Every team member’s decryption key comes in two parts. There’s a <a href="https://support.1password.com/strong-master-password/">Master Password</a>, which you need to remember to access your account, and <a href="https://support.1password.com/secret-key-security/">a Secret Key</a>. The latter is a long series of letters and numbers, separated by dashes, which can be copied from your <a href="https://support.1password.com/emergency-kit/">Emergency Kit</a> or by scanning a Setup Code, if you’re already logged in on another device.</p> <p>Without both pieces, a theoretical thief is toast. They could try a brute-force trial-and-error attack, but it would take millions of years for even the most powerful supercomputer to find the correct solution.</p> <h2 id="built-on-top-of-open-standards">Built on top of open standards</h2> <p>It might sound counterintuitive to share how 1Password works. You wouldn’t give a burglar a blueprint for your home, after all. But we believe transparency makes 1Password stronger. It was developed on top of open standards that anyone with the technical know-how can investigate, implement, and improve.</p> <p>Our defences have been reviewed by independent security specialists, including Cure53 and Onica. 
And Troy Hunt, a security specialist and founder of the invaluable “Have I Been Pwned” database, sits on our board of advisers.</p> <p>All of these perspectives give us a greater chance of spotting and fixing any potential weaknesses. We want everyone to understand 1Password, though – not just the experts. That’s why we <a href="https://1passwordstatic.com/files/security/1password-white-paper.pdf">created a white paper</a> that explains 1Password’s approach to security.</p> <h2 id="1password-keeps-your-data-safe-in-other-ways">1Password keeps your data safe in other ways</h2> <p>Encryption and keys are only the beginning. 1Password offers a variety of tools that can protect your team’s information:</p> <ul> <li> <p><strong>Auto-lock and manual locking.</strong> Team members can set 1Password to automatically log out after a period of inactivity. Alternatively, they can manually lock 1Password with a keyboard shortcut on Mac, Windows, Linux and in the browser.</p> </li> <li> <p><strong>Multi-factor authentication.</strong> Many services offer two-factor authentication as an extra layer of security. Your team can set up 1Password to deliver these codes, removing the need for SMS messages or a separate authentication app such as Authy.</p> </li> <li> <p><strong>Obscured passwords.</strong> 1Password will only show a person’s passwords if they select Reveal. Otherwise, they’re presented as a series of dots or asterisks, making sure that no-one nearby has any chance of writing them down.</p> </li> <li> <p><strong>Clipboard clearing.</strong> Team members can set up 1Password to automatically remove copied passwords from their clipboard, ensuring no hacker can pick them up that way.</p> </li> <li> <p><strong>Careful autofill.</strong> 1Password will only offer to <a href="https://1password.com/features/autofill/">autofill passwords</a> on sites that your team members have specified. 
This way, your business will never be caught out by phishing attacks that use fake but easily believable websites.</p> </li> <li> <p><strong>Privacy Cards.</strong> If your team members are based in the US, they can <a href="https://support.1password.com/privacy-cards/">use virtual Privacy Cards</a> to pay for goods and services online. So if a service they use was ever breached – and, heaven forbid, exposed card details – no one could access their actual cash.</p> </li> </ul> <h2 id="well-let-you-know-about-any-known-data-breaches">We’ll let you know about any known data breaches</h2> <p>We can’t stop data breaches from happening at other companies. But we <strong>can</strong> let your team know when something goes wrong. 1Password Watchtower checks the Have I Been Pwned database and will alert your colleagues if any of their passwords appear in a data breach. It will also flag weak and reused passwords, as well as services where two-factor authentication can be enabled.</p> <p>Administrators can also create a domain <a href="https://1password.com/business/domain-breach-report/">breach report</a> that shows every company email address affected by a known data breach. The results can be alarming, depending on the size and behaviour of your team. But it means you know exactly what’s been exposed and who needs to update their passwords pronto.</p> <h2 id="no-in-app-trackers">No in-app trackers</h2> <p>You <a href="https://www.theverge.com/2021/2/26/22302709/lastpass-android-app-trackers-security-research-privacy">might have heard</a> that 1Password is one of the few password managers that doesn’t have third-party trackers in-app. The reason why is simple: we don’t need them. We do collect a small amount of information about you, such as your name, email address and how many passwords you’ve stored in your account, but only to provide you with the best possible experience and solve any problems you might have. 
We’ll never, ever share your information with a third-party company.</p> <h2 id="your-data-is-always-yours">Your data is always yours</h2> <p>We hope that your team will use 1Password forever, but we understand that everyone’s circumstances change. If your company ever decides to leave, everyone will be able to export their data, no questions asked. Everyone will also have a way to download their information, even after you’ve stopped paying for 1Password Teams or <a href="https://1password.com/business/">1Password Business</a>. Because trust starts with having the freedom to delete and move your information between services.</p> <h2 id="want-this-level-of-privacy-switch-your-business-to-1password">Want this level of privacy? Switch your business to 1Password</h2> <p>If you’re already paying for another password manager, no problem: let us know, and we’ll give you some credit toward 1Password Teams or 1Password Business. We’ll even walk your team through the switching process, so no-one is left without access to their important accounts. And remember, every employee using 1Password Business also gets a free 1Password Families membership. That way, every team member can protect their privacy at home and at work.</p> <section class="c-call-to-action-box"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Switch to 1Password Business</h3> <p class="c-call-to-action-box__text"> Switch to the world’s most-trusted password manager to receive our generous switching bundle. 
</p> <a href="https://1password.com/business-switch/" class="c-call-to-action-box__link-href" data-event-category="CTA" data-event-action="call-to-action-button"> Switch now </a> </div> </section></description></item><item><title>Tech needs women: an interview with the women leading security at 1Password</title><link>https://blog.1password.com/tech-needs-women-interview/</link><pubDate>Thu, 11 Mar 2021 00:00:00 +0000</pubDate><author>info@1password.com (Stacey Harris)</author><guid>https://blog.1password.com/tech-needs-women-interview/</guid><description> <img src='https://blog.1password.com/posts/2021/tech-needs-women-interview/header.svg' class='webfeedsFeaturedVisual' alt='Tech needs women: an interview with the women leading security at 1Password' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">On International Women’s Day, we shared highlights from our recent <a href="https://blog.1password.com/women-in-tech/">Women in Tech panel</a>, where women at 1Password discussed the obstacles faced by women and non-binary people in the tech industry. One of the issues raised during the panel was how important it is for women working in male-dominated spaces to see other women succeeding. With that in mind, we wanted to highlight and celebrate our women-led Security team.</p> <p>We spoke to Harlie Hardage (Security Training Coordinator), Pilar García (Privacy Officer), and Rainbow (Incident Response Manager) about their paths into the industry, the challenges they’ve faced, and their advice for women and non-binary folks considering a career in privacy and security.</p> <p><strong>What’s your role in the Security team?</strong></p> <p><strong>Harlie:</strong> I coordinate our internal security training initiatives, so I spend a lot of time talking to other teams, as well as developing and leading training sessions.</p> <p><strong>Pilar:</strong> My area is privacy and compliance. 
I talk to people in different areas of the company, listen to their needs and then help them achieve their goals in ways that preserve privacy and security.</p> <p><strong>Rainbow:</strong> I currently manage our Incident Response team. We keep an eye on everything and try to step in before anything bad happens. If something happens, we’re the ones who investigate, remediate, and get everything back up and running.</p> <p><strong>What made you pursue a career in cybersecurity?</strong></p> <p><strong>Harlie:</strong> I&rsquo;ve always loved computers, but I never really thought of making it a career. I honestly thought I wasn&rsquo;t smart enough for it. When I started college as an undeclared major I took Computer Science Basics as an elective and really loved it – it came naturally to me. I never looked back from there because I knew it was what I wanted to do for a living.</p> <p><strong>Pilar:</strong> I have a background in physics and math. I originally wanted to go into academia, but it became clear that it was not as glamorous as I had imagined so I decided to go into industry. I met Jeffrey Goldberg (Director of Security) at a company event and after a few hours of talking with him it was like, “Okay, this is where I want to be”.</p> <p>I&rsquo;ve always found privacy stuff very interesting so, as the company grew, I started volunteering for privacy-related things and getting more involved in that area.</p> <p><strong>Rainbow:</strong> I had always been into computers as I felt they were fascinating, but didn’t get much chance to play with them early on. In fact, my original planned career path was medicine, not technology. I got my hands on my own computer a little before I graduated high school and a friend gave me a Linux CD. I was immediately hooked and ended up having a bit of a knack for it.</p> <p>At the time, college wasn’t an option and I desperately needed a job, so I started working at a data center. 
It was like a paid internship and that&rsquo;s where I started: building servers and racking in a data center. I bounced through some tier one support positions early on, and eventually worked my way into Operations, before ultimately ending up in the Infosec space.</p> <p><strong>Have you ever experienced self-doubt – systemic, or not – and what advice do you have for overcoming it?</strong></p> <p><strong>Harlie:</strong> I&rsquo;m always going to be battling imposter syndrome, wondering if I should be here or if I’m still smart enough. A lot of that comes from tech being “a man&rsquo;s world”.</p> <p>We can all do a better job at reassuring each other. I try to reach out to my other female coworkers and say “you&rsquo;re doing a great job”. Also, not being too hard on yourself and recognizing when you&rsquo;ve done something awesome. When people compliment you or your work, write it down so you can go and look at it later and remind yourself to keep going and that you’re smart enough to do this.</p> <p><strong>Pilar:</strong> I hear a lot that, “If you&rsquo;re in security and you don&rsquo;t have imposter syndrome, then you&rsquo;re doing it wrong”. It&rsquo;s always said tongue in cheek, but I do think it affects women to a larger degree.</p> <p>It can feel alienating when you realize that you’re one of five women attending a conference. You have to take a deep breath and say, “I will just have to get used to it”, and hope that if you get used to it, then it will be less of a thing for others in the future.</p> <p><strong>Rainbow:</strong> For women and non-binary folks, it’s really hard in this field. 
A lot of people in tech have imposter syndrome, but I think something that is hardly mentioned is that it&rsquo;s excessively reinforced for us by others.</p> <p>I can’t even begin to count the number of times where I was the only woman on the team, or how many times I was actively passed over for a promotion in favor of one of the guys, despite equal or greater output on my part. Those of us who identify as women (or non-binary) know we have to work harder, longer, and more intensely to even be seen as being on the same playing field.</p> <p><strong>What challenges have you had to overcome in this profession because of your gender?</strong></p> <p><strong>Harlie:</strong> I&rsquo;ve had to face lots of preconceived notions. I think that&rsquo;s the biggest problem. It’s pretty shocking how bold people can be in their assumptions.</p> <p>I remember on the first day of one of my upper-level computer science courses being heckled by a male classmate. Really, all you can do is prove them wrong. That same classmate later asked to partner on multiple projects because he saw I was putting in hard work. You can&rsquo;t ever let those people get you down, you just have to use it as fuel and prove them wrong.</p> <p><strong>Pilar:</strong> It can be hard for me to be heard, let alone listened to. I’ve lost track of the number of times I&rsquo;ve been interrupted in the middle of a sentence while I was trying to convey something important.</p> <p>Every time something like that happens, you have to make a choice: Do you let it go or make yourself a little bit louder? And the choice might seem straightforward, because you have something that needs to be heard. But the problem is that “Excuse me, I wasn’t done” can be seen as aggressive when it comes from a woman. So, I’m continuously trying to find my voice, and the right voice to communicate effectively.</p> <p><strong>Rainbow:</strong> I second what Pilar has said. Women are often seen as aggressive when trying to speak up. 
The most important thing for me was finding a place where I could be my authentic self. At 1Password I actually feel heard and that my opinion matters in meetings. That&rsquo;s really nice. I&rsquo;m not used to that.</p> <p><strong>Do you think women face different challenges when comparing security to the broader technology industry?</strong></p> <p><strong>Harlie:</strong> It really depends. When I was doing IT in banking it was very much a man’s world, and it was hard to get my word out. Now that I&rsquo;m in cybersecurity – and working for a more progressive company – it&rsquo;s easier. But I think it can vary by experience and where you&rsquo;re at, and I don&rsquo;t think it&rsquo;s limited to just any industry.</p> <p><strong>Rainbow:</strong> The security industry seems to be more open and accepting, and more equitable in a lot of ways compared to the rest of the tech and startup world. There&rsquo;s still a lot of work to do in both worlds – it is far from being truly equitable – but there seems to be a tendency in security to look past who someone is and take them on their accomplishments and their abilities.</p> <p>I found community in the security space that I didn&rsquo;t have elsewhere. I want to be clear that this is not necessarily reflective of everyone&rsquo;s personal experiences, but we can all work toward making this a more inclusive and equitable space. So I&rsquo;d say we&rsquo;re doing better than tech at large, but we&rsquo;ve still got a long way to go.</p> <p><strong>Any advice for navigating hostile work environments?</strong></p> <p><strong>Harlie:</strong> There&rsquo;s a point where, if you keep getting interrupted and nobody is standing up for you, you need to walk away and find a better environment.</p> <p>But don’t back down, even if it makes you seem assertive. If something is bothering you, call people out on it. 
And look out for each other, because speaking out on behalf of someone else can be perceived as less aggressive than them defending themselves. If someone gets interrupted and they don&rsquo;t get a chance to speak up again, go back to them and let them finish.</p> <p><strong>Pilar:</strong> It’s important to be an ally and help share the load of stopping negative behavior. If people are doing that, the battle becomes a lot easier.</p> <p><strong>Rainbow:</strong> You can only shove your way in for so long, trying to make that space for yourself. Eventually, you&rsquo;ll be exhausted and burn out. I’ve almost left tech a few times from burnout. It falls on management and your colleagues to help create that space. Find mentors and allies – people that will help you make that space at the table.</p> <p><strong>How has 1Password been able to build a women-led Security team?</strong></p> <p><strong>Harlie:</strong> We have great male leaders on the Security team and are lucky that they notice when women are getting run over in meetings. They address the issue, give us the chance to speak and treat us as equals.</p> <p>I’ve had bad male leaders in the past who make it difficult to get a word in edgewise, or make you feel like you don&rsquo;t have a spot at the table. You have to put yourself out there and exert yourself so much more to make sure you don&rsquo;t get totally run over.</p> <p>We are very lucky to have women leaders on the Privacy and Security teams at 1Password, as well as male leaders who are mindful of breaking down barriers for us.</p> <p><strong>Pilar:</strong> Jeffrey Goldberg has been incredibly valuable because he’s always been aware of these things.</p> <p>When he’s hiring, he knows exactly what kind of biases go into applications and does his best to compensate for those. 
The fact that we have the three of us here, in these positions, is due in large part to the support we have from him.</p> <p>When it comes to resumes, a woman will only tell you she knows a programming language if she has written her own compiler for it. A man will say they know the language if he’s written a &ldquo;Hello, World!&rdquo; program for it. So when Jeff has resumes in front of himself, he says, “The man looks more qualified on paper, but let&rsquo;s talk to both of them and see what they really know”. This recognition on Jeffrey’s part is how we ended up with a better gender balance on our team.</p> <p><strong>Rainbow:</strong> The senior leadership on the Security team does a really good job of making that space and making sure that we’re heard. Incident response is a critical role and many companies wouldn’t think to hire a woman for that kind of position. Yet here I am, doing a pretty spiffy job, if I do say so myself.</p> <p><strong>What should be done to increase the number of women in leadership roles?</strong></p> <p><strong>Harlie:</strong> It takes all of us working as a team to make sure that women are heard and have the opportunity to advance into these leadership positions.</p> <p><strong>Pilar:</strong> If the question is, “What do you do to get more women in leadership positions within security?”, then the answer is you put them in leadership positions within security. Very few people make hiring decisions and they have to keep biases in mind so they can put different kinds of people in leadership roles.</p> <p><strong>Rainbow:</strong> There are so many people with untapped talent and non-traditional academic backgrounds – I especially want to give a voice to other women, and feminine presenting or identifying non-binary individuals; we need to consider people from all backgrounds and identities. 
It falls on hiring managers and senior leadership to hire these people and take a chance on these folks that don&rsquo;t meet the traditional and preconceived notions of what a &ldquo;hacker&rdquo; is supposed to be.</p> <p>As a hiring manager myself, when a resume comes through I want to see what a person can do and how they think, regardless of their education background or work history. I want to be an example for other hiring managers because we are the ones that need to make the space and put people in the roles.</p> <p><strong>What advice would you give to women who want to enter the technology industry?</strong></p> <p><strong>Harlie:</strong> Start somewhere and try it. Take a course at your local college, go online, buy a textbook, or use free resources like YouTube and blogs. Or start with a “Hello, World!” program just to see if you can do it.</p> <p><strong>Pilar:</strong> I know it&rsquo;s easier said than done, and it&rsquo;s kind of terrifying, but put yourself out there. If you find a meetup, go to it and meet people who are doing things. Ask for help, ask for advice – a lot of people will be very excited to talk about it and give you everything they can to make your path easier.</p> <p><strong>Rainbow:</strong> We live in a time where we have access to the single greatest repository of human knowledge ever compiled. The resources are out there and I know that it&rsquo;s daunting, but I firmly believe that you can do it.</p> <p>I&rsquo;m going to speak to the women and non-binary folks that might be reading this right now: I believe in you and know you can do it. Even if no one else is championing you right now, I believe in you, I am championing you, I want to see you succeed. So please put yourself out there! 
I can’t mentor or bring light to every single voice, but I’m trying my hardest, and I want to call on more folks to do the same.</p> <p><strong>Anything else before we go?</strong></p> <p><strong>Pilar:</strong> We were talking about how there&rsquo;s a trend that, because of having to find your voice and create a presence, women in security tend to go for really bright hair colors. The three of us here are examples of that.</p> <p><strong>Rainbow:</strong> <a href="https://www.bsdcan.org/2017/schedule/events/865.en.html">Dr. Julie Percival coined the term &ldquo;competency hair&rdquo;</a> – the feminine equivalent of the competency beard. We all know the greybeards at the Unix conferences – they’ve got Gandalf beards down to their toes and the longer your beard is, the more you know, or so it goes. So wildly dyed hair is the feminine equivalent. Most of us who are women or identify feminine can’t, or don’t want to, grow a beard, so we had to find another way of standing out!</p> <p>It was an absolute pleasure to host this interview, and a privilege to work alongside leaders like Harlie, Pilar, and Rainbow. 
We hope that sharing more stories about women in leadership will help to inspire other organizations to actively address representation issues and create space for more women and non-binary folks to succeed in privacy and security.</p></description></item><item><title>A smart(er) password generator</title><link>https://blog.1password.com/a-smarter-password-generator/</link><pubDate>Tue, 09 Mar 2021 00:00:00 +0000</pubDate><author>info@1password.com (Megan Barker)</author><guid>https://blog.1password.com/a-smarter-password-generator/</guid><description> <img src='https://blog.1password.com/img/headers/security-header.svg' class='webfeedsFeaturedVisual' alt='A smart(er) password generator' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">We&rsquo;ve been told what <a href="https://support.1password.com/strong-master-password/">makes a strong password</a> for years. The rules are indelibly etched in our minds: Make &lsquo;em long, and make &lsquo;em random. The more difficult a password is to guess, the harder it is to crack. That&rsquo;s true. But there&rsquo;s more to it.</p> <p>Our password generator has created an incalculable number of long, random passwords since 2006. It&rsquo;s gone through a few iterations in that time, but it&rsquo;s been dubbed the <em>Strong Password Generator</em> for about 14 years. Because, well, that&rsquo;s what it is, and who needs flashy nomenclature?</p> <p>But it&rsquo;s 2021; it&rsquo;s time for a change, and I&rsquo;m excited to announce the <strong><em>Smart Password Generator</em></strong>.</p> <p>Still strong. 
So much smarter.</p> <h2 id="one-smart-cookie">One smart cookie</h2> <p>I spoke with Client Apps Product Lead, Mitchell Cohen (also a smart cookie), about how the Smart Password Generator (SPG) earned its name.</p> <p>Mitch first walked me through a user interface (UI) that&rsquo;s clean and simple.</p> <img src='https://blog.1password.com/posts/2021/password-generator/ui.png' alt='Smart Password Generator User Interface' title='Smart Password Generator User Interface' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>The UI is sparse because you don&rsquo;t really need it. And therein lies the beauty. Elsewhere lies the brain.</p> <p>The (aptly named) brain is where the core of our code structure lives. When you request a password, the generator calls on this central brain — no matter what version of 1Password you use. In a sense, Mitchell and his incredible team have &lsquo;taught&rsquo; the brain what <a href="https://1password.com/password-generator/">password requirements</a> are, how they work, and how to conform in the strongest way possible.</p> <p>If a website has the <code>passwordrules</code> attribute coded in its HTML (hey-o, devs!), the brain can use those guidelines to generate a password. It can also check the list of websites that have custom password behavior. The list, which lives in the brain, is compiled in part with <a href="https://github.com/apple/password-manager-resources">Apple</a> and holds 200 websites (and counting). 
And our power users can still dive into the UI to adjust the password recipe, for those times you just <em>need</em> 49 characters.</p> <p>But it&rsquo;s the default setting - the setting that&rsquo;s compatible with millions of websites across the internet, the setting that <em>just works</em> - that&rsquo;s the smartest part.</p> <h2 id="sense-and-sensibility">Sense and sensibility</h2> <p>Mitchell&rsquo;s team worked closely with Chief of Security, Jeffrey Goldberg, to develop a password-generation process that, for the first time, puts function over form.</p> <p>It started with uniform distribution. People pick some passwords far more often than others, which is exactly what a cracker&rsquo;s wordlist exploits. A generator that draws uniformly makes every one of its possible outputs exactly as likely as every other, so the strength of the result can be stated precisely: it is the logarithm of the number of possible outputs, with no guesswork about which ones a human would favour.</p> <p>The wordlist used by the Smart Password Generator currently consists of 10,122 plausible English-language syllables. The SPG selects four syllables, one of which will be entirely uppercase, and blends them with separators, each chosen from the ten digits (0-9) and six basic symbols (<code>!@.-_*</code>), sixteen separator characters in all.</p> <p>In the blink of an eye, you have a password that&rsquo;s strong, and much more likely to be accepted by any website on earth.</p> <p><em>So</em> smart.</p> <h2 id="wise-words">Wise words</h2> <p>Long, random passwords just aren&rsquo;t convenient. If you have to type 45 randomly-generated characters on another device often enough, you&rsquo;ll eventually change that password to something like <em>password123</em> because it&rsquo;s easy to type and remember. It&rsquo;s also - you got it - <em>not</em> strong.</p> <p>While a lengthy, unintelligible password may appear stronger than a smart one, that&rsquo;s largely an illusion. Pronounceable syllables make a smart password look human generated and, therefore, weaker. 
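To put numbers on that comparison, here is an added example (not 1Password&rsquo;s code, and not from the original post) that computes the entropy of the scheme described above under uniform selection and generates passwords in that shape with a CSPRNG. The real 10,122-syllable wordlist is not reproduced; <code>SYLLABLES</code> is a small constructed list used only to exercise the generator, and <code>entropy_bits()</code> takes the sizes as parameters so the published figures can be plugged in. That there are three separators (one between each pair of the four syllables) and that each is chosen independently is an assumption about the format, not something the post states, as is the 94-character printable-ASCII alphabet used for the comparison string.

```python
"""Entropy of a syllable-based 'smart' password versus a long random string.

Added illustration, not 1Password's code. Assumptions (not stated in the post):
three independently chosen separators between four syllables, and a
94-character alphabet for the comparison string.
"""
import math
import re
import secrets

# Constructed sample wordlist for demonstration; the real one has 10,122 entries.
SYLLABLES = ["bal", "dok", "fen", "gur", "hix", "jom", "kel", "lup",
             "mav", "nor", "pid", "quz", "ret", "sab", "tov", "wyn"]

DIGITS = "0123456789"
SYMBOLS = "!@.-_*"               # the six symbols named in the post
SEPARATORS = DIGITS + SYMBOLS    # 16 separator characters


def entropy_bits(wordlist_size, n_syllables=4, n_separators=3,
                 separator_alphabet=16):
    """Entropy in bits of a password chosen uniformly under the scheme.

    Each syllable is an independent uniform draw from the wordlist, exactly one
    syllable position is uppercased (a uniform choice among the positions), and
    each separator is an independent uniform draw from the separator alphabet.
    Uniform choice is what makes this arithmetic valid: the entropy is just
    log2 of the number of equally likely outputs.
    """
    syllable_bits = n_syllables * math.log2(wordlist_size)
    case_bits = math.log2(n_syllables)
    separator_bits = n_separators * math.log2(separator_alphabet)
    return syllable_bits + case_bits + separator_bits


def random_string_bits(length, alphabet_size=94):
    """Entropy of a uniformly random string (94 = printable ASCII minus space)."""
    return length * math.log2(alphabet_size)


def smart_password(wordlist=SYLLABLES, n_syllables=4):
    """Generate one password in the shape described, using a CSPRNG.

    secrets.choice/randbelow draw uniformly from the OS entropy source. The
    random module would be wrong here: Mersenne Twister output is predictable
    from earlier outputs, which defeats the whole point of uniform selection.
    """
    parts = [secrets.choice(wordlist) for _ in range(n_syllables)]
    upper_at = secrets.randbelow(n_syllables)
    parts[upper_at] = parts[upper_at].upper()
    seps = [secrets.choice(SEPARATORS) for _ in range(n_syllables - 1)]
    out = parts[0]
    for sep, part in zip(seps, parts[1:]):
        out += sep + part
    return out


_TOKEN = re.compile(r"[A-Za-z]+")


def parse(password, wordlist=SYLLABLES):
    """Check that a password conforms to the scheme; return its syllables or None."""
    tokens = _TOKEN.findall(password)
    if len(tokens) != 4 or sum(t.isupper() for t in tokens) != 1:
        return None
    if any(t.lower() not in wordlist for t in tokens):
        return None
    # Whatever is left after removing the syllables must be exactly three
    # separator characters.
    rest = _TOKEN.sub("", password)
    if len(rest) != 3 or any(c not in SEPARATORS for c in rest):
        return None
    return tokens


if __name__ == "__main__":
    print("smart password (10,122 syllables):", round(entropy_bits(10122), 1), "bits")
    print("20 random printable characters:   ", round(random_string_bits(20), 1), "bits")
    print("sample:", smart_password())
```

With the published sizes the scheme comes out at roughly 67 bits, well beyond what offline guessing can exhaust against a properly hashed password, while a 20-character string over the full printable alphabet is about 131 bits. Those extra bits are the ones the post describes trading away; the arithmetic only holds because every draw is uniform, which is why the generator uses <code>secrets</code> rather than <code>random</code>.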
But a human-generated password is never chosen uniformly, so its entropy can&rsquo;t be meaningfully assessed at all; a smart password&rsquo;s can, and the figure is what counts, not how the password looks.</p> <p>We&rsquo;ve made a compromise of sorts. We&rsquo;ve sacrificed a few bits of entropy to gain a whole lot of convenience, compatibility, and accessibility, and those gains are real-world ones, which is what <em>really</em> matters.</p></description></item><item><title>Tech needs women: how the industry can create a space for them to thrive</title><link>https://blog.1password.com/women-in-tech/</link><pubDate>Mon, 08 Mar 2021 00:00:00 +0000</pubDate><author>info@1password.com (Stacey Harris)</author><guid>https://blog.1password.com/women-in-tech/</guid><description> <img src='https://blog.1password.com/posts/2021/women-in-tech/header.svg' class='webfeedsFeaturedVisual' alt='Tech needs women: how the industry can create a space for them to thrive' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Being a woman in tech means navigating an industry that is difficult to enter, and even more difficult to advance in. 
It means facing the gender pay gap, challenging systematic bias, and even dealing with harassment – amongst other challenges.</p> <p>We want to get real this International Women’s Day and talk about what everyone can do to help women overcome the obstacles they continue to face in tech.</p> <p>During AGConf this year, our annual company conference, we hosted a Women in Tech panel with seven women leaders at 1Password – Jeannie De Guzman (Chief Financial Officer), Rachel Yarnold (Director of Marketing Campaigns), Meena Lakhanpal (General Counsel), Lynette Kontny (Senior Manager of Customer Success), Mary Sison (Director of Finance), Sasha VanHoven (Staff UX Writer), and Youri Wims (Senior Web Developer).</p> <p>These women shared stories of challenges they’ve faced, how they’ve managed to thrive in the tech industry, and what they think could make the most significant differences for the future of women in tech.</p> <h2 id="give-women-the-spotlight">Give women the spotlight</h2> <p>It’s a well-documented fact that women are underrepresented, underpaid, and discriminated against in the tech industry. Women-centric tech events are relatively new, but are so important to create a safe space where women can share their unique experiences – both failures and successes – when facing challenges in the tech industry.</p> <p>It’s also essential for newer entrants to the field to see women succeeding at the highest levels. In this video, Mary shares some positive impacts women-centric events have for women in tech:</p> <p> <video class="round shadow" style="display: block; margin: auto; padding: 0;"loop="loop" playsinline="" width="100%" alt='' controls> <source src="https://blog.1password.com/posts/2021/women-in-tech/wit-1-mary.mp4" type="video/mp4" /> </video> </p> <p>These events give women a place to speak, network, and ask questions without judgement – helping create a community where women can share knowledge and grow together. 
Women-oriented tech events put women in the spotlight, where many tech events still lean heavily towards male voices.</p> <p>That’s something that needs to change too. Tech events need to start curating speaker lineups to be more inclusive of diverse voices to accurately represent the wealth of talent in tech.</p> <h2 id="create-a-safe-supportive-environment">Create a safe, supportive environment</h2> <p>Women frequently report <a href="https://www150.statcan.gc.ca/n1/pub/75-006-x/2018001/article/54982-eng.htm">higher levels of workplace harassment than men</a>, and that number is even <a href="https://www.cnbc.com/2020/12/16/40percent-of-women-in-tech-say-theyve-been-harassed-by-boss-or-investor.html">higher for women in tech</a>. Workplace harassment takes many forms, including verbal abuse, physical violence, and unwanted sexual attention or sexual harassment.</p> <p>“What nobody told me at the time, what no one talked publicly about, what no one warned me about is how grey and nebulous the majority of that abuse can be,” Sasha shared. Our panel discussed some ways women can respond to workplace harassment and how companies can create a safer work environment for everyone.</p> <p> <video class="round shadow" style="display: block; margin: auto; padding: 0;"loop="loop" playsinline="" width="100%" alt='' controls> <source src="https://blog.1password.com/posts/2021/women-in-tech/wit-8-sasha.mp4" type="video/mp4" /> </video> </p> <p>Documenting each harassment incident – in a notebook, through screenshots, witness statements, or a formal, documented complaint with HR creates a history of infractions that can be used should harassment continue or escalate. Facing harassment alone in the workplace is challenging, so it’s important to have a strong network to rely on for support to avoid isolation.</p> <p>Having clear policies and procedures in place is just as vital. 
When women need to report misconduct, they should know who to speak to and how their complaint will be handled. It’s about creating a culture of trust and transparency, where women feel safe to raise any concerns they may have.</p> <h2 id="build-communities-that-encourage-and-elevate">Build communities that encourage and elevate</h2> <p>For women in tech, finding a community that will empower, support, and inspire can be challenging in the workplace. But all of the women in our panel spoke to the critical roles community and mentorship played in their careers.</p> <p>During our panel, Sasha talked about the benefits of a private Slack channel that women and non-binary coworkers used to share and improve on ideas before raising them with leadership.</p> <p>The group also strategically coordinated support for new ideas that otherwise may have gotten lost in meetings, or public Slack channels. Sasha encouraged everyone to intentionally cultivate a community of women who share similar priorities in the workplace and in the tech industry.</p> <p>Mentorship is also an important factor in the growth and development of women in tech. Meena talked about how mentorship should be a mutually beneficial relationship as “even leaders need to talk to somebody to bounce off their ideas.”</p> <p> <video class="round shadow" style="display: block; margin: auto; padding: 0;"loop="loop" playsinline="" width="100%" alt='' controls> <source src="https://blog.1password.com/posts/2021/women-in-tech/wit-2-meena.mp4" type="video/mp4" /> </video> </p> <p>Each of our panelists spoke about imposter syndrome, the self-doubt they’ve felt, and how they overcome these feelings. “You just have to get comfortable with being uncomfortable, or else there’s not going to be change,” Jeannie said.</p> <p>She went on to describe how she turned fear into a positive, using it as fuel to continue pushing forward. 
Sasha, Meena, and Rachel all also had great suggestions about overcoming imposter syndrome.</p> <p> <video class="round shadow" style="display: block; margin: auto; padding: 0;"loop="loop" playsinline="" width="100%" alt='' controls> <source src="https://blog.1password.com/posts/2021/women-in-tech/wit-7-summary.mp4" type="video/mp4" /> </video> </p> <p>Some strategies women can use to help support each other include creating a safe space to talk, supporting each other&rsquo;s ideas, giving credit, and mentoring and advocating for others.</p> <h2 id="men-make-space-and-advocate">Men: make space and advocate</h2> <p>While coaching and support are important for women’s growth in the workplace, <a href="https://hbr.org/2010/09/why-men-still-get-more-promotions-than-women">advocacy has the greatest impact when it comes to career advancement</a>. With fewer women holding executive level positions in tech, women are at a disadvantage when it comes to being promoted.</p> <p>Men need to become comfortable with sharing the spotlight and, as Sasha explains, “the biggest impact is when someone who is not a woman decides to intentionally support women”. Here are Sasha’s top three tips for men to help support women in the workplace:</p> <p> <video class="round shadow" style="display: block; margin: auto; padding: 0;"loop="loop" playsinline="" width="100%" alt='' controls> <source src="https://blog.1password.com/posts/2021/women-in-tech/wit-4-sasha.mp4" type="video/mp4" /> </video> </p> <p>Leaders can also help support women by ensuring communal work that traditionally falls to women is shared between everyone – work like note-taking, printing, scheduling meetings, organizing travel, etc. 
This way, women will be free to take on more visible projects to improve their skills and make them more promotable.</p> <h2 id="women-arent-going-anywhere--or-are-they">Women aren’t going anywhere – or are they?</h2> <p>While the fight for a long time has been getting women into tech, now the industry is facing the struggle of keeping women in an industry where they find career advancement lacking.</p> <p>As Youri explains “the greatest issue facing women in tech feels a lot less like getting into the industry and more like staying in the tech industry and feeling like we really belong here”.</p> <p> <video class="round shadow" style="display: block; margin: auto; padding: 0;"loop="loop" playsinline="" width="100%" alt='' controls> <source src="https://blog.1password.com/posts/2021/women-in-tech/wit-5-youri.mp4" type="video/mp4" /> </video> </p> <p>We’ve already talked about harassment, gender bias, salary disparity, and being overlooked for projects that develop new skills, or provide a chance to exhibit leadership qualities – so it should not be surprising that women are leaving the tech industry.</p> <p>And, while most women face challenges in tech for career advancement, it can be even more difficult for women with families. Support for working parents has never been more important as work, childcare, and homeschooling compete for attention.</p> <p>Companies are quickly realizing a 9-5 work day is no longer a realistic option for many employees. 
As Lynette explains, “focusing on what you are accomplishing and if you are accomplishing the things you need to accomplish” and a shift around flexible working hours will help keep working parents from dropping out of the workforce.</p> <p> <video class="round shadow" style="display: block; margin: auto; padding: 0;" loop="loop" playsinline="" width="100%" alt='' controls> <source src="https://blog.1password.com/posts/2021/women-in-tech/wit-6-mary-lynette.mp4" type="video/mp4" /> </video> </p> <p>Attracting women to the tech industry, and retaining them, is a complicated process requiring constant reflection and action. Sponsorship, support, and championing women as they grow in their careers are crucial, but we also need diverse leadership that inspires women to join, succeed, and advance within a historically male-dominated industry.</p> <p>1Password co-founder Sara Teare understands the kinds of issues women in tech face and the hard work it takes to overcome these obstacles.</p> <p>&ldquo;From the beginning, I&rsquo;ve been able to help shape and form the company, advocating for representation and making sure we have a more diverse set of voices at the table.&rdquo;</p> <p>&ldquo;Our company was built around flexible working hours to accommodate childcare – I was home with two small kids, so finding time to work when I could was the definition of flexible.&rdquo;</p> <p>&ldquo;I wanted to create a workplace where women felt comfortable &lsquo;taking up space&rsquo; in male-dominated areas, and able to voice their opinions. Having my voice heard and respected has made it much easier to bring that sense of value to my work, and I&rsquo;m not afraid to make my presence known.&rdquo;</p> <p>&ldquo;As a female founder of a tech company, I have a unique opportunity to advocate for others on a systemic scale within 1Password. 
We are committed to elevating the voices of women and others who have been underrepresented, creating safe spaces where everyone feels welcome.&rdquo;</p></description></item><item><title>Received a data breach notification in 1Password? Take these 5 steps</title><link>https://blog.1password.com/what-to-do-when-you-get-a-data-breach-notification/</link><pubDate>Fri, 26 Feb 2021 00:00:00 +0000</pubDate><author>info@1password.com (Emily Chioconi)</author><guid>https://blog.1password.com/what-to-do-when-you-get-a-data-breach-notification/</guid><description> <img src='https://blog.1password.com/posts/2021/data-breach-notification/header.png' class='webfeedsFeaturedVisual' alt='Received a data breach notification in 1Password? Take these 5 steps' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">News of a data breach is stressful, to say the least. You may be thrown into a panic, wondering:</p> <ul> <li>Is my sensitive data safe?</li> <li>How much of my information was stolen?</li> <li>What am I actually supposed to do next?</li> </ul> <p>Thankfully, 1Password has your back. Let’s break down what a data breach actually is, and walk through five simple steps you can take to secure your data in the event of a breach.</p> <h2 id="what-is-a-data-breach">What is a data breach?</h2> <p>A <a href="https://blog.1password.com/data-breach-101-stay-safe-online/">data breach</a> is when someone with malicious intent gains access to sensitive data, such as financial information or <a href="https://1password.com/resources/guides/how-to-store-social-security-number/">social security numbers</a>, without the owner&rsquo;s permission. 
This information may be sold on the dark web, held under ransom for payment, or leaked to the public.</p> <h2 id="how-to-protect-your-data-in-the-event-of-a-breach">How to protect your data in the event of a breach</h2> <p>Here are five steps that you can take right now to protect your data in the event of a breach.</p> <h3 id="1-check-watchtower-for-data-breach-reporting">1. Check Watchtower for data breach reporting</h3> <p><a href="https://watchtower.1password.com/">Watchtower</a> is built right into 1Password. The data breach monitoring tool informs you about security breaches on the websites you use along with other vulnerabilities, like weak passwords or unsecured sites. Watchtower will provide you with details about the data breach analysis, including what information may have been accessed and the date of the breach.</p> <p>Depending on the site that’s been compromised, sensitive data such as your credit card numbers, Social Security number, or banking information can be at risk. Check Watchtower and read the details of the data breach to help you decide on the appropriate next steps, like contacting your bank or credit card company.</p> <p>Watchtower only notifies you of security issues with sites that you’ve saved, which is why it’s critical to add all of your accounts to 1Password. You can also check Watchtower at any time to find out if any lower-risk websites you use have been compromised.</p> <img src='https://blog.1password.com/posts/2021/data-breach-notification/watchtower-opm.png' alt='1Password Watchtower in the Mac app' title='1Password Watchtower in the Mac app' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>Find out more: <a href="https://support.1password.com/watchtower/">Use Watchtower to find passwords you need to change</a>.</p> <h3 id="2-use-a-password-generator-to-change-your-passwords">2. 
Use a password generator to change your passwords</h3> <p>If Watchtower alerts you of a data breach, you’ll need to change your password for the compromised site right away. The 1Password <a href="https://1password.com/password-generator/">password generator</a> will provide you with a strong, unique password that you don’t have to commit to memory.</p> <p>Even if the breach didn’t include login information, it’s still best practice to change your password to ensure future breach protection. Many people use the same password for multiple websites, which increases the chance of someone nefarious gaining access. If you’ve reused passwords for different sites, one data breach can lead to several of your accounts being compromised. Take this opportunity to change any duplicated passwords and limit your vulnerability.</p> <p>Find out more: <a href="https://support.1password.com/change-website-password/">Change your passwords to make them stronger</a>.</p> <h3 id="3-turn-on-two-factor-authentication">3. Turn on two-factor authentication</h3> <p>If you’re given the option, turn on <a href="https://1password.com/features/two-factor-authentication/">two-factor authentication (2FA)</a> to add a second layer of security to your accounts, on top of your usual login details. This extra verification method means that even if someone else has your password, it’ll be much harder for them to gain access to your sensitive data.</p> <p>When it comes to 2FA, text message verification is less secure than using an authentication app. <a href="https://1password.com/resources/guides/protect-data-phone-lost-or-stolen/">Phones can be stolen</a>, SIM cards can be counterfeited, and texts are often sent to more than one device, like a laptop or tablet.</p> <p>Protect your data by using 1Password as an authenticator for sites with <a href="https://1password.com/features/two-factor-authentication/">two-factor authentication</a>. 
1Password allows you to store and quickly access your one-time passwords when you turn on 2FA verification for a website. You can even use Watchtower to easily check for sites that offer two-factor authentication.</p> <p>Find out more: <a href="https://support.1password.com/two-factor-authentication/">Use 1Password as an authenticator for sites with two-factor authentication</a>.</p> <h3 id="4-secure-your-business-with-domain-breach-reports">4. Secure your business with domain breach reports</h3> <p>If you use <a href="https://1password.com/business/">1Password Business</a> or 1Password Teams, create a domain <a href="https://1password.com/business/domain-breach-report/">breach report</a> to get a list of all company email addresses affected by known data breaches. It lets you see which email addresses have been affected, as well as the type of data incident that you are facing, so you can immediately prioritize your next steps.</p> <img src='https://blog.1password.com/posts/2021/data-breach-notification/domain-breach-report.png' alt='Screenshot of a domain breach report' title='Screenshot of a domain breach report' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>1Password allows you to send a customizable email notification to anyone impacted by the data incident to help them update their information as quickly as possible. This email will let your team know exactly what’s been breached and offer easy-to-follow instructions on how to address the risks.</p> <p>If they’re not already using 1Password, you can also invite them directly from the report so they can generate strong, unique passwords and safely store them for easy access.</p> <p>Find out more: <a href="https://support.1password.com/breach-report/">Create a domain breach report for your company</a>.</p> <h3 id="5-be-proactive-use-best-practices-for-securing-sensitive-data">5. 
Be proactive: Use best practices for securing sensitive data</h3> <p>You don’t have to wait for the next data breach to tighten up your online security. Instead, be proactive and protect your information by making security a habit.</p> <ul> <li> <p><strong>Check Watchtower.</strong> See weak and reused passwords at a glance and get notifications about a data incident as soon as it occurs.</p> </li> <li> <p><strong>Create strong, unique passwords.</strong> Always use a password generator, and never reuse passwords across websites.</p> </li> <li> <p><strong>Protect your credit card numbers.</strong> Use Apple Pay or Google Pay, or try <a href="https://support.1password.com/privacy-cards/">Privacy Cards</a> to keep your card numbers confidential.</p> </li> <li> <p><strong>Delete old accounts.</strong> Fewer accounts mean a smaller chance that you’ll be involved in a data breach.</p> </li> </ul> <h2 id="1password-has-you-covered-with-data-breach-protection">1Password has you covered with data breach protection</h2> <p>Although data breaches can never be completely avoided, you can still be proactive with your online security. Think progress, not perfection. With 1Password, it’s easy to make a habit of staying on top of data breaches and protect your online presence.</p> <p><em>Editor&rsquo;s Note: This article was last updated on May 16th, 2022</em></p> <section class="c-call-to-action-box c-call-to-action-box--purple"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Get 50% off 1Password Families</h3> <p class="c-call-to-action-box__text"> Keep all your accounts secure with 1Password Families. Sign up now and get 50% off your first year. 
</p> <a href="https://start.1password.com/sign-up/family?&amp;l=en&amp;c=SWITCH50" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--purple" data-event-category="CTA" data-event-action="call-to-action-button"> Get 50% off </a> </div> </section></description></item><item><title>Transparency, privacy, support: becoming the world's most trusted password manager</title><link>https://blog.1password.com/why-pay-for-1password/</link><pubDate>Wed, 17 Feb 2021 00:00:00 +0000</pubDate><author>info@1password.com (Andrew Zangre)</author><guid>https://blog.1password.com/why-pay-for-1password/</guid><description> <img src='https://blog.1password.com/posts/2021/why-pay-for-1password/header.svg' class='webfeedsFeaturedVisual' alt='Transparency, privacy, support: becoming the world's most trusted password manager' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">At 1Password we&rsquo;re committed to transparency, customer privacy, and support. But becoming the world&rsquo;s most trusted password manager didn&rsquo;t happen overnight, and it didn&rsquo;t come for free. 1Password memberships help power this machine at the highest level, keeping customers safe and satisfied across the globe.</p> <p>If you’re considering using a <a href="https://1password.com/password-manager/">password manager</a> for the first time or making the <a href="https://1password.com/affiliate/promo/personal/?c=SWITCH50&amp;l=">switch to 1Password</a>, here are a few reasons why the small membership cost goes a long way.</p> <h2 id="privacy-and-transparency">Privacy and transparency</h2> <p>Since day one, we&rsquo;ve placed customer trust at the forefront, a commitment that extends from our data privacy protocols to our hundreds of support interactions every day.</p> <p>With any membership you&rsquo;ll get everything 1Password has to offer, with no hidden details or surprise fees. 
This includes expert-tested data encryption developed on top of open standards. You can read all about how <a href="https://1password.com/security/">we keep your online secrets secure</a>, while never having personal access to your passwords or other info you store in 1Password.</p> <p>Our small monthly fee allows us to maintain this best-in-class privacy and update our product constantly to stay ahead of the curve. Being both the most loved and most trusted app of its kind is no easy feat, but we’re working hard to keep it that way!</p> <h2 id="unlimited-access-and-support">Unlimited access and support</h2> <p>Your digital life stretches across devices, and your 1Password experience will reflect this, never leaving you hanging. Every 1Password membership provides seamless syncing <a href="https://blog.1password.com/1password-apps/">across all your computers and mobile devices</a>, so you can store and access unlimited passwords from anywhere at any time. Using 1Password on your phone or tablet offers the same great experience as using it on your desktop, and vice versa.</p> <p>The same way we support your devices, we support you as well. You can connect with real people on our <a href="https://support.1password.com/">Customer Support team</a> for any issues, big or small. Charging for our app has allowed us to grow the best Support team in the business – you can join us in the <a href="https://1password.community/">1Password Support Community</a>, send us an email, or catch us on <a href="https://twitter.com/1password">Twitter</a>.</p> <h2 id="heaps-of-features">Heaps of features</h2> <p>The 1Password apps are a nonstop labor of love, made possible by our millions of paid users. It all starts with a clean, user-friendly design that works reliably on Mac, iOS, Windows, Android, Linux, and Chrome OS.</p> <p>The 1Password Development team is always improving upon existing features and adding new tools, to address your biggest concerns in an intuitive, engaging way. 
A handful of features we’re proud to offer that other apps simply don’t:</p> <ul> <li><strong>Watchtower</strong>. <a href="https://watchtower.1password.com/">Watchtower</a> lets you know about any security breaches on the websites you use, so you can quickly change the passwords for those accounts. It also alerts you to any weak or reused passwords you may have, which you can update using 1Password’s built-in <a href="https://1password.com/password-generator/">strong password generator</a>.</li> <li><strong>Travel Mode</strong>. Using <a href="https://support.1password.com/travel-mode/">Travel Mode</a>, you can hide certain vaults from your devices while on a business or personal trip to keep that information extra safe. This can be handy for individuals as well as administrators of company accounts when employees are traveling.</li> <li><strong>Privacy Cards</strong>. 1Password integrates with Privacy for in-app creation of <a href="https://blog.1password.com/privacy-virtual-cards/">Privacy Cards</a>, virtual payment cards that protect you when you spend online. It’s one of many partnerships and integrations that put 1Password in a league of its own.</li> </ul> <h2 id="bring-the-whole-family">Bring the whole family</h2> <p>Security isn’t just a buzzword for us, it’s our core value. We want your entire family to feel protected with 1Password. We’re offering <a href="https://1password.com/affiliate/promo/personal/?c=SWITCH50&amp;l=">50 percent off 1Password Families</a> to sweeten the deal and make your home a 1Password household. 
<a href="https://1password.com/business/">1Password Teams</a> users can also upgrade to <a href="https://1password.com/business/">1Password Business</a> to give employees a free family account.</p> <p>If you’re using another password manager, consider a <a href="https://1password.com/landing/comparison/">switch to 1Password</a> to see what makes us not only the most loved password manager but one of the <a href="https://blog.1password.com/1password-wins-a-g2-best-software-award/">best software products</a> on the market.</p> <section class="c-call-to-action-box c-call-to-action-box--purple"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Get 50% off 1Password Families</h3> <p class="c-call-to-action-box__text"> Keep all your accounts secure with 1Password Families. Sign up now and get 50% off your first year. </p> <a href="https://start.1password.com/sign-up/family?&amp;l=en&amp;c=SWITCH50" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--purple" data-event-category="CTA" data-event-action="call-to-action-button"> Get 50% off </a> </div> </section></description></item><item><title>Fall in love with 1Password Families</title><link>https://blog.1password.com/make-the-leap-to-1password-families/</link><pubDate>Fri, 12 Feb 2021 00:00:00 +0000</pubDate><author>info@1password.com (Emily Chioconi)</author><guid>https://blog.1password.com/make-the-leap-to-1password-families/</guid><description> <img src='https://blog.1password.com/posts/2021/1password-families-valentines/header.svg' class='webfeedsFeaturedVisual' alt='Fall in love with 1Password Families' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Even if you’re not a fan of all the mushy stuff, Valentine’s Day might still get you in the mood to think about those important relationship milestones.</p> <p>Making things exclusive, getting a drawer at their place, moving in – these are all important steps 
in a relationship. But one milestone rarely mentioned – perhaps so commonplace it often goes unnoticed – is sharing passwords with your significant other.</p> <p>Okay, so giving someone your Netflix login doesn’t sound that romantic. But while it may not sweep them off their feet, it’s a big sign of trust. Whether you’re married, living together, or you’ve just reached the <a href="https://1password.com/features/secure-password-sharing/">password sharing</a> stage, if you’ve been flirting with the idea of 1Password Families, it’s time to make your move.</p> <p>Not sure you’re totally ready to commit? You can share only the logins and information you’re comfortable with while keeping everything else private. Even better: 1Password Families is cheaper than two separate accounts while still letting you maintain any boundaries you might need.</p> <p>Lost your Master Password? Just like a spare key under the welcome mat, if you&rsquo;re both family organizers, you can recover each other&rsquo;s accounts. And, if your family grows, 1Password can grow with you. You can add up to five family members to your account and even invite additional people for just one dollar a month.</p> <p>Need to leave special instructions for the babysitter? Dog walker looking for the alarm code to pick up your furry friend? You can invite guests to a shared vault – perfect for safely sharing limited information for a limited time.</p> <h2 id="make-the-most-of-1password-families">Make the most of 1Password Families</h2> <p>Still not ready to make a commitment? Here are just a couple of things you can do with 1Password Families.</p> <p><strong>Pretty fly for a Wi-Fi:</strong> Share the Wi-Fi password for your place, so your partner always feels at home. 
Such a strong connection.</p> <p><strong>Netflix and chill:</strong> Share logins for streaming services, so you never ruin the mood with an awkward intermission for a <a href="https://blog.1password.com/how-to-reset-password/">password reset</a>.</p> <p><strong>Share a pizza your heart:</strong> Takeout for date night? Share logins for your meal delivery apps and easily reorder their favorites without forgetting how they like it.</p> <p><strong>It’s all about the Benjamins:</strong> Ready for a joint account for purchases big and small? Add your bank and credit card details to 1Password, so you can both check out online with just a few clicks.</p> <p><strong>Earn those brownie points:</strong> If you save your addresses and passports in 1Password, booking surprise hotel stays and holidays is a breeze. So romantic!</p> <p><strong>Distance makes the heart grow fonder:</strong> Long distance relationships are tough. Pool your frequent flyer miles and share airline loyalty cards to make travel planning easier on both of you.</p> <p>Chocolates, flowers, a spatula – you’re probably thinking about ways to show your love, so why not do it with password sharing? You can make that relationship status official by <a href="https://blog.1password.com/upgrade-to-1password-families/">inviting your special someone to use 1Password Families with you</a>.</p> <p>And, if you want to read more about the intersection between love and logins, we&rsquo;ve put together a <a href="https://blog.1password.com/love-and-logins/">report on password sharing and relationships</a>.</p> <section class="c-call-to-action-box c-call-to-action-box--purple"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Get 25% off 1Password Families</h3> <p class="c-call-to-action-box__text"> Keep all your accounts secure with 1Password Families. Sign up now and get 25% off your first year. 
</p> <a href="https://start.1password.com/sign-up/family?c=HIBP21" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--purple" data-event-category="CTA" data-event-action="call-to-action-button"> Get 25% off </a> </div> </section></description></item><item><title>Sharing passwords with a partner: here's what the research says</title><link>https://blog.1password.com/love-and-logins/</link><pubDate>Wed, 10 Feb 2021 00:00:00 +0000</pubDate><author>info@1password.com (Andrew Zangre)</author><guid>https://blog.1password.com/love-and-logins/</guid><description> <img src='https://blog.1password.com/posts/2021/love-and-logins-report/header.svg' class='webfeedsFeaturedVisual' alt='Sharing passwords with a partner: here's what the research says' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Last year we <a href="https://blog.1password.com/family-password-paradigm/">published a report</a> looking at the state of online security and password habits in the home. Today we’re publishing the second half of that research in a new report that focuses on password sharing in relationships and the online security habits of romantic partners.</p> <p>How dating and relationships factor into the online security equation is interesting to say the least. If you want to dive right in, you can <a href="https://1password.com/resources/love-and-logins/">download the report</a> – but I wanted to share some of the most interesting findings here.</p> <h2 id="trust-and-personal-comfort">Trust and personal comfort</h2> <p>As with anything, we all have different philosophies on this topic. Your comfort with sharing private details is your own, and we’re not here to judge. The findings in our report show the range of habits and opinions here, at the intersection of online privacy and romance.</p> <p>According to our survey, 25 percent of people won’t share their smartphone password with a partner until they get married. 
While not insignificant, that tells us the majority are still trusting enough with that info somewhere along the dating journey. That level of trust is a beautiful thing – so long as you set some ground rules and ensure the password stays between you.</p> <h2 id="different-strokes">Different strokes</h2> <p>The degree to which people are comfortable sharing passwords varies by the type of device or account, as well as the age group and gender of the person sharing. Female-identifying respondents, for instance, were less comfortable sharing passwords in their relationships. That goes especially for work devices and email accounts – more than half of women say they won’t reveal their work computer logins to a significant other.</p> <p>Elsewhere in the report, Gen Z and millennials show they’re more likely than older generations to share passwords in the early stages of dating. As privacy experts, we find this trend gives us some cause for concern. But again, having conversations that help nurture trust and prevent resharing or misuse can make a big difference.</p> <p>If and when you “make the leap” with your partner, <a href="https://blog.1password.com/make-the-leap-to-1password-families/">keeping things safe in 1Password Families</a> is still the ideal way to prevent identity theft and other issues. Rather than scribble various passwords on sticky notes or in emails, <a href="https://support.1password.com/create-share-vaults/">create shared vaults</a>, then add the passwords you’re comfortable sharing. Take things slow with what you reveal, to help protect yourselves and your partners.</p> <h2 id="the-not-so-fun-side-of-things">The not-so-fun side of things</h2> <p>Our report also touches on a few prickly but super-relevant items – namely, secret accounts between partners and what happens after breakups.</p> <p>According to our research, many of us keep some things to ourselves, even from our significant other. 
This includes certain online accounts for nearly half of the people we surveyed. The simple knowledge of that could cause a few arguments, and understandably so. What you share is, again, a personal choice – and plenty of healthy relationships may involve some online secrecy.</p> <p>Then there are the breakups. Sharing important passwords, even with your <a href="https://blog.1password.com/family-password-paradigm/">family members</a>, reduces your overall security; that’s just a fact. If your relationship goes south, we can’t recommend strongly enough that you change any passwords you shared, no matter how close you were and might continue to be.</p> <p>Our study helps illustrate the point, showing that 44 percent of people try signing into an ex’s account after a breakup. So updating your important logins is the safe move if it comes to that point. And well before you get there, limit your password sharing to those people who have proven their trustworthiness with you. Fixing a problem is way harder than preventing it when it comes to your online safety.</p> <h2 id="get-the-full-report">Get the full report</h2> <p>If you’re curious to learn more, <a href="https://1password.com/resources/love-and-logins/">check out the full report</a> for plenty of insights, paired with some gorgeous visuals from our Design team. We greatly enjoyed putting it together and learning how people approach password management in the throes of love.</p> <p>We hope this report can inspire some productive conversations and increased awareness around online security. Thanks for reading and Happy Valentine’s Day! ❤️</p> <section class="c-call-to-action-box c-call-to-action-box--purple"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Get 25% off 1Password Families</h3> <p class="c-call-to-action-box__text"> Keep all your accounts secure with 1Password Families. Sign up now and get 25% off your first year. 
</p> <a href="https://start.1password.com/sign-up/family?c=HIBP21" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--purple" data-event-category="CTA" data-event-action="call-to-action-button"> Get 25% off </a> </div> </section></description></item><item><title>It's easy to move to 1Password Families</title><link>https://blog.1password.com/upgrade-to-1password-families/</link><pubDate>Tue, 09 Feb 2021 00:00:00 +0000</pubDate><author>info@1password.com (Stacey Harris)</author><guid>https://blog.1password.com/upgrade-to-1password-families/</guid><description> <img src='https://blog.1password.com/posts/2021/move-to-1password-families/header.svg' class='webfeedsFeaturedVisual' alt='It's easy to move to 1Password Families' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Upgrading your 1Password membership to 1Password Families lets you <a href="https://1password.com/features/secure-password-sharing/">securely share passwords</a> and documents with family members – no matter where they are. It’s also a great way to encourage your family to adopt better digital security habits.</p> <p>Whether you’re in a relationship or looking to help secure your parents, siblings, or kids, there are plenty of benefits to upgrading to a 1Password Families membership.</p> <h2 id="the-benefits-of-1password-families">The benefits of 1Password Families</h2> <p>1Password Families is a budget-friendly way to protect your whole family. For less than the cost of two individual memberships, you’ll be able to add five family members to 1Password Families – and if you need to, you can invite more family members for one dollar a month. 
Upgrading to 1Password Families is a great way to save money while protecting your family.</p> <p>Don’t worry if you’ve got accounts and passwords you’d rather keep to yourself, as each family member has their own private vault where they can tuck away anything they want to keep separate from the rest of the family. Even family organizers can’t gain access to another family member&rsquo;s private vault.</p> <h2 id="peace-of-mind-for-everyone">Peace of mind for everyone</h2> <p>Although group chats are great for sharing your latest lockdown sourdough attempt, they’re not the best place to share passwords and documents. By keeping Wi-Fi passwords, passports, and more in a shared vault, you can be sure your family’s information is safe while still being accessible to everyone, whenever they need it.</p> <p>But what if you need to securely share information with someone who isn’t in your family? Well, that’s why a family account lets you <a href="https://support.1password.com/guests/">invite a guest</a> to a shared vault. So whether you need to share the Netflix password with your friend, financial information with your accountant, or alarm codes with a house sitter, you can do so securely with 1Password Families.</p> <h2 id="recover-accounts">Recover accounts</h2> <p>When you create a family account you become the designated family organizer. As the family organizer you can manage family member and guest invitations, shared vaults, settings, and account recovery.</p> <p>As part of our dedication to privacy, no one at 1Password ever has access to your information. That means we can&rsquo;t recover your account if you get locked out. Unlike with individual accounts, though, if a family member loses their Master Password, a family organizer can still recover their account for them. 
It’s a great way to help keep less-experienced family members safe while encouraging them to practice strong online security.</p> <p>As a family organizer, you can also change a family member’s role and make them a family organizer as well. By designating a second family organizer, you won’t have to be the only tech support for your family when someone requires an account recovery, or access to a shared vault. Though we know you’d never forget your Master Password, having a second family organizer means you can recover each other’s accounts, just in case.</p> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div class="c-technical-aside-box__description"> <p>Did you know? You can now use a <a href="https://blog.1password.com/introducing-1password-recovery-codes/">recovery code</a> to self-recover your 1Password account should you lose your Secret Key or forget your account password. Create one today!</p> </div> </aside> <h2 id="upgrade-your-1password-membership-to-1password-families">Upgrade your 1Password membership to 1Password Families</h2> <p>Upgrading to 1Password Families is super simple. 
Note that only one family member needs to do this – all other family members will be invited during the setup process:</p> <ol> <li><a href="https://start.1password.com/signin">Sign in</a> to your account on 1Password.com.</li> <li>Click Invite People in the sidebar.</li> <li>Select Upgrade to 1Password Families.</li> <li>Choose a name for your family and click Upgrade Account.</li> <li>Click Invite People, then click Invite by Email and enter the email addresses of your family members.</li> </ol> <p> <video class="round shadow" style="display: block; margin: auto; padding: 0;" loop="loop" playsinline="" width="100%" alt='' controls> <source src="https://blog.1password.com/posts/2021/move-to-1password-families/convert-to-family-account.mp4" type="video/mp4" /> </video> </p> <p>After your family members accept your invitation and set up their account, make sure everyone saves a copy of their new <a href="https://support.1password.com/emergency-kit/">Emergency Kit</a>.</p> <p>And that’s it, you’re done and ready to start enjoying the benefits of 1Password Families.</p> <p>If you decide you want to switch back to an individual account, you can <a href="https://support.1password.com/change-account-type/#switch-to-an-individual-account">manually reverse the upgrade</a>.</p> <p>Upgrading to 1Password Families is a simple process that saves time and keeps your whole family secure. 
With added benefits like account recovery, shared vaults, and cost savings, it’s the perfect choice if you’re already using 1Password and want to introduce it to the most important people in your life.</p></description></item><item><title>1Password wins a G2 Best Software award</title><link>https://blog.1password.com/1password-wins-a-g2-best-software-award/</link><pubDate>Mon, 08 Feb 2021 00:00:00 +0000</pubDate><author>info@1password.com (Stacey Harris)</author><guid>https://blog.1password.com/1password-wins-a-g2-best-software-award/</guid><description> <img src='https://blog.1password.com/img/headers/news-header.svg' class='webfeedsFeaturedVisual' alt='1Password wins a G2 Best Software award ' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">1Password has been named one of G2&rsquo;s Best Software Products of 2021 and is the only password manager to appear on the list. That seems as good a reason as any to share a brief recap of some highlights from the last 12 months.</p> <p>In 2020, in an effort to slow the spread of coronavirus, many businesses made the shift to remote or hybrid work. This unexpected transition left many businesses scrambling to adjust to new ways of working.</p> <p>We responded to the COVID-19 pandemic by offering businesses <a href="https://blog.1password.com/covid-19-response/">1Password free for 6 months</a>, sharing our experience around <a href="https://blog.1password.com/remote-work-security-tips/">hybrid work and security</a>, and helping <a href="https://blog.1password.com/remote-work-shadow-it/">businesses adjust to the changing nature of the workplace</a>.</p> <p>Though 2020 posed challenges for 1Password – as it has for many – in some ways it’s been a great year for us. 
The number of businesses using 1Password grew to over 75,000, as more companies shifted to hybrid work and began looking for a secure way to share information and passwords outside of a physical workspace.</p> <p>With plans for both small teams and enterprise-level businesses, we have been able to meet the growing needs of companies looking for more oversight of passwords and other sensitive business information.</p> <p>This last year, we made it possible to deploy 1Password org-wide via <a href="https://blog.1password.com/1password-slack-enterprise-grid/">Slack Enterprise Grid</a>, and we launched an <a href="https://blog.1password.com/privacy-virtual-cards/">integration with Privacy</a> to help people make online payments more safely and easily – at work and at home.</p> <p>And we upped our focus on <a href="https://blog.1password.com/1password-apps/">supporting and developing all our 1Password apps</a>, doubling down on our commitment to give our customers complete control over how they store and use their data.</p> <p>It’s always wonderful to be recognized for creating a quality product that is appreciated by industry professionals and users. Thank you to G2 and everyone who voted to make 1Password the best password manager for 2021.</p> <img src='https://blog.1password.com/posts/2021/g2-awards-2021/g2-badge.png' alt='G2 awards badge showing 1Password in the top 100 best software products for 2021' title='G2 awards badge showing 1Password in the top 100 best software products for 2021' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">1Password vs. the competition</h3> <p class="c-call-to-action-box__text"> Find out why 1Password is the best in the market with our <a href="https://1password.com/comparison/">password manager comparison</a>! 
</p> <a href="https://1password.com/comparison/" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Compare password managers </a> </div> </section></description></item><item><title>COMB data breach: what it means, and how to protect yourself</title><link>https://blog.1password.com/what-comb-means-for-you-and-your-business/</link><pubDate>Fri, 05 Feb 2021 00:00:00 +0000</pubDate><author>info@1password.com (Andrew Zangre)</author><guid>https://blog.1password.com/what-comb-means-for-you-and-your-business/</guid><description> <img src='https://blog.1password.com/posts/2021/comb-response/header.svg' class='webfeedsFeaturedVisual' alt='COMB data breach: what it means, and how to protect yourself' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">In the <a href="https://www.consumeraffairs.com/news/over-3-billion-emails-and-passwords-hacked-in-possibly-the-largest-breach-ever-020421.html">Compilation of Many Breaches (COMB)</a>, more than 3 billion unique sets of login credentials have been shared online in what some say is the largest data breach of all time.</p> <p>Though it seems that no new login information has been exposed, the compilation and sharing of so much data significantly increases the risk that previously exposed credentials could be used to gain access to online accounts – particularly where passwords have been reused.</p> <p>With an event of this magnitude, it’s crucial to stay informed and take steps to prevent your online accounts being compromised, whether at home or at work. In a nutshell, that means changing affected passwords ASAP. We’re here to help.</p> <h2 id="what-is-the-comb-data-breach">What is the COMB data breach?</h2> <p>COMB is made up of compromised email and password combinations exposed by around 252 previous breaches, including from major sites like Netflix and LinkedIn. 
It’s the largest incident of its kind on record – far exceeding the 2019 <a href="https://blog.1password.com/773-million-collection-1/">Collection #1 data breach</a>.</p> <p>This mammoth compilation of hacked data was shared on a hacking forum as an interactive database, with built-in scripts for finding and sorting login data. It’s a veritable playground for hackers, who can automate <a href="https://blog.1password.com/how-to-protect-yourself-from-password-reuse-attacks/">credential stuffing attacks</a> on individuals or groups to access services where exposed passwords have been reused.</p> <p>If one of your passwords has ever leaked, and it’s one you’ve reused elsewhere, it’s a doorway for hackers to access those accounts. This is true even if the breached service is one you haven&rsquo;t used in years.</p> <h2 id="change-all-affected-passwords">Change all affected passwords</h2> <p>We encourage you to act calmly but quickly to protect yourself from any potential COMB-related threats by changing all affected passwords.</p> <p>Rather than scramble to update dozens of different passwords, we recommend that you first check Watchtower for passwords affected by historic breaches, and passwords that have been reused. Because COMB is a re-sharing of data from historic breaches, Watchtower will identify credentials affected by this event. You should immediately change them.</p> <p>After that, changing any other reused passwords to unique alternatives will help <a href="https://blog.1password.com/how-to-protect-yourself-against-the-next-big-data-breach/">keep your accounts safe from future data breaches</a>.</p> <p>If you’ve already taken steps to change weaker passwords identified by Watchtower, the good news is that you’re already one step ahead. 
We recommend double-checking Watchtower for any new breaches affecting your accounts just in case, but it may be that your proactive steps have kept your data safe.</p> <p><strong>Support: <a href="https://support.1password.com/watchtower/">Use Watchtower to find passwords you need to change</a>; <a href="https://support.1password.com/change-website-password/">Change your passwords to make them stronger</a>.</strong></p> <h2 id="if-in-doubt-change-it-anyway">If in doubt, change it anyway</h2> <p>If you think a service you use has been affected by a breach but you don’t keep those login credentials in 1Password, you could search <a href="https://1password.com/haveibeenpwned/">Have I Been Pwned</a> for those passwords to see if they’ve ever been affected, but only if you’re 100% sure your internet connection is secure.</p> <p>Our advice in this event would be to change the password in any case, ideally using 1Password to create a strong, unique replacement. Though Have I Been Pwned is the very service Watchtower integrates with to identify breached data, when using Watchtower all checks happen locally on your machine – we don’t send your passwords anywhere to make those checks.</p> <p><strong>Support: <a href="https://support.1password.com/explore/get-started/">Get started with 1Password</a>.</strong></p> <h2 id="set-up-two-factor-authentication">Set up two-factor authentication</h2> <p>Using <a href="https://1password.com/features/two-factor-authentication/">two-factor authentication (2FA)</a> is another great way to keep your data safe in the event of a breach. Because 1Password makes it easy to create and fill the one-time passwords you need, we recommend setting up 2FA wherever possible, starting with your most important accounts.</p> <p>Again, Watchtower will identify sites that support two-factor authentication but where this hasn’t yet been set up. 
With 2FA in place, a hacker with your username and password will still struggle to gain access to your account.</p> <p><strong>Support: <a href="https://support.1password.com/one-time-passwords/">Use 1Password as an authenticator for sites with two-factor authentication</a>.</strong></p> <h2 id="protect-your-companys-data-with-a-domain-breach-report">Protect your company’s data with a domain breach report</h2> <p>If you’re a leader of your business, or responsible for IT or security, this event is a great reason to create a domain <a href="https://1password.com/business/domain-breach-report/">breach report</a> for your company if you never have.</p> <p>A domain breach report identifies any company email address that has been affected by a <a href="https://blog.1password.com/data-breach-101-stay-safe-online/">data breach</a>, and also lets you know if a password was exposed so it can be changed. That way, you can let any affected employees know about passwords they’ll need to change ASAP to make sure important information remains safe.</p> <p>The report will also let you know if any team members aren’t using 1Password so you can re-invite them to make sure they’re using strong, unique passwords for all their online accounts.</p> <p><strong>Support: <a href="https://support.1password.com/breach-report/">Create a domain breach report for your company</a>.</strong></p> <h2 id="get-ahead-of-the-game">Get ahead of the game</h2> <p>Though 1Password is an invaluable tool in responding to data breaches, it’s even better to use 1Password to get ahead of the game. Whether or not you’re affected by these events, we recommend using Watchtower to make sure all your passwords are unique, and that <a href="https://1password.com/features/two-factor-authentication/">two-factor authentication</a> is used wherever possible.</p> <p>And, if you’re a business, creating a domain breach report is a great way to identify security risks and encourage more team members to use 1Password. 
We’re proud to help millions of users keep safe in their apps and online accounts, and events like COMB remind us why we do what we do.</p> <section class="c-call-to-action-box c-call-to-action-box--purple"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Get 25% off 1Password Families</h3> <p class="c-call-to-action-box__text"> Keep all your accounts secure with 1Password Families. Sign up now and get 25% off your first year. </p> <a href="https://start.1password.com/sign-up/family?c=HIBP21" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--purple" data-event-category="CTA" data-event-action="call-to-action-button"> Get 25% off </a> </div> </section></description></item><item><title>Protect yourself from identity fraud scams</title><link>https://blog.1password.com/identity-fraud-scams/</link><pubDate>Thu, 04 Feb 2021 00:00:00 +0000</pubDate><author>info@1password.com (Stacey Harris)</author><guid>https://blog.1password.com/identity-fraud-scams/</guid><description> <img src='https://blog.1password.com/posts/2021/identity-fraud-scams/header.svg' class='webfeedsFeaturedVisual' alt='Protect yourself from identity fraud scams' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Identity fraud has become a growing problem as more people work, socialize, and shop online. Unsurprisingly, having your identity stolen has a significant impact on your financial and mental health, and it can take years to recover. 
And unfortunately, identity theft, <a href="https://blog.1password.com/credit-card-numbers-checksums-and-hashes-the-story-of-a-scamming-attempt/">credit card fraud</a>, and having your bank accounts compromised are only the tip of the iceberg.</p> <h2 id="contents">Contents</h2> <ul> <li><a href="#emerging-scams">Emerging scams</a></li> <li><a href="#pandemic-centric-identity-fraud">Pandemic-centric identity fraud</a></li> <li><a href="#early-signs-of-identity-theft">Early signs of identity theft</a></li> <li><a href="#prevent-fraud">Prevent fraud</a></li> </ul> <p>In April last year, Google reported that nearly <a href="https://www.bbc.com/news/technology-52319093">one-fifth of all phishing scams were related to coronavirus</a>. Based on <a href="https://www.fool.com/the-ascent/research/identity-theft-credit-card-fraud-statistics/">previous trends</a>, especially given the effects of the pandemic, we can expect another increase in identity fraud scams in 2021. As scams evolve, it’s important to learn how to spot them so you can protect yourself from these kinds of attacks.</p> <h2 id="emerging-scams">Emerging scams</h2> <p>When lockdowns started in March, banking online became a new reality for many, and online shopping increased exponentially. Technologies like Zoom, HouseParty, TikTok, and Among Us exploded in popularity, as people searched for new ways to connect.</p> <p>Of course, scams emerged taking advantage of the pandemic, including “news” services offering coronavirus updates (in exchange for some personal details, of course), and phishing emails linking to fake government grant applications.</p> <p>And whether they’re legitimate services or not, creating new accounts can make you more susceptible to the risks posed by data breaches if you reuse the same password for multiple accounts. 
Fortunately, there are a number of ways to <a href="https://blog.1password.com/how-to-protect-yourself-from-password-reuse-attacks/">prevent password reuse attacks</a>, including using a strong, unique password for every online account.</p> <h2 id="pandemic-centric-identity-fraud">Pandemic-centric identity fraud</h2> <p>The coronavirus pandemic has also seen a rise in identity fraud. Governments worldwide responded to the pandemic by offering funding, grants, and loans to help people weather the financial crisis. Out of necessity, many of these aid programs were put together quickly, making them ripe targets for scammers.</p> <p>Using previously exposed data, scammers could take advantage of these new aid programs. For example, a <a href="https://www.cnbc.com/2017/09/07/credit-reporting-firm-equifax-says-cybersecurity-incident-could-potentially-affect-143-million-us-consumers.html">2019 Equifax breach</a> compromised personal information of about 143 million people. That breach included social security and social insurance numbers – personal data, which might go some way to explaining the estimated <a href="https://www.wcnc.com/article/money/still-no-stimulus-check-experts-warn-identity-theft-could-be-to-blame/275-8d78f47c-9cd3-4234-b2d0-89ef14bd37e1">30 million Americans who have yet to receive their stimulus payment</a>, and the more than <a href="https://www.cbc.ca/news/canada/toronto/toronto-cerb-payments-on-hold-after-fraudster-makes-ei-application-1.5670874">700 Canadians who reported that CERB payments were claimed in their name</a>, that they didn’t request or receive.</p> <p>While identity fraud reporting is increasing, the number of actual scams is estimated to be much higher because many people are unaware their identity has been stolen.</p> <h2 id="early-signs-of-identity-theft">Early signs of identity theft</h2> <p>Many people first find out their identity has been stolen when they check their credit score, are denied a loan, or receive a debt 
repayment call for something they never bought.</p> <p>Common identity fraud signs to keep an eye out for include:</p> <ul> <li>Creditors calling when you haven’t requested credit in the first place</li> <li>Withdrawals or transfers from your bank account that you didn’t initiate</li> <li>Notifications of changes made to your account that you didn’t request</li> <li>Debt collection calls when you don’t have unpaid or late debt payments</li> <li>Missing or undelivered mail with your personal information, like credit card statements</li> </ul> <p>Basically, if you notice anything out of place in your accounts, it’s important to follow up right away, and through official channels like phone numbers or websites you already know – not via links in emails or text messages.</p> <h2 id="prevent-fraud">Prevent fraud</h2> <p>There are also steps you can take now to help prevent attackers from stealing your identity in the first place, and most are small changes that you can make today. These include:</p> <ul> <li>Delete <a href="https://blog.1password.com/ghosts-passwords-past/">unused accounts that put you at risk</a>.</li> <li>Never share personal information over incoming phone calls, especially from unrecognized numbers (and also while in public, via text, or when on public Wi-Fi).</li> <li>Use a password manager to create strong, unique passwords for every account.</li> <li>Enable multi-factor authentication wherever possible, especially important accounts like email and banking.</li> <li>Sign up for alerts from your financial institutions to spot discrepancies faster.</li> <li>Never share personal information via emails – legit organizations and government agencies never request private information this way.</li> <li>Shred any documents with personal information before recycling them.</li> <li>Never give out your social security number unless you trust the recipient and you’re sure the information is required.</li> <li>Check your credit score every month for unexpected 
changes and follow up on discrepancies.</li> </ul> <p>Checking your credit score doesn’t need to be complicated or expensive. Both <a href="https://www.lendingtree.com/">Lending Tree</a> and <a href="https://www.clearscore.com/">ClearScore</a> offer free credit checks so you can track your credit score and respond to any unexpected changes. Both services handle vital information, so it’s extremely important that you use unique passwords for these accounts. 1Password has partnered with both Lending Tree and ClearScore to offer 25 percent off your first year of 1Password when you sign up with either service.</p> <p>With identity fraud scams increasing worldwide, it’s more important than ever to secure your personal information. Knowing what to look out for and taking early, preventative measures will help reduce your risk and exposure to fraudsters.</p> <section class="c-call-to-action-box c-call-to-action-box--purple"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Your life is online. Secure it</h3> <p class="c-call-to-action-box__text"> Sign up to 1Password and get 14 days free. </p> <a href="https://1password.com/pricing/" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--purple" data-event-category="CTA" data-event-action="call-to-action-button"> Try 1Password free </a> </div> </section></description></item><item><title>1 in 5 corporate passwords include the company name. You need a password manager</title><link>https://blog.1password.com/1-in-5-corporate-passwords-include-company-name/</link><pubDate>Tue, 02 Feb 2021 00:00:00 +0000</pubDate><author>info@1password.com (James Holloway)</author><guid>https://blog.1password.com/1-in-5-corporate-passwords-include-company-name/</guid><description> <img src='https://blog.1password.com/posts/2021/company-password-policy/header.png' class='webfeedsFeaturedVisual' alt='1 in 5 corporate passwords include the company name. 
You need a password manager' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">If you keep an eye on security headlines, you may have seen the news that up to one in five work passwords include the company name.</p> <p>This is according to <a href="https://www.acronis.com/en-us/blog/posts/celebrating-40th-anniversary-data-privacy-day/">new research</a> by data protection specialists Acronis, which also suggests that around 80 percent of companies don&rsquo;t have an established password policy. Both stats are concerning from the point of view of businesses’ online security – but they are trivial to fix if you use an <a href="https://1password.com/enterprise/">enterprise password manager</a>.</p> <h2 id="the-problem-with-non-random-passwords">The problem with non-random passwords</h2> <p>People use the name of the company they work for as part of their password to make it memorable. When people are forced to remember passwords, especially those that they need to change regularly, it carries the unintended consequence of making passwords less secure.</p> <p>People rotate through minor variations of the same base password, such as using their company name with a few extra characters on the end, to check off password policy requirements while still being able to remember their password.</p> <p>The problem is that hackers can guess the company part of the password, while the remaining characters are easy to crack through computational brute force compared to a truly random password of sufficient length. To put it more simply: Lack of effective password policy puts company data at risk.</p> <h2 id="creating-safer-passwords">Creating safer passwords</h2> <p>You can implement a better password policy in 24 hours by requiring that everyone in the company use 1Password to create the passwords they use at work. 
Out of the box, 1Password generates strong, unique passwords, and remembers and fills them in for you.</p> <p>1Password makes the problem of weak passwords go away; because 1Password remembers passwords for everyone in your company, they’re no longer tempted into using the kind of weak, memorable password this research describes. And, after you’re set up with 1Password, you can use Watchtower to find and update weak passwords to stronger ones.</p> <h2 id="updating-and-enforcing-password-policies">Updating (and enforcing) password policies</h2> <p><a href="https://1password.com/business/">1Password Business</a> includes <a href="https://1password.com/business/advanced-protection/">Advanced Protection</a>, which lets you set stricter Master <a href="https://1password.com/password-generator/">Password requirements</a> for your team to make sure their logins and other important information is safely protected. It also lets you manage two-factor authentication and create rules for how and where your team can use 1Password – for example, preventing logins from countries where no team members are present, and requiring up-to-date apps.</p> <p>Even if you’re using an identity provider, take note. The <a href="https://blog.1password.com/challenges-of-shadow-it/">prevalence of shadow IT</a> makes it almost inevitable that people in your organization – with the absolute best intentions – are using software and services you&rsquo;re not aware of to get things done. In the process, they&rsquo;re very possibly putting company data on external services behind weak passwords (because, hey, they&rsquo;ve already gone to the trouble of memorizing one work password they can reuse).</p> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div class="c-technical-aside-box__description"> <p>Worried about shadow IT? 
Learn how to control and reduce the risks associated with shadow IT in our <a href="https://www.1password.university/learn/course/external/view/elearning/443/humanizing-shadow-it-with-1password-and-kolide">free 1Password University course</a>.</p> </div> </aside> <h2 id="choose-peace-of-mind">Choose peace of mind</h2> <p>Our hearts sink when we see headlines like these because we know there&rsquo;s a better way. Time and again we see businesses choose against prioritizing their security, and it&rsquo;s a mistake that can cost businesses <a href="https://www.cpomagazine.com/cyber-security/what-is-the-real-cost-of-a-data-breach/">eight- or even nine-figure sums</a>.</p> <p>You can try 1Password Business for free today. When you sign up, your whole team can use 1Password Families at home for free – a great perk that encourages better online security practices both at home and at work.</p> <section class="c-call-to-action-box"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Sign up for 1Password Business</h3> <p class="c-call-to-action-box__text"> Sign up for 1Password Business today and get your first 14 days free. 
</p> <a href="https://1password.com/business-pricing/" class="c-call-to-action-box__link-href" data-event-category="CTA" data-event-action="call-to-action-button"> Try 1Password free </a> </div> </section></description></item><item><title>There’s an app for that: why we built the 1Password apps</title><link>https://blog.1password.com/1password-apps/</link><pubDate>Thu, 21 Jan 2021 00:00:00 +0000</pubDate><author>info@1password.com (Michael Fey)</author><guid>https://blog.1password.com/1password-apps/</guid><description> <img src='https://blog.1password.com/posts/2021/1password-apps/header.svg' class='webfeedsFeaturedVisual' alt='There’s an app for that: why we built the 1Password apps' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Right now at 1Password, we’re in the process of a large-scale development effort focused on the apps that our customers use every day on macOS, iOS, Windows, Android, and in the browser.</p> <p>We kicked off this effort with the addition of a new platform where <a href="https://blog.1password.com/1password-for-linux-beta-is-now-open/">we’ve never had a desktop app before: Linux</a>. At the genesis of this project we had a lot of internal discussions about programming languages, tech stacks, toolkits, and more. However, one thing we never disagreed on was our commitment to continue building great apps.</p> <p>We’ve been developing native apps since 2004 so we understand the value they bring to our customers – things like offline access, deep integration with system features, and the ability to manage more than passwords. 
With every new platform we support, we strive to deliver an experience that feels like the 1Password you know and love, but also feels right at home on the platform you’re using.</p> <h2 id="your-passwords-right-where-you-need-them">Your passwords, right where you need them</h2> <p>If you’re a 1Password customer there’s a good chance you’re using it on two or three platforms. Maybe you’ve got it installed on your phone or tablet and have set up <a href="https://blog.1password.com/customers-love-password-autofill-on-ios-and-so-will-you/">Password AutoFill on iOS</a> or <a href="https://blog.1password.com/1password7-7-for-android/">Android</a>.</p> <img src='https://blog.1password.com/posts/2021/1password-apps/ios-autofill.png' alt='Image showing form fields being filled on evernote.com using iOS keyboard with 1password autofill' title='Image showing form fields being filled on evernote.com using iOS keyboard with 1password autofill' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>On your computer, you might be using 1Password in your browser every day to quickly and easily sign in to websites.</p> <img src='https://blog.1password.com/posts/2021/1password-apps/inline-menu.png' alt='inline menu offering suggestions for form field' title='inline menu offering suggestions for form field' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>You might have also installed our desktop app for Mac or Windows (or even jumped on the Linux beta I mentioned earlier!).</p> <img src='https://blog.1password.com/posts/2021/1password-apps/windows.png' alt='Screenshot of 1Password for Windows showing all items view' title='Screenshot of 1Password for Windows showing all items view' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>No matter where you use 1Password, I can guarantee there’s a great experience waiting for you. And that’s not by accident. 
Every app in the 1Password ecosystem was built with express purpose:</p> <ul> <li>Our desktop apps are the perfect place to manage all your information – create new items, organize your existing ones, run security reports, and share with your team or family.</li> <li>Our mobile apps integrate tightly with iOS and Android Autofill features so your logins are always at your fingertips.</li> <li>1Password for your browser lets you fill your passwords, credit cards, and personal information on the web, with a single click.</li> <li>Our command-line tool allows power users and developers to automate tasks or integrate 1Password into workflows to accomplish things we’ve never even thought of.</li> <li>And, of course, 1Password.com has everything you need to manage your account and invite new team or family members.</li> </ul> <p>We don’t believe in a one-app-fits-all approach – there is no single solution that fits the bill for all the different ways our customers can and want to use 1Password.</p> <p>Flexibility, performance, and security are crucial when it comes to keeping your most important information safe, whether that’s for you, your family, or your team. 
With the 1Password apps you can access your data whenever and wherever you need to:</p> <ul> <li>All your information is available offline, meaning you can use 1Password at 30,000 feet, during a power outage, or any time you can’t connect to the internet.</li> <li>Deeper integration with operating systems means support for <a href="https://support.1password.com/android-biometric-unlock-security/">biometric unlock</a> like <a href="https://1password.com/mac/">Touch ID</a>, Face ID, and Windows Hello.</li> <li>Because you can use it anywhere, 1Password is perfect for storing more than passwords – you can securely save and share credit cards, identities, license keys, and even documents.</li> </ul> <h2 id="the-future-is-even-brighter-for-1password-apps">The future is even brighter for 1Password apps</h2> <p>Our approach to building software has enabled us to create some fantastic features over the years, and all our apps work together to create a seamless experience, whatever your platform. But we’re really excited about what’s to come, which is why we’re working hard on new features that you’ll find in our <a href="https://support.1password.com/betas/">upcoming betas</a>.</p> <p>Ultimately, our goal at 1Password is to make it easy to stay safe online. The simplest way to do that is to give our customers complete control over how they store and use their data. We’re continuing our efforts to bring the best possible experience to all our customers – whether that’s families, businesses, power users, or novices. Keep your eyes peeled for more stories on how and why we build the 1Password apps, coming soon.</p> <section class="c-call-to-action-box c-call-to-action-box--purple"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Switch to 1Password</h3> <p class="c-call-to-action-box__text"> Using another password manager? Make the switch and we'll give you six months free when you sign up. 
</p> <a href="https://start.1password.com/sign-up/plan?c=SWITCH" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--purple" data-event-category="CTA" data-event-action="call-to-action-button"> Try 1Password free </a> </div> </section></description></item><item><title>Set yourself up for security success in 2021</title><link>https://blog.1password.com/security-success-2021/</link><pubDate>Mon, 18 Jan 2021 00:00:00 +0000</pubDate><author>info@1password.com (Kerry DeVito)</author><guid>https://blog.1password.com/security-success-2021/</guid><description> <img src='https://blog.1password.com/posts/2021/security-success-2021/header.svg' class='webfeedsFeaturedVisual' alt='Set yourself up for security success in 2021' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">2020 is over – we can finally say it out loud. While we may not be able to put everything behind us, there are a few things we can pack up and wave a cheery goodbye to. The first one that comes to mind? Bad online security.</p> <p>While it might not be the most obvious new year&rsquo;s resolution, scrubbing up online habits can be a little more exciting than ushering in a reduced Netflix schedule.</p> <p><a href="https://www.nytimes.com/interactive/2020/04/07/technology/coronavirus-internet-use.html">Internet use changed dramatically</a> over the past year, as companies moved to hybrid work and families opted for virtual gatherings. This shift in online activity comes with an increase in vulnerabilities due to careless online habits, like weak passwords and reusing the same password for multiple accounts (hint: Changing the number at the end just isn’t good enough).</p> <p>The good news is that, with a few simple changes, you can set yourself up for security success this year.</p> <h2 id="start-with-email">Start with email</h2> <p>Think of your email as the gateway to each of your other accounts. 
That makes it the logical first step when buttoning up your online security.</p> <p>Use a password manager with a <a href="https://1password.com/password-generator/">random password generator</a> to create a strong, unique password – at least 20 characters with a mix of numbers, symbols, and uppercase and lowercase letters. A generated password contains no personal information like your birthday, address, or phone number, and nothing an attacker could guess from your social media.</p> <p>If you think your email may have been compromised, head to <a href="https://haveibeenpwned.com/">Have I Been Pwned</a> to confirm. Founded by Troy Hunt, a leader in the security development space, HIBP lets you search known data breaches for your email address, and can also notify you if it turns up in a future breach.</p> <p>We&rsquo;ve built the same kind of breach checking right into 1Password. <a href="https://support.1password.com/watchtower/">Watchtower</a> alerts you to security problems with the websites you use, so you can update any compromised passwords right away.</p> <p>You can also <a href="https://twitter.com/1PWatchtower">follow @1PWatchtower on Twitter</a> for regular updates.</p> <h2 id="use-mfa-for-added-safety">Use MFA for added safety</h2> <p>Multi-factor authentication (MFA) adds a second layer of protection and should be used wherever it is available. After the correct password has been entered, it requires a second proof of identity, typically a one-time code from an authenticator app or a hardware key, so a stolen password alone is not enough to sign in.</p> <p>MFA can be managed digitally on your phone or by using hardware-based authentication, which relies on a physical device such as a <a href="https://www.yubico.com/products/">YubiKey</a>. 
YubiKey is <a href="https://www.yubico.com/us/works-with-yubikey/catalog/1password/">easily integrated with 1Password</a> and provides a range of authentication options including two-factor, multi-factor, and passwordless.</p> <p>Certain sites only offer MFA through text messages, or SMS, which has security risks of its own: codes can be intercepted, and an attacker who talks your carrier into a SIM swap receives them instead of you. We only recommend using SMS for MFA if it&rsquo;s the only option available; it is still better than a password alone.</p> <p>If your password is ever compromised, the second factor makes it much harder for an attacker to get into the account. Don’t overthink this extra step; <a href="https://support.1password.com/one-time-passwords/">you can set up 1Password as an authenticator</a> and make it easy to sign into sites where MFA is turned on.</p> <h2 id="turn-on-automatic-updates-on-all-your-devices">Turn on automatic updates on all your devices</h2> <p>Here’s another easy one: Stop snoozing the update notifications on your devices and turn on automatic updates. That goes for browsers and apps as well – turning on automatic updates is one of the easiest ways to defend against known security vulnerabilities and takes care of the pesky notifications at the same time.</p> <h2 id="check-your-wi-fi-router">Check your Wi-Fi router</h2> <p>Your router (along with smart home devices) can be an entryway for hackers. Many routers ship with a default username and password, often both “admin”, which is the first thing an attacker or automated scanner will try. Change these defaults as soon as possible, and update the router’s firmware while you are in its settings. Use a password generator (like the one built into 1Password) to generate a strong, random password and lock down your home network.</p> <h2 id="track-down-old-accounts">Track down old accounts</h2> <p>Don’t be a victim of passwords past. Have an old blog or untouched social media account? Or maybe you don’t use PayPal anymore since Venmo took over. Old accounts can still hold valuable data and are often easier to attack, since their passwords predate your current habits. 
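Both the email advice above and the router advice rely on a generator that draws from a cryptographically secure source rather than a general-purpose random function. The Python below is an added example, not 1Password's generator. It builds passwords from the OS CSPRNG, guarantees every character class the post asks for by rejection sampling (so the result stays uniformly distributed over all qualifying passwords, which picking one character per class and shuffling does not), reports the entropy, and also produces word-based passphrases for things you have to type by hand, such as a router admin password. The symbol set and the short word list are constructed for the example; a real passphrase generator would use a large published list.

```python
import math
import secrets
import string

# Character classes the post asks for. The symbol set is a constructed choice for this
# example; trim it for sites that reject particular characters.
LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?/"
ALPHABET = LOWER + UPPER + DIGITS + SYMBOLS

# Constructed stand-in for a real word list (the EFF long list has 7,776 words).
WORDS = ["acorn", "basalt", "cobalt", "drizzle", "ember", "fjord", "granite", "harbor",
         "iris", "juniper", "kelp", "lantern", "meadow", "nectar", "orchid", "pebble"]


def has_all_classes(password: str) -> bool:
    """True when the password has at least one lowercase, uppercase, digit and symbol."""
    return all(any(c in cls for c in password) for cls in (LOWER, UPPER, DIGITS, SYMBOLS))


def generate_password(length: int = 20) -> str:
    """Uniformly random password over ALPHABET that contains every class.

    Rejection sampling: draw the whole string from the CSPRNG (secrets, never random)
    and retry if a class is missing. Unlike 'one char per class, then shuffle', this
    keeps every qualifying password equally likely. At 20 characters a retry is rare."""
    if length < 4:
        raise ValueError("length must be at least 4 to hold one of each class")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if has_all_classes(candidate):
            return candidate


def generate_passphrase(words=WORDS, count: int = 5, separator: str = "-") -> str:
    """Random words joined for something you must type by hand (router admin page, Wi-Fi)."""
    return separator.join(secrets.choice(words) for _ in range(count))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random string: length * log2(alphabet size).

    Slightly overstates the rejection-sampled case, since the excluded strings shrink
    the space, but by well under a bit at 20 characters."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    print(generate_password(20), f"{entropy_bits(20, len(ALPHABET)):.1f} bits")
    print(generate_passphrase(), f"{entropy_bits(5, len(WORDS)):.1f} bits with this tiny list")
```

With 86 characters, 20 random characters give about 128 bits, far beyond what an online guessing attack or an offline crack of a leaked hash can cover; the five-word passphrase from this 16-word list gives only 20 bits, which is why the list size, not the word count, is what makes a passphrase strong.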
Back in 2013, a simple security flaw <a href="https://www.wired.com/story/myspace-security-account-takeover/">compromised millions of MySpace accounts</a>, but the details around this weren’t disclosed until three years later.</p> <p>Lesson learned. Delete any inactive accounts (only after removing personal information like credit card details, date of birth, or your home address) or update them with a strong password that isn’t used anywhere else.</p> <h2 id="new-year-new-tools">New year, new tools</h2> <p>Prioritizing online safety in the new year doesn’t have to be complicated. Any new devices you may have acquired over the holidays are a great place to start. Make 1Password your first download to secure your apps and accounts, and if your device supports biometric unlock, <a href="https://support.1password.com/search/?q=biometric+unlock">set it up with 1Password</a>.</p></description></item><item><title>Do good and good will follow – 1Password for Good</title><link>https://blog.1password.com/1password-for-good/</link><pubDate>Fri, 08 Jan 2021 00:00:00 +0000</pubDate><author>info@1password.com (Sara Teare)</author><guid>https://blog.1password.com/1password-for-good/</guid></item><item><title>The family password paradigm</title><link>https://blog.1password.com/family-password-paradigm/</link><pubDate>Thu, 17 Dec 2020 00:00:00 +0000</pubDate><author>info@1password.com (Jeff Shiner)</author><guid>https://blog.1password.com/family-password-paradigm/</guid><description> <img src='https://blog.1password.com/posts/2020/family-password-paradigm/header.svg' class='webfeedsFeaturedVisual' alt='The family password paradigm' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Today we&rsquo;re publishing a new report which has some great insights into the state of online security, password use, and password sharing in the home.</p> <p>It&rsquo;s a must-read for anyone interested in improving their family’s online 
security, or with a professional interest in consumer-level security. Please feel free to <a href="https://1password.com/resources/the-family-password-paradigm/">download the report right away</a>, but I did also want to take a moment to share a few highlights and thoughts.</p> <h2 id="a-brighter-more-secure-future">A brighter, more secure future</h2> <p>Kicking off on a note of optimism, I&rsquo;m personally delighted to see that, according to our survey, 40% of parents talk about online security with their preschool children. Yes, that number could be higher, but it still amounts to a huge number of parents talking about online safety with young children. The idea that 40% of little ones are budding security and privacy advocates is very heartening indeed.</p> <h2 id="points-of-concern">Points of concern</h2> <p>Perhaps inevitably, though, points of concern do arise – particularly when we dig into the areas of password use and <a href="https://1password.com/features/secure-password-sharing/">password sharing</a>. One remarkable stat for me was that, of the people that have kept their first ever password for an online service, 12% cite nostalgia as the reason.</p> <p>Now, we don&rsquo;t recommend changing a perfectly good password for no reason, but I&rsquo;m somewhat concerned that people may be clutching on to insecure passwords out of emotional attachment. If a password is short, non-random, or reused elsewhere, we can’t recommend changing it strongly enough.</p> <p>I’d also like to highlight one of the insights we&rsquo;ve seen into how passwords are shared inside of families. I say inside – turns out that, apparently, 55% of dads are OK with their kids sharing their video streaming password with friends.</p> <p>We recommend password sharing, as long as it’s done securely. 
For things like family streaming media accounts it makes total sense, and we&rsquo;ve built both <a href="https://1password.com/business/">1Password Business</a> and 1Password Families with the means to share passwords in a safe and controlled way. That said, we don&rsquo;t recommend letting the kids WhatsApp your Netflix login to all and sundry.</p> <h2 id="bad-day-at-work">Bad day at work</h2> <p>The insights into working from home gave rise to further surprises. These include the insight that 51% of parents let their children access work accounts.</p> <img src='https://blog.1password.com/posts/2020/family-password-paradigm/children-work-accounts.png' alt='Image showing child using a laptop and highlighting the fact that 51 percent of parents let their children access work accounts' title='Image showing child using a laptop and highlighting the fact that 51 percent of parents let their children access work accounts' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p> </p> <p>I hope the implications for data security don&rsquo;t need to be explained, but one quote from a parent brings home why this can be a bad idea at a level we can all relate to: “Once my boy accessed my work laptop. He accidentally deleted my presentation”. And that&rsquo;s the worst kind of deleted: the irretrievable, start all over again kind.</p> <h2 id="get-the-full-report">Get the full report</h2> <p>Please do take a look at <a href="https://1password.com/resources/the-family-password-paradigm/">the full report</a> for many more data points on these and other areas. In particular, there&rsquo;s a section on end-of-life planning I haven&rsquo;t touched on here that tacitly poses some tough questions for the security and technology industries to grapple with.</p> <p>And suffice to say our talented team of designers and illustrators have gone to town to create some charts for you to pore over. 
We created this report, in part, to stimulate conversation – so if there&rsquo;s anything you&rsquo;d like to discuss with us as a result, please do let us know. Happy reading! ☕️</p> <section class="c-call-to-action-box c-call-to-action-box--purple"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Keep your family safe online</h3> <p class="c-call-to-action-box__text"> Sign up for 1Password Families today and get your first 14 days free. </p> <a href="https://1password.com/pricing/" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--purple" data-event-category="CTA" data-event-action="call-to-action-button"> Try 1Password Families free </a> </div> </section></description></item><item><title>What we (don't) know about you</title><link>https://blog.1password.com/what-we-dont-know-about-you/</link><pubDate>Tue, 15 Dec 2020 00:00:00 +0000</pubDate><author>info@1password.com (Megan Barker)</author><guid>https://blog.1password.com/what-we-dont-know-about-you/</guid></item><item><title>Deploy 1Password across Slack Enterprise Grid</title><link>https://blog.1password.com/1password-slack-enterprise-grid/</link><pubDate>Tue, 01 Dec 2020 00:00:00 +0000</pubDate><author>info@1password.com (Chris Mann)</author><guid>https://blog.1password.com/1password-slack-enterprise-grid/</guid><description> <img src='https://blog.1password.com/posts/2020/slack-enterprise-grid/header.svg' class='webfeedsFeaturedVisual' alt='Deploy 1Password across Slack Enterprise Grid' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">We’re excited to announce that it’s now easier than ever for Slack Enterprise Grid admins to initiate an org-wide deployment of 1Password Slack app across all of their workspaces. 
You’ll be able to manage and monitor how your team uses 1Password, and a variety of other apps, in one place – saving you time and focus.</p> <p>If your team is already using 1Password and Slack and you want to know how org-wide deployment of 1Password through Slack makes your work easier, check out the benefits of this top-down deployment approach below.</p> <h2 id="secure-employees-at-scale">Secure employees at scale</h2> <p>The <a href="https://1password.com/features/1password-slack/">1Password Slack app</a> lets you monitor important actions your team takes in 1Password and is one of the simplest ways to roll out 1Password across your business. You can invite an entire workspace at once, invite team members in a specific channel or group, or send a direct message to anyone who hasn’t already joined your team. Using the 1Password Slack app, Admins can see who has been invited and their status.</p> <p>As you know, employees are more likely to adopt company security policies if the process is easy and convenient. By deploying the 1Password Slack app, you’ll be able to help your team seamlessly adopt 1Password, helping them build good security habits from the outset and ultimately reducing your business risk.</p> <h2 id="automate-1password-notifications-in-slack">Automate 1Password notifications in Slack</h2> <p>Once you’ve rolled out 1Password, you can get an overview of your team’s activity with configurable notifications and alerts that can be sent to any Slack channel. Alerts will let you know when you need to take action, like confirming new team members or approving pending account recoveries. 
Once an action is completed the alert message is automatically updated so everyone in the channel will know the alert has been resolved.</p> <p>You can also set up the 1Password Slack app to automatically provide notifications to let you know when team members sign in, authorize a new device, or turn <a href="https://1password.com/features/travel-mode/">Travel Mode</a> on and off.</p> <h2 id="shine-a-light-on-shadow-it-with-1password">Shine a light on shadow IT with 1Password</h2> <p>Being able to integrate the 1Password Slack app with org-wide rollouts means increased adoption by employees and teams, which means better security practices business wide. When employees open an account without your approval or knowledge they are engaging in <a href="https://blog.1password.com/challenges-of-shadow-it/">shadow IT</a>.</p> <p>There’s a wide range of risks associated with shadow IT, including accidentally sharing private company information with external services, and getting locked out of accounts when employees leave the company. More importantly, if there is a breach, IT won’t know about the exposure.</p> <p>Stopping employees from creating accounts outside of approved solutions can hinder productivity but, by encouraging your team to use 1Password when setting up accounts, you can make sure nothing flies under the radar. Should employees leave, that information stays with your business. And, with 1Password, employees can create strong, unique passwords and securely share them with their team.</p> <p>The 1Password Slack app already allowed you to speed up deployment and monitor how your team is using 1Password. This new, top-down approach will align with all other Slack org-wide apps making it easier for you to manage all of your apps in one place. 
We see org-wide app deployment as a key way for you to rapidly secure your team and for 1Password to scale alongside your business – that’s worth getting excited about!</p> <h2 id="ready-to-launch">Ready to launch</h2> <p>Read our support article on <a href="https://support.1password.com/slack/">setting up the 1Password Slack app</a> to learn how you can get started. We’re excited for you to see how easy it is to deploy 1Password org-wide using the Slack Enterprise Grid.</p></description></item><item><title>1Password on Apple Silicon</title><link>https://blog.1password.com/apple-silicon/</link><pubDate>Mon, 23 Nov 2020 00:00:00 +0000</pubDate><author>info@1password.com (Dave Teare)</author><guid>https://blog.1password.com/apple-silicon/</guid><description> <img src='https://blog.1password.com/posts/2020/apple-silicon/header.svg' class='webfeedsFeaturedVisual' alt='1Password on Apple Silicon' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">My new 13” MacBook Pro arrived on Friday and the first thing I did was install 1Password to see how things perform on the new M1 chip.</p> <img src='https://blog.1password.com/posts/2020/apple-silicon/dock-icons.png' alt='1Password freshly installed on macOS Big Sur' title='1Password freshly installed on macOS Big Sur' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>The current official release of 1Password was built to target the Intel x86 architecture, so Big Sur prompted me to install Rosetta to translate it to run on Apple Silicon.</p> <img src='https://blog.1password.com/posts/2020/apple-silicon/rosetta.png' alt='Install Rosetta to launch 1Password 7 when compiled to Intel x86' title='Install Rosetta to launch 1Password 7 when compiled to Intel x86' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>My heart sank a little, as translated code is often slower than native. 
Upon launching, however, I was surprised to find 1Password launched as fast as ever. This was an incredible delight for sure. Apple really hit the mark here and the developer in me is very thankful they made this transition so smooth.</p> <p>Of course I wanted to enjoy <em>all</em> the power of this new M1 chip so I tried <a href="https://support.1password.com/betas/">our new beta release</a> which comes as a universal binary. This means it includes both Intel and Apple Silicon instruction sets, allowing macOS to choose the best for the machine it’s running on.</p> <p>This is where things really heated up. 1Password built for Apple Silicon running on the M1 is <em>incredibly</em> fast! 🏎🔥</p> <p>1Password launches immediately and unlocks instantly. Here’s a video of me unlocking with Apple Watch and having my 4000+ items appear in a flash.</p> <p> <video class="round shadow" style="display: block; margin: auto; padding: 0;"loop="loop" playsinline="" width="100%" alt='' controls> <source src="https://blog.1password.com/posts/2020/apple-silicon/apple-silicon.mp4" type="video/mp4" /> </video> </p> <p>Instant launch. Instant data. Instant satisfaction! 
🥰</p> <p><a href="https://support.1password.com/betas/">Update to the latest beta</a> to get the silicon you desire.</p> <img src='https://blog.1password.com/posts/2020/apple-silicon/architecture.png' alt='Activity Monitor showing 1Password processes running with Apple architecture instead of Intel' title='Activity Monitor showing 1Password processes running with Apple architecture instead of Intel' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /></description></item><item><title>Ready for Big Sur: Introducing 1Password 7.7 for Mac</title><link>https://blog.1password.com/big-sur-1password-7-7/</link><pubDate>Mon, 16 Nov 2020 00:00:00 +0000</pubDate><author>info@1password.com (Chris De Jabet)</author><guid>https://blog.1password.com/big-sur-1password-7-7/</guid><description> <img src='https://blog.1password.com/posts/2020/big-sur-1password-7-7/header.svg' class='webfeedsFeaturedVisual' alt='Ready for Big Sur: Introducing 1Password 7.7 for Mac' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Hot on the heels of Apple&rsquo;s release of macOS Big Sur, 1Password 7.7 for Mac brings a host of new features, including support for Apple Watch Unlock.</p> <p>Big Sur is here, and we&rsquo;re celebrating with a slew of new features that highlight the technological advances that power Apple&rsquo;s newest operating system.</p> <p>Let’s start with my favorite new way to unlock 1Password.</p> <h2 id="unlock-with-apple-watch">Unlock with Apple Watch</h2> <img src='https://blog.1password.com/posts/2020/big-sur-1password-7-7/apple-watch-unlock.png' alt='1Password for Mac lock screen with Apple Watch logo' title='1Password for Mac lock screen with Apple Watch logo' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>One of our most highly requested features, Apple Watch can now unlock 1Password on any Mac with a <a 
href="https://support.apple.com/guide/security/secure-enclave-sec59b0b31ff/web">Secure Enclave</a>. If you&rsquo;re using macOS 10.15 or later and using the latest devices, you&rsquo;ll now see an option in 1Password preferences to turn on Unlock with Apple Watch alongside the <a href="https://1password.com/mac/">Touch ID</a> option.</p> <img src='https://blog.1password.com/posts/2020/big-sur-1password-7-7/apple-watch-setup.png' alt='1Password for Mac preferences window with new option to set up Apple Watch highlighted' title='1Password for Mac preferences window with new option to set up Apple Watch highlighted' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>After you set it up, you&rsquo;ll get a notification on your Apple Watch any time you open 1Password in macOS. Double click to unlock, and you&rsquo;re in.</p> <p>I can&rsquo;t tell you how handy this has been for me – especially when I&rsquo;m using my MacBook with an external keyboard and trackpad. Now I don&rsquo;t have to reach across my desk to get to the Touch ID button on my laptop. A quick double click on my wrist gets the job done. The whole thing feels seamless and far less intrusive.</p> <p>When you turn on both Apple Watch and Touch ID unlock, 1Password will treat Touch ID as the primary unlock method, but you&rsquo;ll still get the prompt to unlock with your Apple Watch.</p> <h2 id="new-inline-safari-experience">New Inline Safari Experience</h2> <img src='https://blog.1password.com/posts/2020/big-sur-1password-7-7/inline-menu.png' alt='1Password inline menu with suggested item visible in Safari for Mac' title='1Password inline menu with suggested item visible in Safari for Mac' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>1Password X is the best way to experience 1Password, right in your browser. 
<a href="https://blog.1password.com/1passwordx-december-2019-release/">It&rsquo;s smart enough to analyze webpages in the background</a> and suggest relevant items in your vault to fill forms as you browse. In other words, 1Password X anticipates the action you&rsquo;re trying to take, then makes it easy to perform that action.</p> <p>Now, that same speed and intelligence has come to Safari for Mac. When you&rsquo;re browsing in Safari and select a text field that 1Password supports – credit card forms, address and password fields, etc. – 1Password will now offer to fill it automatically. Select from the available options, and 1Password will do the rest.</p> <h2 id="privacy-cards">Privacy Cards</h2> <p>Since launching <a href="https://blog.1password.com/privacy-virtual-cards/">our partnership with Privacy in 1Password X in September</a>, we&rsquo;ve received many requests asking for support in Safari. We’re excited to deliver on those requests today.</p> <p>Starting today, you can create virtual payment cards with Privacy using 1Password in Safari. 1Password will also offer to save that card so it’s ready the next time you need it. If attackers were to breach that website, they would only gain access to your virtual payment card details, which are useless to them. Hard to get more secure than that.</p> <p>If you don&rsquo;t have a Privacy account yet, 1Password users can get <a href="https://privacy.com/1password">three months of Privacy Pro for free</a>. 
Enjoy!</p> <h2 id="refreshed-item-detail-design">Refreshed Item Detail Design</h2> <img src='https://blog.1password.com/posts/2020/big-sur-1password-7-7/item-details-view.png' alt='Example 1Password item details windows for login Adobe.com' title='Example 1Password item details windows for login Adobe.com' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>When you view your items in <a href="https://1password.com/mac/">1Password for Mac</a>, you&rsquo;ll notice that everything looks a bit fresher and cleaner. Now when you hover over a field, you&rsquo;ll see a soft highlight marking the active field. At the top of the entry, you’ll also see the vault details at a glance.</p> <p>Not to be outdone, the password generator got a makeover, too. It&rsquo;s now easier to switch the password type between random alphanumeric codes, memorable passwords, and PIN codes.</p> <p>You can also now adjust options to capitalize or use full words, and the password itself is now clearly visible in the generator window.</p> <p>These are small changes, but they all add up to a cleaner, more satisfying experience.</p> <h2 id="update-now">Update now</h2> <p>1Password 7.7 is a free upgrade for all 1Password subscribers. <a href="https://1password.com/downloads/mac/">Download the update to get the goodness</a>. If you installed 1Password through the Mac App Store, rest assured that 1Password 7.7 has been submitted and will be available upon approval.</p> <p>Want to see what’s coming next for 1Password for Mac – or, better yet, help shape its future? <a href="https://1password.community">Join the discussion in the 1Password Support Community</a>. 
We love hearing from you.</p></description></item><item><title>Best bits: highlights from 50 episodes of Random but Memorable</title><link>https://blog.1password.com/random-but-memorable-is-50/</link><pubDate>Fri, 30 Oct 2020 00:00:00 +0000</pubDate><author>info@1password.com (Anna Eastick)</author><guid>https://blog.1password.com/random-but-memorable-is-50/</guid><description> <img src='https://blog.1password.com/posts/2020/rbm-turns-50/header.svg' class='webfeedsFeaturedVisual' alt='Best bits: highlights from 50 episodes of Random but Memorable' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">How do we like our passwords? Just like our podcast: <a href="https://randombutmemorable.simplecast.com/">Random but Memorable</a>. We recently hit a huge milestone, recording our 50th episode! That means our fans and listeners have tuned in for 1604 minutes worth of security advice and banter from 1Password and guests. That’s like watching The Lord of the Rings trilogy three times on repeat!</p> <p>Along the way, we’ve been fortunate enough to interview some of the leading voices in the security space. We’ve climbed up a mountain of <a href="https://randombutmemorable.simplecast.com/episodes/mystery-spying-basement-cat">data breaches with Troy Hunt</a>, navigated the wild west of <a href="https://randombutmemorable.simplecast.com/episodes/expect-wild-west-reviews">surveillance with Ann Cavoukian</a>, and dived into the pool of <a href="https://randombutmemorable.simplecast.com/episodes/ethical-bread-tracking-flaw">private browsing with Daniel Davis from DuckDuckGo</a>. 
We’ve also dished out a healthy dose of 1Password tips and tricks to keep your hunger for security satiated along the way.</p> <p>I’m in the mood to celebrate, so whether you’ve never tuned in before or you just want to relive the highlights, here are my favourite Random but Memorable memories.</p> <h2 id="password-cracking-hacking-spree-with-mike-pound">Password Cracking Hacking Spree with Mike Pound</h2> <p>I love this episode. You can clearly hear the excitement in Matt’s voice as he meets one of his security heroes, Mike Pound. Mike is widely known for his appearances on the YouTube series <a href="https://www.youtube.com/channel/UC9-y-6csu5WGm29I7JiwpnA">Computerphile</a>, and in this episode he helps us to understand how we can simplify security concepts like encryption, password cracking, and much more.</p> <p>This was also the final episode of Season Four, which brought an end to our closing segment Real or Not Real. The segment went out with a bang though, as Matt and Roo try to (hilariously) decide if the entire internet really does weigh the same as one large strawberry. 🍓</p> <p><a href="https://randombutmemorable.simplecast.com/episodes/password-cracking-hacking-spree">Listen to Password Cracking Hacking Spree with Mike Pound ›</a></p> <h2 id="virtual-kindness-pillow-gif-with-eva-galperin-from-eff">Virtual Kindness Pillow Gif with Eva Galperin from EFF</h2> <p>In this episode, we tried to spread love and kindness with our Random Act of Kindness giveaway. We gave listeners the chance to nominate someone to receive three years of 1Password for free. I love that the podcast lets us give back to our listeners and users, either by hooking them up with some 1Password swag or giving the gift of 1Password itself. 🎁</p> <p>I also had the pleasure of speaking with Eva Galperin, Director of Cybersecurity at EFF and Technical Advisor for the Freedom of the Press Foundation. 
We discussed everything from stalkerware to how we can protect free speech in 2020.</p> <p><a href="https://randombutmemorable.simplecast.com/episodes/virtual-kindness-pillow-gif">Tune in to Virtual Kindness Pillow Gif with Eva Galperin ›</a></p> <h2 id="remote-location-smart-toys-with-ken-munro-from-pen-test-partners">Remote Location Smart Toys with Ken Munro from Pen Test Partners</h2> <p>How many smart devices do you own? And how many of them do you actually need? In this episode Roo sat down with Ken Munro from Pen Test Partners to discuss how safe these IoT devices really are. I love using the podcast as a platform to give our security-conscious listeners some new and helpful tips, particularly in this episode where Ken gives some really practical advice on how to secure your smart devices.</p> <p>Join Ken and Roo as they lift the lid on a whole host of potential vulnerabilities, from the hilarious to the downright terrifying.</p> <p><a href="https://randombutmemorable.simplecast.com/episodes/remote-location-smart-toys">Listen to Remote Location Smart Toys with Ken Munro ›</a></p> <h2 id="zero-credit-coffee-oops">Zero Credit Coffee Oops</h2> <p>In season three of the show we launched Hacks Revisited - a segment where we looked back at some of the most scandalous and infamous data breaches of all time. In this particular episode we dissected the Equifax data breach of 2017, which exposed the personal data of roughly 147 million people, close to half the U.S. population. Using archive news stories and media, we were able to study the reaction at the time, reflect on what went wrong, and uncover some sensational findings from the many reports since. Essential listening right here. 🎙</p> <p><a href="https://randombutmemorable.simplecast.com/episodes/zero-credit-coffee-oops">Give Zero Credit Coffee Oops a listen ›</a></p> <h2 id="special-fiftieth-live-show">Special Fiftieth Live Show</h2> <p>Of course I couldn’t let this list go unfinished without a mention of our special 50th episode of Random But Memorable! 
Chaos ensued as we attempted our first episode “in front of a live studio audience”. 🎉 We also introduced our latest closing segment: Play Your Passwords Right. Inspired by a popular game show, this brand new closing segment has quickly become a fan favourite.</p> <p><a href="https://randombutmemorable.simplecast.com/episodes/special-fiftieth-live-show">Celebrate with our Special Fiftieth ‘Live’ Show ›</a></p> <p>And there we have it! It’s been a pleasure to work on such a fun and informative show over the past two years and I can&rsquo;t believe we’ve reached 50 episodes already. I want to take the opportunity to say a huge thank you to our listeners, because we would not be here without you tuning in each week. If you’ve loved the show so far, please leave us a review on <a href="https://podcasts.apple.com/gb/podcast/random-but-memorable/id1435486599">Apple Podcasts</a>, because it really helps the podcast reach more people.</p> <p>And for those who haven’t subscribed yet, hopefully these episodes will be a great introduction to your new favourite podcast. Here’s to the next 50!</p> <section class="c-call-to-action-box c-call-to-action-box--purple"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Subscribe to the Random but Memorable podcast</h3> <p class="c-call-to-action-box__text"> Subscribe for more Random but Memorable moments, as well as the latest security news, tips and tricks. 
</p> <a href="https://randombutmemorable.simplecast.com/" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--purple" data-event-category="CTA" data-event-action="call-to-action-button"> Subscribe now </a> </div> </section></description></item><item><title>Ghosts of passwords past: When old accounts come back to haunt you</title><link>https://blog.1password.com/ghosts-passwords-past/</link><pubDate>Thu, 29 Oct 2020 00:00:00 +0000</pubDate><author>info@1password.com (Sarah Brown)</author><guid>https://blog.1password.com/ghosts-passwords-past/</guid><description> <img src='https://blog.1password.com/posts/2019/halloween-tips-tricks/header.png' class='webfeedsFeaturedVisual' alt='Ghosts of passwords past: When old accounts come back to haunt you' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">If you’re reading this, you probably take your online security seriously – but was your past self as diligent? Most of us have been guilty at some point of reusing passwords or not making our passwords strong enough. But if you haven&rsquo;t corrected those mistakes, your past just may come back to haunt you.</p> <p>We&rsquo;re going to help you clear out those virtual cobwebs and set you up to defend against any ghosts that may be trying to haunt your old accounts.</p> <p>Here’s what you need to watch out for, and how to make sure all your accounts belong to the land of the living.</p> <h2 id="ghost-accounts">Ghost accounts</h2> <p>The Internet moves fast, and in our enthusiasm to try the latest and greatest, we often leave old sites behind. You might not ever have intended to &ldquo;quit&rdquo; Myspace or Ello exactly; you probably visited less and less over time, until it had been months, then years, since your last sign-in. 
Dormant accounts like these never really go anywhere – and they can come back to haunt you in a data breach.</p> <p>Abandoned accounts are still full of personal and private information — everything from date of birth to credit card numbers — which leaves you vulnerable in the event of a data breach, like the <a href="https://www.wired.com/story/myspace-security-account-takeover/">one that happened to MySpace in 2013</a>. Your email address, password, <a href="https://blog.1password.com/orange-facile-glossary-and-other-questions-answered/">security questions</a>, and personal identification information could be exposed and dumped on hacker forums or the dark web.</p> <p>Go through and close any old accounts that you no longer use. But before you do, try to remove your address, phone number, and financial information and change it to dummy data. That way, even if the site doesn&rsquo;t wholly purge old accounts, your data is safe in the event of a breach.</p> <p>If you have older accounts that you don&rsquo;t visit frequently but need to keep open, make sure you’ve updated your password to something strong and unique, and add it to 1Password anyway. You might not visit the site often, but if you store it in 1Password, Watchtower will alert you if the site is ever breached.</p> <img src='https://blog.1password.com/posts/2019/halloween-tips-tricks/resurrected-email-adresses.png' alt='Resurrected email addresses' title='Resurrected email addresses' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <h2 id="resurrected-email-addresses">Resurrected email addresses</h2> <p>Abandoned email accounts have the potential to cause even more issues. 
If an old email address that you never check is listed as a recovery email for any of your current accounts, anyone with access to that email address could take full control of your other accounts by requesting a <a href="https://blog.1password.com/how-to-reset-password/">password reset</a>.</p> <p>And, if that old email account is listed as the recovery address for your current email account, the situation becomes even more serious, and could result in somebody taking complete control of your online life – from hijacking your social profiles and payment sites, to impersonating you to people you know.</p> <p>This is a nightmare scenario, but it&rsquo;s easily avoided. To keep your information safe, treat old email accounts with the same care that you&rsquo;d treat your active ones — use a strong, unique password and two-factor authentication.</p> <h2 id="somebodys-watching-me">Somebody’s watching me</h2> <p>If you’ve ever received an email with your own password in the subject line, you’ll know these scams can be terrifying: the sender claims they’ve hacked your webcam, and have video evidence of you engaging in some rather&hellip;private acts. All you have to do, the scammer says, is send them some bitcoin, and they’ll go away. If you refuse, they’ll share the videos with everyone on your contact list.</p> <p>This is known as a sextortion email, or <a href="https://blog.1password.com/email-extortion-scams/">email blackmail scam</a>. Often, the scammer obtained that password from an old data breach from a completely different site. But, if you’re using that same password on your email account, it can cause a moment of panic.</p> <p>You can safely ignore emails like this, but they serve as a good reminder to check Watchtower for any compromised passwords. If you find a password has been included in a data breach, and you’ve reused the same password on multiple sites, you’ll need to change it everywhere. 
This stops anybody from using that password to <a href="https://blog.1password.com/how-to-protect-yourself-from-password-reuse-attacks/">access your other accounts</a> — or fooling you into thinking they can.</p> <h2 id="the-doppelgänger">The doppelgänger</h2> <p>An attack or breach on one service may seem bad enough, but when a breach is announced that affects you, it&rsquo;s worth keeping a close watch on your other accounts – especially if you’re in the public eye, or have a large social media presence.</p> <p>Credentials obtained from one data breach can be used to attempt to log in to other services, and data from one breach can be combined with data from other breaches, potentially giving attackers enough information to impersonate you online.</p> <h2 id="fun-size-halloween-security-tips">Fun-size Halloween security tips</h2> <ul> <li>Use strong, unique passwords for every account.</li> <li>Delete old accounts where you can, and use strong passwords when you can’t.</li> <li>Use 1Password to generate random answers to your security questions.</li> <li>Turn on two-factor authentication where available.</li> <li>Never invite a vampire to your 1Password Families account, even as a guest. 🧛</li> </ul> <p>Have any password horror stories of your own? Share them with <a href="https://twitter.com/1password">@1Password on Twitter</a>! 👻</p> <section class="c-call-to-action-box c-call-to-action-box--yellow"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Get started with 1Password Families</h3> <p class="c-call-to-action-box__text"> Protect your personal information and passwords from things that go bump in the night. Try 1Password Families free for 14 days. 
</p> <a href="https://start.1password.com/sign-up/family?l=en" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--yellow" data-event-category="CTA" data-event-action="call-to-action-button"> Start your free trial </a> </div> </section></description></item><item><title>Troy Hunt partners with 1Password as Strategic Adviser</title><link>https://blog.1password.com/troy-hunt-joins-1password/</link><pubDate>Thu, 29 Oct 2020 00:00:00 +0000</pubDate><author>info@1password.com (Jeff Shiner)</author><guid>https://blog.1password.com/troy-hunt-joins-1password/</guid><description> <img src='https://blog.1password.com/posts/2020/troy-hunt-joins-1p/header.svg' class='webfeedsFeaturedVisual' alt='Troy Hunt partners with 1Password as Strategic Adviser' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">I’m excited to announce that Troy Hunt will be joining the 1Password advisory board. He’ll be helping us support businesses that have been affected by data breaches and continue our work building the world’s most trusted password manager.</p> <h2 id="a-natural-next-step">A natural next step</h2> <p>Many of you will already be familiar with Troy and his work: he’s a key voice in the security industry and the founder of Have I Been Pwned (HIBP), a free service that allows anyone to check if their accounts have been compromised in a data breach.</p> <p>We’ve been collaborating for a number of years already and this feels like the natural progression of our existing partnership. Troy’s been <a href="https://www.troyhunt.com/only-secure-password-is-one-you-cant/">writing about 1Password since 2011</a> and has already introduced millions of people to better password security.</p> <p>In 2018, we partnered with Troy to <a href="https://www.troyhunt.com/have-i-been-pwned-is-now-partnering-with-1password/">bring the power of HIBP to Watchtower</a>. 
For the first time ever, this meant people had both the knowledge of being affected by a data breach and the tools they needed to protect themselves. Over the last two years, we’ve worked closely with Troy to build on this foundation, and he’s continued to be an incredible advocate for 1Password and the importance of safer online security habits. Troy has even testified before the U.S. Congress on the impact of security breaches.</p> <p>Our latest joint effort is a series of education and training materials for security professionals covering all kinds of topics, from phishing and artificial intelligence to shadow IT and the downfall of on-prem security.</p> <h2 id="whats-next">What’s next?</h2> <p>We’re thrilled to have Troy joining us in a more official capacity, helping to guide 1Password’s efforts as we continue to grow and support more customers and businesses.</p> <p>Troy will be helping us monitor industry trends and developments to provide insight into future 1Password plans and partnerships.</p> <blockquote> <p>“1Password has been a part of my family for years so the announcement today comes with much excitement. I’ll be devoting a slice of my time to help the company build even better products and services in an era when password management has never been more important.”</p> </blockquote> <p>– Troy Hunt</p> <p>We’ll be working together to increase public awareness, helping businesses understand the impact of data breaches and the benefits of a robust password management system. We&rsquo;ll also be developing resources and standards that will help us determine effective next steps for businesses affected by data breaches.</p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Sign up for 1Password Business!</h3> <p class="c-call-to-action-box__text"> Sign up for 1Password Business today and get your first 14 days free. 
</p> <a href="https://1password.com/pricing/" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Try 1Password FREE </a> </div> </section></description></item><item><title>Domain breach reports: More power to protect your data</title><link>https://blog.1password.com/domain-breach-report-update/</link><pubDate>Wed, 28 Oct 2020 10:00:00 +0000</pubDate><author>info@1password.com (Chris Mann)</author><guid>https://blog.1password.com/domain-breach-report-update/</guid><description> <img src='https://blog.1password.com/posts/2020/dbr-update/header.svg' class='webfeedsFeaturedVisual' alt='Domain breach reports: More power to protect your data' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">In June, <a href="https://blog.1password.com/domain-breach-report/">we released domain breach reports</a> to help businesses guard against <a href="https://blog.1password.com/data-breach-101-stay-safe-online/">data breaches</a>. Today, we’re excited to share some powerful new features that make it easier to quickly identify threats and notify employees so they can secure their accounts immediately – even if they’re not using 1Password.</p> <h2 id="guard-against-external-breaches">Guard against external breaches</h2> <p>Most hacking attacks are relatively straightforward. 
<a href="https://www.verizon.com/about/news/verizon-2020-data-breach-investigations-report">More than 80%</a> involve lost or stolen credentials, or use brute force – guessing different combinations of characters to crack a password.</p> <p>With as many as <a href="https://services.google.com/fh/files/blogs/google_security_infographic.pdf">65% of people reusing passwords</a> for their accounts, it only takes one leaked password to open the door to others – including some you may not have visibility of.</p> <p>The best way to defend against these types of attacks is to act fast: identify the breach and update exposed passwords to strong, unique alternatives.</p> <h2 id="notify-everyone-affected-in-a-few-clicks">Notify everyone affected in a few clicks</h2> <p>Now you can <a href="https://support.1password.com/breach-report/">send a customizable email notification</a> to everyone who has been affected by a breach, including those not using 1Password, so they can update their information right away.</p> <p>The email lets employees know exactly what has been breached and provides easy-to-follow instructions on how to address the risks. They’ll also see an invitation to join 1Password if they’re not using it already.</p> <img src='https://blog.1password.com/posts/2020/dbr-update/breach-notification-email.png' alt='Screenshot of breach notification email' title='Screenshot of breach notification email' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>You can even customize the messages to add more information, like a reminder of your company&rsquo;s security policies, educational resources, or extra steps they should take according to your security procedures.</p> <p>By giving employees everything they need to secure their accounts, you can address vulnerabilities quickly. 
It also lightens the burden on IT teams and avoids frustrating security processes like company-wide automated password resets.</p> <p>When employees are empowered to take remedial action themselves, they build better security habits, reducing the risk of future breaches.</p> <h2 id="use-filters-to-surface-immediate-risks">Use filters to surface immediate risks</h2> <p>To help you surface the most pressing threats and prioritize next actions, you can now filter breach results by the types of information exposed in each case.</p> <img src='https://blog.1password.com/posts/2020/dbr-update/domain-breach-report.png' alt='Screenshot of domain breach report' title='Screenshot of domain breach report' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>Crucially, you can filter by breaches where passwords have been exposed, so they can be updated immediately to prevent future problems. You can also view a list of new breaches or filter by specific breaches that might need deeper investigation.</p> <p>These new filtering capabilities let you intervene surgically and reach out directly to affected employees with accounts that pose an immediate risk. You can also filter out spam lists, making your results clearer and easier to analyze.</p> <h2 id="verify-your-domain-by-dns">Verify your domain by DNS</h2> <p>To make sure that only you can generate a report for your domain, you need to verify it first. 
This helps safeguard your security and the privacy of your company information.</p> <img src='https://blog.1password.com/posts/2020/dbr-update/dbr-dns1.png' alt='Screenshot of the option to verify domain by DNS' title='Screenshot of the option to verify domain by DNS' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>To make it simpler and more accessible for every company to use domain <a href="https://1password.com/business/domain-breach-report/">breach reports</a>, you can now <a href="https://support.1password.com/breach-report/#set-up-the-domain-breach-report">verify your domain by DNS.</a></p> <img src='https://blog.1password.com/posts/2020/dbr-update/dbr-dns2.png' alt='Screenshot of verifying domain by DNS' title='Screenshot of verifying domain by DNS' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <h2 id="get-started">Get started</h2> <p>Domain breach report is available with <a href="https://1password.com/business/">1Password Business</a> and 1Password Teams. Visit <a href="https://support.1password.com/breach-report/">1Password Support</a> to learn how to create a domain breach report and, if you don&rsquo;t already use 1Password, you can try it free for 14 days.</p> <section class="c-call-to-action-box"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Try 1Password Business </h3> <p class="c-call-to-action-box__text"> Sign up for 1Password Business today and get your first 14 days free. 
</p> <a href="https://1password.com/pricing/" class="c-call-to-action-box__link-href" data-event-category="CTA" data-event-action="call-to-action-button"> Try 1Password free </a> </div> </section></description></item><item><title>Randomness (or things humans do poorly)</title><link>https://blog.1password.com/randomness-or-things-humans-do-poorly/</link><pubDate>Mon, 26 Oct 2020 00:00:00 +0000</pubDate><author>info@1password.com (Megan Barker)</author><guid>https://blog.1password.com/randomness-or-things-humans-do-poorly/</guid><description> <img src='https://blog.1password.com/img/headers/security-header.svg' class='webfeedsFeaturedVisual' alt='Randomness (or things humans do poorly)' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Our Chief of Security (AKA Chief Defender Against the Dark Arts), Jeffrey Goldberg, wrote a <a href="https://blog.1password.com/alan-turings-contribution-cant-be-computed/">fascinating article</a> back in 2012 that ended with this:</p> <blockquote> <p>1Password, like pretty much all cryptographic software, needs cryptographically secure random numbers to do its stuff securely. What it means for a number to be cryptographically secure, why 1Password needs such numbers, and where it gets those from will be the subject of a future article.</p> </blockquote> <p>It&rsquo;s been eight years, and I&rsquo;m here to make good on that pledge with said article. Good things come to those who wait and all that, right? I won&rsquo;t make any promises that what you&rsquo;re about to read will be a &ldquo;good thing&rdquo; but let&rsquo;s shoot for the stars.</p> <h2 id="thats-not-so-random">That&rsquo;s (not) so random</h2> <p>As I&rsquo;ve alluded to with the title of this post, humans are notoriously terrible at creating randomness.</p> <p>For example, if I ask you to choose a number between 1 and 10, statistics show about 30% of you will choose 7. 
There&rsquo;s an excellent chance everyone will choose an integer, and not something like 3.8643, even though I didn&rsquo;t specify you had to select a <em>whole</em> number.</p> <p>So, then, what makes a number random? Strap yourselves in, things are about to get wild.</p> <p>There are two kinds of random numbers: true and pseudorandom.</p> <p>True random numbers are measurements of a random physical phenomenon, with compensation for possible biases in the measurement process.</p> <p>Pseudorandom numbers start with a seed. A deterministic algorithm expands that short seed into long sequences of seemingly random results. In actuality, the entire sequence can be reproduced if the seed value is known (hence the &ldquo;pseudo&rdquo; in pseudorandom).</p> <p>What do you think would happen if you combined these two methods? You got it: A cryptographically secure random number that is very difficult for anyone (or anything) to predict.</p> <h2 id="whered-you-come-from-you-random-thang">Where&rsquo;d you come from, you random thang?</h2> <p>All computers are equipped with chips that take &ldquo;randomness&rdquo; from the device itself. They might measure things like how many seconds after 7 p.m. you clicked your mouse, or how many times in one hour you pressed the H key. Your device stores those measurements (in numbers) for use by different applications.</p> <p>1Password calls on the <code>crypto/rand</code> library for its encryption code. Since code can&rsquo;t pull random numbers from thin air, <code>crypto/rand</code> calls on the system for some of that randomly generated goodness, and the security recipe begins to take shape.</p> <h2 id="you-had-me-at-random">You had me at &ldquo;random&rdquo;</h2> <p>As Jeffrey wrote those many moons ago, 1Password needs cryptographically secure random numbers to do its job.* That job, specifically, is the encryption of secrets via Advanced Encryption Standard (AES). 
And encryption relies on things being unpredictable to be unguessable.</p> <p>1Password uses AES 256-bit keys generated by your app, on your device, by a cryptographically appropriate random number generator. That key becomes your vault key and is used to encrypt and decrypt the items in your vault.</p> <p>I would <em>love</em> to get deeper into the weeds here, but this is a half-hour show. If you crave more information about the magic 1Password works with those random numbers, please check out the <a href="https://1passwordstatic.com/files/security/1password-white-paper.pdf">1Password security design white paper</a>.</p> <h2 id="tales-of-the-cryptography">Tales of the crypt(ography)</h2> <p>Merriam-Webster defines random as &ldquo;lacking a definite plan, purpose, or pattern&rdquo;. Some examples of randomness are bad, like random acts of violence. Some examples are good, like a winning lottery ticket. Some are integral to safety and security – there should be absolutely no identifiable pattern to the numbers that are used to secure your secrets.</p> <p>I once read an article about things robots <em>can&rsquo;t</em> do better than humans. Sadly, it was a pretty short list, but that&rsquo;s another post for another blog. Not surprisingly, nearly every point involved emotion. While robots can&rsquo;t express empathy, consider someone&rsquo;s feelings, or gently deliver bad news, they are the masters of using natural phenomena to generate fairly unpredictable outcomes.</p> <p>That said, humans are the entities that design and program these robots. Maybe there will come a day, many (many) years from now, when <em>we</em> can combine natural phenomena with &ldquo;code&rdquo; in our heads to generate randomness.</p> <p>I guess we&rsquo;ll have to leave that to chance.</p> <p>*<em>I intentionally omitted &ldquo;securely&rdquo; here because I feel it&rsquo;s redundant. 
If 1Password is doing its job, it&rsquo;s done securely.</em></p></description></item><item><title>1Password for Linux beta is now open 🎊 🐧 🎊</title><link>https://blog.1password.com/1password-for-linux-beta-is-now-open/</link><pubDate>Wed, 21 Oct 2020 00:00:00 +0000</pubDate><author>info@1password.com (Dave Teare)</author><guid>https://blog.1password.com/1password-for-linux-beta-is-now-open/</guid><description> <img src='https://blog.1password.com/posts/2020/linux-beta/header.svg' class='webfeedsFeaturedVisual' alt='1Password for Linux beta is now open 🎊 🐧 🎊' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Buckle up Linux Desktop users! We just opened an awesome ride that we&rsquo;d love for you to join us on. 🎢 🙌🏼</p> <p>I’m super excited to announce our first beta release of <a href="https://1password.com/downloads/linux/">1Password for Linux</a>. That’s right – we now have a full-featured desktop app for Linux which you can use to quickly find, edit, and organize your items! And it looks gorgeous, too! 😍</p> <img src='https://blog.1password.com/posts/2020/linux-beta/1password-linux-hero.png' alt='Main 1Password window, unlocked running on Ubuntu' title='Main 1Password window, unlocked running on Ubuntu' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>Planned for official release early next year, we couldn’t wait to share the news with you so today we’re unveiling a beta so you can join in on the fun.</p> <h2 id="a-true-linux-app">A true Linux app</h2> <p>Our new app is built to meet the security and performance expectations of Linux users. Its backend is written completely in Rust, a secure systems programming language that has made a lot of waves in the Linux community. 
We’re especially proud to be using the incredible <a href="https://github.com/briansmith/ring">ring crypto library</a> to power the end-to-end encryption that keeps your data safe.</p> <p>We used this new foundation to bring you the 1Password experience you know and love to Linux and extended it further with:</p> <ul> <li>Quick Find and intelligent search suggestions 🔎</li> <li>Beautiful new look and feel based on our new design language 😍</li> <li>Move item dialog allows you to easily share items and see who they are shared with 👨👩👦👦</li> <li>Data export ✈️</li> <li>Unlock screen shows all your accounts and supports using different passwords 🔐</li> <li>Watchtower Dashboard provides suggestions on how to improve your Security Score 🎯</li> </ul> <p>In addition to these great improvements we’ve tailored the app to integrate with Desktop Linux:</p> <ul> <li>Simple and secure installs using apt and dnf package managers 📦</li> <li>Automatic Dark Mode selection based on your GTK theme 🌓</li> <li>Open network locations (FTP, SSH, SMB) 🌍</li> <li>Tiling window manager support and descriptive window titles 🏠</li> <li>Unlock with your Linux user account, including biometrics ☝️</li> <li>System tray icon for staying unlocked while closed 📌</li> <li>X11 clipboard integration and clearing ✂️</li> <li>Keyboard shortcuts ⌨️</li> </ul> <p>And this is just what’s available in the first beta. We have many more great things planned to make 1Password for Linux even greater. 
😎</p> <img src='https://blog.1password.com/posts/2020/linux-beta/devlists-penguin.png' alt='A Linux enthusiast reading a newspaper announcing 1Password for Linux' title='A Linux enthusiast reading a newspaper announcing 1Password for Linux' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <h2 id="beta-users-welcome">Beta users welcome!</h2> <p>We’re really excited about what’s now possible with 1Password on Linux and all the incredible things we have planned.</p> <p>As thrilled as we are it’s important to remember 1Password for Linux is still in beta. Expect some sharp turns and sudden drops so please keep your arms and legs in the vehicle at all times.</p> <p>As such this initial release should be used <strong>for testing and validation purposes only and is not suitable for business critical environments</strong>. For a stable experience on Linux you’ll want to use <a href="https://support.1password.com/explore/whats-new-1password-x/">1Password X</a> in your browser.</p> <h2 id="free-accounts-for-open-source-teams">Free accounts for open source teams</h2> <p>Our new app is built on great open source projects like the Rust programming language for the underlying logic, and React for a responsive component-based UI.</p> <p>Building an app for Linux wouldn’t have been possible without these giant shoulders to stand upon so we want to give back to the free software community. If you work on an open source team that needs a password manager, open a pull request in our <a href="https://github.com/1Password/1password-teams-open-source">1Password for Open Source Projects</a> repo and we’ll give you and everybody on your team a free account.</p> <p>Thank you so much for your contributions and making the world a better place. 🤗❤️</p> <h2 id="apt-get-install-1password">apt-get install 1password</h2> <p>If you’re excited to report issues, work with us to resolve them, and update to verify fixes, then you’re welcome to get onboard. 
See <a href="https://support.1password.com/getting-started-linux/">Get to know 1Password for Linux</a> for installation and troubleshooting instructions.</p> <p>We maintain signed apt and rpm package repositories for Debian, Ubuntu, CentOS, Fedora, and Red Hat Enterprise Linux, as well as the <a href="https://snapcraft.io/1password">Snap store</a>. We also have an AppImage for as-yet unsupported distributions. Let us know what distribution you use and how well 1Password works there.</p> <p>We hope you are as excited about a 1Password Linux app as we are. To discuss this release, report issues, and talk with our development team, please join us in <a href="https://1password.community/discussion/117274/1password-for-linux-beta">our Linux forum</a>.</p> <p>If you feel like you&rsquo;ve won a big teddy bear when the ride&rsquo;s over, consider spreading the love to our friends at the <a href="https://www.linuxfoundation.org/about/donate">Linux Foundation</a>.</p> <img src='https://blog.1password.com/posts/2020/linux-beta/apt-get-1password.png' alt='Installing 1Password on Ubuntu using sudo apt-get install 1password' title='Installing 1Password on Ubuntu using sudo apt-get install 1password' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /></description></item><item><title>From the Founders’ Desk: Finding our centre this Thanksgiving</title><link>https://blog.1password.com/mental-health-thanksgiving/</link><pubDate>Fri, 09 Oct 2020 00:00:00 +0000</pubDate><author>info@1password.com (Sara Teare)</author><guid>https://blog.1password.com/mental-health-thanksgiving/</guid><description> <img src='https://blog.1password.com/posts/2020/thanksgiving/header.svg' class='webfeedsFeaturedVisual' alt='From the Founders’ Desk: Finding our centre this Thanksgiving' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Breathe in, two, three, four. Hold it for two, three, four. 
Now breathe out, two, three, four, five, six. One more big breath in, and exhale, all the way to your toes.</p> <p>It’s amazing how something that seems so silly – counting your breath – can help to pull you into a completely different mindset. By taking that minute to count and concentrate, you can focus on something that is completely you and under your control.</p> <p>You might be wondering why any of this matters to us here at 1Password. Are we about to add a “count my breath” feature to the world’s best password manager? Although we’re always looking for great ways to bring security and convenience together, that’s not on the roadmap. 😂</p> <p>As we enter that season where we’re usually reflective, during a year when we all have more to reflect on than ever, I want to talk a little about the importance of finding that centre when you need it most, and how we’re helping our team do that at 1Password.</p> <h2 id="make-self-care-a-priority-seriously">Make self-care a priority, seriously</h2> <p>As we’re all too aware, it’s a different world than it was a year ago. 2020 has brought changes and challenges we’ve never encountered before, and we’re all doing our best.</p> <p>Balancing family and work while navigating a &ldquo;new normal&rdquo; that continues to change is stressful. As a former Girl Guide, it reminds me of the campfire song Button Factory – where you just keep adding one more little thing, then one more, one more, and boom! You&rsquo;re done!</p> <p>“Take time for yourself”, is what everyone says. Well-intended, but difficult to do.</p> <p>For me, wearing more hats than I know what to do with – from company founder to mom, from daughter-in-law to friend, from teacher to advice-giver – making time for myself often feels like wasted time because there are always THINGS. TO. DO!</p> <p>And when I try to take time, I then feel guilty about it. But, I shouldn’t. 
Not so shockingly, when you put yourself last, moving self-care up on the priority list isn’t easy.</p> <h2 id="dont-forget-to-stop-and-take-a-breath">Don’t forget to stop and take a breath</h2> <p>Some days are harder than others. Life gets in the way of productivity. And with so much going on, it’s easy to fall into “what if” mode, where thoughts start to stray in multiple directions.</p> <p>You feel like you’re falling behind and start to pile on the pressure to catch up. Work faster. Work harder. If I just work more, it’ll be okay. Things spiral, and it just makes you less productive.</p> <p>Stop. Bring things back to centre and begin again with a clear mind.</p> <p>Talk about those challenges, and encourage everyone to be mindful of their actions. Feelings are just as important as interactions. We regularly encourage people to talk to their team leads about their difficulties and take time off when they need it.</p> <p>It’s not always easy, but by talking openly, you’re normalizing these conversations. It makes finding the tools for getting through difficult times easier for everyone.</p> <p>Giving our team the support they need means they come to work healthy and passionate – ready to deliver the excellent customer experience we’ve built our company on.</p> <h2 id="carve-out-time-to-wind-down">Carve out time to wind down</h2> <p>A big battle for me is getting the rest I need. A busy mind keeps me awake, and my son is in the same boat. So, we tried out <a href="https://www.headspace.com/">Headspace</a> together. Now, we do a breathing wind down before bed (it’s his favourite) and then launch a Sleepcast – 90 percent of the time he’s out before it’s done. A few hours later, I launch my own. It helps quiet my thoughts by giving me something else to focus on so I can drift off.</p> <p>Headspace was such a help to me, that we’ve decided to roll it out to our entire team at 1Password. 
I might be bad at doing things for myself, but if it’s a chance to set a good example, I’m in – just ask my kids! It’s a small step, and there is more we can do to help our team prioritize their wellbeing. This is an ongoing journey that we’re committed to traveling on.</p> <h2 id="this-year-im-thankful-for">This year, I’m thankful for&hellip;</h2> <p>Like every year, I’m thankful that I get to work with so many amazing people. I’m looking forward to building on our wellness initiatives and keeping 1Password a supportive and empathetic place to work. Wishing you all a healthy, happy Thanksgiving. ❤️</p> <section class="c-call-to-action-box c-call-to-action-box--yellow"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Get started with 1Password Families</h3> <p class="c-call-to-action-box__text"> Keep your family safe online with the world’s most loved password manager. Try 1Password Families free for 14 days. </p> <a href="https://start.1password.com/sign-up/family?l=en" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--yellow" data-event-category="CTA" data-event-action="call-to-action-button"> Start your free trial </a> </div> </section></description></item><item><title>Security questions: How to create and store random answers in 1Password</title><link>https://blog.1password.com/orange-facile-glossary-and-other-questions-answered/</link><pubDate>Wed, 07 Oct 2020 00:00:00 +0000</pubDate><author>info@1password.com (Megan Barker)</author><guid>https://blog.1password.com/orange-facile-glossary-and-other-questions-answered/</guid><description> <img src='https://blog.1password.com/img/headers/security-header.svg' class='webfeedsFeaturedVisual' alt='Security questions: How to create and store random answers in 1Password' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Security questions. 
Used for online account recovery, we&rsquo;re faced with these queries nearly every time we register with a new service or website.</p> <p>You know the deal: Choose about three questions (though the number varies) from a list of presets, and provide the answers in freeform text boxes. If you forget your username or password for that website in the future, answer one (or more, again, depending on the site) of your security questions correctly, and you&rsquo;ll be granted access to your account.</p> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div class="c-technical-aside-box__description"> <p>Want to stay secure online? Create a unique username with 1Password&rsquo;s free <a href="https://1password.com/username-generator/">Username Generator</a>!</p> </div> </aside> <h2 id="common-security-questions">Common security questions</h2> <p>Here are some examples of common security questions:</p> <ul> <li>What is your father&rsquo;s middle name?</li> <li>What was the name of your first pet?</li> <li>What is the name of your favorite teacher?</li> <li>What was the model of your first car?</li> <li>Where is your favorite place to go on vacation?</li> </ul> <p>Creating and remembering answers to all of these is easy peasy, right?</p> <p><em><strong>(insert eye roll emoji)</strong></em></p> <p>Security questions are common authentication mechanisms and, my goodness, they are a pain.</p> <p>To start, the preset questions are often very narrowly focused. What if you&rsquo;ve never had a pet? What if you live in the heart of a city and have never needed a car? Maybe you don&rsquo;t know your father&rsquo;s middle name, and perhaps you&rsquo;ve never had the chance to travel and don&rsquo;t have a favorite vacation spot.</p> <p>I could go on. 
The point is that the questions are pretty exclusive – and often intrusive.</p> <p>Oh, and then there are the answers – you know, those things you have to enter verbatim, possibly years from the date you write them.</p> <p>The text fields provided for your responses can be filled with anything. What if you make an error and don&rsquo;t notice? What if you are in a silly mood and craft a cheeky answer? You probably wouldn&rsquo;t remember that particular sass three years later, when you need to recover the account.</p> <p>Then there are websites that make you create your own security questions, which is fun (read: stressful and time consuming). We tend to run into even more trouble here. We typically use very simplistic questions, that are easy to answer, so we can get the process over with.</p> <p>You&rsquo;ll be shocked to hear that I have a solution for these woes.</p> <h2 id="how-to-create-answers-for-security-questions-in-1password">How to create answers for security questions in 1Password</h2> <p>It just so happens that 1Password is the simplest way to create and manage random security questions and answers. It’s also the safest. Your classic win-win scenario! This is how it’s done.</p> <p>Open 1Password. 
Select the account you’d like to create security questions for and click Edit.</p> <img src='https://blog.1password.com/posts/2020/security-qs/securityquestions1.png' alt='Step one of creating random security questions in 1Password 8' title='Step one of creating random security questions in 1Password 8' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>Click Add More and select Security Questions.</p> <p> <video class="round shadow" style="display: block; margin: auto; padding: 0;" loop="loop" playsinline="" width="100%" alt='' controls> <source src="https://blog.1password.com/posts/2020/security-qs/securityquestions2.mp4" type="video/mp4" /> </video> </p> <p>From the dropdown, select a suggested security question or type your own manually. Click the answer field and select Create a New Answer. Use the generator to create a unique security answer and click Use.</p> <p> <video class="round shadow" style="display: block; margin: auto; padding: 0;" loop="loop" playsinline="" width="100%" alt='' controls> <source src="https://blog.1password.com/posts/2020/security-qs/securityquestions3.mp4" type="video/mp4" /> </video> </p> <p>Click Add Another Question if you need to generate additional security questions and answers.</p> <p>To finish up, click Save. With one click, you can now copy your security answers and paste them into the relevant website.</p> <img src='https://blog.1password.com/posts/2020/security-qs/securityquestions4.png' alt='Step four of creating random security questions in 1Password 8' title='Step four of creating random security questions in 1Password 8' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <h2 id="exit-stage-left">Exit stage left</h2> <p>Let&rsquo;s be real here. Even before the pandemic (and other) insanity enveloped the world, we led crazy lives. 
It&rsquo;s not practical to expect one to remember – to the letter – a phrase they typed months, or years, prior.</p> <p>I didn&rsquo;t touch on the fact that many websites keep these &ldquo;security&rdquo; questions much less secure than you may hope/think. And I&rsquo;m sure you know they&rsquo;re often very easily answered by people other than you. Our Chief Defender Against the Dark Arts, Jeffrey Goldberg, <a href="https://blog.1password.com/blizzard-and-insecurity-questions-my-fathers-middle-name-is-vr2ut1vnj/">wrote about those very issues back in 2012</a> and his eloquent words hold true today (those retro screenshots, though).</p> <p>But with 1Password, we&rsquo;re afforded a bit of simplicity, and a lot of peace of mind. The creation and management of these omnipresent questions and answers is made much easier, and their security (at least, the part we can control) is second to none.</p> <p>Win-win.</p></description></item><item><title>Make safer payments online with 1Password and Privacy</title><link>https://blog.1password.com/privacy-virtual-cards/</link><pubDate>Tue, 22 Sep 2020 12:00:00 +0000</pubDate><author>info@1password.com (Andrew Beyer)</author><guid>https://blog.1password.com/privacy-virtual-cards/</guid><description> <img src='https://blog.1password.com/posts/2020/privacy-virtual-cards/header.svg' class='webfeedsFeaturedVisual' alt='Make safer payments online with 1Password and Privacy' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Today we&rsquo;re announcing a new partnership with <a href="https://privacy.com/">Privacy</a>. 1Password now lets you create Privacy Cards, virtual payment cards that protect you when you spend online. 
You can create as many Privacy cards as you need and control where and how they’re used.</p> <h2 id="contents">Contents</h2> <ul> <li><a href="#1password-and-privacy">1Password and Privacy</a></li> <li><a href="#payments-with-1password">Payments with 1Password</a></li> <li><a href="#getting-started">Getting started</a></li> </ul> <h2 id="1password-and-privacy">1Password and Privacy</h2> <p>We&rsquo;re so pleased to add these features to 1Password – we&rsquo;re pretty sure it&rsquo;s new territory for <a href="https://1password.com/password-manager/">password managers</a> across the board. This partnership means we can now do for your money what we&rsquo;ve always done for your passwords; namely, create unique information for every service you use to keep your most important data as safe as can be.</p> <p>We have all the details below, but here’s a video with the main details if that’s your jam:</p> <div style="text-align: center !important;"> <iframe src="https://www.youtube-nocookie.com/embed/Czu26pJKMaw" frameborder="0" allow="autoplay; encrypted-media" width="500px !important;" height="281px !important;" style="width: 500px !important; height: 281px !important; display: inline-block !important" allowfullscreen></iframe> </div> <h2 id="payments-with-1password">Payments with 1Password</h2> <p>1Password is now the best way to create and use virtual payment cards in your browser. The Privacy integration is available now for 1Password X, and soon for the <a href="https://1password.com/resources/guides/1password-for-safari/">1Password Safari</a> extension. It lets you:</p> <ul> <li><strong>Create new Privacy Cards right from your browser.</strong> When you&rsquo;re asked to enter a card number, 1Password will show you an option to create a virtual payment card instead. You can give it any name you choose.</li> <li><strong>Set spending limits.</strong> When you create a new Privacy Card with 1Password, you can set a spending limit there and then. 
You can choose a one-off payment, monthly or annual limits, or a total amount.</li> <li><strong>Save card details in 1Password.</strong> If you like, you can save your new Privacy Card in 1Password so it’s always to hand if you need to quickly grab the CVV number. When it&rsquo;s time to enter payment details again, we&rsquo;ll show any cards associated with the site you&rsquo;re on. That way, you won&rsquo;t create cards you don&rsquo;t need.</li> </ul> <p>When you create a card, it’s locked to that merchant so it can only be used for that particular site or service. So if the card details are ever exposed in a data breach, they can’t be used elsewhere.</p> <img src='https://blog.1password.com/posts/2020/privacy-virtual-cards/privacy-create-card.png' alt='Create a virtual payment card' title='Create a virtual payment card' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>Partnering with the fantastic team at Privacy is a no-brainer for us – our goals couldn’t be more aligned. Virtual payment cards let you make payments with safety and privacy, all while giving you back control over your spending. It’s been great working closely with Privacy to bring these benefits to 1Password.</p> <h2 id="getting-started">Getting started</h2> <p>At the moment, you&rsquo;ll need to be in the States to use the new Privacy integration. We won&rsquo;t put words in Privacy&rsquo;s mouth, but do keep an eye out for announcements about new countries.</p> <p>We have some introductory offers to help get you started:</p> <ul> <li>New to 1Password? Get 25 percent off your first year of 1Password, including <a href="https://1password.com/business/">1Password Business</a>, 1Password Teams, and 1Password Families – you can get started from our <a href="https://1password.com/promo/expired">promo page</a>.</li> <li>1Password customers new to Privacy can get three months of Privacy Pro for free. 
Privacy Pro lets you create extra cards, access priority support, and more. You can <a href="https://privacy.com/1password">get started at Privacy.com</a>.</li> </ul> <p>And if you’re already a customer of both 1Password and Privacy, then you can simply activate 1Password in your <a href="https://privacy.com/">Privacy account</a> settings.</p> <p>As always, help in setting up and using the integration is available on the <a href="https://support.1password.com/privacy-cards/">1Password Support site</a>. Please don’t hesitate to give this a try: we think you’ll really like what Privacy and 1Password now bring to the table.</p> <section class="c-call-to-action-box"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Get 25% off your first year of 1Password</h3> <p class="c-call-to-action-box__text"> To celebrate our partnership with Privacy we're offering new customers 25% off their first year of 1Password. Try the world's most-loved password manager today. </p> <a href="https://1password.com/promo/expired" class="c-call-to-action-box__link-href" data-event-category="CTA" data-event-action="call-to-action-button"> Try 1Password today </a> </div> </section></description></item><item><title>1Password 7.7 and Android 11: enhanced security, more control</title><link>https://blog.1password.com/1password7-7-for-android/</link><pubDate>Tue, 22 Sep 2020 10:00:00 +0000</pubDate><author>info@1password.com (Michael Verde)</author><guid>https://blog.1password.com/1password7-7-for-android/</guid><description> <img src='https://blog.1password.com/posts/2020/android-11-1password-7-7/header.svg' class='webfeedsFeaturedVisual' alt='1Password 7.7 and Android 11: enhanced security, more control' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">To coincide with the launch of Android 11, we’re bringing you a brand new update to 1Password. 
Your favourite password manager now takes full advantage of the new features and security enhancements that come with Google’s latest OS update.</p> <h2 id="awesome-autofill">Awesome autofill</h2> <img src='https://blog.1password.com/posts/2020/android-11-1password-7-7/autofill.gif' alt='Autofill preview' title='Autofill preview' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>To start, let’s look at the change nearest and dearest to my heart. With Android 11 comes support for displaying <a href="https://1password.com/features/autofill/">autofill</a> results in the suggestions strip above your keyboard.</p> <p>Now, you can see your logins from 1Password as suggestions in Gboard when signing in to supported apps and browsers.</p> <p>This feels like a natural fit, as the suggestion strip already supports smart suggestions, emojis, and pasting from the clipboard.</p> <h2 id="protect-your-privacy-with-app-permissions">Protect your privacy with app permissions</h2> <p>Android 11 also gives you even more control over the permissions for apps, like access to your mic, location data, or camera.</p> <p>You can set permissions to automatically expire, so if you haven’t used an app for a while, it won’t continue to access your information. Or, you can grant one-time permissions to apps instead.</p> <p>1Password handles these permission changes gracefully. If you want to scan a QR code in 1Password, but don’t want to give it permanent access to the camera, that’s no problem. 
You can simply grant 1Password one-time access instead.</p> <h2 id="put-security-policies-to-work">Put security policies to work</h2> <p>In addition to supporting the latest version of Android, 1Password 7.7 also introduces some new features for using 1Password at work.</p> <p>If your company is using mobile device management with Android work profiles, your administrator can now set requirements for biometrics, PIN codes, and Master Password timeouts to reflect company policies.</p> <h2 id="android-11-a-solid-1110">Android 11: a solid 11/10</h2> <p>We’re excited to have made the most of these changes for our new 1Password release, and we hope you enjoy it. But there’s so much to admire about Android 11 that I want to share some of my favourite updates, even though they’re not directly related to 1Password:</p> <ul> <li>Notifications from messaging apps are collected together into a conversations group</li> <li>Past notifications are viewable from your notification history</li> <li>Media controls are more seamlessly integrated into the notification shade</li> <li>Long-pressing the power button provides shortcuts to smart home controls</li> <li>Built-in screen recording is available from a quick settings tile</li> <li>Smart app suggestions on the home screen of the Pixel launcher</li> </ul> <h2 id="update-now">Update now</h2> <p>1Password 7.7 is now available on Google Play, so head on over to <a href="https://play.google.com/store/apps/details?id=com.onepassword.android">download the update</a> if you haven’t already. We hope you enjoy these latest improvements and welcome you to share your feedback with us on <a href="https://play.google.com/store/apps/details?id=com.onepassword.android">Google Play</a>, <a href="https://twitter.com/1Password">Twitter</a>, and the <a href="https://1password.community/categories/1password-android">1Password support forum.</a></p></description></item><item><title>What is the principle of least privilege? 
And how does it work?</title><link>https://blog.1password.com/guiding-principles-how-least-privilege-leads-to-more-security/</link><pubDate>Thu, 27 Aug 2020 00:00:00 +0000</pubDate><author>info@1password.com (Megan Barker)</author><guid>https://blog.1password.com/guiding-principles-how-least-privilege-leads-to-more-security/</guid><description> <img src='https://blog.1password.com/img/headers/security-header.svg' class='webfeedsFeaturedVisual' alt='What is the principle of least privilege? And how does it work?' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">You&rsquo;ve probably seen the term “principle of least privilege” (or “PoLP”) around the interwebs, or perhaps you&rsquo;ve heard it from your own security consultant.</p> <h2 id="contents">Contents</h2> <ul> <li><a href="#what-does-the-principle-of-least-privilege-polp-mean">What does the principle of least privilege (PoLP) mean?</a></li> <li><a href="#why-does-the-principle-of-least-privilege-polp-matter">Why does the principle of least privilege (PoLP) matter?</a></li> <li><a href="#how-does-the-principle-of-least-privilege-polp-work">How does the principle of least privilege (PoLP) work?</a></li> <li><a href="#how-does-the-principle-of-least-privilege-polp-look">How does the principle of least privilege (PoLP) look?</a></li> <li><a href="#how-is-the-principle-of-least-privilege-polp-used">How is the principle of least privilege (PoLP) used?</a></li> <li><a href="#the-bottom-line">The bottom line</a></li> </ul> <p>I&rsquo;m sure you&rsquo;ve surmised it&rsquo;s dubbed a &ldquo;principle&rdquo; for a reason (i.e. it&rsquo;s a good thing). It&rsquo;s another one of the (myriad) phrases tossed around when people talk about organizational security and – I get it – how can one know each of these phrases in depth unless security is their sole responsibility? 
It&rsquo;s just not realistic.</p> <p>That&rsquo;s why we&rsquo;re here with our <em>From the Security Desk</em> series, and why I&rsquo;m here to tell you all about the principle of least privilege and how it can strengthen your company&rsquo;s security.</p> <h2 id="what-does-the-principle-of-least-privilege-polp-mean">What does the principle of least privilege (PoLP) mean?</h2> <p>The principle of least privilege is a security practice that restricts users to the minimum levels of access necessary to perform their work.</p> <p>When I first entered the field of security, the principle of least privilege was difficult for me to wrap my head around. As an ardent people-pleaser (I&rsquo;m Canadian, I&rsquo;m sorry), I didn&rsquo;t want to take away someone&rsquo;s access to something they <em>might</em> need someday; to cause them trouble or create extra work.</p> <p>But lesson one in Security 101 is <em>Think About Everything Backwards</em>. I discovered I could no longer think about what might be inconvenient for coworkers, I had to consider what was <em>convenient</em> for attackers, and security vulnerabilities in general.</p> <h2 id="why-does-the-principle-of-least-privilege-polp-matter">Why does the principle of least privilege (PoLP) matter?</h2> <p>Let&rsquo;s approach this from my naïve, yet very common and completely understandable, perspective.</p> <p>Suppose I don&rsquo;t practice the principle within my company. I grant the whole darn team access to every system we have, just in case they need it; I don&rsquo;t want to worry about seniority or questions of trust. I only need to create accounts for a new hire once, and I don&rsquo;t need to keep track of anything else.</p> <p>My problem is forward thinking (also a little laziness from the sounds of it). As I think about the route with the least friction, potential attackers think backwards.</p> <p>Attackers like Bill, who plans to run a competitive startup. 
He wants all the dirt on my company and, with my structure, he really doesn&rsquo;t have to do much to get it. He could be simply hired as an entry-level employee and have immediate, full access to <em>everything</em>.</p> <p>Oops.</p> <h2 id="how-does-the-principle-of-least-privilege-polp-work">How does the principle of least privilege (PoLP) work?</h2> <p>It&rsquo;s important people understand that we&rsquo;re just that – people. We make mistakes. We slip up, talk out of turn, make typos. These things are inevitable. When we limit access to secrets, we limit the damage they can cause.</p> <p>When fewer people have access to information, there are fewer people who might share it, commit errors with it, or delete it. And, ideally, the workplace culture you create with PoLP is one wherein elevated access isn&rsquo;t equivalent to &ldquo;we trust you&rdquo; or &ldquo;you have more power than the rest of these plebes!&rdquo;</p> <p>What the principle really boils down to is this: You can&rsquo;t abuse, misuse, or lose something you don&rsquo;t have. Coincidentally, this is the idea on which 1Password was built.</p> <h2 id="how-does-the-principle-of-least-privilege-polp-look">How does the principle of least privilege (PoLP) look?</h2> <p>A perfect example of the PoLP in action, 1Password is private by design. The information you store in 1Password is end-to-end encrypted, at rest and in transit, and you are the only one who has the keys to decrypt it: your Master Password and Secret Key. Your account is so secure, in fact, there is no way to recover or reset a lost Master Password or Secret Key because we don&rsquo;t receive them. Frankly, we don&rsquo;t want them.</p> <p>There&rsquo;s another (big) reason we chose to follow the principle of least privilege in our security design: It makes us less subject to attack. We may host blobs of encrypted data, but those are utterly useless without the keys that never leave your devices. 
<a href="https://blog.1password.com/what-we-dont-know-about-you/">We simply don&rsquo;t have what the bad guys want.</a> And we like it that way.</p> <h2 id="how-is-the-principle-of-least-privilege-polp-used">How is the principle of least privilege (PoLP) used?</h2> <p>How the principle of least privilege manifests will differ from business to business. At 1Password, new hires don&rsquo;t receive access to any internal systems until they&rsquo;ve completed security training, and signed related documents and non-disclosure agreements. At that point, they&rsquo;re granted bare minimum access to the systems needed for their job type. We go a few steps further and heavily restrict the information displayed in those systems based on staff members’ specific roles.</p> <p>If I need access to a new system throughout the course of my work, I need to explain <em>why</em> I need it before permission is granted. Requests for access are important to us for a few reasons. The requests create an audit trail, so we always know when and why a person was granted access to a system. We also find that, when people are asked to really examine their need for information, sometimes they discover it&rsquo;s not a <em>need</em> after all.</p> <h2 id="the-bottom-line">The bottom line</h2> <p>When I think of the principle of least privilege, I remember a conversation I had with our Privacy Officer, Pilar Garcia. She was to be granted access to perform a task in our Back Office but plans changed. She happily said, &ldquo;It&rsquo;s perfect. It means there&rsquo;s less I can potentially screw up&rdquo;.</p> <p>Self-deprecation aside, she&rsquo;s right. And that&rsquo;s what it&rsquo;s all about. She&rsquo;s our Privacy Officer. We <em>trust</em> her with everything. Yet she doesn&rsquo;t have access to everything by default simply because she doesn&rsquo;t need it. And she&rsquo;s okay with that.</p> <p>Because there are fewer things to screw up. 
And that, my friends, is the PoLP.</p></description></item><item><title>Return of research: the IAM time suck, the complexities of shadow IT, and EPM to the rescue</title><link>https://blog.1password.com/iam-shadow-it-epm-research-2020/</link><pubDate>Tue, 04 Aug 2020 00:00:00 +0000</pubDate><author>info@1password.com (Jeff Shiner)</author><guid>https://blog.1password.com/iam-shadow-it-epm-research-2020/</guid><description> <img src='https://blog.1password.com/posts/2020/return-of-research/header.png' class='webfeedsFeaturedVisual' alt='Return of research: the IAM time suck, the complexities of shadow IT, and EPM to the rescue' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Back in May, we released <a href="https://blog.1password.com/remote-work-it-survey/">the first installment of findings from a survey we conducted of 1,000 US knowledge workers</a>, including 500 IT department personnel. Those findings shed light on the opportunities and challenges that companies faced as they embarked on their remote work journey, and the largely overlooked successful job of IT in leading the transition.</p> <p>The next chapter of this research, released today, dives into the enormous amount of time IT spends managing Identity and Access Management (IAM), and how this influences the quest that all enterprises have to achieve the holy grail of security, productivity, and convenience.</p> <p>Our research paints a picture of <a href="https://blog.1password.com/remote-work-shadow-it/">shadow IT</a> that is more complicated than many of us expected. 
While most employees do follow IT’s rules, a small group of workers tries to get more work done by circumventing company policies — and sometimes those workers are enabled by IT personnel who grapple with limited resources and empathize with their pursuit of productivity.</p> <p>Our research found unequivocally that managing the minutiae and complexity of today’s IAM stack can be a significant productivity bog for organizations.</p> <ul> <li><strong>IT personnel burn a full month of work (21 days!) each year on IAM tasks</strong> like resetting passwords and tracking app usage. This cramps productivity for IT and rank-and-file employees alike – 57% of IT workers reset employee passwords up to five times a week, and 15% of those do this at least 21 times per week.</li> <li><strong>14% of IT workers spend at least an hour per day on routine IAM tasks</strong>, leading to workers who are disillusioned with their IT tools – just 48% of IT workers say the majority of IAM products bring value to the company – and 13% say less than 10% of their IAM products deliver.</li> </ul> <p><strong>Just 20% of workers are driving all shadow IT in the enterprise.</strong> These employees don’t act out of malice but instead to get more done – 49% cite productivity as their top reason for circumventing IT’s rules. 
Employees who break the rules tend to fall into a few categories:</p> <ul> <li><strong>Speed Demons:</strong> They’re nearly twice as likely to say convenience is more important than security.</li> <li><strong>IT Pessimists:</strong> They are skeptical of their organization’s IT capabilities, claim the IT department is more of a hindrance than a help, and are nearly twice as likely to say it’s unrealistic for companies to be aware of and manage all apps and devices used by employees at work.</li> <li><strong>Millennials and Gen Z:</strong> Nearly three times as many workers aged 18-39 say they do not always follow IT policies, compared with those ages 56 and up.</li> </ul> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div class="c-technical-aside-box__description"> <p>Worried about shadow IT? Learn how to control and reduce the risks associated with shadow IT in our <a href="https://www.1password.university/learn/course/external/view/elearning/443/humanizing-shadow-it-with-1password-and-kolide">free 1Password University course</a>.</p> </div> </aside> <p>Compounding this impact, some IT workers have lifted their foot off the security enforcement pedal as they grapple with the lack of suitable tools and technology resources. According to our research, 25% of IT workers say they don’t enforce security policies universally, and 4% don’t enforce these policies at all due to the hassle of balancing those with concerns over workforce productivity. 
38% of IT workers who do not strictly enforce security policies said their organization’s method for monitoring is not robust, while 29% agreed “it&rsquo;s just too hard and time consuming to track and enforce” and 28% said “our employees get more done if we just let them manage their own software.” One in three IT workers say that strict <a href="https://1password.com/password-generator/">password requirements</a> at work aren&rsquo;t worth the hassle.</p> <p>One solution that’s gaining traction to alleviate concerns over management and productivity is <a href="https://1password.com/enterprise/">enterprise password managers</a> (EPMs), which are delivering a range of benefits across the organization, from IT to frontline workers.</p> <ul> <li>89% of IT departments using a password manager say it’s had a measurable impact on security at their company.</li> <li>IT departments using EPMs report that they save time and frustration for employees (57%), reduce time for IT departments (45%), enhance productivity (37%), reduce breaches/attacks (26%), and create happier employees (26%).</li> </ul> <p>We’ve long heard anecdotally that EPMs are helping companies protect themselves while making life easier for employees, and we’re heartened to see the data backs this up. 
As organizations strive to manage in this difficult time, it’s clear that technologies that improve productivity and security in one fell swoop will be more important than ever.</p></description></item><item><title>What it means to intern at 1Password</title><link>https://blog.1password.com/dev-internship/</link><pubDate>Fri, 17 Jul 2020 00:00:00 +0000</pubDate><author>info@1password.com (Connor Hicks)</author><guid>https://blog.1password.com/dev-internship/</guid><description> <img src='https://blog.1password.com/posts/2020/dev-internship/header.svg' class='webfeedsFeaturedVisual' alt='What it means to intern at 1Password' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">The end of the academic semester is always bittersweet at 1Password – a time when we part ways with the talented people who’ve joined us for an internship over the weeks before. Bittersweet because it’s always sad to say goodbye to new friends, but lovely to reflect on the valuable contribution they’ve made to 1Password – both our product and our culture.</p> <p>This year I wanted to share some thoughts from Mio who interned with us over the spring semester as part of the integrations team, working on the command-line tool. I hope Mio’s story gives you some insight into what it’s like to intern at 1Password – and hopefully encourage you to get in touch if it’s something you’d like to do in future. We’re always thrilled to have new students join the team.</p> <p>Take it away Mio…</p> <blockquote> <p>I got to introduce secure password generation to the command-line interface (CLI). I think it&rsquo;s an awesome feature for a password manager to have, so being able to add that to the CLI myself was honestly pretty exciting.</p> <p>Nothing is more motivating than a genuinely exciting project, and I was given the constant opportunity to do just that. 
Despite this only being my second work term, I feel like I did a lot, and that those things are actually useful internally and to customers.</p> <p>At the start, I was a little daunted by the remote aspect of the job. The company spans across the entire world, and my small team alone contained a nine-hour difference in time zones. Communication is naturally key in a remote company, and it felt like there is a mutual understanding among everyone.</p> <p>I was blessed with the opportunity to meet a good bunch of the company at the annual conference, AGConf. With remote work, it&rsquo;s easy for the conversations to really only focus on work, but being able to bond over all the other interesting things in life definitely made the online communication easier and more relaxed.</p> <p>I found myself thinking that the remote nature of 1Password is a strength. Because everyone is from all over the world, it results in an extremely diverse group of people.</p> </blockquote> <p>Thanks, Mio! I hope this story shows that interning at 1Password is an opportunity to work on real projects. There’s a simple reason for this: It’s best for everyone. I started my 1Password career as an intern working with the iOS team, so I can attest to the invaluable contribution these experiences can make to a career. A few short years later, it’s a privilege to be able to help mentor students during their own internships at 1Password.</p> <p>I also hope it shows that we strive to make sure 1Password is a welcoming, nurturing environment. All interns get hands-on, in-depth experience working with the software and the developers behind it. We encourage everyone to dive in and participate, learn as much as they can, and to always ask questions.</p> <p>We know that it can be challenging to step into an internship with a remote team, but we pride ourselves on our culture. 
We make sure that internships are a rewarding and inspiring learning experience, where you forge meaningful connections with team members around the world. (Though we also encourage the Toronto-based interns to come into the office once or twice a week for face-to-face time with the team.)</p> <p>If you’re interested in interning at 1Password we’d love to hear from you. We’re always keen to talk to people who are motivated to help us on our mission to make the internet a safer place for everyone. You can keep an eye on our <a href="https://1password.com/jobs/">jobs page</a> and drop us a line when the time is right. We’ll also announce new openings <a href="https://twitter.com/1password">on Twitter</a>.</p> <p>Thanks again to Mio, and all our spring semester interns! It was so great to work with you. We wish you all the best for what I’m sure are very bright futures.</p> <section class="c-call-to-action-box c-call-to-action-box--yellow"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">We&#39;re hiring!</h3> <p class="c-call-to-action-box__text"> Check out our jobs page to find out more about what it's like to work at 1Password, and see our current openings across a range of teams. 
</p> <a href="https://1password.com/jobs/" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--yellow" data-event-category="CTA" data-event-action="call-to-action-button"> See open positions </a> </div> </section></description></item><item><title>Watchtower notifications: Timely security alerts for the websites you use</title><link>https://blog.1password.com/announcing-watchtower-notifications/</link><pubDate>Tue, 07 Jul 2020 00:00:00 +0000</pubDate><author>info@1password.com (Michael Fey)</author><guid>https://blog.1password.com/announcing-watchtower-notifications/</guid><description> <img src='https://blog.1password.com/posts/2020/watchtower-notifications-update/header.svg' class='webfeedsFeaturedVisual' alt='Watchtower notifications: Timely security alerts for the websites you use' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Today we’re announcing a major update to <a href="https://watchtower.1password.com/">Watchtower</a>, the part of 1Password that lets you know about security breaches on the websites you use.</p> <p>This update adds notifications, so you don’t have to remember to check Watchtower to see if any sites you use have been compromised. Instead, 1Password will notify you if and when there’s a problem, so you can change your password to help keep your online accounts safe.</p> <h2 id="notifications-you-really-want">Notifications you really want</h2> <p>Watchtower will only alert you to security issues with sites you’ve saved, so you can be sure notifications will be relevant. 
They’ll save you time and worry because you no longer need to check in on Watchtower to see if any websites you use have been compromised.</p> <img src='https://blog.1password.com/posts/2020/watchtower-notifications-update/overview.png' alt='Watchtower notifications in 1Password' title='Watchtower notifications in 1Password' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p><a href="https://blog.1password.com/how-to-protect-yourself-against-the-next-big-data-breach/">Website security breaches</a> don’t happen often, so you shouldn’t see Watchtower notifications very much. It won’t send you more than one notification per day, and you’ll only receive notifications when 1Password is unlocked.</p> <p>If a site you use has been exposed by a security breach, your username and password may have been exposed along with it, making it possible for others to access your account. Being notified that a site you use has been compromised lets you change your login information straight away to keep your account secure.</p> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div class="c-technical-aside-box__description"> <p>Want to stay secure online? Create a unique username with 1Password&rsquo;s free <a href="https://1password.com/username-generator/">Username Generator</a>!</p> </div> </aside> <h2 id="watchtower-notifications-things-to-know">Watchtower notifications: things to know</h2> <p>Watchtower will use the native notifications of the operating system you’re using, whether that’s desktop or mobile. 
This will give you the same control over Watchtower notifications that you’re used to with all your other notifications.</p> <img src='https://blog.1password.com/posts/2020/watchtower-notifications-update/notification.png' alt='Watchtower notifications on your desktop' title='Watchtower notifications on your desktop' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>Watchtower notifications are available everywhere you use 1Password. You can control Watchtower notifications separately on all your devices. They aren’t turned on by default, so you’ll need to turn them on where you want to receive them.</p> <p>Help is at hand if you need it:</p> <ul> <li>1Password Support: <a href="https://support.1password.com/watchtower/">Use Watchtower to find passwords you need to change</a></li> <li>1Password Support: <a href="https://support.1password.com/notifications/">Manage 1Password notifications</a></li> </ul> <h2 id="watchtower-benefits">Watchtower benefits</h2> <p>You can still access Watchtower at any time to check the status of your logins. It will flag issues that mean you should change your password as soon as possible:</p> <ul> <li><strong>Compromised websites.</strong> These are sites that have suffered a known security breach.</li> <li><strong>Vulnerable passwords.</strong> These are passwords that have been exposed in a data breach. Watchtower regularly checks the <a href="https://1password.com/haveibeenpwned/">Have I Been Pwned</a> database, which records and verifies all known online data breaches.</li> <li><strong>Reused passwords.</strong> If your login details are ever exposed, the risk of a breach is multiplied anywhere passwords are reused.</li> <li><strong>Weak passwords.</strong> These are passwords that are too short or simple to be safe to use.</li> </ul> <p>And it will check for these other issues too:</p> <ul> <li><strong>Unsecured websites.</strong> These are sites that don’t encrypt data. 
Your login and any other information could be at risk.</li> <li><strong>Sites where you can use two-factor authentication.</strong> These are sites where you can take extra steps to keep your account secure.</li> </ul> <p>As always, <a href="https://support.1password.com/watchtower-privacy/">Watchtower keeps your data safe</a> – all checks are made on your local device. And when you need a new password, 1Password can create and keep <a href="https://1password.com/password-generator/">strong, unique passwords</a> for you.</p> <h2 id="watchtower-has-your-back">Watchtower has your back</h2> <p>Watchtower’s new notifications mean you don’t have to worry about lurking security issues with your online accounts – 1Password will alert you if and when there’s a problem. They’re designed not only to help keep you safe online, but to give you peace of mind. <a href="https://support.1password.com/watchtower/">Turn on Watchtower notifications today.</a></p></description></item><item><title>More Big Sur-prises: Password AutoFill on macOS!</title><link>https://blog.1password.com/autofill-on-big-sur/</link><pubDate>Tue, 30 Jun 2020 00:00:00 +0000</pubDate><author>info@1password.com (Michael Fey)</author><guid>https://blog.1password.com/autofill-on-big-sur/</guid><description> <img src='https://blog.1password.com/posts/2020/big-sur-autofill/header.svg' class='webfeedsFeaturedVisual' alt='More Big Sur-prises: Password AutoFill on macOS!' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <section class="c-call-to-action-box"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Update</h3> <p class="c-call-to-action-box__text"> During WWDC season, we often post glimpses at behind-the-scenes work and prototypes we’re exploring. On this occasion, our experiment remains just that — an experiment. We’re excited about AutoFill on macOS, however, and hopeful that it will become part of 1Password for Mac in the future. 
</p> </div> </section> <p>There’s a <code>.well-known</code> saying: Save the best for last. That’s exactly what Apple has subtly done for 1Password during Friday&rsquo;s <a href="https://developer.apple.com/videos/play/wwdc2020/10115/">AutoFill Everywhere session</a> at WWDC20! Not only did Apple announce that macOS Big Sur is bringing full support for password and security code AutoFill to all apps, they also dropped this gem at the very end of the session:</p> <blockquote> <p>And one more thing that&rsquo;s cool is that macOS Big Sur also supports password manager apps as a data source for AutoFill.</p> </blockquote> <img src='https://blog.1password.com/posts/2020/big-sur-autofill/rooMindBlown.png' alt='Mind blown' title='Mind blown' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p><a href="https://1password.com/features/autofill/">Autofill is key to 1Password</a>, so we rounded up our crack team of Apple developers and added support for Password AutoFill during a Friday afternoon hack-fest.</p> <p> <video class="round shadow" style="display: block; margin: auto; padding: 0;" loop="loop" playsinline="" width="100%" alt='' controls> <source src="https://blog.1password.com/posts/2020/big-sur-autofill/AutoFill-Demo-Final.mp4" type="video/mp4" /> </video> </p> <p>Look for 1Password in the apps on your Mac this fall when macOS Big Sur launches!</p> <section class="c-call-to-action-box"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Sign up for 14 days free!</h3> <p class="c-call-to-action-box__text"> Sign up for 1Password today and get your first 14 days free. 
</p> <a href="https://1password.com/pricing/" class="c-call-to-action-box__link-href" data-event-category="CTA" data-event-action="call-to-action-button"> Try 1Password FREE </a> </div> </section></description></item><item><title>The iOS clipboard conundrum</title><link>https://blog.1password.com/clipboard-conundrum/</link><pubDate>Tue, 30 Jun 2020 00:00:00 +0000</pubDate><author>info@1password.com (Megan Barker)</author><guid>https://blog.1password.com/clipboard-conundrum/</guid><description> <img src='https://blog.1password.com/img/headers/security-header.svg' class='webfeedsFeaturedVisual' alt='The iOS clipboard conundrum' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <section class="c-call-to-action-box c-call-to-action-box--yellow"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Correction</h3> <p class="c-call-to-action-box__text"> After this article was published on June 30, 2020, it was pointed out by a keen-eyed user (thank you!) that 1Password for iOS 7.6 does still copy to the clipboard automatically (without your consent) at certain times: </p> <ul> <li>When you edit a Login item, the new password is copied to the clipboard.</li> <li>When you create a new Login item, the new password is copied to the clipboard.</li> </ul> <p class="c-call-to-action-box__text"> These automatic behaviors will cease with the <em>next</em> release – 1Password for iOS 7.6.1. My sincerest apologies for the error and any confusion it has caused. </p> </div> </section> <p>It was back in March when researchers discovered that a popular video-sharing service was accessing users’ iOS clipboard contents without permission. 
Apple vowed to address the problem.</p> <p>At last week&rsquo;s WWDC 2020, Apple made good on their promise with the release of the iOS 14 developer beta which, among other great security enhancements, notifies you when an application accesses your clipboard.</p> <p>It&rsquo;s now been revealed that a number of other apps (53, to be precise) access the iOS clipboard without consent.</p> <p>This has sparked a lot of conversation, questions, and concern from our customers, and I&rsquo;d love the chance to address the issue.</p> <h2 id="what-this-means">What this means</h2> <p>It&rsquo;s important to remember that nothing has really changed – this clipboard &ldquo;scraping&rdquo; has happened for some time. The only difference is that, with the release of iOS 14, you&rsquo;ll <em>know</em> when it happens. And knowledge is power. Now that companies have been (and will be) called out for their behavior, those with legitimate business models will be far less likely to engage in such practices.</p> <p>Now, I know why you&rsquo;re really here, so let&rsquo;s get to the goods.</p> <p>First, <strong>1Password never copies data to the clipboard without a specific request from you.</strong> In other words, your secure 1Password data will never make it to the clipboard unless you tap Copy, or have Auto-Copy One-Time Passwords turned on.</p> <p>What&rsquo;s more, when you <a href="https://1password.com/features/autofill/">autofill 1Password items</a> on an iOS device, 1Password uses the <a href="https://support.1password.com/ios-autofill/#set-up-autofill">Password AutoFill</a> service, which is built into the framework of iOS. 
<a href="https://1password.com/features/autofill/">Password AutoFill</a> allows the system itself to pull data from 1Password so there is no interaction with the clipboard (except to copy one-time passwords, when necessary).</p> <h2 id="what-you-can-do">What you can do</h2> <p>If you haven&rsquo;t yet <a href="https://support.1password.com/ios-autofill/#set-up-autofill">set up AutoFill</a> on your iOS device (and this post has been wholly confusing thus far), that&rsquo;s my first recommendation.</p> <p>If you already use 1Password via AutoFill, and you want extra insurance for the odd time you need to copy and paste, turn on Clear Clipboard in <a href="https://1password.com/security/">1Password Security</a> settings. That will clear your iOS clipboard of any 1Password data 90 seconds after it&rsquo;s copied.</p> <p>You can learn even more about <a href="https://support.1password.com/ios-autofill-security/">1Password AutoFill security</a> on the 1Password Support website.</p> <h2 id="in-the-end">In the end</h2> <p>We love that Apple has remained committed to its stance on user privacy, which it called a &ldquo;fundamental human right&rdquo;. We certainly don&rsquo;t disagree.</p> <p>1Password will remain committed to our foundation – your <a href="https://1password.com/security/">security</a>. Part of that commitment is constant development, which does include ways to further reduce the need for people to copy passwords (and other secrets) to the clipboard. We have a staunch belief that you – and only you – should be in control of your information. 
&ldquo;Private by design&rdquo; is not just marketing-speak – it&rsquo;s how 1Password was built, and how it will stay.</p></description></item><item><title>Guard against external data breaches with domain breach reports</title><link>https://blog.1password.com/domain-breach-report/</link><pubDate>Mon, 29 Jun 2020 00:00:00 +0000</pubDate><author>info@1password.com (Chris Mann)</author><guid>https://blog.1password.com/domain-breach-report/</guid><description> <img src='https://blog.1password.com/posts/2020/dbr-announcement/header.svg' class='webfeedsFeaturedVisual' alt='Guard against external data breaches with domain breach reports' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">I’m excited to announce the release of a new 1Password feature designed to help businesses keep their data safe: domain breach report. Create a report to get a list of all company email addresses that have been caught in known <a href="https://blog.1password.com/data-breach-101-stay-safe-online/">data breaches</a>, so you can find and close doors to your data that have been unwittingly left open.</p> <h2 id="identify-risks-secure-your-company">Identify risks, secure your company</h2> <p>Once you have the list of exposed email addresses, you can see the kinds of data exposed in each case. This helps you prioritize next actions.</p> <p>Crucially, the domain <a href="https://1password.com/business/domain-breach-report/">breach report</a> flags exposed passwords, so you can let affected team members know they need to change those passwords immediately. 
You can also invite affected users to 1Password directly from the report so they can generate strong, unique passwords to use instead.</p> <p>Once set up with 1Password, they can also use <a href="https://support.1password.com/watchtower-privacy/">1Password Watchtower</a> to see where breached passwords have been reused, and change them to make sure those exposed passwords don’t lead to more important accounts being compromised.</p> <h2 id="why-businesses-need-to-care-about-data-breaches">Why businesses need to care about data breaches</h2> <p>One breach can open many doors. Because of the widespread problem of password reuse, a data breach on one website can mean many other sites are affected. This is a huge blind spot for many organizations. <a href="https://services.google.com/fh/files/blogs/google_security_infographic.pdf">Research by Google and Harris Poll</a> in February 2019 suggests that 65 percent of people reuse passwords on some or all of their accounts.</p> <p>Hackers use a relatively simple technique known as <a href="https://blog.1password.com/how-1password-keeps-you-safe-from-cyber-attacks/">credential stuffing</a>, where many stolen passwords (and similar computer-generated derivations) are “stuffed” into sites across the internet until the hacker is able to log in. According to the <a href="https://www.verizon.com/about/news/verizon-2020-data-breach-investigations-report">Verizon 2020 Data Breach Investigations Report</a>, 67 percent of all breaches come from credential theft, errors, or social attacks.</p> <p>If hackers gain access to the applications you use for work, they may have access to sensitive information about your company, employees, or customers. This could leave the company facing costly fines for violating regulations, and a loss of trust in its operations and brand.</p> <h2 id="respect-for-privacy">Respect for privacy</h2> <p>If you know 1Password, you know we take security and privacy very seriously. 
For the domain breach report, we’ve taken a number of steps to make sure that, in highlighting risks posed by breaches, the privacy of your team is maintained:</p> <ul> <li><strong>Confirm your domains:</strong> We send a confirmation email, so only you can generate a report for your domains.</li> <li><strong>Owners control access:</strong> Only a 1Password owner in your business can create a domain breach report – though they can choose to share it with administrators and a Security group they can create.</li> <li><strong>Passwords and other data aren’t shown:</strong> You can see if a password has been exposed, not what it was – the same goes for other information exposed.</li> <li><strong>Personally-sensitive breaches:</strong> Breaches that are known to be personally sensitive, such as breaches of adult dating sites, do not appear in the report.</li> </ul> <h2 id="how-to-get-started">How to get started</h2> <p>Domain breach report is available today with <a href="https://1password.com/business/">1Password Business</a> and 1Password Teams. Visit 1Password Support to see how to <a href="https://support.1password.com/breach-report/">create a domain breach report</a>, or if you don’t use 1Password you can <a href="https://1password.com/business/">start a free trial</a> to create a report.</p> <p>We’re so excited to get this feature out into the world, as we think it can help businesses improve their security right away. If you have any thoughts or questions, we’d love to hear from you. 
<a href="https://1password.community/">Our forums</a> are a great place to share feedback.</p></description></item><item><title>WWDC20: Live from our living rooms</title><link>https://blog.1password.com/wwdc-2020-at-home/</link><pubDate>Thu, 25 Jun 2020 00:00:00 +0000</pubDate><author>info@1password.com (Michael Fey)</author><guid>https://blog.1password.com/wwdc-2020-at-home/</guid><description> <img src='https://blog.1password.com/posts/2020/wwdc-2020/header.svg' class='webfeedsFeaturedVisual' alt='WWDC20: Live from our living rooms' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Every June, our development team embarks on the great journey to sunny San Jose, California for Apple’s Worldwide Developers Conference. This year the journey was…shorter. In fact, it was just a few steps to the couch for the first remote WWDC. Amidst all the challenges facing the world, Apple did what they do best: Think different.</p> <p>Credit to Apple – they’ve exceeded our expectations for a remote WWDC. The keynote was entertaining and informative. The sessions were clear and concise. And even the labs were great, with one-on-one time with Apple developers from the comfort of our homes.</p> <p>While we’ve really missed hanging out with everyone in San Jose, this was easily a WWDC for the record books. Here are a few highlights from our week as WWDC draws to a close.</p> <h2 id="macos-this-one-goes-to-11-">macOS: This one goes to 11 👩🎤</h2> <p>I immediately installed the beta of macOS 11 Big Sur, and it’s no Big Sur-prise that I’ve been loving it ever since. The new design language, SwiftUI-based Control Center and Notification Center, and brand-new Safari are all incredibly exciting. 
And I can’t wait to get my hands on a Developer Transition Kit for the move to Apple silicon.</p> <img src='https://blog.1password.com/posts/2020/wwdc-2020/Big_Sur_Icon.png' alt='Colorful Big Sur Icons' title='Colorful Big Sur Icons' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p><em>macOS Big Sur introduces a new icon design language. Here’s a sneak peek of 1Password’s new icon in both light and dark modes, compared to its current icon.</em></p> <h2 id="ios-and-ipados">iOS and iPadOS</h2> <p>Apple continues to move iOS and iPadOS forward in some wonderful ways. I’m delighted by the improved home screen using Widgets and the App Library, improvements to Siri and Dictation, and Safari’s new Password Monitoring and Privacy Reports – both things that are near and dear to our core beliefs. Also, phone calls won’t take over my whole screen anymore!</p> <h2 id="1password-runs-well-on-the-betas">1Password runs well on the betas</h2> <p>We know you’re just as excited to try out Apple’s new operating systems, and may even be considering the public betas when they’re available next month. I’m happy to report that 1Password runs really well on all developer betas: macOS 11 Big Sur, iOS 14, and iPadOS 14.</p> <p>In fact, we wanted to show you a little something. Part of being a good citizen of an app ecosystem is embracing the platform tools wherever possible. 
One of the benefits of our doing this over the years is that we sometimes get new functionality with little to no extra work.</p> <p>Take a look at how the new Scribble feature in iPadOS 14 works in the current version of 1Password.</p> <p> <img src='https://blog.1password.com/posts/2020/wwdc-2020/Scribble-demo-1.png' alt='Scribble demo in 1Password, step 1' title='Scribble demo in 1Password, step 1' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <img src='https://blog.1password.com/posts/2020/wwdc-2020/Scribble-demo-2.png' alt='Scribble demo in 1Password, step 2' title='Scribble demo in 1Password, step 2' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <img src='https://blog.1password.com/posts/2020/wwdc-2020/Scribble-demo-3.png' alt='Scribble demo in 1Password, step 3' title='Scribble demo in 1Password, step 3' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> </p> <p>Handwriting a Title and a Note in a Secure Note item converts into regular typed text. We also wrote the note using Markdown syntax, which converted successfully into the text field, and then displayed as rich text when we were done editing. It just works™.</p> <p> <video class="round shadow" style="display: block; margin: auto; padding: 0;" loop="loop" playsinline="" width="100%" alt='' controls> <source src="https://blog.1password.com/posts/2020/wwdc-2020/scribble.mp4" type="video/mp4" /> </video> </p> <h2 id="new-os-means-new-features">New OS means new features</h2> <p>Scribble isn’t the only new thing we’re excited about. Our developers have been hard at work the past few days exploring the possibilities of what 1Password could do with some of the new features available to us, and I’d like to show you some of those ideas.</p> <p><strong>Widgets</strong></p> <p>Widgets in iOS, iPadOS, and macOS are incredibly useful for seeing key bits of information quickly. 
This week, we put our heads together and created a widget that provides a glanceable report of your Watchtower stats. The best part is nearly all the code is shared between iOS, iPadOS, and macOS thanks to SwiftUI.</p> <p> <video class="round shadow" style="display: block; margin: auto; padding: 0;" loop="loop" playsinline="" width="100%" alt='' controls> <source src="https://blog.1password.com/posts/2020/wwdc-2020/Widget-demo.mp4" type="video/mp4" /> </video> </p> <p><em>The 1Password widget shows you Compromised Sites in its small size, and its medium size reports an entire Watchtower summary. And when you&rsquo;ve upped your security, Watchtower celebrates with you.</em></p> <p><strong>App Clips</strong></p> <p>App Clips are tiny portions of an iOS app that are available on demand from a website, NFC tag, or QR code. The team has put together an App Clip that creates a quick breach report from Watchtower – even without a 1Password membership. If anything comes up in the breach report, you can download the rest of the app and start a free trial to improve your security with 1Password.</p> <p> <video class="round shadow" style="display: block; margin: auto; padding: 0;" loop="loop" playsinline="" width="100%" alt='' controls> <source src="https://blog.1password.com/posts/2020/wwdc-2020/app-clip.mp4" type="video/mp4" /> </video> </p> <p><em>The 1Password App Clip lets you know when and where you&rsquo;ve had compromised accounts.</em></p> <p><strong>Safari Web Extensions</strong></p> <p>Ever since we released 1Password X, we’ve been asked one question time and again: When is it coming to Safari? Thanks to the introduction of Safari Web Extensions at WWDC20, we were able to get 1Password X mostly running in Safari in a few short hours. 
We’re not making any promises yet, but the future for 1Password X in Safari is looking bright.</p> <p> <video class="round shadow" style="display: block; margin: auto; padding: 0;" loop="loop" playsinline="" width="100%" alt='' controls> <source src="https://blog.1password.com/posts/2020/wwdc-2020/1passwordx-demo.mp4" type="video/mp4" /> </video> </p> <h2 id="thats-a-wrap">That’s a wrap</h2> <p>Apple has given us a lot of exciting new technologies to craft the next features of 1Password, and we can&rsquo;t wait to see how they evolve.</p> <p>I look forward to sharing more with you later this fall when Apple’s newest operating systems are released to everyone.</p></description></item><item><title>Log in with ease on Apple TV</title><link>https://blog.1password.com/log-in-with-ease-on-apple-tv/</link><pubDate>Fri, 19 Jun 2020 00:00:00 +0000</pubDate><author>info@1password.com (Sarah Brown)</author><guid>https://blog.1password.com/log-in-with-ease-on-apple-tv/</guid><description> <img src='https://blog.1password.com/posts/2020/autofill-apple-tv/header.png' class='webfeedsFeaturedVisual' alt='Log in with ease on Apple TV' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">I&rsquo;ve been using my time stuck at home to catch up on the movies and TV shows in my digital queues. 
While my Apple TV makes it easy to access the right streaming app to watch <em>Grey&rsquo;s Anatomy</em> or <em>Avengers: Endgame</em>, having to individually enter the passwords for each app can be frustrating.</p> <h2 id="contents">Contents</h2> <ul> <li><a href="#how-to-use-1password-to-log-in-to-apple-tv">How to use 1Password to log in to Apple TV</a></li> <li><a href="#how-safe-is-it">How safe is it?</a></li> </ul> <p>Whether it&rsquo;s fighting with the onscreen keyboard to painstakingly move between characters, or trying to speak clearly enough for Siri to understand, it&rsquo;s challenging to enter a suitably complex password correctly on the first try. But with 1Password <a href="https://support.1password.com/get-the-apps/?ios">set up on my iOS device</a>, I can take advantage of the <a href="https://1password.com/features/autofill/">AutoFill</a> feature to access my stored credentials from my phone or iPad with just a tap.</p> <h2 id="how-to-use-1password-to-log-in-to-apple-tv">How to use 1Password to log in to Apple TV</h2> <p>AutoFill makes it easy to enter passwords on iOS without having to type out a full username and password. This makes it easier for me to use more complex generated passwords in places where I may not have before, keeping me more secure across all of my accounts.</p> <p>When I navigate to the username/password field for the app I want to use, my Apple TV automatically detects the login screen. A simple notification appears at the top of the screen, prompting me to use AutoFill on my iOS device to enter text or fill in a password.</p> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div class="c-technical-aside-box__description"> <p>Want to stay secure online?
Create a unique username with 1Password&rsquo;s free <a href="https://1password.com/username-generator/">Username Generator</a>!</p> </div> </aside> <p>Tapping on that notification opens up the iOS keyboard, where the 1Password account option is located in the QuickType bar just above the keyboard. If I have more than one login for a single app, I can easily tap the key icon on the right to scroll through and choose the right one.</p> <p>After I&rsquo;ve selected the right login credentials and authenticated using <a href="https://1password.com/mac/">Touch ID</a>, Face ID, or my Master Password, they&rsquo;re sent right over to my Apple TV.</p> <p>This simple process has saved me a headache while logging in to the right accounts for my streaming apps, getting me back to the drama, intrigue, and fictional mayhem that much faster.</p> <h2 id="how-safe-is-it">How safe is it?</h2> <p>AutoFill keeps my credentials as safe as possible and never displays my username or password in plain text on my iPhone, iPad, or Apple TV. Even if I&rsquo;m signing in to an app in a room full of people ready for movie night, my passwords are still secret and kept safely locked in my <a href="https://1password.com/resources/guides/create-and-manage-shared-vaults/">1Password vault</a>.</p> <p>And if I want to add an extra level of security, AutoFill also works with two-factor authentication codes. The code can be entered using the same processes used for other credentials stored in your 1Password vault.</p> <section class="c-call-to-action-box"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Get started today</h3> <p class="c-call-to-action-box__text"> Sign up for 1Password today and get your first 14 days free. 
</p> <a href="https://1password.com/pricing/" class="c-call-to-action-box__link-href" data-event-category="CTA" data-event-action="call-to-action-button"> Try 1Password free </a> </div> </section></description></item><item><title>1Password command-line tool 1.0: More commands, more power</title><link>https://blog.1password.com/cli-1-0-release/</link><pubDate>Fri, 22 May 2020 00:00:00 +0000</pubDate><author>info@1password.com (Connor Hicks)</author><guid>https://blog.1password.com/cli-1-0-release/</guid><description> <img src='https://blog.1password.com/posts/2020/CLI-may-release/header.png' class='webfeedsFeaturedVisual' alt='1Password command-line tool 1.0: More commands, more power' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Today we’re thrilled to announce the release of <a href="https://developer.1password.com/docs/cli/v1/get-started/">1Password command-line tool 1.0</a>. We’re excited to highlight some of the features the team has worked hard to build.</p> <p>This tool makes your 1Password account accessible entirely from the command line. It gives you robust ways to interact with and manage your 1Password account.</p> <h2 id="working-with-items">Working with items</h2> <p>The command-line tool makes it easy to create a new item in 1Password with <code>op create item</code>:</p> <pre><code>op create item server title=Staging username=admin@example.com url=sftp://staging.example.com </code></pre> <p>The new <code>op edit item</code> command allows you to update an item directly from the command line. Now you can update dozens or even hundreds of items at once with some simple scripting.</p> <pre><code>op edit item "Personal Visa" pin=8910 </code></pre> <p>You can also get specific field values from items using the <code>get item</code> command and the new <code>--fields</code> option.
This is super convenient when you want to use information that’s stored securely in 1Password in your command-line workflows.</p> <pre><code>op get item GitLab --fields password,token </code></pre> <p>This 1.0 release also gives you the ability to generate a strong password with the <code>--generate-password</code> option. It works with <code>create item</code> and <code>edit item</code> commands. You can even customize the password recipe to adjust the length and character types to use.</p> <pre><code>op create item login --vault Streaming title=Petflix --generate-password </code></pre> <h2 id="taking-command">Taking command</h2> <p>It&rsquo;s just as efficient to perform administrative tasks in the terminal as it is to manage items. With a single command, you can add, confirm, or remove users from your account, as well as assign users access to specific groups and vaults. Running <code>op create user</code> adds a new user to your account and the <code>add user</code> command can grant them additional access. You can also specify a user&rsquo;s role within a group using the <code>--role</code> option.</p> <pre><code>op add user paddy@1password.com Directors
op add group Directors Financials </code></pre> <p>The new <code>op list users</code> options, <code>--group</code> and <code>--vault</code>, allow you to see who has access to what and make changes that align with your organization’s access policies.</p> <pre><code>op list users --group Directors </code></pre> <p>That&rsquo;s just a sample of all of the administrative commands you have at your disposal.
Take a look at our <a href="https://developer.1password.com/docs/cli/v1/reference/">documentation</a> for a full list.</p> <h2 id="and-even-more">And even more</h2> <p>We&rsquo;ve also added a bunch of new features to keep things running smoothly:</p> <ul> <li><strong>Link directly to items within your <a href="https://1password.com/resources/guides/create-and-manage-shared-vaults/">1Password vaults</a>.</strong> Use <code>get item --share-link</code> to generate a link that points right to items.</li> <li><strong>Easily confirm new users.</strong> Use <code>op confirm --all</code> to confirm all pending accepted invitations.</li> <li><strong>Learn at your leisure.</strong> The <a href="https://developer.1password.com/docs/cli/v1/reference/">command-line tool documentation</a> provides a complete list of every command and option available to you.</li> </ul> <p>And there are even more features that we haven’t mentioned here for you to discover in the newest release!</p> <h2 id="version-10-is-ready-now">Version 1.0 is ready now</h2> <p>The latest release of the 1Password command-line tool is available to <a href="https://1password.com/downloads/command-line/">download now</a>.</p> <p>For more details, read the <a href="https://app-updates.agilebits.com/product_history/CLI#v100001">full release notes</a>. 
And don&rsquo;t forget to let us know what you think on <a href="https://twitter.com/1Password">Twitter</a>, and the <a href="https://1password.community/categories/cli">1Password Support forum</a>.</p></description></item><item><title>Remote work survey: How IT teams managed the Covid-19 transition</title><link>https://blog.1password.com/remote-work-it-survey/</link><pubDate>Thu, 21 May 2020 00:00:00 +0000</pubDate><author>info@1password.com (Jeff Shiner)</author><guid>https://blog.1password.com/remote-work-it-survey/</guid><description> <img src='https://blog.1password.com/posts/2020/wfh-survey-results/header.png' class='webfeedsFeaturedVisual' alt='Remote work survey: How IT teams managed the Covid-19 transition' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">1Password has always been a <a href="https://blog.1password.com/categories/remote-work/">remote-first company</a>. But how have <em>other</em> organizations adapted to remote and hybrid work, especially during the Covid-19 pandemic?</p> <p>In the spring of 2020, we polled knowledge workers in the U.S. to find out how the opportunities and challenges of remote work were affecting companies and their employees.</p> <p>The responses underlined the scale of the changes that had taken place, and the role IT played in enabling it. (That’s IT both in terms of the technology itself, and the professionals that make IT happen.) 
Here, we&rsquo;ll share some of our findings and talk about the heroic efforts we saw in IT departments.</p> <p>We only spoke with workers in the U.S., but have no reason to think these findings weren&rsquo;t representative of other businesses around the world.</p> <p>Before we go any further, here are a couple of the most important stats:</p> <ul> <li><strong>89% of respondents had no criticism of their company’s IT team.</strong> Given the scale of the upheaval, that’s testament to the incredible work IT teams were doing.</li> <li><strong>68% of respondents preferred working from home either some or all of the time.</strong> A shift in attitude was also underway, with the majority becoming happier with the idea of remote work.</li> </ul> <h2 id="a-gigantic-upheaval">A gigantic upheaval</h2> <p>We surveyed 1,000 desk-based knowledge workers in the U.S., and the results showed just how significant the shift to remote working had been.</p> <ul> <li>Half of those surveyed were IT professionals.</li> <li>89% of respondents said they had recently made the shift to remote work.</li> </ul> <p>“Revolution” may sound like hyperbole, but it felt appropriate when we looked at what was happening for millions of workers who use computers for their day-to-day job.</p> <img src='https://blog.1password.com/posts/2020/wfh-survey-results/transitioned.png' alt='Have you recently transitioned to remote work?' title='Have you recently transitioned to remote work?' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>The results also highlighted the massive transition those companies had made. Only 27% of respondents thought their company was completely prepared for the move, leaving a large majority that still needed to do some figuring out.
That said, only 13% of respondents thought their company wasn’t at all prepared, suggesting that the majority of companies were already working in remote-friendly ways to some extent.</p> <p>Few could have predicted a COVID-19-like event. If some companies were more prepared than others, we suspect it’s down to the flexibility granted by forward-thinking IT planning and policy. Companies rely more than ever on cloud-hosted or cloud-connected services rather than standalone software. Clearly, though, some organizations had gone further on that journey than others when we conducted this survey.</p> <p>It’s ironic that, of the companies with a historical objection to the idea of remote work, many were gradually preparing for it all the same, simply by keeping up with trends in technology. The more you use tools and processes that work anywhere, the easier remote working becomes if and when you do it. Much of the infrastructure for remote work was already in place – where people sit was merely the last piece of the puzzle.</p> <p>In short, the survey showed that Covid-19 accelerated a shift that was already underway.</p> <h2 id="the-it-challenge-is-huge--and-complex">The IT challenge is huge – and complex</h2> <p>As we dug deeper into the results, it quickly became clear that IT was playing a large role in the shift to remote work. IT teams were enabling new ways of working, solving technical problems, and, frankly, saving the day.</p> <img src='https://blog.1password.com/posts/2020/wfh-survey-results/strengthen-protocols.png' alt='Have IT departments strengthened security protocols in the move to remote work?' title='Have IT departments strengthened security protocols in the move to remote work?' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>Unsurprisingly, security was a focal point for companies making the change – but it wasn&rsquo;t a straightforward picture.
Roughly a third of IT respondents said their companies had strengthened some security protocols, but a third said their organization had relaxed some. (And perhaps unsurprisingly, larger firms were more likely than small ones to have made no changes.)</p> <p>In hindsight, our survey should have allowed that strengthening and relaxing are simultaneously possible. On the one hand, companies might have been seeking tighter security around passwords, <a href="https://1password.com/features/two-factor-authentication/">two-factor authentication</a>, and access to data. On the other, they may have been trying to loosen policies that limit the selection of apps and services that remote workers could use to get things done. (In other words, <a href="https://blog.1password.com/challenges-of-shadow-it/">bringing shadow IT into the light</a>.)</p> <p>Half the respondents who were breaking their company’s policy were doing so in an attempt to be more productive.</p> <img src='https://blog.1password.com/posts/2020/wfh-survey-results/follow-protocols.png' alt='Do IT professionals think security protocols are followed better or worse from home?' title='Do IT professionals think security protocols are followed better or worse from home?' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>However, 63% of IT professionals told us that compliance with security measures had actually increased. This may have been down to a greater awareness of security issues (no doubt helped by company guidance) and an increased sense of responsibility while working from home.</p> <p>Ultimately, we don&rsquo;t know. Sitting in an office, complete with security guards, locked doors, and visibly present IT and security teams, possibly lulled people into a sense of security. One that may have been false to some extent, given the nature of online threats.
Companies still dubious of remote work should take note: This survey suggested that remote workers were taking security more seriously than ever. And their first priority was being productive.</p> <h2 id="hero-of-the-storm">Hero of the storm</h2> <p>Clearly, IT teams were performing administrative gymnastics to help companies and their staff get work done while simultaneously keeping everyone safe.</p> <p>And that was on top of the increased workload of supporting remote workers with their day-to-day needs. Respondents told us that their top IT requests were helping to resolve connectivity issues, setting up devices, and handling software updates.</p> <img src='https://blog.1password.com/posts/2020/wfh-survey-results/hero.png' alt='A big 89% of people looking happy about their IT teams' title='A big 89% of people looking happy about their IT teams' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>Remarkably, 89% of respondents said they had no criticism at all of their company&rsquo;s IT teams. It was clear that the IT industry – and more so the myriad IT teams out there in the corporate world – were doing excellent work to keep the companies they support in business during these difficult times.</p> <img src='https://blog.1password.com/posts/2020/wfh-survey-results/prefer-work.png' alt='Where would you prefer to work?' title='Where would you prefer to work?' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>It was also clear that recent events were changing minds. 68% of respondents said they preferred working from home either some or all of the time, and 59% of respondents were more inclined to do so.</p> <p>We’ve always been believers in remote work at 1Password. But this survey showed that more and more people are becoming believers too.
The responses indicated that remote workers were happy, productive, and security-conscious thanks to the technology – and people – that support remote work.</p> <p>We’re also long-time believers in IT teams and the important work they do. We’re proud to have built 1Password into an app loved by many IT professionals. We understand the challenges they face, and we’re doubling down on making 1Password as easy as possible to deploy, support, and – above all – use.</p> <p>A big thank you to everyone who took part in the survey.</p> <section class="c-call-to-action-box"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Sign up for 1Password Business</h3> <p class="c-call-to-action-box__text"> Sign up for 1Password Business today and get your first 14 days free. </p> <a href="https://1password.com/business-pricing/" class="c-call-to-action-box__link-href" data-event-category="CTA" data-event-action="call-to-action-button"> Try 1Password FREE </a> </div> </section></description></item><item><title>Apple and Google's contact tracing is privacy preserving</title><link>https://blog.1password.com/contact-tracing/</link><pubDate>Wed, 06 May 2020 00:00:00 +0000</pubDate><author>info@1password.com (Jeffrey Goldberg)</author><guid>https://blog.1password.com/contact-tracing/</guid><description> <img src='https://blog.1password.com/posts/2020/contact-tracing/header.png' class='webfeedsFeaturedVisual' alt='Apple and Google's contact tracing is privacy preserving' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">You may have heard about contact tracing apps, which are designed to help health authorities identify people who have been in contact with someone infected with SARS-CoV-2, the novel coronavirus which causes COVID-19.
It&rsquo;s natural to worry that such apps could be used to collect data about who you meet and where you go.</p> <p>Fortunately, there is some clever technology that leaves the user in control and protects privacy, while giving individuals and health authorities the information they need. Apple and Google are introducing that technology to their phones.</p> <p>I fully anticipate that I&rsquo;ll enable the relevant app that uses this exposure notification technology when it becomes available, and that I&rsquo;ll encourage others to, as well.</p> <h2 id="privacy-still-matters">Privacy still matters</h2> <p>It&rsquo;s reasonable to ask whether privacy preservation still matters when there is a pressing and compelling public health need for improved contact tracing. As we face the choice of whether to adopt privacy-preserving tracing apps, privacy-violating apps, or no apps at all, I&rsquo;ll say a few words about why we should choose those that preserve privacy.</p> <p>The data that these apps might gather could include where you travel, who you come into contact with, and some of your health information. That data, on perhaps millions of people, will have to be stored somewhere. Even well-intentioned holders of such data would have an enormous burden to protect it; to ensure that it&rsquo;s only used for its intended purposes, and in ways that don&rsquo;t reveal anything more than it should. We can&rsquo;t rely on all holders of such data to be well intentioned.</p> <p>So I&rsquo;m delighted that Google and Apple are providing these tools. They enable health authorities to distribute apps without putting themselves in a position to have to defend such a rich trove of data. As you will see below, the scheme is set up so contact tracing secrets don&rsquo;t need to be stored in any central location.</p> <h2 id="how-it-works">How it works</h2> <p>I&rsquo;ve been using the term &ldquo;contact tracing&rdquo; a bit loosely. 
The technology that Apple and Google are rolling out is more properly called exposure notification. It is based on <a href="https://github.com/DP-3T/documents">Decentralized Privacy-Preserving Proximity Tracing (DP-3T)</a>. The Apple/Google scheme is based on an older version of DP–3T, and would work something like this. (Because the diagrams come from DP–3T&rsquo;s documentation, I&rsquo;ll use their terminology.)</p> <ol> <li> <p>Patty and Molly (who may not know each other) both install and enable the app from their health authority.</p> </li> <li> <p>As Patty and Molly go about their business, their phones send and receive Ephemeral Identifiers (EphID) to and from other enrolled phones nearby. These EphIDs are changed every 10 minutes.</p> </li> <li> <p>On Saturday afternoon, they come within Bluetooth distance of each other (a few meters).</p> </li> </ol> <img src='https://blog.1password.com/posts/2020/contact-tracing/DP3T_figureAA.jpg' alt='Bluetooth sharing of EphIDs' title='Bluetooth sharing of EphIDs' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>Now Patty and Molly (and others) are running around with lots of these Ephemeral IDs from the day they were received. They are designed to be small, and are purged every 14 days – so even if you are in Bluetooth range of a hundred other devices every 10 minutes, only a few megabytes of data need to be stored.</p> <p>The Ephemeral IDs are actually generated using each user&rsquo;s day key. Molly will create a new secret day key each day, as will Patty and every other user. There is no way to figure out the day key from the EphIDs. In the diagrams, the day key is labelled &ldquo;SKt&rdquo;.</p> <h3 id="patty-gets-sick">Patty gets sick</h3> <p>If nobody gets sick, none of the information needs to go anywhere. But if Patty is diagnosed with COVID-19 the following Wednesday, she will be asked to share her day keys for previous days (at most 14 days). 
Note that the day keys have never been shared with other devices, and there is nothing secret about them - they tell nothing about Patty&rsquo;s movements or activities, much less actually identify her.</p> <p>The health authority maintains and publishes a database of day keys for people like Patty. In Patty&rsquo;s case, it will include the day keys (along with the dates) for the period they believe she could have been infectious.</p> <p>The backend server will periodically send updates to all the phones of these day keys (and which days they correspond to), so Molly&rsquo;s phone will get Patty&rsquo;s day key from the previous Saturday. Molly&rsquo;s app will then use Patty&rsquo;s day key to perform a cryptographic verification check on the Ephemeral IDs she has for that day.</p> <img src='https://blog.1password.com/posts/2020/contact-tracing/DP3T_figurePT.jpg' alt='Distributing day keys after diagnosis' title='Distributing day keys after diagnosis' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>If Molly&rsquo;s phone finds a match for an EphID, it still needs to figure out whether she was around Patty long enough and close enough for this to be worrisome. In the Apple/Google scheme, Molly&rsquo;s phone will send the day of the contact, the duration of the contact, and the strength of the Bluetooth signal back to the server. The server will use a tuned algorithm to determine risk scoring. If they believe Patty was very infectious, or Molly and Patty were close to each other for a long period, it will tell Molly&rsquo;s phone that this was a possible exposure. Molly&rsquo;s app will then notify Molly and tell her who to contact and what to do next.</p> <p>The Apple/Google scheme differs significantly from the latest version of the DP–3T at this juncture. 
With the DP–3T scheme, the risk score is computed on Molly&rsquo;s phone, and the backend server updates the various phones on how to compute the risk score.</p> <h2 id="understanding-privacy">Understanding privacy</h2> <p>My fear is that people won&rsquo;t believe this system is privacy preserving. They will hear that this is a Google/Apple scheme and will incorrectly assume that a great deal of data is given to those companies when that&rsquo;s not the case. People are also likely to falsely assume that health authorities using this can track everyone&rsquo;s movements. After all, without the cleverness of the key and ID generation, along with a way to verify an Ephemeral ID when a day key is published, it would seem impossible to have something that works without having to collect a great deal of information about people&rsquo;s movements.</p> <p>Another difficulty with the public understanding of this is that most people will not be able to distinguish between which apps use good privacy-preserving mechanisms and which ones don&rsquo;t. I hope, however, that this article will help you understand that these sorts of things can be built with strong privacy protections.</p> <section class="c-call-to-action-box c-call-to-action-box--purple"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Get more security tips</h3> <p class="c-call-to-action-box__text"> Subscribe to our business security newsletter and get advice on running a secure, productive workplace delivered directly to your inbox. 
</p> <div class="c-call-to-action-box__text c-call-to-action-box__text--purple"> By signing up you agree to receive emails about the latest 1Password announcements, product updates, and events. <a class="c-newsletter-signup-form__gdpr--link" href="https://www.1password.co/email-preferences.html">Unsubscribe</a> any time. You also agree to our <a class="c-newsletter-signup-form__gdpr--link" href="https://1password.com/legal/terms-of-service/">terms of service</a> and <a class="c-newsletter-signup-form__gdpr--link" href="https://1password.com/legal/privacy/">privacy policy</a>.
</div> </div> </section></description></item><item><title>Rolling out 1Password: tips for onboarding your team</title><link>https://blog.1password.com/rolling-out-1password-tips-for-onboarding-your-team/</link><pubDate>Fri, 01 May 2020 00:00:00 +0000</pubDate><author>info@1password.com (James Holloway)</author><guid>https://blog.1password.com/rolling-out-1password-tips-for-onboarding-your-team/</guid><description> <img src='https://blog.1password.com/posts/2020/business-adoption/header.png' class='webfeedsFeaturedVisual' alt='Rolling out 1Password: tips for onboarding your team' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">If you’ve just signed up for 1Password Business, this article will help you deploy 1Password quickly and easily, regardless of the size of your organization. However you choose to roll out 1Password, it can all be done remotely.</p> <h2 id="contents">Contents</h2> <ul> <li><a href="#step-1-start-small">Step 1: Start small</a></li> <li><a href="#step-2-scale">Step 2: Scale</a></li> <li><a href="#deployment-tips">Deployment tips</a></li> <li><a href="#were-here-to-help">We’re here to help</a></li> </ul> <h2 id="step-1-start-small">Step 1: Start small</h2> <p>It&rsquo;s a good idea to start with a small group of people so you have the flexibility to tweak your setup as you go. All businesses and their <a href="https://1password.com/password-manager/password-policies/">password policies</a> vary, but here&rsquo;s some advice everyone can follow to get started:</p> <img src='https://blog.1password.com/posts/2020/business-adoption/pilot_group.png' alt='1Password Usage Report for specified user' title='1Password Usage Report for specified user' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p><strong>Add another owner.</strong> Account owners are the people with ultimate control of 1Password in your business. 
If an owner runs into access issues, only another owner can help out. So a great first step is adding another owner to make sure you don’t lose access to 1Password. A senior and established member of your organization is usually a good choice. While you&rsquo;re at it, <a href="https://support.1password.com/team-recovery-plan/">implement a recovery plan</a> for your team.</p> <p><strong>Add a few administrators.</strong> We recommend inviting administrators before adding team members – a great reason being that administrators can add team members themselves. Administrators will probably do most of the overseeing of 1Password; they can do everything owners can except delete the team, manage owner access, or make changes to your subscription. Senior managers and technical leaders are good candidates.</p> <p><strong>And start with a small group.</strong> Start using 1Password with a small group of people so it&rsquo;s easy to course-correct if you need to reorganize the account. You can also hone the deployment process before you roll out 1Password company-wide. It might make sense to start with your IT or security team. And if you have 1Password fans on your team already, it may be a good idea to include them.</p> <p>We’ve put together guides for <a href="https://support.1password.com/explore/team-admin/">administrators</a> and <a href="https://support.1password.com/explore/team-member/">team members</a> to help them get started. 💁</p> <h2 id="step-2-scale">Step 2: Scale</h2> <p>Once your first group is up and running with 1Password and you’ve optimized your setup, you’re ready to scale, as fast or slow as you’d like. IBM provisioned 50,000 people in just 2 weeks – so if you want to deploy 1Password quickly, you absolutely can.</p> <p><strong>Provision with your identity provider.</strong> If you use an identity provider, the 1Password <a href="https://support.1password.com/scim/">SCIM bridge</a> is the way to go. 
You can connect 1Password to Azure Active Directory, Okta, or OneLogin to provision and deprovision users automatically, as well as add and remove them from groups.</p> <p><strong>Use a sign-up link.</strong> A sign-up link is another great way to get your team using 1Password quickly. You can share your sign-up link in a group chat, share it in the #announcements channel of your team communication app, or email it to everyone you want to invite.</p> <p>See <a href="https://support.1password.com/add-remove-team-members/">how to add and remove team members</a> for more. 💁♀️</p> <h2 id="deployment-tips">Deployment tips</h2> <p>Here are some extra tips to help rollout go as smoothly as possible:</p> <p><strong>Add data organically.</strong> There’s no need for team members to add all their logins and other information to 1Password right away. It’s often easier when people add and create passwords as they go using the <a href="https://support.1password.com/1password-extension/">1Password browser extension</a>. As well as making it easier to sign in to websites, the extension offers to save your account details as you use them, making it easy to add information to 1Password gradually.</p> <p><strong>Create shared vaults as you need them.</strong> Team members should use their private vault to store logins and information only they need access to. Meanwhile, shared vaults are a great way to securely share logins and other important information with the whole team – they’re much safer than using email. You can also create additional vaults to keep your information organized, or to share it with specific members of your team.</p> <p><strong>Make the most of custom groups.</strong> You can create <a href="https://support.1password.com/custom-groups/">custom groups</a> based on projects, geographic locations, departments, functions, and even access levels.
Groups make it easy to give specific people access to vaults, and you can even give them team-level permissions, like the ability to recover accounts.</p> <img src='https://blog.1password.com/posts/2020/business-adoption/group_together.png' alt='Add Groups' title='Add Groups' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p><strong>Note:</strong> If you’re not sure which vaults and custom groups to use, you could look to your company’s organizational structure for inspiration.</p> <h2 id="were-here-to-help">We’re here to help</h2> <p>Should you need any help or advice along the way, we’re here to help. Your customer success representative will be happy to assist, or you can go to <a href="https://support.1password.com/">1Password Support</a> or <a href="https://support.1password.com/contact/">get in touch</a> directly.</p> <section class="c-call-to-action-box"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Sign up for 1Password Business!</h3> <p class="c-call-to-action-box__text"> Sign up for 1Password Business today and get your first 14 days free. 
</p> <a href="https://1password.com/pricing/" class="c-call-to-action-box__link-href" data-event-category="CTA" data-event-action="call-to-action-button"> Try 1Password FREE </a> </div> </section></description></item><item><title>Managing security when remote work is thrust upon you</title><link>https://blog.1password.com/remote-work-security-people/</link><pubDate>Tue, 28 Apr 2020 00:00:00 +0000</pubDate><author>info@1password.com (Jeffrey Goldberg)</author><guid>https://blog.1password.com/remote-work-security-people/</guid><description> <img src='https://blog.1password.com/posts/2020/remote-security-management/header.png' class='webfeedsFeaturedVisual' alt='Managing security when remote work is thrust upon you' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Some organizations are born with <a href="https://blog.1password.com/remote-work-culture/">remote culture</a> and security, some achieve it, and some have it thrust upon them. It&rsquo;s important to understand that setting the wrong goals can backfire. Take a step back and look at some of the greater changes you face.</p> <p>1Password came into the world as a fully remote organization 14 years ago. Even though we&rsquo;ve opened two offices in that time, the majority of our staff still work remotely. Although nobody has an easy time of anything these days, we were in a far better position to adapt than most when we had to suddenly shutter those offices on March 10, 2020. It didn&rsquo;t require the development and implementation of <a href="https://blog.1password.com/remote-work-security-tips/">new security policies and practices</a> for remote workers.</p> <p>Yet we can understand what those suddenly thrust into such a change are confronted with.</p> <p>It is our business to help people and organizations improve their security in ways that work for those people. Security for real people in real organizations is our bread and butter. 
Because of that, and our long-term experience being mostly remote, I feel that we can offer some advice that goes beyond the innumerable checklists out there.</p> <p>What I say here isn&rsquo;t going to be exhaustive by any means. Indeed, I&rsquo;m deliberately keeping it short. And this introduction has already gone on too long.</p> <h2 id="understand-your-goals">Understand your goals</h2> <p>Start by determining if your goal is genuine information security for your organization, or if you&rsquo;re seeking CYA (Cover Your Anterior) security. The latter isn&rsquo;t so much aimed at preventing security failures as it is at shifting blame and responsibility for them.</p> <p>CYA security:</p> <ol> <li>You create a policy that is difficult for people to realistically comply with.</li> <li>You wait for something to go wrong.</li> <li>You find a person who failed to comply and shift the blame to them.</li> <li>Your anterior is covered.</li> </ol> <p>The major problem, of course, with CYA security, is that it doesn&rsquo;t prevent things from going wrong. It also leads to unhappy people, who are either perpetually stressed by not being able to meet demands or who have simply developed contempt for those creating and enforcing those security policies. The benefit is that you are covered.</p> <p>On the other hand, if you wish to promote genuine security, you&rsquo;ll develop policies and practices that reduce the chance of things going wrong. This approach should reduce real risk, but it does mean that failures are the responsibility of those designing the policies and practices.</p> <p>In real life, policies are going to be a mixture of both. It is not always possible to avoid some CYA security, but you should recognize when you are doing it. 
What is different now (as you have to learn how to secure your people and organization with everyone working remote or hybrid) is that there will be more cases where genuine security and CYA security come into conflict.</p> <p>Two problems come into play more in the current situation: security fatigue and security absolutism. <strong>Security fatigue</strong> occurs when people are given so many security-related things to worry about, they are likely to just give up. <strong>Security absolutism</strong> is the incorrect belief that security is an all-or-nothing concept instead of taking incremental steps to reduce risk. And it&rsquo;s highly destructive.</p> <h2 id="all-or-nothing-gets-you-nothing">&lsquo;All or nothing&rsquo; gets you nothing</h2> <p>Let me walk through an example of where fatigue and absolutism come into play and harm security.</p> <p>We correctly say that people should have strong and unique passwords for each and every service they use, but that doesn&rsquo;t mean that having strong and unique passwords for only <em>some</em> of the sites and services they use does no good. In fact, that kind of absolutist thinking is wrong. Every single time you set a unique password for a service, you are reducing the risk of attack, even if you haven&rsquo;t done so for absolutely all of the others. We need to remind ourselves that achievable incremental improvements are real security improvements.</p> <p>Suppose Molly looks at her duplicate passwords report using <a href="https://watchtower.1password.com/">1Password Watchtower</a> and sees 40 logins that do not have unique passwords. If Molly believes she needs to fix each and every one of those to be secure, she may just give up. But if she takes only a few at a time, starting with the services she uses most often, or that need the most protection, she can make real and substantive improvements.</p> <p>Another example is software updates. 
Each and every time one of your users applies updates and security patches to their systems and software, they improve their security and the security of your organization. And this is still true even if they don&rsquo;t patch everything. But if people think they have to update the firmware on their internet-connected toaster-fridge for there to be any gain from using the latest version of their web browser, they may not attempt to keep anything updated at all.</p> <p>To genuinely improve security, we must help people understand that they should go after low-hanging fruit. Doing so will reduce their risk and the risk to your organization. This involves communicating that there are real, reasonable things they can do that will improve security and that security is not all-or-nothing.</p> <h2 id="not-lake-wobegon">Not Lake Wobegon</h2> <p>You need to try to understand your users. They are trying to do their jobs in what might be difficult and unusual circumstances. Their goal is to do their jobs; their goal is not to make the IT managers happy. And as you have to have your users perform more of their own IT tasks at home, you need to be careful to not target your rules and guidelines to what you imagine your average user to be. You need policies that will work for pretty much everyone, and not just the average and above.</p> <p>You might also assume that your average user is a lot like you. As an IT or information security specialist, you may automatically think that everyone in every household has their own computer. But many households have one shared computer. They may even use the same account on that computer. You need to consider that not everyone has a private place to work at home, particularly with children out of school. There will also be a wide range of computing skills. So you can&rsquo;t just target your instructions to what you imagine your average user to be. 
You want everyone to improve their security, not just the most sophisticated users.</p> <p>One thing that we&rsquo;ve found success with at 1Password is that we&rsquo;ve set up a system for granting exemptions for specific policies. We would much rather know that Kim needs to use a third-party browser extension (and what that extension is) than to have Kim and others simply not comply with our browser extension policy. We don&rsquo;t get mad when people ask for exemptions. We get mad when we find out that someone should have asked and didn&rsquo;t.</p> <h2 id="help-and-support">Help and support</h2> <p>You can&rsquo;t expect people to comply with security policies if you don&rsquo;t give them the means to do so. You need to provide the help and support that your people will need to succeed at what you&rsquo;re asking them to do. Sometimes it&rsquo;s as simple as making sure they have <a href="https://1password.com/business/">the best password manager</a> out there (hint, hint). That one is easy.</p> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div class="c-technical-aside-box__description"> <p>Find out why 1Password is the best in the market with our <a href="https://1password.com/comparison/">password manager comparison</a>!</p> </div> </aside> <p>Let&rsquo;s take another example: If you are going to ask people to make sure their home Wi-Fi is using WPA2, you have to do more than say, &ldquo;Look at the (usually terrible) documentation for the router (that they don&rsquo;t even know they have)&rdquo;. This is going to be a tricky one. Each household is going to be different, and you are going to spend one-on-one time to help many people through that. This will take time and patience.</p> <p>We learned something like this the hard way. One of our policies for people&rsquo;s home machines is full disk (or file system) encryption. At the time we put this policy together, the only people with Windows machines were developers. 
Only later did we learn that BitLocker isn&rsquo;t available on Windows Home edition. Since then, we&rsquo;ve paid for people to move to Windows Professional, and we have a few people who can talk others through setting that up.</p> <p>In general, when you roll out a policy, be sure you have the support in place, so people don&rsquo;t give up in frustration.</p> <h2 id="understand-what-you-can-and-cant-control">Understand what you can and can&rsquo;t control</h2> <p>Just as you have to steer your users to go after the low-hanging fruit, you will have to do the same in terms of what you can control or see about your users’ systems.</p> <p>Managers, particularly IT and security managers, like to know what&rsquo;s going on with their systems and with their people. There&rsquo;s a sense of visibility into activity you have when you can see people in an office, and when they&rsquo;re on your network using machines you provide for them. You aren&rsquo;t going to have that. Even if you supply people&rsquo;s home devices so you can install your monitoring systems on them, you won&rsquo;t have the kind of awareness you want.</p> <p>This doesn&rsquo;t mean that you have to be blind. You can, for example, generate a number of useful <a href="https://support.1password.com/reports/">reports with 1Password Business</a>. There will be plenty of other things that you can and should see, but I&rsquo;d also encourage you to accept that people&rsquo;s home networks are not your networks. Highly intrusive tracking and monitoring of those is fraught with problems, particularly because those home networks are used by others in the household and for non-work activity. 
Before installing monitoring tools on those, be aware that some introduce points of attack, so you need to let your people know that you are doing so and that you don&rsquo;t have the right to know about the non-work activity on those networks.</p> <h2 id="real-security">Real security</h2> <p>By understanding your goals, incorporating flexibility, offering sufficient support to your people, and learning to trust in what you&rsquo;ve built, you can get through uncertain times with information security intact. When things return to normal – whatever that means for you – what you&rsquo;ve learned along the way will undoubtedly serve you well.</p> <section class="c-call-to-action-box"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Get more security tips</h3> <p class="c-call-to-action-box__text"> Subscribe to our business security newsletter and get advice on running a secure, productive workplace delivered directly to your inbox. </p> <form method="POST" class="oneline" accept-charset="UTF-8" action="https://flow.1passwordservices.com/api/v1/lead" data-event-category="Newsletter" data-event-action="form-newsletter" id="newsletterForm"> <div id="hidden-fields"> <input type="hidden" name="formSubmitted" value="Newsletter"> <input type="hidden" name="formId" value="c100b28e-6493-493f-b325-6a7f8b3cbb89"> </div> <input type="email" class="c-call-to-action-box__newsletter-email" name="email" placeholder="" required /> <input class="c-call-to-action-box__newsletter-button" type="submit" value="Sign up"> </form> <div class="c-call-to-action-box__text"> By signing up you agree to receive emails about the latest 1Password announcements, product updates, and events. <a class="c-newsletter-signup-form__gdpr--link" href="https://www.1password.co/email-preferences.html">Unsubscribe</a> any time. 
You also agree to our <a class="c-newsletter-signup-form__gdpr--link" href="https://1password.com/legal/terms-of-service/">terms of service</a> and <a class="c-newsletter-signup-form__gdpr--link" href="https://1password.com/legal/privacy/">privacy policy</a>. </div> </div> </section></description></item><item><title>Sort, share, and tag with 1Password 7.5 for iOS</title><link>https://blog.1password.com/1password-7-5-for-ios/</link><pubDate>Wed, 15 Apr 2020 00:00:00 +0000</pubDate><author>info@1password.com (Michael Fey)</author><guid>https://blog.1password.com/1password-7-5-for-ios/</guid><description> <img src='https://blog.1password.com/posts/2020/opi75/header.png' class='webfeedsFeaturedVisual' alt='Sort, share, and tag with 1Password 7.5 for iOS' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">The world may feel like it’s on pause, but that hasn&rsquo;t stopped the team from going full steam ahead on a fantastic update to 1Password for iOS. We&rsquo;ve added some new features that make it easier to stay organized and share the essentials with your family and coworkers.</p> <p>There’s a lot to love about 1Password 7.5, so let’s dive right in.</p> <h2 id="stay-organized-with-tags">Stay organized with tags</h2> <p> <img src='https://blog.1password.com/posts/2020/opi75/create-tag-light.png' alt='Create new tag' title='Create new tag' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <img src='https://blog.1password.com/posts/2020/opi75/create-tag-dark.png' alt='Create new tag' title='Create new tag' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> </p> <p><a href="https://support.1password.com/favorites-tags/">Tags and favorites</a> make it a breeze to keep everything organized in 1Password. You can use multiple tags on a single item, and there&rsquo;s no limit to the number of tags you can create. 
This release rolls out a new tag editor that allows you to effortlessly apply new and existing tags to your items.</p> <p>Tags can now be added to an item without needing to edit first. While viewing an item, tap on the Add Tag button to unveil the all-new tag editor and make your changes.</p> <h2 id="share-your-items">Share your items</h2> <p>We&rsquo;ve made it easier than ever to <a href="https://support.1password.com/family-sharing/">securely share</a> passwords, documents, and other items with your family and coworkers. Now when you put an item in a shared vault you can send a link directly to the item in 1Password, saving everyone time searching for what they need. Using the link is easy, secure, and gets the other person to the item even quicker.</p> <h2 id="sort-items-with-ease">Sort items with ease</h2> <p> <img src='https://blog.1password.com/posts/2020/opi75/sort-date-light.png' alt='Sort by Date Created' title='Sort by Date Created' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <img src='https://blog.1password.com/posts/2020/opi75/sort-date-dark.png' alt='Sort by Date Created' title='Sort by Date Created' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> </p> <p>For the longest time I&rsquo;ve wanted to sort my items in the iOS app with the most recently edited items first. I&rsquo;ve been testing our new sorting feature in beta for a few weeks, and it&rsquo;s exactly what I&rsquo;ve always wanted. 
Now when I dive into a list of items it&rsquo;s always sorted just how I would expect.</p> <p>Here are the all-new sorting options available in 1Password for iOS:</p> <p><strong>Category.</strong> Easily find and manage your logins for social media, shopping sites, and more.</p> <p><strong>Website.</strong> Quickly scan for and find duplicate Login items.</p> <p><strong>Date modified.</strong> Find items that haven&rsquo;t been updated in a while to verify the information is still valid.</p> <p><strong>Date created.</strong> View items you’ve created recently to finish organizing them by adding tags or sorting into vaults.</p> <p><strong>Date item was last used.</strong> Locate and edit or remove items you haven&rsquo;t used in years.</p> <h2 id="ready-now">Ready now</h2> <p>Along with the new features we&rsquo;ve outlined here, this release includes improvements and bug fixes to keep everything running smoothly.</p> <p>1Password 7.5 is available now and we hope you enjoy the update. While you wait for the download to finish, you can read our <a href="https://app-updates.agilebits.com/product_history/OPI4#v70500003">full set of release notes</a> or pop on over to the App Store and <a href="itms-apps://itunes.apple.com/app/id568903335?action=write-review">leave us a review</a>.</p></description></item><item><title>1Password 7.5 for Android: making its mark</title><link>https://blog.1password.com/1password-7-5-for-android/</link><pubDate>Fri, 10 Apr 2020 00:00:00 +0000</pubDate><author>info@1password.com (Michael Verde)</author><guid>https://blog.1password.com/1password-7-5-for-android/</guid><description> <img src='https://blog.1password.com/posts/2020/opa75/header.png' class='webfeedsFeaturedVisual' alt='1Password 7.5 for Android: making its mark' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">The world looked very different a couple of months ago when I wrote about <a 
href="https://blog.1password.com/android-january-release/">1Password 7.4 for Android</a>. Since then just about everything has changed. Grocery shopping has gotten a whole lot more strategic. Celebrating birthdays and special occasions requires a new level of creativity. And continuing with school necessitates that parents and kids alike embrace new modes of learning.</p> <p>Despite those and other challenges, it’s good to remind ourselves that many things remain the same. Even if we have to do it from a distance, we still love to share laughter with friends and family. We still enjoy reading a good book, we just happen to be reading a few more than usual. And we still love improving the 1Password experience for you!</p> <p>Here are some of the ways we’ve improved 1Password this time around.</p> <h2 id="sort-your-items">Sort your items</h2> <img src='https://blog.1password.com/posts/2020/opa75/opa75-sorting.png' alt='Sort your items' title='Sort your items' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>With all the time we have at home these days, there&rsquo;s an extra opportunity for spring cleaning. And a good cleaning starts with sorting through your stuff. We&rsquo;ve made that easier than ever in 1Password with all new sorting options.</p> <p><strong>Date modified</strong>. Identify and clean out old items you haven&rsquo;t updated in years.</p> <p><strong>Recent items</strong>. Grab the items you created most recently and finish organizing them with tags and vaults.</p> <p><strong>Password strength</strong>. Easily identify your weakest passwords and make them stronger.</p> <p><strong>Sort by website</strong>. 
Quickly scan and identify duplicate Login items.</p> <p>1Password remembers your sorting choice, so you can choose how you want to sort your items all the time!</p> <h2 id="link-to-items">Link to items</h2> <p>When you want to <a href="https://support.1password.com/family-sharing/">securely share</a> an item with a colleague or a family member, you drop it into a shared vault so that they can access it. Now you can save them a few steps and send them a link that opens that item in 1Password. No more typos or searching in the wrong vault!</p> <h2 id="mark-up-notes-with-markdown">Mark up notes with Markdown</h2> <p>While 1Password will never replace your favorite text editor, you won&rsquo;t find a more secure place to store your notes. With that in mind, we&rsquo;ve added some text editing convenience to 1Password in the form of <a href="https://support.1password.com/markdown/">Markdown support</a>. In fact, I drafted this entire blog post in 1Password using Markdown.</p> <p>You can now style your notes with things like:</p> <h2 id="different">Different</h2> <h3 id="sized">sized</h3> <h4 id="headings">headings</h4> <p><strong>Bold</strong>, <em>italic</em>, and <del>strikethrough</del> text</p> <blockquote> <p>Quote blocks</p> </blockquote> <pre><code>*Pre-formatted text* e x a c t l y as typed </code></pre> <ol> <li>Numbered</li> <li>Lists</li> </ol> <ul> <li>Bulleted</li> <li>Lists <ul> <li>And more bulleted lists</li> </ul> </li> </ul> <h2 id="and-lots-more">And lots more</h2> <p>In addition to everything above, there’s even more to enjoy in this update!</p> <ul> <li>Better organize your data with the ability to delete vaults in your 1Password account from the Vault menu.</li> <li>Use commas or digits and symbols as additional separator options when generating a memorable password.</li> <li>Revisit the What’s New screen any time from Settings &gt; About.</li> <li><a href="https://1password.com/features/autofill/">Autofill</a> your logins on websites in the Brave 
Beta browser using the 1Password accessibility service.</li> </ul> <p>While that rounds out the features for this release, there are plenty of improvements and fixes to be had as well. Head over to the <a href="https://app-updates.agilebits.com/product_history/OPA4#v70500009">full release notes</a> to check out all of the details.</p> <h2 id="no-need-to-wait">No need to wait</h2> <p>We recently finished rolling out 1Password 7.5 on Google Play, so the update is available for you to download and start using now.</p> <p>As always, we hope that you enjoy all of the great features and improvements that we’ve added in this release. Let us know what you think on <a href="https://play.google.com/store/apps/details?id=com.onepassword.android">Google Play</a>, <a href="https://twitter.com/1Password">Twitter</a>, and the <a href="https://1password.community/categories/1password-android">1Password support forum</a>.</p> <p>Enjoy the update and stay safe out there!</p> <section class="c-call-to-action-review"> <div class="c-call-to-action-review__image"> <img src="https://blog.1password.com/img/reviews/g2.svg" alt="G2" /> </div> <div class="c-call-to-action-review__content"> <h4 class="c-heading c-heading--cta c-call-to-action-review__title">Love 1Password?</h4> <p class="c-call-to-action-review__description">Help us spread the word with a review at G2.</p> </div> <div class="c-call-to-action-review__cta"> <a href="https://www.g2.com/products/1password/reviews" class="c-cta-button" data-event-category="Review" data-event-action="button-review-g2">Review 1Password</a> </div> </section></description></item><item><title>How remote teams can reduce the risks of shadow IT</title><link>https://blog.1password.com/remote-work-shadow-it/</link><pubDate>Wed, 08 Apr 2020 00:00:00 +0000</pubDate><author>info@1password.com (Matt Davey)</author><guid>https://blog.1password.com/remote-work-shadow-it/</guid><description> <img 
src='https://blog.1password.com/posts/2020/remote-shadow-IT/header.png' class='webfeedsFeaturedVisual' alt='How remote teams can reduce the risks of shadow IT' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">As the COVID-19 situation develops, businesses are scrambling to adjust to the <a href="https://blog.1password.com/remote-work-culture/">new reality of remote and hybrid work</a>. The sudden nature of this shift has meant IT teams are ill-prepared for the security implications of remote working.</p> <p>One such risk is shadow IT – the use of apps and services by employees without the knowledge or oversight of your IT team. In our recent look at the <a href="https://blog.1password.com/challenges-of-shadow-it/">risks of shadow IT</a>, we saw that a remarkable 63.5 percent of workers had created at least one shadow IT account in the 12 months prior to our survey.</p> <p>Right now, the use of shadow IT is only likely to increase as people find new workflows to replace old ones that are suddenly unfit for purpose. And people will be all the more tempted by extended free trials offered in the spate of home-working caused by coronavirus. Even the simple act of having a face-to-face conversation needs an app now.</p> <p>Banning the use of shadow IT isn’t practical, and doing so could stifle productivity and innovation in your organization. People will always find a way around imposed limitations out of the commendable desire to get things done. In this post, we’ll look at how to mitigate the risks posed by shadow IT when working as a remote or hybrid team.</p> <h2 id="risks-of-shadow-it">Risks of shadow IT</h2> <p>Let’s quickly recap the risks posed by shadow IT. The nature of these risks doesn’t change due to remote working, particularly. 
But the risks become more relevant than ever as use of shadow IT increases in light of remote working.</p> <p><strong>You don’t know where your data is.</strong> If you don’t know what services your team are using, you don’t know where sensitive company data, or that of your customers, could be lurking. If one of those services is breached, you won’t know that data has been compromised.</p> <p><strong>You don’t know who has access.</strong> In the event someone leaves your company suddenly, it can be hard enough closing the work accounts you do know about, let alone the ones you don’t. Former employees could retain access to data to share with competitors.</p> <p><strong>Poor password practices can go unchecked.</strong> As people sign up for new accounts, they may use weak passwords or reuse old passwords. Credential stuffing and <a href="https://blog.1password.com/how-to-protect-yourself-from-password-reuse-attacks/">password reuse</a> are the most common ways attackers gain access to your confidential information.</p> <h2 id="reducing-those-risks">Reducing those risks</h2> <p>Shadow IT sounds scary, but with a few common sense steps, you can reduce the use of unnecessary shadow IT, and mitigate the risks associated with the rest.</p> <p><strong>Cover the basics.</strong> In a remote or hybrid work environment, everyone is going to need a handful of basic services to get things done. Make sure you provide ways for your team to communicate in writing, meet on a video call, collaborate on documents, prioritize tasks, and share information securely. If you already use an identity provider, choose tools that work with it so the team already has a means of securely signing in without creating new passwords.</p> <p><strong>Be nimble and amenable.</strong> It’s not shadow IT if you know people are using it. Encourage people to share what tools they’re using. Existing policies that prohibit new services may be too stringent for newly remote and hybrid teams. 
Investigate the tools people are using, and suggest better, safer alternatives where appropriate. Say &ldquo;yes&rdquo; rather than &ldquo;no&rdquo; to new tools where you can.</p> <p><strong>Encourage a culture of common sense.</strong> People will appreciate any leniency you can offer when it comes to IT tools, and will be prepared to meet you halfway when it comes to how they’re used. For most day-to-day communication and work, it may not be necessary to use or store sensitive company or customer data. You can let people know they’re free to use certain tools provided sensitive information isn’t shared.</p> <p><strong>Raise awareness about online security.</strong> Make sure your team is informed about <a href="https://blog.1password.com/remote-work-security-tips/">online security when remote working</a>. They should know that online attacks and scams such as phishing and <a href="https://blog.1password.com/stop-ceo-fraud/">CEO fraud</a> pose an increased threat at the moment. Everyone should know the importance of using strong, unique passwords and two-factor authentication wherever possible.</p> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div class="c-technical-aside-box__description"> <p>Worried about shadow IT? Learn how to control and reduce the risks associated with shadow IT in our <a href="https://www.1password.university/learn/course/external/view/elearning/443/humanizing-shadow-it-with-1password-and-kolide">free 1Password University course</a>.</p> </div> </aside> <p><strong>Use a password manager.</strong> Make sure everyone has access to a business <a href="https://1password.com/password-manager/">password manager</a> like 1Password that can create and store strong passwords. This means that if people do ever need to create an account, they can make sure it’s as safe as possible, and can easily access the credentials if they need to delete the account or update the password in the future. 
Ideally, <a href="https://blog.1password.com/how-to-choose-a-good-password-manager-for-your-business/">choose a password manager</a> that allows secure sharing of passwords and other important information so people have the means to do this safely as the need arises – it almost certainly will.</p> <p><strong>Consider apps carefully.</strong> If it’s an option, always speak to your IT team before trying a new app. If you are ever tempted to use a new one, take care to choose a safe app from a reputable source. Download the app from a recognized app store if possible. Check what permissions the app needs, and avoid apps which ask for permissions that don’t make sense or seem more invasive than they need to be.</p> <p><strong>Be a good work citizen.</strong> As an employee, reward the trust placed in you at this time by being careful which services you choose to use and how you choose to use them. Keep track of any services you use and share details with your IT team. Don’t share sensitive data outside of approved channels. Be sure to delete data – or replace it with dummy data – from any accounts you no longer need, closing or deleting the accounts themselves when you’re done.</p> <h2 id="heres-where-to-start">Here&rsquo;s where to start</h2> <p>Perhaps the single most important step you can take to mitigate the risks posed by shadow IT is to make sure your team uses a password manager to create, store, and share strong, unique passwords. 
<a href="https://start.1password.com/sign-up/business?l=en">Sign up today</a> and try <a href="https://1password.com/business/">1Password Business</a> free for 14 days to see how it works for your organization.</p> <section class="c-call-to-action-box"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Get more security tips</h3> <p class="c-call-to-action-box__text"> Subscribe to our business security newsletter and get advice on running a secure, productive workplace delivered directly to your inbox. </p> <form method="POST" class="oneline" accept-charset="UTF-8" action="https://flow.1passwordservices.com/api/v1/lead" data-event-category="Newsletter" data-event-action="form-newsletter" id="newsletterForm"> <div id="hidden-fields"> <input type="hidden" name="formSubmitted" value="Newsletter"> <input type="hidden" name="formId" value="c100b28e-6493-493f-b325-6a7f8b3cbb89"> </div> <input type="email" class="c-call-to-action-box__newsletter-email" name="email" placeholder="" required /> <input class="c-call-to-action-box__newsletter-button" type="submit" value="Sign up"> </form> <div class="c-call-to-action-box__text"> By signing up you agree to receive emails about the latest 1Password announcements, product updates, and events. <a class="c-newsletter-signup-form__gdpr--link" href="https://www.1password.co/email-preferences.html">Unsubscribe</a> any time. You also agree to our <a class="c-newsletter-signup-form__gdpr--link" href="https://1password.com/legal/terms-of-service/">terms of service</a> and <a class="c-newsletter-signup-form__gdpr--link" href="https://1password.com/legal/privacy/">privacy policy</a>. 
</div> </div> </section></description></item><item><title>Remote work: Looking beyond productivity and prioritizing mental health</title><link>https://blog.1password.com/remote-work-mental-health/</link><pubDate>Tue, 07 Apr 2020 00:00:00 +0000</pubDate><author>info@1password.com (Daniel Duke)</author><guid>https://blog.1password.com/remote-work-mental-health/</guid><description> <img src='https://blog.1password.com/posts/2020/mental-health/header.png' class='webfeedsFeaturedVisual' alt='Remote work: Looking beyond productivity and prioritizing mental health' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">As we all adjust to our new normal and many of us are doing remote or hybrid work for the first time, it’s important to look beyond productivity advice and consider the deeper impact of this situation.</p> <p>There are plenty of reports that highlight the benefits of remote working, but it also has consequences for our mental and emotional health that need to be carefully considered.</p> <p>As an experienced remote team, we’ve had 14 years to learn these lessons, but it can’t be emphasized enough that nothing about this situation is &ldquo;normal&rdquo;. All of the struggles and side effects of hybrid work will be amplified by current events, so it’s more important than ever to be aware of them and to look after yourself.</p> <h2 id="stop-worrying-about-productivity">Stop worrying about productivity</h2> <p>It’s likely you’re finding it hard to be productive right now because there’s a lot going on. You might have <a href="https://blog.1password.com/working-from-home-kids/">kids at home</a>, be working in a new and distracting environment, or just be worrying more than usual – you’re not alone. 
A <a href="https://content.thriveglobal.com/wp-content/uploads/2020/03/Thriving-in-the-New-Normal-March-2020-Thrive-Global.pdf">new report from Thrive Global</a> found that more than 80 percent of U.S. employees now feel significantly more distracted and, on average, more than 45 percent of their workdays have been lost due to distraction and time spent worrying.</p> <p>It’s hard to overstate the impact of this crisis on our lives and our work. The effects of COVID-19 are huge, widespread, and are happening fast. It’s not often we find ourselves adjusting to a whole new workflow and dealing with an existential crisis at the same time, so it’s important to be kind to yourself.</p> <p>Use the flexibility that remote and hybrid work provide to take advantage of short, productive moments and stop for a break when you need to. With a 24-hour news cycle and new headlines every minute, getting distracted is easy. Try to build time into your day for these distractions and don’t beat yourself up about it if you do get sidetracked.</p> <h2 id="fighting-feelings-of-isolation">Fighting feelings of isolation</h2> <p>Now that most of us are on city- or country-wide lockdown, socialising is out of the question. That means work might be the only time you get to interact with other people. Make sure you take advantage of it. Try to have conversations that aren’t work-related and find time to talk about shared interests. This can sometimes be hard when your team is new to remote work, but there are lots of things you can do to help <a href="https://blog.1password.com/remote-work-culture/">create a culture</a> that supports these kinds of interactions.</p> <p>If you can, try to have face-to-face chats via video calls. The benefit of seeing and hearing other human beings can’t be overstated. 
There’s <a href="https://www.apa.org/monitor/2019/05/ce-corner-isolation">plenty of evidence</a> that links social isolation to mental health issues, and Buffer’s 2020 State of Remote Work report found that even in “normal times” <a href="https://lp.buffer.com/state-of-remote-work-2020">loneliness was one of the biggest struggles for remote workers</a>. Getting “face time” with colleagues can help to combat any feelings of isolation you might be struggling with.</p> <p>At 1Password, we have a rolling “watercooler” video call where team members can drop in and out when they feel like it for the kind of casual, social interactions that are harder to do over text. During the pandemic, we’ve been having semi-regular “happy hour” calls where team members can sit down together to talk and have a drink.</p> <p>Normalizing conversations around mental health is important because it reminds us that we’re not alone and allows the team to help each other. At 1Password we have a dedicated #mental-health channel in Slack so the team has a safe space to discuss what they’re going through, get advice, and share things that have worked for them.</p> <h2 id="break-up-your-days-to-avoid-burnout">Break up your days to avoid burnout</h2> <p>When your home is suddenly your workplace and you find yourself with more spare time than you’re used to, you might be tempted to work more than usual. Studies have shown that <a href="https://lp.buffer.com/state-of-remote-work-2020">“not being able to unplug”</a> is a problem for a lot of hybrid workers and that they’re <a href="https://www.toptal.com/remote/remote-work-burnout-a-cautionary-tale">more prone to burnout than those working in offices</a>. It’s important to split your time up into work and leisure to add more structure to your days and avoid overworking.</p> <p>There are other ways you can create the work/life division too. 
The temptation to skip your morning shower or sit in your PJs all day is understandable, but getting up and getting dressed is an important part of getting into the right mindset. You’ll feel better, be more productive, and it will help to make your weekends still feel like weekends, when there’s very little difference right now. Turn off Slack or email notifications when you’re not working so you can properly disconnect.</p> <p>Remember to take a proper lunch break rather than eating at your desk, and make sure to get up and grab a glass of water or a hot drink every once in a while.</p> <h2 id="physical-health-is-important-too">Physical health is important too</h2> <p>If you’re no longer commuting to work, you’re likely spending less time outside your home. Although we all need to practice social distancing right now, there are important aspects of the commute that you might be missing out on – fresh air, getting into the right frame of mind to work, and maybe even getting some regular exercise.</p> <p>Staying active is just as important for your mental well-being as it is for your physical health. It can punctuate the start or end of your day, spend some energy that’s not getting used while you sit at your desk for eight hours, and it’s proven to <a href="https://www.mentalhealth.org.uk/explore-mental-health/publications/how-look-after-your-mental-health-using-exercise">reduce stress and improve your mood.</a></p> <p>If you’re lucky enough to have outdoor space or if local guidelines allow you to exercise outside, then make the most of it – just make sure you stay six feet away from other people.</p> <p>If you don’t have outdoor space you can still get moving indoors too, even if you don’t have a lot of room. Companies like Nike are now <a href="https://news.yahoo.com/nike-ntc-premium-streaming-free-us-during-covid-120816045.html">offering their workout apps for free</a> so people can exercise at home. 
There are lots of simple things you can do to stay active during the day, like standing while you work or walking around during a call.</p> <h2 id="if-you-can-take-time-off">If you can, take time off</h2> <p>It might seem counterintuitive right now since you can’t exactly book a trip or jump on a flight, but taking some time off might give you the headspace you need to make sense of recent events. Taking “work” out of the equation for a few days will give you one less thing to think about and let you focus on your own (or your family’s) emotional well-being instead. If you have kids at home and it’s possible, consider reducing your hours or taking regular days off so you can juggle all your new responsibilities with a little less pressure.</p> <p>If you’re managing a team, be mindful that staff might take a bit longer to get things done or need to take some time out.</p> <h2 id="look-after-yourself">Look after yourself</h2> <p>The most important thing you can do right now is to look after your own well-being. If you’re feeling overwhelmed, isolated, or distracted, communicate these feelings with your team and your manager. Take time out if you need it and put your health first. After all, staying healthy is more important than anything else. Work can wait.</p> </description></item><item><title>The 1Password team share their work-from-home setups</title><link>https://blog.1password.com/work-from-home-setups/</link><pubDate>Fri, 03 Apr 2020 00:00:00 +0000</pubDate><author>info@1password.com (Emily Marchant)</author><guid>https://blog.1password.com/work-from-home-setups/</guid><description> <img src='https://blog.1password.com/posts/2020/wfh-setups/header.png' class='webfeedsFeaturedVisual' alt='The 1Password team share their work-from-home setups' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Looking for <a href="https://blog.1password.com/how-to-stay-inspired-working-from-home/">inspiration for your remote work</a> setup? 
From Studio Ghibli-inspired spaces to clean, minimalist setups, our team share what makes their workstations work for them.</p> <h2 id="alex-sales">Alex, Sales</h2> <img src='https://blog.1password.com/posts/2020/wfh-setups/wfh-Alex.jpg' alt='Image of Alex&#39;s work from home setup' title='Image of Alex&#39;s work from home setup' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <blockquote> <p>“My table is 160 cm × 80 cm and height-adjustable with four memory settings. The desk and the chair were considerable investments, but so worth it. Apart from that, there&rsquo;s a camera always at the ready, my earphones, a 1Password pin on the foot of the monitor, my ever-present coffee mug, a stainless steel water bottle, and the Enterprise E (Nemesis version).” </p> </blockquote> <h2 id="marica-web-development">Marica, Web Development</h2> <img src='https://blog.1password.com/posts/2020/wfh-setups/wfh-mica.jpg' alt='Image of Marica&#39;s work from home setup' title='Image of Marica&#39;s work from home setup' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <blockquote> <p>“I&rsquo;m going for &ldquo;Mom from Kiki&rsquo;s Delivery Service&rdquo; or &ldquo;Alchemist next door&rdquo; kind of vibes.” </p> </blockquote> <h2 id="alessandro-development">Alessandro, Development</h2> <p> <img src='https://blog.1password.com/posts/2020/wfh-setups/wfh-venduscolo.jpg' alt='One view of Alessandro&#39;s work from home setup' title='One view of Alessandro&#39;s work from home setup' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <img src='https://blog.1password.com/posts/2020/wfh-setups/wfh-venduscolo2.jpg' alt='Another view of Alessandro&#39;s work from home setup' title='Another view of Alessandro&#39;s work from home setup' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> </p> <blockquote> <p>“The desk is a standing desk. 
In my opinion, having a height-adjustable desk is as important as having a good chair. I always have my thug life glasses handy as well as my horse mask (they’re useful when joking with friends on a video call during this quarantine!).</p> </blockquote> <blockquote> <p>“The medicine container has some Fisherman’s in it – I always wanted that thing you see in the movies. Then there&rsquo;s Padd the padlock, the 1Password magnet, and some <em>Inside Out</em> figures to complete the setup. Yes, I actively use two pairs of headphones!” </p> </blockquote> <h2 id="daniel-content">Daniel, Content</h2> <img src='https://blog.1password.com/posts/2020/wfh-setups/wfh-Daniel2.jpg' alt='Image of Daniel&#39;s work from home setup, featuring Mollie the cat' title='Image of Daniel&#39;s work from home setup, featuring Mollie the cat' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <blockquote> <p>“My workspace doubles as a home studio, so I always have my mic set up for video calls, and my monitors are perfect for listening to tunes while I work.” </p> </blockquote> <h2 id="nick-development">Nick, Development</h2> <img src='https://blog.1password.com/posts/2020/wfh-setups/wfh-nick.jpg' alt='Image of Nick&#39;s work from home setup' title='Image of Nick&#39;s work from home setup' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <blockquote> <p>“The desk is a Fully Jarvis (my first standing desk!) with a minimal set of things on it except for a couple of figures, a keepsake, and a HomePod hidden at the end.” </p> </blockquote> <h2 id="blake-customer-support">Blake, Customer Support</h2> <img src='https://blog.1password.com/posts/2020/wfh-setups/wfh-blake.jpg' alt='Image of Blake&#39;s work from home setup' title='Image of Blake&#39;s work from home setup' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <blockquote> <p>“I’ve fit two different setups into my office. 
There&rsquo;s my go-to Windows workstation, with another desk that’s adjustable so that when I get tired of sitting, I can stand and work instead! This also doubles as my gaming/streaming workstation, so it’s perfect for me.” </p> </blockquote> <h2 id="emily-content">Emily, Content</h2> <img src='https://blog.1password.com/posts/2020/wfh-setups/wfh-Emily.jpg' alt='Image of Emily&#39;s work from home setup, complete with cat' title='Image of Emily&#39;s work from home setup, complete with cat' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <blockquote> <p>“I usually work out of the house or at the kitchen table, but with my daughter home from school for the foreseeable future, I changed my boiler cupboard/dressing room into a makeshift office. I love the natural light and being able to see outside while working.” </p> </blockquote> <h2 id="arturo-customer-support">Arturo, Customer Support</h2> <img src='https://blog.1password.com/posts/2020/wfh-setups/wfh-Arturo.jpg' alt='Image of Arturo&#39;s simple setup' title='Image of Arturo&#39;s simple setup' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <blockquote> <p>“My setup is as minimalist as it gets: MacBook Pro 13” and Powerbeats Pro.” </p> </blockquote> <h2 id="dayton-customer-support">Dayton, Customer Support</h2> <img src='https://blog.1password.com/posts/2020/wfh-setups/wfh-dayton.jpg' alt='Image of Dayton&#39;s work from home setup' title='Image of Dayton&#39;s work from home setup' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <blockquote> <p>“I wanted a big desk but didn’t want to pay for one, so I bought a piece of furniture-grade plywood, ripped it to size, and propped it up on some IKEA legs. I try to keep things as simple as possible, so I have one monitor attached to a sit/stand arm, and a little 8-bit Mario. 
I also have a little desk plant and a big orange cat.” </p> </blockquote> <h2 id="chris-development">Chris, Development</h2> <img src='https://blog.1password.com/posts/2020/wfh-setups/wfh-chris.jpg' alt='Image of Chris&#39;s desk in front of a large window' title='Image of Chris&#39;s desk in front of a large window' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <blockquote> <p>“Working with a window, and a view out those windows, is a must! I’m also a big fan of the Jarvis standing. I only sit for the first hour or two of the day, so I use a fairly boring chair.” </p> </blockquote> <h2 id="dane-development">Dane, Development</h2> <img src='https://blog.1password.com/posts/2020/wfh-setups/wfh-dane.jpg' alt='Image of Dane&#39;s setup' title='Image of Dane&#39;s setup' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <blockquote> <p>“I have an adjustable standing desk that I use with an Ergodriven Topo anti-fatigue mat (which I highly recommend) and a Mirra “barstool” office chair that I use when standing becomes too much.</p> </blockquote> <blockquote> <p>“Using two screens gives me the flexibility to either extend my current desktop or hook up another computer for cross-platform work. The monitor arms are fantastic as they keep my screens at a comfortable eye level and declutter my desk. I “dual-wield” a Magic Mouse in my right hand, and a Magic Trackpad in my left. Also coffee, noise-cancelling headphones, an iPad, a capacitive phone charger, and Firewatch.” </p> </blockquote> <h2 id="sarah-content">Sarah, Content</h2> <img src='https://blog.1password.com/posts/2020/wfh-setups/wfh-sarah.jpg' alt='Image of Sarah&#39;s desk complete with figurines' title='Image of Sarah&#39;s desk complete with figurines' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <blockquote> <p>“My workspace is where I do all my writing, both for work and for fun. 
I have a standing desk to encourage me to get up out of my chair for at least a few hours every day. And then of course, a collection of awesome ladies to inspire me.” </p> </blockquote> <h2 id="grant-enterprise">Grant, Enterprise</h2> <img src='https://blog.1password.com/posts/2020/wfh-setups/wfh-grant.jpg' alt='Image of Grant&#39;s desk and recording equipment' title='Image of Grant&#39;s desk and recording equipment' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <blockquote> <p>“My home office doubles as my studio.” </p> </blockquote> <h2 id="jackie-customer-support">Jackie, Customer Support</h2> <img src='https://blog.1password.com/posts/2020/wfh-setups/wfh-jackie.jpg' alt='Image of Jackie&#39;s laptop on her lap with dog on the sofa' title='Image of Jackie&#39;s laptop on her lap with dog on the sofa' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <blockquote> <p>“While I’d love to say I use my nice home office, I actually don’t, and that’s not just a shelter-at-home thing. You’ll usually always find me working from my couch with a sleeping doggo.” </p> </blockquote> <h2 id="jones-social-and-customer-support">Jones, Social and Customer Support</h2> <img src='https://blog.1password.com/posts/2020/wfh-setups/wfh-jones.jpg' alt='Image of Jones&#39;s working from home setup' title='Image of Jones&#39;s working from home setup' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <blockquote> <p>“For me, natural light is key to not feeling overly cloistered. I like a reasonable amount of clear space on my desk. 
We&rsquo;ve got a BMO mug, magnetic creativity toy, font poster, and a cookbook holder I use when taking notes from hard-copy books.” </p> </blockquote> <h2 id="kate-social-and-customer-support">Kate, Social and Customer Support</h2> <img src='https://blog.1password.com/posts/2020/wfh-setups/wfh-kate.jpg' alt='Image of Kate&#39;s desk overlooking the living room' title='Image of Kate&#39;s desk overlooking the living room' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <blockquote> <p>“Plenty of natural light, no wall behind the screens so we can shift our focus to something in the distance (good for eye health), plus a big enough desk that we can work together if we want but have our space when we need it.</p> </blockquote> <blockquote> <p>“Also, the monitor lowers into the desk, so when work time is over, our office doubles as a little bar to eat at while watching TV/movies. It’s also a handy place for projects – from board games to designing labels for our latest batch of homebrew.” </p> </blockquote> <h2 id="lily-content">Lily, Content</h2> <img src='https://blog.1password.com/posts/2020/wfh-setups/wfh-lily.jpg' alt='Image of Lily&#39;s work from home setup' title='Image of Lily&#39;s work from home setup' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <blockquote> <p>“Natural light makes a big difference. 
And a stack of books to bring the MacBook up to eye level.”</p> </blockquote> <h2 id="kaitlyn-qa-and-customer-support">Kaitlyn, QA and Customer Support</h2> <img src='https://blog.1password.com/posts/2020/wfh-setups/wfh-kaitlyn.jpg' alt='First view of Kaitlyn&#39;s setup with plants and doggy' title='First view of Kaitlyn&#39;s setup with plants and doggy' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <blockquote> <p>“For me, adding a little bit of life to my office has been crucial – whether that&rsquo;s plants, my dog, or letting my tortoise walk around the room. They all make me smile when I look up from my laptop.” </p> </blockquote> <h2 id="duncan-customer-support">Duncan, Customer Support</h2> <img src='https://blog.1password.com/posts/2020/wfh-setups/wfh-duncan.jpg' alt='Duncan&#39;s desk with iPad, Switch, MacBook and monitor' title='Duncan&#39;s desk with iPad, Switch, MacBook and monitor' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <blockquote> <p>“I don’t keep an especially tidy desk (yes, that is the SeaPass from AGConf on my desk. No, I don’t know why).” </p> </blockquote> <h2 id="will-design-and-web">Will, Design and Web</h2> <img src='https://blog.1password.com/posts/2020/wfh-setups/wfh-will2.jpg' alt='Image of Will&#39;s setup with custom keyboard' title='Image of Will&#39;s setup with custom keyboard' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <blockquote> <p>“I&rsquo;ve tried to create a place of comfort and coziness to spend my workday in. When you spend 8+ hours a day somewhere you want it to be comfortable and enjoyable. 
I also find that my creativity is driven in part by my environment, so having art and stuff around me makes me happy.” </p> </blockquote> <h2 id="tom-customer-support">Tom, Customer Support</h2> <p> <img src='https://blog.1password.com/posts/2020/wfh-setups/wfh-tom.jpg' alt='Image of Tom&#39;s desk with Final Fantasy 7 wallpaper' title='Image of Tom&#39;s desk with Final Fantasy 7 wallpaper' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> </p> <h2 id="james-content">James, Content</h2> <img src='https://blog.1password.com/posts/2020/wfh-setups/wfh-james.jpg' alt='Image of James&#39;s clear desk' title='Image of James&#39;s clear desk' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <blockquote> <p>“The more screens and peripherals I add, the more restricted I feel. And I still love paper. Especially when it’s time to word-wrestle.”</p> </blockquote> </description></item><item><title>4 ways to keep your family safe online</title><link>https://blog.1password.com/family-scam-safety/</link><pubDate>Wed, 01 Apr 2020 00:00:00 +0000</pubDate><author>info@1password.com (Emily Marchant)</author><guid>https://blog.1password.com/family-scam-safety/</guid><description> <img src='https://blog.1password.com/posts/2020/family-scams/header.png' class='webfeedsFeaturedVisual' alt='4 ways to keep your family safe online' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Working from home, taking online classes, and getting together with family over video chat. 
We&rsquo;re all living an increasingly virtual way of life, so it’s more important than ever to use the internet safely at home.</p> <h2 id="contents">Contents</h2> <ul> <li><a href="#phishing-scams-are-on-the-up">Phishing scams are on the up</a></li> <li><a href="#tip-1-check-all-messages-carefully">Tip 1: Check all messages carefully</a></li> <li><a href="#were-signing-up-to-more-online-services">We’re signing up to more online services</a></li> <li><a href="#tip-2-vet-apps-and-software-carefully">Tip 2: Vet apps and software carefully</a></li> <li><a href="#tip-3-as-always-practice-good-password-habits">Tip 3: As always, practice good password habits</a></li> <li><a href="#tip-4-secure-your-home-network">Tip 4: Secure your home network</a></li> </ul> <p>To help, we’ve looked into how scammers can take advantage and have put together some tips to help you and your family protect yourselves.</p> <h2 id="phishing-scams-are-on-the-up">Phishing scams are on the up</h2> <p><a href="https://www.theguardian.com/money/2020/mar/29/coronavirus-social-disease-fraudsters-adapt-old-scams">Three percent of all global spam</a> is now estimated to be coronavirus-related, with many messages impersonating reputable, global organizations like the World Health Organization and the United Nations. These phishing emails are designed to trick you into clicking malicious links or attachments by claiming to direct you to information about the virus, or even direct you to places to buy masks, cures, or tests.</p> <h2 id="tip-1-check-all-messages-carefully">Tip 1: Check all messages carefully</h2> <p>The best way to protect yourself against phishing is to vet messages thoroughly – even if they appear to come from a reputable organization or someone you know. Don’t click any suspicious links or attachments, and if you’re unsure, call the sender or message them directly to check. 
If the message claims to come from a company or organization, don’t use the phone number, email address, or link it contains – those belong to the scammer if the message is fake. Instead, contact the sender through a channel you already trust, such as a number you have on file, or visit the organization’s website by typing its address yourself and use the contact details published there.</p> <p>Be especially wary of emails and SMS messages that:</p> <ul> <li>Ask you to click a link or sign in to an account</li> <li>Ask you to share any kind of personal or sensitive information</li> <li>Offer tests or cures</li> <li>Appear to be selling masks</li> <li>Claim to be acting for the local authority, saying they need contact details or other sensitive information in case of emergency</li> <li>Link to websites that offer government-funded support or aid</li> <li>Encourage you to sign up for health-related news, information, or alerts</li> <li>Threaten to <a href="https://www.theguardian.com/money/2020/mar/29/coronavirus-social-disease-fraudsters-adapt-old-scams">reveal secrets about you</a> or infect your family</li> </ul> <p>This isn’t an exhaustive list by any means, but it gives you an idea of what to look out for. Here’s some more detailed information on <a href="https://blog.1password.com/what-is-phishing-and-how-can-you-protect-yourself/">how to spot a phishing scam</a>. Make sure you report phishing attempts to the organization or person the scammer was impersonating so that they can take steps to prevent future attempts.</p> <p>And, if you fall victim to a phishing scam, don’t be too hard on yourself. These scams use powerful social engineering tactics and it only takes a momentary lapse in concentration to fall for one. If it happens, change the password you entered straight away (and on any other account where you reused it), turn on two-factor authentication for that account, and tell the organization that was impersonated.</p> <h2 id="were-signing-up-to-more-online-services">We’re signing up to more online services</h2> <p>As more of us are told to stay home, we’re looking for new ways to work, keep in touch with families, and keep ourselves entertained. Last week, <a href="https://www.thedrum.com/news/2020/03/25/what-s-next-houseparty-the-social-video-app-the-social-distancing-age">2 million people downloaded</a> Houseparty, a social networking service that enables group video chat. 
Zoom has seen daily users <a href="https://www.marketwatch.com/story/zoom-microsoft-cloud-usage-are-rocketing-during-coronavirus-pandemic-new-data-show-2020-03-30">more than quadruple</a> over the past 30 days, while Microsoft says cloud usage has <a href="https://www.marketwatch.com/story/zoom-microsoft-cloud-usage-are-rocketing-during-coronavirus-pandemic-new-data-show-2020-03-30">grown nearly 800 percent</a>.</p> <img src='https://blog.1password.com/posts/2020/family-scams/video-chat-google-trends.png' alt='Google Trends data shows more people are searching for video chat software' title='Google Trends data shows more people are searching for video chat software' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>A lot of us are also leaning on technology to help with homeschooling, or to keep kids occupied. Duolingo, the language learning app, has seen a <a href="https://www.post-gazette.com/business/tech-news/2020/03/15/Duolingo-coronavirus-COVID-19-spike-in-online-gaming-streaming-in-China/stories/202003090111">200 percent increase in test-taking activity</a>, for example, and fitness influencer Joe Wicks has had almost a million people tune in to his live YouTube fitness classes.</p> <p>This in itself isn’t a problem, as long as everyone in your family – whether they&rsquo;re in school, <a href="https://blog.1password.com/starting-college-1password/">away at college</a>, partway through a career, or enjoying retirement – is careful about the apps and services they access.</p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">The Family Password Paradigm</h3> <p class="c-call-to-action-box__text"> Learn how different families are approaching online security, password use, and password sharing in the home. 
</p> <a href="https://1password.com/resources/the-family-password-paradigm/" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Download the report </a> </div> </section> <h2 id="tip-2-vet-apps-and-software-carefully">Tip 2: Vet apps and software carefully</h2> <p>Be aware that scammers may be looking to fill demand by creating fake pages or apps designed to capture your personal information and login details. To stay safe:</p> <ul> <li>Check whether the permissions an app asks for are reasonable, or whether it’s trying to access more than it needs to do its job.</li> <li>Download apps through official stores and marketplaces. It’s usually safer than downloading them straight from the internet.</li> <li>If a tool isn’t available in a store, type the developer’s website address into your browser yourself and download it from there, rather than following a link from a message or an ad.</li> <li>Do a little research. Check out app store reviews, do a quick search online, and ask for opinions on social media. If there’s a major concern with an app, people are likely talking about it.</li> </ul> <p>Also, take the time to set up parental controls before letting kids loose. Not only will you prevent them from inadvertently making costly in-app purchases, but you can also limit what information they can share and who they can share it with.</p> <h2 id="tip-3-as-always-practice-good-password-habits">Tip 3: As always, practice good password habits</h2> <ul> <li>Use strong, unique passwords for every service you sign up for, so that if your login details for one service are stolen, they can’t be used to get into your other accounts.</li> <li>Spend some time updating <a href="https://blog.1password.com/ghosts-passwords-past/">old passwords</a> so that they’re all strong and unique.</li> <li>Don’t share passwords using insecure methods like email or instant messenger. 
The safest way is to share them using a password manager.</li> </ul> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div class="c-technical-aside-box__description"> <p>💡 Tip! With <a href="https://1password.com/personal/">1Password Families</a>, you can <a href="https://blog.1password.com/family-organizer-tips/">become the family organizer</a> and help everyone protect their accounts with strong, unique passwords.</p> </div> </aside> <h2 id="tip-4-secure-your-home-network">Tip 4: Secure your home network</h2> <p>Your router controls which devices can join your home Wi-Fi, and when it’s set up correctly, it keeps anyone who shouldn’t be on your network off it. As more of our everyday lives are happening online, now is also a good time to make sure it’s set up correctly. To get started:</p> <ul> <li>Check that your <a href="https://blog.1password.com/5-quick-tips-for-smart-home-security/">Wi-Fi network is set up securely</a>.</li> <li>If you’re still using the default Wi-Fi password, change it to a strong, unique password of at least 20 characters and save it in a <a href="https://support.1password.com/create-share-vaults/">shared vault</a>, so everyone at home can access it securely. Do the same for the router’s administrator password, which is separate from the Wi-Fi password and is what someone would need to change your router’s settings.</li> <li>Switch to the more secure <a href="https://blog.1password.com/how-to-stay-safe-on-public-wi-fi/">Wi-Fi Protected Access II (WPA2)</a> protocol if you haven&rsquo;t already, or to WPA3 if your router and devices support it.</li> </ul> <p>The best way to protect yourself and your family online is to stay vigilant. Every time you open a new message, pause and question it. If something looks too good to be true, it probably is.</p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Not using 1Password yet?</h3> <p class="c-call-to-action-box__text"> Try 1Password today and keep your family safe online. 
</p> <a href="https://1password.com/pricing/" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Get 14 days FREE </a> </div> </section></description></item><item><title>Working from home with kids: How our team juggles jobs and childcare</title><link>https://blog.1password.com/working-from-home-kids/</link><pubDate>Mon, 30 Mar 2020 00:00:00 +0000</pubDate><author>info@1password.com (Emily Marchant)</author><guid>https://blog.1password.com/working-from-home-kids/</guid><description> <img src='https://blog.1password.com/posts/2020/wfh-with-kids/header.png' class='webfeedsFeaturedVisual' alt='Working from home with kids: How our team juggles jobs and childcare' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Like many others, I’m learning what it’s like to work from home with a child in tow. Overnight, lots of us have found ourselves with three full-time jobs: parent, teacher, and the job we’re paid to do. I’ll be honest, I’ve found it overwhelming – and as I write this, my daughter is under my desk, howling that she’s bored.</p> <p>I’m very fortunate to be surrounded by colleagues in the same position, and some have been juggling childcare, homeschooling, and work for a while. So I reached out and asked for help. Here’s what I’ve learned. I hope it will help you too.</p> <h2 id="accept-that-you-cant-work-at-full-capacity">Accept that you can’t work at full capacity</h2> <p>One message came through loud and clear: You are one person, and it’s simply impossible to do three full-time jobs. Even if you’re managing between two people, that’s an awful lot to ask. And, with everything that’s going on at the moment, it’s completely understandable that you’re distracted too.</p> <p>Be honest with yourself and your boss. 
Ask whether it’s possible to work flexible hours, or to focus on less concentration-intensive tasks or projects. We’re slowing down here so that folks can manage their workloads around other commitments and put their families and <a href="https://blog.1password.com/remote-work-mental-health/">mental health first</a>.</p> <h2 id="remember-kids-dont-get-7-hours-of-teaching-a-day-at-school">Remember: Kids don’t get 7 hours of teaching a day at school</h2> <p>When it comes to homeschooling, I’m just going to hand over to Sara, one of our founders. She keeps 1Password running while homeschooling her kids, so as far as I’m concerned, she&rsquo;s the source of truth on the matter.</p> <p>She reassured me: “With homeschooling, the biggest panic right now is this idea that kids spend a good seven hours at school learning, and they need proper lessons. Nope! They spend a lot of time just waiting to have their turn, washing hands, going outside, doing all kinds of things.</p> <p>“Really, learning time is maybe an hour or two a day. Knowing that makes it easier to remember that TV isn’t always bad – teachers use it too when kids are noisy. Having a favourite show ready when you’re about to have a call is a great tool! Magic School Bus, Dora, Cosmos&hellip; whatever floats your kids’ boat”.</p> <p><strong>Tip:</strong> Learning doesn’t always mean conventional schoolwork. Encourage kids to go looking for bugs outside, make busses out of cereal boxes, or build a castle out of Legos. It gets them out of your hair and means they’re learning things they might not at school.</p> <h2 id="have-a-schedule-but-be-flexible">Have a schedule but be flexible</h2> <p>Lots of parents here swear by having a schedule for the day. 
It gives kids a bit of structure, and helps you plan in time to focus.</p> <p>Here’s a daily schedule that Megs, who works on our Design team, shared with me:</p> <ul> <li><strong>6 a.m.</strong> Wake up and have breakfast (both parents)</li> <li><strong>7–11 a.m.</strong> Parent A works, parent B plays</li> <li><strong>11 a.m.–12 p.m.</strong> Lunch and naptime (both parents there to cook and yell at small ones to lie down)</li> <li><strong>1–4 p.m.</strong> Parent B works, parent A cleans and does extra work (if naptime happens) and plays</li> <li><strong>4 p.m.</strong> Educational TV or chilled play while one parent cooks</li> </ul> <p>“Splitting responsibility has always been important in our home, and now with the kids home full time, it’s become a crucial tool to help us maintain our sanity.</p> <p>“Our kids are 3 and 1, and demand a lot of attention. My partner and I are each working half a day and parenting for the other half. We&rsquo;re so lucky that our jobs have been flexible and understanding of our needs, and it&rsquo;s been really great to be able to tag-team parenting this way”.</p> <p>I’m on my own with my daughter for most of the day, so swapping in and out isn’t an option. Even so, I have found that putting together a rough outline of her day helps move her from one activity to the next. Admittedly, 9 times out of 10, it goes completely out of the window, but having a few activities lined up means I can throw something new at her when she gets bored. Even if that’s just an educational video or box of art supplies.</p> <h2 id="make-the-most-of-technology">Make the most of technology</h2> <p>How much children should use technology, and what they should use it for, can be a prickly topic for parents. But, if you’re comfortable with it, now is the time to embrace the educational value of technology. Don’t be afraid to lean on TV, iPads, and trusted streaming services if you need to. 
This is an unprecedented situation, and if technology allows you to be productive while your kid is learning, then as far as I’m concerned it’s a win-win.</p> <p>Coding apps like <a href="https://www.scratchjr.org/">ScratchJr</a> and <a href="https://www.tynker.com/">Tynker</a> teach kids invaluable skills (ScratchJr is used in schools), and can keep them occupied while you take a call. Our “school days” have meant morning exercise with Joe Wicks <a href="https://www.youtube.com/watch?v=Rz0go1pTda8&amp;list=PLyCLoPd4VxBvQafyve889qVcPxYEjdSTl">live on YouTube</a>, learning a language with <a href="https://www.duolingo.com/">Duolingo</a>, and listening to <a href="https://www.worldofdavidwalliams.com/">David Walliams audiobooks</a> (they’re free for the next month).</p> <p><strong>Tip:</strong> If your child has lessons or activities outside of school, check whether your provider is offering a virtual alternative. My daughter is taking her usual ukulele and karate lessons every week by video call. I can’t wait to hear what ten 5-year-olds playing the ukulele over video chat sounds like.</p> <h2 id="youre-not-alone">You’re not alone</h2> <p>Don’t worry if you need to jump off a call because your kid needs you, or if they make a quick cameo during the morning standup. Your colleagues will understand, and most folks tell me they love that small insight into each other&rsquo;s lives.</p> <p>Talk to your colleagues about your kids and share your funny stories. They do want to listen, and we’ve found that other team members are keen to help by working around parents’ schedules or by shuffling tasks around.</p> <p><strong>Tip:</strong> Will, our Design and Web Lead, suggests trying a closed-door policy. “When the door is closed, it means I&rsquo;m on a call and that the kids should be quiet and not come in. It took some time to get working, but it now works great. 
Once, during an interview, I had to go to the basement as my kids were being loud and my wife was ill – I nearly got away with it too until someone flushed the toilet and the water pipe was right next to me”.</p> <p>Often, it’s these human moments that help build lasting connections with our colleagues.</p> <h2 id="embrace-the-interruptions">Embrace the interruptions</h2> <p>Once you’ve accepted that interruptions will happen, you might find they become a source of joy, rather than stress. Stop and listen to your child’s explanation of the space cafe they’ve just built in your living room, watch the dance routine they’ve just made up, and talk to them about their day. This is all pretty weird for them too, and you’ll enjoy moments you might usually miss out on while they&rsquo;re at school.</p> <p>Lynette, who works in Customer Success, put it beautifully: “The best part is being able to watch my daughter learn, and spending so much time with her. She watches these videos about singing and dancing, and sometimes her mood completely changes. I just hear her singing along. Also, I love getting hugs throughout the day. I&rsquo;ll be in a meeting and she&rsquo;ll just come up and hug me, and go back to what she was doing. It&rsquo;s the best”.</p> <h2 id="above-all-be-kind-to-yourself">Above all, be kind to yourself</h2> <p>This situation is new to all of us. Things won’t go as planned every day, or maybe ever. And that’s okay – we’re all doing our best. Learn and adjust as you go, and when it all goes out of the window (which it will), try to laugh about it. 
Embrace the absurdity of it, and share the joy and the humour with your colleagues – we could all use a lift right now.</p> <section class="c-call-to-action-box"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Get more security tips</h3> <p class="c-call-to-action-box__text"> Subscribe to our business security newsletter and get advice on running a secure, productive workplace delivered directly to your inbox. </p> <form method="POST" class="oneline" accept-charset="UTF-8" action="https://flow.1passwordservices.com/api/v1/lead" data-event-category="Newsletter" data-event-action="form-newsletter" id="newsletterForm"> <div id="hidden-fields"> <input type="hidden" name="formSubmitted" value="Newsletter"> <input type="hidden" name="formId" value="c100b28e-6493-493f-b325-6a7f8b3cbb89"> </div> <input type="email" class="c-call-to-action-box__newsletter-email" name="email" placeholder="" required /> <input class="c-call-to-action-box__newsletter-button" type="submit" value="Sign up"> </form> <div class="c-call-to-action-box__text"> By signing up you agree to receive emails about the latest 1Password announcements, product updates, and events. <a class="c-newsletter-signup-form__gdpr--link" href="https://www.1password.co/email-preferences.html">Unsubscribe</a> any time. You also agree to our <a class="c-newsletter-signup-form__gdpr--link" href="https://1password.com/legal/terms-of-service/">terms of service</a> and <a class="c-newsletter-signup-form__gdpr--link" href="https://1password.com/legal/privacy/">privacy policy</a>. 
</div> </div> </section></description></item><item><title>Going remote: 3 tips for building a strong remote work culture</title><link>https://blog.1password.com/remote-work-culture/</link><pubDate>Fri, 27 Mar 2020 00:00:00 +0000</pubDate><author>info@1password.com (Matt Davey)</author><guid>https://blog.1password.com/remote-work-culture/</guid><description> <img src='https://blog.1password.com/posts/2020/remote-culture/header.png' class='webfeedsFeaturedVisual' alt='Going remote: 3 tips for building a strong remote work culture' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Workplace culture may not feel like your priority right now. But your culture is defined by how you handle difficult situations – these are the moments it&rsquo;s both tested and formed. We hope our experiences will help you build a remote or hybrid culture that empowers your team to do great work.</p> <h2 id="be-kind-and-empathetic">Be kind and empathetic</h2> <p>We recognize that our folks are all dealing with a spectrum of exceptional circumstances – family sickness, financial pressures, <a href="https://blog.1password.com/remote-work-security-people/">childcare issues</a>, and more. Even though we’re 14-year veterans of <a href="https://blog.1password.com/remote-work-it-survey/">remote work</a>, we’re aware that right now we have to <a href="https://blog.1password.com/remote-work-mental-health/">slow down and prioritize mental health</a>, and give everyone the space and time they need.</p> <p>Leaders need to take the helm here. During our all-hands call, Jeff (our CEO) let everyone know it’s absolutely okay that productivity isn’t going to be 100 percent. Our focus should be staying safe and healthy. When important messages come directly from the top, there’s less room for misinterpretation and teams are more likely to take advice on board. 
If you’re new to remote or hybrid working, this is more important than ever.</p> <h2 id="trust-your-team">Trust your team</h2> <p>Remote working lays the groundwork for a real cornerstone of healthy culture – trust. Working flexible hours means we can work when we’re at our most productive. We trust each other to show up and do a good job, and no one wants to break that. Ultimately, we all want to make 1Password as good as it can be.</p> <p>Even when the world is more testing, we trust that everyone is doing their best. And, right now, everyone’s best looks different. If your team is <a href="https://blog.1password.com/remote-work-security-tips/">newly remote</a>, encourage people to experiment with different ways and schedules of working. There will be an adjustment period, but it&rsquo;ll quickly pay off as people figure out what works for them. In more settled times, you’ll see a more productive workforce. Today, hopefully, you’ll have a healthier one.</p> <p>In short, relax. If you trust people, they’ll feel valued and respected, and want to keep your trust.</p> <h2 id="encourage-connections">Encourage connections</h2> <p>We’re lucky to have the opportunity to meet, work (and then hang out with) folks from diverse backgrounds from all over the world. Yes, this happens while working together, but often, it&rsquo;s the informal, unstructured chats that hold the most value to team wellbeing. We have happy hour video calls where colleagues can shoot the breeze with a beer, play online sessions of Settlers of Catan, and share endless Animal Crossing screenshots in our #topic-gaming chat in Slack.</p> <p>These are the kinds of interactions that happen in bricks and mortar workplaces (or in the pub after work) but they can be supercharged using remote-friendly technology. Your teams will find their rhythm. 
Focus on cultivating a culture where communication between team members is encouraged, but not mandated.</p> <p>When connections form naturally, they’re real and long-lasting. And teams that communicate well will work better together, be happier, and love their jobs. You&rsquo;ll see lower staff turnover, more engaged team members, and potentially even find it easier to recruit new staff because of your company culture. That’s been our experience at 1Password.</p> <h2 id="tldr">TL;DR</h2> <p>When it comes to culture, what matters most is intent – and that needs to be genuine. Build a work environment that encourages productivity rather than enforces it; one that fosters communication without demanding it; and one that is thoughtful, inclusive and, above all, kind.</p> <section class="c-call-to-action-box"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Get more security tips</h3> <p class="c-call-to-action-box__text"> Subscribe to our business security newsletter and get advice on running a secure, productive workplace delivered directly to your inbox. </p> <form method="POST" class="oneline" accept-charset="UTF-8" action="https://flow.1passwordservices.com/api/v1/lead" data-event-category="Newsletter" data-event-action="form-newsletter" id="newsletterForm"> <div id="hidden-fields"> <input type="hidden" name="formSubmitted" value="Newsletter"> <input type="hidden" name="formId" value="c100b28e-6493-493f-b325-6a7f8b3cbb89"> </div> <input type="email" class="c-call-to-action-box__newsletter-email" name="email" placeholder="" required /> <input class="c-call-to-action-box__newsletter-button" type="submit" value="Sign up"> </form> <div class="c-call-to-action-box__text"> By signing up you agree to receive emails about the latest 1Password announcements, product updates, and events. <a class="c-newsletter-signup-form__gdpr--link" href="https://www.1password.co/email-preferences.html">Unsubscribe</a> any time. 
You also agree to our <a class="c-newsletter-signup-form__gdpr--link" href="https://1password.com/legal/terms-of-service/">terms of service</a> and <a class="c-newsletter-signup-form__gdpr--link" href="https://1password.com/legal/privacy/">privacy policy</a>. </div> </div> </section></description></item><item><title>If you only use 1Password in Safari, it’s time to start also using an app</title><link>https://blog.1password.com/if-you-only-use-1password-in-safari-its-time-to-start-also-using-an-app/</link><pubDate>Fri, 27 Mar 2020 00:00:00 +0000</pubDate><author>info@1password.com (Jasper Patterson)</author><guid>https://blog.1password.com/if-you-only-use-1password-in-safari-its-time-to-start-also-using-an-app/</guid><description> <img src='https://blog.1password.com/posts/2020/safari-localstorage/header.png' class='webfeedsFeaturedVisual' alt='If you only use 1Password in Safari, it’s time to start also using an app' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">If you signed up for 1Password in Safari and aren&rsquo;t already using one of the 1Password apps, it’s important to start today. Here’s why.</p> <p>Apple has always been at the forefront of the fight to protect your privacy, and the WebKit team that builds the foundation of Safari is no exception. In 2017, they introduced Intelligent Tracking Prevention, which helps prevent advertisers from tracking you when you use Safari. This was great news for privacy, and a lot of us at 1Password use Safari because of its strong commitment to privacy.</p> <p>Starting in Safari 13.1 for Mac and iOS 13.4, there are <a href="https://webkit.org/blog/10218/full-third-party-cookie-blocking-and-more/">some additional changes to Intelligent Tracking Prevention</a>. Everything a website stores from script (including local storage) will now be deleted after seven days of Safari use in which you haven&rsquo;t interacted with that website. 
This affects full-featured web apps like 1Password that use local storage for legitimate purposes. For example, 1Password stores your Secret Key in local storage. If your Secret Key is removed from Safari and you don&rsquo;t have it stored anywhere else, you won&rsquo;t be able to access your account.</p> <h2 id="more-steps-you-can-take">More steps you can take</h2> <p>When you set up the 1Password apps, your Secret Key will be saved in the apps. So if it gets removed from Safari, you&rsquo;ll still be able to access your account. It&rsquo;s an important first step, but there&rsquo;s more you can do to protect your account. To make sure you always have access to 1Password:</p> <ul> <li><strong>Sign in on all your devices.</strong> Your Secret Key is stored on devices you&rsquo;ve used to sign in to your account. When you sign in on all your devices, each one can be used to <a href="https://support.1password.com/secret-key/">find your Secret Key</a> when you need it.</li> <li><strong>Save your Emergency Kit.</strong> Your <a href="https://support.1password.com/emergency-kit/">Emergency Kit</a> is a PDF document with your account details, including your Secret Key. Store it someplace safe.</li> <li><strong>Implement a recovery plan.</strong> If you use 1Password with your family or team, make sure you have more than one <a href="https://support.1password.com/family-organizer/">family organizer</a> or <a href="https://support.1password.com/team-recovery-plan/">administrator</a>. 
If you lose your Secret Key, they can help you recover your account.</li> </ul> <p>After you&rsquo;ve taken those steps, you can be sure that you&rsquo;ll always have access to your account even if your Secret Key is removed from Safari.</p> <h2 id="if-youre-a-web-developer">If you&rsquo;re a web developer</h2> <p>If you&rsquo;re a web developer who uses local storage, we encourage you to <a href="https://bugs.webkit.org/">file a WebKit bug report</a> to let them know how you&rsquo;re using it to provide benefits to your users.</p> <section class="c-call-to-action-box"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Protect your account</h3> <p class="c-call-to-action-box__text"> To make sure you can always sign in to your account, set up the 1Password apps. </p> <a href="https://1password.com/downloads/" class="c-call-to-action-box__link-href" data-event-category="CTA" data-event-action="call-to-action-button"> Download 1Password </a> </div> </section></description></item><item><title>Say hello to 1Password 7.4 for Windows</title><link>https://blog.1password.com/1password-7-4-for-windows/</link><pubDate>Tue, 24 Mar 2020 00:00:00 +0000</pubDate><author>info@1password.com (Sergey Galich)</author><guid>https://blog.1password.com/1password-7-4-for-windows/</guid><description> <img src='https://blog.1password.com/posts/2020/opw74/header.png' class='webfeedsFeaturedVisual' alt='Say hello to 1Password 7.4 for Windows' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">We&rsquo;re excited to announce that after great work from the team, 1Password 7.4 for Windows is now available! We&rsquo;ve streamlined the app you know and love, so it runs smoother, faster, and more intuitively.</p> <p>There&rsquo;s a lot to like about this latest Windows release, and we&rsquo;ve got you covered with an overview of the essential features. 
As always, you can view the <a href="https://app-updates.agilebits.com/product_history/OPW6">release notes</a> for a full list of all the changes and updates.</p> <h2 id="say-hello-to-1password">Say Hello to 1Password</h2> <p>Windows Hello integrates smoothly into your workflow, eliminating the need to stop and type out a passcode to open an app or sign in to an account. The built-in biometrics <a href="https://1password.com/resources/guides/using-biometrics-fingerprint-as-password/">use fingerprint or facial recognition</a> to give you instant access to your information.</p> <img src='https://blog.1password.com/posts/2020/opw74/How-Hello-works.gif' alt='Windows Hello and 1Password' title='Windows Hello and 1Password' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>And in this release, we&rsquo;ve made it even easier! In 1Password 7.4, we now automatically invoke Hello on every lock view, eliminating the button needed to gain access to the biometric systems. Removing that extra step means the app opens, and your information is available with just a tap or a glance.</p> <h2 id="move-items-with-ease">Move items with ease</h2> <p>Keeping your items organized in 1Password makes it easier for you to find just what you need. However, do you find yourself needing to move items from one vault to another? With the new and improved drag and drop in <a href="https://1password.com/downloads/windows/">1Password for Windows</a>, it&rsquo;s easy to move or copy an item from one vault to another.</p> <img src='https://blog.1password.com/posts/2020/opw74/Move_items_with_ease.png' alt='Move items with ease' title='Move items with ease' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>But what if you want to sign in to the Steam app to start gaming? Now you can drag and drop to <a href="https://1password.com/features/autofill/">autofill</a>. 
Just drag your username and password from 1Password to any app on your PC. Game on.</p> <h2 id="smoother-faster-safer">Smoother, faster, safer</h2> <p>Here&rsquo;s where we get a bit more technical because this release also brings along some significant performance improvements behind the scenes to provide better protection for you. In 1Password 7.4, we rebuilt the entire network stack and a good portion of the backend in Rust, and we updated some core components along the way. These changes mean 1Password will detect your network settings and handle complex setups with ease, including various proxy standards. 1Password also now performs more tasks in separate processes. This means that when one task is done, the memory is freed up faster.</p> <p>We also rethought our approach to the clipboard. From now on, nothing you copy in 1Password will be stored in the clipboard history or sent to the cloud clipboard. If you want to use the cloud clipboard in Windows 10, you don&rsquo;t have to worry about your 1Password data.</p> <p>This update is free for everyone with a 1Password membership. <a href="https://1password.com/downloads/windows/">Download 1Password 7.4 for Windows today.</a></p> <p>We hope you love this update as much as we&rsquo;ve loved building it for you! As always, we’re eager to hear from you, so let us know what you think about this update on <a href="https://twitter.com/1Password">Twitter</a> and in the <a href="https://1password.community/categories/1password-for-windows">1Password Support forum</a>.</p></description></item><item><title>New to remote working? 
Here's how to keep your team secure</title><link>https://blog.1password.com/remote-work-security-tips/</link><pubDate>Mon, 23 Mar 2020 00:00:00 +0000</pubDate><author>info@1password.com (James Holloway)</author><guid>https://blog.1password.com/remote-work-security-tips/</guid><description> <img src='https://blog.1password.com/posts/2020/remote-security/header.png' class='webfeedsFeaturedVisual' alt='New to remote working? Here's how to keep your team secure' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Many businesses are having to rush to remote or hybrid working for the first time, but it&rsquo;s important <a href="https://blog.1password.com/remote-work-security-people/">not to let your security slide</a> during the transition. By taking a few simple precautions, remote work can be as secure as working from an office full-time. These tips will help your whole team do remote and hybrid work safely, wherever they are in the world.</p> <h2 id="hardware">Hardware</h2> <p>The first thing is to make sure you work with devices set up to keep company information safe.</p> <p><strong>Use the safest device available.</strong> If your computers are provided by work, use them. If they’re not, make sure you work from your own device. Don’t work from public computers, or computers belonging to friends, family or anyone else – these could be insecure in any number of ways. If it’s possible to designate a computer solely to work, it’s a good idea to do that.</p> <p><strong>Set up device passwords.</strong> Make sure all devices you work with are password-protected. If someone finds one unattended, you don’t want them to be able to use it.</p> <p><strong>Encrypt storage.</strong> The devices you use should also be set up with full disk encryption so any data stored on them is kept as safe as possible, even if someone were to steal the laptop or obtain a copy of the data. 
Most current operating systems include full disk encryption (BitLocker on Windows, FileVault on macOS, LUKS on most Linux distributions). Turn it on, and keep the recovery key somewhere safe, such as a 1Password vault: without it, an encrypted disk cannot be recovered if you forget the password or the hardware fails.</p> <p><strong>Keep software up to date.</strong> Make sure you keep all software up to date on the devices you work with. That’s everything from the operating system to the apps you use, whether for work or personally. If possible, set operating systems and apps to automatically update. This will make sure any software vulnerabilities are patched as soon as possible.</p> <p><strong>Keep hardware safe.</strong> If you ever need to work outside the home, there are steps you can take to keep company information and property safe:</p> <ul> <li>Angle screens so they’re harder for other people to see, and invest in a privacy screen filter.</li> <li>Lock screens when away from a device, even if it’s only for a moment.</li> <li>Never leave a device in a car.</li> <li>Keep devices close at all times.</li> </ul> <h2 id="software">Software</h2> <p>Use only the software you’re cleared to use on work machines. This includes:</p> <ul> <li>Web browsers</li> <li>Browser extensions</li> <li>Word processing software</li> <li>Communication apps</li> <li>Project management software</li> <li>Developer and other specialist tools</li> </ul> <p><strong>Use a dedicated work browser.</strong> These days, a lot of work is done in the web browser. If you don’t have a dedicated work computer, it’s a good idea to have one dedicated web browser (or browser profile) for work and another for personal use. On your work browser, make sure you only use allowed browser extensions. Extensions can read and modify everything on the pages you visit, so limiting the work browser to vetted ones keeps work accounts and data out of reach of a malicious or compromised extension.</p> <h2 id="network">Network</h2> <p>Most modern home networks are fairly secure, but there are some basic steps you should take to keep company information as safe as possible.</p> <p><strong>Update routers.</strong> Your home router may not have been updated in some time. Check your firmware and apply any outstanding updates. 
If you’ll be working hybrid for the long term, check for router updates regularly, at least once a year, and turn on automatic updates if your router offers them. Keeping firmware up to date patches known vulnerabilities and keeps your network as secure as possible.</p> <p><strong>Change default passwords.</strong> It’s also possible that you’ve never gotten round to changing the default administrator password on your router. Default passwords are printed on the device or documented online, so leaving one in place hands administrative control of the router to anyone (or any device) that has ever been on your Wi-Fi network. Make sure you change your default router password if you never have.</p> <p><strong>Be safe on public networks.</strong> These days, most websites encrypt traffic with HTTPS, making public Wi-Fi safer than it used to be. Look for the lock in your browser address bar to make sure the site you’re on uses encryption – especially if you’re sharing any personal data, including your login details. Bear in mind that the lock only tells you the connection to that site is encrypted; it doesn’t tell you the site itself is legitimate, so check the address too. If you’re working outside of the home or using an untrusted network, it’s still a good idea to use a <a href="https://blog.1password.com/how-a-vpn-works/">virtual private network (VPN)</a> or a personal hotspot so that no one else on the network can read or tamper with your traffic.</p> <h2 id="data">Data</h2> <p>We’ve looked at various steps you can take to help keep company data safe. But there are also things to consider when it comes to the data itself.</p> <p><strong>Avoid downloading information.</strong> As far as possible, don’t download any important, sensitive, or confidential information, especially if it’s about your customers. Regularly check what data you’re storing locally and permanently delete anything that isn’t needed. Where possible, work using secure cloud applications where access can be properly controlled and monitored. Keeping the authoritative copy in the cloud rather than on a single laptop also means a lost or stolen device doesn’t take the only copy of your data with it.</p> <p><strong>Use the right tools.</strong> If you need to share confidential information, make sure you use a secure method. 
With <a href="https://1password.com/business/">1Password Business</a>, companies can share passwords and other important information securely while working remotely. Every employee that uses 1Password Business also receives access to <a href="https://1password.com/personal/">1Password Families</a>, so sensitive information shared at home is handled just as safely.</p> <h2 id="support-your-team">Support your team</h2> <p><strong>Use technical support.</strong> If you’re not sure about any of these steps, don’t suffer in silence. Contact your work IT department or technical support team. They should be able to help.</p> <p><strong>Create a remote working handbook.</strong> Done right, remote or hybrid working can be a productive and rewarding experience for everyone. You can help set your team up for success by creating a remote working handbook.</p> <section class="c-call-to-action-box"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Get more security tips</h3> <p class="c-call-to-action-box__text"> Subscribe to our business security newsletter and get advice on running a secure, productive workplace delivered directly to your inbox. </p> <form method="POST" class="oneline" accept-charset="UTF-8" action="https://flow.1passwordservices.com/api/v1/lead" data-event-category="Newsletter" data-event-action="form-newsletter" id="newsletterForm"> <div id="hidden-fields"> <input type="hidden" name="formSubmitted" value="Newsletter"> <input type="hidden" name="formId" value="c100b28e-6493-493f-b325-6a7f8b3cbb89"> </div> <input type="email" class="c-call-to-action-box__newsletter-email" name="email" placeholder="" required /> <input class="c-call-to-action-box__newsletter-button" type="submit" value="Sign up"> </form> <div class="c-call-to-action-box__text"> By signing up you agree to receive emails about the latest 1Password announcements, product updates, and events. 
<a class="c-newsletter-signup-form__gdpr--link" href="https://www.1password.co/email-preferences.html">Unsubscribe</a> any time. You also agree to our <a class="c-newsletter-signup-form__gdpr--link" href="https://1password.com/legal/terms-of-service/">terms of service</a> and <a class="c-newsletter-signup-form__gdpr--link" href="https://1password.com/legal/privacy/">privacy policy</a>. </div> </div> </section></description></item><item><title>COVID-19 Response - Removing trial limits to help businesses work securely from home</title><link>https://blog.1password.com/covid-19-response/</link><pubDate>Fri, 13 Mar 2020 00:00:00 +0000</pubDate><author>info@1password.com (Jeff Shiner)</author><guid>https://blog.1password.com/covid-19-response/</guid><description> <img src='https://blog.1password.com/posts/2020/covid-19-response/header.png' class='webfeedsFeaturedVisual' alt='COVID-19 Response - Removing trial limits to help businesses work securely from home' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Our six-month free trial has ended. If your business still needs support due to the impact of COVID-19, please <a href="https://support.1password.com/contact/">contact our sales team</a> and we&rsquo;ll see what we can do to help.</p> <p>Over the past few weeks, we’ve seen some unprecedented and frightening changes around the world as a result of COVID-19. We&rsquo;ve watched as events are canceled, travel becomes restricted, and towns (and even countries) go into lockdown.</p> <p>In an effort to slow the spread of coronavirus and protect the vulnerable, an increasing number of companies — including Google, Twitter, Shopify and more — are asking their employees to work remote. 
Here at 1Password, we’re a largely remote company by nature, but even we have implemented steps to slow the spread of the virus by closing our meeting spaces and eliminating business travel.</p> <p>These are important steps we should all take to protect our teams and loved ones.</p> <h2 id="tips-to-make-remote-work-work">Tips to make remote work, work</h2> <p>We’re big proponents of remote and hybrid work, but adjusting to it can be a challenge, especially when the decision to close offices is made quickly.</p> <p>We&rsquo;ve learned a lot about working remotely over the past 14 years, and have <a href="https://blog.1password.com/remote-work-tips/">shared some of our top tips</a> to help those struggling to do so effectively.</p> <p>The hardest part of working remote is <a href="https://blog.1password.com/remote-work-security-tips/">doing so securely</a>. We built <a href="https://1password.com/business/">1Password Business</a> to help you do exactly that.</p> <h2 id="helping-where-we-can">Helping where we can</h2> <p>We’re removing the 14-day trial period on 1Password Business so companies can start keeping their teams secure without getting finance involved.</p> <p><a href="https://1password.com/business/">Sign up for 1Password Business</a> today and get your first 6 months free.</p> <h2 id="stay-safe">Stay safe</h2> <p>It’s difficult to predict what the next few weeks will look like, but we need to work together to protect our teams, loved ones, and local communities. Reduce unnecessary travel — including travel to and from the office — and be empathetic to the challenges that remote work can bring to your teams and their families. Staying safe is a team effort. ❤️</p> <p><em><strong>Our six-month free trial has ended. 
If your business still needs support due to the impact of COVID-19, please <a href="https://support.1password.com/contact/">contact our sales team</a> and we&rsquo;ll see what we can do to help.</strong></em></p></description></item><item><title>How to make remote work, work: tips from 1Password</title><link>https://blog.1password.com/remote-work-tips/</link><pubDate>Thu, 12 Mar 2020 00:00:00 +0000</pubDate><author>info@1password.com (Jeff Shiner)</author><guid>https://blog.1password.com/remote-work-tips/</guid><description> <img src='https://blog.1password.com/posts/2020/work-from-home/header.png' class='webfeedsFeaturedVisual' alt='How to make remote work, work: tips from 1Password' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Testing the waters of remote or hybrid working for the first time – whether it’s due to a snow day or a worldwide pandemic – can be a daunting prospect. At 1Password, we understand the challenges all too well – we’ve been an almost entirely remote workforce for 14 years, and have learned a lot along the way.</p> <p>The good news is going remote could actually make your teams <a href="https://lp.buffer.com/state-of-remote-work-2020">happier</a> and <a href="https://www.inc.com/marcel-schwantes/new-study-reveals-why-working-from-home-makes-workers-more-productive.html">more productive</a> if you get it right. If your team needs to work remote or hybrid, or you’re considering trying it out for your business, here are our top tips for getting started.</p> <h2 id="communicate-communicate-communicate">Communicate, communicate, communicate</h2> <p>Keeping communication open and collaboration going can be one of the biggest challenges of <a href="https://blog.1password.com/remote-work-culture/">remote work</a> – loneliness can creep in and teams can begin to feel siloed. Luckily, there are some great tools that make collaborating as a remote or hybrid team a lot easier. 
Here are a few of our favorites:</p> <ul> <li> <p><strong>Slack.</strong> Our go-to tool for everyday collaboration. Channels are a great place to work on projects together – there’s a record of everything so you can always pick up where you left off. Instant messaging means you can get hold of someone for a quick opinion when you need to. It’s also great for community building: We have channels dedicated to watercooler chat, mental health, giving kudos to other team members for great work, and all sorts of hobbies and interests.</p> </li> <li> <p><strong>Google Meet.</strong> Perfect for those moments when you just need to be in a room together and great for daily stand-ups or bigger project catch-ups. Just start a call or video chat when you&rsquo;d usually head into a meeting room.</p> </li> <li> <p><strong>Basecamp.</strong> For long-term and ongoing projects, Basecamp is ideal. Everything related to each project is in one place – meeting notes, relevant documents, and ongoing conversations – so we always have the full picture. We can see exactly what each other is working on and pitch in if we need to.</p> </li> <li> <p><strong>1Password.</strong> Managing access when you&rsquo;re hybrid or fully remote can be tricky. We learned that from doing it for over a decade, and so we built <a href="https://1password.com/business/">1Password Business</a> to give people access to the tools they need (and only the tools they need) to work.</p> </li> </ul> <p>We also manage projects and development in GitLab, hand off and discuss design files in Zeplin, handle HR using Humi, and manage a whole host of internal processes using some other impressive tools. You’ll find your own setup, but for every communication pain point, there’s a solution out there.</p> <h2 id="set-expectations-from-the-start">Set expectations from the start</h2> <p>What you expect from your teams will depend highly on the type of business you run. 
Your Customer Service teams may need to be available between specific hours, for example, whereas Design might be able to pick up a project any time of day. Whatever your expectations, communicate them clearly from the start and make sure that everyone fully understands the rules by which you&rsquo;re now working. Here are a few things you might want to think about:</p> <ul> <li> <p><strong>Working hours.</strong> Make sure people know if their schedule needs to stay the same, or whether it can be more flexible when working from home.</p> </li> <li> <p><strong>Availability.</strong> If you need to know when your teams are present, make sure you have a process in place for communicating that they’re away from their desks. Slack is really useful here – you can set a status letting everyone know that you’re at lunch, in a meeting, or taking a trip to the doctor.</p> </li> <li> <p><strong>Processes and priorities.</strong> Some types of work may be possible from home, while others might not – you may need to review some of your processes and priorities and adapt them to hybrid working. Make sure you communicate any changes to your teams.</p> </li> </ul> <h2 id="prioritise-wellbeing">Prioritise wellbeing</h2> <p>Maintaining your teams’ <a href="https://blog.1password.com/remote-work-mental-health/">happiness and work-life balance</a> is just as important as laying the structural groundwork for remote or hybrid working. <a href="https://lp.buffer.com/state-of-remote-work-2020">Difficulty unplugging</a> is one of the top struggles of remote workers, so make sure to encourage people to take proper breaks and time away from their desks – and actually mean it. There are also lots of ways workers can help themselves.</p> <ul> <li> <p><strong>Dedicate a space to work.</strong> If you have a spare room to use as an office, that&rsquo;s ideal. I swear by having a separate room to work. 
But if that’s not possible, use a small desk in another room, your kitchen table, or a coworking space. It can be tempting to work from the sofa or bed, but when professional and personal space overlap it can be difficult to switch off.</p> </li> <li> <p><strong>Think about how you use devices.</strong> Ideally, you’ll have two devices: one for work and one for home. If that’s not possible, using your laptop with a monitor and keyboard, rather than in your lap, can serve as a mental cue to separate work and personal time. Partitioning your hard drive and creating a separate user account for work is a good idea too.</p> </li> <li> <p><strong>Dress for work.</strong> We’re not talking full suit and tie here, but wearing comfy but presentable clothes, rather than tatty pajamas, can help with focus. It also means you’re ready to nip out to get some fresh air. Our COO wears shoes at his desk; it helps put him in the right mindset for work.</p> </li> <li> <p><strong>Stick to a regular schedule.</strong> Even if <a href="https://blog.1password.com/remote-work-it-survey/">remote work</a> means you can be more flexible with your time, setting your own hours and sticking to them helps maintain work-life balance and mentally untangle at the end of the day.</p> </li> <li> <p><strong>Get up and move.</strong> Without the walk to the station or stroll at lunch, it’s easy to become sedentary when working from home. Walk around while you’re on a call, take the dog for a walk, pop to the shops, or make time for the gym – whatever works for you. At 1Password, we offer everyone an allowance to spend on healthy activities away from their keyboard – whether that’s a yoga class, monthly kayaking trip, or a subscription for a meditation app. 
The choice is theirs.</p> </li> </ul> <h2 id="secure-your-setup">Secure your setup</h2> <p>When people work from home, even for just part of their week, it inevitably <a href="https://blog.1password.com/remote-work-security-people/">brings new security considerations</a>. Every worker needs to know exactly what to do to <a href="https://blog.1password.com/remote-work-security-tips/">remain safe online</a> while working from home, and it’s your responsibility to make that happen. Here’s a quick checklist to help you get started:</p> <ul> <li>Work should only be done on trusted devices. No working from the public library or on a friend’s computer. If possible, encourage workers to have separate work and personal devices.</li> <li>Home routers should not use default passwords, and should be checked for firmware updates annually.</li> <li>All desktops and laptops should make use of full disk encryption.</li> <li>As general practice, minimize the storage of customer/sensitive data on local devices. Encourage team members to regularly check what they’re storing and give their device a regular purge of non-essential data.</li> <li>Use <a href="https://1password.com/business/">1Password</a> to securely share all the company’s important info and logins with remote and hybrid workers.</li> </ul> <h2 id="trust-your-teams-and-reap-the-rewards">Trust your teams and reap the rewards</h2> <p>Remember, working from home may take a little time to get used to. There are new ways of working and communicating for everyone to get to grips with.</p> <p>Be present and check in with your team regularly, but trust that your employees will continue to excel, even from their kitchen table. A love of doing good work and helping people stay safe online brings us together at 1Password – that doesn’t just go away because we’re working from home. 
Your team is the same: The values that brought you together remain regardless of where you work.</p> <p>Introducing remote working can be a challenge at first, especially when the decision to do so is out of your control. But, it can also bring benefits to your business and employees – increased productivity, happiness, and better health – and may even be worth considering long term.</p> <section class="c-call-to-action-box"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Get more security tips</h3> <p class="c-call-to-action-box__text"> Subscribe to our business security newsletter and get advice on running a secure, productive workplace delivered directly to your inbox. </p> <form method="POST" class="oneline" accept-charset="UTF-8" action="https://flow.1passwordservices.com/api/v1/lead" data-event-category="Newsletter" data-event-action="form-newsletter" id="newsletterForm"> <div id="hidden-fields"> <input type="hidden" name="formSubmitted" value="Newsletter"> <input type="hidden" name="formId" value="c100b28e-6493-493f-b325-6a7f8b3cbb89"> </div> <input type="email" class="c-call-to-action-box__newsletter-email" name="email" placeholder="" required /> <input class="c-call-to-action-box__newsletter-button" type="submit" value="Sign up"> </form> <div class="c-call-to-action-box__text"> By signing up you agree to receive emails about the latest 1Password announcements, product updates, and events. <a class="c-newsletter-signup-form__gdpr--link" href="https://www.1password.co/email-preferences.html">Unsubscribe</a> any time. You also agree to our <a class="c-newsletter-signup-form__gdpr--link" href="https://1password.com/legal/terms-of-service/">terms of service</a> and <a class="c-newsletter-signup-form__gdpr--link" href="https://1password.com/legal/privacy/">privacy policy</a>. 
</div> </div> </section></description></item><item><title>Strengthen your identity strategy with 1Password and OneLogin</title><link>https://blog.1password.com/onelogin-and-1password/</link><pubDate>Thu, 27 Feb 2020 00:00:00 +0000</pubDate><author>info@1password.com (Jeff Shiner)</author><guid>https://blog.1password.com/onelogin-and-1password/</guid><description> <img src='https://blog.1password.com/posts/2020/one-login-intro/header.png' class='webfeedsFeaturedVisual' alt='Strengthen your identity strategy with 1Password and OneLogin' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">I&rsquo;m thrilled to announce that, starting today, we&rsquo;re partnering with OneLogin to make it easy for you to provision and manage your business accounts in 1Password. OneLogin is a leader in identity and access management (IAM), and this collaboration is something our customers have been requesting for quite some time.</p> <blockquote> <p>&ldquo;We are excited to partner with 1Password by creating a powerful integration for our joint customers that significantly reduces the work required to onboard new employees through our automated user provisioning.&rdquo; <strong>– Matt Hurly, VP, Global Channels and Strategic Alliances &amp; GM, Asia Pacific</strong></p> </blockquote> <p>Together, <a href="https://www.onelogin.com/">OneLogin</a> and <a href="https://1password.com/">1Password</a> give you the controls you need to make sure everyone in your company follows your password and security policies. 
Here’s how it works.</p> <h2 id="seamless-integration-with-your-workflow">Seamless integration with your workflow</h2> <p>The <a href="https://blog.1password.com/scim-bridge-release/">1Password SCIM bridge</a> gives you the ability to strengthen your identity strategy and manage your teams by folding 1Password into your already-established workflows.</p> <p>Now, with <a href="https://www.onelogin.com/partners/technology-partners/1password">OneLogin integration</a>, you have full control over the 1Password deployment process. You can create, update, and deprovision employee accounts in real time and easily set and enforce company-wide security policies, all from a central location.</p> <blockquote> <p>“We’ve been waiting for the release of this integration to link 1Password with OneLogin seamlessly. This will automate <a href="https://1password.com/features/user-management/">user management</a> and strengthen our security posture at BlaBlaCar by enabling all employees to secure their passwords. Now that it’s finally here, we can easily provision, deprovision, and manage groups and vaults through our identity provider.” <strong>– Andrews Delices, Head of IT, BlaBlaCar</strong></p> </blockquote> <h2 id="always-in-control">Always in control</h2> <p>The <a href="https://support.1password.com/scim/">SCIM bridge</a> delivers the high level of security and encryption that you expect from 1Password. OneLogin acts as a virtual directory in the cloud, synchronizing employees across all your directories, including Active Directory (AD), LDAP, Google Apps directory, OneLogin Cloud Directory, and HR directories.</p> <p>This self-hosted 1Password service is deployable with a single click from multiple cloud providers, or it can be easily integrated into your existing infrastructure. The SCIM bridge connects to your identity provider using SCIM (System for Cross-domain Identity Management), the industry-standard provisioning protocol, to facilitate the connection between OneLogin and 1Password. 
And, because the SCIM bridge runs within a system under your control, your account encryption keys also stay with you – right where they belong.</p> <h2 id="enforce-your-security-policies">Enforce your security policies</h2> <p>Rolling out 1Password using the SCIM bridge makes it easy to automate and enforce all your existing access, password, and security policies. You can even strengthen security further by using the SCIM bridge with <a href="https://1password.com/business/advanced-protection/">1Password Advanced Protection</a> to set Master <a href="https://1password.com/password-generator/">Password requirements</a>, create firewall rules, require up-to-date apps, and monitor sign-in attempts. Everything is in one place, making administration a breeze.</p> <p>Read how to <a href="https://support.1password.com/scim-onelogin/">connect OneLogin to the 1Password SCIM bridge</a> for help with setting up.</p> <section class="c-call-to-action-box"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Get started</h3> <p class="c-call-to-action-box__text"> Want to learn more? Our business team is ready to answer your questions. 
</p> <a href="support&#43;business@1password.com" class="c-call-to-action-box__link-href" data-event-category="CTA" data-event-action="call-to-action-button"> Contact our business team </a> </div> </section></description></item><item><title>Achieve a better work-life balance with 1Password Families</title><link>https://blog.1password.com/family-versus-business/</link><pubDate>Wed, 19 Feb 2020 00:00:00 +0000</pubDate><author>info@1password.com (Sarah Brown)</author><guid>https://blog.1password.com/family-versus-business/</guid><description> <img src='https://blog.1password.com/posts/2020/family-vs-business/header.png' class='webfeedsFeaturedVisual' alt='Achieve a better work-life balance with 1Password Families' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">When you practice secure password habits at home, those good habits will follow you into work. That&rsquo;s why, if your company uses 1Password Business, you get a free <a href="https://1password.com/personal/">1Password Families membership</a>. Your family account can be shared with up to five family members to help keep everyone more secure – no matter where they are.</p> <p>Your family account belongs to you, not your company. Your family and business accounts work independently from each other, meaning your information is never shared between them. 
Here&rsquo;s what you need to know about how your business and family accounts work to keep your personal information private and make sure all your data is safe.</p> <h2 id="no-details-shared">No details shared</h2> <p>With multiple accounts, it&rsquo;s easy to keep your personal and business data completely separate and see all your information together in the 1Password apps.</p> <p>Linked family accounts only share their subscription status with the business account, so business administrators can&rsquo;t see what&rsquo;s stored in your family account, how many items or vaults you have, or who you share your family account with. Your private data remains private.</p> <h2 id="private-even-from-us">Private, even from us</h2> <p>Your linked family account belongs solely to you, not your company, and your information is even kept <a href="https://1password.com/security/#privacy">private from the team at 1Password</a>. Everything you store in 1Password is encrypted and inaccessible to us. Personally identifiable information is never shared with third parties, and is only used by us to provide you with service and support.</p> <p>We firmly believe that your data is yours, and we don&rsquo;t want to know anything about it. We don&rsquo;t use it, we don&rsquo;t share it, and we don&rsquo;t sell it.</p> <h2 id="what-happens-when-you-leave">What happens when you leave?</h2> <p>Your 1Password Families membership is free to use as long as it&rsquo;s linked to a business account. But don&rsquo;t worry, you won&rsquo;t lose access to any of the information stored in your family account if you leave your job.</p> <p>When you leave the company, your family account is automatically unlinked from the business account and becomes frozen. Your data is kept safe and sound in a read-only state until you take further action. 
You can set up your own payment method to continue using your family account without interruption – until you convince your next company to sign up for <a href="https://1password.com/business/">1Password Business</a>.</p> <p>Are you ready to take advantage of your free 1Password Families membership? To get started, sign in to your business account and <a href="https://support.1password.com/link-family/">redeem your family account</a> from your profile page.</p> <section class="c-call-to-action-box"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Get more security tips</h3> <p class="c-call-to-action-box__text"> Subscribe to our business security newsletter and get advice on running a secure, productive workplace delivered directly to your inbox. </p> <form method="POST" class="oneline" accept-charset="UTF-8" action="https://flow.1passwordservices.com/api/v1/lead" data-event-category="Newsletter" data-event-action="form-newsletter" id="newsletterForm"> <div id="hidden-fields"> <input type="hidden" name="formSubmitted" value="Newsletter"> <input type="hidden" name="formId" value="c100b28e-6493-493f-b325-6a7f8b3cbb89"> </div> <input type="email" class="c-call-to-action-box__newsletter-email" name="email" placeholder="" required /> <input class="c-call-to-action-box__newsletter-button" type="submit" value="Sign up"> </form> <div class="c-call-to-action-box__text"> By signing up you agree to receive emails about the latest 1Password announcements, product updates, and events. <a class="c-newsletter-signup-form__gdpr--link" href="https://www.1password.co/email-preferences.html">Unsubscribe</a> any time. You also agree to our <a class="c-newsletter-signup-form__gdpr--link" href="https://1password.com/legal/terms-of-service/">terms of service</a> and <a class="c-newsletter-signup-form__gdpr--link" href="https://1password.com/legal/privacy/">privacy policy</a>. 
</div> </div> </section></description></item><item><title>Introducing 1Password 7.4 for Android</title><link>https://blog.1password.com/android-january-release/</link><pubDate>Fri, 07 Feb 2020 00:00:00 +0000</pubDate><author>info@1password.com (Michael Verde)</author><guid>https://blog.1password.com/android-january-release/</guid><description> <img src='https://blog.1password.com/posts/2020/opa74/header.png' class='webfeedsFeaturedVisual' alt='Introducing 1Password 7.4 for Android' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Congratulations on making it through January with some of your New Year&rsquo;s resolutions intact! While you’ve been sticking to your new exercise routine and drinking healthy smoothies, we’ve been blending up something new for you as well. And although convenience and security don’t make very tasty drink ingredients, they sure do go well with 1Password.</p> <p>Now I could try to introduce the hallmark features with words, but why do that when our What&rsquo;s New screen does it so much better?</p> <img src='https://blog.1password.com/posts/2020/opa74/Whats-New.png' alt='What&#39;s New in Android' title='What&#39;s New in Android' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <h2 id="create-vaults-on-the-go">Create vaults on the go</h2> <img src='https://blog.1password.com/posts/2020/opa74/New-Vault.png' alt='Create a new vault' title='Create a new vault' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>Vaults are great for organizing the items in your account at a very high level. For example, you may want to store all your travel essentials in one vault and your tax documents in an entirely different vault. In this update, you can exercise that desire to organize even while on the go. In just a few taps from the vault menu, you can create a new vault, give it a fitting name, and choose a unique icon. 
And with that, it’s now ready to store your latest secrets!</p> <h2 id="preview-your-logins-with-autofill">Preview your logins with Autofill</h2> <img src='https://blog.1password.com/posts/2020/opa74/Autofill-Preview-Step1.png' alt='Autofill preview' title='Autofill preview' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>When you visit the sign-in page of a website or an app, it’s helpful to know whether you already have a login available to <a href="https://1password.com/features/autofill/">autofill</a> or whether you need to create a new one. To enjoy this convenience, go to Settings &gt; Autofill and turn on Autofill previews.</p> <p>After you’ve turned on this feature, you’ll always see which logins are available when you want to sign in somewhere. To fill one, choose it and unlock 1Password. You don’t need to try to remember whether you’ve already created an account for an app or website. Learn more <a href="https://support.1password.com/android-autofill-security/">about Autofill security</a>.</p> <h2 id="use-your-usb-or-nfc-security-key">Use your USB or NFC security key</h2> <img src='https://blog.1password.com/posts/2020/opa74/Yubikey-OPA.gif' alt='Unlock with security key' title='Unlock with security key' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>The best security is done in depth, and you can now protect your 1Password account with an additional layer of security. To get started, <a href="https://support.1password.com/two-factor-authentication/">turn on two-factor authentication</a> for your account on 1Password.com and <a href="https://support.1password.com/security-key/">add your U2F-compatible security key</a>. 
When you sign in to your account in 1Password on your Android device, you’ll need your security key in addition to your <a href="https://support.1password.com/secret-key/">Secret Key</a> and Master Password – a little extra peace of mind for your most important data.</p> <h2 id="and-lots-more">And lots more…</h2> <p>On top of the great features above, there’s lots more to enjoy in this release as well:</p> <ul> <li>Use Autofill to update existing Login items in your vaults.</li> <li>Quickly sign up for new accounts now that Autofill handles the password confirmation field for you.</li> <li>View all items in a 1Password account by selecting the account in the Vault menu.</li> <li>Stay informed of the latest new features in each update with our What’s New screen.</li> <li>Search your logins when filling on websites using Autofill and Accessibility.</li> </ul> <p>And that&rsquo;s just for starters. Jump on over to the <a href="https://app-updates.agilebits.com/product_history/OPA4">full release notes</a> to read about the other improvements and fixes that are also included in this update.</p> <h2 id="available-now">Available now</h2> <p>1Password 7.4 for Android is a free update for all 1Password customers. It’s available now on Google Play, so keep an eye out for that update notification.</p> <p>We hope you love this update as much as we’ve loved building it for you! 
Be sure to let us know on <a href="https://play.google.com/store/apps/details?id=com.onepassword.android">Google Play</a>, <a href="https://twitter.com/1Password">Twitter</a>, and in the <a href="https://1password.community/categories/1password-android">1Password Support forum</a>.</p></description></item><item><title>New 1Password research reveals risks of shadow IT</title><link>https://blog.1password.com/challenges-of-shadow-it/</link><pubDate>Thu, 06 Feb 2020 00:00:00 +0000</pubDate><author>info@1password.com (Jeff Shiner)</author><guid>https://blog.1password.com/challenges-of-shadow-it/</guid><description> <img src='https://blog.1password.com/posts/2020/shadow-it/header.png' class='webfeedsFeaturedVisual' alt='New 1Password research reveals risks of shadow IT' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">From project management software to plugins that correct your grammar, it seems like a new tool for supercharging workers’ productivity launches every day. While that’s great for innovation, there’s a downside: the accounts employees create without a business’s authorization or awareness, known as shadow IT.</p> <p>At first glance, shadow IT might appear harmless. The problem is, without the oversight and direction of IT, it’s easy for employees to unwittingly create vulnerabilities in even the tightest of security setups.</p> <h2 id="how-prevalent-is-shadow-it">How prevalent is shadow IT?</h2> <p>There’s plenty of anecdotal evidence of how disruptive shadow IT accounts can be, but we wanted data.</p> <p>So, we surveyed a representative sample of 2,119 U.S. 
adults who work in an office with an IT department and use a computer for work (see end of post for methodology), and found that a staggering 63.5% (± 1.03) of respondents have created at least one account in the past 12 months that their IT department doesn’t know about:</p> <ul> <li>Yes 63.5% (± 1.03)</li> <li>No 36.5% (± 1.03)</li> </ul> <p>Of those that answered yes:</p> <ul> <li>32.4% (± 0.67) had created one account that their IT department doesn’t know about</li> <li>51.8% (± 0.67) had created between two and five accounts that their IT department doesn’t know about</li> <li>15.8% (± 0.67) had created more than five accounts that their IT department doesn’t know about</li> </ul> <p> <img src='https://blog.1password.com/posts/2020/shadow-it/creatiing-shadow-it.png' alt='Graph illustrating the creation of shadow IT accounts' title='Graph illustrating the creation of shadow IT accounts' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> </p> <p>What’s more troubling is that 33.2% (± 1.03) of people who have created shadow IT accounts reuse memorable passwords, and 48.2% (± 1.03) use a pattern of similar passwords. Only 2.6% (± 1.03) said that they use a unique password every time.</p> <p> <img src='https://blog.1password.com/posts/2020/shadow-it/choosing-password.png' alt='Graph illustrating password habits' title='Graph illustrating password habits' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> </p> <p> </p> <h2 id="the-dangers-of-shadow-it">The dangers of shadow IT</h2> <p>So, why is this a problem? Carlos in Marketing opens an Airtable account, and Anita in Legal uses Grammarly to check for grammatical errors. Often, these services are free to use and make it easier for employees to do their jobs. Ultimately that’s a good thing, right?</p> <p>But when employees use services without the authorization of the IT team, it brings risks. 
Say Carlos populates Airtable with customer data for his email campaigns, and Anita checks sensitive legal documents in Grammarly. Without thinking about it, they’re sharing a lot of important data with external companies that IT doesn’t even know about.</p> <p>If one of these services suffers a breach, the company won’t know it affects them, which leaves them powerless to secure their data after the event. It also means they’ll be unable to disclose it to their customers. This could leave any company facing costly fines and a huge loss of trust in its operations.</p> <p>And, when over <a href="https://www.verizon.com/about/news/verizon-2020-data-breach-investigations-report">80% of data and privacy breaches are due to poor password practices</a>, the risk multiplies when employees use weak, reused, or memorable passwords for the services they’ve signed up to. If those login details are compromised, attackers could use that information to access other accounts, which may also hold sensitive data.</p> <h2 id="who-has-access">Who has access?</h2> <p>Shadow IT can also cause problems when an employee quits or is fired; 20.5% (±0.40) of those surveyed reported getting locked out of a work account because a colleague left the company.</p> <p>But who loses access isn’t the only concern: If an employee leaves, they’ll retain access to the accounts they’ve created outside of IT’s purview. At worst, this company data could be shared with a competitor; at best, it’s left dormant and hidden, but it still puts the company at risk if the service is breached.</p> <p>Our research also found that 37.0% (± 2.04) of respondents had shared an account with a colleague. The most popular methods of <a href="https://1password.com/features/secure-password-sharing/">password sharing</a> were worryingly insecure, with email (39.7% (± 1.46)) and instant messenger (16.9% (± 1.46)) coming out on top. 
Here’s the full breakdown:</p> <p>Have you ever shared an account or website login with a colleague?</p> <ul> <li>Yes 37.0% (± 2.04)</li> <li>No 63.0% (± 2.04)</li> </ul> <p>Those who answered &ldquo;yes&rdquo; used the following methods to share passwords:</p> <ul> <li>39.7% (± 1.46) email</li> <li>16.9% (± 1.46) instant messenger</li> <li>13.7% (± 1.46) password manager</li> <li>11.4% (± 1.46) spreadsheet or similar</li> <li>9.2% (± 1.46) verbally</li> <li>4.9% (± 1.46) written on paper</li> <li>4.3% (± 1.46) other</li> </ul> <p> <img src='https://blog.1password.com/posts/2020/shadow-it/password-sharing.png' alt='Graph illustrating how colleagues share passwords' title='Graph illustrating how colleagues share passwords' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> </p> <p>Even more concerning are the password habits of those using insecure digital methods (for example, instant messenger, email, spreadsheet) to share these passwords – 51.1% (± 0.99) use a pattern of memorable passwords, and 37.8% (± 0.99) will reuse passwords.</p> <p>That means 88.9% (± 0.99) of people who share passwords through insecure digital methods either use password patterns or reuse passwords. It’s a huge risk to share passwords insecurely online, and it’s even riskier when those passwords could be used to access other accounts.</p> <h2 id="understanding-unseen-passwords">Understanding unseen passwords</h2> <p>The problem is two-fold: The symptom of shadow IT is unseen passwords. Your business may have a system in place for securing the credentials of the accounts they’ve approved, but what about when people start using services outside that list?</p> <p>These login details may be stored on employees’ phones, in cloud-hosted spreadsheets, or in plain-text documents, creating untraceable holes in a business’s security. That’s on top of the risks we’ve already detailed above.</p> <p>But banning shadow IT altogether has its drawbacks. 
It slows employee productivity as every new service or app will need approval from the IT department, creating a bottleneck and more work for everyone. It also halts innovation and creates resistance to finding new and better ways of working. Businesses need to find a way to bring it all back under their control without hindering their employees’ ability to excel in their roles.</p> <h2 id="security-facilitates-innovation">Security facilitates innovation</h2> <p>To overcome this and encourage productivity and process improvements, businesses must <a href="https://blog.1password.com/remote-work-shadow-it/">create a safer environment in which shadow IT can exist</a>, rather than banning it outright.</p> <p>Businesses that use a <a href="https://1password.com/password-manager/">password manager</a> like 1Password are better positioned to secure any account, whether they know about it or not – employees can generate strong, unique passwords and save them in a secure and shareable way. This addresses the inclination to reuse passwords or share them using insecure methods.</p> <p>We’re growing our teams responsible for customer education because we know that when it comes to security, it needs to feel easy and convenient. When it does, over time, employees’ confidence grows and security habits change for the better.</p> <p>These practices need to continue at home, too, which is why we offer a free <a href="https://1password.com/personal/">1Password Families</a> membership to everyone who uses <a href="https://1password.com/business/">1Password Business</a>. When security is seamlessly integrated into employees’ professional and personal lives, it makes them inherently more aware of the risks associated with opening new accounts and the importance of securing their credentials.</p> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div class="c-technical-aside-box__description"> <p>Worried about shadow IT? 
Learn how to control and reduce the risks associated with shadow IT in our <a href="https://www.1password.university/learn/course/external/view/elearning/443/humanizing-shadow-it-with-1password-and-kolide">free 1Password University course</a>.</p> </div> </aside> <p>After those good security habits are in place, even accounts outside the view of the IT team will be protected with a strong and unique password. And if these credentials are stored securely, they’ll remain in your hands, even after an employee leaves.</p> <p>By catching and protecting the accounts IT doesn’t know about, 1Password is uniquely situated to solve the issue of shadow IT and unseen passwords – without slowing productivity, stifling innovation, or creating bottlenecks.</p> <h2 id="methodology">Methodology</h2> <p>These results are based on the December 2019 polling of a representative sample of 2,119 American adults (18+) via SurveyMonkey&rsquo;s Audience platform. Survey respondents were paid.</p> <section class="c-call-to-action-box"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Get more security tips</h3> <p class="c-call-to-action-box__text"> Subscribe to our business security newsletter and get advice on running a secure, productive workplace delivered directly to your inbox. 
</p> <form method="POST" class="oneline" accept-charset="UTF-8" action="https://flow.1passwordservices.com/api/v1/lead" data-event-category="Newsletter" data-event-action="form-newsletter" id="newsletterForm"> <div id="hidden-fields"> <input type="hidden" name="formSubmitted" value="Newsletter"> <input type="hidden" name="formId" value="c100b28e-6493-493f-b325-6a7f8b3cbb89"> </div> <input type="email" class="c-call-to-action-box__newsletter-email" name="email" placeholder="" required /> <input class="c-call-to-action-box__newsletter-button" type="submit" value="Sign up"> </form> <div class="c-call-to-action-box__text"> By signing up you agree to receive emails about the latest 1Password announcements, product updates, and events. <a class="c-newsletter-signup-form__gdpr--link" href="https://www.1password.co/email-preferences.html">Unsubscribe</a> any time. You also agree to our <a class="c-newsletter-signup-form__gdpr--link" href="https://1password.com/legal/terms-of-service/">terms of service</a> and <a class="c-newsletter-signup-form__gdpr--link" href="https://1password.com/legal/privacy/">privacy policy</a>. 
</div> </div> </section></description></item><item><title>Privacy by default with Brendan Eich from Brave</title><link>https://blog.1password.com/brave-default-privacy/</link><pubDate>Tue, 04 Feb 2020 00:00:00 +0000</pubDate><author>info@1password.com (Sarah Brown)</author><guid>https://blog.1password.com/brave-default-privacy/</guid><description> <img src='https://blog.1password.com/posts/2020/brave-survelliance-capitalism/header.png' class='webfeedsFeaturedVisual' alt='Privacy by default with Brendan Eich from Brave' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">This week on <a href="https://randombutmemorable.simplecast.com/">Random but Memorable</a>, we welcome Brendan Eich, Co-founder and CEO of <a href="https://brave.com/">Brave Software</a> and <a href="https://basicattentiontoken.org/">Basic Attention Token</a>. Brendan previously co-founded Mozilla, where he helped launch Firefox, and is the creator of JavaScript. Today, he works with Brave to help people protect their privacy online.</p> <p>If you want to know who can access your information while you surf the web, and how you can take back control, then read on.</p> <h2 id="what-is-surveillance-capitalism">What is surveillance capitalism?</h2> <p>Most websites you visit have ads or links with trackers that are designed to associate or identify you. These trackers then follow every move you make online, collecting more information as you browse. When you use <a href="https://1password.com/resources/guides/why-you-should-have-sso/">single sign-on (SSO)</a> options like Google, Facebook, Apple, or Twitter, they even follow you across devices. That’s why ads for coats start appearing on your mobile after you’ve been shopping for one on your PC.</p> <p>That information is then shared with marketers, publishers, and companies, so they can target you with ads tailored to catch your attention. 
You and your data become the product, leaving you vulnerable to malware and ad fraud.</p> <h2 id="how-can-you-protect-yourself">How can you protect yourself?</h2> <p>Your data belongs to you, and you should control who can access it. Luckily, there are a few ways you can protect yourself.</p> <ul> <li> <p><strong>Use an ad blocker extension.</strong> Ad blockers prevent advertisements from being displayed in your browser, which reduces the risk of tracking or clicking a malicious link.</p> </li> <li> <p><strong>Use a privacy-focused browser.</strong> Brave protects you by default, breaking almost all advertising and blocking any tracking scripts.</p> </li> <li> <p><strong>Pay for premium service</strong>. Many websites or apps give you the option of paying for a premium, ad-free version of their software. As they’re funded by paying customers, they’re less dependent on ads to generate revenue, so have less need to track you.</p> </li> </ul> <h2 id="whats-the-impact">What&rsquo;s the impact?</h2> <p>Though only a small percentage of people use their browser to block ads and trackers, the numbers are growing. And it has an impact. We’re seeing that impact in new privacy regulations designed to protect consumers, which are being rolled out all over the world.</p> <p>But protecting people from tracking and data collection has collateral damage for publishers. Publishers and marketers need something as simple for them to use as current ad tech is, but without the tracking.</p> <p>The ideal is to strike a balance that works for all invested parties – to give marketers a way to share ads at the opportune time, while providing you with a way to turn off ads if you want. 
Blocking ads by default in a browser like Brave gives you options for giving back, but the ultimate goal is to keep users safe.</p></description></item><item><title>Make the most of 1Password Business with reports</title><link>https://blog.1password.com/magic-of-1password-reports/</link><pubDate>Wed, 22 Jan 2020 00:00:00 +0000</pubDate><author>info@1password.com (Sarah Brown)</author><guid>https://blog.1password.com/magic-of-1password-reports/</guid><description> <img src='https://blog.1password.com/posts/2020/business-using-reports/header.png' class='webfeedsFeaturedVisual' alt='Make the most of 1Password Business with reports' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">You&rsquo;ve set up <a href="https://1password.com/business/">1Password Business</a> for your team, but how do you make sure everyone uses it? With reports, you can track how your team uses 1Password and give everyone access to what they need. If anything doesn&rsquo;t look right, it&rsquo;s easy to take action.</p> <p>Here&rsquo;s how you can use <a href="https://support.1password.com/reports/">reports</a> to help your team succeed and make the most out of <a href="https://1password.com/business/">1Password Business</a>.</p> <h2 id="understand-employee-needs">Understand employee needs</h2> <p>Reports hone in on the heart of your company: the people. Everyone slots 1Password into their workflow in a way that best suits their needs. To learn how an employee uses 1Password, create a usage report. It tells you when they last signed in and how many vaults, groups, and items they can access. 
You&rsquo;ll also see a list of all the shared items they&rsquo;ve used and when they last used them.</p> <img src='https://blog.1password.com/posts/2020/business-using-reports/usagereport-user.png' alt='1Password Usage Report for specified user' title='1Password Usage Report for specified user' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>You can use the item list to help you decide what they need access to. To make it easier, sort the item list by vault, or focus the report around a specific vault. If they haven&rsquo;t used any items in a vault, or they&rsquo;ve used items they shouldn&rsquo;t have, you may want to reduce their access.</p> <p>Usage reports also highlight employees that aren’t using 1Password, or that haven&rsquo;t for a while, so you can intervene early and offer training or support. They might need help getting started with 1Password, or they may not have access to the items they need.</p> <p>Usage reports also come in handy when someone leaves the company. Before you delete their account, create a report so you have a list of <a href="https://1password.com/features/secure-password-sharing/">shared passwords</a> to change. It&rsquo;s much easier than changing every single password in every vault they had access to.</p> <h2 id="see-who-uses-shared-information">See who uses shared information</h2> <p>A password manager is the easiest and most secure way to share and maintain passwords among colleagues. If you haven’t already, it’s time to say goodbye to unsafe practices like using shared spreadsheets or public-facing whiteboards to track and share passwords. 
Instead, use vaults in 1Password to store and organize everything.</p> <img src='https://blog.1password.com/posts/2020/business-using-reports/usagereport-vault.png' alt='1Password Usage Report for specified vault' title='1Password Usage Report for specified vault' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>To learn how people use a specific vault, create a vault report. You&rsquo;ll see when the vault was created and last updated, and the number of people and groups with access to it. You&rsquo;ll also see a list of vault items, including when each person last accessed them.</p> <p>You can use the vault report to help you organize information and decide who needs access to it. Sort the item list by title to see who uses each item, and which items are most popular. You may want to move less-used or sensitive items into a vault shared with fewer people. Or, if you see the vault is being used for items it wasn&rsquo;t intended for, you could create a new vault for that purpose.</p> <img src='https://blog.1password.com/posts/2020/business-using-reports/usagereport-select.png' alt='1Password Usage Report - Selecting Person' title='1Password Usage Report - Selecting Person' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>If you&rsquo;d like to see how a specific employee uses the vault, choose them from People Included. If they&rsquo;ve used items they shouldn&rsquo;t have access to, or they haven&rsquo;t used the vault at all, you may want to remove them.</p> <h2 id="track-adoption-for-your-team">Track adoption for your team</h2> <p>While usage reports give you a granular look at how individual employees use 1Password, team reports pull back to give you a bird&rsquo;s-eye view of how your whole team is using it. 
A team report includes the total number of people, groups, and vaults, a list of everyone on the team, and details about their usage.</p> <p>When they last signed in and the number of devices they&rsquo;ve signed in from hint at how often they use 1Password. People with only one device haven&rsquo;t used the 1Password apps. And if they haven&rsquo;t signed in for a while, they may have forgotten their credentials. Reach out to see if they need help.</p> <p>The number of personal items helps you understand how people use their Private vault. Have they saved all their work accounts in 1Password, or only a handful? If they&rsquo;ve saved far more items than others, it could mean they&rsquo;re using it for personal data, too. Encourage them to redeem their <a href="https://support.1password.com/link-family/">free 1Password Families membership</a> for personal use.</p> <p>Many companies require two-factor authentication, and now you can find out who&rsquo;s turned it on for 1Password. To make it easier to see, sort by the 2FA column. It&rsquo;s a good way to assess adoption if you&rsquo;ve <a href="https://support.1password.com/two-factor-authentication/#manage-two-factor-authentication-for-your-team">enforced two-factor authentication</a>.</p> <h2 id="get-an-overview-of-your-business-account">Get an overview of your business account</h2> <p>Step out even further and create an overview report. This one is all about the numbers, with a breakdown of the people, vaults, and items in the account.</p> <img src='https://blog.1password.com/posts/2020/business-using-reports/usage-overview.png' alt='1Password Overview Report' title='1Password Overview Report' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>This dashboard view shows you how many people and guests are on your account, and whether they&rsquo;re active, suspended, or in recovery. 
Keep an eye on your guest count if you want to stick to the 20 included, and to make sure no one <a href="https://blog.1password.com/ghosts-passwords-past/">overstays their welcome</a>.</p> <p>Compare the number of items and vaults that are private and shared, so you can judge if you need to make any changes. You&rsquo;ll also see how many groups and devices are on the account, and your secure file storage.</p> <h2 id="make-the-most-of-1password-business">Make the most of 1Password Business</h2> <p>With reports, you&rsquo;ll have a better understanding of how your team uses 1Password. Use reports to measure adoption, organize your data, and increase your security. If you use 1Password Teams, you&rsquo;ll see the entire usage history for your account when you upgrade. <a href="https://support.1password.com/reports/">Learn how to create reports in 1Password Business</a>.</p> <p>Is there another report you&rsquo;d like to create in 1Password? <a href="mailto:business@1password.com">Let us know</a>!</p> <section class="c-call-to-action-box c-call-to-action-box--yellow"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Sign up for 14 days free</h3> <p class="c-call-to-action-box__text"> Use reports in 1Password Business and set your team up for success. 
</p> <a href="https://1password.com/pricing/" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--yellow" data-event-category="CTA" data-event-action="call-to-action-button"> Try 1Password Business </a> </div> </section></description></item><item><title>Yubico’s Stina Ehrensvärd on security keys and second layers</title><link>https://blog.1password.com/interview-with-stina-ehrensvard/</link><pubDate>Tue, 14 Jan 2020 00:00:00 +0000</pubDate><author>info@1password.com (Sarah Brown)</author><guid>https://blog.1password.com/interview-with-stina-ehrensvard/</guid><description> <img src='https://blog.1password.com/posts/2020/rbm-yubico-interview/header.png' class='webfeedsFeaturedVisual' alt='Yubico’s Stina Ehrensvärd on security keys and second layers' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">We&rsquo;re kicking off the new year on our podcast, Random but Memorable, by <a href="https://randombutmemorable.simplecast.com/episodes/lego-llama-web-standard">talking with Stina Ehrensvärd</a>, co-founder and CEO of <a href="https://www.yubico.com/">Yubico</a>. Stina started the company in 2007 with her husband, a former white hat hacker, after realizing just how easy it would have been to hack her bank account.</p> <p>If you&rsquo;re wondering how a security key or other external two-factor authentication (2FA) device could benefit you or your business, read on to learn more.</p> <h2 id="what-is-a-security-key">What is a security key?</h2> <p>A <a href="https://blog.1password.com/introducing-support-for-u2f-security-keys/">security key</a> is a small physical device that adds a second layer of protection to your online accounts. When two-factor authentication is turned on for your accounts, you are prompted to use your second factor any time you sign in from a new device. A small security key like Yubico&rsquo;s YubiKey fits in your pocket. 
It can be used as an extra layer of protection on 1Password, Google, macOS, Firefox, and more.</p> <p>Support for these keys is built into most web browsers via Yubico’s new <a href="https://blog.1password.com/what-is-webauthn/">WebAuthn</a> API, creating what Stina calls “the seatbelt for the internet”. WebAuthn is backward-compatible with Universal 2nd Factor (U2F), so any certified U2F security key will work with the WebAuthn-enabled flow. We&rsquo;re excited to join Google and GitHub as some of the first to adopt the new browser standard developed by Yubico.</p> <h2 id="does-a-security-key-replace-my-passwords">Does a security key replace my passwords?</h2> <p>Although a security key provides extra protection, it doesn&rsquo;t eliminate the need for passwords. Passwords are still the industry standard for online accounts, and that isn&rsquo;t changing anytime soon. Security keys, like biometric authentication, work with your strong, unique passwords to protect your account against hackers. However, biometric authentication like Face ID and fingerprints operates within a margin of error.</p> <p>&ldquo;What I like about using YubiKey and a password or PIN, is that it&rsquo;s exact. It&rsquo;s 100 percent or nothing”, says Stina.</p> <p>This dual setup provides a higher level of hardware-based security by allowing you to use the same security key across multiple services, browsers, and applications. Although combining a <a href="https://1password.com/password-manager/">password manager</a> with a security key provides the best protection, adding a second factor doesn&rsquo;t mean you can get away with a weaker Master Password or reusing the same password across multiple sites. <a href="https://blog.1password.com/how-to-protect-yourself-from-password-reuse-attacks/">Password reuse</a>, or using the same password for multiple accounts, leaves you vulnerable to hackers and account lockouts. 
That&rsquo;s why your Master Password, which is used for the encryption of your data, is still instrumental in protecting your 1Password account.</p> <h2 id="who-needs-an-external-authenticator">Who needs an external authenticator?</h2> <p>If you or your business has dealt with the fallout of a breach or hack, you know how much trouble it causes. Adding an external authentication factor gives you peace of mind that your accounts are protected. Apps like Google Authenticator use your phone to add this second layer by prompting you to open the app and type out the six-digit code.</p> <p>However, using your phone as your single authenticator and login method only works if you always have your phone on hand. It can pose a problem if you’re not allowed to bring a phone onsite, or if it’s ever lost or stolen. Using a security key instead of an app allows you to access your accounts without needing your phone. “I’m not advocating that hardware is the solution for everything, but if you want good security, it’s proven to work,” says Stina.</p> <p>Using a password manager and combining it with a physical security key like YubiKey eliminates the chances of being hacked remotely, giving you peace of mind when it comes to the safety of your data.</p> <p>“The internet was not designed for security, it was designed for sharing&rdquo;, Stina explains. This is the problem that inspired Yubico’s mission, which is to develop a standard that will help every person on the planet to be more secure.</p> <p>If you’re interested in learning more about how a security key could protect you, <a href="https://randombutmemorable.simplecast.com/episodes/lego-llama-web-standard">listen to this week’s podcast</a>. 
If you have a YubiKey already, you can register it with your 1Password account by following <a href="https://support.1password.com/security-key/">these setup instructions</a>.</p> <section class="c-call-to-action-box"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Get more security tips</h3> <p class="c-call-to-action-box__text"> Subscribe to our business security newsletter and get advice on running a secure, productive workplace delivered directly to your inbox. </p> <form method="POST" class="oneline" accept-charset="UTF-8" action="https://flow.1passwordservices.com/api/v1/lead" data-event-category="Newsletter" data-event-action="form-newsletter" id="newsletterForm"> <div id="hidden-fields"> <input type="hidden" name="formSubmitted" value="Newsletter"> <input type="hidden" name="formId" value="c100b28e-6493-493f-b325-6a7f8b3cbb89"> </div> <input type="email" class="c-call-to-action-box__newsletter-email" name="email" placeholder="" required /> <input class="c-call-to-action-box__newsletter-button" type="submit" value="Sign up"> </form> <div class="c-call-to-action-box__text"> By signing up you agree to receive emails about the latest 1Password announcements, product updates, and events. <a class="c-newsletter-signup-form__gdpr--link" href="https://www.1password.co/email-preferences.html">Unsubscribe</a> any time. You also agree to our <a class="c-newsletter-signup-form__gdpr--link" href="https://1password.com/legal/terms-of-service/">terms of service</a> and <a class="c-newsletter-signup-form__gdpr--link" href="https://1password.com/legal/privacy/">privacy policy</a>. 
</div> </div> </section></description></item><item><title>How to use 1Password for Android</title><link>https://blog.1password.com/setup-new-android-device/</link><pubDate>Tue, 24 Dec 2019 00:00:00 +0000</pubDate><author>info@1password.com (Michael Verde)</author><guid>https://blog.1password.com/setup-new-android-device/</guid><description> <img src='https://blog.1password.com/posts/2019/december-android-post/header.png' class='webfeedsFeaturedVisual' alt='How to use 1Password for Android' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Lucky enough to have found a new Android device under the tree this Christmas? Here&rsquo;s how to set it up so you can take it for a spin.</p> <p>I recently <a href="https://blog.1password.com/1password-on-pixel4/">upgraded to a Pixel 4 XL</a>, and I have a few tips and tricks to share for getting your shiny new phone up and running with <a href="https://support.1password.com/upgrade-android/">1Password 7 for Android</a>.</p> <h2 id="how-to-set-up-and-use-1password-for-android">How to set up and use 1Password for Android</h2> <img src='https://blog.1password.com/posts/2019/december-android-post/ChoosePlan.png' alt='Choose a plan' title='Choose a plan' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>First things first: If you don&rsquo;t already have one, <a href="https://1password.com/pricing/">sign up for a 1Password account</a>. With <a href="https://blog.1password.com/1password-7-1-for-android-super-awesome-edition/">1Password 7.1 for Android</a>, we made it quick and easy to sign up and set up your subscription through Google Play billing.</p> <p>Take your time creating your <a href="https://blog.1password.com/toward-better-master-passwords/">Master Password</a>. 
Your Master Password plays an important role in protecting your data, so you want to go with something that&rsquo;s memorable to you but unguessable to anyone else.</p> <p>If you already have a 1Password account, <a href="https://support.1password.com/add-account/">scan your setup code</a> to add your 1Password account to your new device.</p> <h2 id="the-perfect-setup">The perfect setup</h2> <p>There are a few <a href="https://1password.com/products/">1Password features</a> I&rsquo;d recommend enabling or tweaking as soon as you set up.</p> <p>The first thing I&rsquo;d suggest is getting 1Password to automatically check for any vulnerable passwords you have. This will help you identify any passwords that have been reused or included in a data breach, so you can replace them with something stronger.</p> <p>Then, turn on both Autofill and Accessibility. These features allow you to get the most out of 1Password by detecting the appropriate Login item to autofill into apps and websites for you. No more tapping out long passwords. Just open and click!</p> <img src='https://blog.1password.com/posts/2019/december-android-post/pixel4-enable-face-unlock.gif' alt='Enable Face Unlock' title='Enable Face Unlock' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>Enable <a href="https://1password.com/resources/guides/using-biometrics-fingerprint-as-password/">Biometric Unlock</a> on your phone right away so you can unlock 1Password without typing in your Master Password. Just glance at your phone or tap your fingerprint to log in, and you&rsquo;re ready to go.</p> <p>Speaking of locking, you have the option to tweak those lock settings to your liking. Personally, I like to turn off &ldquo;lock on exit&rdquo; and instead choose to have 1Password lock automatically after 2 minutes of being idle. 
This allows me to open and flip between apps for short periods without having to repeatedly unlock 1Password.</p> <p>With 1Password for Android 7.2 we added support for a <a href="https://blog.1password.com/1password-7-2-for-android-dark-theme-rises/">system-wide Dark Theme</a>. You can tell 1Password to use the Light Theme or Dark Theme exclusively, or you can do what I do and let 1Password follow the system default.</p> <h2 id="download-your-other-apps">Download your other apps</h2> <img src='https://blog.1password.com/posts/2019/december-android-post/Autofill-03.png' alt='Autofill username and passwords' title='Autofill username and passwords' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>Once 1Password is set up, you&rsquo;re ready to start downloading and signing in to all of your other apps. If you&rsquo;ve already had your Login items for your apps stored and saved in 1Password, Autofill takes care of filling those in for you. Just a click and you&rsquo;re signed in!</p> <p>And if you don&rsquo;t have your credentials for an app already saved in 1Password? You can easily <a href="https://support.1password.com/android-filling/">create a new Login item</a> without ever having to leave the app. I love how much this speeds up the setup process, getting me to the fun parts much more quickly.</p> <p>Did you get a brand new Android from Santa this year? Let us know about your favorite features on Google Play, <a href="https://twitter.com/1Password">Twitter</a>, or the <a href="https://1password.community/">1Password Forums</a>.</p> <section class="c-call-to-action-box c-call-to-action-box--yellow"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Sign up for 14 days free!</h3> <p class="c-call-to-action-box__text"> If you want to try 1Password on your brand new Android device, sign up now for a 14-day free trial! 
</p> <a href="https://1password.com/pricing/" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--yellow" data-event-category="CTA" data-event-action="call-to-action-button"> Try 1Password FREE </a> </div> </section></description></item><item><title>1Password X 1.17: New brain, new menu, and even more accessible</title><link>https://blog.1password.com/1passwordx-december-2019-release/</link><pubDate>Wed, 04 Dec 2019 00:00:00 +0000</pubDate><author>info@1password.com (Sarah Brown)</author><guid>https://blog.1password.com/1passwordx-december-2019-release/</guid><description> <img src='https://blog.1password.com/posts/2019/b5x-november-release/header.png' class='webfeedsFeaturedVisual' alt='1Password X 1.17: New brain, new menu, and even more accessible' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">1Password X harnesses the power of your 1Password account to fill and save passwords, view and edit items, and more – all in your browser. And with today&rsquo;s release, 1Password X gets even better! Here&rsquo;s what&rsquo;s new in 1Password X 1.17.</p> <h2 id="new-filling-brain-written-in-rust">New filling brain written in Rust</h2> <p>1Password&rsquo;s filling brain is the technology responsible for autofilling your information. The brain analyzes webpages in the background so it can suggest relevant items to fill in the available fields.</p> <p>In 1Password X 1.17, we&rsquo;ve completely rewritten the brain in <a href="https://rustwasm.github.io/docs/book/">Rust and WebAssembly</a>. 
Rust gives us a boost in both speed and portability – making it smarter, faster, and more embeddable in all our apps.</p> <p>Not to get too technical on you, but we&rsquo;re now using Rust libraries to power many parts of the extension, including all <a href="https://support.1password.com/markdown/">Markdown parsing</a> and <a href="https://support.1password.com/one-time-passwords/">time-based one-time password (TOTP) generation</a>. By taking advantage of Rust&rsquo;s ability to compile to WebAssembly, we can now share this implementation across all of our apps.</p> <h2 id="new-inline-menu">New inline menu</h2> <p>The inline menu gives you <a href="https://1password.com/features/autofill/">autofill</a> suggestions as you browse the web, and now it&rsquo;s faster than ever. With a single click, you can use &ldquo;Hide on this page&rdquo; to stop the inline icon and menu from appearing on specific pages. When you&rsquo;re ready for it to show up again just restart your browser.</p> <p>We also make things easier for people with multiple Google accounts. When signing in to Google, all Login items with a matching username are automatically sorted to the top.</p> <h2 id="accessibility">Accessibility</h2> <p>We want everyone to be able to access their accounts with ease. That&rsquo;s why we followed the web accessibility spec defined by <a href="https://www.w3.org/WAI/ARIA/apg/">WAI-ARIA, the Accessible Rich Internet Applications Suite</a> when we rewrote the inline menu. WAI-ARIA works to establish the best way to create web content and web applications to make them more accessible to people with disabilities.</p> <p>Here are the accessibility improvements in 1Password X:</p> <ul> <li><strong>List item selector</strong>. Use your keyboard to open the item list selector from anywhere within the pop-up.</li> <li><strong>Screen reader support</strong>. We let screen readers know 1Password is available by stating &ldquo;1Password menu available. 
Press the down arrow key to select&rdquo;, when focusing in a field, selecting items, or changing the list type.</li> <li><strong>List navigation</strong>. Easily navigate the item list and item list selector using your keyboard. For example, pressing &ldquo;Home&rdquo; will select the first item in the list.</li> <li><strong>Type-ahead support</strong>. Both lists now support type-ahead, which allows you to start typing in the field and see the suggested items pop up for selection.</li> </ul> <h2 id="get-the-update-today">Get the update today</h2> <p>If you&rsquo;re a 1Password X user, you already have this update. Open your browser and enjoy!</p> <p>If you&rsquo;re new to 1Password X, you can download and install it from the <a href="https://chrome.google.com/webstore/detail/1password-%E2%80%93-password-mana/aeblfdkhhhdcdjpifhhbdiojplfjncoa?hl=en">Chrome Web Store</a> (supports Chrome, Chromium, Brave, Vivaldi, Opera, and Microsoft Edge) or the <a href="https://addons.mozilla.org/en-US/firefox/addon/1password-x-password-manager/?src=search">Firefox Add-ons Gallery</a>, where we are one of <a href="https://blog.1password.com/mozilla-extensions-program/">Mozilla&rsquo;s Recommended Extensions</a>.</p> <p>You can also <a href="https://1password.community/discussion/79610/how-to-install-1password-x-beta-in-chrome">join our beta</a> to be the first to enjoy new features as we add them. We have a lot more exciting features in the works and we can&rsquo;t wait to share them with you.</p> <section class="c-call-to-action-box c-call-to-action-box--yellow"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Sign up for 14 days free!</h3> <p class="c-call-to-action-box__text"> To take 1Password X for a spin and see if it fits your workflow, sign up for a free 14-day trial of 1Password today. 
</p> <a href="https://1password.com/pricing/?utm_source=blog/" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--yellow" data-event-category="CTA" data-event-action="call-to-action-button"> Try 1Password FREE </a> </div> </section></description></item><item><title>1Password SCIM bridge now available on the DigitalOcean Marketplace</title><link>https://blog.1password.com/announcing-scim-digitalocean/</link><pubDate>Fri, 29 Nov 2019 00:00:00 +0000</pubDate><author>info@1password.com (Jeff Shiner)</author><guid>https://blog.1password.com/announcing-scim-digitalocean/</guid><description> <img src='https://blog.1password.com/posts/2019/scim-digitalocean/header.png' class='webfeedsFeaturedVisual' alt='1Password SCIM bridge now available on the DigitalOcean Marketplace' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">I’m excited to announce that you can now install the <a href="https://blog.1password.com/scim-bridge-release/">1Password SCIM bridge</a> from the DigitalOcean Marketplace! The SCIM bridge makes it simple to automate many common administrative tasks in <a href="https://1password.com/business/">1Password Business</a> while keeping your account keys within your control.</p> <div style="text-align: center !important;"> <iframe src="https://www.youtube-nocookie.com/embed/92oqfsjHZGc" frameborder="0" allow="autoplay; encrypted-media" width="500px !important;" height="281px !important;" style="width: 500px !important; height: 281px !important; display: inline-block !important" allowfullscreen></iframe> </div> <p>This one-click install makes it easy to manage your team and control your 1Password account using the enterprise identity provider you’re already familiar with. 
Give your administrators a central place to:</p> <ul> <li>Create users and groups, including automated account confirmation</li> <li>Grant and revoke access to groups</li> <li>Suspend deprovisioned users</li> </ul> <h2 id="get-started-with-just-a-click">Get started with just a click</h2> <p>We’re thrilled to partner with <a href="https://marketplace.digitalocean.com/apps/1password-scim-bridge">DigitalOcean</a>. They make it easy to run and scale your applications, services, and environments in the cloud. Our <a href="https://support.1password.com/scim-deploy-digitalocean/">one-click application</a> allows you to quickly set up and deploy the SCIM bridge to a cluster in your environment. The SCIM bridge uses <a href="https://1password.com/security/">the same security as the rest of 1Password</a>, so the encryption keys for your account are only available to you and no one else.</p> <p>The 1Password SCIM bridge provides a SCIM 2.0-compatible web service that accepts OAuth bearer tokens for authentication, so you can use it with both <a href="https://support.1password.com/scim-azure-ad/">Azure Active Directory</a> and <a href="https://support.1password.com/scim-okta/">Okta</a>.</p> <blockquote> <p><em>“Having the SCIM bridge available as a one-click install from DigitalOcean opens up this feature to all businesses regardless of their internal IT setup. This means that more companies get to take advantage of the SCIM bridge’s incredible capabilities!”</em><br> <em>– Connor Hicks</em></p> </blockquote> <h2 id="get-down-to-business">Get down to business</h2> <p>Your business already has access, password, and security policies in place, and rolling out 1Password with the SCIM bridge makes it easy to automate and enforce them. 
And now with <a href="https://1password.com/business/advanced-protection/">1Password Advanced Protection</a> you can do even more!</p> <p><a href="https://1password.com/business/advanced-protection/">1Password Advanced Protection</a> gives you the ability to create Master <a href="https://1password.com/password-generator/">Password requirements</a>, set up required two-factor authentication, create firewall rules, require up-to-date apps, and even monitor sign-in attempts. The SCIM Bridge and 1Password Advanced Protection work together to make your account a breeze to administer.</p> <p>If you’re a <a href="https://1password.com/business/">1Password Business</a> administrator, take advantage of the power that the SCIM bridge has to offer and <a href="https://marketplace.digitalocean.com/apps/1password-scim-bridge">install it from the DigitalOcean Marketplace today</a>. For more information, <a href="mailto:support+business@1password.com">contact the 1Password Business team</a> or <a href="https://support.1password.com/scim-deploy-digitalocean/">get started on your own</a>.</p></description></item><item><title>From Black Friday to seasonal travel: how to stay safe over the holidays</title><link>https://blog.1password.com/stay-safe-this-holiday/</link><pubDate>Wed, 27 Nov 2019 00:00:00 +0000</pubDate><author>info@1password.com (Sarah Brown)</author><guid>https://blog.1password.com/stay-safe-this-holiday/</guid><description> <img src='https://blog.1password.com/posts/2019/safer-holiday-tips/header.png' class='webfeedsFeaturedVisual' alt='From Black Friday to seasonal travel: how to stay safe over the holidays' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">&lsquo;Tis the season for travel, shopping, and family visits, and this tends to leave us busy and distracted. 
Scammers and crooks like to take advantage of this, so here are some tips for staying safe and merry over the holidays.</p> <h2 id="no-holiday-promo-is-worth-risking-your-security">No holiday promo is worth risking your security</h2> <p>The holiday season brings a drastic increase in emails. Phishing scams are a favorite of cybercriminals, and the lasting popularity of online shopping has made email phishing even more effective. Be wary of emails with attachments like fake receipts or invoices. These files can expose your computer and account to malware, keyloggers, and ransomware when you open the attachment.</p> <p>Malicious links like false purchase verifications or shipping notifications offer prime opportunities for hackers to steal your login credentials. And if you’ve <a href="https://blog.1password.com/how-to-protect-yourself-from-password-reuse-attacks/">reused those login credentials on multiple sites</a> your other accounts may be vulnerable.</p> <img src='https://blog.1password.com/posts/2019/safer-holiday-tips/online-shopping.png' alt='Online Shopping' title='Online Shopping' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <h2 id="secure-your-wallet-when-shopping">Secure your wallet when shopping</h2> <p>Online shopping saves time during the busy holiday season. But the <a href="https://blog.1password.com/using-1password-for-safer-online-shopping/">price for this convenience could be increased risk</a>. It may be tempting to save your credit card information on a site for easy access, but not all websites are created equal when it comes to security.</p> <p>Use 1Password to securely store everything you need to make a purchase, from the expiration date to the CCV number on the back of the card. When it&rsquo;s time to check out, it only takes one click to fill everything you need. 1Password also protects you by checking the URL before suggesting items to <a href="https://1password.com/features/autofill/">autofill</a>. 
If the item you’re expecting to see isn’t suggested, double-check the URL to make sure you haven’t been sent to Amaz0n.com instead of Amazon.com.</p> <p>The best way to stay safe is to use a unique password for every site. After all, the more often a password is reused, the more likely it is to be compromised or stolen. Use Watchtower to check for weak or reused passwords, then use the <a href="https://support.1password.com/change-website-password/">strong password generator</a> to replace them with strong, unique ones.</p> <h2 id="keep-your-family-safe-and-connected">Keep your family safe and connected</h2> <p>The holidays can be hectic, and you may need your partner&rsquo;s credit card details to buy a last-minute gift. Or you need to know which flight your grandparents are on so you can meet them at the airport. And if you&rsquo;re the one traveling, you may need your parents’ new Wi-Fi password to survive the week.</p> <p>Help your family practice smart online security and share passwords securely with a <a href="https://1password.com/personal/">1Password Families account</a>. With a shared vault, you can quickly and safely share passwords for things like Netflix, bank accounts, Wi-Fi routers, and more. This holiday season, give your loved ones the tools they need to stay safe online without taking away their independence.</p> <img src='https://blog.1password.com/posts/2019/safer-holiday-tips/safe-travel.png' alt='Stay safe while traveling' title='Stay safe while traveling' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <h2 id="get-organized-before-you-hit-the-road">Get organized before you hit the road</h2> <p>Whether you&rsquo;re <a href="https://blog.1password.com/how-to-protect-your-digital-life-when-you-travel/">traveling to visit family or just escaping the snow this holiday season</a>, the contents of your devices need just as much protection as the items in your suitcase. 
When planning for a trip, take the time to <a href="https://blog.1password.com/storing-1password/">store any critical information</a> you&rsquo;ll need in 1Password. You can save details like emergency contact information for your airline, the code for your hotel safe, travel insurance details, and even copies of your passport.</p> <p>Before you head to the airport, <a href="https://blog.1password.com/protect-your-data-when-crossing-borders-with-1password/">turn on Travel Mode for your 1Password account</a>. This protects all the information in your account when you cross borders by temporarily removing it from your devices. When you reach your destination, <a href="https://support.1password.com/travel-mode/">turn off Travel Mode to restore your data</a>.</p> <h2 id="turn-on-two-factor-for-all-accounts">Turn on two-factor for all accounts</h2> <p>Add an extra layer of protection to your accounts with two-factor authentication. With two-factor authentication enabled, even someone who learns your password won&rsquo;t be able to access your account.</p> <p>1Password can even take care of any <a href="https://support.1password.com/one-time-passwords/">one-time password needs</a> for you, so you don&rsquo;t need to wait for an SMS message or use an additional app.</p> <p>And if you haven&rsquo;t already, now&rsquo;s a great time to turn on <a href="https://support.1password.com/two-factor-authentication/">two-factor authentication for your 1Password account</a>.</p> <section class="c-call-to-action-box c-call-to-action-box--yellow"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Get started with 1Password Families</h3> <p class="c-call-to-action-box__text"> Keep your family safe online with the world’s most loved password manager. Try 1Password Families free for 14 days. 
</p> <a href="https://start.1password.com/sign-up/family?l=en" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--yellow" data-event-category="CTA" data-event-action="call-to-action-button"> Start your free trial </a> </div> </section></description></item><item><title>What is CEO fraud? And what can your business do to prevent it?</title><link>https://blog.1password.com/stop-ceo-fraud/</link><pubDate>Wed, 20 Nov 2019 00:00:00 +0000</pubDate><author>info@1password.com (Jeff Shiner)</author><guid>https://blog.1password.com/stop-ceo-fraud/</guid><description> <img src='https://blog.1password.com/posts/2019/ceo-fraud/header.png' class='webfeedsFeaturedVisual' alt='What is CEO fraud? And what can your business do to prevent it?' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">CEO fraud is a simple scam that has cost businesses USD$26 billion worldwide since 2016, according to the FBI. We’re calling for CEOs to step up to protect their business. All it takes is a conversation.</p> <h2 id="what-is-ceo-fraud">What is CEO fraud?</h2> <p>1Password (like many others) has experienced a recent spate of phishing attempts. The team received emails from an attacker pretending to be me, asking for personal information. Although the scam wasn’t successful at 1Password, businesses all over the world have been less fortunate.</p> <p>CEO fraud is a form of BEC (Business Email Compromise). An attacker spoofs the email address of the CEO or poses as them in an email. In the message, they ask an employee to transfer money to an account they control, or to provide personal or financial information.</p> <p>Often, the message will invoke a sense of urgency and put pressure on employees to act quickly. Here’s a <a href="https://www.bbc.co.uk/news/technology-49857948">real example</a> that resulted in USD$8 million going missing.</p> <blockquote> <p>&ldquo;Hey, the deal is done. 
Please wire USD$8 million to this account to finalise the acquisition ASAP. Needs to be done before the end of the day. Thanks.&rdquo;</p> </blockquote> <p>If employees are in the middle of an important deal or eager to impress you, it’s easy to see how something like this could catch them off guard.</p> <h2 id="ceo-fraud-comes-in-different-forms">CEO fraud comes in different forms</h2> <p>In the example above, the email came from the CEO’s spoofed email address, and the attacker knew that a real deal was underway.</p> <p>Often, this type of attack will have a different reply-to address, tricking an unwitting staff member into sending valuable information to the person running the fraud. In some cases, the domain is just one or two characters different from the real company email address.</p> <p>Other attacks have been successful using just the name of the CEO. The email comes from a generic email address (Gmail, Yahoo, and so on), set up to look like the personal email of the CEO. Although the scam has many guises, it is essentially the same. A staff member receives an email, signed by someone important, asking for something valuable.</p> <p><a href="https://www.pandasecurity.com/en/mediacenter/security/fake-emails-avoid-risks/">60 percent of emails</a> involved in BEC scams don’t contain a link, so it’s difficult for security systems to detect them. Your team is your best defense. Everyone needs to be on the alert, but finance, HR, and executives are the most likely targets.</p> <h2 id="its-for-time-ceos-to-take-action">It’s time for CEOs to take action</h2> <p>We’re campaigning to raise awareness of CEO fraud in a bid to tackle it head-on, and we’re calling for CEOs to commit to doing the same. Your authority and influence have the power to really make a difference here.</p> <p>You need to have a conversation with your employees. Let them know that you will never ask them to make a payment or to send personal information over email. 
When your employees are armed with the knowledge of how to spot and stop fraud, they’re much less likely to be manipulated into complying.</p> <p>To help, we’ve put together a template to send your employees or use to guide meetings with your teams.</p> <blockquote> <p>Dear team,</p> <p>To tighten our security and protect our business, I’m writing to you to highlight a scam that’s costing businesses billions: CEO fraud.</p> <p>We, as a team, are our best line of defense against such attacks, so please take a moment to read this carefully.</p> <p><strong>What is CEO fraud?</strong></p> <p>CEO fraud is when an attacker impersonates the CEO or another high-level executive via email to request either a payment or the transmission of personal or financial information. The email may come from my company email address, an email address very similar to mine, or one that looks like a personal email. For example, CEO fraud could come from an email address like this:</p> <ul> <li><a href="mailto:ceoname@companydomain.com">ceoname@companydomain.com</a></li> <li><a href="mailto:ceoname@companyname1.com">ceoname@companyname1.com</a></li> <li><a href="mailto:ceoname@gmail.com">ceoname@gmail.com</a></li> </ul> <p><strong>Example CEO fraud emails</strong></p> <p>“Please pay USD$10,000 to this account to finalize the deal I’ve been working on. This needs to be done by the end of the day. Thank you for your help.”</p> <p>“I’ve forgotten the password and have been locked out of our banking system. Please send me the password ASAP as I need to close a deal today.”</p> <p><strong>What you can do about it</strong></p> <p>If you get an email from me or someone else in the company asking you to make a payment or send confidential information, question it. 
If you are unsure, ask the person who sent it either in person (if possible) or via another channel (phone, instant messenger) if the email is legitimate.</p> <p><strong>Report anything suspicious to [name] [email@domain.com].</strong></p> <p><strong>Most importantly, I will never ask you for the following in an email:</strong></p> <ul> <li>For you to make a payment</li> <li>Your own or company payment details (credit card numbers, bank details, and so on)</li> <li>Passwords, verification codes, or secret answers</li> <li>Personally identifiable information (phone number, personal email address, date of birth)</li> <li>To follow a link to sign in to a bank account</li> <li>For you to purchase iTunes or Google Play gift cards</li> </ul> <p><strong>If you ever get an email like this from me, report it immediately.</strong></p> <p>Thank you for your support in securing our business and protecting our employees.</p> <p>Regards,</p> <p>[CEO name]</p> </blockquote> <h2 id="make-it-a-company-wide-effort">Make it a company-wide effort</h2> <p>CEOs are valuable targets, and it&rsquo;s vital that they lead the charge against this scam. But they&rsquo;re not the only people in your organization vulnerable to Business Email Compromise. It could happen to anyone.</p> <p>To defend against this fraud in all its forms, make it company policy to never ask for this type of information in an email and provide training on the subject as part of your onboarding process. That way you’ll be protecting your employees from day one.</p> <p><a href="https://www.pandasecurity.com/en/mediacenter/security/fake-emails-avoid-risks/">91 percent of all cyberattacks</a> start with phishing, so although the focus is on spotting suspicious emails, it’s also a good time to go over the basics of spotting all types of phishing with your team.</p> <p>When employees feel confident and empowered when it comes to security, they’re more likely to make better decisions and spot scams. 
Remind them of the following good email security practices:</p> <ul> <li>Always question the legitimacy of any email. If something feels suspicious, double-check with the sender. Ideally, check in person. If you can’t, call or instant message them.</li> <li>Never reply to a request for personal information (for example, your Social Security number, phone number, home address) via email.</li> <li>Never send payment details, bank details, or passwords in an email. If someone sends you a link that takes you to a login screen, go to the website some other way (for example, via Google search, or by typing in the URL).</li> <li>Always scrutinize the email address of the sender, links, any URL you are directed to, or attachments you weren’t expecting.</li> <li>Be especially cautious of emails that trigger a warning banner or message.</li> </ul> <p>We hope that you will join us in raising awareness of CEO fraud and Business Email Compromise. The more we talk about it, the less effective it becomes. All it takes is a quick email – or better yet, a training session – to equip your team with the knowledge they need to stop this underhanded scheme in its tracks.</p> <section class="c-call-to-action-box"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Get more security tips</h3> <p class="c-call-to-action-box__text"> Subscribe to our business security newsletter and get advice on running a secure, productive workplace delivered directly to your inbox. 
</p> <form method="POST" class="oneline" accept-charset="UTF-8" action="https://flow.1passwordservices.com/api/v1/lead" data-event-category="Newsletter" data-event-action="form-newsletter" id="newsletterForm"> <div id="hidden-fields"> <input type="hidden" name="formSubmitted" value="Newsletter"> <input type="hidden" name="formId" value="c100b28e-6493-493f-b325-6a7f8b3cbb89"> </div> <input type="email" class="c-call-to-action-box__newsletter-email" name="email" placeholder="" required /> <input class="c-call-to-action-box__newsletter-button" type="submit" value="Sign up"> </form> <div class="c-call-to-action-box__text"> By signing up you agree to receive emails about the latest 1Password announcements, product updates, and events. <a class="c-newsletter-signup-form__gdpr--link" href="https://www.1password.co/email-preferences.html">Unsubscribe</a> any time. You also agree to our <a class="c-newsletter-signup-form__gdpr--link" href="https://1password.com/legal/terms-of-service/">terms of service</a> and <a class="c-newsletter-signup-form__gdpr--link" href="https://1password.com/legal/privacy/">privacy policy</a>. </div> </div> </section></description></item><item><title>1Password partners with Accel for continued growth</title><link>https://blog.1password.com/accel-partnership/</link><pubDate>Thu, 14 Nov 2019 00:00:00 +0000</pubDate><author>info@1password.com (Dave Teare)</author><guid>https://blog.1password.com/accel-partnership/</guid><description> <img src='https://blog.1password.com/posts/2019/accel-partnership/header.png' class='webfeedsFeaturedVisual' alt='1Password partners with Accel for continued growth' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">I wanted to be the first one to tell you: I&rsquo;m incredibly proud to announce that we&rsquo;ve partnered with Accel to help 1Password continue the amazing growth and success we&rsquo;ve seen over the past 14 years. 
Accel will be investing USD$200 million for a minority stake in 1Password. Along with the investment – their largest initial investment in their 35-year history – Accel brings the experience and expertise we need to grow further and faster.</p> <p>1Password is a completely bootstrapped company that’s never taken a dime of outside investment, so this announcement may surprise some of you. We’ve built the most-loved password manager and a world-class company, all while remaining profitable during our entire history. So why, after 14 years of self-funding, are we now partnering with Accel? That’s a great question. To answer it, let’s visit our founding heroes where it all began.</p> <h2 id="weve-come-so-far">We’ve come so far</h2> <p>When Roustem and I founded 1Password in 2005, we were trying to solve a simple problem. We were developing a lot of websites, and filling out forms to test them was time-consuming. We started a one-month passion project so we could get our work done more quickly. We thought others might enjoy this as well, so on May 19, 2006, we uploaded <a href="https://app-updates.agilebits.com/product_history/OPM2#v2024">the first version of “1Passwd”</a> to MacUpdate and VersionTracker.</p> <p>We were surprised by how many people loved it. Folks immediately began providing feedback, and we incorporated a lot of it into new releases, which led to more feedback which led to more late-night coding sessions. It was an incredible virtuous cycle. 🥰</p> <img src='https://blog.1password.com/posts/2019/accel-partnership/happy-founders-coding.png' alt='Happy Founders Coding. Yours truly is on the left and the illustrious Roustem Karimov is on the right.' title='Happy Founders Coding. Yours truly is on the left and the illustrious Roustem Karimov is on the right.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>Since then, 1Password has become more successful than we ever dreamed. 
It’s been humbling to watch as we’ve crossed one milestone after another. I still remember with fondness hiring our first employee, planning our first <a href="https://blog.1password.com/agconf9-adventures-on-the-high-seas/">AGConf</a>, recruiting my friend as CEO, opening our first office, and acquiring our first enterprise customer with over 300,000 employees.</p> <p>In fact, <em>millions</em> of people use 1Password every day, including hundreds of thousands of families. And we have <em>over</em> 50,000 (fifty thousand!) paying business customers, like Basecamp, Slack, and IBM – with employees who actually enjoy using 1Password.</p> <p>Being able to include IBM in that list is especially meaningful to me because I started my career at IBM as an intern in 1998, and they helped me create some of the best memories of my life.</p> <h2 id="weve-stayed-true-to-our-values">We’ve stayed true to our values</h2> <p>With all that growth, I’m proud that the company I co-founded still reflects our core values. In fact, they’ve gotten stronger. We’ve been able to grow our team to turn our values into reality faster than Roustem and I ever could have on our own.</p> <ul> <li><strong>Privacy.</strong> We’ve always believed that privacy is a human right, and that’s why 1Password doesn’t have ads or track you. We even have a dedicated Privacy Officer who has the authority to make sure this never changes.</li> <li><strong>Security.</strong> Everyone deserves to be safe online, so we created the most modern security design to protect your data. Our expanded security team was able to complete our SOC2 certification and offer the highest bug bounty on BugCrowd.</li> <li><strong>Love.</strong> Love is an unexpected company value, but we mean it. We poured our heart and soul into 1Password every day for the last 14 years to give customers like you the love you deserve.</li> </ul> <p>By growing our team we were able to double down on what’s most important to us. 
We want to do more, and we’re ready to take the next step.</p> <img src='https://blog.1password.com/posts/2019/accel-partnership/gang-of-four.jpg' alt='Our executive team, a.k.a. the Gang of Four. From left to right: Dave Teare, Jeff Shiner, Roustem Karimov, and Sara Teare.' title='Our executive team, a.k.a. the Gang of Four. From left to right: Dave Teare, Jeff Shiner, Roustem Karimov, and Sara Teare.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <h2 id="weve-made-a-new-friend">We’ve made a new friend</h2> <p>We’ve been turning down venture capital firms for as long as they’ve been courting us. We were profitable and didn’t see the value in partnering with someone else. It was fun to grow the company ourselves from 2 to 176, but just like when we hired our CEO, we’ve reached a point where we need expertise and guidance from those who’ve made this journey before.</p> <p>Thankfully, over the past 6 years we built a friendship with Arun Mathew from <a href="https://www.accel.com/">Accel</a>. Accel has a lot of experience growing sustainable, founder-led companies like ours. We’ve watched them partner with other companies and nurture the things that made those companies great in the first place, change the things that were holding them back, and – most importantly – know the difference between the two. 🙂</p> <p>Our friend Arun will be joining our board of directors along with Roustem, Sara, Jeff, and myself. For years we wanted the benefit of having an outside perspective, and we&rsquo;re thrilled to finally get it. Our relationship is a true partnership, not just an influx of cash. We’re not getting ready for an exit. We’re boarding a rocket ship.</p> <img src='https://blog.1password.com/posts/2019/accel-partnership/new-friends.jpg' alt='Group hug after sealing the deal in our St. Thomas, Ontario office. From left to right: Dan Levine, Natalia Karimova, Roustem Karimov, Arun Mathew, Dave Teare, Jeff Shiner, Sara Teare, Rich Wong.' 
title='Group hug after sealing the deal in our St. Thomas, Ontario office. From left to right: Dan Levine, Natalia Karimova, Roustem Karimov, Arun Mathew, Dave Teare, Jeff Shiner, Sara Teare, Rich Wong.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <h2 id="were-excited-for-the-future">We’re excited for the future</h2> <p>We have a whole list of things we want to do to make 1Password even better. With Accel at our side, we have an opportunity to execute on our vision at an even faster pace with the help of some really smart friends.</p> <ul> <li><strong>Privacy.</strong> Privacy is a human right. Our partnership with Accel helps ensure that we have the resources to not only stay at the forefront of the privacy landscape, but push the industry forward as well.</li> <li><strong>Security.</strong> Security is a process, not a product. 1Password already has the most modern security design, and Accel will help us take our processes, protections, and research to the next level.</li> <li><strong>Love.</strong> Love is what makes 1Password truly special. With Accel’s help, we’re going to triple down on providing the best user experience and the customer support you deserve. ❤️</li> </ul> <p>It’s important to me that you see the parallels between this list and the one I showed you earlier. <a href="https://www.accel.com/noteworthy/our-series-a-in-1password">Our partnership with Accel</a> doesn’t represent a change in direction. Our values are what make 1Password 1Password-y. They’ve guided us this far, and they’ll lead the way through the next 14 years and beyond. Partnering with Accel allows us to be more 1Password-y than ever.</p> <p>Whether you joined us on our journey 14 years ago or 14 days ago, I want to offer you a heartfelt thanks. We wouldn’t have reached this point without you, and we’re honored to have you aboard this rocket ship with us. 
🚀❤️</p> <img src='https://blog.1password.com/posts/2019/accel-partnership/agconf.png' alt='Our team at our annual cruise.' title='Our team at our annual cruise.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>P.S. While writing this announcement, I was overwhelmed by so many wonderful memories that we created over the past 14 years. There were too many to include here so I wrote <a href="https://dteare.medium.com/14-years-of-growth-the-1password-story-fbbf58ebe28b">14 years of growth: the 1Password story</a> to share our founding story in more detail. 😘</p></description></item><item><title>Use the SCIM bridge and the command-line tool to automate 1Password Business</title><link>https://blog.1password.com/automate-1password-business/</link><pubDate>Wed, 13 Nov 2019 00:00:00 +0000</pubDate><author>info@1password.com (Connor Hicks)</author><guid>https://blog.1password.com/automate-1password-business/</guid><description> <img src='https://blog.1password.com/posts/2019/automating-1password/header.png' class='webfeedsFeaturedVisual' alt='Use the SCIM bridge and the command-line tool to automate 1Password Business' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">As a developer, I love getting different services to work together. Automating things gives me more time to focus on what matters and I want you to have that power, too. So, I’m going to show you how your business can use the <a href="https://developer.1password.com/docs/cli/v1/get-started/">1Password command-line tool</a> and <a href="https://support.1password.com/scim/">1Password SCIM bridge</a> in perfect harmony to automate all sorts of administrative tasks. 
Let’s get to it.</p> <h2 id="speed-up-specific-tasks-using-the-command-line-tool">Speed up specific tasks using the command-line tool</h2> <p>With <a href="https://1password.com/business/">1Password Business</a>, it’s simple for even the biggest, most complex enterprise to manage their account using the command-line tool. Just type a command to perform common administrative tasks like adding items, granting access to vaults, managing groups, <a href="https://developer.1password.com/docs/cli/v1/usage/">and more</a> – all in Terminal.</p> <img src='https://blog.1password.com/posts/2019/automating-1password/find_out_who_has_access_inline.png' alt='illustration of terminal and iMac' title='illustration of terminal and iMac' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>But what should you try first? Something we hear from a lot of large businesses is that it’s difficult to see and manage exactly who has access to what. The 1Password command-line tool makes it easy. I’ll show you.</p> <p>To find out who has access to our Directors vault, I just type:</p> <p><code>op list users --vault=Directors</code></p> <p>Great! Now we have a list of people with direct access to the Directors vault. But while we&rsquo;re here, we should check which groups have access, too. Use:</p> <p><code>op list groups --vault=Directors</code></p> <p>That gives us a list of groups with access to that vault. Now, we need to check who belongs to those groups. So, for each of the groups we got from the last command, we can do:</p> <p><code>op list users --group=&lt;group uuid&gt;</code></p> <p>And with just a bit of deduplication (by user uuid, since the same person can hold direct access and also belong to several of those groups), we can see exactly who can use items from the Directors vault. It&rsquo;s easy to script with the command-line tool, because the output is all JSON.</p> <p>There’s so much you can do with the command-line tool, and we have lots of new features coming soon. 
Keep an eye on the blog for some exciting announcements.</p> <h2 id="manage-your-whole-team-with-the-scim-bridge">Manage your whole team with the SCIM bridge</h2> <p>Automating specific tasks is great, but we know that managing multiple services and online accounts can be a headache for your business. Luckily, enterprise identity providers make it easier. They make sure that everyone in your company gets access to all the tools they need, without forcing you to manage each service individually.</p> <p>If your business is using Okta or Azure Active Directory, <a href="https://blog.1password.com/scim-bridge-release/">SCIM integration</a> makes provisioning employees in 1Password a breeze. Onboarding is seamless: 1Password automatically syncs your identity provider’s groups with the groups in your 1Password account, so everyone in the company has access to the credentials they need from the get-go. Revoking access is just as quick.</p> <p>There are no complicated new systems for administrators to learn or time-consuming processes to implement – everything is managed from a single, central location. Oh, and the best part? It’s incredibly secure. All of this happens without ever sharing your account’s encryption keys, so you&rsquo;re always in control of your data.</p> <p>We&rsquo;ve been working hard to make it simple to automate your 1Password account and we’ll continue to make more automations possible over the coming months. 
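</p> <p>The vault-access walk-through in the command-line section above (three op commands, then a bit of deduplication) is exactly the kind of task worth scripting. What follows is an added example, not code from the original post or from 1Password: a small Python script that runs the same 1.x-syntax op commands, merges the vault’s direct members with the members of every group that has been granted the vault, and deduplicates by user uuid rather than by email, recording for each person whether their access is direct, via a group, or both. It assumes the JSON shape the post describes (arrays of objects; the field names uuid, email and name are assumptions), an op that is already signed in, and that each group uuid is taken from the op list groups output. The constructed sample data at the bottom stands in for a real account so the merge can be exercised without a CLI session.</p>

```python
"""Added example: resolve everyone who can open a 1Password vault by combining
the three `op` commands from the post and deduplicating by user uuid.
Assumes 1Password CLI 1.x syntax and an already signed-in session."""
import json
import shutil
import subprocess


def run_op(*args):
    """Run `op` with the given arguments and parse its JSON output.
    Raises CalledProcessError if op is not signed in or the vault is unknown."""
    result = subprocess.run(["op", *args], check=True, capture_output=True, text=True)
    return json.loads(result.stdout)


def effective_vault_users(direct_users, groups, group_members):
    """Merge direct vault members with the members of every granted group.

    direct_users:  objects from `op list users --vault=VAULT`
    groups:        objects from `op list groups --vault=VAULT`
    group_members: dict of group uuid to objects from `op list users --group=UUID`
    The field names "uuid", "email" and "name" are assumptions about the JSON
    shape. Users are keyed by uuid, not email: the same person can be granted
    the vault directly and through several groups, and an email address can
    change while the uuid does not.
    Returns a dict of uuid to {"email": ..., "via": sorted list of grant sources}.
    """
    access = {}

    def record(user, source):
        entry = access.setdefault(user["uuid"], {"email": user["email"], "via": set()})
        entry["via"].add(source)

    for user in direct_users:
        record(user, "direct")
    for group in groups:
        for user in group_members.get(group["uuid"], []):
            record(user, "group:" + group["name"])
    return {uid: {"email": e["email"], "via": sorted(e["via"])} for uid, e in access.items()}


def resolve_vault(vault):
    """Live path: run the three commands from the post against a signed-in CLI."""
    direct = run_op("list", "users", "--vault=" + vault)
    groups = run_op("list", "groups", "--vault=" + vault)
    members = {g["uuid"]: run_op("list", "users", "--group=" + g["uuid"]) for g in groups}
    return effective_vault_users(direct, groups, members)


# Constructed sample data (not from a real account) so the merge runs offline.
# Bob has direct access and is in Executives; Carol is in both groups.
SAMPLE_DIRECT = [
    {"uuid": "U1", "email": "alice@example.com"},
    {"uuid": "U2", "email": "bob@example.com"},
]
SAMPLE_GROUPS = [
    {"uuid": "G1", "name": "Executives"},
    {"uuid": "G2", "name": "Finance"},
]
SAMPLE_MEMBERS = {
    "G1": [{"uuid": "U2", "email": "bob@example.com"},
           {"uuid": "U3", "email": "carol@example.com"}],
    "G2": [{"uuid": "U3", "email": "carol@example.com"},
           {"uuid": "U4", "email": "dave@example.com"}],
}


if __name__ == "__main__":
    # Use the real CLI when it is installed, otherwise the constructed sample.
    if shutil.which("op"):
        report = resolve_vault("Directors")
    else:
        report = effective_vault_users(SAMPLE_DIRECT, SAMPLE_GROUPS, SAMPLE_MEMBERS)
    for entry in sorted(report.values(), key=lambda e: e["email"]):
        print(entry["email"].ljust(24), "via", ", ".join(entry["via"]))
```

<p>The merge is keyed on uuid on purpose: a person who sits in two granted groups and also has direct access appears once, with all three grant paths listed, so the report shows not only who can open the Directors vault but which group memberships you would have to revisit to take that access away. The post uses the 1.x command syntax; 2.x releases of the CLI reorganized these subcommands (for example, op vault user list), so check op --help on your version before running the live path.</p> <p>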
Give the <a href="https://1password.com/downloads/command-line/">1Password command-line tool</a> and <a href="https://support.1password.com/scim/">SCIM bridge</a> a try, and make sure to visit our <a href="https://1password.community/">discussion forums</a> to let us know what you think!</p></description></item><item><title>Why 1Password excels on the new Surface Pro</title><link>https://blog.1password.com/1password-on-surface-pro/</link><pubDate>Wed, 13 Nov 2019 00:00:00 +0000</pubDate><author>info@1password.com (Sarah Brown)</author><guid>https://blog.1password.com/1password-on-surface-pro/</guid><description> <img src='https://blog.1password.com/posts/2019/windows-surface-pro/header.png' class='webfeedsFeaturedVisual' alt='Why 1Password excels on the new Surface Pro' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Working remotely gives me the freedom to work from wherever I like: the couch, a coffee shop, a plane, or a hotel room. When I&rsquo;m on the move, I need a device that’s both powerful and portable, so I often work from my iPad. And while I love my iPad, I’ve recently been thinking about changing it up.</p> <p>I’ve spent a lot of time with our <a href="https://blog.1password.com/1password-7-for-windows-the-best-ever/">Windows team lately</a>, hearing about the hard work they’ve put into 1Password for Windows, and it’s given me some food for thought. Now, I&rsquo;m seriously considering swapping my iPad for a new Surface Pro. Here’s why.</p> <h2 id="privacy-focused-browsing">Privacy-focused browsing</h2> <p>I&rsquo;ve been using <a href="https://blog.1password.com/taking-a-peek-at-microsoft-edge-for-mac/">Edge on my Mac</a> for a few months now, and I’ve been impressed by its performance and security features. Edge is faster, lighter-weight, and more secure than its predecessor, Internet Explorer. 
It’s the same browser I’ve come to know and love on my Mac, but feels even more intuitive on the Surface Pro.</p> <p>And it’s only going to get better. The <a href="https://blogs.windows.com/msedgedev/2019/11/04/edge-chromium-release-candidate-get-ready/">new Microsoft Edge, currently in beta</a>, is built on the Chromium engine, giving it better compatibility with extensions and websites. The new version of Edge is more privacy-focused and includes features like tracking prevention and InPrivate mode, which keeps my searches and browsing history off the device (it doesn’t hide them from the sites I visit or from the network, so treat it as tidiness rather than anonymity).</p> <h2 id="unlocking-with-ease">Unlocking with ease</h2> <p>Working from a tablet rather than a laptop means I don&rsquo;t always have my hands free to type my passwords easily. With Windows Hello, I can get straight back to work using biometric authentication to unlock my screen and open 1Password.</p> <p>On the Surface Pro, to unlock 1Password, I just <a href="https://support.1password.com/windows-hello/#set-up-windows-hello">place my finger on the fingerprint sensor or glance at the camera</a>, making it quick and easy to pick up where I left off.</p> <h2 id="make-it-my-way">Make it my way</h2> <p>I&rsquo;m guilty of having too many applications, windows, and tabs open on my computer at any given time. It&rsquo;s easy for something to get lost, often forcing me to click through everything to find what I need. It can be frustrating, especially when I’m in a rush.</p> <p>The revamped <a href="https://support.1password.com/keyboard-shortcuts/">keyboard shortcuts in 1Password 7</a> work great on the Surface Pro and put all my information at the tip of my fingers. I can customize or disable shortcuts as needed, so 1Password fits seamlessly with my workflow.</p> <h2 id="keep-it-small">Keep it small</h2> <p>To keep clutter to a minimum, I love using 1Password mini and it feels right at home on the Surface Pro. I can quickly and easily access my information, without having the full-screen version of 1Password open. 
This comes in handy for filling in details on apps and websites that don’t have 1Password integration.</p> <img src='https://blog.1password.com/posts/2019/windows-surface-pro/SP1Pmini.png' alt='1Password Mini on the Surface Pro' title='1Password Mini on the Surface Pro' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>The 1Password mini on Windows even supports the Quick Copy menu, so I can quickly copy usernames, passwords, or grab a one-time password. I just open 1Password mini and everything I need is ready. Best of all, when 1Password detects the use of two-factor authentication, it will automatically copy a one-time use password to the clipboard.</p> <p>Are you using 1Password on a Surface Pro? We’d love to hear what your favorite features are! Drop us a line on <a href="https://twitter.com/1Password">Twitter</a> or reach out on the <a href="https://1password.community/">1Password Forums</a>.</p> <section class="c-call-to-action-box"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Sign up for 14 days free!</h3> <p class="c-call-to-action-box__text"> If you want to try 1Password on your Windows Surface Pro, sign up now for a 14 day free trial! 
</p> <a href="https://1password.com/pricing/" class="c-call-to-action-box__link-href" data-event-category="CTA" data-event-action="call-to-action-button"> Try 1Password FREE </a> </div> </section></description></item><item><title>1Password + Pixel 4 + Android 10 = ❤️🔐</title><link>https://blog.1password.com/1password-on-pixel4/</link><pubDate>Mon, 11 Nov 2019 00:00:00 +0000</pubDate><author>info@1password.com (Michael Verde)</author><guid>https://blog.1password.com/1password-on-pixel4/</guid><description> <img src='https://blog.1password.com/posts/2019/pixel4-1password/header.png' class='webfeedsFeaturedVisual' alt='1Password + Pixel 4 + Android 10 = ❤️🔐' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">I’ve been itching to write this post since the end of September, when we added support for <a href="https://android-developers.googleblog.com/2019/10/one-biometric-api-over-all-android.html">Android’s newest biometric library</a> in 1Password for Android. We’ve known for a while now that <a href="https://www.blog.google/products/pixel/new-features-pixel4/">face unlock was arriving with the Pixel 4</a>, and this update prepared 1Password for that eventuality. The only thing I was missing was the actual device so I could write about the experience firsthand.</p> <p>Each year, I eagerly await the Made by Google event in October when <a href="https://www.cnet.com/tech/mobile/pixel-4-every-made-by-google-2019-announcement-pixel-buds-pixelbook-go-google-stadia/">Google shows off their latest and greatest hardware</a>. It’s like Christmas come early for me, and this year was no exception. As soon as I was able to, I pre-ordered a <a href="https://www.gsmarena.com/google_pixel_4_xl-9895.php">Pixel 4 XL</a> from my carrier and waited impatiently for it to arrive.</p> <p>I’m happy to say that it arrived last week, and it was well worth the wait. 
I’ve since put 1Password through its paces on my new device, and here’s where we truly shine.</p> <h2 id="pixel-4-xl-meet-1password">Pixel 4 XL, meet 1Password</h2> <img src='https://blog.1password.com/posts/2019/pixel4-1password/lightmodeunlock.gif' alt='Pixel 4 Face Unlock' title='Pixel 4 Face Unlock' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>Of course, the first thing I do whenever I get a new device is set up 1Password. As you might imagine, I use a long Master Password to secure my 1Password accounts, and this can be a bit of a pain to type on mobile. <a href="https://1password.com/resources/guides/using-biometrics-fingerprint-as-password/">Fingerprint unlock</a> has made it so much quicker for me to unlock 1Password and I&rsquo;ve made heavy use of it over the past few years.</p> <p>Face unlock takes it to the next level. It took only a moment to set up and now when I launch 1Password, the sequence of verifying my face and unlocking happens faster than me even thinking about moving my finger to that non-existent fingerprint sensor. In fact, after a week of using face unlock, the muscle memory is all but gone.</p> <h2 id="face-unlock-everywhere">Face unlock everywhere</h2> <p>After setting up 1Password on my new Pixel 4 XL, the next order of business was to sign back in to all of my apps. <a href="https://1password.com/features/autofill/">Autofill</a> with 1Password made this a breeze. And even though some of my favourite apps don’t yet support face authentication, 1Password covered for them quite nicely. 
I simply tapped on the Autofill with 1Password prompt to unlock with my face and sign in to the app.</p> <img src='https://blog.1password.com/posts/2019/pixel4-1password/Quick_unlock.png' alt='Open your Pixel with Face Unlock' title='Open your Pixel with Face Unlock' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <h2 id="easy-sign-in-and-sign-up">Easy sign-in and sign-up</h2> <img src='https://blog.1password.com/posts/2019/pixel4-1password/darkmodeautofill.gif' alt='Autofill with Face Unlock' title='Autofill with Face Unlock' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>Speaking of Autofill, the improvements that we’ve been making over the last couple of releases go well beyond the Pixel 4. Depending on which version of Android you’re running and which browser you prefer, you may be using our Autofill service, our Accessibility service, or a combination of the two. We’ve synced them up so that you get the same experience, no matter which one you happen to be using.</p> <p>We’ve enhanced both services to support filling in login details, even when those details are split across multiple screens. This includes filling in your TOTP codes for you, so you no longer have to bother with copying them to the clipboard. Our Autofill and Accessibility services also let you create new Login items when signing up for a new account.</p> <p>Taken together, these changes make it so much easier to sign up for and sign in to apps and websites. No more flipping between apps.</p> <h2 id="looks-arent-everything-but-they-certainly-help">Looks aren’t everything, but they certainly help</h2> <p>Not only does 1Password work great on the Pixel 4, but it looks great too! When Android 10 launched earlier this year, we <a href="https://blog.1password.com/1password-7-2-for-android-dark-theme-rises/">dressed 1Password up for the occasion in new dark attire</a>. 
I thought it looked good then, but I have to say that the 90Hz screen of my new Pixel makes Dark Theme truly shine. And Ambient EQ ensures that the colour and brightness are right for any environment. Now I just need to decide whether to commit to one theme or to continue switching between the two.</p> <img src='https://blog.1password.com/posts/2019/pixel4-1password/Keeping_things_accessible.png' alt='Accessibility in Dark Theme' title='Accessibility in Dark Theme' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>Did you recently snag your own Pixel 4? Be sure to let us know about your favourite features on Google Play, <a href="https://twitter.com/1Password">Twitter</a>, or the <a href="https://1password.community/">1Password Forums</a>.</p> <section class="c-call-to-action-box c-call-to-action-box--yellow"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Sign up for 14 days free!</h3> <p class="c-call-to-action-box__text"> If you want to try 1Password on your Android device, sign up now for a 14-day free trial! 
</p> <a href="https://1password.com/pricing/" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--yellow" data-event-category="CTA" data-event-action="call-to-action-button"> Try 1Password FREE </a> </div> </section></description></item><item><title>Security is a key focus in macOS Catalina</title><link>https://blog.1password.com/macos-catalina-love/</link><pubDate>Fri, 01 Nov 2019 00:00:00 +0000</pubDate><author>info@1password.com (Sarah Brown)</author><guid>https://blog.1password.com/macos-catalina-love/</guid><description> <img src='https://blog.1password.com/posts/2019/mac-catalina-release/header.png' class='webfeedsFeaturedVisual' alt='Security is a key focus in macOS Catalina' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">macOS Catalina launched earlier this month, and it’s <a href="https://www.apple.com/newsroom/2019/10/macos-catalina-is-available-today/">chock full of fantastic new features</a>. We’re thrilled to see the emphasis Apple has placed on user privacy and security in this latest release. I installed it on launch day and have been exploring the ins and outs ever since. Here’s what I was most excited to see – and what the 1Password team thinks you’ll love too.</p> <h2 id="lock-it-up-tight">Lock it up tight</h2> <p>Losing my laptop is one of my worst nightmares – all my photos, music, and writing gone in a flash. Sure, I keep backups of everything, but I don’t want anyone else getting their hands on my important information. Or my high school photos that prove I had no sense of style. That’s why the new Activation Lock feature is so incredible.</p> <p>With Activation Lock turned on, a thief can’t wipe your Mac and set it up as their own: if your laptop is stolen from a coffee shop, the only person who can erase and reactivate it is you. It gives you peace of mind and adds an additional layer of security to your data. 
Keep in mind that Activation Lock protects the device rather than the data on it: keeping your files unreadable to whoever has the hardware is FileVault’s job, so turn both on. Activation Lock also needs a Mac with the Apple T2 Security Chip and Find My Mac turned on.</p> <h2 id="exploring-safari">Exploring Safari</h2> <p>I’ve always flip-flopped between browsers. But, no matter what, I’ve always gone back to Safari. It’s like an old reliable friend. And with new intuitive features like directing me to the right tab when I start typing an address of a website I already have open, I may never look back.</p> <p>There’s a lot to love in the latest version of Apple’s web browser. The new start page makes it easy to jump right to my bookmarks and frequently visited websites. It even pulls in and displays links from iMessage, so I don’t have to scroll through weeks of messages just to find the chocolate bourbon cake recipe my sister shared with me.</p> <h2 id="protection-for-macos">Protection for macOS</h2> <p>To keep your Mac running smoothly, Catalina also introduces a new dedicated, read-only system volume to keep your operating system files safe and sound. It’s completely separate from all your other data, which means it can’t be accidentally overwritten.</p> <p>Apple has also made it easier to use and develop hardware peripherals and sophisticated features without compromising on security. With DriverKit and user space system extensions, driver code runs in user space rather than inside the kernel, just like any other app, so a crash in a driver won’t take macOS down with it.</p> <p>All of this means extra layers of protection for your critical operating system files – improving reliability and reducing the risk of unwelcome system failures.</p> <h2 id="enhanced-gatekeeper">Enhanced Gatekeeper</h2> <p>Even with the plethora of apps available from the <a href="https://blog.1password.com/a-journey-into-the-new-mac-app-store/">Mac App Store</a>, there are still some that need to be downloaded directly from the developer&rsquo;s site. 
And if you’re anything like me, you may sometimes forget to verify how safe and secure it is.</p> <p>Enhanced Gatekeeper checks every new app you install for known security issues before you run it for the first time. It will also periodically check that the app remains safe to use, for as long as it’s installed on your machine.</p> <p>It was no small feat for our developers to get 1Password working seamlessly with Apple’s new operating system, but I’m so glad they did. With all of the <a href="https://blog.1password.com/never-better-time-to-upgrade-to-1password-7/">impressive upgrades to 1Password 7</a> and the new exciting features of macOS Catalina, this combination is now my favorite way to browse the web safely.</p> <p>1Password 7 is <a href="https://support.1password.com/upgrade-mac/">included with every 1Password membership</a>, and has everything you need to organize and secure your digital life. Upgrade today to enjoy the best compatibility with macOS Catalina and all of our new features.</p> <p>Have you downloaded macOS Catalina yet? <a href="https://twitter.com/1Password">Drop us a line on Twitter</a>, we’d love to hear what your favorite features are!</p> <section class="c-call-to-action-box"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Sign up for 14 days free!</h3> <p class="c-call-to-action-box__text"> 1Password works great on macOS Catalina. Start your free trial today to see for yourself! 
</p> <a href="https://1password.com/pricing/" class="c-call-to-action-box__link-href" data-event-category="CTA" data-event-action="call-to-action-button"> Try 1Password FREE </a> </div> </section></description></item><item><title>1Password and Mozilla at The Glass Room exhibition</title><link>https://blog.1password.com/1password-glass-room-popup/</link><pubDate>Tue, 22 Oct 2019 00:00:00 +0000</pubDate><author>info@1password.com (Cat Friend)</author><guid>https://blog.1password.com/1password-glass-room-popup/</guid><description> <img src='https://blog.1password.com/posts/2019/glass-room-blog/header.png' class='webfeedsFeaturedVisual' alt='1Password and Mozilla at The Glass Room exhibition' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Last week I was in San Francisco to attend the opening of <a href="https://theglassroom.org/">The Glass Room</a>, a pop-up event brought to you by Mozilla and 1Password. It’s designed to generate a global conversation about privacy and personal data, and invites us to explore how technology is shaping our lives and our interactions with the world.</p> <p>Our belief in your right to privacy informs every decision we make at 1Password, from how we design our product to what events we get behind. We’re delighted to support an exhibition whose mission aligns so closely with ours, and help more people make informed decisions about their privacy and personal data.</p> <img src='https://blog.1password.com/posts/2019/glass-room-blog/1passwordexhibit.png' alt='1Password exhibit' title='1Password exhibit' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>Several fascinating pieces explore different aspects of technology and digital information. 
The space is divided into <a href="https://theglassroom.org/san-francisco/exhibits/">five thematic areas</a>, all designed to shine a light on different aspects of digital technology: Deeply Personal, Invisible Labor, Trust in Us, Big Mother, and Open the Box. There&rsquo;s even the Data Detox Bar, where you can find advice on how to take action to create a healthier digital life.</p> <p>One of my favorite pieces allowed me to explore infographics that looked into the political spending on Facebook. Clearly a contentious subject, it tells a story of who may be targeting you, what messages they are using, and the scale they are doing it on. Seeing targeting this personalized makes you question quite a bit of the content you see on social media, and how it may be manipulating you.</p> <img src='https://blog.1password.com/posts/2019/glass-room-blog/catglassroom.png' alt='Cat Friend at the opening of The Glass Room' title='Cat Friend at the opening of The Glass Room' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>Another exhibit I found interesting was what seemed from a distance to be an innocuous map. But, as I moved closer, it displayed my phone and all the data it was sharing with a rogue Wi-Fi antenna. And it wasn&rsquo;t just my phone – it revealed all the devices in the area that were attempting to connect to what looked like free Wi-Fi.</p> <p>There are over 50 pieces exploring privacy and how it affects everyday life. Technology is so prevalent in our lives, and it&rsquo;s vital that we have an understanding of what information is out there and how it&rsquo;s being used. 
If you&rsquo;re in the Bay Area, stop by <a href="https://theglassroom.org/san-francisco/">The Glass Room in San Francisco</a> right on Market Street before the exhibit closes on November 3rd.</p></description></item><item><title>Mozilla has selected 1Password X as a Recommended Extension for Firefox</title><link>https://blog.1password.com/mozilla-extensions-program/</link><pubDate>Tue, 08 Oct 2019 00:00:00 +0000</pubDate><author>info@1password.com (Andrew Beyer)</author><guid>https://blog.1password.com/mozilla-extensions-program/</guid><description> <img src='https://blog.1password.com/posts/2019/mozilla-extension-program/header.png' class='webfeedsFeaturedVisual' alt='Mozilla has selected 1Password X as a Recommended Extension for Firefox' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction"><a href="https://support.mozilla.org/en-US/kb/recommended-extensions-program">Mozilla’s Recommended Extensions</a> program rigorously vets Firefox extensions for quality and security. Out of thousands of extensions, fewer than 100 have been chosen, so we’re incredibly proud that 1Password X meets their high standards.</p> <p>Third-party developers build extensions to add features and customize how your browser works. There are extensions for everything from ad blockers to coupon codes, translation to social sharing, and more. 1Password X brings the full functionality of 1Password into your browser, making it easy for you to sign in to sites, use suggested passwords, and find what you need in your account.</p> <p>However, not all extensions are created equal. Downloading the wrong extension can pose a serious threat to your privacy and security. 
App add-ons and extensions require you to grant permission to read and even change your data on the websites that you visit, which gives them quite a bit of power.</p> <p>With that level of access, a malicious extension that&rsquo;s been granted access to your full browser could steal your data, track your movements, or capture and store your passwords – all without you even noticing.</p> <p>In an effort to help discover and defend against rogue extensions, <a href="https://blog.mozilla.org/futurereleases/2019/02/19/keeping-add-ons-safe-for-our-users/">Mozilla launched their new Recommended Extensions initiative</a>. The program was created to &ldquo;foster a curated list of extensions that meet [their] highest standards of security, utility, and user experience&rdquo;. <a href="https://1password.com/resources/guides/1password-for-firefox/">Firefox</a> users can feel good about installing these extensions because they know their information will be safe.</p> <p>All Mozilla Recommended Extensions, including 1Password X, go through a standard, rigorous <a href="https://addons.mozilla.org/en-US/firefox/">review process on AMO</a>. When they invited us to join the program, we were asked to undergo an additional review by Mozilla&rsquo;s editorial staff. This review was primarily concerned with the following:</p> <ul> <li>Is the extension really good at what it does?</li> <li>Does the extension offer an exceptional user experience?</li> <li>Is the extension relevant to a general audience?</li> <li>Is the extension safe?</li> </ul> <p>We’re committed to keeping the quality of the 1Password X experience high, and pride ourselves on the level of security we offer. All the information you store in 1Password, no matter what app, extension, or browser you use, is encrypted and can only be accessed from a device you&rsquo;ve already approved. 
Your data is yours, and only you have the keys to unlock it.</p> <section class="c-call-to-action-box c-call-to-action-box--yellow"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Sign up for 14 days free!</h3> <p class="c-call-to-action-box__text"> Want to try 1Password X in Firefox? Start your 1Password membership today and get your first 14 days free. </p> <a href="https://1password.com/pricing/" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--yellow" data-event-category="CTA" data-event-action="call-to-action-button"> Try 1Password FREE </a> </div> </section></description></item><item><title>The Climate Fixathon: using tech to fight climate change</title><link>https://blog.1password.com/climate-fixathon/</link><pubDate>Thu, 03 Oct 2019 00:00:00 +0000</pubDate><author>info@1password.com (Cat Friend)</author><guid>https://blog.1password.com/climate-fixathon/</guid><description> <img src='https://blog.1password.com/posts/2019/climate-fixathon/header.png' class='webfeedsFeaturedVisual' alt='The Climate Fixathon: using tech to fight climate change' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">At 1Password, we aim to make the online world a better, safer place. But climate change is the biggest threat to the future of our planet, and we want to make a difference there too. That’s why we chose to sponsor the Climate Fixathon.</p> <p>The Climate Fixathon is the world&rsquo;s first online hackathon for makers to help fix the climate. If you’re not familiar, a hackathon is a coding competition, usually held over a set period. People come together to test their skills to solve a particular problem or just create something great. 
The Climate Fixathon is a 4-week competition, held entirely online.</p> <p>As someone who cares deeply about our planet (last year, I embarked on a 24-day expedition for marine conservation), I was thrilled to be one of the judges. Reviewing and testing the 43 projects from across the globe was eye-opening. It was exciting to see the tech community come together to create websites, apps, and services that aim to help restore a safe climate for our planet. Technology is a powerful force for doing good.</p> <p>There were three categories: Awareness, Action, and Facilitation. On offer was $1,500 for the winning team of each category. As you’d expect, the standard of entries was incredibly high across the board, but there were a few that impressed me in particular.</p> <p><a href="https://hqco2.org/">HQ→CO2</a> was chosen as the project that best raises awareness of climate breakdown. The website juxtaposes random pairs of images: the headquarters of high-emissions fossil fuel companies with places around the world affected by global warming. It was thought-provoking to see how the HQ pictures appear static and unchanging, while the picture alongside shows dynamic ecological breakdown.</p> <p>Also recognised by the judges was Climate 365, an email service that repeatedly contacts those in power urging them to take action against climate change. Their tool for digital protest won the prize for Action. The prize for Facilitation was awarded to <a href="https://triptocarbon.xyz/#">Trip to Carbon</a>, a carbon footprint calculator with a simple API that can be integrated into new and existing websites and products to raise awareness of climate change.</p> <p>Another favourite of mine was the Arctic Calculator. You enter the distance travelled and it gives you the area of the Arctic Circle you’re responsible for melting. Certainly difficult to ignore. <a href="https://shift.andrewpairman.com/">Shift</a> was another great website that everyone can use to make a difference. 
It tells you when grid production in your area is at its least carbon-intense, so that you can time your household electricity consumption, like putting the washing machine on.</p> <p>All exciting and impactful projects that are sure to inspire change. It’s certainly sparked some food for thought about how we do things at 1Password.</p> <p>To learn more about all of the entries, visit <a href="https://fixathon.io/">the Climate Fixathon website</a>. Perhaps it will inspire a project of your own! You can also find out more about my motivations for taking part in my <a href="https://medium.com/fixathon/judge-spotlight-cat-friend-43fc8c28eb0a">judge&rsquo;s interview</a>.</p></description></item><item><title>Behind the scenes of Random but Memorable</title><link>https://blog.1password.com/making-random-but-memorable/</link><pubDate>Mon, 30 Sep 2019 00:00:00 +0000</pubDate><author>info@1password.com (Anna Eastick)</author><guid>https://blog.1password.com/making-random-but-memorable/</guid><description> <img src='https://blog.1password.com/posts/2019/making-of-rbm/header.png' class='webfeedsFeaturedVisual' alt='Behind the scenes of Random but Memorable' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">It&rsquo;s <a href="https://randombutmemorable.simplecast.com/">Random but Memorable&rsquo;s</a> first birthday, and while we&rsquo;re already into the third season of our security advice podcast, it feels like just yesterday we released the first episode.</p> <p>“Random but memorable” is good advice for creating a strong Master Password, but it also applies to the discussions Matt Davey, Michael Fey (Roo), and I have on the show. 
Each episode blends informative discussions with humor as we talk about what&rsquo;s new in the world of security.</p> <p>In this post, we&rsquo;re giving you a peek behind the curtain at how our podcast comes together.</p> <h2 id="planning-and-research">Planning and research</h2> <p>You can’t just wing it when recording a podcast. That&rsquo;s how you get long tangents about where to find the best tacos in Toronto. Which, while informative, isn&rsquo;t exactly the breaking security news we want to cover. That&rsquo;s why we have a list of items we need to complete before we can sit down and record.</p> <p>Each episode focuses on a single theme or security topic. Since our goal is to help our audience make the best security choices, we keep an eye on the hot topics in security and privacy. This not only gives our guests an idea of what to talk about, but it also helps keep Matt and Roo on task during the conversation.</p> <p>Once we’ve selected a theme, we research the latest stories for our Watchtower Weekly segment and decide which hack we’ll be revisiting that episode.</p> <h2 id="getting-the-perfect-guest">Getting the perfect guest</h2> <p>We&rsquo;ve been lucky to have a wide range of insightful and fun guests join us for the podcast, including Troy Hunt, Bruce Schneier, and Dr. Jessica Barker. We look for guests who are experts in their fields, have valuable insight to offer, or have knowledge of a specific topic we think our audience might find interesting.</p> <p>We like to keep things informal, but we also want our guests to feel comfortable and prepared when they record their part. We send them a list of questions before recording, as well as a Random but Memorable guest checklist to give them hints and tips so recording goes as smoothly as possible.</p> <h2 id="recording-the-show">Recording the show</h2> <p>With our hosts located in different cities and time zones, scheduling can be tricky. 
We use a <a href="https://zoom.us/">Zoom</a> audio conference to bridge the distance and record each episode. Each host records the session locally to capture the best sound.</p> <p>Since a podcast relies on good audio, one of the most important things we&rsquo;ve learned is how crucial it is to invest in a quality microphone. Matt and I both use <a href="https://rode.com/en/">Rode mics</a>, while Roo favors an <a href="https://www.audio-technica.com/en-us/atr2100-usb">Audio Technica ATR2100</a>.</p> <h2 id="getting-it-ready-to-release">Getting it ready to release</h2> <p>Editing the podcast is the most critical – and often challenging – part of the process. This is where I take a 90-minute recording and condense it down to a neat and clean 30-minute show.</p> <p>I go through the content our hosts and guests have recorded and cut any content that&rsquo;s not relevant, like unnecessary &ldquo;umms&rdquo; and &ldquo;aaahs&rdquo; that are inevitable during the course of a conversation. I also keep an ear out for any foul language slip-ups that need bleeping to keep the show family-friendly.</p> <p>It’s also my responsibility to create the show notes that we share alongside the audio of each episode. These comprehensive notes are great for skimming over and referencing after listening. We often cover so much content in a single episode that this document can reach a double-digit page count.</p> <h2 id="sending-it-out-into-the-world">Sending it out into the world</h2> <p>Once the final edit has been cut, we&rsquo;re ready to release! New episodes are available every other Tuesday on all major podcast channels and apps. 
You can listen and subscribe to Random but Memorable on <a href="https://overcast.fm/itunes1435486599/random-but-memorable">Overcast</a>, <a href="https://pca.st/43AW">Pocket Casts</a>, or <a href="https://podcasts.apple.com/gb/podcast/random-but-memorable/id1435486599?mt=2">iTunes</a>.</p> <p>For listeners who don&rsquo;t subscribe, links to new episodes are posted on all our social media channels. Sometimes we even do a giveaway, so be sure to follow on <a href="https://www.facebook.com/1Password/">Facebook</a> and <a href="https://twitter.com/1Password">Twitter</a>!</p> <p>Once the episode has gone live, we&rsquo;re straight onto the next one, and the whole process starts over again!</p> <p>If you&rsquo;d like us to answer your question on the show, tweet us <a href="https://twitter.com/1Password">@1Password</a> using the hashtag <a href="https://twitter.com/search?q=%23ask1password">#ask1Password</a>.</p> <p>If you love listening, please <a href="https://podcasts.apple.com/gb/podcast/random-but-memorable/id1435486599?mt=2">rate us or leave us a review on iTunes</a>. Your feedback and suggestions mean the world to us.</p></description></item><item><title>1Password 7.4 on iOS 13: Dark Mode, Documents, and Voice Control</title><link>https://blog.1password.com/ios-fall-2019-release/</link><pubDate>Thu, 19 Sep 2019 00:00:00 +0000</pubDate><author>info@1password.com (Michael Fey)</author><guid>https://blog.1password.com/ios-fall-2019-release/</guid><description> <img src='https://blog.1password.com/posts/2019/ios-fall-release/header.png' class='webfeedsFeaturedVisual' alt='1Password 7.4 on iOS 13: Dark Mode, Documents, and Voice Control' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Hello and happy iOS release day, everyone! We’ve been excited for this release since <a href="https://blog.1password.com/1password-apple-betas/">iOS 13 was first announced at WWDC</a>. 
Now that it&rsquo;s finally here, we’re excited to share 1Password 7.4 for iOS with you.</p> <p>There’s a bunch of stuff I’m pumped to tell you about, so let’s dive in and take a look.</p> <h2 id="dark-mode-for-ios">Dark Mode for iOS</h2> <img src='https://blog.1password.com/posts/2019/ios-fall-release/iOSdarkmode.png' alt='Dark Mode on iOS 13' title='Dark Mode on iOS 13' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>Ever since Apple rolled out Dark Mode for macOS at WWDC 2018, I’ve been waiting for them to bring it to iOS. Whether I’m checking my emails first thing after waking up, or looking something up online before turning in for the night, being blasted in the face by a bright screen has never been a positive experience. Dark Mode on iOS solved this problem for me, though, and I couldn’t be happier. I’ve been using iOS 13 exclusively in Dark Mode for a while now, and I love it.</p> <p>We began the work to bring Dark Mode to 1Password for iOS in June and we’re really excited to show it off to you today.</p> <p>We&rsquo;ve also added a special dark app icon that I think looks right at home in the dock on my iPhone.</p> <img src='https://blog.1password.com/posts/2019/ios-fall-release/iOSicon.png' alt='Choose your 1Password icon' title='Choose your 1Password icon' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <h2 id="use-your-voice">Use your voice</h2> <p>One of the most impressive and exciting parts of iOS 13 is the <a href="https://blog.1password.com/ios-voice-control-wwdc/">addition of Voice Control</a>, and 1Password makes full use of it. This new feature opens up a world of possibility for users who may not have the ability to interact with their iOS device using their hands.</p> <p>With Voice Control you won’t have to lift a finger to search, open, edit, or share items from within 1Password. 
Control every aspect of your iOS device, including opening and navigating 1Password, just by using some simple, predictable voice commands.</p> <h2 id="documents-documents-documents">Documents, documents, documents</h2> <img src='https://blog.1password.com/posts/2019/ios-fall-release/iOSdoc.png' alt='Add your documents' title='Add your documents' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>Ever since we added the ability to create Documents using the camera roll, we have seen requests to expand our capabilities. Today, I’m pleased to say, we’re answering that feedback. Starting in 1Password 7.4 you can create Documents from the camera roll, use the camera directly, or pick a file from the Files app. That last one is particularly exciting as it means you&rsquo;ll be able to bring in files from any app that makes its files available to the Files app – like Dropbox, Google Drive, and more.</p> <p>We’ve also added the ability to use the new document scanner in iOS 13 to create PDFs from your paperwork, complete with optical character recognition text summaries! It’s a fantastic way to scan and store your sensitive information securely and make it available to all your devices.</p> <h2 id="in-closing">In closing</h2> <p>iOS 13 from Apple and 1Password 7.4 are both available today, so fire up your updaters and check out all the cool new features. While you wait, you can read our <a href="https://app-updates.agilebits.com/product_history/OPI4">full set of release notes</a> or pop on over to the App Store and <a href="itms-apps://itunes.apple.com/app/id568903335?action=write-review">leave us a review</a>.</p> <p>Thank you to everyone who provided feedback about this release. 1Password wouldn’t be the app it is today without your involvement. 
Cheers!</p></description></item><item><title>Get to know 1Password Advanced Protection with our next webinar</title><link>https://blog.1password.com/advanced-protection-webinar/</link><pubDate>Wed, 18 Sep 2019 00:00:00 +0000</pubDate><author>info@1password.com (Sarah Brown)</author><guid>https://blog.1password.com/advanced-protection-webinar/</guid><description> <img src='https://blog.1password.com/posts/2019/advanced-protection-webinar/header.png' class='webfeedsFeaturedVisual' alt='Get to know 1Password Advanced Protection with our next webinar' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">We’ve just launched <a href="https://blog.1password.com/introducing-advanced-protection/">1Password Advanced Protection</a>, a suite of powerful new security tools for <a href="https://1password.com/business/">1Password Business</a>, and we’re excited to show you what it can do.</p> <p>Join us on September 24th or October 8th at 2 p.m. EDT, when we’ll show you how to create security policies, prevent threats, and monitor your team’s access in <a href="https://1password.com/business/">1Password Business</a>.</p> <p>In this live webinar, you&rsquo;ll learn how to:</p> <ul> <li>Set a Master Password policy.</li> <li>Turn on two-factor authentication for the team.</li> <li>Create and manage firewall rules.</li> <li>Monitor your team&rsquo;s sign-in attempts.</li> <li>Set and manage software update requirements.</li> </ul> <p>We’ll also have time for a Q&amp;A session at the end to answer all your questions about Advanced Protection.</p> <p>Join the webinar on either September 24th or October 8th at 2 p.m. 
It&rsquo;s free, and it&rsquo;s a great way to get to know Advanced Protection.</p></description></item><item><title>Introducing 1Password Advanced Protection: powerful security tools for business</title><link>https://blog.1password.com/introducing-advanced-protection/</link><pubDate>Tue, 17 Sep 2019 00:00:00 +0000</pubDate><author>info@1password.com (Jeff Shiner)</author><guid>https://blog.1password.com/introducing-advanced-protection/</guid><description> <img src='https://blog.1password.com/posts/2019/advanced-protection/header.jpg' class='webfeedsFeaturedVisual' alt='Introducing 1Password Advanced Protection: powerful security tools for business' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Today, I’m excited to announce the release of 1Password Advanced Protection, a suite of powerful new security tools for <a href="https://1password.com/business/">1Password Business</a>.</p> <p>With <a href="https://1password.com/business/advanced-protection/">1Password Advanced Protection</a>, administrators have the power to create security policies, prevent threats, and monitor their team&rsquo;s access. We&rsquo;ve got five features to cover, so let&rsquo;s get started.</p> <h2 id="master-password-policy">Master Password policy</h2> <p>Employee passwords are the biggest point of failure for most companies. 
With the <a href="https://support.1password.com/master-password-policy/">Master Password policy</a>, administrators can enforce stricter Master <a href="https://1password.com/password-generator/">Password requirements</a> to match their internal security policies.</p> <img src='https://blog.1password.com/posts/2019/advanced-protection/ap-masterpassword.png' alt='Screenshot of Master Password Policy controls in 1Password Advanced Protection' title='Screenshot of Master Password Policy controls in 1Password Advanced Protection' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>You can increase the minimum length, and require uppercase or lowercase letters, numbers, or symbols. When you update your policy, everyone on your team needs to meet those requirements when they create a new Master Password.</p> <h2 id="two-factor-authentication">Two-factor authentication</h2> <p>Ever since we released <a href="https://support.1password.com/two-factor-authentication/#manage-two-factor-authentication-for-your-team">two-factor authentication</a>, administrators have asked us for the ability to manage it for their entire team. So we made it happen.</p> <img src='https://blog.1password.com/posts/2019/advanced-protection/ap-2fa.png' alt='Screenshot of two-factor authentication controls in 1Password Advanced Protection' title='Screenshot of two-factor authentication controls in 1Password Advanced Protection' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>Choose which second factors your team can use when they sign in on a new device: an authenticator app, security keys, or Duo. Then enforce two-factor authentication for your entire team to make sure no one slips through the cracks.</p> <h2 id="firewall-rules">Firewall rules</h2> <p>If you&rsquo;ve ever wanted to restrict where your team can access 1Password, you&rsquo;ll love this. 
You can create <a href="https://support.1password.com/firewall-rules/">firewall rules</a> to allow, report, or deny sign-in attempts from certain locations or IP addresses.</p> <img src='https://blog.1password.com/posts/2019/advanced-protection/ap-firewall.png' alt='Screenshot of firewall rules in 1Password Advanced Protection' title='Screenshot of firewall rules in 1Password Advanced Protection' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>Whether you want to limit access to the office or block access from high-risk countries, you can create firewall rules to help you. You can even block <a href="https://blog.1password.com/how-a-vpn-works/">VPNs</a> and Tor to prevent anonymous IP access.</p> <h2 id="modern-app-requirements">Modern app requirements</h2> <p>For the latest features and security fixes, we know how important it is to keep your software up to date. With <a href="https://support.1password.com/modern-app-requirements/">modern app requirements</a>, you can make sure your employees are on the same page.</p> <img src='https://blog.1password.com/posts/2019/advanced-protection/ap-apps.png' alt='Screenshot of setting modern app requirements 1Password Advanced Protection' title='Screenshot of setting modern app requirements 1Password Advanced Protection' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>Find out who uses outdated 1Password apps, and require everyone to keep 1Password up to date. 
If anyone uses an older version of 1Password, they&rsquo;ll be prompted to update to the latest release.</p> <img src='https://blog.1password.com/posts/2019/advanced-protection/ap-reports.png' alt='Screenshot of app reports in 1Password Advanced Protection' title='Screenshot of app reports in 1Password Advanced Protection' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <h2 id="sign-in-attempts-report">Sign-in attempts report</h2> <p>The final feature ties everything together. For more insight into account activity, the <a href="https://support.1password.com/sign-in-attempts-report/">sign-in attempts report</a> gives you a clear overview of recently reported, blocked, and failed sign-in attempts.</p> <img src='https://blog.1password.com/posts/2019/advanced-protection/ap-signin-attempts.png' alt='Screenshot of map showing failed sign in attempts in 1Password Advanced Protection' title='Screenshot of map showing failed sign in attempts in 1Password Advanced Protection' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>Review the time, location, IP address, and device of each sign-in attempt, and use the interactive map to view attempts from a specific location. 
Find out why they failed – whether they used the wrong credentials, two-factor authentication failed, or were blocked by your firewall rules – so you can assess how effective your policies are and adjust them to protect your team.</p> <h2 id="get-started-with-1password-advanced-protection">Get started with 1Password Advanced Protection</h2> <div style="text-align: center !important;"> <iframe src="https://www.youtube-nocookie.com/embed/EMlrU4CKn4o" frameborder="0" allow="autoplay; encrypted-media" width="500px !important;" height="281px !important;" style="width: 500px !important; height: 281px !important; display: inline-block !important" allowfullscreen></iframe> </div> <p>1Password Advanced Protection is now available for all <a href="https://1password.com/business/">1Password Business</a> customers. If you use 1Password Teams, it’s easy to <a href="https://support.1password.com/change-account-type/#if-you-have-a-team-account">upgrade to a business account</a>.</p> <p>There&rsquo;s lots to explore. Visit our support site to <a href="https://support.1password.com/explore/advanced-protection/">learn about 1Password Advanced Protection in 1Password Business</a>.</p> <h2 id="join-our-webinar">Join our webinar</h2> <p>We’re hosting webinars on September 24 and October 8 to help you get the most out of 1Password Advanced Protection. We’ll even have one of our lead developers on hand to answer all your technical questions. Head over to our <a href="https://blog.1password.com/advanced-protection-webinar/">blog post</a> for more information and to register.</p> <section class="c-call-to-action-box"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">1Password Advanced Protection</h3> <p class="c-call-to-action-box__text"> With 1Password Advanced Protection, it’s easy to customize and enforce your security policies. 1Password Business customers can start fortifying their defenses today. 
</p> <a href="https://start.1password.com/security" class="c-call-to-action-box__link-href" data-event-category="CTA" data-event-action="call-to-action-button"> Get Started </a> </div> </section></description></item><item><title>Trust, browsing, and privacy with Daniel Davis from DuckDuckGo</title><link>https://blog.1password.com/trust-browsing-privacy-duckduckgo/</link><pubDate>Fri, 30 Aug 2019 00:00:00 +0000</pubDate><author>info@1password.com (Sarah Brown)</author><guid>https://blog.1password.com/trust-browsing-privacy-duckduckgo/</guid><description> <img src='https://blog.1password.com/posts/2019/duckduckgo-webinar/header.png' class='webfeedsFeaturedVisual' alt='Trust, browsing, and privacy with Daniel Davis from DuckDuckGo' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">The next video in our <a href="https://www.youtube.com/playlist?list=PLeXQRfNcE6-DKEwaj6hWes8ZU1iAQtp0v">Essentials of Business Security series</a> is ready to watch! Cat talks with Daniel Davis from DuckDuckGo about how to make digital privacy a priority.</p> <div style="text-align: center !important;"> <iframe src="https://www.youtube-nocookie.com/embed/6gDrxD83d-s" frameborder="0" allow="autoplay; encrypted-media" width="500px !important;" height="281px !important;" style="width: 500px !important; height: 281px !important; display: inline-block !important" allowfullscreen></iframe> </div> <p><a href="https://duckduckgo.com/">DuckDuckGo</a> began as a privacy-focused search engine. 
Today, it offers a browser extension and mobile app to prevent you from being tracked as you browse the web.</p> <p>Here are four key points from our chat with Daniel that will help to keep your business data safe and private.</p> <h2 id="make-privacy-a-priority">Make privacy a priority</h2> <p>Customers and employees want to know that their <a href="https://www.ftc.gov/business-guidance/resources/protecting-personal-information-guide-business">personal information</a> is safe in your hands and on your servers. And as more companies go above and beyond to protect their customers’ privacy, competitive pressure is building for others to keep pace.</p> <p>With data leaks and breaches becoming more frequent, you need to show that <a href="https://customerthink.com/why-data-privacy-should-be-your-companys-top-priority/">privacy is a priority for your business</a>. To do this, put together a privacy policy that is comprehensive, clear, and easily accessible. Be open and transparent with customers about exactly what information you’re storing, and how and where you store it.</p> <h2 id="evaluate-new-tools">Evaluate new tools</h2> <p>Before you purchase or implement any new software, read the privacy policy carefully. If you&rsquo;re in Europe, any software that processes or stores your data must be GDPR compliant. If you&rsquo;re in the United States, software should comply with your state&rsquo;s privacy laws.</p> <h2 id="build-it-into-your-business">Build it into your business</h2> <p>Almost weekly, a new privacy scandal hits the headlines. As a result, more people are aware of the risks to their data and are looking for ways to protect it. You can help by <a href="https://blog.1password.com/small-talk-customer-data-privacy/">building privacy into the way your business operates</a>.</p> <p>Make sure privacy tools like safe search, browser extensions, and mobile apps are simple to use and fit your employees’ needs. 
Anything that is too complicated, or that disrupts their workflow, is likely to be ignored.</p> <h2 id="take-care-of-the-data">Take care of the data</h2> <p>When handling your customers’ personal information, be clear about exactly what you’re collecting and why you’re collecting it. Never keep data that you don’t need, because if you don’t have it, you can’t lose it or be tricked into giving it away.</p> <p>Trust is the most valuable thing your customers can give you, so be transparent and keep them informed about any changes to your policies.</p> <h2 id="whats-up-next">What&rsquo;s up next</h2> <p>If you enjoyed our chat with Daniel, <a href="https://1password.com/webinars/">sign up for the webinar mailing list</a> to receive notifications of future webinars.</p></description></item><item><title>Tracking, blocking, and safeguarding with Bennett Cyphers from Privacy Badger</title><link>https://blog.1password.com/tracking-blocking-safeguarding-privacy-badger/</link><pubDate>Thu, 15 Aug 2019 00:00:00 +0000</pubDate><author>info@1password.com (Sarah Brown)</author><guid>https://blog.1password.com/tracking-blocking-safeguarding-privacy-badger/</guid><description> <img src='https://blog.1password.com/posts/2019/privacy-badger-webinar/header.png' class='webfeedsFeaturedVisual' alt='Tracking, blocking, and safeguarding with Bennett Cyphers from Privacy Badger' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">A brand new video in our Essentials of Business Security series is now live! 
This time, Cat talks with Bennett Cyphers from Privacy Badger about tracking, blocking extensions, and what you can do to safeguard your data while browsing the Internet.</p> <div style="text-align: center !important;"> <iframe src="https://www.youtube-nocookie.com/embed/xydJ6w0kZDs" frameborder="0" allow="autoplay; encrypted-media" width="500px !important;" height="281px !important;" style="width: 500px !important; height: 281px !important; display: inline-block !important" allowfullscreen></iframe> </div> <p>Created by the Electronic Frontier Foundation, <a href="https://privacybadger.org/">Privacy Badger</a> is a browser extension designed to block advertisers and other third-party trackers from monitoring your web activity. It works in the background while you browse, automatically analyzing and blocking any code that seems to track you across multiple websites.</p> <p>Ad companies like Google and Facebook not only track you on their pages – they also use invisible pixels and cookies to follow your journey across the Internet.</p> <p>While we know it&rsquo;s not realistic for most people to quit Google and Facebook altogether, here are five other things you can do to protect your privacy online.</p> <h2 id="switch-to-a-privacy-focused-browser">Switch to a privacy-focused browser</h2> <p>Google Chrome may be a popular browser, but it collects quite a bit of data about you.</p> <p>While there isn&rsquo;t a single best browser option, both <a href="https://www.mozilla.org/en-US/firefox/">Mozilla&rsquo;s Firefox</a> and <a href="https://brave.com/">Brave</a> are excellent choices for protecting your privacy and security.</p> <p>Firefox offers robust privacy features and can be customized to fit your individual security needs. 
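The Privacy Badger behaviour described above, learning trackers as you browse instead of loading a blocklist, comes down to counting how many distinct first-party sites a third-party domain has been seen tracking on. The following is an added example, not Privacy Badger's code: it replays a constructed browser request log and blocks a third party once it has tracked the user on three different sites, which is the threshold Privacy Badger documents. The registrable-domain and identifier heuristics are deliberately simplified (a real implementation would use the Public Suffix List).

```python
"""Cross-site tracker detection in the style of Privacy Badger's heuristic.

Added example, not Privacy Badger's code. A request "looks like tracking" when
the third party sets or reads a cookie, or carries a long high-entropy value in
the query string; a third-party domain that does this on three or more distinct
first-party sites is added to the block list.
"""
from collections import defaultdict
import math
from urllib.parse import parse_qs, urlsplit

TRACKING_THRESHOLD = 3  # distinct first-party sites before a third party is blocked

# Constructed sample log: (first-party page, third-party request URL, Cookie header or None).
SAMPLE_LOG = [
    ("https://news.example/article", "https://cdn.static-assets.example/app.js", None),
    ("https://news.example/article", "https://pixel.adnet.example/p.gif?uid=8f3a1c9d2b7e4f60", None),
    ("https://shop.example/cart", "https://pixel.adnet.example/p.gif?uid=8f3a1c9d2b7e4f60", None),
    ("https://shop.example/cart", "https://cdn.static-assets.example/app.js", None),
    ("https://blog.example/post/1", "https://pixel.adnet.example/p.gif", "uid=8f3a1c9d2b7e4f60"),
    ("https://blog.example/post/1", "https://widgets.social.example/like.js", "sid=abc"),
    ("https://forum.example/t/42", "https://widgets.social.example/like.js", "sid=abc"),
    ("https://forum.example/t/42", "https://cdn.static-assets.example/app.js", None),
]


def site(url):
    """Approximate the registrable domain (eTLD+1) as the last two host labels.
    Simplification: real code consults the Public Suffix List (co.uk, github.io, ...)."""
    host = urlsplit(url).hostname or ""
    return ".".join(host.split(".")[-2:])


def is_third_party(page_url, request_url):
    return site(page_url) != site(request_url)


def shannon_entropy(text):
    """Bits per character; random identifiers score high, words and numbers low."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_identifier(value):
    """Long, high-entropy query values are treated as user identifiers."""
    return len(value) >= 12 and shannon_entropy(value) > 3.0


def tracking_signals(request_url, cookie_header):
    """True when the request carries state that can single out the user."""
    if cookie_header:
        return True
    query = parse_qs(urlsplit(request_url).query)
    return any(looks_like_identifier(v) for values in query.values() for v in values)


def learn(log):
    """Map each third-party domain to the set of first-party sites it tracked on."""
    seen = defaultdict(set)
    for page_url, request_url, cookie in log:
        if is_third_party(page_url, request_url) and tracking_signals(request_url, cookie):
            seen[site(request_url)].add(site(page_url))
    return seen


def blocked_domains(log, threshold=TRACKING_THRESHOLD):
    """Domains that tracked across at least `threshold` distinct sites, sorted."""
    return sorted(d for d, sites in learn(log).items() if len(sites) >= threshold)


def should_block(page_url, request_url, blocked):
    """Block only third-party requests to a learned tracker; first-party use is allowed."""
    return is_third_party(page_url, request_url) and site(request_url) in blocked


if __name__ == "__main__":
    for domain, sites in learn(SAMPLE_LOG).items():
        print(f"{domain}: tracked on {len(sites)} site(s)")
    print("blocked:", blocked_domains(SAMPLE_LOG))
```

On the sample log the ad network is blocked (tracked on three sites), the social widget is still learning (two sites), and the static CDN is never flagged because it carries no identifying state. Note that `should_block` leaves a tracker's own first-party pages alone, which is why a learned block list does not break the tracker's own website.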
Additionally, you have the option to enable several useful browser extensions that can enhance your privacy and security.</p> <p>Brave is built on <a href="https://en.wikipedia.org/wiki/Chromium_(web_browser)">Chromium</a> and is privacy-focused by default. We recently took <a href="https://blog.1password.com/testing-brave-with-1password/">Brave out for a spin</a> and were impressed by its speed and built-in security features.</p> <h2 id="use-a-blocking-extension">Use a blocking extension</h2> <p>Browser extensions that block ads and trackers work behind the scenes to stop third-party code from capturing your personal information. Some only block tracking cookies, while others work as full ad blockers.</p> <p>Privacy Badger is an extension that automatically analyzes and blocks any tracker or ad that violates the principle of user consent. Rather than working off an existing list of trackers and cookies to block, it learns as you browse: once it has seen the same third-party domain tracking you across several different sites, it starts blocking that domain.</p> <h2 id="change-your-search-engine">Change your search engine</h2> <p>Google has earned its reputation as a robust search engine, but it comes with a price. To give you a personalized experience, Google tracks and stores an incredible amount of your personal information.</p> <p>And it&rsquo;s not just Google. Most big search engines are essentially data collectors for advertising companies, who use the information to create targeted ads. Thankfully, there are several privacy-focused search engines you can use as an alternative:</p> <ul> <li><a href="https://duckduckgo.com/">DuckDuckGo</a></li> <li><a href="https://www.startpage.com/">Startpage</a></li> <li><a href="https://www.qwant.com/">Qwant</a></li> </ul> <h2 id="use-an-encrypted-messaging-service">Use an encrypted messaging service</h2> <p>Unfortunately, many of the most popular messaging apps – like Facebook Messenger, Skype, and Snapchat – don&rsquo;t offer end-to-end encryption by default. 
This means your private information is at risk of being exposed to the companies behind the apps, and anybody they share it with.</p> <p>To keep your conversations away from prying eyes, it&rsquo;s a good idea to use an encrypted messaging service. Apps like Apple’s iMessage and <a href="https://signal.org/">Signal</a> offer end-to-end encryption to keep your conversations private and secure. Keep in mind that end-to-end encryption protects messages between the devices in the conversation; any backup of those conversations is only as private as the backup itself.</p> <h2 id="we-need-strong-privacy-laws-to-protect-people">We need strong privacy laws to protect people</h2> <p>Data breaches can happen to anyone, which is why we need to have strong privacy laws in place to protect people. The EU&rsquo;s <a href="https://gdpr.eu/">General Data Protection Regulation (GDPR)</a> is a step in the right direction, as it&rsquo;s designed to protect and empower everyone in the EU, regardless of citizenship, when it comes to their data privacy.</p> <p>However, there’s more that can be done to protect your privacy online. Reach out to your politicians and local representatives to let them know how much online privacy matters to you. Use your votes to show them that you want your data kept private.</p></description></item><item><title>Introducing the 1Password SCIM bridge</title><link>https://blog.1password.com/scim-bridge-release/</link><pubDate>Thu, 08 Aug 2019 00:00:00 +0000</pubDate><author>info@1password.com (Connor Hicks)</author><guid>https://blog.1password.com/scim-bridge-release/</guid><description> <img src='https://blog.1password.com/posts/2019/scim-release/header.png' class='webfeedsFeaturedVisual' alt='Introducing the 1Password SCIM bridge' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">I&rsquo;m thrilled to announce the first major release of the <a href="https://support.1password.com/scim/">1Password SCIM bridge</a>! The SCIM bridge is the best way to automate provisioning of your team in 1Password Business.</p> <p>We&rsquo;ve spent the past year making it easier to roll out 1Password to your company. 
The 1Password SCIM bridge is available today, and it&rsquo;s compatible with the most popular enterprise identity providers: Azure Active Directory and Okta. It&rsquo;s available for one-click deployment on the Google Cloud Platform Marketplace, or it can be installed more traditionally using Docker, Kubernetes, or Terraform.</p> <p>The SCIM bridge makes it easy to manage your team because it brings 1Password into the workflows you already know and love. It allows you to control your 1Password account from your existing systems, so you can use the enterprise identity provider that your team is already familiar with. Your administrators can remain hands-off and manage your team from one central place to invite employees, grant them access to the correct groups, and deprovision them when they leave. Watch this video to see how the SCIM bridge syncs Okta with 1Password.</p> <div style="text-align: center !important;"> <iframe src="https://www.youtube-nocookie.com/embed/zo5oKsBjfVs" frameborder="0" allow="autoplay; encrypted-media" width="500px !important;" height="281px !important;" style="width: 500px !important; height: 281px !important; display: inline-block !important" allowfullscreen></iframe> </div> <blockquote> <p>“At Okta, we securely connect our customers to the technologies they need for their businesses. We’re excited to partner with 1Password to do just that for our joint customers. With the 1Password SCIM bridge, 1Password customers leverage Okta’s full provisioning capabilities and can automate many common administrative tasks, enabling them to increase efficiency throughout their organizations.” — <em>Chuck Fontana, VP, Okta Integrations &amp; Strategic Partnerships</em></p> </blockquote> <p>To make sure everyone in your company can always access what they need, the SCIM bridge automatically syncs your identity provider’s groups with the groups in your 1Password account. 
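The provisioning, group sync and deprovisioning described above happen over SCIM 2.0 (RFC 7643 resources, RFC 7644 operations). The following is an added example, not the 1Password SCIM bridge's code, of the exchange between an identity provider such as Okta or Azure AD and a minimal SCIM server: the bearer token, identifiers, request bodies and in-memory store are all constructed for the example, and the behaviour on deactivation is a design choice of the example rather than a description of the bridge.

```python
"""Minimal in-memory SCIM 2.0 server (RFC 7643 resources, RFC 7644 PATCH operations).

Added example, not the 1Password SCIM bridge's code. It replays the calls an
identity provider makes: create a user, create a group, add the user to the
group, then deprovision the user with active=false. Token and ids are made up.
"""
import hmac
import uuid

SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_GROUP = "urn:ietf:params:scim:schemas:core:2.0:Group"
SCIM_PATCH = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
SCIM_ERROR = "urn:ietf:params:scim:api:messages:2.0:Error"


def scim_error(status, detail):
    return status, {"schemas": [SCIM_ERROR], "status": str(status), "detail": detail}


class ScimServer:
    def __init__(self, bearer_token):
        self._token = bearer_token
        self.users = {}   # id -> User resource
        self.groups = {}  # id -> Group resource

    def _authorized(self, headers):
        scheme, _, token = headers.get("Authorization", "").partition(" ")
        # Constant-time comparison: a plain == leaks the token byte by byte through timing.
        return scheme == "Bearer" and hmac.compare_digest(token, self._token)

    def handle(self, method, path, headers, body=None):
        """Dispatch one request; returns (HTTP status, JSON-serialisable body)."""
        if not self._authorized(headers):
            return scim_error(401, "invalid bearer token")
        parts = path.strip("/").split("/")
        resource, rid = parts[0], (parts[1] if len(parts) > 1 else None)
        if method == "POST" and resource == "Users":
            return self._create_user(body)
        if method == "POST" and resource == "Groups":
            return self._create_group(body)
        if method == "PATCH" and resource == "Users" and rid in self.users:
            return self._patch_user(rid, body)
        if method == "PATCH" and resource == "Groups" and rid in self.groups:
            return self._patch_group(rid, body)
        return scim_error(404, "resource not found")

    def _create_user(self, body):
        if any(u["userName"] == body["userName"] for u in self.users.values()):
            return scim_error(409, "userName already exists")  # RFC 7644 scimType "uniqueness"
        user = {"schemas": [SCIM_USER], "id": str(uuid.uuid4()),
                "userName": body["userName"], "active": body.get("active", True)}
        self.users[user["id"]] = user
        return 201, user

    def _create_group(self, body):
        group = {"schemas": [SCIM_GROUP], "id": str(uuid.uuid4()),
                 "displayName": body["displayName"], "members": []}
        self.groups[group["id"]] = group
        return 201, group

    def _patch_user(self, uid, body):
        user = self.users[uid]
        for op in body.get("Operations", []):
            if op["op"].lower() == "replace":
                # Okta sends {"op":"replace","value":{"active":false}}; Azure AD sends
                # {"op":"Replace","path":"active","value":false}. Accept both forms.
                if op.get("path"):
                    user[op["path"]] = op["value"]
                else:
                    user.update(op["value"])
        if not user["active"]:
            # Example policy: deprovisioning strips every group membership in one step.
            for group in self.groups.values():
                group["members"] = [m for m in group["members"] if m["value"] != uid]
        return 200, user

    def _patch_group(self, gid, body):
        group = self.groups[gid]
        members = {m["value"] for m in group["members"]}
        for op in body.get("Operations", []):
            kind, path = op["op"].lower(), op.get("path", "")
            if kind == "add" and path == "members":
                # Only known users are added; unknown ids from the IdP are ignored, not trusted.
                members |= {m["value"] for m in op["value"] if m["value"] in self.users}
            elif kind == "remove" and path.startswith("members"):
                # RFC 7644 filter form: members[value eq "<id>"]; bare "members" clears the list.
                target = path.split('"')[1] if '"' in path else None
                members = {m for m in members if m != target} if target else set()
        group["members"] = [{"value": m} for m in sorted(members)]
        return 200, group


def provision_flow(token="constructed-example-token"):
    """Replay an identity provider's calls and return the observable outcomes."""
    server = ScimServer(token)
    auth = {"Authorization": "Bearer " + token}
    _, user = server.handle("POST", "/Users", auth, {"schemas": [SCIM_USER], "userName": "ada@corp.example"})
    _, group = server.handle("POST", "/Groups", auth, {"schemas": [SCIM_GROUP], "displayName": "Engineering"})
    add = {"schemas": [SCIM_PATCH], "Operations": [{"op": "add", "path": "members",
           "value": [{"value": user["id"]}, {"value": "not-a-known-user"}]}]}
    _, group = server.handle("PATCH", "/Groups/" + group["id"], auth, add)
    members_before = [m["value"] for m in group["members"]]
    deactivate = {"schemas": [SCIM_PATCH], "Operations": [{"op": "replace", "value": {"active": False}}]}
    _, user = server.handle("PATCH", "/Users/" + user["id"], auth, deactivate)
    denied, _ = server.handle("POST", "/Users", {"Authorization": "Bearer wrong-token"},
                              {"userName": "mallory@corp.example"})
    return {"user_id": user["id"], "active": user["active"], "denied_status": denied,
            "members_before": members_before,
            "members_after": [m["value"] for m in server.groups[group["id"]]["members"]]}
```

Two details are worth noticing. The bearer token is compared in constant time, because the token is the only thing standing between the internet and your directory. And because the identity provider is the source of truth, deactivating a user there flows through to every group at once, which is what makes SCIM deprovisioning reliable compared with an administrator remembering to remove someone from each vault by hand.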
Create <a href="https://support.1password.com/custom-groups/">custom groups</a> in 1Password that you can manage directly from your identity provider to grant access to vaults.</p> <p>The SCIM bridge is designed with a robust and security-focused architecture. It runs within your cloud provider or existing infrastructure and connects to your identity provider using the industry-standard SCIM protocol. Because the SCIM bridge runs within a system under your control, your account’s encryption keys also stay under your control – right where they belong.</p> <p>If you use <a href="https://1password.com/business/">1Password Business</a> at your company, take advantage of the power that the SCIM bridge has to offer, including automatic confirmation of new users. For more information, <a href="https://support.1password.com/contact/?b=sales-business">contact the 1Password Business team</a>. Or <a href="https://support.1password.com/scim/">get started on your own</a>.</p></description></item><item><title>Keep students safe with 1Password Families</title><link>https://blog.1password.com/starting-college-1password/</link><pubDate>Tue, 06 Aug 2019 00:00:00 +0000</pubDate><author>info@1password.com (Sarah Brown)</author><guid>https://blog.1password.com/starting-college-1password/</guid><description> <img src='https://blog.1password.com/posts/2019/starting-college-1password/header.png' class='webfeedsFeaturedVisual' alt='Keep students safe with 1Password Families' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Summer may still be in full swing, but school is just around the corner. 
If you’re sending your child off to college for the first time, take the opportunity before they leave to instill the security habits that will keep them safe in college and beyond.</p> <p>With a <a href="https://1password.com/personal/">1Password Families membership</a>, you can give your loved ones the tools to protect themselves – without taking away their independence.</p> <h2 id="get-the-basics-right">Get the basics right</h2> <p>Start teaching your child good password management skills by adding them to your family account. If you have an individual account, you can <a href="https://support.1password.com/change-account-type/">upgrade it on 1Password.com</a>.</p> <p>1Password keeps your family safe online by helping everybody create and use strong, unique passwords for all their accounts. And, because it makes it quicker and easier to sign in to apps and websites, they’ll actually want to use it.</p> <p>Students starting college need to sign up for a lot of new services, like school emails and online shopping accounts. It’s a lot to take in all at once. This is the perfect time to teach them how important it is to use a <a href="https://blog.1password.com/how-to-protect-yourself-from-password-reuse-attacks/">strong, unique password</a> for every site.</p> <h2 id="store-everything-important">Store everything important</h2> <p>Students are handed a lot of new information and documents in their first week of college. If they store them in 1Password, they’ll know just where to look when they need them.</p> <p>From software licenses to purchase receipts, and school files to credit cards, anything that’s worth keeping safe and private is best kept in 1Password. 
Students can keep copies of their driver&rsquo;s license and passport in case of emergencies, and any critical medical documents or private notes they might need.</p> <p>1Password syncs seamlessly between devices, so your child can access their school files and emails from their iPad at school, and again from their desktop computer when they’re home for the holidays.</p> <h2 id="easily-share-information">Easily share information</h2> <p>1Password is the easiest and safest way to share passwords, credit cards, and anything else that&rsquo;s too important to email. So when your child needs your credit card number to order books for next semester, it’s easy to share it with them – just add it to your shared vault.</p> <p>Your shared vault can also be used to store your family’s Netflix password, insurance cards, and anything else your child may need access to while they’re away from home. You can add new items as needed, update existing ones, or remove outdated information and it will update automatically for everyone in your family.</p> <h2 id="keep-personal-things-private">Keep personal things private</h2> <p>Not everything needs to be shared with the whole family, and it&rsquo;s a good bet that most students won&rsquo;t want their parents to have access to their social media accounts. In addition to shared family vaults, everybody in your family gets their own private vault so they can keep passwords, personal documents, and private notes safe from prying eyes.</p> <h2 id="defend-against-breaches">Defend against breaches</h2> <p>As a parent, it&rsquo;s your job to protect your child, but you can&rsquo;t be with them every moment of every day. <a href="https://watchtower.1password.com/">Watchtower</a>, included with every 1Password membership, can give you peace of mind when it comes to their online safety. 
Watchtower will alert them if any of the websites they use are compromised, or if any of their passwords are included in a data breach, so they can keep their accounts safe.</p> <section class="c-call-to-action-box"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Sign up for 14 days free!</h3> <p class="c-call-to-action-box__text"> Give your child the tools they need to keep themselves safe online. Sign up now and try 1Password free for 14 days. </p> <a href="https://1password.com/pricing/" class="c-call-to-action-box__link-href" data-event-category="CTA" data-event-action="call-to-action-button"> Try 1Password Families free </a> </div> </section></description></item><item><title>There's never been a better time to upgrade to 1Password 7</title><link>https://blog.1password.com/never-better-time-to-upgrade-to-1password-7/</link><pubDate>Wed, 31 Jul 2019 00:00:00 +0000</pubDate><author>info@1password.com (Swapna Krishna)</author><guid>https://blog.1password.com/never-better-time-to-upgrade-to-1password-7/</guid><description> <img src='https://blog.1password.com/posts/2019/never-better-time-upgrade-7/header.png' class='webfeedsFeaturedVisual' alt='There's never been a better time to upgrade to 1Password 7' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">1Password 7 was released over a year ago, and thanks to all the new features we’ve added since, there’s never been a better time to upgrade. Let’s take a look at what you get with the latest and greatest version of 1Password.</p> <img src='https://blog.1password.com/posts/2019/never-better-time-upgrade-7/Mini.png' alt='1Password Mini' title='1Password Mini' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <h2 id="1password-mini">1Password mini</h2> <p>1Password mini has a beautiful new design in 1Password 7. 
Every pixel has been reimagined to give you more information and control, so you can keep all your passwords, credit cards, and other important items right at your fingertips. It still works in your favorite browsers, and now you can fill in apps with drag and drop. The new 1Password mini is available in 1Password 7 for both <a href="https://support.1password.com/upgrade-mac/">Mac</a> and <a href="https://support.1password.com/upgrade-windows/">Windows</a>.</p> <h2 id="watchtower-and-security">Watchtower and security</h2> <p>Data breaches happen all the time. If you use 1Password 7, <a href="https://watchtower.1password.com/">Watchtower</a> alerts you if any of your passwords have been compromised and need to be changed. It also keeps track of expiring items (like credit cards or passports) and warns you of unsecured websites.</p> <p>Watchtower even lets you know when you aren&rsquo;t using two-factor authentication on a site that supports it.</p> <img src='https://blog.1password.com/posts/2019/never-better-time-upgrade-7/Watchtower.png' alt='1Password 7 Watchtower' title='1Password 7 Watchtower' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <h2 id="dark-mode">Dark Mode</h2> <p>1Password 7 for Mac supports Dark Mode, and because 1Password 7 populates icons to make it easy to find the login you’re looking for, you’re in for a real treat. The colorful icons really pop against the dark background. 
You can download the latest version of <a href="https://support.1password.com/upgrade-mac/">1Password for Mac</a> now.</p> <img src='https://blog.1password.com/posts/2019/never-better-time-upgrade-7/Sidebar.png' alt='1Password 7 sidebar' title='1Password 7 sidebar' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <h2 id="preparing-for-safari-13">Preparing for Safari 13</h2> <p>If you’re still using 1Password 6 with Safari, you’ll need to either upgrade to 1Password 7 <a href="https://blog.1password.com/safari-13-is-awesome-upgrade-from-1password-6/">before macOS Catalina comes out later this year</a> or switch to another browser. Regardless, there’s a lot to love about the latest and greatest 1Password release. <a href="https://support.1password.com/upgrade-mac/">Learn more about upgrading.</a></p> <h2 id="faster-and-more-streamlined">Faster and more streamlined</h2> <p>In 1Password 7, both the Windows and Mac apps were completely rebuilt to give you the most powerful and streamlined 1Password experience ever. We also redesigned the sidebar to show you all of your accounts and vaults with a single glance.</p> <h2 id="organization-and-productivity">Organization and productivity</h2> <p>1Password 7 is perfect for organization junkies. From customized keyboard shortcuts to support for nested tags, you can make 1Password 7 work the way you need it to.</p> <img src='https://blog.1password.com/posts/2019/never-better-time-upgrade-7/upgradenow.png' alt='Upgrade to 1Password 7' title='Upgrade to 1Password 7' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <h2 id="upgrade-now">Upgrade now</h2> <p>If you have a 1Password membership, 1Password 7 is included in your subscription. 
You can download it for <a href="https://support.1password.com/upgrade-windows/">Windows</a> and <a href="https://support.1password.com/upgrade-mac/">Mac</a>.</p> <section class="c-call-to-action-box"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Sign up for 14 days free!</h3> <p class="c-call-to-action-box__text"> Start your 1Password membership today and discover what's new in the best version of 1Password yet. </p> <a href="https://1password.com/pricing/" class="c-call-to-action-box__link-href" data-event-category="CTA" data-event-action="call-to-action-button"> Try 1Password free </a> </div> </section></description></item><item><title>1Password 7.2 for Android: the Dark Theme Rises</title><link>https://blog.1password.com/1password-7-2-for-android-dark-theme-rises/</link><pubDate>Mon, 22 Jul 2019 00:00:00 +0000</pubDate><author>info@1password.com (Michael Verde)</author><guid>https://blog.1password.com/1password-7-2-for-android-dark-theme-rises/</guid><description> <img src='https://blog.1password.com/posts/2019/opa72/header.png' class='webfeedsFeaturedVisual' alt='1Password 7.2 for Android: the Dark Theme Rises' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Thought I’d go with the obvious Star Wars reference? I have to admit it was tempting, but villains monopolize the dark side in that universe. 
Heroes can have a dark side too, as evidenced by our friend the Dark Knight, and Dark Theme is definitely the hero feature of this release!</p> <p>Without further ado, and only a few more pop culture references, let&rsquo;s get into what&rsquo;s new in 1Password for Android 7.2.</p> <h2 id="dark-theme">Dark Theme</h2> <img src='https://blog.1password.com/posts/2019/opa72/lock-screen.png' alt='Screenshot showing login screen with blue accents' title='Screenshot showing login screen with blue accents' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>The new feature I’m most excited about in 1Password also happens to be my favourite new feature in Android Q. When it launches later this summer, Android Q will bring support for a system-wide Dark Theme. And 1Password will be ready and waiting with our new gothic stylings.</p> <h2 id="i-only-work-in-black--and-sometimes-very-very-dark-grey">I only work in black &hellip; and sometimes very, very dark grey</h2> <p>While we did darken things dramatically, we didn&rsquo;t quite limit our palette to Bat-approved colours. Instead, we used the contrast provided by a dark background to really make important elements pop. Look for bold shots of 1Password blue to tell you where the action is.</p> <h2 id="what-if-your-device-isnt-running-android-q">What if your device isn&rsquo;t running Android Q?</h2> <p>This is the best part. Even old versions of Android support Dark Theme in 1Password, all the way back to Lollipop. On Android Q, 1Password will match your choice in the system setting by default, while earlier OS versions will default to Dark Theme when Battery Saver is enabled. 
In either case, you can override this behaviour with a quick visit to the display settings in 1Password.</p> <h2 id="enhanced-autofill-functionality">Enhanced Autofill functionality</h2> <img src='https://blog.1password.com/posts/2019/opa72/create-login.png' alt='Screenshot showing login screen' title='Screenshot showing login screen' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>Not only does Dark Theme dazzle throughout the app, but it also asserts its sense of style in <a href="https://1password.com/features/autofill/">Autofill</a>. Of course, you&rsquo;re probably more interested in how well Autofill works, rather than how great it looks. To that end, we&rsquo;ve added a couple of exciting improvements to help you out.</p> <p>Now, you can create new Login items using Autofill without having to double back to 1Password. Whether you’re signing in to an app or browser, Autofill prompts you with the option to create a new Login item. If you’re signing up for a new account, you can use the password generator.</p> <p>If that isn’t enough, we’ve enhanced Autofill to support more apps and websites with split-screen logins. Signing in is quicker and easier than ever.</p> <h2 id="manage-trashed-items-on-the-go">Manage trashed items on the go</h2> <p>If you accidentally move an item to the trash, there’s no need to rush back to your computer. Simply navigate to your trashed items and restore the item with a single tap. 
On the other hand, if you’re confident that you don’t need the item, just empty the trash to purge it from your device.</p> <h2 id="honorable-mentions">Honorable mentions</h2> <img src='https://blog.1password.com/posts/2019/opa72/password-history.png' alt='Screenshot showing password history' title='Screenshot showing password history' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>We’ve covered some of the biggest changes to 1Password 7.2, but there’s lots more to explore:</p> <ul> <li>Add/remove additional website fields from logins.</li> <li>View password history for Login and Password items.</li> <li>Use 1Password in desktop mode with Samsung DeX.</li> <li>Dozens of additional features, improvements, and fixes.</li> </ul> <h2 id="rolling-out">Rolling out</h2> <p>1Password 7.2 for Android is a free update for all 1Password customers. We’ve started rolling it out on Google Play, so keep an eye out for the update notification. Once installed, you can enjoy all the great new features and improvements that I’ve waxed poetic about.</p> <p>This update was a labour of love, and we hope that you love it as much as we do. 
Be sure to let us know about your favourite features on Google Play, <a href="https://twitter.com/1Password">Twitter</a>, or the <a href="https://1password.community/">1Password Forums</a>.</p></description></item><item><title>Testing out Brave with 1Password X</title><link>https://blog.1password.com/testing-brave-with-1password/</link><pubDate>Fri, 05 Jul 2019 00:00:00 +0000</pubDate><author>info@1password.com (Emily Marchant)</author><guid>https://blog.1password.com/testing-brave-with-1password/</guid><description> <img src='https://blog.1password.com/posts/2019/brave-test/header.png' class='webfeedsFeaturedVisual' alt='Testing out Brave with 1Password X' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">As people grow more cautious of online tracking and data collection, space is opening up for privacy-conscious browsers like Brave, a relative newcomer that&rsquo;s enjoying some time in the spotlight. To see what all the fuss is about, I’ve been giving Brave a spin.</p> <h2 id="a-quick-introduction-to-brave">A quick introduction to Brave</h2> <p>Developed by Brendan Eich, co-founder of Mozilla, Brave is a privacy-focused browser built on open-source Chromium.</p> <p>The backbone of Brave is the same as Chrome, so it shares a lot of its plus points: It has the same clean look, you can install extensions from the Chrome Store, and it syncs across devices. Brave supports Windows, macOS, Linux, Android, and iOS.</p> <h2 id="getting-started">Getting started</h2> <p>Getting Brave set up is easy. 
When you launch the browser for the first time, a welcome tour helps you import any bookmarks and settings from your old browser.</p> <img src='https://blog.1password.com/posts/2019/brave-test/1password-lock.png' alt='1Password X locked in Brave' title='1Password X locked in Brave' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>You can install <a href="https://support.1password.com/getting-started-1password-x/">1Password for your browser</a> straight from the Google Chrome Web Store. Remember, when you sign in to 1Password.com for the first time in Brave, you’ll need your Secret Key, <a href="https://support.1password.com/secret-key/">so get that ready</a>.</p> <h2 id="minimizing-disruption">Minimizing disruption</h2> <p>One of the reasons people stick with browsers like Chrome is their dependence on the browser’s password-saving feature. While convenient, browser password managers aren’t always the strongest choice when it comes to protecting your privacy. Tying your passwords to a particular browser makes it difficult to up and leave, too.</p> <img src='https://blog.1password.com/posts/2019/brave-test/1password-autofill.png' alt='1Password X autofilling passwords in Brave' title='1Password X autofilling passwords in Brave' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>That’s where using a dedicated <a href="https://1password.com/password-manager/">password manager</a> makes a big difference. You can access all your passwords in any browser, so you’re not tied in.</p> <h2 id="1password-breaker-of-chains">1Password, breaker of chains</h2> <p>Because 1Password is compatible with so many browsers, it’s easy to try something new without disrupting your workflow. 
If a browser isn’t the right fit, you can switch back without losing access to your data.</p> <img src='https://blog.1password.com/posts/2019/brave-test/import-passwords.png' alt='Importing passwords to 1Password X' title='Importing passwords to 1Password X' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>I, of course, use 1Password. So when I tried Brave, all my passwords, credit cards, and everything else were ready to use straight away. If you don&rsquo;t use 1Password already, it’s straightforward to import your passwords from <a href="https://support.1password.com/import-chrome/">Chrome to 1Password</a>. Once you’ve done it, you’re free.</p> <h2 id="remember-browser-security-basics">Remember browser security basics</h2> <p>After you set up 1Password in Brave, it’s worth familiarizing yourself with the browser’s security settings. Take a little time to get the basics set up:</p> <ol> <li>Deselect the option to import browsing history and saved passwords during setup.</li> <li>Either turn off cookies, cache, and browser history or clear them regularly.</li> <li>Disable the in-browser password manager.</li> <li>Disable the browser’s built-in autofill for addresses and payment methods, and use <a href="https://1password.com/features/autofill/">1Password’s Autofill</a> instead.</li> <li>Use incognito/private mode on public computers. You can set incognito/private mode as default in Brave, too.</li> </ol> <img src='https://blog.1password.com/posts/2019/brave-test/brave-settings.png' alt='Brave security settings' title='Brave security settings' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <h2 id="whats-brave-like">What’s Brave like?</h2> <p>Brave claims to be significantly faster than Safari or Chrome, and while I don’t have any independent data to back that up, it was certainly quick.</p> <p>There’s a whole host of privacy features to explore, too. Built into the browser you’ll find ad and tracker shields, Tor integration, fingerprint blocking, HTTPS Everywhere, and more. 
Counters on the browser’s homepage add up how much time you’ve saved through blocking ads and trackers, which is a nice touch.</p> <h2 id="the-verdict">The verdict</h2> <p>Choosing a browser really comes down to personal preference. It’s a case of weighing up convenience with the features that matter to you.</p> <p>Brave looks and feels a lot like Chrome, so if you’re looking for a less intrusive alternative to Google’s browser, Brave might be right for you. It gives Firefox and Safari a run for their money when it comes to security, and it&rsquo;s far from slow.</p> <p>There’s a lot to like about Brave – its speed, focus on privacy, and built-in security features. And because I use 1Password, I could try it out easily without any interruption to my work.</p> <section class="c-call-to-action-box c-call-to-action-box--yellow"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Sign up for 14 days free!</h3> <p class="c-call-to-action-box__text"> To take 1Password X for a spin and see if it fits your workflow, sign up for a free 14-day trial of 1Password today. 
</p> <a href="https://1password.com/pricing/?utm_source=blog/" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--yellow" data-event-category="CTA" data-event-action="call-to-action-button"> Try 1Password FREE </a> </div> </section></description></item><item><title>Phishing, fraud, and threat reduction: advice from Alex Rosier</title><link>https://blog.1password.com/phishing-fraud-threat-reduction/</link><pubDate>Tue, 02 Jul 2019 00:00:00 +0000</pubDate><author>info@1password.com (Sarah Brown)</author><guid>https://blog.1password.com/phishing-fraud-threat-reduction/</guid><description> <img src='https://blog.1password.com/posts/2019/business-webinar-phishing/header.png' class='webfeedsFeaturedVisual' alt='Phishing, fraud, and threat reduction: advice from Alex Rosier' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">The third webinar in our Essentials of Business Security series is now available! In this video, Matt talks with Alex Rosier from ProtonMail about phishing, fraud, and how you can reduce the threats to your business.</p> <div style="text-align: center !important;"> <iframe src="https://www.youtube-nocookie.com/embed/PCS_Lgcxgv8" frameborder="0" allow="autoplay; encrypted-media" width="500px !important;" height="281px !important;" style="width: 500px !important; height: 281px !important; display: inline-block !important" allowfullscreen></iframe> </div> <p>ProtonMail is five years old, and Alex has been involved since the early days. 
He started out doing anything and everything that was needed but now focuses on working with businesses of all sizes.</p> <p>To help keep your business safe from <a href="https://blog.1password.com/what-is-phishing-and-how-can-you-protect-yourself/">phishing attacks</a>, we&rsquo;ve put together five key points from their chat.</p> <h2 id="your-email-is-at-risk">Your email is at risk</h2> <p>Despite the rise in popularity of Slack and other messaging apps, email remains the primary communication channel for businesses. The <a href="https://proton.me/blog/zero-access-encryption">data you send over email</a> is more vulnerable than you may think. Even internal emails can be intercepted and exposed if the right malware has been put into place.</p> <p>If you and the recipient of your email use an end-to-end encrypted email service like <a href="https://proton.me/mail">ProtonMail</a>, it makes it more difficult for third parties to read or tamper with your messages and the information they contain.</p> <h2 id="information-is-more-public-than-you-realize">Information is more public than you realize</h2> <p>Nothing is as secret or as private as you&rsquo;d like to believe. Everything from your phone number to your social security number may be available to anyone who knows where to look. 
If a cybercriminal already has the right kind of information about you, it can be easy for them to convince you to hand over even more without realizing what you&rsquo;re doing.</p> <p>Anything you share online can potentially be used against you in an <a href="https://blog.1password.com/what-is-phishing-and-how-can-you-protect-your-business/">attempt to steal your information</a>, so even if you&rsquo;re job hunting and expecting an email from a recruiter, think twice before you send sensitive or confidential data over.</p> <h2 id="phishing-over-email">Phishing over email</h2> <p>It&rsquo;s possible to get almost any information you need by asking the right person the right questions or getting the right person to click the wrong link. Often, a target may be phished for details regarding a password or login information for a simple, non-critical system. However, if that target <a href="https://blog.1password.com/how-to-protect-yourself-from-password-reuse-attacks/">reused their password</a> on more critical systems, their access has now been compromised and data can be accessed by the wrong people.</p> <p>Phishing emails usually appear to come from trusted sources, making them blend in with your inbox. Luckily there are some <a href="https://resources.infosecinstitute.com/topic/recognize-phishing-emails/">easy ways to recognize a phishing email</a> to help you notice and take action when something is off.</p> <h2 id="test-your-security">Test your security</h2> <p><a href="https://resources.infosecinstitute.com/topic/top-10-reasons-why-pen-testing-is-important-to-help-meet-compliance/">Pen testing</a> within your organization can help you to locate your unique vulnerabilities. Finding these holes and sealing them up before the bad guys can exploit them will ensure that your data stays safe and secure.</p> <p>If your IT department needs assistance putting together a pen test, there are companies that can help. 
Kevin Mitnick&rsquo;s Global Ghost Team, <a href="https://www.mitnicksecurity.com/">Mitnick Security</a>, provides one way to locate these holes.</p> <h2 id="educate-your-team">Educate your team</h2> <p>Education is undeniably the best protection you have against phishing, which is why it&rsquo;s been a common theme in our webinar series. Your employees may be well-intentioned, but everyone from the CEO down needs the right tools and information to protect themselves and your business.</p> <p>Taking the time to <a href="https://resources.infosecinstitute.com/category/enterprise/phishing/phishing-countermeasures/anti-phishing-the-importance-of-phishing-awareness-training/#gref">educate your team on how to spot phishing attempts</a> is a necessary investment.</p> <h2 id="whats-up-next">What’s up next</h2> <p>If you enjoyed this chat with Alex, <a href="https://1password.com/webinars/">sign up</a> to find out about our upcoming webinars. They’re the best way to learn what’s possible with 1Password.</p></description></item><item><title>Safari 13 is awesome, but 1Password 6 users need to upgrade to enjoy it</title><link>https://blog.1password.com/safari-13-is-awesome-upgrade-from-1password-6/</link><pubDate>Fri, 28 Jun 2019 00:00:00 +0000</pubDate><author>info@1password.com (Michael Fey)</author><guid>https://blog.1password.com/safari-13-is-awesome-upgrade-from-1password-6/</guid><description> <img src='https://blog.1password.com/posts/2019/safari-13/header.png' class='webfeedsFeaturedVisual' alt='Safari 13 is awesome, but 1Password 6 users need to upgrade to enjoy it' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">On Monday, Apple released the macOS Catalina public beta that includes a preview of Safari 13, which is set for release this fall. 
We’ve discovered there’s <a href="https://developer.apple.com/documentation/safari-release-notes/safari-13-release-notes">lots to love</a> about Safari 13, but we’ve also learned that it will no longer work for customers using 1Password 6.</p> <p>Those already using 1Password 7 are all set; 1Password 7 is ready for <a href="https://1password.com/resources/guides/1password-for-safari/">Safari</a> 13, so you won’t miss a beat.</p> <p>If you’re still using 1Password 6 in Safari, you don’t have to do anything immediately, but you&rsquo;ll need to take action soon to prevent interruptions to your workflow when Safari 13 arrives.</p> <h2 id="1password-7-supports-safari-13">1Password 7 supports Safari 13</h2> <p>The best way to experience Safari 13 is by using 1Password 7.</p> <p>1Password 7 is <a href="https://support.1password.com/upgrade-mac/">included with every 1Password membership</a>, and contains a ton of new features to help you organize and secure your life. A few highlights:</p> <ul> <li>Watchtower can now tell you when items you&rsquo;ve saved in 1Password – like credit cards, driver licenses, and passports – are about to expire. Plus, it can tell you what sites support two-factor authentication, and whether or not you&rsquo;ve enabled it.</li> <li>1Password mini is smarter, faster, and more helpful than ever. It suggests passwords for the apps on your Mac, not just when you&rsquo;re browsing the web.</li> <li>Everything has been entirely redesigned since 1Password 6, and that doesn&rsquo;t just mean it looks fresh. The new sidebar makes it easier to switch between vaults and investigate security issues with your logins, and items now display the most important information front and center.</li> </ul> <p>With a whole bunch of new ways to organize your life, 1Password 7 is the perfect companion to the speedy and secure Safari 13. 
🙂</p> <p>For those with a 1Password 6 license, we&rsquo;re offering you <a href="https://start.1password.com/sign-up/family?c=CATALINA">your first 3 months of 1Password Families for free</a> so you can test drive a 1Password membership before Safari 13 lands on your Mac this fall.</p> <h2 id="soldiering-on-with-1password-6">Soldiering on with 1Password 6</h2> <p>1Password 6 will continue to work with other browsers. Safari lovers like myself won’t want to hear this one, but if you’re stuck and really can’t upgrade, you can still use 1Password 6 in Chrome, Firefox, Opera, and Vivaldi.</p> <h2 id="whats-changing">What’s changing</h2> <p>In previous versions of Safari, extensions were installed via the Safari Extensions Gallery. In Safari 13, the Safari Extensions Gallery is being replaced with Safari App Extensions.</p> <p>It’s great Apple is doing this as Safari App Extensions are faster, lighter and more secure. They run through native Mac apps, meaning they put much less strain on memory and CPU performance. Plus, they&rsquo;re less vulnerable to security exploits like man-in-the-middle attacks. And, as the extensions are bundled right in with the apps you download, you don’t have to worry about compatibility issues or downloading the wrong extension by mistake.</p> <p>1Password 6 was retired over a year ago and, as an older app, it still relies on an extension from the Safari Extensions Gallery. 
Safari 13 offers a better browsing experience all around, but to embrace the new, we have to let go of the old.</p> <p>In addition to its inclusion in macOS Catalina, we expect Safari 13 to also be released as an update for everyone using macOS High Sierra and Mojave, so we’d recommend making plans now as this is very likely to affect you.</p> <p>We’ll be discussing this change over on <a href="https://discussions.agilebits.com/discussion/104999/1password-6-legacy-support-information">our forum</a>, so be sure to join us if you’d like to learn more!</p></description></item><item><title>Why I switched to 1Password X</title><link>https://blog.1password.com/why-i-switched-to-1password-x/</link><pubDate>Mon, 24 Jun 2019 00:00:00 +0000</pubDate><author>info@1password.com (Sarah Brown)</author><guid>https://blog.1password.com/why-i-switched-to-1password-x/</guid><description> <img src='https://blog.1password.com/posts/2019/1passwordx-user-experience/header.png' class='webfeedsFeaturedVisual' alt='Why I switched to 1Password X' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">I’ve used 1Password far longer than I’ve worked here, but until I came on board I only used the Mac and mobile apps. Although I knew that there was a browser-based option, I didn&rsquo;t give it much thought until I was poking around during my new-hire training.</p> <p>Honestly, what took me so long? Within a few weeks of discovering that 1Password X existed, it became the primary way I use 1Password on my computer.</p> <p>1Password X is a full-featured version of 1Password that runs entirely within a browser. It runs on my Linux machine just as smoothly as it does my Mac. And because 1Password X connects to your 1Password account, you have access to everything you expect. 
That’s extremely helpful if you’re anything like a lot of us here and find yourself jumping between different computers and platforms multiple times a day.</p> <img src='https://blog.1password.com/posts/2019/1passwordx-user-experience/popover.png' alt='1Password works in your browser' title='1Password works in your browser' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <h2 id="how-does-it-work">How does it work?</h2> <p>Although I first discovered 1Password X on Linux, it quickly became my preferred way of using 1Password on Mac as well. I love having all my passwords stored in 1Password, and 1Password X streamlines and simplifies my workflow.</p> <p>1Password X works in the background of my browser, anticipates exactly what I need, and shows the relevant options in-line – right where I need them. If I navigate to a page with a saved login, I simply click the 1Password icon and select an option to fill. It will even detect if I have more than one login for a site, like Gmail or Twitter, and all I have to do is start typing my username to find the one I want.</p> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div class="c-technical-aside-box__description"> <p>Want to stay secure online? Create a unique username with 1Password&rsquo;s free <a href="https://1password.com/username-generator/">Username Generator</a>!</p> </div> </aside> <p>It makes signing up for a new website easier too. 
It suggests and saves a newly generated password right on the account creation page!</p> <img src='https://blog.1password.com/posts/2019/1passwordx-user-experience/suggested-password.png' alt='Suggesting a new password' title='Suggesting a new password' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>With 1Password working seamlessly in <a href="https://1password.com/resources/guides/1password-for-google-chrome/">Chrome</a>, it’s become such a natural part of my daily routine that I almost don’t even notice it working away.</p> <h2 id="even-more-fun">Even more fun</h2> <p>I already love 1Password X, perhaps more than is socially acceptable, but the release of the <a href="https://blog.1password.com/1password-x-may-2019-update/">May 2019 update</a> made it even better. I&rsquo;m a big fan of two-factor authentication and have it enabled for every service that offers it. The latest update of 1Password X fills one-time passwords automatically – in addition to usernames and passwords – even when the login process is split across multiple pages.</p> <p>I can’t wait to see what else they’re cooking up and how those improvements will make my digital life even easier.</p> <h2 id="1password-x-works-in-your-browser">1Password X works in your browser</h2> <p>1Password X takes the experience I expect from the Mac and iOS apps I had been using and makes them even better. It&rsquo;s available on Linux, Chrome OS, Mac, and Windows. And it’s easy to set up and use in your favorite browser: Chrome, Firefox, Opera, or Brave.</p> <p>It’s a re-imagination of how 1Password works on the web, designed to make your life easier. 
And, just like all the 1Password apps, the <a href="https://support.1password.com/1password-x-security/">security of 1Password X</a> keeps your most important information safe and confidential.</p> <p>1Password X is awesome and incredibly useful, but that doesn&rsquo;t stop me from using 1Password.com or <a href="https://1password.com/mac/">1Password for Mac</a> when I want to. I’ll sign in to my account on 1Password.com to search for something or turn on <a href="https://1password.com/features/travel-mode/">Travel Mode</a>, and I’ll use the Mac app to manage and organize the information I have saved in 1Password. Being able to choose the best option for a specific task makes my workflow easier.</p> <p>If you’re using the <a href="https://1password.com/resources/guides/1password-for-google-chrome/">1Password extension</a> for the desktop app, <a href="https://support.1password.com/getting-started-1password-x/">try 1Password X</a>. It’s included with your 1Password membership, and you can switch back at any time.</p> <section class="c-call-to-action-box c-call-to-action-box--yellow"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Sign up for 14 days free!</h3> <p class="c-call-to-action-box__text"> To take 1Password X for a spin and see if it fits your workflow, sign up for a free 14-day trial of 1Password today. 
</p> <a href="https://1password.com/pricing/?utm_source=blog/" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--yellow" data-event-category="CTA" data-event-action="call-to-action-button"> Try 1Password FREE </a> </div> </section></description></item><item><title>Smooth sailing with 1Password on the new Apple betas</title><link>https://blog.1password.com/1password-apple-betas/</link><pubDate>Fri, 21 Jun 2019 00:00:00 +0000</pubDate><author>info@1password.com (Sarah Brown)</author><guid>https://blog.1password.com/1password-apple-betas/</guid><description> <img src='https://blog.1password.com/posts/2019/macos-beta-release/header.png' class='webfeedsFeaturedVisual' alt='Smooth sailing with 1Password on the new Apple betas' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">WWDC, Apple&rsquo;s annual Worldwide Developers Conference, happened in San Jose earlier this month. It&rsquo;s an exciting opportunity for developers from all over the world to meet and talk with Apple engineers and for Apple to show off their upcoming software.</p> <img src='https://blog.1password.com/posts/2019/macos-beta-release/iphonedm.png' alt='1Password in dark mode on iOS 13' title='1Password in dark mode on iOS 13' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>The conference always kicks off with a keynote, and this year it was bursting with announcements and updates. The most exciting news for our team was the announcement of brand new versions of <a href="https://www.wired.co.uk/article/best-ios-13-features">iOS</a>, <a href="https://www.theverge.com/2019/6/3/18650197/apple-ipad-os-ipados-multitasking-homescreen-features-wwdc-2019">iPadOS</a>, and <a href="https://www.theverge.com/2019/6/24/18701200/apple-macos-mac-os-catalina-first-look-features/">macOS</a>! 
Roo has already talked about how impressed he is by <a href="https://blog.1password.com/ios-voice-control-wwdc/">Voice Control in iOS 13</a> and how excited he is for <a href="https://blog.1password.com/ios-dark-mode-wwdc/">Dark Mode for iOS</a> to finally arrive.</p> <p>If you&rsquo;re a member of the <a href="https://developer.apple.com/programs/">Apple Developer Program</a>, the developer beta versions of all three pieces of software announced at WWDC are already available to download and install.</p> <p>All of the software previews were absolutely stunning, and we know 1Password 7 will look amazing on all of them. But the best part? If you have <a href="https://support.1password.com/explore/whats-new-mac/">1Password 7</a> installed, everything should work as expected on the iOS 13, iPad OS, and Catalina developer betas. You can keep using 1Password in your daily workflow without fear of any significant interruptions.</p> <img src='https://blog.1password.com/posts/2019/macos-beta-release/wwdc-inline-mac.png' alt='1Password 7 on macOS Catalina' title='1Password 7 on macOS Catalina' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>However, since everything is in closed beta, you may run into some glitches here and there with your 1Password workflow. While there were so many incredible things announced at WWDC, we’re only just scratching the surface of what we can do with them. 
If you come across something that doesn&rsquo;t work as it should, we&rsquo;d love it if you could share your feedback on the <a href="https://1password.community/categories/1password-mac-beta">1Password Support forum</a>.</p> <p>Currently, macOS Catalina, iOS 13, and iPadOS are limited to Apple developers, but a public beta will be available for download and testing in July with the full launch coming later this year.</p> <p>If you&rsquo;re using the latest beta operating systems, pair them with <a href="https://support.1password.com/betas/">the current 1Password beta</a>. We&rsquo;ve made a lot of improvements already, and you&rsquo;ll be the first to receive new ones.</p></description></item><item><title>Improve your team’s security with our next webinar</title><link>https://blog.1password.com/improve-your-teams-security-with-our-next-webinar/</link><pubDate>Tue, 18 Jun 2019 00:00:00 +0000</pubDate><author>info@1password.com (Lisa Verheul)</author><guid>https://blog.1password.com/improve-your-teams-security-with-our-next-webinar/</guid><description> <img src='https://blog.1password.com/posts/2019/admin-webinar/header.png' class='webfeedsFeaturedVisual' alt='Improve your team’s security with our next webinar' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">As we move into the second half of 2019, it&rsquo;s a great time to re-evaluate your team&rsquo;s security habits. If their password management isn&rsquo;t up to scratch, 1Password can help. Our next webinar will show you how to get started.</p> <p>On <strong>July 16</strong> at <strong>2 p.m. EDT</strong>, we&rsquo;re hosting a repeat of our Administrators: Get Started webinar. 
If you&rsquo;re looking to set up 1Password for your team, have just been appointed as a team administrator, or simply need a refresher, this webinar is for you.</p> <p>In this webinar, we&rsquo;ll show you how to:</p> <ul> <li>Invite people to your team</li> <li>Share data and manage permissions</li> <li>Create and manage groups</li> </ul> <p>We&rsquo;ll also have time for a Q&amp;A session at the end to answer all your questions about 1Password Teams and <a href="https://1password.com/business/">1Password Business</a>.</p> <p>To receive notifications of future webinars, <a href="https://1password.com/webinars/">sign up for the mailing list</a>.</p> <p><em><strong>(Editor&rsquo;s note: This webinar is no longer available.)</strong></em></p></description></item><item><title>Scams, malware, and preventative measures: advice from Michael Sherwood</title><link>https://blog.1password.com/scams-malware-preventative-measures/</link><pubDate>Mon, 17 Jun 2019 00:00:00 +0000</pubDate><author>info@1password.com (Sarah Brown)</author><guid>https://blog.1password.com/scams-malware-preventative-measures/</guid><description> <img src='https://blog.1password.com/posts/2019/businesswebinar-scams-malware/header.png' class='webfeedsFeaturedVisual' alt='Scams, malware, and preventative measures: advice from Michael Sherwood' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">The second webinar in our Essentials of Business Security series is now available! 
In this video, Matt talks with Michael Sherwood from Malwarebytes about scams, malware, and what you can do to protect your business.</p> <div style="text-align: center !important;"> <iframe src="https://www.youtube-nocookie.com/embed/fIOCCAST_oI" frameborder="0" allow="autoplay; encrypted-media" width="500px !important;" height="281px !important;" style="width: 500px !important; height: 281px !important; display: inline-block !important" allowfullscreen></iframe> </div> <p>Michael’s journey to Malwarebytes began with an interest in technology and an Apple IIc in ‘84. From there, he joined the U.S. military, where in the mid-90s (the Windows NT era) he found his feet in cryptography. Today, he is VP of Enterprise Online at Malwarebytes, and we’re thrilled that he’s bringing his expert insight to our latest webinar.</p> <p>To help keep your business safe from scams and malware, we’ve put together five key points from our chat for you to take away and consider.</p> <h2 id="the-landscape-is-shifting">The landscape is shifting</h2> <p>Michael notes that, in the past, ransomware was mostly a nuisance rather than a serious threat. The focus has since shifted: attacks have become more advanced, and it&rsquo;s all about making money.</p> <p>The good news is that cybersecurity solutions <a href="https://www.trendmicro.com/vinfo/us/security/news/threat-landscape/smarter-phishing-techniques-cybersecurity-tools-advanced">are keeping up</a> and getting better at detecting scams, fraud, and phishing attempts.</p> <h2 id="everyone-is-at-risk">Everyone is at risk</h2> <p>Cyber breaches and scams are on the rise. 
A <a href="https://www.hiscox.com/cybersecurity">recent global survey</a> indicates that more than 60 percent of organizations were affected by a security event in the last year.</p> <p>Use of ransomware is no longer only focused on attacking major organizations and corporations – it&rsquo;s just as likely to hit a small business or independent shop.</p> <p>If a few small shops pay up, attackers will likely widen their net and send ransomware to as many similar businesses as possible. The larger the audience, the higher the chances are that someone will fall for their scam.</p> <p>The Federal Trade Commission has put out a helpful <a href="https://www.ftc.gov/business-guidance/resources/scams-your-small-business-guide-business">guide for small businesses</a> on what to look out for to avoid getting scammed.</p> <h2 id="a-c-in-your-job-title-ups-your-risk">A “C” in your job title ups your risk</h2> <p><a href="https://www.phishlabs.com/blog/bec-attacks-ceos-executives-risk/">Owners, executives, and C-suite level employees</a> hold the keys to the business, making them a hot target for scammers and phishers. Matt notes that when he moved to a C-level position, the number of scam and <a href="https://blog.1password.com/what-is-phishing-and-how-can-you-protect-yourself/">phishing emails</a> increased.</p> <p>Scammers may pose as a coworker or a colleague to bypass your defenses, in the hope that they’ll be able to trick you into giving up your credentials.</p> <h2 id="implement-the-basics">Implement the basics</h2> <p>Having the right security software in place is your best defense. At a minimum, you should install <a href="https://www.business.com/categories/best-antivirus-and-internet-security/">anti-virus and anti-malware</a> software on all employee machines.</p> <p>Additionally, research the right <a href="https://1password.com/password-manager/">password manager</a>, two-factor authentication, and email services for your business. 
Consider hiring an IT professional to lead your security efforts too.</p> <h2 id="educate-your-team">Educate your team</h2> <p>After the tools are in place, your employees need to know how to use them. Humans can be a weak link in your security chain, but the right training increases their strength. Educating your team on security basics, best practices, and how to stop phishing attempts is one of the best investments you can make.</p> <p><a href="https://www.isaca.org/Journal/archives/2010/Volume-1/Pages/Performing-a-Security-Risk-Assessment1.aspx">Annual security assessments</a> and <a href="https://www.imperva.com/learn/application-security/penetration-testing/">pen testing</a> help you to find knowledge gaps and weaknesses in your system. From there, you can create a comprehensive training plan.</p> <p>Malwarebytes also has a <a href="https://www.malwarebytes.com/blog">security blog</a> that highlights important events in the security world. They focus on thought leadership and take the time to break down how and why breaches happen, and what you should do if you&rsquo;re affected.</p> <h2 id="whats-up-next">What&rsquo;s up next</h2> <p>If you enjoyed this chat with Michael, <a href="https://1password.com/webinars/">sign up</a> to find out about our upcoming webinars. 
They&rsquo;re the best way to learn what&rsquo;s possible with 1Password.</p></description></item><item><title>4 essential password and business security tips from Troy Hunt</title><link>https://blog.1password.com/passwords-breaches-data-dumps/</link><pubDate>Wed, 12 Jun 2019 00:00:00 +0000</pubDate><author>info@1password.com (Sarah Brown)</author><guid>https://blog.1password.com/passwords-breaches-data-dumps/</guid><description> <img src='https://blog.1password.com/posts/2019/business-webinar-troyhunt/header.png' class='webfeedsFeaturedVisual' alt='4 essential password and business security tips from Troy Hunt' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">We&rsquo;ve kicked off an exciting new webinar series, Essentials of Business Security, designed to help your businesses stay safe online.</p> <p>In the first installment Matt talks with <a href="https://twitter.com/troyhunt">Troy Hunt</a>, a longtime friend of 1Password and the founder of <a href="https://haveibeenpwned.com/">Have I Been Pwned</a>. Troy created this site to help people find out if their passwords have been leaked on the internet, making him an expert on password-related security issues.</p> <div style="text-align: center !important;"> <iframe src="https://www.youtube-nocookie.com/embed/6QppFBnu-Uo" frameborder="0" allow="autoplay; encrypted-media" width="500px !important;" height="281px !important;" style="width: 500px !important; height: 281px !important; display: inline-block !important" allowfullscreen></iframe> </div> <p>Matt and Troy covered four key points in the webinar that will help you protect your business and employees.</p> <h2 id="use-strong-and-unique-passwords-for-every-account">Use strong and unique passwords for every account</h2> <p>Views on passwords are always changing and evolving. 
Requiring employees to change their passwords every 30, 60, or 90 days <a href="https://blog.1password.com/should-you-change-passwords-every-90-days/">has been a business standard for years</a>, but the UK&rsquo;s National Cyber Security Centre (NCSC) changed its stance and now <a href="https://www.ncsc.gov.uk/blog-post/problems-forcing-regular-password-expiry">advises against password rotation as a policy</a>.</p> <p>Your employees should create a strong and unique password for every account, and only change these passwords if they suspect an account has been compromised.</p> <h2 id="educate-your-team">Educate your team</h2> <p>Your employees are only human, and humans will naturally try to find the shortest path to the end result. But if you help your employees create <a href="https://resources.infosecinstitute.com/topic/top-10-security-awareness-training-topics-for-your-employees/">smart, easy-to-follow password and security habits</a> from day one, they&rsquo;re more likely to stick.</p> <p>You want to instill a questioning nature in your employees without going overboard. Your employees should be cautious of links or files from unknown senders, aware of how and where data is stored and protected, as well as what information they can publicly share.</p> <p>If your employees are empowered to make smart choices, your company&rsquo;s data is more likely to be safe.</p> <h2 id="put-the-right-tools-in-place-like-a-password-manager">Put the right tools in place (like a password manager)</h2> <p>Having the <a href="https://www.entrepreneur.com/article/306294">right tools in place</a> from the beginning helps your employees create good security habits. 
It&rsquo;s easier to help your employees start off on the right foot than it is to try to make a company-wide change further down the road after your employees have had the chance to develop their own bad habits.</p> <p>At a minimum, your employees should be set up with a password manager and two-factor authentication on all accounts that offer it. A good password manager is designed to blend into your routine so seamlessly that it&rsquo;s actually harder for your employees not to use it.</p> <p>At 1Password, every business account comes with a <a href="https://1password.com/business/">free family account</a> to help your team practice good security habits both at work and at home.</p> <h2 id="how-to-handle-a-data-breach">How to handle a data breach</h2> <p>The gold standard of breach response belongs to the <a href="https://www.troyhunt.com/the-red-cross-blood-service-australias-largest-ever-leak-of-personal-data/">Australian Red Cross Blood Service</a>. In 2016 a text file containing sensitive donor information, including blood type and eligibility answers, was found on a public-facing site. This kind of breach could be devastating.</p> <p>Within 72 hours of being notified, the Red Cross determined what happened, had their CEO give a straightforward and thorough statement, and set up a call center for inquiries. All of this, even though they determined that only two people (one being Troy) had accessed the file.</p> <p>When a breach happens to your business, it&rsquo;s essential that you step up and take ownership. <a href="https://blog.1password.com/facebook-password-change/">Downplaying or brushing</a> off the incident doesn&rsquo;t give your customers confidence in your ability to protect their data going forward.</p> <h2 id="whats-up-next">What&rsquo;s up next</h2> <p>If you enjoyed this webinar, <a href="https://1password.com/webinars/">sign up</a> to find out about our upcoming webinars. 
They&rsquo;re the best way to learn what&rsquo;s possible with 1Password.</p></description></item><item><title>Introducing support for U2F security keys</title><link>https://blog.1password.com/introducing-support-for-u2f-security-keys/</link><pubDate>Tue, 11 Jun 2019 00:00:00 +0000</pubDate><author>info@1password.com (Jasper Patterson)</author><guid>https://blog.1password.com/introducing-support-for-u2f-security-keys/</guid><description> <img src='https://blog.1password.com/posts/2019/u2f/header.png' class='webfeedsFeaturedVisual' alt='Introducing support for U2F security keys' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">You can now use U2F-compatible security keys as a second factor for your 1Password account.</p> <p>Last year we <a href="https://blog.1password.com/multi-factor-authentication-in-1password/">added two-factor authentication</a> to provide another layer of protection for your 1Password account. When this is enabled, you are prompted to enter your second factor any time you sign in from a new device.</p> <p>Initially, that second factor was a time-based one-time password generated by an authenticator app on your phone. Today, I&rsquo;m happy to announce a new option: We now offer support for Universal 2nd Factor (U2F)-compatible security keys. This is done via the new <a href="https://blog.1password.com/what-is-webauthn/">WebAuthn</a> API, and we’re excited to be among the first services to adopt this new browser standard. 
WebAuthn is backwards-compatible with U2F, so all certified U2F security keys will work with our WebAuthn-enabled flow.</p> <img src='https://blog.1password.com/posts/2019/u2f/chrome-security-key-prompt.png' alt='Security key prompt in Chrome' title='Security key prompt in Chrome' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <h2 id="what-is-a-security-key">What is a security key?</h2> <p>Security keys are small physical devices that can be used as a second factor. Support is built into most web browsers and works with many online services like Google and GitHub.</p> <blockquote> <p>“WebAuthn brings to life the concept of using an external security key across multiple devices and platforms, with no shared secrets among services. It’s exciting to see 1Password implement WebAuthn support to enable YubiKey hardware-backed authentication for their users”. – <em>Derek Hanson, VP, Solutions Architecture and Alliances at Yubico</em></p> </blockquote> <p>When you&rsquo;re prompted for your second factor, just tap a button on your security key and you&rsquo;re in. No need to find your phone, open the authenticator app, and type out the six-digit code while trying to race the countdown.</p> <h2 id="using-your-key-with-1password">Using your key with 1Password</h2> <p>Security keys are currently supported on 1Password.com in the latest versions of Chrome, Firefox, Opera, and Edge. 
(It&rsquo;s coming to Safari 13 this fall.)</p> <p>So while it works great as your second factor in those browsers, for now you&rsquo;ll still need an authenticator app set up to use with the 1Password desktop and mobile apps (and any unsupported browsers).</p> <p>You can add your security keys now by heading over to the 1Password web app and visiting our new <a href="https://start.1password.com/profile/2fa">Two-Factor Authentication page</a>.</p> <img src='https://blog.1password.com/posts/2019/u2f/manage-2fa-page.png' alt='Two-Factor Authentication page in 1Password web app' title='Two-Factor Authentication page in 1Password web app' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>Your Master Password, which is used for the encryption of your data, still remains the most important thing protecting your 1Password account. Adding a second factor does <em>not</em> mean you can get away with a weaker Master Password.</p> <h2 id="where-to-buy-a-security-key">Where to buy a security key</h2> <p>If you&rsquo;re interested in getting a security key, you can buy a <a href="https://www.yubico.com/">YubiKey</a> from the Yubico Store, <a href="https://www.amazon.com/Feitian-ePass-NFC-FIDO-Security/dp/B01M1R5LRD/">Feitian</a> keys from Amazon, or <a href="https://store.google.com/us/product/titan_security_key?hl=en-US">Titan</a> keys from the Google Store. Any device that supports the U2F standard will work.</p> <h2 id="how-it-works-under-the-hood">How it works under the hood</h2> <p>WebAuthn is a pretty neat implementation based on public key crypto, and resolves security vulnerabilities like phishing. Our server generates a random token and asks your browser to get it cryptographically signed by your security key. The browser also includes the current domain (and some other data) as part of the payload that is signed. 
This signed response gets sent back to our server, which will decode it; make sure the token, domain, and other data match what we expect; and finally verify the signature using the device&rsquo;s public key.</p></description></item><item><title>Voice Control in iOS 13 is amazing and 1Password is ready</title><link>https://blog.1password.com/ios-voice-control-wwdc/</link><pubDate>Thu, 06 Jun 2019 00:00:00 +0000</pubDate><author>info@1password.com (Michael Fey)</author><guid>https://blog.1password.com/ios-voice-control-wwdc/</guid><description> <img src='https://blog.1password.com/posts/2019/ios-voice-control/header.png' class='webfeedsFeaturedVisual' alt='Voice Control in iOS 13 is amazing and 1Password is ready' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">One of the most impressive parts of Apple’s enormous WWDC keynote on Monday was the announcement of Voice Control for iOS 13.</p> <p>This brand new feature is a complete game changer for users who may not have the ability to interact with their iOS device using their hands and fingers. Using simple, predictable voice commands you can control every aspect of your iOS device. We pride ourselves on providing a 1Password experience that works for all our customers, and when it came time to add Voice Control support to our iOS app all that prior work paid huge dividends.</p> <h2 id="check-this-out">Check this out</h2> <p> <video class="round shadow" style="display: block; margin: auto; padding: 0;" loop="loop" playsinline="" width="100%" alt='' controls> <source src="https://blog.1password.com/posts/2019/ios-voice-control/voiceControliOS.mp4" type="video/mp4" /> </video> </p> <p>So many incredible things have been announced at WWDC this year and we’re only starting to scratch the surface of the things we can do. 
I can’t wait for you to try out Voice Control on iOS 13 when it launches this fall!</p></description></item><item><title>1Password for iOS shines in the dark on iOS 13</title><link>https://blog.1password.com/ios-dark-mode-wwdc/</link><pubDate>Wed, 05 Jun 2019 00:00:00 +0000</pubDate><author>info@1password.com (Michael Fey)</author><guid>https://blog.1password.com/ios-dark-mode-wwdc/</guid><description> <img src='https://blog.1password.com/posts/2019/ios-dark-mode/header.png' class='webfeedsFeaturedVisual' alt='1Password for iOS shines in the dark on iOS 13' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">For those of us on the Apple team, it’s our favorite time of year: Apple’s Worldwide Developer Conference (WWDC for short, or Dub Dub if you want to go even shorter).</p> <p>This year Apple announced a plethora of promising updates for all their platforms. There was multi-user support on tvOS and HomePod, game-changing security announcements like <strong>Sign In with Apple</strong>, iPad officially branching off from iPhone with iPadOS, Project Catalyst, and that oh-so-incredible Mac Pro. We also got something I’ve been anticipating for quite some time: Dark Mode for iOS.</p> <h2 id="challenge-accepted">Challenge accepted</h2> <p>Each year we watch the WWDC keynote with bated breath, waiting for the announcement that will dictate our workload for the next 3 months. We also take it as a personal challenge to see how quickly we can add Apple’s newest technologies to 1Password. 
This year is no different, and I’m happy to report that our track record continues:</p> <p> <video class="round shadow" style="display: block; margin: auto; padding: 0;" autoplay='true' muted='true' loop="loop" playsinline="" width="100%" alt='' controls> <source src="https://blog.1password.com/posts/2019/ios-dark-mode/darkmodeiOS.mp4" type="video/mp4" /> </video> </p> <h2 id="see-you-in-the-fall">See you in the fall</h2> <p>As always, you can expect to see 1Password ready for Dark Mode when iOS 13 launches this fall.</p></description></item><item><title>Bruce Schneier on bridging the gap between policy and tech</title><link>https://blog.1password.com/bruce-schneier-talks-web-security/</link><pubDate>Thu, 30 May 2019 00:00:00 +0000</pubDate><author>info@1password.com (Michael Fey)</author><guid>https://blog.1password.com/bruce-schneier-talks-web-security/</guid><description> <img src='https://blog.1password.com/posts/2019/bruce-schneier-qa/header.png' class='webfeedsFeaturedVisual' alt='Bruce Schneier on bridging the gap between policy and tech' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Last week on Random But Memorable, renowned security technologist <a href="https://www.schneier.com/">Bruce Schneier</a> joined me to discuss surveillance capitalism and internet security policy. Read the interview, or <a href="https://randombutmemorable.simplecast.com/episodes/scrambled-hidden-potato-device">listen to the full podcast</a>.</p> <p><strong>Michael:</strong> Bruce, you don’t need an introduction, but I’m going to give you the opportunity to give one anyway. Welcome to the show.</p> <p><strong>Bruce:</strong> Hi. People might not know that I now teach internet security policy at the Harvard Kennedy School. I’m trying to teach a little bit of tech to policy students, and internet policy to techies. I’m trying to bridge the gap between policy and tech. 
Our serious problems are how do we govern tech, and what is the governance of tech. We need people who can speak both languages.</p> <p><strong>Michael:</strong> So often these days we have rules and laws being put in place that aren’t necessarily based in reality or practical matter.</p> <p><strong>Bruce:</strong> Did you watch the Facebook hearings? If legislators ask questions like “How does Facebook make money?” we’re not going to get good internet security policy.</p> <p><strong>Michael:</strong> It seems like every company these days is creating and selling data and metadata about us. Then other companies are buying it up, or it’s being made public through accidental breaches. Do you think this notion of companies trading and being careless with our data makes us more careless as consumers?</p> <p><strong>Bruce:</strong> Shoshana Zuboff calls this “<a href="https://news.harvard.edu/gazette/story/2019/03/harvard-professor-says-surveillance-capitalism-is-undermining-democracy/">surveillance capitalism</a>”. It’s a new way businesses are monetizing information about us. It’s both companies that do it as a primary revenue source – the Facebooks and Googles, and all the other companies that sell you appliances, toys, and other services. They realize they have a data revenue stream. It is everywhere. It seems like the new form of capitalism.</p> <p>I’m not sure it makes us more careless. I think a lot of us are resigned to it. Companies go out of their way to make it not salient, so we don’t think about it. Certainly, when we think about it, we’re concerned. It seems like from surveys, it’s less that we care less or are careless. It’s that we think it’s inevitable and don’t see viable alternatives.</p> <p>If I tell people, “If you want to protect your privacy, you should not have an email address, carry a cell phone, or use a credit card”, that’s fundamentally dumb advice. 
You can’t live in the 21st century, first-world countries without engaging in those technologies. So people are deleting their Facebook accounts more and more, but for a lot of people, they need to be on Facebook for socialization. A lot of people are resigned to it. That’s where I look at government as the missing link, because it’s not going to be consumer rebellions that change surveillance capitalism. It’ll be rules and laws.</p> <p><strong>Michael:</strong> I don’t think people deleting their Facebook accounts in 2019 is necessarily going to hurt Facebook’s bottom line.</p> <p><strong>Bruce:</strong> Especially if they use Instagram instead.</p> <p><strong>Michael:</strong> I would think most people don’t even realize that Instagram is owned by Facebook.</p> <p><strong>Bruce:</strong> Facebook doesn’t keep it a secret, but they don’t advertise it. I think they’re playing that game.</p> <p><strong>Michael:</strong> Do you think it’s possible to opt out of this type of life?</p> <p><strong>Bruce:</strong> You can build a cabin in the woods, be off the grid, and not have any communications. It’s possible. It’s just not reasonable to expect.</p> <p>If you were interviewing me 5 or 10 years ago, we would talk about protecting your data on your computer, and how you could have better security. But now our data isn’t even on our computers. Our mail is on Google’s computers. Our photos are on someone else’s site. When these security breaches happen, they don’t happen to us. They happen to companies like Marriott, and our information is lost or stolen, and there’s nothing we can do about it.</p> <p>Even if you try to opt out, your data is not under your control anymore. That makes it even harder. My email is not on Google’s servers, but probably about half of my email is, because everybody else’s email is on Google’s servers. 
So here I am opting out from Gmail, but I’m not really opting out because I can’t.</p> <p><strong>Michael:</strong> And we’re beyond opting out of social media. You can not be on Twitter, Facebook, or Instagram, but these breaches go well beyond that data that you would voluntarily share.</p> <p><strong>Bruce:</strong> Social media is really how we interact with our colleagues. I am not on Facebook, and I notice the lapse socially. I occasionally find businesses who don’t have a website – just a Facebook page. There is a cost for not being on these platforms. Sometimes you’re willing to pay it, and sometimes you’re not.</p> <p><strong>Michael:</strong> If you look at 1Password, we handle people’s data like nuclear waste. We limit who touches it, and we only ask for what we need. We treat our customers’ data with as much care as humanly possible. But this is not the trend.</p> <p><strong>Bruce:</strong> No, because it’s expensive. Password management is inherently, “We want to be more secure because it’s the things that secure other things”. But you move to other data, and you’re not going to make those kinds of tradeoffs.</p> <p>You can go further. I have a <a href="https://1password.com/password-manager/">password manager</a>, and I deliberately don’t let anybody put anything in the cloud ever. But I’m sacrificing a feature, because if your data is in the cloud, you can sync over different devices. We’re all making these tradeoffs of usability versus security.</p> <p><strong>Michael:</strong> Where do you draw that distinction?</p> <p><strong>Bruce:</strong> You draw it where you make it. A typical business is going to draw the line where it makes financial sense. Let’s use your typical retailer as an example. 
If they are not going to lose customers because of bad security, they’re not going to worry about it too much.</p> <p>Yahoo is pretty famous for skimping on security because it didn’t matter to them financially, but if you look at a program that advertises security, it’s going to be more of a reputational thing. For a bank, security is going to be money. They’re going to spend more to protect the money they would lose otherwise. Everybody is making their tradeoffs based on usability, profits, and regulations.</p> <p><strong>Michael:</strong> Do you think there’s a way to set a new baseline in people’s mindsets for what security should be when it comes to handling personal data?</p> <p><strong>Bruce:</strong> Maybe, but it’s pretty opaque. You could call Facebook and ask, “How do you handle my data?” and they’re not going to tell you. None of these companies will, because they don’t want to make that public.</p> <p>I don’t see a consumer-led push to increase security, just like you don’t have consumer-led pushes to increase safety in pretty much anything. It is a government-led push because that’s where you have the information to make intelligent decisions that ratchet up safety. I think you might have a generic, “We want more security for our data,” that will lead to government regulation. We saw that in Europe with <a href="https://gdpr.eu/">GDPR</a>. The government set the rules because there was the political will to do that.</p> <p><strong>Michael:</strong> You can debate the merits of having government involved in setting those types of laws.</p> <p><strong>Bruce:</strong> You can, but I’m not sure what the alternative is. The alternative is nothing. The alternative is what we have today in the U.S. – an absolute free for all.</p> <p><strong>Michael:</strong> What do you think are some of the best ways to improve password habits?</p> <p><strong>Bruce:</strong> We know that people are terrible at choosing passwords. 
We’re at the point where pretty much anything you can remember can be hacked, so we want people to choose unmemorable passwords. I think a password manager is essential because we need some system that will remember them for you.</p> <p>There is also a system for choosing unbreakable passwords that you can remember. Basically, I tell people to craft a sentence and use it as a way to generate the password. Take the first letter of every word, and then add some number and letter substitutions, extra punctuation, or weird capitalization. You remember the sentence – it’s something memorable from your life that’s personal. I suggest a sentence that you’d be embarrassed to write down, because they are easier to remember, and you’re less likely to write it down. Then you remember the production rule of how to turn that sentence into the password. Use that for high-value passwords, like the password for your password manager.</p> <p>Also, turn on two-factor authentication whenever you can and it matters. Anything where there’s money, your reputation, or personal information involved, you want to turn those features on.</p> <p><strong>Michael:</strong> One last thing to wrap it up here. What do you think we need to see as a societal change in regards to security or privacy? What’s something you’re hoping we see in our lifetime?</p> <p><strong>Bruce:</strong> The thing that is missing for security and privacy writ large, whether it’s our data privacy, Internet of Things security, or our national cybersecurity is involvement of government. That is who has abdicated their role. This will only work if everybody is working together, pushing against each other to figure out optimal strategies. We have corporations running the show, so it’s optimized for profit and not security. If you want to fix that, you have to bring government back.</p> <p>I think it’s inevitable. Governments regulate dangerous things. 
Once the internet starts killing people, government will be involved, but it really shouldn’t take that. We’re starting to see some movement in that direction, most notably in Europe, but the U.S. is so anti-government involvement that we are hurting ourselves and producing very suboptimal solutions.</p> <p><strong>Michael:</strong> And that brings us back to where we started, which is your efforts to educate future policymakers.</p> <p><strong>Bruce:</strong> And to convince technologists to become part of policy. It’s not just a matter of making sure legislators and regulators understand tech. It’s getting people who do understand tech to take a couple of years in their career and work on policy, advise, speak, or write. There are lots of ways we can engage, and we’re just not doing it.</p></description></item><item><title>Taking a peek at Microsoft Edge for Mac</title><link>https://blog.1password.com/taking-a-peek-at-microsoft-edge-for-mac/</link><pubDate>Wed, 29 May 2019 10:00:00 +0000</pubDate><author>info@1password.com (Sarah Brown)</author><guid>https://blog.1password.com/taking-a-peek-at-microsoft-edge-for-mac/</guid><description> <img src='https://blog.1password.com/posts/2019/living-on-the-microsoft-edge/header.png' class='webfeedsFeaturedVisual' alt='Taking a peek at Microsoft Edge for Mac' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Although Microsoft Edge has been out for Windows for a few years, the beta version for Mac was only released in May. 
Microsoft Edge has been my go-to browser on the rare occasion I use a Windows PC, so I was excited to get a peek at how the browser, and 1Password, would work on my Mac.</p> <p> <img src='https://blog.1password.com/posts/2019/living-on-the-microsoft-edge/1password-light.png' alt='1Password homepage - light mode' title='1Password homepage - light mode' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <img src='https://blog.1password.com/posts/2019/living-on-the-microsoft-edge/1password-dark.png' alt='1Password homepage - dark mode' title='1Password homepage - dark mode' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> </p> <h2 id="solid-as-a-rock">Solid as a rock</h2> <p>This new version of Microsoft Edge is built on Chromium, the same base that Chrome uses, making it more stable and reliable than the Internet Explorer of my early internet days. While it’s still only in beta, it feels speedy enough that it could easily fit into my day-to-day workflow without slowing me down or dragging my tasks out.</p> <p>And the best part is that on my Mac, Microsoft Edge not only looks like a native Mac application but it functions like one, too. All my go-to keyboard shortcuts work exactly as I expect them to, which means I don&rsquo;t have to move my mouse to open 1Password! 
With just a tap of the keys, I&rsquo;m able to sign in and access my saved information.</p> <p> <img src='https://blog.1password.com/posts/2019/living-on-the-microsoft-edge/sign-in-light.png' alt='1Password homepage - light mode' title='1Password homepage - light mode' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <img src='https://blog.1password.com/posts/2019/living-on-the-microsoft-edge/sign-in-dark.png' alt='1Password homepage - dark mode' title='1Password homepage - dark mode' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> </p> <h2 id="keep-it-secret-keep-it-safe">Keep it secret, keep it safe</h2> <p>It can be challenging to know and track how different companies use the data I share. I love that Microsoft Edge pulls all my privacy and ad-tracking settings into a single location: the privacy dashboard. I&rsquo;m able to change the privacy and sharing settings as well as manage browsing data, clear search history, and even edit location data.</p> <p> <img src='https://blog.1password.com/posts/2019/living-on-the-microsoft-edge/privacy-light.png' alt='Microsoft Edge Privacy Dashboard - light mode' title='Microsoft Edge Privacy Dashboard - light mode' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <img src='https://blog.1password.com/posts/2019/living-on-the-microsoft-edge/privacy-dark.png' alt='Microsoft Edge Privacy Dashboard - dark mode' title='Microsoft Edge Privacy Dashboard - dark mode' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> </p> <p>I know my passwords are safe in 1Password, but having this level of control over my browser data gives me even more peace of mind.</p> <h2 id="join-the-dark-side">Join the dark side</h2> <img src='https://blog.1password.com/posts/2019/living-on-the-microsoft-edge/toolbar-dark.png' alt='Microsoft Edge - dark mode' title='Microsoft Edge - dark mode' style='max-width: 600px; width: 100%; 
display: inline-block; margin: 0 auto;' /> <p>I&rsquo;m a huge fan of Dark Mode on my Mac, and I love how sleek it makes the Microsoft Edge browser look. And it doesn&rsquo;t hurt that Dark Mode really makes the 1Password icon pop in the toolbar.</p> <p>Of course, if you&rsquo;re more on the traditional side, the browser and icon look just as good in light mode too.</p> <h2 id="right-at-your-fingertips">Right at your fingertips</h2> <p>Just like on Chrome, all the power of 1Password is right there in the toolbar. <a href="https://support.1password.com/getting-started-1password-x/">1Password X</a> automatically syncs everything to my 1Password account, so I can switch between browsers, operating systems, and devices without missing a beat or forgetting a login.</p> <p> <img src='https://blog.1password.com/posts/2019/living-on-the-microsoft-edge/1passwordx-light.png' alt='Microsoft Edge Privacy Dashboard - light mode' title='Microsoft Edge Privacy Dashboard - light mode' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <img src='https://blog.1password.com/posts/2019/living-on-the-microsoft-edge/1passwordx-dark.png' alt='Microsoft Edge Privacy Dashboard - dark mode' title='Microsoft Edge Privacy Dashboard - dark mode' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> </p> <p>1Password X makes helpful suggestions as I browse the web, allowing me to painlessly sign in to accounts or fill credit card and billing information. If I need to create a new account, it pops up the password generator so I can create a complex and unique password. 
All with just a few simple keystrokes.</p> <p>If you&rsquo;re using the Microsoft Edge beta for Mac, you can <a href="https://chrome.google.com/webstore/detail/1password-%E2%80%93-password-mana/aeblfdkhhhdcdjpifhhbdiojplfjncoa?hl=en">add 1Password X from the Chrome store</a>; just make sure you&rsquo;ve turned on the feature to <a href="https://pureinfotech.com/install-chrome-extension-chromium-edge/">allow extensions from other stores</a>.</p></description></item><item><title>1Password 7.3 for Mac – our life in miniature</title><link>https://blog.1password.com/1password-7-3-for-our-life-in-miniature/</link><pubDate>Tue, 28 May 2019 10:00:00 +0000</pubDate><author>info@1password.com (Michael Fey)</author><guid>https://blog.1password.com/1password-7-3-for-our-life-in-miniature/</guid><description> <img src='https://blog.1password.com/posts/2019/opm73/header.png' class='webfeedsFeaturedVisual' alt='1Password 7.3 for Mac – our life in miniature' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">For the last several months the Design and Development team at 1Password has been hard at work on a major renovation to the smallest part of everyone&rsquo;s favorite password manager: 1Password mini.</p> <p>Since we launched 1Password 7 last May, we&rsquo;ve received more feedback about that incarnation of 1Password mini than any other part of our version 7 update. Given that it was such a significant departure from its predecessor, we anticipated this feedback. Instead of snapping into reaction mode, we took a wait-and-see approach; change is hard, and we didn&rsquo;t want to jump to the wrong conclusions. 
Over time, we built up a wish list of improvements we wanted to bring to 1Password mini and we set off on our journey.</p> <h2 id="core-competencies">Core competencies</h2> <p>Before a single mockup or wireframe was created, we took a step back to define exactly what 1Password mini needed to do well:</p> <ul> <li>Show items that match the frontmost app or website.</li> <li>Fill your passwords, credit cards, and address information into a web page.</li> <li>Generate new passwords quickly and easily.</li> </ul> <p>The mini&rsquo;s primary goal is to get your information out of 1Password and into the places where you need it with a strong focus on filling your passwords, credit cards, and address information into web pages. Additionally, it needs to be clear how to perform every action.</p> <p>&ldquo;Mini is for filling&rdquo; quickly became our mantra during this redesign, and each decision was made in service of that mission.</p> <p> <img src='https://blog.1password.com/posts/2019/opm73/evernote-light.png' alt='Easy to find AutoFill - Light mode' title='Easy to find AutoFill - Light mode' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <img src='https://blog.1password.com/posts/2019/opm73/evernote-dark.png' alt='Easy to find AutoFill - Dark mode' title='Easy to find AutoFill - Dark mode' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> </p> <p>A big piece of what makes 1Password mini successful when it comes to filling your information is our &ldquo;filling brain&rdquo;. Powered by machine learning that takes place locally on your device, 1Password analyzes the web page and suggests the items you&rsquo;re most likely to need on that page. 
What this means is that when you&rsquo;re on a shopping cart page buying that bespoke artisanal handmade teak wood lute, 1Password mini will have your credit cards ready and waiting for you.</p> <h2 id="complex-passwords-made-easy">Complex passwords made easy</h2> <p>Using a strong, unique password for every account is the best thing you can do for your personal internet hygiene. 1Password mini makes creating these passwords incredibly easy. Simply hit the New Password button, adjust the length of the password as needed, then save and copy the password.</p> <p>To get back to your previously generated passwords, just click the menu button above the item list and select Passwords. All of your passwords are there, conveniently sorted in reverse chronological order:</p> <p> <img src='https://blog.1password.com/posts/2019/opm73/save-copy-light.png' alt='Strong new passwords - light mode' title='Strong new passwords - light mode' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <img src='https://blog.1password.com/posts/2019/opm73/save-copy-dark.png' alt='Strong new passwords - dark mode' title='Strong new passwords - dark mode' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> </p> <h2 id="speedy-search">Speedy search</h2> <p>While filling into web pages and creating new passwords might be what you do the most, all your items are available in 1Password mini, and they&rsquo;re only a keystroke away. Simply start typing the name of any item and our speedy search will bring it right up:</p> <p> <img src='https://blog.1password.com/posts/2019/opm73/passport-light.png' alt='Where&#39;s my passp.. never mind, I found it! Light mode' title='Where&#39;s my passp.. never mind, I found it! Light mode' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <img src='https://blog.1password.com/posts/2019/opm73/passport-dark.png' alt='Where&#39;s my passp.. never mind, I found it! 
Dark mode' title='Where&#39;s my passp.. never mind, I found it! Dark mode' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> </p> <h2 id="drag-and-drop-wonderland">Drag and drop wonderland</h2> <p>1Password has wonderful support for the native apps on your computer, making it easy to sign in to your accounts with Slack, Discord, Omni, and many more. 1Password mini makes this even easier with some lovely drag-and-drop support:</p> <p> <video class="round shadow" style="display: block; margin: auto; padding: 0;" autoplay='true' muted='true' loop="loop" playsinline="" width="100%" alt='' controls> <source src="https://blog.1password.com/posts/2019/opm73/ZoomDragDrop.mp4" type="video/mp4" /> </video> </p> <h2 id="wrapping-it-up">Wrapping it up</h2> <p>1Password 7.3 is available <em>today</em> as a free update for all 1Password 7 customers. If you&rsquo;re still using 1Password 6, you can download and install 1Password 7 from our website here: <a href="https://1password.com/downloads/mac/">1Password.com/downloads</a>.</p> <p>If you&rsquo;d like to chat with us about this update (or tell us about your new lute) you can do so on our <a href="https://1password.community/categories/1password-for-mac">discussion forum</a>.</p></description></item><item><title>From the Founders’ Desk: thoughts on mental health</title><link>https://blog.1password.com/thoughts-on-mental-health/</link><pubDate>Wed, 15 May 2019 00:00:00 +0000</pubDate><author>info@1password.com (Sara Teare)</author><guid>https://blog.1password.com/thoughts-on-mental-health/</guid><description> <img src='https://blog.1password.com/posts/2019/mental-health-week/header.png' class='webfeedsFeaturedVisual' alt='From the Founders’ Desk: thoughts on mental health' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">With several countries observing a mental health awareness week in May, now is a great time to think about how we care for 
ourselves and others. We are all worthy of support, encouragement, and happiness. Sometimes feeling okay is easier said than done, but by carving out a bit of time each day to focus on mental and physical health, we can work towards that reality together.</p> <p>Here at 1Password, a huge part of our culture is being positive and working to bring the &ldquo;wow&rdquo; factor to our customers – but to do that, we need to take time to recharge ourselves, too. That’s why we encourage folks to get active during the day, and spend time doing things they love. Whether we’re coding amazing new features or helping answer questions from awesome users, it&rsquo;s a pretty sedentary job. Having activities outside of work – like going to the gym, yoga, a darts league, or squash – gets you moving, helps the body stay active, and feeds the brain. :)</p> <p>We also do a few things within 1Password to help keep people feeling connected. Sharing news of engagements, losses, small victories, and other personal stories helps to make us family. When one person celebrates, we all cheer, and when someone is suffering, we all offer support. Finding a group of folks that you can both work and share your life with is something special, and I&rsquo;m proud to be a part of it.</p> <p>I was recently asked if we had ever considered hiring someone with a mental illness. The idea that mental health could be just a checkbox on a list of qualities we look for in a candidate amazed me. A diverse team is never made up of check marks, but of real people doing their best to share their passions and talents with the world.</p> <p>I found this article online and have shared it with our team before, and I want to share it with you all too, because we all have moments when things don&rsquo;t feel awesome and we need to reach out. 
<a href="https://eponis.tumblr.com/post/113798088670/everything-is-awful-and-im-not-okay-questions-to">Everything Is Awful and I&rsquo;m Not Okay</a> is a short list of great suggestions that can help get you through that moment.</p> <p>So on those days when you need to &ldquo;fake it to make it&rdquo;, find joy in something small. Pay a kindness forward – buy someone a coffee, compliment a stranger. Smile, laugh, and remember that you are not alone.</p></description></item><item><title>1Password X: May 2019 update</title><link>https://blog.1password.com/1password-x-may-2019-update/</link><pubDate>Wed, 08 May 2019 00:00:00 +0000</pubDate><author>info@1password.com (Dave Teare)</author><guid>https://blog.1password.com/1password-x-may-2019-update/</guid><description> <img src='https://blog.1password.com/posts/2019/b5x1.15/header.png' class='webfeedsFeaturedVisual' alt='1Password X: May 2019 update' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Welcome to the May update of 1Password X! They say April showers bring May flowers, and boy howdy do we have some incredible flowers to share with you today. 🌹🌷</p> <p>From a freshly redesigned pop-up, to drag-and-drop support, to some incredible speed boosts, <a href="https://support.1password.com/getting-started-1password-x/">1Password X</a> is <del>lit AF</del> better than ever.</p> <h2 id="all-new-pop-up-design">All new pop-up design</h2> <p>The 1Password X pop-up has been completely recreated to use a two-column layout. With one less column, things are now simpler, more responsive, and allow you to see your item details right away. 
Along with smart suggestions, you can quickly find your logins, credit cards, and identities when you need them.</p> <img src='https://blog.1password.com/posts/2019/b5x1.15/NewPopupSuggestions.png' alt='1Password X showing suggestions for the current page: logins and credit cards' title='1Password X showing suggestions for the current page: logins and credit cards' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>Search feels more natural in the new design and is faster than ever. Start typing and 1Password will do the rest. After you find the login you&rsquo;re looking for, press Enter and 1Password will open the website and automatically fill your information.</p> <p>If you need to manually type a password on another device, use Large Type to make it as easy as possible. And you&rsquo;re not limited to just passwords – you can now use Large Type for <em>all</em> of your item fields.</p> <img src='https://blog.1password.com/posts/2019/b5x1.15/NewPopupLargeType.png' alt='1Password X pop-up showing a password in large type' title='1Password X pop-up showing a password in large type' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>Watchtower alerts look great in the new design as well. Immediately see if your items have a compromised website or vulnerable password, and discover sites where you can enable two-factor authentication (2FA).</p> <img src='https://blog.1password.com/posts/2019/b5x1.15/NewPopupItemDetailsWatchtowerTOTP.jpg' alt='New 1Password X pop-up showing Evernote logins with a Watchtower alert for enabling 2FA' title='New 1Password X pop-up showing Evernote logins with a Watchtower alert for enabling 2FA' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>With a single click, you can use 1Password as an authenticator for sites that support two-factor authentication. 
When you see the QR code, click the &ldquo;QR Code&rdquo; icon and 1Password will automatically scan it for you, add it to your item, and copy the current one-time password to your clipboard.</p> <p>The coolest part of all is the next time you sign in, 1Password will fill your one-time password automatically. You don&rsquo;t need to lift a finger:</p> <p> <video class="round shadow" style="display: block; margin: auto; padding: 0;"autoplay='true'muted='true'loop="loop" playsinline="" width="100%" alt='1Password X automatically fills 2FA one-time passwords' controls> <source src="https://blog.1password.com/posts/2019/b5x1.15/TOTP-Filling-in-1Password-X.mp4" type="video/mp4" /> </video> </p> <h2 id="detach-the-pop-up">Detach the pop-up</h2> <p>You can now open the pop-up in its own window by clicking the &ldquo;Open in new window&rdquo; icon. This is great when you need to keep an item open so you can refer back to it. It&rsquo;s also the perfect companion to our new drag-and-drop feature!</p> <img src='https://blog.1password.com/posts/2019/b5x1.15/DetachedWindowDragAndDrop.jpg' alt='Dragging and dropping an SSH key from the detached 1Password X window into Terminal' title='Dragging and dropping an SSH key from the detached 1Password X window into Terminal' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>Drag anything from 1Password X and drop it onto any app, browser, or otherwise. It feels great and is much faster than copy and paste. 😍</p> <h2 id="speed-speed-speed">Speed, speed, speed!</h2> <p>A ton of performance and speed enhancements have made their way into this release.</p> <p>Scrolling the item list in the pop-up is now (vegan) buttery smooth without any stuttering or reloading. 
Windows and Linux users will especially enjoy this update as the scrollbars now behave how you expect.</p> <p>With our move to WebAssembly, page filling and analysis now runs at least twice as fast as before, and those websites with a large number of fields are up to 13x faster in Chrome and up to 39x faster in Firefox! It&rsquo;s blazing fast. 🔥</p> <p>Last but not least, there are <a href="https://support.1password.com/getting-started-1password-x/#use-keyboard-shortcuts">keyboard shortcuts</a> for everything imaginable in the pop-up. Keyboard warriors rejoice!</p> <h2 id="get-yours-today">Get yours today</h2> <p>If you already use 1Password X, you already have this update. Enjoy! 😘</p> <p>If you&rsquo;re new to 1Password X, you can download and install it from the <a href="https://chrome.google.com/webstore/detail/1password-%E2%80%93-password-mana/aeblfdkhhhdcdjpifhhbdiojplfjncoa">Chrome Web Store</a> (supports Chrome, Chromium, Brave, Vivaldi, Opera, and Microsoft Edge) or the <a href="https://addons.mozilla.org/en-US/firefox/addon/1password-x-password-manager/?src=search">Firefox Add-ons Gallery</a>.</p> <p>You can also <a href="https://1password.community/discussion/79610/how-to-install-1password-x-beta-in-chrome">join our beta family</a> to be the first to enjoy new features as we add them. The next step in our adventure is integrating with the desktop apps. Integration with <a href="https://1password.com/mac/">Touch ID</a> is available in the beta today, and support for Windows Hello will be landing soon.</p> <p>I hope you enjoy 1Password X as much as we enjoyed creating it for you. 
🤗❤️</p></description></item><item><title>CSX: The internal tool that gives our support team superpowers</title><link>https://blog.1password.com/csx-the-internal-tool-that-gives-our-support-team-superpowers/</link><pubDate>Tue, 07 May 2019 00:00:00 +0000</pubDate><author>info@1password.com (Oliver Dunk)</author><guid>https://blog.1password.com/csx-the-internal-tool-that-gives-our-support-team-superpowers/</guid><description> <img src='https://blog.1password.com/posts/2019/csx/header.png' class='webfeedsFeaturedVisual' alt='CSX: The internal tool that gives our support team superpowers' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Since 1Password was founded in 2005, customer support has been at the heart of everything we do. I&rsquo;ve been working with a small team to build CSX, a Chrome extension that makes providing support as easy as 1Password makes managing your passwords.</p> <h2 id="why-do-we-need-a-tool-like-csx">Why do we need a tool like CSX?</h2> <p>As 1Password grows, so do the number of customers we talk to. To make sure we have time to give every reply the thought it deserves, we wanted to automate the repetitive, more administrative parts of the process.</p> <p>For example, we&rsquo;ll often get an email that mentions a forum thread or Twitter conversation. Finding that discussion is a repetitive, time-consuming endeavor, and it would be much better if we could spend that time crafting our reply.</p> <p>To give one more example, we have a collection of &ldquo;Charms&rdquo;, which let a new team member know how to write the perfect response for every situation. These are new to us and we&rsquo;ll likely write about them in the future, but suffice it to say, they help us ensure that every customer gets the same special treatment. It&rsquo;s easy to forget to look for these, especially since the collection changes over time. 
It would be great if our tools could do the searching on a team member&rsquo;s behalf.</p> <p>These are just some of the reasons why building a tool like CSX was important to us. I could go on, but I&rsquo;d much rather show you the result!</p> <img src='https://blog.1password.com/posts/2019/csx/main-widget.png' alt='Main CSX widget displaying information about customer' title='Main CSX widget displaying information about customer' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <h2 id="meet-csx">Meet CSX</h2> <p>Here&rsquo;s CSX&rsquo;s main widget, helpfully displayed beside an email. Immediately, you can see that we&rsquo;ve identified the most relevant customer to the conversation, and surfaced information that might help us craft the perfect response. Let&rsquo;s talk about each of these in more detail:</p> <h3 id="accounts">Accounts</h3> <p>CSX is authenticated with 1Password.com, and is able to retrieve service data about a customer&rsquo;s accounts. What&rsquo;s shown is a summary of the most important details – the region they&rsquo;re in, how recently they&rsquo;ve accessed 1Password on a device, and how they&rsquo;re paying for the service.</p> <p>With this information, we&rsquo;ll notice if you&rsquo;re paying with an Apple subscription, and change our billing advice accordingly. Or that you signed up on 1Password.eu, which explains why you can&rsquo;t sign in on 1Password.com.</p> <h3 id="order-information">Order information</h3> <p>Through integrations with third-party APIs, we look for licences you might have on our old WebStore or on FastSpring, which we use for 1Password 7. This helps us identify which version of 1Password you&rsquo;re licensed to use, and gives us more information about your purchase if we need it.</p> <h3 id="other-context">Other context</h3> <p>CSX also shows if you&rsquo;re active on the 1Password Support forum, or if you have other conversations open in Cerb, our email tool. 
This helps us choose where to put our response, and ensures that we only respond in one place.</p> <h3 id="charms">Charms</h3> <img src='https://blog.1password.com/posts/2019/csx/charms.png' alt='CSX displaying Charms relevant to a conversation' title='CSX displaying Charms relevant to a conversation' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>This one is exciting! Charms are essentially guides for writing the perfect answer to a customer with a particular question. We show relevant Charms based on the &ldquo;bucket&rdquo; your email is routed to, using our own API that exposes Charms to the extension.</p> <h3 id="slack">Slack</h3> <img src='https://blog.1password.com/posts/2019/csx/slack.png' alt='CSX showing a Slack question about a feature request' title='CSX showing a Slack question about a feature request' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>Being a remote company, Slack is vital for our internal communication. Through integration with the Slack API, CSX can search for discussions about a particular question, and surface them in a widget just under the main one. This means we won&rsquo;t waste time asking the same question twice. Notice that we also show who&rsquo;s replied – this can indicate at a glance if we have an authoritative answer, or if there&rsquo;s just been a small amount of discussion.</p> <p>We also allow our team to ask questions directly from CSX. Based on the bucket your email was routed to, we&rsquo;ll pick the best Slack channel for your question. Every message is handcrafted by CSX to show relevant context, leading to answers in the quickest time possible.</p> <h3 id="filling-issues">Filling issues</h3> <p>If there&rsquo;s one thing that Dave – the heart and soul of 1Password – loves to say, it&rsquo;s that filling is our bread and butter. We want to help our team take action whenever you tell us that filling isn&rsquo;t perfect. 
Links that you send us are highlighted if there are known problems, and if there aren&rsquo;t any, filing the issue for investigation can be done with a click.</p> <img src='https://blog.1password.com/posts/2019/csx/filling-issue.png' alt='A filling issue displayed inline as part of an email' title='A filling issue displayed inline as part of an email' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <h3 id="twitter">Twitter</h3> <p>Twitter is a popular way to reach out to us, and I understand why. I love being able to speak to a company quickly, without needing to dig out their email address or open my email client. That said, email is better for some discussions. In the past, when we asked a customer to email us, we lost everything that had been said so far. To fix that, we made CSX add a &ldquo;Move to Cerb&rdquo; button to our Twitter client. This creates a new conversation in Cerb with details about our chat on Twitter, so we don&rsquo;t have to search for a needle in the Twitter haystack.</p> <img src='https://blog.1password.com/posts/2019/csx/twitter.png' alt='Move to Cerb button in our Twitter client' title='Move to Cerb button in our Twitter client' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <h2 id="our-forums">Our forums</h2> <p>CSX isn&rsquo;t limited to email. Our forum is a hotspot for questions, too, so we find the email associated with a thread&rsquo;s author and use that to show as much information as we can. Since this is a public discussion, we have to be more careful about what we share. That said, the context can still be useful if we don&rsquo;t quite understand something you&rsquo;ve said.</p> <h2 id="whats-next">What&rsquo;s next?</h2> <p>I honestly couldn&rsquo;t say! Ultimately, we&rsquo;ll pick whatever benefits our customers the most. 
Our thoughts on what that is may change as we explore all the ideas we have.</p></description></item><item><title>World Press Freedom Day: 1Password for Journalism</title><link>https://blog.1password.com/world-press-freedom-day-1password-journalism/</link><pubDate>Fri, 03 May 2019 00:00:00 +0000</pubDate><author>info@1password.com (Swapna Krishna)</author><guid>https://blog.1password.com/world-press-freedom-day-1password-journalism/</guid></item><item><title>1Password wins a Webby!</title><link>https://blog.1password.com/1password-webby-nomination/</link><pubDate>Tue, 23 Apr 2019 00:00:00 +0000</pubDate><author>info@1password.com (Sarah Brown)</author><guid>https://blog.1password.com/1password-webby-nomination/</guid><description> <img src='https://blog.1password.com/posts/2019/webby-nomination/header.png' class='webfeedsFeaturedVisual' alt='1Password wins a Webby!' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">We are thrilled to announce that 1Password <a href="https://www.webbyawards.com/winners/2019/apps-mobile-and-voice/apps-mobile-sites-general/services-utilities/">has won its first Webby</a> award!</p> <p>The Webbys, hailed as the “internet’s highest honor” by The New York Times, are presented annually by the International Academy of Digital Arts and Sciences (IADAS) and have been around since the mid ’90s.</p> <p>We&rsquo;re delighted that 1Password has been chosen by the Academy as the 2019 winner for <strong>Services &amp; Utilities</strong> in the <strong>Apps, Mobile, and Voice category</strong>, as well as being named an honoree in <strong>Web Services</strong> for the 23rd annual Webby Awards.</p> <a href="https://www.webbyawards.com/winners/2019/apps-mobile-and-voice/apps-mobile-sites-general/services-utilities/" title='1Password Webby Winner'> <img src='https://blog.1password.com/posts/2019/webby-nomination/1password-webby-winner.png' alt='1Password Webby Winner' title='1Password Webby Winner' 
style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> </a> <p>We take great pride in providing the best user experience not just on iOS but across all of our platforms, and we’re excited to be recognized for it.</p> <p>We&rsquo;d also like to thank everybody who voted for us in the People&rsquo;s Voice component of the award. Your support means a lot to us!</p> <section class="c-call-to-action-box"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Award-winning password management</h3> <p class="c-call-to-action-box__text"> 1Password makes it easy to keep your online accounts safe. Try our award-winning app today for free, and find out how simple secure password management can be. </p> <a href="https://1password.com/pricing/" class="c-call-to-action-box__link-href" data-event-category="CTA" data-event-action="call-to-action-button"> Try free for 14 days </a> </div> </section></description></item><item><title>Introducing the Essentials of Business Security: a new webinar event</title><link>https://blog.1password.com/business-essentials-webinar/</link><pubDate>Wed, 17 Apr 2019 00:00:00 +0000</pubDate><author>info@1password.com (Matt Davey)</author><guid>https://blog.1password.com/business-essentials-webinar/</guid><description> <img src='https://blog.1password.com/posts/2019/business-essentials/header.png' class='webfeedsFeaturedVisual' alt='Introducing the Essentials of Business Security: a new webinar event' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Are you doing enough to keep your business secure? 
We&rsquo;re hosting a series of webinars with prominent security experts to help you learn the essentials of keeping your business safe online.</p> <p>Covering everything from ransomware to <a href="https://watchtower.1password.com/">password breaches</a>, each of these 30-minute webinars will teach you something new about the threats you face and the actions you can take to stay secure.</p> <h2 id="troy-hunt-from-have-i-been-pwned-on-thursday-april-25th-2019">Troy Hunt from Have I Been Pwned on Thursday, April 25th, 2019</h2> <p>10 a.m. BST / 5 a.m. EST Troy Hunt is joining us for a security chat about password breaches, data dumps, and encouraging your team to use unique passwords.</p> <p>Troy Hunt is a security researcher and founder of <a href="https://haveibeenpwned.com">Have I Been Pwned</a>. You can learn more about Troy and his work at <a href="https://www.troyhunt.com">troyhunt.com</a>.</p> <h2 id="michael-sherwood-from-malwarebytes-on-thursday-may-2nd-2019">Michael Sherwood from Malwarebytes on Thursday, May 2nd, 2019</h2> <p>5 p.m. BST / 11 a.m. EST Michael Sherwood, VP of Enterprise Online at Malwarebytes, is joining us to talk scams, malware, and preventative measures.</p> <p>Malwarebytes proactively protects people and businesses against dangerous threats such as malware, ransomware, and exploits that escape detection by traditional antivirus solutions. Find out more at <a href="https://www.malwarebytes.com">malwarebytes.com</a>.</p> <h2 id="alex-rosier-from-protonmail-on-thursday-may-23rd-2019">Alex Rosier from ProtonMail on Thursday, May 23rd, 2019</h2> <p>6 p.m. BST / 12 p.m. EST Alex Rosier is the Head of Business Development at ProtonMail. We&rsquo;ll be discussing phishing, fraud, and methods to reduce targets within your business.</p> <p>ProtonMail is a private, end-to-end encrypted email provider. 
Find out more at <a href="https://proton.me/">proton.me</a>.</p> <section class="c-call-to-action-box"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Sign up to the webinar mailing list</h3> <p class="c-call-to-action-box__text"> Get emails about upcoming webinars, including information about how to attend the Essentials of Business Security series. </p> <a href="https://1password.com/webinars/" class="c-call-to-action-box__link-href" data-event-category="CTA" data-event-action="call-to-action-button"> Sign up </a> </div> </section></description></item><item><title>Setting up 1Password at work? Our webinar can help you onboard your team</title><link>https://blog.1password.com/setting-up-1password-at-work-our-webinar-can-help-you-onboard-your-team/</link><pubDate>Tue, 09 Apr 2019 00:00:00 +0000</pubDate><author>info@1password.com (Lisa Verheul)</author><guid>https://blog.1password.com/setting-up-1password-at-work-our-webinar-can-help-you-onboard-your-team/</guid><description> <img src='https://blog.1password.com/posts/2019/team-member-webinar/header.png' class='webfeedsFeaturedVisual' alt='Setting up 1Password at work? Our webinar can help you onboard your team' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Rolling out new business software can be a challenge. Getting everything set up is one thing, but training your team to use it can be time-consuming if you don&rsquo;t have the right resources. Our webinar takes the guesswork out of onboarding.</p> <p>At 1Password, we want to give you the tools you need for a successful deployment. If you’re an administrator looking for the best way to train your staff, we’re here to do some of the heavy lifting for you.</p> <p>On <strong>May 7</strong> at <strong>2 p.m. EST</strong>, we’re hosting a webinar for team and business customers. 
This webinar is perfect for team members who are just getting started with 1Password or need a refresher.</p> <p>In this webinar, we’ll show you how to:</p> <ul> <li>Use 1Password.com to view and edit your passwords and other important information</li> <li>Set up the 1Password apps and 1Password X</li> <li>Save, fill, and change your passwords to make them more secure</li> </ul> <p>We’ll also have time for a Q&amp;A session at the end to answer all your burning questions about 1Password.</p> <section class="c-call-to-action-box"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Register for the webinar</h3> <p class="c-call-to-action-box__text"> Join the webinar on May 7 at 2 p.m. It's free, and we'd love to help you make the most of 1Password. </p> <a href="https://1password.com/webinars/" class="c-call-to-action-box__link-href" data-event-category="CTA" data-event-action="call-to-action-button"> Register now </a> </div> </section> <p>To receive notifications of future webinars, <a href="https://1password.com/webinars/">sign up to the mailing list</a>.</p></description></item><item><title>Introducing the 1Password Internet Password Book (April Fools'!)</title><link>https://blog.1password.com/1password-password-book/</link><pubDate>Mon, 01 Apr 2019 00:00:00 +0000</pubDate><author>info@1password.com (Sarah Brown)</author><guid>https://blog.1password.com/1password-password-book/</guid><description> <img src='https://blog.1password.com/posts/2019/april-fools/header.png' class='webfeedsFeaturedVisual' alt='Introducing the 1Password Internet Password Book (April Fools'!)' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Don’t worry, we haven’t completely lost our minds over here — it’s just April Fool’s day!</p> <p>At 1Password we take privacy and security very seriously, and we think everybody else should too. 
That’s why we would never really suggest ditching your password manager for a cute password book you keep on your desk.</p> <p>And while writing down lots of unique passwords is admittedly safer than reusing the same password for everything, it still isn’t anywhere near as safe as using a password manager, and it certainly isn’t as convenient.</p> <p>Password books can get lost, damaged, or accessed by other people — and, worse, they encourage people to use weak, easy-to-type passwords (because if you’re manually typing things in, you don’t want to spend forever doing it). Our <a href="https://1password.com/password-generator/">password generator</a> creates passwords like <code>=Rw}U5Wx}cHxc)2g6-^Z#7</code>. Imagine writing dozens of passwords like that in a notebook, and copying them out each time you need to use them. You probably wouldn’t, right?</p> <p>Getting started with 1Password is the best decision you can make for your online security. By removing the burden of remembering or copying out login information, it makes it really easy to use extremely secure passwords. 1Password keeps your information <a href="https://blog.1password.com/are-password-managers-safe/">secure</a> and <a href="https://1password.com/security/#privacy">private</a> — as well as helping you to identify weak, reused, or compromised passwords thanks to <a href="https://watchtower.1password.com/">Watchtower</a>.</p> <p>With 1Password, your <a href="https://blog.1password.com/toward-better-master-passwords/">Master Password</a> is the only password you need to remember. You can forget the rest. Make them long, random, and secure. 
They’re all safe inside 1Password, ready for you to fill with a click.</p> <p>Make your life easier and your passwords safer by signing up for a free trial of 1Password today.</p> <section class="c-call-to-action-box"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Try 1Password for free</h3> <p class="c-call-to-action-box__text"> Sign up for a 1Password membership today and see how easy secure password management can be. </p> <a href="https://1password.com/pricing/" class="c-call-to-action-box__link-href" data-event-category="CTA" data-event-action="call-to-action-button"> Get 14 days free </a> </div> </section></description></item><item><title>Why you should change your Facebook password</title><link>https://blog.1password.com/facebook-password-change/</link><pubDate>Thu, 21 Mar 2019 00:00:00 +0000</pubDate><author>info@1password.com (Sarah Brown)</author><guid>https://blog.1password.com/facebook-password-change/</guid><description> <img src='https://blog.1password.com/posts/2019/facebook-passwords/header.png' class='webfeedsFeaturedVisual' alt='Why you should change your Facebook password' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Today, <a href="https://about.fb.com/news/2019/03/keeping-passwords-secure/">Facebook revealed</a> that 200–600 million user passwords had been stored in a plain text file on an internal server. This left the affected users vulnerable and searchable by more than 20,000 employees – with around 2000 taking advantage of this. However, Facebook did state that no passwords were shared or leaked externally.</p> <p>Any affected users will be directly notified, and Facebook is not advising anyone to change their password. 
But, given the number of employees who accessed those passwords, we’d urge you to err on the side of caution and change yours just in case.</p> <p>Instances like this, where passwords are stored and accessible in plain text, are a good example why you should use a unique password for each site. Having a unique password means that the bad practices of one company don’t lead to your <a href="https://blog.1password.com/how-to-protect-yourself-from-password-reuse-attacks/">account being compromised</a> on other sites where you use the same password.</p> <p>To keep your passwords truly secure, change them any time you suspect they’ve been compromised. We know it can be time-consuming to keep track of every website you visit and any security issues they might have, but that’s where <a href="https://watchtower.1password.com">Watchtower</a> steps up. Watchtower integrates with <a href="https://www.troyhunt.com/ive-just-launched-pwned-passwords-version-2/">Pwned Passwords</a>, a service that allows you to check if your passwords have been leaked on the Internet. 1Password will stay on top of things and alert you to compromised logins and breaches so you <a href="https://blog.1password.com/introducing-watchtower-2.0-the-turret-becomes-a-castle/">know when to change your password</a>.</p> <p>Keep your accounts and passwords secure by signing up for <a href="https://1password.com/personal/">1Password Families</a>.</p> <section class="c-call-to-action-box"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Sign up for 6 months free!</h3> <p class="c-call-to-action-box__text"> Try 1Password Families today and get your first 6 months free. 
</p> <a href="https://start.1password.com/sign-up/family?c=FBPOST" class="c-call-to-action-box__link-href" data-event-category="CTA" data-event-action="call-to-action-button"> Try 1Password FREE </a> </div> </section></description></item><item><title>AGConf[9]: Adventures on the high seas</title><link>https://blog.1password.com/agconf9-adventures-on-the-high-seas/</link><pubDate>Wed, 06 Mar 2019 00:00:00 +0000</pubDate><author>info@1password.com (Sarah Brown)</author><guid>https://blog.1password.com/agconf9-adventures-on-the-high-seas/</guid><description> <img src='https://blog.1password.com/posts/2019/agconf9/header.png' class='webfeedsFeaturedVisual' alt='AGConf[9]: Adventures on the high seas' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">One of the challenges as a remote company is that we’re scattered all across the world, which makes it difficult to meet in person. That&rsquo;s why all of us at 1Password eagerly look forward to our annual meetup, AGConf, which is held each winter on a cruise ship in the Caribbean.</p> <p>We met up in Fort Lauderdale, Florida. Many of us were escaping cold and snow back home, and what better way to soak up the sun than to spend a week aboard Royal Caribbean&rsquo;s <em>Independence of the Seas</em> — with stops in Nassau, Haiti, and Jamaica?</p> <h2 id="pre-cruise-hangouts">Pre-cruise hangouts</h2> <p>With people coming in from overseas, one even as far as New Zealand, a lot of folks like to get to Florida a day early. It helps them adjust to the time zone and get a good night’s sleep on land before venturing onto the boat.</p> <p>One group met up to get dinner and drinks at a tiki bar, another group went out in search of excellent Cuban sandwiches, and a lot of people just hung out in small groups in their hotel lobbies. 
It was a great way to meet up with old friends, and for the newbies to ease into the madness before it kicked up a notch the next day.</p> <h2 id="1password-continues-to-grow">1Password continues to grow</h2> <p>Since I only joined 1Password last August, this was my first AGConf, and I was very excited to meet people in person and put faces to the names I’d been talking to over Slack for months. And while it may have been my first meetup, it was clear from looking at last year&rsquo;s photos just how much we&rsquo;d grown since AGConf[8]!</p> <p>There were so many of us that we took over a large portion of the top deck when we gathered there after boarding. We all wore our 1Password shirts so it was easy to spot everyone. As the ship pulled away from the port, we spread out on lounge chairs to chat, grabbed drinks at the bar, and snagged hugs from friends old and new.</p> <p>After everyone had found their way to the group, we gathered together to take our first full team photo on the ship&rsquo;s helipad, crowding together to fit everyone in the frame.</p> <h2 id="getting-work-done">Getting 
work done</h2> <p>While we were all excited to hop off the ship and explore the various ports, our first priority was still you, our customers. Every morning after breakfast, a number of ‘Bits would gather together in the dining room to get you the answers you were looking for. It was fun to just yell our questions across the room and get a response from the right team. We were able to mingle across teams, learning more about the different parts of our company.</p> <p>Some days at sea were also spent in the dining room, splitting time between responding to customers and listening to some inspirational and informative talks. We heard from our CEO Jeff Shiner, founders Dave and Sara, and of course our head of security Jeff Goldberg. We celebrated our successes from 2018 and discussed what’s on the horizon for 2019. We even recorded an episode of <a href="https://blog.1password.com/random-but-memorable-the-security-advice-podcast-from-1password/">Random but Memorable</a> right there on the ship! 
It was encouraging and exciting to hear about the great stuff we have planned and what we’ll be doing to reach our goals.</p> <h2 id="fun-off-and-on-the-ship">Fun off and on the ship</h2> <p>When we’d wrap up with work for the day, there were plenty of other adventures to be had. We got dressed in our fanciest clothes for formal night. There were quite a few ‘Bits that discovered a love – and talent – for karaoke, hitting up the open mic sessions nearly every time they were available. Quite a few people brought games, and we spent some late nights in an empty conference room playing Resistance, Unstable Unicorns, Codewords, and more. No matter where you found yourself, there was sure to be plenty of laughter.</p> <p>Sara and Maria also managed to book us time in the onboard escape room and laser tag area, which were both huge hits. In the escape room on the top deck, ‘Bits worked together to solve puzzles and beat the clock to break free. Meanwhile, on the bottom deck, a group of us battled hard at laser tag, creeping around the course and trying to catch the opposing team off-guard.</p> <p>Itching for some sun after a 
few months of northern winter, I was hoping to spend some time wandering Nassau and Jamaica, soaking up the sun. Unfortunately, Mother Nature had other plans for us. Both days in port ended in sudden downpours, drenching everyone who ventured off the ship.</p> <p>However, luck was on our side when we got to Labadee, Haiti! It was sunny and the temperature was perfect, which worked out great as this was our beach day. We grabbed fancy coconut and pineapple drinks before settling into cabanas, just steps away from crystal blue water. It was a wonderfully fun and relaxing day.</p> <p>While in Labadee, some of the more adventurous ‘Bits headed out to zipline down the mountain and out across the water. 
I prefer to keep my feet firmly on solid ground, but it’s clear from this video that those who were brave enough had a spectacular view and an incredible time.</p> <div style="text-align: center !important;"> <iframe src="https://www.youtube-nocookie.com/embed/nIWLoBJH3XE" frameborder="0" allow="autoplay; encrypted-media" width="500px !important;" height="281px !important;" style="width: 500px !important; height: 281px !important; display: inline-block !important" allowfullscreen></iframe> </div> <h2 id="time-to-say-goodbye">Time to say goodbye</h2> <p>All too soon, the week came to a close and it was time for us to say goodbye. We met up in the same room we had our welcome party in, but this time there was more mingling, more laughter, and more inside jokes. After a week of sharing karaoke, games, support requests, and rain-soaked adventures, we’d bonded, and I was a little sad to be heading home the next day. Sara, Dave, Jeff, and Roustem all stood up and said a few words, thanking us for our work and sharing in the fun we’d had all week.</p> <p>This was a perfect way to end my first AGConf, and I’m already looking forward to next 
year and AGConf[10]!</p></description></item><item><title>Come find us at RSA Conference 2019</title><link>https://blog.1password.com/come-find-us-at-rsa-conf-2019/</link><pubDate>Fri, 01 Mar 2019 10:00:00 +0000</pubDate><author>info@1password.com (Jason Richards)</author><guid>https://blog.1password.com/come-find-us-at-rsa-conf-2019/</guid><description> <img src='https://blog.1password.com/posts/2019/RSA-conf/header.png' class='webfeedsFeaturedVisual' alt='Come find us at RSA Conference 2019' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">From March 4-8, RSA Conference 2019 will bring around 50,000 security professionals together in San Francisco to learn, share, and discuss the future of the industry. We’re all about improvement at 1Password, so we’re going to be there along with some of the leading lights in information security.</p> <h2 id="come-and-say-hi">Come and say hi</h2> <img src='https://blog.1password.com/posts/2019/RSA-conf/swag.png' alt='Pigeon carrying 1Password merchandise' title='Pigeon carrying 1Password merchandise' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>The <a href="https://1password.com/business/">1Password Business</a> and Security teams will be attending because we want to make sure that we remain at the forefront of the latest developments in the cybersecurity world. At 1Password, we firmly believe that the sharing of ideas is how we all get better at what we do, and I know our teams can&rsquo;t wait to get started.</p> <p>If you&rsquo;re making the pilgrimage to RSA Conference 2019, keep an eye out for your friends from 1Password at booth 2456. 
We love to meet our customers and we&rsquo;ll have stickers and other goodies to hand out as well.</p> <h2 id="enjoy-everything-rsa-conference-has-to-offer">Enjoy everything RSA Conference has to offer</h2> <p>There&rsquo;s so much going on at RSA Conference 2019, and if you&rsquo;re anything like me, you might not know where to begin. To help, I&rsquo;ve chosen one event from each day that I think you&rsquo;ll love.</p> <p>If you check out just some of these events, I think you&rsquo;ll have a great time in San Francisco.</p> <h2 id="monday-mar-04">Monday, Mar 04</h2> <h3 id="0430-pm---0600-pm--moscone-south-303">04:30 P.M. - 06:00 P.M. | Moscone South 303</h3> <p><a href="https://www.rsaconference.com/events/us19/agenda/sessions/17228-Women's-Leadership-Celebration-Reception">Women&rsquo;s Leadership Celebration Reception — WLC-REC</a></p> <p>Diversity is important in all walks of life, and an event &ldquo;celebrating the contributions and rich history of women in science and technology&rdquo; sounds like a great way to kick off the week.</p> <h2 id="tuesday-mar-05">Tuesday, Mar 05</h2> <h3 id="1100-am---1150-am--moscone-west-2018">11:00 A.M. - 11:50 A.M. | Moscone West 2018</h3> <p><a href="https://www.rsaconference.com/events/us19/agenda/sessions/16976-Hacking-the-Human-Special-Edition">Hacking the Human: Special Edition — HT-T06</a></p> <p>No matter how great technology becomes, it can only take us part of the way to a secure internet. Helping humans remain vigilant is key to completing that journey.</p> <h2 id="wednesday-mar-06">Wednesday, Mar 06</h2> <h3 id="0700-am---0750-am--moscone-west-3018-table-p">07:00 A.M. - 07:50 A.M. | Moscone West 3018 Table P</h3> <p><a href="https://www.rsaconference.com/events/us19/agenda/sessions/17507-Smart-Connected-Devices-and-Security">Smart Connected Devices and Security — BOF3-W01P</a></p> <p>Smart homes and devices are upon us, and that&rsquo;s great. 
But it also brings new considerations that need to be addressed, and I look forward to discussing them at RSA Conference 2019.</p> <h2 id="thursday-mar-07">Thursday, Mar 07</h2> <h3 id="0800-am---0850-am--moscone-south-203">08:00 A.M. - 08:50 A.M. | Moscone South 203</h3> <p><a href="https://www.rsaconference.com/events/us19/agenda/sessions/15926-Software-Bill-of-Materials-Progress-toward-Transparency-of-Third-Party-Code">Software Bill of Materials: Progress toward Transparency of Third-Party Code — PDAC-R02</a></p> <p>Understanding what the software bill of materials offers us, and what challenges it presents, makes for a fascinating discussion.</p> <h2 id="friday-mar-08">Friday, Mar 08</h2> <h3 id="0830-am---0920-am--moscone-south-205">08:30 A.M. - 09:20 A.M. | Moscone South 205</h3> <p><a href="https://www.rsaconference.com/events/us19/agenda/sessions/14733-Threat-Modeling-in-2019">Threat Modeling in 2019 — ASD-F01</a></p> <p>The world is changing at a breakneck pace. Threat modelling needs to change with it, and this is a great chance to learn about emergent cybersecurity threats.</p> <h2 id="well-see-you-there">We&rsquo;ll see you there</h2> <p>Meeting our customers is one of the most rewarding parts of being in the 1Password family. We can&rsquo;t wait to see you in San Francisco and chat about 1Password and cybersecurity. 
Track us down at booth 2456 and remember to ask for a sticker.</p></description></item><item><title>Get more from 1Password Business with our next webinar</title><link>https://blog.1password.com/get-more-from-1password-business-with-our-next-webinar/</link><pubDate>Tue, 26 Feb 2019 00:00:00 +0000</pubDate><author>info@1password.com (Lisa Verheul)</author><guid>https://blog.1password.com/get-more-from-1password-business-with-our-next-webinar/</guid><description> <img src='https://blog.1password.com/posts/2019/business-webinar/header.png' class='webfeedsFeaturedVisual' alt='Get more from 1Password Business with our next webinar' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">After you&rsquo;ve set up 1Password for your business, it&rsquo;s time to take things to the next level. Our new webinar will show you that the next step is just as simple as the first.</p> <p>On <strong>March 26</strong> at <strong>2 p.m. EST</strong>, we&rsquo;re hosting a webinar to help you get more from <a href="https://1password.com/business/">1Password Business</a>. Whether you need help choosing a plan, are upgrading from 1Password Teams, or simply want to learn more about the <a href="https://support.1password.com/explore/business/">1Password Business features</a>, this webinar is for you.</p> <p>In this webinar, we&rsquo;ll show you how to:</p> <ul> <li>Organize your team with custom groups and roles</li> <li>Manage access with vault permissions</li> <li>Audit your team with reports and the Activity Log</li> </ul> <p>We&rsquo;ll also have time for a Q&amp;A session at the end to answer all your questions about 1Password Business.</p> <section class="c-call-to-action-box"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Register for the webinar</h3> <p class="c-call-to-action-box__text"> Join the webinar on March 26 at 2 p.m. EST. 
It's free, and we'd love to help you make the most of 1Password Business. </p> <a href="https://1password.com/webinars/" class="c-call-to-action-box__link-href" data-event-category="CTA" data-event-action="call-to-action-button"> Register now </a> </div> </section> <p>To receive notifications of future webinars, <a href="https://1password.com/webinars/">sign up for the mailing list</a>.</p></description></item><item><title>Connection, culture, and cruising in the Caribbean</title><link>https://blog.1password.com/connection-culture-and-cruising/</link><pubDate>Wed, 20 Feb 2019 00:00:00 +0000</pubDate><author>info@1password.com (Sarah Brown)</author><guid>https://blog.1password.com/connection-culture-and-cruising/</guid><description> <img src='https://blog.1password.com/posts/2019/agconf-video/header.png' class='webfeedsFeaturedVisual' alt='Connection, culture, and cruising in the Caribbean' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">1Password is a fully remote company with people scattered across the globe — from New Zealand to Germany to our home in Canada.</p> <p>Late last month, we all met up for AGConf, our annual company gathering. It’s a chance to meet new friends, reunite with old ones, and discuss the coming year’s plans while cruising around the Caribbean.</p> <p>But our week at sea isn’t just for sunbathing — it’s also how we connect on a personal level with those we work with. Instead of gathering in chat rooms and on conference calls, we’re able to spend time talking in person over food, drinks, games, and even while relaxing in a hot tub.</p> <p>Friends and partners are welcome too, and our new Chief Customer Advocate Lynette Kontny brought her husband Nathan along. He used the opportunity to cut some footage for his <a href="https://youtu.be/-YgJAMXOHfQ">daily vlog</a>. 
Nathan Kontny’s YouTube channel tackles important issues pertaining to business, family, and psychology in an engaging and thought-provoking way.</p> <p>The installment Nathan released after the cruise, “Slack&rsquo;s Great. But We&rsquo;re Terrible At It,” tackles both how we approach culture as a remote company and how we can connect as a team even when we’re spread out all over.</p> <div style="text-align: center !important;"> <iframe src="https://www.youtube-nocookie.com/embed/-YgJAMXOHfQ" frameborder="0" allow="autoplay; encrypted-media" width="500px !important;" height="281px !important;" style="width: 500px !important; height: 281px !important; display: inline-block !important" allowfullscreen></iframe> </div> <p>It’s often said that if you have to explain what your culture is, you don’t have one, and it seems to be true: no one sat down with Nathan to explain our culture, but he was able to pick up on it just by spending time around us for a week.</p> <p>In this vlog Nathan focused on remote work and how workers communicate — too often ineffectively — when they aren’t in the same physical space. And what we’re doing differently to create a culture that’s allowing us to succeed.</p></description></item><item><title>1Password 7.1 for Android - Super Awesome Edition</title><link>https://blog.1password.com/1password-7-1-for-android-super-awesome-edition/</link><pubDate>Tue, 12 Feb 2019 10:00:00 +0000</pubDate><author>info@1password.com (Oliver Haslam)</author><guid>https://blog.1password.com/1password-7-1-for-android-super-awesome-edition/</guid><description> <img src='https://blog.1password.com/posts/2019/opa71/header.png' class='webfeedsFeaturedVisual' alt='1Password 7.1 for Android - Super Awesome Edition' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Our Android team has been working hard to make sure 1Password for Android sticks to its 2019 resolutions. 
We couldn&rsquo;t be happier that after many hours in the gym, it&rsquo;s now bigger and better than ever. I think you’re going to love 1Password 7.1 for Android.</p> <p>For this update, our Android team resolved to make it even easier for new 1Password customers to get started. That informed much of their work, and I&rsquo;m sure you&rsquo;ll agree when I say they absolutely met their goals. With a slicker sign-up process and easier <a href="https://support.1password.com/emergency-kit/">Emergency Kit</a> creation, you can be up and running much faster.</p> <p>A lot of work has gone into this update, and as ever, you can see everything that&rsquo;s changed by reading the <a href="https://app-updates.agilebits.com/product_history/OPA4">release notes</a>. There&rsquo;s a lot to whet the appetite in there, and I wanted to pick out a few of the biggest changes that we&rsquo;re really proud to bring to 1Password for Android.</p> <h2 id="start-your-1password-membership-with-google-play">Start your 1Password membership with Google Play</h2> <p>If you install 1Password from the Google Play Store, you probably want your membership to be taken care of there, too. By bringing 1Password memberships to the Google Play Store, we&rsquo;ve made it quicker and easier to get started when you first install 1Password.</p> <hr /> <section class="app-box android"> <div class="details"> <h3>Try it out</h3> <p>Signing up for a 1Password membership has never been easier, and the process even fits into a GIF!</p> </div> </section> <h2 id="generate-and-save-your-emergency-kit-during-sign-up">Generate and save your Emergency Kit during sign-up</h2> <p>Speaking of the sign-up process, wouldn&rsquo;t it be great if you could generate and save your Emergency Kit right after you create your account? 
It really would, so we&rsquo;ve flicked the switch and now you don&rsquo;t have to go back and generate it afterwards.</p> <p>Generating an Emergency Kit during sign-up means there&rsquo;s less chance you could find yourself without one when you need it most.</p> <h2 id="tag-all-the-things">Tag all the things</h2> <p>For many people, tags are crucial for organizing their passwords, and with 1Password 7.1 for Android, you can tag all the things right from your phone or tablet. You can now create, edit, rename, and remove tags, and you can even nest tags to take your password organization to the next level.</p> <p>That&rsquo;s great news for the tag-ninjas among you, and managing <a href="https://1password.com/downloads/android/">passwords on Android</a> devices has never been so much fun. I know I can’t wait to get tagging!</p> <img src='https://blog.1password.com/posts/2019/opa71/tags.png' alt='Screenshots showing nested tagging' title='Screenshots showing nested tagging' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <h2 id="enjoy-one-time-passwords-without-the-hassle">Enjoy one-time passwords without the hassle</h2> <p>We feel strongly about the importance of one-time passwords, but we also know that entering a password and then switching to another app to get a code is no fun. With 1Password 7.1 for Android, that frustration is a thing of the past.</p> <p>Now, when you <a href="https://1password.com/features/autofill/">Autofill</a> a password, the one-time password for that account will be automatically copied to your clipboard. Just paste it into the web page or app, and you&rsquo;re good to go. After 30 seconds, the code is removed from your clipboard.</p> <h2 id="some-honorable-mentions">Some honorable mentions</h2> <p>There’s a ton of work gone into this release, and I wanted to highlight some of the great changes that have been made. 
Other notable improvements include:</p> <ul> <li>Category names and item templates are now localized for those with 1Password.com accounts.</li> <li>Autofill now automatically syncs the latest changes from your other devices. You don’t need to open 1Password to sync.</li> <li>You can now use Autofill to sign in to websites in the stable version of Firefox.</li> <li>It’s now easier than ever to move items between vaults.</li> </ul> <h2 id="coming-to-an-android-device-near-you">Coming to an Android device near you</h2> <p>We&rsquo;re rolling out 1Password 7.1 for Android this week as a free update for all 1Password customers. Once it&rsquo;s available for your device, you can <a href="https://play.google.com/store/apps/details?id=com.onepassword.android">download the new update</a> from Google Play to enjoy all of the fantastic improvements I&rsquo;ve mentioned above.</p> <p>I hope you love using 1Password 7.1 for Android as much as our Android team loved building it for you. As always, we would love to hear your feedback on the <a href="https://1password.community/categories/1password-android">1Password Support forum</a>.</p> <p>Enjoy!</p></description></item><item><title>SMS phishing - a cautionary tale</title><link>https://blog.1password.com/sms-phishing-tale/</link><pubDate>Thu, 07 Feb 2019 00:00:00 +0000</pubDate><author>info@1password.com (Will Moore)</author><guid>https://blog.1password.com/sms-phishing-tale/</guid><description> <img src='https://blog.1password.com/posts/2019/smishing/header.png' class='webfeedsFeaturedVisual' alt='SMS phishing - a cautionary tale' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Scams that try to extract personal information via phishing sites, phone calls, or SMS are on the rise. 
It’s something we covered in detail in <a href="https://blog.1password.com/what-is-phishing-and-how-can-you-protect-yourself/">What is phishing, and how can you protect yourself?</a></p> <p>As someone who works for 1Password, security is a big focus of mine. I’m happy to admit that this job has made me far more paranoid than I used to be, and naturally I use 1Password to make sure all my passwords are strong, unique, and have never been <a href="https://blog.1password.com/773-million-collection-1/">included in any breach</a>. I&rsquo;ve read our internal security guide many times over, and I took part in a company-wide security training session just recently at our annual company get-together.</p> <p>You’d think all this preparation would keep me safe from phishing – but last week, I was <em>nearly</em> caught by an SMS phishing attempt. If I can be caught out, so can you, and so I write this post in the hope that my experience will encourage others to be cautious.</p> <h2 id="the-perfect-time-and-place">The perfect time and place</h2> <p>In January, the <a href="https://1password.com/teams/">1Password team</a> got together in Florida for our annual AGConf, and I was waiting in Miami airport for my flight home when the perfect storm of events began to occur.</p> <p>I went to the store for some water and a packet of cinnamon Altoids (you can’t get them in 🇨🇦) and weirdly my Scotiabank Amex card was declined. I tried my MasterCard and same thing – no dice.</p> <p>Resigning myself to being dehydrated and not having spicy cinnamon candy for the journey, I gave up and boarded my flight, planning on calling my bank when I got home.</p> <p>I reconnected my cell phone when I landed in Toronto and the usual flood of notifications came in. 
One of these was an SMS from my bank.</p> <img src='https://blog.1password.com/posts/2019/smishing/sms.png' alt='fraudulent sms image' title='fraudulent sms image' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>In my tired state I clicked the link without thinking. My card had been blocked, so a message was expected – the timing was perfect. As I hit the website on my phone, I remembered the security training we&rsquo;d completed the week before and began to question what I was seeing.</p> <img src='https://blog.1password.com/posts/2019/smishing/screen.png' alt='fraudulent website image' title='fraudulent website image' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>I went back to the SMS. Let’s list the errors there:</p> <ol> <li>Last time I checked, Scotiabank wasn’t spelled with a 0 (SC0TIABANK)</li> <li>My &ldquo;client card&rdquo;? That’s a weird way of saying it…</li> <li>4536 is quoted. The first 4 numbers of a card are public knowledge.</li> <li>Hang on a minute… scotiabank.ca is a subdomain, not the actual domain!</li> </ol> <p>There were even more clues on the webpage:</p> <ol> <li>The biggest one is the lack of padlock in the address bar. This indicates that the site isn&rsquo;t using SSL to encrypt the connection – that’s a big no-no for a bank.</li> <li>That Online Security Guarantee is very badly designed. Not sure the real Scotiabank would let that slide.</li> </ol> <p>I closed the page, thankful that I hadn’t provided any personal information, but concerned that I&rsquo;d so nearly given someone access to all my bank accounts.</p> <h2 id="lesson-learned">Lesson learned</h2> <p>Everyone is vulnerable – whether you&rsquo;re an expert or have no security background at all. 
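<p>The clues listed above can be checked mechanically. What follows is an added example, not code from the original post or from 1Password: it pulls out the registrable domain of a URL, flags a trusted bank domain that appears only as a subdomain label, flags a link served without https, and normalizes digit-for-letter lookalikes such as SC0TIABANK before comparing. The sample URLs are constructed for the example (the post does not reproduce the real link), and the tiny suffix table stands in for the Public Suffix List, which a real check would load.</p>

```python
"""Added example: mechanical checks for the SMS-phishing clues described in the post.

Not 1Password code. The sample URLs are constructed; the post only says the
real link used scotiabank.ca as a subdomain, had no padlock (no TLS), and
spelled the brand with a digit zero.
"""
from __future__ import annotations

from urllib.parse import urlsplit

# Brand domains we expect to see only as the registrable domain itself.
TRUSTED_DOMAINS = {"scotiabank.ca"}

# Digit-for-letter swaps that survive a tired glance at a phone screen.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "@": "a"})

# Stand-in for the Public Suffix List (assumption: a real check loads the PSL).
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "co.nz"}


def registrable_domain(host: str) -> str:
    """Return the eTLD+1, i.e. the part of the host that somebody actually registered."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def phishing_indicators(url: str) -> list[str]:
    """Return human-readable findings; an empty list means nothing looked off."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    seen = host.translate(HOMOGLYPHS)   # what the eye reads the host as
    owner = registrable_domain(seen)    # who actually controls that host
    findings = []

    # Clue on the web page: no padlock, so no TLS.
    if parts.scheme != "https":
        findings.append(f"no TLS: scheme is {parts.scheme!r}")

    # Clue 4 in the SMS: the bank's domain used as a subdomain of something else.
    for trusted in TRUSTED_DOMAINS:
        if trusted in seen and owner != trusted:
            findings.append(
                f"{trusted} appears inside {host}, but the registrable domain is {owner}"
            )

    # Clue 1 in the SMS: SC0TIABANK with a zero. Punycode/IDN lookalikes are out of scope here.
    if seen != host and any(t in seen for t in TRUSTED_DOMAINS):
        findings.append(f"lookalike host: {host} reads as {seen}")

    return findings


if __name__ == "__main__":
    # Constructed sample links: one legitimate, three modelled on the clues in the post.
    for sample in (
        "https://www.scotiabank.ca/",
        "http://scotiabank.ca.secure-alerts.test/client-card",
        "http://sc0tiabank.ca/",
        "https://scotiabank.ca.example.co.uk/",
    ):
        print(sample, "->", phishing_indicators(sample) or ["looks consistent"])
```

<p>The point of normalizing before comparing is that the subdomain trick and the zero-for-O trick are often combined; checking the raw host string alone would miss a link such as sc0tiabank.ca.something.test. A browser's padlock and the real registrable domain are what matter, not whether the brand name appears somewhere in the address.</p>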
If the conditions are right, you can be caught out.</p> <p>I was just distracted and tired enough that I nearly fell for this, and by total chance the timing of the message was perfect for my circumstance. Suffice it to say, I will be even more paranoid from now on, and I hope you will be too!</p> <p>If you&rsquo;re using 1Password already and want to improve your personal security, running a <a href="https://support.1password.com/watchtower/">Watchtower report</a> is a great place to start. You can also keep your credit cards in 1Password, and a great tip that I got from a colleague is to add the <a href="https://support.1password.com/custom-fields/">emergency number on the back of the card to the item in 1Password</a> – that way, if your card is lost, you can still easily cancel it.</p> <section class="c-call-to-action-box c-call-to-action-box--yellow"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Not using 1Password yet?</h3> <p class="c-call-to-action-box__text"> Increase your personal security by starting a 1Password membership today. 
</p> <a href="https://1password.com/pricing/" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--yellow" data-event-category="CTA" data-event-action="call-to-action-button"> Get 14 days FREE </a> </div> </section></description></item><item><title>773 million records added to Watchtower after Collection #1 data breach</title><link>https://blog.1password.com/773-million-collection-1/</link><pubDate>Wed, 16 Jan 2019 00:00:00 +0000</pubDate><author>info@1password.com (Matt Davey)</author><guid>https://blog.1password.com/773-million-collection-1/</guid><description> <img src='https://blog.1password.com/posts/2019/hibp-collection1/header.png' class='webfeedsFeaturedVisual' alt='773 million records added to Watchtower after Collection #1 data breach' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Earlier today, security researcher Troy Hunt <a href="https://www.troyhunt.com/the-773-million-record-collection-1-data-reach/">announced the Collection #1 data breach</a> and updated Have I Been Pwned with over 773 million new compromised logins. These are now available in Watchtower, so you can check if you&rsquo;ve been affected by the breach right from 1Password.</p> <h2 id="what-is-the-collection-1-data-breach">What is the Collection #1 data breach?</h2> <p>Collection #1 consists of over 1 billion username and password combinations, taken from individual data breaches on thousands of different websites. 
The data has been circulating on the dark web and hacker forums and is the single largest breach to ever be added to <a href="https://1password.com/haveibeenpwned/">Have I Been Pwned</a> and Watchtower.</p> <p>Collection #1 contains:</p> <ul> <li>1,160,253,228 unique combinations of email address and password</li> <li>773,138,449 unique email addresses</li> <li>21,222,975 unique passwords</li> </ul> <p>Around 140 million email addresses in this breach had never appeared in Have I Been Pwned before.</p> <h2 id="what-do-attackers-want-with-this-data">What do attackers want with this data?</h2> <p>Attackers use bots to replay the email address and password pairs stolen in one breach against many other websites, hoping the same credentials unlock accounts there. This is known as <a href="https://blog.1password.com/how-to-protect-yourself-from-password-reuse-attacks/">credential stuffing</a> and is why password reuse is such a security risk. When one account is breached, hackers have access to any other account that uses the same email address and password combination.</p> <blockquote> <h2 id="1passwords-integration-with-have-i-been-pwned-makes-it-simple-for-people-to-check-to-see-if-they-are-at-risk--jeff-shiner-ceo">1Password&rsquo;s integration with Have I Been Pwned makes it simple for people to check to see if they are at risk. 
— Jeff Shiner, CEO</h2> </blockquote> <!-- raw HTML omitted --> <img src='https://blog.1password.com/posts/2019/hibp-collection1/dashboard.png' alt='watchtower dash' title='watchtower dash' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <h2 id="what-should-i-do-now">What should I do now?</h2> <p>To see if you’ve been affected by the Collection #1 data breach, sign in to your account on 1Password.com, select your vault, and click Watchtower in the sidebar.</p> <p>Watchtower automatically checks the logins you store in 1Password and tells you which passwords have been compromised, which have been used elsewhere, and which aren’t very strong.</p> <p>If you&rsquo;re affected by this breach, change your password on any affected site to something strong and unique.</p> <section class="c-call-to-action-box"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Sign up for 14 days free!</h3> <p class="c-call-to-action-box__text"> If you don't have a 1Password membership, start a free 14-day trial to get started. 
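<p>The Watchtower check described above is built on Have I Been Pwned's Pwned Passwords range API, which lets a client learn whether a password has appeared in a breach without sending the password: the client hashes it with SHA-1, sends only the first five hex characters of the hash, and compares the returned list of hash suffixes locally. The following added example (not 1Password's code; how 1Password itself talks to the service is not described in this post) walks through that exchange. The range response embedded in it is constructed and heavily truncated so the code runs offline; the real endpoint returns every suffix in the bucket, typically several hundred lines, and the counts shown are made up.</p>

```python
"""Added example: the k-anonymity range lookup behind breached-password checks.

Not 1Password code. Only the first five hex characters of the SHA-1 hash ever
leave the machine; the full hash and the password do not.
"""
from __future__ import annotations

import hashlib
from typing import Callable
from urllib.request import urlopen

PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/{prefix}"

# Constructed stand-in for a range response, keyed by the 5-character prefix.
# Real responses hold every suffix in the bucket (hundreds of lines), one
# "SUFFIX:COUNT" per line. Every count below is made up for the example.
FAKE_RANGE_RESPONSES = {
    "5BAA6": (
        "0003A9B1E0D64F2F4D8E1C1B6B3E5F5A6C7:2\r\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\r\n"
        "FFFD5E9C3D2B1A0F9E8D7C6B5A4F3E2D1C0:1\r\n"
    ),
}


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(password: str) -> tuple[str, str]:
    """Return (prefix sent to the server, suffix that stays on the client)."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict; tolerant of blank lines and CRLF."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """How many times the password appears in the corpus (0 = absent from its bucket)."""
    prefix, suffix = split_hash(password)
    bucket = parse_range_response(fetch_range(prefix))
    return bucket.get(suffix, 0)


def fake_fetch_range(prefix: str) -> str:
    """Offline stand-in for the API: unknown prefixes get an empty bucket."""
    return FAKE_RANGE_RESPONSES.get(prefix, "")


def live_fetch_range(prefix: str, timeout: float = 10.0) -> str:
    """Real lookup; only the 5-character prefix goes on the wire."""
    with urlopen(PWNED_RANGE_URL.format(prefix=prefix), timeout=timeout) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        prefix, _ = split_hash(candidate)
        seen = pwned_count(candidate, fake_fetch_range)
        print(f"{candidate!r}: sent prefix {prefix}, seen {seen} times in the constructed bucket")
```

<p>Swap fake_fetch_range for live_fetch_range to query the real service. Because the server only ever sees a five-character prefix shared by hundreds of unrelated hashes, it cannot tell which password you were checking, which is what makes it safe to run this against every login in a vault.</p>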
</p> <a href="https://1password.com/pricing/" class="c-call-to-action-box__link-href" data-event-category="CTA" data-event-action="call-to-action-button"> Get secured today </a> </div> </section></description></item><item><title>Good password security: the perfect New Year’s resolution for your business and employees</title><link>https://blog.1password.com/good-password-security-free-family-accounts/</link><pubDate>Wed, 09 Jan 2019 16:00:00 +0000</pubDate><author>info@1password.com (Matt Davey)</author><guid>https://blog.1password.com/good-password-security-free-family-accounts/</guid><description> <img src='https://blog.1password.com/posts/2019/family-accounts-free/header.png' class='webfeedsFeaturedVisual' alt='Good password security: the perfect New Year’s resolution for your business and employees' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">The New Year&rsquo;s resolutions we stick to have a few things in common: they&rsquo;re realistic, focused, and have clear benefits. That&rsquo;s why improving company-wide password habits is a great resolution for 2019.</p> <p>According to the <a href="https://www.verizonenterprise.com/resources/reports/rp_DBIR_2018_Report_en_xg.pdf">most recent data from Verizon</a>, over 70% of employees reuse passwords at work. The report also finds a staggering 81% of hacking-related breaches used stolen or weak passwords. A security breach of your own wouldn&rsquo;t be a great start to the year, especially if you know it could have been avoided.</p> <img src='https://blog.1password.com/posts/2019/family-accounts-free/50-per-user.png' alt='worth $50 per user' title='worth $50 per user' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p><a href="https://1password.com/business/">1Password Business</a> makes improving password habits an easy resolution for you and your employees to keep, both at work and at home. 
You get a password solution for your entire business — complete with advanced access controls and <a href="https://support.1password.com/watchtower/">Watchtower</a> breach monitoring — that’s compliant with the most stringent industry standards.</p> <p>When your employees are practicing good password habits at home, they are far more likely to practice them at work. The beginning of the year is the perfect time to roll out a password manager — many employees will already be in the right mindset for making changes, committing to new things, and improving their day-to-day lives.</p> <blockquote> <h2 id="with-your-1password-business-account-every-employee-gets-a-free-1password-families-membership">With your 1Password Business account, every employee gets a free 1Password Families membership.</h2> </blockquote> <p>Using 1Password will quickly become second nature — and unlike most New Year&rsquo;s resolutions, this one will actually save you time, even from the start.</p> <section class="c-call-to-action-box"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Sign up for 14 days free!</h3> <p class="c-call-to-action-box__text"> If you're not already set up with 1Password Business, you can get started for free today. </p> <a href="https://1password.com/business-pricing/" class="c-call-to-action-box__link-href" data-event-category="CTA" data-event-action="call-to-action-button"> Try 1Password FREE </a> </div> </section> <p>If you&rsquo;re already using 1Password Business and want to remind employees about their free family accounts, we have some great materials for you to send around:</p> <ul> <li> <p><a href="https://support.1password.com/link-family/">How to link a family account to your business account</a></p> </li> <li> <p><a href="https://support.1password.com/multiple-accounts/">How to use multiple accounts</a></p> </li> <li> <p><a href="https://support.1password.com/add-account/">How to add your 
1Password account to the apps</a></p> </li> </ul> <p>&hellip;and if your company is anything like ours, no email is complete without a GIF.</p> <p> <video class="round shadow" style="display: block; margin: auto; padding: 0;" autoplay='true' muted='true' loop="loop" playsinline="" width="100%" alt='man rubbing temples' controls> <source src="https://blog.1password.com/posts/2019/family-accounts-free/giphy.mp4" type="video/mp4" /> </video> </p> <section class="c-call-to-action-box"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Get more security tips</h3> <p class="c-call-to-action-box__text"> Subscribe to our business security newsletter and get advice on running a secure, productive workplace delivered directly to your inbox. </p> <form method="POST" class="oneline" accept-charset="UTF-8" action="https://flow.1passwordservices.com/api/v1/lead" data-event-category="Newsletter" data-event-action="form-newsletter" id="newsletterForm"> <div id="hidden-fields"> <input type="hidden" name="formSubmitted" value="Newsletter"> <input type="hidden" name="formId" value="c100b28e-6493-493f-b325-6a7f8b3cbb89"> </div> <input type="email" class="c-call-to-action-box__newsletter-email" name="email" placeholder="" required /> <input class="c-call-to-action-box__newsletter-button" type="submit" value="Sign up"> </form> <div class="c-call-to-action-box__text"> By signing up you agree to receive emails about the latest 1Password announcements, product updates, and events. <a class="c-newsletter-signup-form__gdpr--link" href="https://www.1password.co/email-preferences.html">Unsubscribe</a> any time. You also agree to our <a class="c-newsletter-signup-form__gdpr--link" href="https://1password.com/legal/terms-of-service/">terms of service</a> and <a class="c-newsletter-signup-form__gdpr--link" href="https://1password.com/legal/privacy/">privacy policy</a>. 
</div> </div> </section></description></item><item><title>1Password 7.3 for Windows - More polished than ever</title><link>https://blog.1password.com/1password-7-3-for-windows-more-polished-than-ever/</link><pubDate>Wed, 09 Jan 2019 10:00:00 +0000</pubDate><author>info@1password.com (Oliver Haslam)</author><guid>https://blog.1password.com/1password-7-3-for-windows-more-polished-than-ever/</guid><description> <img src='https://blog.1password.com/posts/2019/opw73/header.png' class='webfeedsFeaturedVisual' alt='1Password 7.3 for Windows - More polished than ever' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">When we <a href="https://blog.1password.com/introducing-1password-7.3-beta-for-windows/">said this release was just around the corner</a>, we weren&rsquo;t kidding! After some great work by the team over the last few weeks, 1Password 7.3 for Windows is ready, and you can download it now. There&rsquo;s a lot to enjoy with this release, and we hope you love it as much as we do.</p> <p>With 1Password 7.3 for Windows, our teams have made some huge changes to the way the app looks and works. We&rsquo;ve taken the 1Password that you all know and love and then supercharged it. 
With this update installed, you&rsquo;re getting the best version of 1Password that Windows has ever seen.</p> <p>There&rsquo;s so much to share that we&rsquo;re just going to jump right in, and as ever the full rundown of what has changed under the hood can be found in <a href="https://app-updates.agilebits.com/product_history/OPW6">our release notes</a>.</p> <img src='https://blog.1password.com/posts/2019/opw73/secure-desktop.gif' alt='Secure Desktop in 1Password 7.3 for Windows' title='Secure Desktop in 1Password 7.3 for Windows' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <h2 id="watchtower-and-security">Watchtower and security</h2> <p>Security is always at the forefront of everything we do at 1Password, and we never miss an opportunity to make it easier for you to stay secure, too. To that end we&rsquo;ve added support for Secure Desktop, giving you the option of unlocking 1Password in an isolated desktop environment. The unlock screen is shown on a separate Windows desktop, the same mechanism UAC prompts use, so ordinary apps and user-mode keyloggers running on your regular desktop can&rsquo;t see what you type. It isn&rsquo;t a defense against malware running with kernel privileges, so it complements, rather than replaces, keeping your system clean and patched.</p> <p>We&rsquo;ve made changes to how Watchtower banners keep you safe, too. 1Password now ranks Watchtower banners by their severity, helping those items at the greatest risk stand out from the crowd. Banners can now also be collapsed, making items easier to read and use.</p> <h2 id="security-never-looked-so-good">Security never looked so good</h2> <img src='https://blog.1password.com/posts/2019/opw73/new-item-detail.gif' alt='UI Improvements for item details' title='UI Improvements for item details' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>We think that a great-looking app is one you&rsquo;ll keep coming back to, and 1Password is no different. We&rsquo;ve made changes throughout this release to make 1Password look better than ever. Everything is more colorful, more sleek, and more polished to help make passwords fun. 
You&rsquo;ll notice that passwords now have colorful characters to help differentiate them, and right beside your password is a new, more color-filled password strength indicator. Fantastic passwords are green, and poor passwords are red – who doesn&rsquo;t love a traffic light system?</p> <p>Continuing the polishing process, 1Password 7.3 will identify the type of credit card based on just the first few numbers you enter. That means not only can we format those numbers for easier reading, but the default card images used are now more representative of the real-world card, too. Amex cards now look like real Amex cards and Visa cards now look like Visa cards, making it easier than ever to identify a card at a glance.</p> <img src='https://blog.1password.com/posts/2019/opw73/old-new.gif' alt='7.2 to 7.3 Improvements' title='7.2 to 7.3 Improvements' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>Rounding things out, 1Password templates now speak your language for all item types. No matter the template, no matter the item.</p> <h2 id="the-keyboard-shortcut-to-our-heart">The (keyboard) shortcut to our heart</h2> <p>When you&rsquo;re in the thick of things, keyboard shortcuts are <em>the</em> way to reduce friction. We wanted to make 1Password available when you need it without it getting in your way, so we&rsquo;ve revamped keyboard shortcuts with 1Password 7.3. Those who like to take full control can now customize their shortcuts, or even disable them. We&rsquo;ve made shortcuts even more reliable for our international users, too.</p> <img src='https://blog.1password.com/posts/2019/opw73/quick-copy.gif' alt='Quick copy in 1Password mini' title='Quick copy in 1Password mini' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>1Password Mini has now gained support for the Quick Copy menu, and can be accessed via the shortcut (Control + Shift + C). 
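<p>Back to the credit card detection described a few paragraphs up: recognizing a card from its first few digits works because the leading digits are the issuer identification number (IIN), which is also why the SMS phishing post earlier in this feed could point out that quoting 4536 proves nothing about the recipient. The following is an added example, not 1Password's code: it maps a prefix to a brand using the published ranges for four major networks, validates the full number with the Luhn checksum, and groups the digits the way the matching card is printed (4-6-5 for Amex, 4-4-4-4 for the rest). The numbers in the demo are the standard publicly documented test numbers, not real cards, and a production implementation would use a maintained BIN table rather than four regular expressions.</p>

```python
"""Added example: identify a card brand from its leading digits, then Luhn-check it.

Not 1Password code. The prefix ranges are the public IIN ranges for four
networks; a production implementation uses a maintained BIN table.
"""
from __future__ import annotations

import re

# (brand, regex over the leading digits, print grouping)
BRAND_RULES = (
    ("American Express", re.compile(r"^3[47]"), (4, 6, 5)),
    ("Visa", re.compile(r"^4"), (4, 4, 4, 4)),
    # Mastercard: 51-55 plus the 2221-2720 range added in 2017.
    ("Mastercard", re.compile(r"^(5[1-5]|222[1-9]|22[3-9]\d|2[3-6]\d\d|27[01]\d|2720)"), (4, 4, 4, 4)),
    ("Discover", re.compile(r"^(6011|65|64[4-9])"), (4, 4, 4, 4)),
)


def digits_only(number: str) -> str:
    """Strip spaces, dashes and anything else a person might type between digits."""
    return re.sub(r"\D", "", number)


def identify_brand(number: str) -> str | None:
    """Brand name for the leading digits, or None if no rule matches."""
    digits = digits_only(number)
    for brand, pattern, _ in BRAND_RULES:
        if pattern.match(digits):
            return brand
    return None


def luhn_valid(number: str) -> bool:
    """Luhn checksum: from the right, double every second digit, subtract 9 if over 9."""
    digits = [int(c) for c in digits_only(number)]
    if len(digits) not in range(12, 20):
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def format_number(number: str) -> str:
    """Group digits as the identified brand prints them; unknown brands get 4-4-4-4."""
    digits = digits_only(number)
    grouping = (4, 4, 4, 4)
    for _, pattern, groups in BRAND_RULES:
        if pattern.match(digits):
            grouping = groups
            break
    parts, pos = [], 0
    for size in grouping:
        if pos >= len(digits):
            break
        parts.append(digits[pos:pos + size])
        pos += size
    if len(digits) > pos:           # 19-digit numbers: keep the tail as one group
        parts.append(digits[pos:])
    return " ".join(parts)


def inspect_card(number: str) -> dict:
    """Everything the UI needs to render a card item: brand, validity, display form."""
    return {
        "brand": identify_brand(number),
        "luhn_valid": luhn_valid(number),
        "formatted": format_number(number),
    }


if __name__ == "__main__":
    # Standard test numbers published by the card networks and payment processors.
    for sample in ("4111 1111 1111 1111", "378282246310005", "5555555555554444",
                   "2223003122003222", "6011111111111117", "4111 1111 1111 1112"):
        print(sample, "->", inspect_card(sample))
    # The phishing SMS quoted 4536: that prefix says "Visa" and nothing more.
    print("4536 ->", identify_brand("4536"))
```

<p>The Luhn check only catches typos and obviously fabricated numbers; it is not a security control, and a number that passes it is not thereby real. The brand lookup is what lets a UI choose a card image and grouping after four to six digits, long before the whole number has been typed.</p>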
Once open, the menu offers up options to copy an item&rsquo;s username, password, or even one-time password for those websites that support them.</p> <h2 id="and-much-much-more">And much, much more</h2> <p>There is of course much more to look forward to with 1Password 7.3, including a brand new installer. 1Password is now even more responsive when starting, which means using the app is now slicker than ever before. Couple that with more than 100 additional improvements that have been made and we think you&rsquo;ll agree that this is a huge update.</p> <p>You can <a href="https://1password.com/downloads/windows/">download the monster 1Password 7.3 update</a> and take it for a spin right now, and please let us know how you find it over in the <a href="https://1password.community/categories/1password-for-windows">1Password for Windows support forum</a>.</p></description></item><item><title>Introducing 1Password 7.3 Beta for Windows</title><link>https://blog.1password.com/introducing-1password-7.3-beta-for-windows/</link><pubDate>Thu, 20 Dec 2018 00:00:00 +0000</pubDate><author>info@1password.com (Oliver Haslam)</author><guid>https://blog.1password.com/introducing-1password-7.3-beta-for-windows/</guid><description> <img src='https://blog.1password.com/posts/2018/opw-7.3.602beta/header.png' class='webfeedsFeaturedVisual' alt='Introducing 1Password 7.3 Beta for Windows' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">1Password 7.3 for Windows is around the corner, and you can help us get it ready. There&rsquo;s lots to look forward to, and we&rsquo;re sure you&rsquo;ll agree that this is the best 1Password that Windows has ever seen.</p> <p>We&rsquo;ve been working on this update for some time, and we want to make sure that it&rsquo;s as awesome as can be. 
That means we&rsquo;re still a few weeks away from the release of 1Password 7.3 for Windows, but if you want to test the waters and help us create something awesome, you can <a href="https://app-updates.agilebits.com/product_history/OPW6#beta">download the latest beta release</a> right now.</p> <p>Whenever you <a href="https://1password.com/downloads/windows/">download 1Password</a> 7.3 for Windows — beta or otherwise — you&rsquo;re going to see plenty of changes this time around. They all build on the strong foundations that 1Password 7 gave us earlier this year, and we wanted to give you a quick sneak peek of what you can expect.</p> <p>We think that you&rsquo;re going to love 1Password 7.3 for Windows, and here&rsquo;s why.</p> <h2 id="1password-gains-its-own-desktop">1Password gains its own desktop</h2> <p>Now 1Password is even safer with the addition of &ldquo;Unlock using Secure Desktop.&rdquo; 1Password can now be unlocked in its own secure desktop, with no other apps active alongside it. This helps to prevent keyloggers from capturing anything you type.</p> <h2 id="a-whole-new-installer">A whole new installer</h2> <p>We&rsquo;ve greased just the right wheels to make sure no one ever sees &ldquo;File in use&rdquo; again. Our new installer gives us more flexibility when it comes to how 1Password is installed and will prevent any false positives from security solutions, too.</p> <h2 id="templates-now-speak-your-language">Templates now speak your language</h2> <p>1Password 7.3 for Windows uses localizations for all item templates. 
That means that all of your item templates will be in your own language, including all new items you create.</p> <img src='https://blog.1password.com/posts/2018/opw-7.3.602beta/templates-speak-your-language.png' alt='Templates in multiple languages' title='Templates in multiple languages' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <h2 id="improved-stability-and-performance">Improved stability and performance</h2> <p>Sometimes it&rsquo;s the intangibles that make all the difference, and performance is a great example of that. Everyone wants their apps to be responsive and immediately available. We couldn&rsquo;t agree more, and now 1Password 7.3 for Windows is faster and more stable than ever.</p> <h2 id="watchtower-is-now-stronger-taller-and-more-watchful">Watchtower is now stronger, taller, and more watchful</h2> <p>Watchtower is often the unsung hero of 1Password, but it gets the love it deserves in this release. Now, 1Password ranks Watchtower banners by their severity, meaning those items at the greatest risk will now be easier to spot, helping you see the wood through the trees.</p> <h2 id="faster-and-more-reliable-sync-for-standalone-vaults">Faster and more reliable sync for standalone vaults</h2> <p>Great news, with 1Password 7.3 for Windows, sync is now faster, smarter, and improved on all fronts. It&rsquo;s plain sailing from here on out for all of you rocking standalone vaults.</p> <h2 id="tweaks-as-far-as-the-eye-can-see">Tweaks as far as the eye can see</h2> <p>This is just the tip of the 1Password iceberg, and there are many more improvements that have gone into this release, with even more to come. 1Password 7.3 for Windows is a huge update for us, and you can check out the <a href="https://app-updates.agilebits.com/product_history/OPW6#beta">full release notes</a> for all the details. 
The overarching theme is a simple one — 1Password 7.3 for Windows is the same 1Password you know and love, but so much better.</p> <h2 id="get-it-now">Get it now</h2> <p>Just like any other big software update, we need your help to make sure that 1Password 7.3 for Windows is as great as it can be. You can download the beta and put it through its paces. If you run into anything we should know about, <a href="https://1password.community/categories/windows-beta">hit us up in the 1Password Support forum</a>. We&rsquo;d love to hear your feedback!</p></description></item><item><title>Improve your team’s security in 2019 with our next webinar</title><link>https://blog.1password.com/improve-your-teams-security-in-2019-with-our-next-webinar/</link><pubDate>Tue, 18 Dec 2018 00:00:00 +0000</pubDate><author>info@1password.com (Lisa Verheul)</author><guid>https://blog.1password.com/improve-your-teams-security-in-2019-with-our-next-webinar/</guid><description> <img src='https://blog.1password.com/posts/2018/admin-webinar/header.png' class='webfeedsFeaturedVisual' alt='Improve your team’s security in 2019 with our next webinar' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Start 2019 with the goal of improving your team&rsquo;s security habits. Rolling out 1Password is one of the best ways to achieve that result. Our next webinar will help you get started.</p> <p>On <strong>January 15</strong> at <strong>2 p.m. EST</strong>, we&rsquo;re hosting a webinar to help administrators get started with 1Password. 
If you&rsquo;re looking to set up 1Password for your team, have just been appointed as a team administrator, or simply need a refresher, this webinar is for you.</p> <p>In this webinar, we&rsquo;ll show you how to:</p> <ul> <li>Invite people to your team</li> <li>Share data and manage permissions</li> <li>Create and manage groups</li> </ul> <p>We&rsquo;ll also have time for a Q&amp;A session at the end to answer all your questions about 1Password Teams and <a href="https://1password.com/business/">1Password Business</a>.</p> <p>To receive notifications of future webinars, <a href="https://1password.com/webinars/">sign up for the mailing list</a>.</p> <p><em><strong>(Editor&rsquo;s note: This webinar is no longer available.)</strong></em></p></description></item><item><title>Does Australia's access and assistance law impact 1Password?</title><link>https://blog.1password.com/does-australias-access-and-assistance-law-impact-1password/</link><pubDate>Tue, 11 Dec 2018 00:00:00 +0000</pubDate><author>info@1password.com (Jeffrey Goldberg)</author><guid>https://blog.1password.com/does-australias-access-and-assistance-law-impact-1password/</guid><description> <img src='https://blog.1password.com/posts/2018/aabill/header.png' class='webfeedsFeaturedVisual' alt='Does Australia's access and assistance law impact 1Password?' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Australia recently passed the so-called Assistance and Access Act. This law (correctly) <a href="https://www.eff.org/deeplinks/2018/12/new-fight-online-privacy-and-security-australia-falls-what-happens-next">has many digital security and privacy experts worried</a>. 
We&rsquo;d like to offer some preliminary remarks on how it may impact the privacy and security of 1Password customers and how it may affect the way we work.</p> <p>Even at this early stage we can remind everyone that we do not currently, and will not introduce back doors into our products, and we will continue to operate in a way that would make it difficult for a back door to be inserted.</p> <p>Our remarks on the Assistance and Access Act (discussed under the hashtag #aaBill) must be preliminary at this point. There is a great deal of vagueness in the law in its current form, and we do not know how it will be interpreted and used when it goes into effect. Nonetheless there are a number of things that we can clearly (re)state now.</p> <h2 id="we-dont-like-back-doors">We don&rsquo;t like back doors</h2> <p>A back door is a deliberate and hidden weakness in a system that is designed to allow certain people to bypass the security of the system. We have argued on multiple occasions that not only do back doors weaken security for everyone, but that a system in which a back door can (easily) be inserted is inherently weaker than a system in which a back door cannot (easily) be inserted.</p> <p>This fact plays an important role in the design of 1Password and in how we build it. It is not that we are particularly worried about government-compelled back doors in practice. Instead, it is just a consequence of good security practices. The goal is not to specifically deny government lawful access; instead the goal is to protect people from criminal access, malicious insiders, accidental information disclosure, and a host of other things people have the right to be protected from. 
We are not trying to protect criminals from prosecution; we are trying to protect our customers from criminals.</p> <p>It is impossible to offer 100% guarantees against insider attacks, but <a href="https://blog.1password.com/1password-and-the-crypto-wars/">as we wrote five years ago</a> (and recently updated), we do a number of things that make it substantially harder for back doors to be inserted into 1Password without detection. There is always room for improvement, and that improvement is an ongoing process.</p> <h2 id="compelled-insider-attackers">Compelled insider attackers</h2> <p><strong>Correction 14 December, 2018:</strong> <em>My commentary below appears to be based on a misunderstanding of the law. The law, as passed, does not appear to authorize the government to compel an employee to surreptitiously work against our interests and without our knowledge. As always, the precise interpretation of the law will be determined by practice and courts, and so no one truly knows what it will mean. However, my error was large enough that it does need correction. <a href="https://twitter.com/stilgherrian">Stilgherrian</a> has written a <a href="https://www.zdnet.com/article/whats-actually-in-australias-encryption-laws-everything-you-need-to-know/" title="ZDnet: What's Actually in Australia's Encryption Laws">good discussion clarifying #aaBill</a>.</em></p> <p>One of the most disturbing things about the Assistance and Access Act is that it apparently <del>authorizes the Australian government to compel someone subject to its laws to surreptitiously take actions that harm our customers’ privacy and security without revealing that to us.</del> Would an Australian employee of 1Password be forced to lie to us and do something that we would definitely object to?</p> <p>We do not, at this point, know whether it will be necessary or useful to place extra monitoring on people working for 1Password who may be subject to Australian laws. 
Our existing security and privacy design and internal controls may well be sufficient without adding additional controls on our people in Australia. Nor do we yet know to what extent we should consider Australian nationality in hiring decisions. It may be a long time before any such internal policies and practices go into place, if they ever do, but these are discussions we have been forced to have.</p> <p>Despite those considerations and discussions, our primary response and tactic is to continue to make it hard for anyone, whether inside or outside of 1Password, to harm customers’ security and privacy. That is what we do to protect our customers from any adversary, and that is what we will continue to do.</p></description></item><item><title>Cyber Hotel Business Hack</title><link>https://blog.1password.com/cyber-hotel-business-hack/</link><pubDate>Mon, 10 Dec 2018 00:00:00 +0000</pubDate><author>info@1password.com (Sarah Brown)</author><guid>https://blog.1password.com/cyber-hotel-business-hack/</guid><description> <img src='https://blog.1password.com/posts/2018/rbm-7-review/header.png' class='webfeedsFeaturedVisual' alt='Cyber Hotel Business Hack' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Random but Memorable is back with an episode full of a new Watchtower Weekly, customer questions, and even a chat with Charles Arthur, author of <a href="https://www.koganpage.com/product/cyber-wars-9780749482008">Cyber Wars: Hacks that Shocked the Business World</a>.</p> <div class="c-simplecast-embed"> <iframe class="c-simplecast-embed__iframe" title="1Password Random but Memorable Podcast" width="100%" frameborder="no" scrolling="no" seamless src="https://player.simplecast.com/dde01a21-68a6-4165-b99e-7b6976ddc1e5?dark=false"></iframe> </div> <p>Watchtower Weekly talked briefly about the Marriott breach, which potentially impacts nearly 500 million Marriott and Starwood customers. 
Data exposure can always leave you vulnerable, so it’s a good idea to take Marriott up on their offer for a <a href="https://news.marriott.com/news/2018/11/30/marriott-announces-starwood-guest-reservation-database-security-incident#:~:text=Free%20WebWatcher%20Enrollment">free year of WebWatcher</a> to monitor your information. They also brought up a rather <a href="https://www.forbes.com/sites/lianeyvkoff/2018/11/16/a-tesla-owner-complains-to-customer-service-gets-more-than-he-bargained-for/">embarrassing incident for Tesla</a> in which a disgruntled customer complaining to their customer support forum got more than he bargained for. Instead of just an answer, a support agent ended up giving him administrative permissions for the entire forum! That&rsquo;s right, he was granted full access to the entire forum. There’s going above and beyond to help your users, and then there’s giving them the ability to not only edit and delete any post but also view the full profile information of every single user. Including Elon Musk.</p> <p>And according to this week’s guest, that sort of thing isn’t as uncommon as you’d like to believe. Matt and Roo talked to Charles about the research he did for his book, which included studying a number of older hacks against large companies and organizations.</p> <p>With how fast technology moves I would think studying older hacks wouldn’t be useful, so I was surprised to learn that’s not exactly the case. Older hacks have a lot to teach people, both in how to prevent hackers from accessing your information as well as what sort of information and organizations may be most vulnerable.</p> <p>Charles covered the <a href="https://www.washingtonpost.com/news/the-switch/wp/2014/12/18/the-sony-pictures-hack-explained/?utm_term=.406c8af8f45f">Sony Pictures hack</a> from 2014 which I was familiar with and I remember the impact it had on Hollywood when that hack exposed pay gap information between lead actors and actresses. 
I was fascinated to hear Charles talk about how these corporate hacks can expose how complacent companies can be with their security. As companies like Sony grow, new security requirements come into play that can be difficult to implement. And as they are primarily an entertainment company, it may come as no surprise that security was not their first instinct. But what was surprising to me is that they’d already been attacked at least once before on the PlayStation side of the business, but hadn’t learned their lesson.</p> <p>The best part? It turns out that the November 2014 leak revealed a deep structural failure at Sony. There was a file with plain text passwords simply labeled “passwords”. Doesn’t take much digging to crack that code.</p> <p>These stories really do feel like modern-day parables for businesses, showing how even companies that have been hacked can fool themselves into thinking everything is okay. When in reality they are just as vulnerable. And while those parables may be applicable to a larger scale business, I know that I often fall into that trap myself.</p> <p>This week’s user question was a great one and one I’m ashamed I haven’t asked before: if you give a PDF app access to your cloud drive, would they be able to rifle through everything else stored there? The short, but scary answer is, yes. So it’s a good idea to be very careful about what applications you give permissions to and to do your research before blindly clicking “allow access”. Which means I have some research to do before de-authorizing some third-party applications.</p> <p>As always, they ended the episode trying to see who could most accurately pronounce a place sent in by Twitter user @toonetown: Tooele. Who was closest? 
You’ll have to listen to find out!</p> <p>If you’d like to see your question answered on the show you can tweet us <a href="https://twitter.com/1Password">@1Password</a> using the <a href="https://twitter.com/search?q=%23ask1password">#ask1Password</a> hashtag.</p> <p>If you haven’t been listening to the podcast, you don’t know what you’re missing! Check out the current episode <a href="https://randombutmemorable.simplecast.com/episodes/05-immutable-australian-future-wave-fa5e5c25">here</a> and subscribe in <a href="https://overcast.fm/itunes1435486599/random-but-memorable">Overcast</a>, <a href="https://pca.st/43AW">Pocket Casts</a>, or <a href="https://podcasts.apple.com/gb/podcast/random-but-memorable/id1435486599?mt=2">iTunes</a> to make sure you don’t miss a single episode.</p></description></item><item><title>Better, faster, stronger - our new blog and how we made it</title><link>https://blog.1password.com/better-faster-stronger-our-new-blog-and-how-we-made-it/</link><pubDate>Tue, 04 Dec 2018 00:00:00 +0000</pubDate><author>info@1password.com (Jasper Patterson)</author><guid>https://blog.1password.com/better-faster-stronger-our-new-blog-and-how-we-made-it/</guid><description> <img src='https://blog.1password.com/posts/2018/new-blog/header.png' class='webfeedsFeaturedVisual' alt='Better, faster, stronger - our new blog and how we made it' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Welcome to our new blog! It&rsquo;s been re-built, re-designed, and moved to a new home on 1Password.com. It&rsquo;s the fastest and most efficient experience we can give readers and we really love it. 
Learn how we built it as a static, serverless site with Hugo and AWS.</p> <p>Our blog has seen many homes over the years, going all the way back to the <a href="https://www.switchersblog.com/">original one</a> nearly 13 years ago (which is impressively still live on the internet today).</p> <p>You may have already noticed the new blog you&rsquo;re reading on now as it&rsquo;s been around for a couple months, but today, we&rsquo;re happy to officially announce it! As well as the retirement of our previous one at blog.agilebits.com. Be sure to <a href="https://blog.1password.com/index.xml">subscribe via RSS</a> and follow us on <a href="https://twitter.com/1Password">Twitter</a> or <a href="https://www.facebook.com/1Password">Facebook</a> to stay up to date with our news, announcements, security tips, and all things 1Password.</p> <p>The previous blog was built with WordPress, which served us well for the past decade, but we figured we could do better and build something more lightweight, fast, and secure. And of course there&rsquo;s also new gorgeous design that not only matches the style of our other sites but looks all around amazing. I mean, look at that header artwork at the top of all the posts!</p> <h2 id="building-a-strong-foundation-with-hugo">Building a strong foundation with Hugo</h2> <p>We love using static sites for their performance, security, and simplicity. The entire site&rsquo;s content is created at build time. No server logic, no databases, just plain old HTML files.</p> <p>We chose <a href="https://gohugo.io">Hugo</a> a while ago for our main <a href="https://1password.com">1Password.com</a> site, so migrating our blog to it as well was a natural fit. The builds are quick, and it&rsquo;s easy to use, for both our developers and content writers. Each blog post is simply a Markdown file and it all lives in a GitLab project. 
Merge requests make for a perfect way to do content reviews.</p> <p>Hugo is a very active project, too – we&rsquo;ve been taking advantage of several of their recently added features like <a href="https://gohugo.io/hugo-pipes/scss-sass/">built-in SCSS processing</a>, and <a href="https://gohugo.io/hugo-pipes/fingerprint/">asset fingerprinting</a> which is useful for cache busting.</p> <h2 id="faster-performance-">Faster performance ⚡</h2> <p>Building something that loads super fast was essential to us. This is an area our previous WordPress blog certainly fell short on:</p> <img src='https://blog.1password.com/posts/2018/new-blog/lighthouse-audit-old.png' alt='Lighthouse audit results on old blog' title='Lighthouse audit results on old blog' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>Having a fully static site without the overhead of dynamically generating pages is a great start. Plus it allows 100% of the content that is loaded to be served by a content delivery network (CDN) which uses local caches near you to minimize network delays.</p> <p>Keeping the page size small is critical as well. Our home page now weighs just 800kb and uses less than 20 network requests, with much better results:</p> <img src='https://blog.1password.com/posts/2018/new-blog/lighthouse-audit-new.png' alt='Lighthouse audit results on new blog' title='Lighthouse audit results on new blog' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>These tests were performed with Google&rsquo;s new <a href="https://web.dev/measure/">Lighthouse audit tool</a>, which is a great way to see how your site is doing. It points out modern best practices you might not be following, such as image optimization, and minifying your CSS and JavaScript. 
If you run a website, I&rsquo;d highly recommend giving your site a test, you&rsquo;ll almost certainly learn some good tips.</p> <h2 id="stronger-security-">Stronger Security 🔒</h2> <p>Security is at the top of our minds in everything we do, and our blog is no exception.</p> <p>Using a first-party solution that&rsquo;s fully in our control is imperative, in addition to adhering to the same front-end security best practices we use with everything on 1Password.com, such as having a strict <a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP">Content Security Policy</a>. It&rsquo;s also extremely important to us for changes to be made in a trackable and reviewable manner (with Git), along with having a locked down deployment process.</p> <p>Going back to the benefits of static sites, there&rsquo;s a lot less that can go wrong with static HTML files versus a complex platform like WordPress.</p> <h2 id="serverless-infrastructure-">Serverless Infrastructure 🏗</h2> <p>The blog runs on a serverless setup with Amazon Web Services (AWS) taking advantage of several of their services.</p> <img src='https://blog.1password.com/posts/2018/new-blog/aws.png' alt='AWS infrastructure diagram' title='AWS infrastructure diagram' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>It starts with S3, short for Simple Storage Service, which is cloud file storage – this is where all the Hugo generated content lives. It&rsquo;s a perfect place for storing static resources and is very reliable with almost no downtime.</p> <p>On top of that is CloudFront, a content delivery network (CDN) that speeds up the serving of our content through a global network of edge locations. When you load the site, you&rsquo;ll get routed to an edge location near you which provides the lowest delay. 
It also handles extras like the custom domain, TLS, HTTP/2, and GZIP, all with no additional configuration.</p> <p>We also use <a href="https://docs.aws.amazon.com/lambda/latest/dg/lambda-edge.html">Lambda@Edge</a>, this is a newer AWS service that allows small snippets of code to run at the edge locations in response to CloudFront requests. When we tried to build a similar static site setup a few years ago, we were left wanting a few little server-side features like the ability to add HTTP headers and perform redirects/rewrites. The introduction of Lambda@Edge has solved that for us, allowing a static, serverless site but still lending a few pieces of functionality that would normally only be available with a traditional server.</p> <p>In addition to CloudFront providing support for HTTPS, AWS Certificate Manager makes issuing and managing your TLS certificate effortless, and it seamlessly integrates with CloudFront. <a href="https://web.dev/why-https-matters/">HTTPS is the future of the web</a> – every site should support it (even your blog). And if you&rsquo;re using AWS, there&rsquo;s really no excuse as they make it incredibly easy, and free.</p> <p>We manage all this with <a href="https://www.terraform.io">Terraform</a>, which is a tool for writing infrastructure setup as code. We&rsquo;ve talked previously about how we already use this for our 1Password.com service, I&rsquo;ll let you <a href="https://blog.1password.com/terraforming-1password/">check out that post</a> if you&rsquo;d like to learn more. For this project, Terraform made it simple to create an identical internal testing site for previewing posts before we publish them.</p> <h2 id="deployment-">Deployment 🚀</h2> <p>The final step was setting up automatic building and deployment of all this. 
We decided on GitLab CI, which is built right into GitLab projects.</p> <p>To run the CI build, you&rsquo;ll need a <a href="https://www.docker.com">Docker</a> container with your dependencies installed, such as Hugo, Terraform, AWS CLI, and Node. The same container also works perfectly for those who want to build it locally, all you need to install is Docker Desktop.</p> <p>Then it&rsquo;s as simple as adding a few commands to the <a href="https://docs.gitlab.com/ee/ci/yaml/">GitLab CI config file</a>. From there, it builds the site with Hugo, runs some <a href="https://en.wikipedia.org/wiki/Lint_%28software%29">linters</a> to make sure all content is as good as it can be, syncs the static files to S3, applies Terraform changes if needed, and creates a CloudFront invalidation.</p> <p>This happens with every commit – it deploys to our internal preview site, and then to production on every merge to master.</p> <img src='https://blog.1password.com/posts/2018/new-blog/gitlab-ci.png' alt='GitLab CI' title='GitLab CI' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <h2 id="beyond-the-blog">Beyond the blog</h2> <p>We&rsquo;re really happy with how this turned out and are now using this exact setup across many of our web properties, including the main <a href="https://1password.com">1Password.com</a> site and even <a href="https://watchtower.1password.com">Watchtower</a>. If working on this kind of stuff interests you, we&rsquo;re currently hiring a <a href="https://jobs.lever.co/1password">front-end web developer</a>.</p></description></item><item><title>Setting up 1Password at work? 
Our webinar can help</title><link>https://blog.1password.com/setting-up-1password-at-work-our-webinar-can-help/</link><pubDate>Wed, 28 Nov 2018 00:00:00 +0000</pubDate><author>info@1password.com (Lisa Verheul)</author><guid>https://blog.1password.com/setting-up-1password-at-work-our-webinar-can-help/</guid><description> <img src='https://blog.1password.com/posts/2018/webinars/header.png' class='webfeedsFeaturedVisual' alt='Setting up 1Password at work? Our webinar can help' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Rolling out new business software can be a challenge. Getting everything set up is one thing, but training your team to use it can be time-consuming if you don&rsquo;t have the right resources. Our new webinar takes the guesswork out of onboarding.</p> <p>At 1Password, we want to give you the tools you need for a successful deployment. If you’re an administrator looking for the best way to train your staff, we’re here to do some of the heavy lifting for you.</p> <p>On <strong>December 4</strong> at <strong>2 p.m. EST</strong>, we’re hosting our first webinar for team and business customers. This webinar is perfect for team members who are just getting started with 1Password or need a refresher.</p> <p>In this webinar, we’ll show you how to:</p> <ul> <li>Use 1Password.com to view and edit your passwords and other important information</li> <li>Set up the 1Password apps</li> <li>Save, fill, and change your passwords to make them more secure</li> </ul> <p>We’ll also have time for a Q&amp;A session at the end to answer all your burning questions about 1Password.</p> <section class="c-call-to-action-box"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Register for the webinar</h3> <p class="c-call-to-action-box__text"> Join the webinar on December 4 at 2 p.m. It's free, and we'd love to help you make the most of 1Password. 
</p> <a href="https://1password.com/webinars/" class="c-call-to-action-box__link-href" data-event-category="CTA" data-event-action="call-to-action-button"> Register now </a> </div> </section> <p>To receive notifications of future webinars, <a href="https://1password.com/webinars/">sign up to the mailing list</a>.</p></description></item><item><title>Special Thanksgiving presents from 1Password</title><link>https://blog.1password.com/special-thanksgiving-presents-from-1password/</link><pubDate>Tue, 20 Nov 2018 00:00:00 +0000</pubDate><author>info@1password.com (Dave Teare)</author><guid>https://blog.1password.com/special-thanksgiving-presents-from-1password/</guid><description> <img src='https://blog.1password.com/posts/2018/thanksgiving/header.png' class='webfeedsFeaturedVisual' alt='Special Thanksgiving presents from 1Password' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">The trees are turning colours and the smell of pumpkin pie is in the air. That can only mean one thing: Thanksgiving is almost here!</p> <img src='https://blog.1password.com/posts/2018/thanksgiving/monty.png' alt='Our 1Password friend, Monty' title='Our 1Password friend, Monty' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>I love this time of year for so many reasons but my favourite is being reminded of all the incredible things I have in my life. From a wonderful family to great friends to working at my dream job, I have a lot to be thankful for.</p> <p>All of this wouldn&rsquo;t be possible without awesome customers like you. Thank you for supporting us all these years! 
😘</p> <h2 id="give-a-free-year-of-1password">Give a free year of 1Password</h2> <p>This year I am giving you a gift for those special people in your life: give them the gift of security with a free year of 1Password and show them that you care.</p> <p>If you purchased 1Password 7 or have an active subscription into 2019, simply click this link to send your gift:</p> <p> <a href="https://www.1password.com/thanksgiving/" class="call-to-action thanksgiving"> Send your gift now </a> </p> <img src='https://blog.1password.com/posts/2018/thanksgiving/turkey.png' alt='Thanksgiving' title='Thanksgiving' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>Gifts can be sent to direct family members, extended family, friends, or someone who is doing good things in your community. Showing them that you care is sure to bring a smile to their faces.</p> <p>Thank you again for supporting us all these years. We literally wouldn&rsquo;t be here without you. ❤️</p> <p>P.S. One can never be too thankful, regardless of where you live. As a Canadian I personally enjoy celebrating twice a year as it gives me an extra opportunity to reflect on what I&rsquo;m most thankful for in life. That and the extra pumpkin pie. 🙂</p></description></item><item><title>Apps Love 1Password</title><link>https://blog.1password.com/apps-love-1password/</link><pubDate>Sun, 18 Nov 2018 00:00:00 +0000</pubDate><author>info@1password.com (Oliver Haslam)</author><guid>https://blog.1password.com/apps-love-1password/</guid><description> <img src='https://blog.1password.com/posts/2018/apps-love-1password/header.png' class='webfeedsFeaturedVisual' alt='Apps Love 1Password' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">People love using 1Password with their favorite apps. Other developers have integrated 1Password into their own apps because they were eager to offer their customers the very best experience. 
As developers ourselves, and people who use those apps, we can’t thank them enough for their work.</p> <p>Changes to the way iOS and Android handle password management and filling have given 1Password an opportunity to make password filling better than ever. It&rsquo;s never been easier to use strong, secure passwords for every website and app you use. With support for Authentication Services and <a href="https://1password.com/features/autofill/">Password AutoFill</a> in iOS 12 and the Autofill API in Android 8 (Oreo), 1Password is ready for the next step in our journey. And things will get even better as developers fully support all the new tools on offer.</p> <p>I&rsquo;ve been using the latest autofill features on iOS and Android, and they&rsquo;re brilliant. Entering passwords on a phone has never been easier. In fact, it&rsquo;s downright fun. I&rsquo;m a little bit in love with the work developers have already done to make our lives easier, and I&rsquo;m so happy that everyone can now enjoy these features, too.</p> <img src='https://blog.1password.com/posts/2018/apps-love-1password/platforms.png' alt='Icons for the Google Play Store and App Store' title='Icons for the Google Play Store and App Store' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <h2 id="developers-developers-developers">Developers, developers, developers!</h2> <p>Even though Apple and Google have improved things with recent software updates to iOS and Android, there&rsquo;s still work to be done by developers to make sure the experience is as great as possible. 
Adding support for the latest frameworks to your app means it will work great with 1Password, delighting your customers along the way.</p> <img src='https://blog.1password.com/posts/2018/apps-love-1password/we-love-apps.png' alt='1Password icon holding a sign reading &#39;We Love Apps&#39;' title='1Password icon holding a sign reading &#39;We Love Apps&#39;' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>If you&rsquo;re a developer, it&rsquo;s trivial to add support to your app:</p> <ul> <li><a href="https://developer.apple.com/documentation/xcode/supporting-associated-domains?language=objc">Optimize your iOS app for autofill</a></li> <li><a href="https://developer.android.com/guide/topics/text/autofill-optimize">Optimize your Android app for autofill</a></li> </ul> <p>Your customers will thank you, and so will we. Some trailblazing apps are already fully compliant with the new frameworks, and we want to highlight some of them.</p> <section class="c-call-to-action-box"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Tell us about your app</h3> <p class="c-call-to-action-box__text"> We’re starting off with three apps for both iOS and Android today, but we’ll be sharing more in the future. If you’re a developer, we’d love to know when your app is updated with support for the latest autofill features! </p> <a href="mailto:media&#43;appdone@agilebits.com" class="c-call-to-action-box__link-href" data-event-category="CTA" data-event-action="call-to-action-button"> Tell us about your app </a> </div> </section> <h2 id="ios-apps-with-enhanced-autofill">iOS apps with enhanced autofill</h2> <p>Signing in to an app that&rsquo;s optimized for autofill takes a simple tap. You don&rsquo;t have to hunt for the right password. 
It&rsquo;s ready and waiting for you when you need it.</p> <hr /> <section class="app-box ios"> <div class="details"> <h3>Evernote</h3> <p>They say that an elephant never forgets, and with <a href="https://apps.apple.com/us/app/evernote/id281796108" title="View Evernote on iOS AppStore">Evernote</a> neither will you. With notes that can effortlessly sync across multiple devices and platforms, if you need to remember or reference it later, Evernote is a great home for it whether you’re working alone or as part of a team.</p> </div> </section> <hr /> <section class="app-box ios orange"> <div class="details"> <h3>Fandango</h3> <p>Who doesn’t love going to the movies? <a href="https://apps.apple.com/us/app/fandango-movie-tickets-times/id307906541" title="View Fandango on iOS AppStore">Fandango</a> takes the pain out of booking movie tickets, showing the latest showtimes, Rotten Tomatoes scores, and even showing trailers, so you can be sure you’re picking the right movie to watch.</p> </div> </section> <hr /> <section class="app-box ios"> <div class="details"> <h3>Chase Mobile</h3> <p>Mobile banking is the only way to manage money in an always-connected world, and with the <a href="https://apps.apple.com/us/app/chase-mobile/id298867247" title="View Chase Mobile on iOS AppStore">Chase Mobile</a> app customers can pay bills, check balances, and transfer money securely from anywhere.</p> </div> </section> <h2 id="android-apps-with-enhanced-autofill">Android apps with enhanced autofill</h2> <p>These are just some of the apps that don&rsquo;t just look great but take password filling to the next level, too. No more searching for the right password. 
The apps know which one to suggest.</p> <hr /> <section class="app-box android"> <div class="details"> <h3>Expedia</h3> <p>With everything you need to be able to book your next vacation, <a href="https://play.google.com/store/apps/details?id=com.expedia.bookings" title="View Expedia on Google Play">Expedia</a> can take the stress out of planning it all. Whether you’re booking a hotel, a rental car, or a train ride everything can be found under the one roof with Expedia.</p> </div> </section> <hr /> <section class="app-box android"> <div class="details"> <h3>Starbucks</h3> <p>We’re big coffee lovers at 1Password, and we know many of you are, too. With the <a href="https://play.google.com/store/apps/details?id=com.starbucks.mobilecard" title="View Starbucks on Google Play">Starbucks</a> app, your next cup of coffee is easy to find thanks to its store locator. You can manage your Starbucks cards and pay in-store all from within the app.</p> </div> </section> <hr /> <section class="app-box android"> <div class="details"> <h3>Trello</h3> <p>Staying organized is no mean feat in an ever increasingly hectic world. <a href="https://play.google.com/store/apps/details?id=com.trello&hl=en" title="View Trello on Google Play">Trello</a> makes it look easy, whether you’re working with a team or just planning your grocery shopping. It’s never been easier to stay organized while on the go.</p> </div> </section> <h2 id="try-1password-for-yourself">Try 1Password for yourself</h2> <p>The real winners here are the people using your app. To find out why 1Password customers are so passionate about seeing support for enhanced autofill in all the apps they use, <a href="https://1password.com/pricing/">try 1Password free for 14 days</a>. You&rsquo;ll have plenty of time to optimize your app for autofill and test it for yourself, and we think you&rsquo;ll like it enough to stick around. 
❤️</p></description></item><item><title>Let's all go to the park - introducing 1Password Park</title><link>https://blog.1password.com/lets-all-go-to-the-park-introducing-1password-park/</link><pubDate>Thu, 15 Nov 2018 00:00:00 +0000</pubDate><author>info@1password.com (Sara Teare)</author><guid>https://blog.1password.com/lets-all-go-to-the-park-introducing-1password-park/</guid><description> <img src='https://blog.1password.com/posts/2018/1password-park/header.png' class='webfeedsFeaturedVisual' alt='Let&#39;s all go to the park - introducing 1Password Park' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">1Password was born and raised in Canada, with an amazing team of people working around the world to continue development and provide support to all our customers.</p> <p>Last Christmas, we wanted to help provide food security to those in need, and donated $50,000 to Food Banks throughout Ontario, where our Founders are based. We&rsquo;ve been fortunate to be able to help others in our community, and found a new way to continue helping.</p> <img src='https://blog.1password.com/posts/2018/1password-park/team.jpg' alt='Coach Dave Teare with St Thomas Soccer Club' title='Coach Dave Teare with St Thomas Soccer Club' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>Several years ago, Dave Teare began coaching in his hometown, with the St. Thomas Soccer Club. When the City of St. Thomas decided to build a new outdoor soccer space to ensure there would be fields for kids to play on, we knew it was something we wanted to be involved with.</p> <p>We&rsquo;re super excited to announce that in the spring of 2019, kids from all over will be able to enjoy 1Password Park - a 65-acre outdoor complex featuring soccer fields, an artificial turf football field, a playground with a splash pad and walking trails. 
1Password Park will be an awesome place to play and enjoy time with family and friends!</p> <p>In addition to announcing the naming of 1Password Park, we&rsquo;re also excited to be announcing a new office in St. Thomas as well. If you&rsquo;re interested in joining the <a href="https://1password.com/teams/">1Password team</a> at our new location, helping to make 1Password even greater for the millions of users who love 1Password, you can <a href="mailto:robh@agilebits.com" title="apply to join the 1Password team by emailing Rob Hanslip">apply by emailing Rob</a>, our Customer Care Coordinator.</p> <p>See you on the fields! 👋 ❤️</p></description></item><item><title>Immutable Australian Future Wave</title><link>https://blog.1password.com/immutable-australian-future-wave/</link><pubDate>Fri, 09 Nov 2018 00:00:00 +0000</pubDate><author>info@1password.com (Sarah Brown)</author><guid>https://blog.1password.com/immutable-australian-future-wave/</guid></item><item><title>From dark to light and back again</title><link>https://blog.1password.com/from-dark-to-light-and-back-again/</link><pubDate>Thu, 08 Nov 2018 00:00:00 +0000</pubDate><author>info@1password.com (Will Moore)</author><guid>https://blog.1password.com/from-dark-to-light-and-back-again/</guid><description> <img src='https://blog.1password.com/posts/2018/dark-mode/header.png' class='webfeedsFeaturedVisual' alt='From dark to light and back again' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">We&rsquo;ve had a lightbulb moment and added Dark Mode to our blog. It makes it more readable, more enjoyable, and more fun than ever before. Read on to find out how we did it and how you can add it to your own website.</p> <p>Dark Mode in Mojave is great for apps, but until now websites didn&rsquo;t have a way to participate in the fun. 
Apple just gave us a gift with their latest update to Safari Technology Preview, and we&rsquo;ve been having fun exploring the new possibilities.</p> <h2 id="welcome-to-the-dark-side-">Welcome to the dark side 🌗</h2> <p>Today I’m happy to say that the 1Password blog is now 100% compatible with Dark Mode, and the experience is fantastic. 🎉</p> <img src='https://blog.1password.com/posts/2018/dark-mode/light-dark.gif' alt='1Password Blog supports Dark Mode' title='1Password Blog supports Dark Mode' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>Although the Safari app itself has supported Dark Mode ever since macOS Mojave debuted, websites had no way to know when their content was being presented in Dark Mode. You saw the same color scheme on each website, no matter which mode your Mac was in.</p> <p><a href="https://webkit.org/blog/8475/release-notes-for-safari-technology-preview-68/">Safari Technology Preview 68</a> changed this by adding support for the <code>prefers-color-scheme</code> media query. It&rsquo;s exactly what websites need to support Dark Mode. Images appear brighter and more vivid, and reading one of <a href="https://blog.1password.com/toward-better-master-passwords/">Jeff Goldberg’s security lessons</a> is easier on the eyes by far. 👀</p> <p>Right now, Dark Mode is only available on macOS Mojave, but because the media query is part of WebKit, we&rsquo;re hopeful that it will come to other platforms in time. To check it out yourself, install <a href="https://developer.apple.com/safari/technology-preview/">Safari Technology Preview</a>, or just sit tight. This new feature will be available in Safari proper sometime soon. 
If you do install Safari Technology Preview, switch to Dark Mode while viewing this blog post for an extra visual treat.</p> <img src='https://blog.1password.com/posts/2018/dark-mode/switcher.png' alt='1Password Blog supports Dark Mode' title='1Password Blog supports Dark Mode' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <h2 id="add-support-for-dark-mode-to-your-site">Add support for Dark Mode to your site</h2> <p>Although Apple gives you the basic information you need to add support for Dark Mode to your site, it’s not a complete picture. So we wanted to share how we did it. Feel free to use any of the code snippets below.</p> <p>At a basic level, Dark Mode can be accessed through a CSS media query:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-css" data-lang="css"><span class="p">@</span><span class="k">media</span> <span class="nt">screen</span> <span class="nt">and</span> <span class="o">(</span><span class="nt">prefers-color-scheme</span><span class="o">:</span> <span class="nt">dark</span><span class="o">)</span> <span class="p">{}</span> </code></pre></div><p>We then decided to convert this into a <a href="https://sass-lang.com/guide#topic-6">Sass mixin</a> to make things a little neater:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-scss" data-lang="scss"><span class="k">@mixin</span><span class="nf"> dark-mode</span><span class="p">(</span><span class="nv">$background</span><span class="o">:</span> <span class="n">null</span><span class="o">,</span> <span class="nv">$color</span><span class="o">:</span> <span class="n">null</span><span class="p">)</span> <span class="p">{</span> <span class="k">@media</span> <span class="ni">screen</span> <span class="ow">and</span> <span class="p">(</span><span class="n">prefers-color-scheme</span><span class="o">:</span> <span class="ni">dark</span><span class="p">)</span> <span class="p">{</span> <span 
class="k">@if</span> <span class="p">(</span><span class="nv">$background</span> <span class="o">!=</span> <span class="n">null</span> <span class="ow">and</span> <span class="nv">$color</span> <span class="o">!=</span> <span class="n">null</span><span class="p">)</span> <span class="p">{</span> <span class="na">background-color</span><span class="o">:</span> <span class="nv">$background</span><span class="p">;</span> <span class="na">color</span><span class="o">:</span> <span class="nv">$color</span><span class="p">;</span> <span class="p">}</span> <span class="k">@else if</span> <span class="p">(</span><span class="nv">$background</span> <span class="o">!=</span> <span class="n">null</span> <span class="ow">and</span> <span class="nv">$color</span> <span class="o">==</span> <span class="n">null</span><span class="p">)</span> <span class="p">{</span> <span class="na">background-color</span><span class="o">:</span> <span class="nv">$background</span><span class="p">;</span> <span class="p">}</span> <span class="k">@else if</span> <span class="p">(</span><span class="nv">$color</span> <span class="o">!=</span> <span class="n">null</span> <span class="ow">and</span> <span class="nv">$background</span> <span class="o">==</span> <span class="n">null</span><span class="p">)</span> <span class="p">{</span> <span class="na">color</span><span class="o">:</span> <span class="nv">$color</span><span class="p">;</span> <span class="p">}</span> <span class="k">@else</span> <span class="p">{</span> <span class="k">@content</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre></div><p>Because we were mainly changing background color and font color, we thought it made sense to have these as variables to pass in on a single line to the mixin. This works in an &ldquo;and/or&rdquo; manner, but it also works if neither are passed in. This allows us to set any CSS properties we need to. 
The different ways to call the mixin are like so:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-scss" data-lang="scss"><span class="k">@include</span><span class="nd"> dark-mode</span><span class="p">(</span><span class="nv">$background</span><span class="o">:</span> <span class="mh">#000</span><span class="o">,</span> <span class="nv">$color</span><span class="o">:</span> <span class="mh">#fff</span><span class="p">);</span> <span class="k">@include</span><span class="nd"> dark-mode</span><span class="p">(</span><span class="nv">$color</span><span class="o">:</span> <span class="mh">#fff</span><span class="p">);</span> <span class="k">@include</span><span class="nd"> dark-mode</span><span class="p">(</span><span class="nv">$background</span><span class="o">:</span> <span class="mh">#000</span><span class="p">);</span> <span class="k">@include</span><span class="nd"> dark-mode</span><span class="p">()</span> <span class="p">{</span> <span class="na">background-color</span><span class="o">:</span> <span class="mh">#000</span><span class="p">;</span> <span class="na">opacity</span><span class="o">:</span> <span class="mi">0</span><span class="mf">.5</span><span class="p">;</span> <span class="na">border</span><span class="o">:</span> <span class="mi">1</span><span class="kt">px</span> <span class="ni">solid</span> <span class="mh">#fff</span><span class="p">;</span> <span class="p">}</span> </code></pre></div><p>We&rsquo;d love to hear from you to find out if the above was helpful to you. If you make use of any of the code snippets and want to show off, ping <a href="https://twitter.com/1Password">@1Password</a> on Twitter. Cheers! 
👋</p></description></item><item><title>Hello Brooklyn, Hello 1Password: Apple’s special event wrap-up</title><link>https://blog.1password.com/hello-brooklyn-hello-1password-apples-special-event-wrap-up/</link><pubDate>Tue, 30 Oct 2018 00:00:00 +0000</pubDate><author>info@1password.com (Michael Fey)</author><guid>https://blog.1password.com/hello-brooklyn-hello-1password-apples-special-event-wrap-up/</guid><description> <img src='https://blog.1password.com/posts/2018/brooklyn-reaction/header.png' class='webfeedsFeaturedVisual' alt='Hello Brooklyn, Hello 1Password: Apple’s special event wrap-up' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Today’s Apple Event in NYC was one of my favorites in years. From the new Macs, to the new iPads, to 1Password making an awesome cameo on stage it had everything I could want in an Apple keynote.</p> <p>Full disclosure before we go any further in today’s post, folks: I am tapping into a deep vein of long-running Apple fanboyism. If you’d rather not hear me gush about all the stuff that was announced at the Brooklyn Academy of Music, here’s the gist: 1Password on stage, woo! Brand new iPad Pros with Face ID, incredible! New MacBook Airs (with <a href="https://1password.com/mac/">Touch ID</a>) and Mac minis, fantastic!</p> <p>Speaking of that cameo, we were super surprised and honored to show up on the screen behind Laura. Touch ID on the Mac is one of my favorite features and having Apple use 1Password to show it off to the world was just terrific. 
🙏</p> <p> <img src='https://blog.1password.com/posts/2018/brooklyn-reaction/image_0.png' alt='1Password appearing on stage at the event' title='1Password appearing on stage at the event' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> </p> <h2 id="brand-new-macs">Brand New Macs</h2> <p>Now I don’t care to engage in hyperbole, and the word “finally” is usually uttered in a wry tone, but seeing a whole new model of Mac mini <em>finally</em> announced today was so great. We love these little Macs here at 1Password, especially on the development team where they make great build and test servers. You can bet we’ll be adding one or two of these to our arsenal to supplement the iMac we currently use to distribute <a href="https://1password.com/mac/">1Password for Mac</a> and iOS.</p> <p>It was also great to see the all-new MacBook Air with Touch ID and Retina display! While I’ve never actually owned an Air, any time I’ve used a friend’s I’ve always been blown away by how thin they are. Seeing Touch ID show up in another Mac in Apple’s lineup is super cool, too. It makes <a href="https://support.1password.com/explore/get-started/">using 1Password</a> such a breeze, and anything that makes it easier for folks to sign in to their online accounts without typing a password gets a 👍 from me.</p> <h2 id="all-new-ipad-pros">All New iPad Pros</h2> <p>I am a huge fan of the iPad Pro. My current second-generation iPad Pro 12.9” (which I call Big Bertha) is one of my favorite Apple devices I’ve ever owned. The giant screen and speedy processor work so well for photo editing that I’ve completely replaced my MacBook Pro as my photography production rig. Today’s announcement of the all-new iPad Pro takes what was already a fantastic device and raises it to a whole new level. Face ID is a natural progression for this product. 
We’ll know more very soon, but if I had to imagine it I’m guessing this is what 1Password’s lock screen will soon look like on iPad: <img src='https://blog.1password.com/posts/2018/brooklyn-reaction/image_1.png' alt='Mockup of 1Password lock screen' title='Mockup of 1Password lock screen' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> </p> <h2 id="wrapping-it-up">Wrapping it Up</h2> <p>I warned you at the beginning that there was going to be a bit of gushing today. We love Apple here at 1Password and it’s always inspiring to watch them unveil great new products. Seeing how they push the envelope of what is possible with hardware makes us want to create even greater software. How about you, what was your favorite part of today’s event? Have you ordered any shiny new hardware? I warmed up my credit card this afternoon with a new 12.9&quot; iPad Pro + Smart Keyboard Folio. Next Wednesday cannot come soon enough.</p></description></item><item><title>Introducing 1Password for Democracy</title><link>https://blog.1password.com/introducing-1password-for-democracy/</link><pubDate>Tue, 23 Oct 2018 00:00:00 +0000</pubDate><author>info@1password.com (Matt Davey)</author><guid>https://blog.1password.com/introducing-1password-for-democracy/</guid></item><item><title>Random but Memorable: the security advice podcast from 1Password</title><link>https://blog.1password.com/random-but-memorable-the-security-advice-podcast-from-1password/</link><pubDate>Tue, 23 Oct 2018 00:00:00 +0000</pubDate><author>info@1password.com (Matt Davey)</author><guid>https://blog.1password.com/random-but-memorable-the-security-advice-podcast-from-1password/</guid><description> <img src='https://blog.1password.com/posts/2018/podcast-announce/header.png' class='webfeedsFeaturedVisual' alt='Random but Memorable: the security advice podcast from 1Password' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Last month, we 
launched Random but Memorable, a security advice podcast with a new episode every two weeks. Random but Memorable is named after your Master Password, but is also very appropriate for the show. The “memorable” part mainly comes from my co-host Michael Fey (Roo) not reading the show notes until we start recording, and the “random” part is a direct result of this.</p> <p>In our first episode, <strong>Correct Battery Horse Pilot</strong>, we talk about our iOS 12 and Mojave beta releases, and discuss the security news of the week. We experimented with a few ending segments of lighthearted banter but settled on trying to pronounce odd-looking place names, starting with the English town of Loughborough.</p> <div class="c-simplecast-embed"> <iframe class="c-simplecast-embed__iframe" title="1Password Random but Memorable Podcast" width="100%" frameborder="no" scrolling="no" seamless src="https://player.simplecast.com/673b6214-ae11-4b0c-82a8-8e92c2f2f1f2?dark=false"></iframe> </div> <p>The second installment is called <strong>Machine Factor Toaster Data</strong> and introduces our first guest, Mitchell Cohen, who works on 1Password X. We discuss what 1Password X is and how it uses machine learning in a privacy-conscious way.</p> <div class="c-simplecast-embed"> <iframe class="c-simplecast-embed__iframe" title="1Password Random but Memorable Podcast" width="100%" frameborder="no" scrolling="no" seamless src="https://player.simplecast.com/8fa0aff1-fa63-4086-af69-4efb6e859fc1?dark=false"></iframe> </div> <p>The third episode, <strong>Nickelback Apologist Math Bounty</strong>, is my favourite so far. 
In it, we answer some questions from users about the password generator, and then talk to Jeffrey Goldberg our Chief Defender Against the Dark Arts about how the security behind 1Password works.</p> <div class="c-simplecast-embed"> <iframe class="c-simplecast-embed__iframe" title="1Password Random but Memorable Podcast" width="100%" frameborder="no" scrolling="no" seamless src="https://player.simplecast.com/a01d5833-e7e1-4a21-b49c-ae435bf48bb6?dark=false"></iframe> </div> <p>The fourth episode, <strong>Localised Banana-Pants Hack Guide</strong> is out today with guest Glenn Fleishman, writer of Practical Guides, and includes us ruining the best placement of all time.</p> <div class="c-simplecast-embed"> <iframe class="c-simplecast-embed__iframe" title="1Password Random but Memorable Podcast" width="100%" frameborder="no" scrolling="no" seamless src="https://player.simplecast.com/ff2cc414-bc1c-4c35-934f-b6b81ccd004e?dark=false"></iframe> </div> <p>A new episode launches every two weeks to discuss what’s new in 1Password and the wider world of security.</p> <p>If you&rsquo;d like us to answer your question on the show, tweet us <a href="https://twitter.com/1Password">@1Password</a> using the hashtag <a href="https://twitter.com/search?q=%23ask1password">#ask1Password</a>.</p> <p>Subscribe in <a href="https://overcast.fm/itunes1435486599/random-but-memorable">Overcast</a>, <a href="https://pca.st/43AW">Pocket Casts</a>, or <a href="https://podcasts.apple.com/gb/podcast/random-but-memorable/id1435486599?mt=2">iTunes</a> and please rate and review us on iTunes!</p></description></item><item><title>1Password 7.2 for Mac: Welcome to the dark side</title><link>https://blog.1password.com/1password-7.2-for-mac-welcome-to-the-dark-side/</link><pubDate>Wed, 10 Oct 2018 00:00:00 +0000</pubDate><author>info@1password.com (Michael Fey)</author><guid>https://blog.1password.com/1password-7.2-for-mac-welcome-to-the-dark-side/</guid><description> <img 
src='https://blog.1password.com/posts/2018/opm7.2/header.png' class='webfeedsFeaturedVisual' alt='1Password 7.2 for Mac: Welcome to the dark side' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">It’s fall and you know what that means: new Apple operating systems! When Apple announced macOS Mojave with Dark Mode back in June, we knew we wanted to be there on day one with an update to 1Password that looked great in the dark. So we hiked up our programmer pants and got to work.</p> <h2 id="1password-has-a-dark-side">1Password has a dark side</h2> <p>As soon as Tim Cook left the stage at the Worldwide Developers Conference keynote we hustled back to our hotel and got to work on some mockups for what a Dark Mode version of 1Password might look like. We started, naturally, with the lock screen:</p> <img src='https://blog.1password.com/posts/2018/opm7.2/image_0.png' alt='lock screen in dark mode' title='lock screen in dark mode' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>Of course we didn’t stop there. Once you unlock 1Password, you’ll be greeted with a user interface that is right at home in Dark Mode. I love how website icons pop against the dark background, making it easier than ever to spot the login you’re looking for.</p> <img src='https://blog.1password.com/posts/2018/opm7.2/image_1.png' alt='item view in dark mode' title='item view in dark mode' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <h2 id="safari-support-baked-right-in">Safari support, baked right in</h2> <p>1Password has had the ability to work within Safari for years, making it super easy to fill your usernames and passwords directly into websites. 
With 1Password 7.2 we’ve built the Safari extension right into the app, meaning you’ll never have to install a separate browser extension again!</p> <p>The <a href="https://1password.com/resources/guides/1password-for-safari/">new Safari 1Password extension</a> also brings with it real security improvements. A Safari App Extension is packaged and code-signed as part of the 1Password app and communicates with it directly, so there is no separately installed extension, and no separate browser-to-app channel, for a malicious local process to impersonate or sit in the middle of.</p> <h2 id="mojave-mo-secure">Mojave, mo’ secure</h2> <p>The latest incarnation of macOS didn’t just come with a new pretty face; Apple also added some incredibly powerful security improvements for third-party developers to take advantage of. We’re always keen to jump on anything that helps improve the security of our customers, so 1Password now runs within a hardened runtime. An app built with the &ldquo;hardened runtime&rdquo; opts in to a set of restrictions the system enforces on it: libraries not signed by Apple or by the same team are refused, <code>DYLD_*</code> environment-variable injection is ignored, and other processes cannot attach a debugger to it unless the app explicitly grants that through an entitlement. In short, the common ways one process tampers with another app&rsquo;s code are closed off.</p> <p>1Password 7.2 also makes use of Apple’s new notary service: 1Password is now fully notarized, which means Apple’s notary service has scanned the build for known malicious content and issued a ticket that Gatekeeper checks before the app first runs. 👍</p> <p>You’ll also notice that 1Password 7.2 no longer automatically submits passwords once they have been filled. This was a difficult decision to make, but we made it for a few reasons that we wanted to share:</p> <ul> <li>Sometimes a website doesn’t behave as 1Password might expect, resulting in passwords being filled sub-optimally, or fields being left blank. If 1Password were to automatically submit forms in these cases, users are left with an experience that we don’t feel reflects how we want 1Password to work and can lead to confusion.</li> <li>The mechanism by which 1Password was performing autosubmit is no longer supported in macOS Mojave. 
As yet another step towards a more secure environment, apps that can virtually type the ‘Return’ key on the keyboard have been significantly restricted.</li> <li>1Password automatically leaves focus on the password field so there&rsquo;s no need to click the submit button. Just press the Enter key and you&rsquo;re all set. Alongside the Command-\ fill keyboard shortcut, it works quite well.</li> </ul> <p>We feel strongly that removing the ability to automatically submit passwords is the right call. I’ll be fully transparent, it’s taken some getting used to, but now that it’s part of my workflow&hellip; autosubmit? I don’t miss it.</p> <h2 id="how-do-i-get-it">How do I get it?</h2> <p>We’re glad you asked! You can download the latest version of <a href="https://1password.com/mac/">1Password for Mac</a> here:</p> <p><a href="https://app-updates.agilebits.com/download/OPM7">Download 1Password for Mac</a></p> <p>1Password 7.2 is included free for everyone with a 1Password membership, as well as those who own a 1Password 7 license. Simply unlock 1Password after downloading and you’re good to go.</p> <p>If you’ve downloaded 1Password 7 from the Mac App Store, you can update to the latest version from the &ldquo;Updates&rdquo; tab over there, too.</p> <p>We hope you enjoy using this new, altogether faster, more secure and, of course, darker version of 1Password for Mac. 
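</p> <p>If you want to confirm the hardened runtime and notarization on your own Mac rather than take our word for it, the script below is an added example (not 1Password&rsquo;s code) that asks Apple&rsquo;s own <code>codesign</code> and <code>spctl</code> tools whether an app bundle carries the Hardened Runtime flag and passes Gatekeeper as notarized. It also lists any <code>com.apple.security.cs.*</code> entitlements the app holds, because a hardened-runtime app can opt back out of individual restrictions (DYLD injection, library validation, and so on) through those entitlements, and that is the caveat to check. The default bundle path is an assumption, and the sample tool output, <code>Example.app</code>, and the team ID <code>ABCDE12345</code> are constructed placeholders used only when the tools are not available.</p>

```shell
#!/bin/sh
# Added example (not 1Password's code): verify that a macOS app bundle was
# built with the Hardened Runtime and is notarized, and list the entitlements
# that relax Hardened Runtime protections. APP is an assumed default path.
APP="${APP:-/Applications/1Password 7.app}"

# codesign prints the CodeDirectory flags of the main executable; the 0x10000
# bit is printed by name as "runtime" when the Hardened Runtime is enabled.
has_hardened_runtime() {
  # $1: output of `codesign -dv --verbose=4 "$APP" 2>&1`
  printf '%s\n' "$1" | grep -q 'flags=0x[0-9a-fA-F]*(.*runtime.*)'
}

# spctl gives the Gatekeeper verdict; a notarized Developer ID build is
# reported as accepted with "source=Notarized Developer ID".
is_notarized() {
  # $1: output of `spctl --assess --verbose=4 --type execute "$APP" 2>&1`
  printf '%s\n' "$1" | grep -q '^source=Notarized Developer ID'
}

# The com.apple.security.cs.* entitlements are the per-app exceptions to the
# Hardened Runtime (e.g. allow-dyld-environment-variables,
# disable-library-validation); an app holding them is less hardened than the
# flag alone suggests.
hardened_runtime_exceptions() {
  # $1: output of `codesign -d --entitlements :- "$APP" 2>/dev/null`
  printf '%s\n' "$1" | grep -o 'com\.apple\.security\.cs\.[a-z.-]*' | sort -u
}

# Constructed sample outputs, shaped like what the real tools print, so the
# checks can be exercised on a machine without codesign/spctl.
SAMPLE_CODESIGN='Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=com.example.app
Format=app bundle with Mach-O thin (x86_64)
CodeDirectory v=20500 size=1234 flags=0x10000(runtime) hashes=30+5 location=embedded
Signature size=8980
TeamIdentifier=ABCDE12345'

SAMPLE_SPCTL='/Applications/Example.app: accepted
source=Notarized Developer ID
origin=Developer ID Application: Example Corp (ABCDE12345)'

SAMPLE_ENTITLEMENTS='<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>com.apple.security.cs.allow-dyld-environment-variables</key><true/>
</dict></plist>'

# Use the real tools when present (macOS); otherwise fall back to the samples
# so the script still demonstrates the checks end to end.
if command -v codesign >/dev/null 2>&1 && command -v spctl >/dev/null 2>&1; then
  cs_out=$(codesign -dv --verbose=4 "$APP" 2>&1)
  sp_out=$(spctl --assess --verbose=4 --type execute "$APP" 2>&1)
  ent_out=$(codesign -d --entitlements :- "$APP" 2>/dev/null)
else
  cs_out=$SAMPLE_CODESIGN
  sp_out=$SAMPLE_SPCTL
  ent_out=$SAMPLE_ENTITLEMENTS
fi

if has_hardened_runtime "$cs_out"; then echo "hardened runtime: yes"; else echo "hardened runtime: NO"; fi
if is_notarized "$sp_out"; then echo "notarized: yes"; else echo "notarized: NO"; fi
echo "entitlements relaxing the hardened runtime:"
hardened_runtime_exceptions "$ent_out" | sed 's/^/  /'
```

<p>Run it as <code>APP="/Applications/Some.app" sh check-hardening.sh</code> on a Mac. A build that is hardened and notarized but lists exceptions such as <code>allow-dyld-environment-variables</code> or <code>disable-library-validation</code> has deliberately reopened the injection paths the hardened runtime exists to close, which is worth knowing before trusting the flag alone.</p> <p>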
We sure enjoyed working on it!</p></description></item><item><title>California Password Law</title><link>https://blog.1password.com/california-password-law/</link><pubDate>Fri, 05 Oct 2018 00:00:00 +0000</pubDate><author>info@1password.com (Sarah Brown)</author><guid>https://blog.1password.com/california-password-law/</guid><description> <img src='https://blog.1password.com/posts/2018/cf-password-law/header.png' class='webfeedsFeaturedVisual' alt='California Password Law' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">California just became the first state to put a <a href="https://www.bbc.com/news/technology-45757528">cybersecurity law</a> on the books for any internet-connected devices that are made or sold in the state. This new legislation goes into effect January 2020 and is designed to protect consumers by setting higher security standards for smart devices.</p> <p>To comply with this <a href="https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201720180SB327">new law</a>, companies will either need to set a unique password for the device at the time of manufacture or prompt people to set a new password during the initial device setup.</p> <p>This is a big step in the right direction for safety and privacy. Too often, people in a rush to get up and running will leave the default password in place rather than taking the time to set a strong password. Unfortunately, the default passwords are trivial to crack.</p> <p>As well as putting our privacy at risk, default passwords make it possible for hackers to take control of thousands of devices at once and use them to bring down other services. Twitter, Spotify, and Reddit have all been attacked in this way.</p> <p>Although smart devices make our lives easier, they can also make us more vulnerable. Banning default passwords will certainly help with security, but it isn’t enough on its own. 
People are still likely to pick insecure, easy-to-remember passwords when setting up a new device. It&rsquo;s important to use strong, unique passwords everywhere – from your Twitter account to your espresso machine, and without a password manager, that’s just not practical.</p> <p>“People are often too relaxed about the security of their home network, and leaving the default password on smart devices is far too common,” says Jeff Shiner, 1Password CEO. “While requiring users to create new passwords on launch is a great first step, manufacturers still have a greater responsibility to ensure software is frequently updated and patched against security threats.”</p> <p>While this current law only applies to California, the benefits will be felt nationwide for any devices manufactured within the state. And it’s likely only a matter of time before other laws start to pop up in other states.</p></description></item><item><title>A journey into the new Mac App Store</title><link>https://blog.1password.com/a-journey-into-the-new-mac-app-store/</link><pubDate>Wed, 03 Oct 2018 00:00:00 +0000</pubDate><author>info@1password.com (Lily Bradic)</author><guid>https://blog.1password.com/a-journey-into-the-new-mac-app-store/</guid><description> <img src='https://blog.1password.com/posts/2018/mas-journey/header.png' class='webfeedsFeaturedVisual' alt='A journey into the new Mac App Store' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">macOS Mojave launched last week, and while Dark Mode was the feature I’d been most eager to test-drive, the redesigned Mac App Store quickly proved to be a dark horse itself. Here’s what I’ve been loving about the new Mac App Store, and what the 1Password team think you’ll love too. ❤️</p> <h2 id="the-first-voyage">The first voyage</h2> <p>The Mac App Store has never been somewhere I’ve gone to browse, exactly — I’d usually open it with the intent of downloading a specific app. 
I wasn’t really expecting this to change, and the first time I opened it after upgrading to Mojave I was too struck by how incredible it looked in Dark Mode to notice much else.</p> <p>But after my initial &ldquo;ooh, Dark Mode!&rdquo; reaction subsided, I realized it wasn’t just the contrast between the dark backdrop and the rich illustrations that was impressive, but the design of the Mac App Store itself. For the first time ever, the App Store feels like one of the beautifully designed apps you’d go there to purchase — as well as a platform for discovering them.</p> <img src='https://blog.1password.com/posts/2018/mas-journey/image_0.png' alt='Mac App Store main view' title='Mac App Store main view' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <h2 id="discovering-the-new-mac-app-store">Discovering the new Mac App Store</h2> <p>Apple have recreated the Mac App Store from the ground up, and it’s a pleasure to use. There’s a joy in simply browsing: with the all-new Discover tab, Apple has introduced fascinating stories, in-depth interviews and weekly picks. These editorial features bring everything together, creating an ecosystem that celebrates the best of what app developers have to offer.</p> <p>This new iteration builds on the Featured tab and Editors’ Choice picks, but the experience feels a lot more user-oriented, with apps clustered together around objectives you might have — like increasing your writing productivity or streamlining your workflow. 
The write-ups add a human touch, and it’s one we’ve never really had before.</p> <p>Exploring the new Mac App Store feels like an adventure, and it inspires you to make the most of what your Mac is capable of doing.</p> <img src='https://blog.1password.com/posts/2018/mas-journey/image_1.png' alt='Master the menu bar with 1Password' title='Master the menu bar with 1Password' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <h2 id="your-guide-to-the-stars-">Your guide to the stars 🚀</h2> <p>I think this last week in Dark Mode has started to affect my brain, because I’m seeing everything as an interplanetary adventure — bright app icons scattered across the dark expanse of space.</p> <p>The editorial features and tutorials are amazing at helping you find your way round, and it’s absolutely worth checking back regularly to see what new guides and collections have been added.</p> <img src='https://blog.1password.com/posts/2018/mas-journey/image_2.png' alt='Unlock 1Password&#39;s hidden secrets' title='Unlock 1Password&#39;s hidden secrets' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>The Create, Work, Play and Develop tabs provide some great recommendations and showcase some of the best apps on offer. 
Of course, 1Password 7 for Mac is <a href="https://apps.apple.com/us/app/1password-7-password-manager/id1333542190?mt=12">right at home in the new App Store</a> and it’s looking pretty stunning in Dark Mode, even if we do say so ourselves.</p> <p>And as a fully remote team, we’re grateful for how much Slack can simplify communication, but the notifications can get a bit out of hand — so the App Store’s new feature on <a href="https://apps.apple.com/story/id1401946445">keeping notifications in check</a> is pretty interesting.</p> <img src='https://blog.1password.com/posts/2018/mas-journey/image_3.png' alt='Tame your Slack notifications' title='Tame your Slack notifications' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>I’m a newly converted Things 3 user — the keyboard shortcuts are life-changing, and it’s such a pleasure to use — so I really appreciate the pro tips <a href="https://itunes.apple.com/story/id1378480998">here</a>, too (and I have to mention that Things also looks incredible in Dark Mode).</p> <img src='https://blog.1password.com/posts/2018/mas-journey/image_4.png' alt='3 things to love about Things 3' title='3 things to love about Things 3' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>And this <a href="https://apps.apple.com/gb/story/id1378479254">Firewatch story</a> is even tempting me to break my self-imposed &ldquo;no games on the MacBook because they’ll distract you&rdquo; rule&hellip;.</p> <img src='https://blog.1password.com/posts/2018/mas-journey/image_5.png' alt='Venture into Firewatch&#39;s mystery' title='Venture into Firewatch&#39;s mystery' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>We’d love to hear your favorite features in the new App Store. Join the conversation on Twitter — and don’t forget to check out 1Password in Dark Mode. 
😉</p></description></item><item><title>Customers love Password AutoFill on iOS and so will you</title><link>https://blog.1password.com/customers-love-password-autofill-on-ios-and-so-will-you/</link><pubDate>Tue, 02 Oct 2018 00:00:00 +0000</pubDate><author>info@1password.com (Will Moore)</author><guid>https://blog.1password.com/customers-love-password-autofill-on-ios-and-so-will-you/</guid><description> <img src='https://blog.1password.com/posts/2018/password-autofill/header.png' class='webfeedsFeaturedVisual' alt='Customers love Password AutoFill on iOS and so will you' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">It’s been a couple of weeks since iOS 12 was released into the wild, and we have loved playing with all the new features it has to offer. Screen Time has shown many of us that we perhaps spend a little too much time on our iPhones, but one thing that has definitely sped up our mobile interactions is Password AutoFill.</p> <img src='https://blog.1password.com/posts/2018/password-autofill/autofill.gif' alt='Video showing how 1Password can fill credentials into Twitter&#39;s website' title='Video showing how 1Password can fill credentials into Twitter&#39;s website' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>To recap, <a href="https://developer.apple.com/documentation/security/password_autofill/">Password AutoFill</a> opened up the filling technology included with iOS to third-party developers, meaning that we could make <a href="https://1password.com/features/autofill/">autofilling your passwords</a> even easier.</p> <p>When iOS 12 was announced back in June, <a href="https://blog.1password.com/wwdc18-presents-from-apple/">we were there</a> in the audience of WWDC, and were thrilled to learn that we could now integrate 1Password directly into iOS. 
As soon as the keynote was finished, our developers jumped to work, and by dinner we already <a href="https://twitter.com/1Password/status/1003824297725460481">had a working demo</a>.</p> <p>Skip forward three months and that demo has turned into a fully fledged feature, ready to transform how password filling works on iPhone and iPad.</p> <h2 id="love-and-praise-from-1password-users">Love and praise from 1Password users</h2> <p>As soon as our customers began to update their devices, they got in touch to let us know how much they loved the feature.</p> <p> <div class="tweet"> <img src="https://blog.1password.com/img/icons/twitter.svg" alt="@DeaNHtiD99 tweet" /> <p> Absolutely love the new <a href="https://twitter.com/1Password">@1Password</a> integration on iOS12. Seamless - <span>@DeaNHtiD99</span> <a href="http://twitter.com/user/status/1041927137903747072" title="@DeaNHtiD99" class="view-tweet" target="_blank" rel="noopener">View tweet</a> </p> </div> <div class="tweet"> <img src="https://blog.1password.com/img/icons/twitter.svg" alt="@terblanchejp tweet" /> <p> <a href="https://twitter.com/1Password">@1Password</a> just want to say thanks for an absolute gem of an update! Auto fill works great with iOS 12. You guys rock! 
- <span>@terblanchejp</span> <a href="http://twitter.com/user/status/1041931116578566144" title="@terblanchejp" class="view-tweet" target="_blank" rel="noopener">View tweet</a> </p> </div> <div class="tweet"> <img src="https://blog.1password.com/img/icons/twitter.svg" alt="@andreas__k tweet" /> <p> Adding <a href="https://twitter.com/1Password">@1Password</a> as custom provider for password <a href="https://twitter.com/hashtag/autofill?src=hash">#autofill</a> is the best enhancement since inventing the smartphone <a href="https://twitter.com/hashtag/ios12?src=hash">#ios12</a> - <span>@andreas__k</span> <a href="http://twitter.com/user/status/1042134762817835009" title="@andreas__k" class="view-tweet" target="_blank" rel="noopener">View tweet</a> </p> </div> </p> <p>We were, and continue to be, humbled by these comments. Hearing that a feature we work on is as loved as we hope it will be makes building 1Password the best job in the world.</p> <h2 id="are-you-using-password-autofill">Are you using Password AutoFill?</h2> <p>As you can see from the above, we think Password AutoFill is a pretty big deal, and we want everyone to use and enjoy it. Setting it up is super simple. Just follow these instructions:</p> <ol> <li> <p>On the Home screen, tap Settings.</p> </li> <li> <p>Tap Passwords &amp; Accounts &gt; AutoFill Passwords.</p> </li> <li> <p>Turn on AutoFill Passwords.</p> </li> <li> <p>Select 1Password.</p> </li> </ol> <img src='https://blog.1password.com/posts/2018/password-autofill/settings.jpeg' alt='Changing the apps enabled for AutoFill in iOS' title='Changing the apps enabled for AutoFill in iOS' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>From now on, you’ll be able to fill and save passwords without ever opening the 1Password app.</p> <p>To stop iCloud Keychain from asking to save your passwords, deselect iCloud Keychain. 
Then you’ll always know passwords are saved in 1Password, without any confusion.</p> <p>Setting it up is just the start and if you’d like to read more on how Password AutoFill and 1Password work together on your iPhone and iPad, do take a look at our <a href="https://support.1password.com/ios-autofill/">walkthrough article.</a></p> <p>Give it a go, and you’ll quickly see why Password AutoFill has become my favourite way to use 1Password on iOS. 🙂</p></description></item><item><title>1Password.com is now available in multiple languages</title><link>https://blog.1password.com/1password.com-is-now-available-in-multiple-languages/</link><pubDate>Wed, 12 Sep 2018 00:00:00 +0000</pubDate><author>info@1password.com (Chris Meek)</author><guid>https://blog.1password.com/1password.com-is-now-available-in-multiple-languages/</guid><description> <img src='https://blog.1password.com/posts/2018/localization/header.png' class='webfeedsFeaturedVisual' alt='1Password.com is now available in multiple languages' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Over the past year alone, we&rsquo;ve seen a 172% increase in non-English-speaking visitors to 1Password.com. We want everyone to feel completely at home using 1Password, so today we&rsquo;re excited to announce an important step toward a truly global service.</p> <p>For the first time ever, all of 1Password – the apps and <a href="https://1password.com/">1Password.com</a> – is available in 11 languages:</p> <ul> <li>English</li> <li>Français</li> <li>Deutsch</li> <li>Italiano</li> <li>日本語</li> <li>한국어</li> <li>Português</li> <li>Русский</li> <li>Español</li> <li>简化字</li> <li>繁體字</li> </ul> <p>Whether you&rsquo;re using 1Password on your own, with your family, or for business, you’ll find that everything has been translated: pricing pages, account-related emails – everything in your account on 1Password.com. 
View every button, field name, email, and vault item in the language you choose.</p> <p>Many of the most popular articles on our support website have already been translated, and we continue to translate more every day. Our in-house customer support team is also multilingual, spread around the world, and growing fast. We&rsquo;re here to help you every day of the week.</p> <p>When you sign up, you&rsquo;ll get to pick your language right from the start, and you can always change it later.</p> <img src='https://blog.1password.com/posts/2018/localization/language-settings.png' alt='Changing preferred language at 1Password.com' title='Changing preferred language at 1Password.com' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>With an increasing number of businesses operating across multiple countries, it’s important to us that employees and team members everywhere can use 1Password in their native language. The easier it is for people to manage their security online, the more likely they are to make safe decisions, and that’s good news for everyone.</p></description></item><item><title>1Password X 1.10: Large Type, Watchtower, and easy two-factor authentication</title><link>https://blog.1password.com/1password-x-1.10-large-type-watchtower-and-easy-two-factor-authentication/</link><pubDate>Thu, 06 Sep 2018 00:00:00 +0000</pubDate><author>info@1password.com (Mitch Cohen)</author><guid>https://blog.1password.com/1password-x-1.10-large-type-watchtower-and-easy-two-factor-authentication/</guid><description> <img src='https://blog.1password.com/posts/2018/b5x1.10/header.png' class='webfeedsFeaturedVisual' alt='1Password X 1.10: Large Type, Watchtower, and easy two-factor authentication' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">New goodies abound, plus a treat for Linux users.</p> <p>1Password X is a 1Password experience that works entirely within your web browser, 
independent of a desktop app. It brings all the power of 1Password to <a href="https://chrome.google.com/webstore/detail/1password-%E2%80%93-password-mana/aeblfdkhhhdcdjpifhhbdiojplfjncoa?hl=en">Chrome</a> and <a href="https://addons.mozilla.org/en-US/firefox/addon/1password-x-password-manager/?src=search">Firefox</a>, and it works great on Linux, Mac, Windows, and Chrome OS.</p> <h2 id="whats-new-in-version-110">What&rsquo;s new in version 1.10</h2> <p>It&rsquo;s been an incredibly busy summer for the 1Password X team, starting with our <a href="#link">Independence Update</a> in July. September brings some of our <em>biggest</em> features yet — and we mean that literally.</p> <h3 id="large-type">Large Type</h3> <p>Large Type is a beloved feature in the 1Password apps, and it&rsquo;s made its way to 1Password X in style. Now you can make any of your passwords big and bold, so they&rsquo;re easy to copy and read. Beautiful, eh?? <img src='https://blog.1password.com/posts/2018/b5x1.10/large-type.png' alt='Large Type for a generated password' title='Large Type for a generated password' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> </p> <h3 id="watchtower">Watchtower</h3> <p>Watchtower helps you proactively identify breached passwords, so you can update them and stay secure. The Watchtower interface was completely redesigned for 1Password 7 for Mac, and we knew we had to include it in 1Password X as well. 
Watchtower integrates with the <a href="https://haveibeenpwned.com">haveibeenpwned.com</a> service to let you know if any of your passwords has been exposed in a data breach.</p> <img src='https://blog.1password.com/posts/2018/b5x1.10/watchtower.png' alt='Large Type for a generated password' title='Large Type for a generated password' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <h3 id="easy-two-factor-authentication-2fa">Easy two-factor authentication (2FA)</h3> <p>1Password X already filled authentication codes automatically, but now it can save them, too. You can scan QR codes directly from the 1Password X pop-up to add one-time passwords to your logins. It&rsquo;s the easiest way to use 1Password as an authenticator for sites that use two-factor authentication.</p> <img src='https://blog.1password.com/posts/2018/b5x1.10/2fa.png' alt='Scanning a QR code from the pop-up' title='Scanning a QR code from the pop-up' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <h2 id="1password-x--linux">1Password X ❤️ Linux</h2> <p>1Password X is a wonderful experience on your Mac or Windows PC, but we&rsquo;re especially proud of how well it works on Linux. To celebrate the release of version 1.10, we&rsquo;ve launched a new <a href="https://support.1password.com/explore/linux/">1Password on Linux showcase</a> which covers all the ways to enjoy your favourite password manager on your favourite OS. 😉</p> <p>We often hear from Linux users who are just finding out about 1Password X and our other offerings for Linux. If you use Linux on some computers but are on the fence about committing, then you&rsquo;ll love our new promotion. 
<a href="https://start.1password.com/signup/plan?&amp;c=SUDOSEC">Sign up</a> for a 1Password membership with promo code <strong>SUDOSEC</strong>, and you&rsquo;ll get 91 days free to discover how 1Password X can fit into your workflow.</p> <p>If your Linux box looks more like a <a href="https://1password.com/resources/guides/1password-for-chromebook/">Chromebook</a>, don&rsquo;t forget that 1Password X also plays well with Chrome OS.</p> <h2 id="get-1password-x-110">Get 1Password X 1.10</h2> <p><a href="https://app-updates.agilebits.com/product_history/B5X">Read the full changelog</a> to see everything that&rsquo;s new in 1Password X. If you already have 1Password X installed, you&rsquo;ll get the latest update automatically. If you haven&rsquo;t tried it yet and you have a 1Password account, there&rsquo;s never been a better time to try it out:</p> <ul> <li> <p><a href="https://addons.mozilla.org/en-US/firefox/addon/1password-x-password-manager/?src=search">Get 1Password X for Firefox</a></p> </li> <li> <p><a href="https://chrome.google.com/webstore/detail/1password-%E2%80%93-password-mana/aeblfdkhhhdcdjpifhhbdiojplfjncoa?hl=en">Get 1Password X for Chrome</a></p> </li> </ul> <p>Give it a go, and I think you&rsquo;ll quickly see why 1Password X has become my favourite way to use 1Password on the web. 
🙂</p></description></item><item><title>An open letter to banks</title><link>https://blog.1password.com/an-open-letter-to-banks/</link><pubDate>Tue, 28 Aug 2018 00:00:00 +0000</pubDate><author>info@1password.com (Megan O'Brien)</author><guid>https://blog.1password.com/an-open-letter-to-banks/</guid><description> <img src='https://blog.1password.com/posts/2018/open-letter-banks/header.png' class='webfeedsFeaturedVisual' alt='An open letter to banks' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Many banking sites impose password restrictions and security measures that do little to increase user security, while ultimately making it more difficult for users to rely on password managers to fill their complex passwords.</p> <p>These security measures include putting a limit on maximum <a href="https://1password.com/password-generator/">password length</a> and restricting the ability to paste passwords, with some banks claiming that having to memorize and enter your password regularly makes it more secure. For those of us who rely on 1Password (and other password managers) on a daily basis, this advice is cringe-worthy. Unfortunately, it’s really not all that uncommon in the banking world.</p> <p>We want to help users stay safe with all of their accounts and logins, including banking. The ultimate goal would be to work hand-in-hand with banks and other financial institutions, creating passwords that meet their strict rules, and then keeping those passwords safe.</p> <p>To help achieve that goal, I’ve written an open letter to banks and financial institutions everywhere to encourage them to take users’ security more seriously. 
I’m writing this not only as a member of the <a href="https://1password.com/teams/">1Password team</a> who deals with security issues on a daily basis, but also as a concerned customer who just wants simple and secure access to her data.</p> <blockquote> <p>Dear banks,</p> <p>I know you have my best interests at heart.</p> <p>I know you’ve worked hard to put “safeguards” in place (such as disabling pasting into password fields, obfuscating usernames, spreading the login process across multiple pages and using “please input the nth character of your password” fields) to thwart various types of attacks. But the truth is that these security measures are not actually helping your users. Do you know what would really help your users? <a href="https://support.1password.com/change-website-password/">Longer, random passwords</a>.</p> <p>Using long, random, and unique passwords is the best defense that we, your customers, have against attackers. This advice is true for every site we have to sign into these days, and believe me, we sign into a lot more than just our financial sites. Keeping 100 or so strong and unique passwords memorized is not only a silly suggestion, it’s nearly impossible. <a href="https://1password.com/password-manager/">Password managers</a> help increase security by remembering these unique passwords for us, keeping them stored securely, and filling them in on websites so we don’t have to.</p> <p>Many of the “security measures” you have in place serve only to make it more difficult for those of us who rely on password managers. <strong>Password managers are not your enemy here</strong>. In fact, encouraging the use of trusted password managers will do more for your users’ security than any of the measures you currently have in place.</p> <p>You have an awesome opportunity here. Take the time to educate your users on the value of true security. Encourage users to adopt long, random, and unique passwords that never need to be stored in their brains. 
Make it easy for password managers to store and fill these secure passwords for your users in web browsers and mobile apps.</p> <p>Now, it just so happens that there are a couple of very simple ways you can give your users easy access to their banking data in your mobile apps. We’ve written an <a href="https://github.com/AgileBits/onepassword-app-extension">App Extension API</a> that can be added to your iOS app in <a href="https://github.com/AgileBits/onepassword-app-extension#step-1-download-the-source-code-and-sample-apps">3 easy steps</a>. The app extension will allow users to select their password manager of choice and fill their complex passwords into your form, with no typing required.</p> <p>And with iOS 12, Apple is also introducing support for passwords in their QuickType Bar which will make filling passwords even easier. If you haven’t yet done so, make sure you’ve <a href="https://developer.apple.com/documentation/xcode/supporting-associated-domains?language=objc">added an associated domain</a> to your app and website so that Password <a href="https://1password.com/features/autofill/">AutoFill</a> can show the best possible matches in the QuickType Bar.</p> <p>1Password has been giving people control over passwords for over a decade, and it truly is a wonderful thing. We’ve been advocating for stronger, safer passwords for years, and we’d be so happy if you stood with us.</p> <p>For now, passwords are a necessary evil. Remembering them shouldn’t have to be.</p> <p>Please help us increase awareness of online security. Your users will be ever-so-grateful that you are taking their security seriously, and you’ll be making their lives a lot simpler too.</p> <p>Signed,</p> <p>A hopeful user.</p> </blockquote> <p>The good news is that some banks, like TD Canada, are already beginning to take strides that will allow them to integrate with password managers and even let users copy and paste in the password screen. 
These banks have a great opportunity here to set the standard for banking apps and give other financial institutions a secure example to follow. I’m excited to see what they come out with!</p> <p>If you believe that banks should <a href="https://github.com/AgileBits/onepassword-app-extension">add 1Password (and other password managers) integration</a> to their iOS apps, please consider sharing this open letter with your bank or other financial institution! #BanksNeed1Password</p> <p>Want to keep your bank passwords and financial institution logins safe and secure? Sign up and get started with 1Password today!</p></description></item><item><title>1Password 7 for Android: The Best Ever</title><link>https://blog.1password.com/1password-7-for-android-the-best-ever/</link><pubDate>Wed, 22 Aug 2018 00:00:00 +0000</pubDate><author>info@1password.com (Michael Verde)</author><guid>https://blog.1password.com/1password-7-for-android-the-best-ever/</guid><description> <img src='https://blog.1password.com/posts/2018/opa7.0/header.png' class='webfeedsFeaturedVisual' alt='1Password 7 for Android: The Best Ever' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">We recently launched massive updates to 1Password on both Mac and Windows. Today, I’m thrilled to reveal that 1Password is getting a bold new update on the Android platform as well.</p> <p>1Password 7 blends the best features of 1Password with the unique style of Android to deliver the best possible experience for managing your vaults on the go. We started with a design overhaul of the screens you use the most and then packed in some great new functionality to make it easier to access and update your data. 
On top of the added convenience, we’ve also made it easier to up your security game with some fantastic features I know you’re going to love.</p> <h2 id="lock-it-down">Lock it down</h2> <p>Let’s start by diving into the first thing that you’ll notice after updating to 1Password 7: the fresh new design. You’ll be greeted with a shiny new lock screen standing guard over your data.</p> <img src='https://blog.1password.com/posts/2018/opa7.0/lock-screen.png' alt='New 1Password lock screen design' title='New 1Password lock screen design' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>Not only does this new design pay homage to the strength of the protections around your data, but it also includes a delightful animation for those times when you mistype your Master Password. Just try not to get too distracted playing around with it! 😉</p> <h2 id="see-more-do-more">See more, do more</h2> <p>After you’ve unlocked 1Password, your items will meet your eye in a cleaner format that’s designed to make it easier to find what you’re looking for at a glance.</p> <img src='https://blog.1password.com/posts/2018/opa7.0/item-list.png' alt='List of items in 1Password 7' title='List of items in 1Password 7' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>And this beauty comes with power, as you can now perform actions on more than one item at once. Starting with a long press, you can select multiple items from your list and mark them as favourite, copy them to another vault, or delete them.</p> <img src='https://blog.1password.com/posts/2018/opa7.0/multi-select.png' alt='Selecting multiple items from list' title='Selecting multiple items from list' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>When it’s time to switch to a different view of your items, the new bottom navigation makes it quicker and easier than ever. 
Favourites, Categories, and Tags are all within a single tap’s reach.</p> <img src='https://blog.1password.com/posts/2018/opa7.0/bottom-navigation.png' alt='New bottom navigation bar' title='New bottom navigation bar' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>If you’re rocking multiple vaults with your 1Password membership, you can easily see which vault you currently have selected with the vault indicator at the top left.</p> <img src='https://blog.1password.com/posts/2018/opa7.0/vault-icon.png' alt='Active vault icon displays in toolbar' title='Active vault icon displays in toolbar' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>Tapping on that icon reveals the updated vault switcher, allowing you to quickly switch between vaults with only a couple of taps.</p> <img src='https://blog.1password.com/posts/2018/opa7.0/vault-switcher.png' alt='Vault switcher shown in navigation drawer' title='Vault switcher shown in navigation drawer' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <h2 id="its-all-in-the-details">It’s all in the details</h2> <p>When you decide to view one of your items, you’ll see that we’re presenting those details in a whole new light too! We’ve updated the item detail view to highlight the most important details of your item, while organizing any additional information in an easily readable format.</p> <img src='https://blog.1password.com/posts/2018/opa7.0/item-details.png' alt='Item details for Google account' title='Item details for Google account' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>Of course, we went way beyond skin-deep changes too. You can switch into edit mode and customize your item to include additional sections and fields. This is great for adding security questions and other important details that you need to remember. 
Better yet, you can now use the built-in QR code scanner to add one-time passwords to your Logins to enhance the security of your accounts.</p> <img src='https://blog.1password.com/posts/2018/opa7.0/edit-mode-2fa.png' alt='Editing item details for Google account' title='Editing item details for Google account' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <h2 id="staying-alert">Staying alert</h2> <p>I’m thrilled to say that Watchtower is now an integral part of <a href="https://1password.com/downloads/android/">1Password 7 on Android</a>. Whether it’s compromised logins, vulnerable passwords, or even items that are expired or expiring soon, we’ve got you covered. A banner will display above your item details whenever there is a Watchtower alert, providing you with the necessary details and guiding you on any actions that you should take.</p> <img src='https://blog.1password.com/posts/2018/opa7.0/watchtower-vulnerable-password.png' alt='Watchtower warning that password for Evernote account has compromised in a data breach' title='Watchtower warning that password for Evernote account has compromised in a data breach' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <h2 id="smart-passwords">Smart passwords</h2> <p>When it comes time to choose a new password or update an existing one, the new and improved <a href="https://1password.com/password-generator/">Strong Password Generator</a> will help you create exactly the right one for your needs. The memorable password recipe is great for passwords that you’ll need to type out or read aloud over the phone. The PIN Code recipe will help you with bank cards or memberships that limit you to only using digits. And for everything else, you can choose random password to get the strongest possible password. 
In each case, the Strong Password Generator provides you with convenient options for tweaking the passwords as you see fit.</p> <img src='https://blog.1password.com/posts/2018/opa7.0/strong-password-generator.png' alt='Strong Password Generator creating a word-based password' title='Strong Password Generator creating a word-based password' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <h2 id="document-all-the-things">Document all the things</h2> <p>With 1Password memberships, you can use Document items to store important files for insurance, wills, taxes or anything else you might want to keep secure. 1Password 7 makes it even easier to do so by allowing you to upload files directly from your Android device. Grab a photo from your camera roll, a PDF from Google Drive, or just about anything else that you can think of.</p> <h2 id="and-much-more">And much more</h2> <ul> <li>Fresh welcome and setup screen designs</li> <li>New setup flow helps you get started with Fingerprint Unlock and <a href="https://1password.com/features/autofill/">Autofill</a></li> <li>Use Autofill with 1Password in the <a href="https://play.google.com/store/apps/details?id=com.duckduckgo.mobile.android">DuckDuckGo</a> and <a href="https://play.google.com/store/apps/details?id=com.brave.browser">Brave</a> browsers</li> <li>Categories are now sorted with the most commonly used categories at the top</li> <li>OPVault is the default format for both Dropbox and local storage sync</li> <li>Use multiple URLs with Login items for a better filling experience</li> </ul> <h2 id="how-do-i-get-it">How do I get it?</h2> <p>1Password 7 is available on Google Play as a free update for devices running Android 5 or later. If you’ve got automatic updates enabled (and we recommend that you do), you don’t need to do anything to receive this latest and greatest version of 1Password. 
Otherwise, head on over to Google Play and click that update button:</p> <p><a href="https://play.google.com/store/apps/details?id=com.onepassword.android">Download 1Password 7</a></p> <p>Don&rsquo;t worry if the update doesn&rsquo;t show up right away for you. We&rsquo;re rolling it out to all of our customers over the next few days.</p> <p>I hope you enjoy 1Password 7 as much as we enjoyed making it for you! We couldn’t have done it without your help.</p> <p>Please join us in our discussion forums or on Twitter to share your experiences with us and help craft the future of 1Password. We always love hearing from you.</p></description></item><item><title>A 1Password Journey Through SOC2</title><link>https://blog.1password.com/a-1password-journey-through-soc2/</link><pubDate>Thu, 09 Aug 2018 00:00:00 +0000</pubDate><author>info@1password.com (Pilar García)</author><guid>https://blog.1password.com/a-1password-journey-through-soc2/</guid><description> <img src='https://blog.1password.com/posts/2018/socannouncement/header.png' class='webfeedsFeaturedVisual' alt='A 1Password Journey Through SOC2' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">A while ago, we decided it was time for 1Password to become SOC2 certified&hellip; Don&rsquo;t worry, we aren&rsquo;t designing socks. Protecting customers’ data has always been our highest priority, and this certification is one more way we can attest to that.</p> <p>SOC stands for Service and Organization Controls, a family of certifications related to others you might have heard of like ISO or FedRAMP. While there are SOC1, SOC2 and SOC3 the one relevant to 1Password is SOC2. 
Being <a href="https://1password.com/soc/">SOC2 certified</a> means that we&rsquo;ve demonstrated that we follow best practices for Security and Availability.</p> <img src='https://blog.1password.com/posts/2018/socannouncement/SOC-seal.png' alt='SOC Seal' title='SOC Seal' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>Security in this case is not about our encryption, which we all know is the best out there. 😉 In the world of SOC2, Security ensures that we have—and follow—processes and policies that keep 1Password secure from all angles: everything from the way we train our employees to how the software is developed. Availability means, you guessed it, that 1Password will be working whenever you need it to.</p> <p>Demonstrating our commitment to security and availability sounded like an easy task, but as we went through the process we discovered there was much more to it. We created a <a href="https://1password.com/teams/">1Password Team</a> account to help with the process, using it to communicate securely with the auditors and store all our documentation. The whole process took about a year and a half, and we couldn&rsquo;t have done it without 1Password.</p> <h2 id="how-we-used-1password-to-certify-1password">How we used 1Password to certify 1Password</h2> <p>There are two types of SOC2: Type 1 certifies that you have policies in place, while Type 2 verifies that you follow them. And because we always aim high, we set out to do both.</p> <p>To start, we ensured that we had policies and procedures in place. For example, we&rsquo;ve always had security training for 1Password employees, but now we have a new policy for annual training for everyone in the company. This stage took several months, but by the end, we had quite a few documents that needed to be shared among the SOC2 team. 
To do this easily and securely, we used the Shared vault in our Team account.</p> <p>To meet the requirements of Type 2, we had to demonstrate that we could enforce our policies during a period of six months. Thanks to our awesome employees, that was never much of a challenge. Everyone received security training in January as promised. To demonstrate our compliance, we produced dozens of documents: everything from spreadsheets, screenshots, PDFs, quick notes&hellip; We not only had to share these with auditors, we also had to track the changes that had been made since Type 1.</p> <p>Thankfully 1Password made it easy. With a few clicks, we created an additional vault for all the new documents and shared it. As the auditors provided feedback, we were able to update those documents and keep track of previous changes using item history. Each item keeps track of who made changes and when, so there was a built-in audit trail.</p> <p>To stay organized, we used tags that allowed us to categorize, then find, items of each kind. The tag &ldquo;Updated&rdquo; immediately showed us documents that had to be adjusted. With a click on the &ldquo;From Auditors&rdquo; tag, we could see all those items uploaded by the auditors, while &ldquo;From AgileBits&rdquo; gave us all those that we uploaded.</p> <p>Every item in 1Password has a field for notes. These notes helped us communicate details that didn&rsquo;t belong in the document or title. We recorded things like: what we last updated, related items, exceptions made in the documents, and more.</p> <img src='https://blog.1password.com/posts/2018/socannouncement/item-notes.png' alt='1Password items with SOC related notes' title='1Password items with SOC related notes' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <h2 id="what-we-learned">What we learned</h2> <p>Security in general, and SOC2 in particular, aren&rsquo;t things that you do once and then forget about. 
We have not finished keeping 1Password secure and available because this year&rsquo;s SOC2 audit is complete. The next time around, we&rsquo;ll know exactly what we&rsquo;re doing and 1Password will be there to help us one more time.</p></description></item><item><title>1Password X 1.8: The Independence Update for Chrome and Firefox</title><link>https://blog.1password.com/1password-x-1.8-the-independence-update-for-chrome-and-firefox/</link><pubDate>Thu, 28 Jun 2018 00:00:00 +0000</pubDate><author>info@1password.com (Dave Teare)</author><guid>https://blog.1password.com/1password-x-1.8-the-independence-update-for-chrome-and-firefox/</guid><description> <img src='https://blog.1password.com/posts/2018/b5x1.8/header.png' class='webfeedsFeaturedVisual' alt='1Password X 1.8: The Independence Update for Chrome and Firefox' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">A massive release with credit card and two-factor authentication code filling, password generator history, and a whole lot more.</p> <p>What is 1Password X? It&rsquo;s a 1Password experience that works entirely within your web browser, independent of a desktop app. It brings all the power of 1Password to <a href="https://chrome.google.com/webstore/detail/1password-%E2%80%93-password-mana/aeblfdkhhhdcdjpifhhbdiojplfjncoa?hl=en">Chrome</a> and <a href="https://addons.mozilla.org/en-US/firefox/addon/1password-x-password-manager/?src=search">Firefox</a>, and it works great on Linux, Mac, Windows, and Chrome OS.</p> <img src='https://blog.1password.com/posts/2018/b5x1.8/1password-x-on-chrome-os-pixel-book.png' alt='1Password X on a Pixelbook running Chrome OS' title='1Password X on a Pixelbook running Chrome OS' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>With today&rsquo;s release, we&rsquo;re closer than ever to realizing our dream of independence. 
In fact, there&rsquo;s more than enough in this release to call it 2.0, but seeing that 1Password X is evergreen software, we decided to cut out the version inflation and go with a good ol&rsquo; name. 🙂</p> <p>Just in time for Canada Day and July 4th, let me introduce you to 1Password X: The Independence Update. 🇨🇦🇺🇸🎆</p> <h2 id="redesigned-on-page-experience">Redesigned on-page experience</h2> <p>The signature feature of 1Password X is direct integration with webpages. It&rsquo;s what people love the most, and in the Independence Update we made it even better.</p> <p>1Password X is now smarter, more proactive, and more helpful. It&rsquo;s powered by on-device machine learning and makes the right suggestions as you browse the web.</p> <h3 id="guided-sign-up">Guided sign up</h3> <p>1Password will now help you sign up for new accounts on websites. It will offer to fill in your name and email address, and then it will suggest a strong password automatically. You can fill in an entire sign-up form without typing a single letter.</p> <img src='https://blog.1password.com/posts/2018/b5x1.8/evernote-signup-use-suggested-password.png' alt='Creating an Evernote account using a Suggested Password' title='Creating an Evernote account using a Suggested Password' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <h3 id="credit-cards-and-addresses">Credit Cards and Addresses</h3> <p>1Password is now able to detect when you need to enter a credit card, address, or telephone number and will automatically suggest items from your vaults.</p> <img src='https://blog.1password.com/posts/2018/b5x1.8/add-credit-card-at-amazon.png' alt='Adding a credit card form on Amazon with 1Password X suggesting cards to fill' title='Adding a credit card form on Amazon with 1Password X suggesting cards to fill' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <h3 id="one-time-password-filling">One-time password filling</h3> <p>If your 
logins have two-factor authentication set up, 1Password will detect when your code is required and offer to fill it for you. It&rsquo;s really magical! 🧙‍♂️</p> <img src='https://blog.1password.com/posts/2018/b5x1.8/autofill-two-factor-auth-on-github.png' alt='Automatically filling one-time password two-factor authentication on GitHub' title='Automatically filling one-time password two-factor authentication on GitHub' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <h3 id="automatic-multi-step-filling">Automatic multi-step filling</h3> <p>If a website requires you to sign in across multiple pages, you just need to fill once and 1Password will automatically take care of the rest. It will even fill two-factor authentication codes without you lifting a finger. It&rsquo;s <em>extra</em> magical! 🧙‍♀️</p> <p> <video class="round shadow" style="display: block; margin: auto; padding: 0;" autoplay='true' muted='true' loop="loop" playsinline="" width="100%" alt='1Password automatically filling a login across multiple sign-in pages' controls> <source src="https://blog.1password.com/posts/2018/b5x1.8/multi-step-filling.mp4" type="video/mp4" /> </video> </p> <h3 id="guided-password-changes">Guided password changes</h3> <p>1Password also helps you out when you need to change your password on a site: it fills your existing password, offers a new one, and then prompts you to update your login item. 
It&rsquo;s really convenient.</p> <img src='https://blog.1password.com/posts/2018/b5x1.8/change-password-on-evernote-with-suggested-password.png' alt='Change password on Evernote with 1Password X automatically suggesting a new password' title='Change password on Evernote with 1Password X automatically suggesting a new password' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <h2 id="password-generator">Password Generator</h2> <p>In the Independence Update we&rsquo;ve made the <a href="https://1password.com/password-generator/">password generator</a> smarter and more helpful. It now remembers the last settings you used as well as your settings per recipe, so you can customize your passwords to your heart&rsquo;s content.</p> <img src='https://blog.1password.com/posts/2018/b5x1.8/generate-password.png' alt='Generating a strong, unique password with 1Password X' title='Generating a strong, unique password with 1Password X' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>But the fireworks really go off when you see the new Generator History. Now whenever you fill or copy a password from the Password Generator, it will be recorded in your encrypted Generator History. 
This way you&rsquo;ll be able to retrieve your password later, even if you didn&rsquo;t save it.</p> <img src='https://blog.1password.com/posts/2018/b5x1.8/password-generator-history.png' alt='Generator History in the Strong Password Generator' title='Generator History in the Strong Password Generator' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <h2 id="lighting-up-the-sky-">Lighting up the sky 🎇</h2> <p>The Independence Update has over 100 new features and changes to wow and delight and amaze the crowd:</p> <h3 id="markdown">Markdown</h3> <p>Add rich text formatting to your notes with our new Markdown support.</p> <img src='https://blog.1password.com/posts/2018/b5x1.8/secure-note-markdown.png' alt='A Secure Note with rich text formatting using Markdown' title='A Secure Note with rich text formatting using Markdown' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <h3 id="amazing-icons">Amazing icons</h3> <p>We&rsquo;ve made a ton of changes to icons! Your credit cards will now have different icons depending on their type. You&rsquo;ll see any custom icons that you have on your items. And logins without a rich icon will have a beautiful monogram of their initials that matches the beauty in 1Password 7 for Mac.</p> <img src='https://blog.1password.com/posts/2018/b5x1.8/fancy-fave-icons.png' alt='1Password X toolbar popup showing favourite logins along with their fancy new icons' title='1Password X toolbar popup showing favourite logins along with their fancy new icons' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <h3 id="better-dark-theme-support">Better dark theme support</h3> <p>Our toolbar icon now looks great in dark browser themes and Incognito windows. 
And on top of that you can even choose between colour and monochrome in Settings.</p> <img src='https://blog.1password.com/posts/2018/b5x1.8/incognito-mode.png' alt='The dark Incognito theme sporting the new coloured 1Password X icon' title='The dark Incognito theme sporting the new coloured 1Password X icon' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <h3 id="and-so-so-much-more">And so so much more</h3> <p>You can <a href="https://app-updates.agilebits.com/product_history/B5X">read the full changelog</a> for all the details but here are a few more of my favourites:</p> <ul> <li>Added language support for Korean, Portuguese, and Traditional Chinese.</li> <li>You can now select a default account for saving new items.</li> <li>Your favourites now have stars next to them everywhere they appear.</li> <li>Added support to fill one-time passwords that are split across multiple fields. E.g. wealthsimple.com.</li> <li>Better support for <a href="https://1password.com/resources/guides/1password-for-firefox/">Firefox</a> fingerprinting resistance and privacy settings, including <a href="https://wiki.mozilla.org/Security/Fingerprinting">privacy.resistFingerprinting</a>.</li> <li>Your password generator settings now remain persistent over restarts.</li> <li>1Password uses machine learning to fill login forms more accurately.</li> <li>The inline menu appears in more fields automatically, e.g. username fields that don&rsquo;t have an accompanying password field.</li> <li>Added options to the inline menu to switch between item types.</li> </ul> <p>The Independence Update is available today for Chrome and Firefox. If you already have 1Password X installed, you&rsquo;ll get this update automatically. 
If you haven&rsquo;t tried it yet and you have a 1Password account, there&rsquo;s never been a better time to try it out:</p> <p><a href="https://addons.mozilla.org/en-US/firefox/addon/1password-x-password-manager/?src=search">Get 1Password X for Firefox</a></p> <p><a href="https://chrome.google.com/webstore/detail/1password-%E2%80%93-password-mana/aeblfdkhhhdcdjpifhhbdiojplfjncoa?hl=en">Get 1Password X for Chrome</a></p> <p>Give it a go and I think you&rsquo;ll quickly see why 1Password X has become my favourite way to use 1Password on the web. 🙂</p></description></item><item><title>Make a Pitstop in Denver and visit 1Password at GopherCon</title><link>https://blog.1password.com/make-a-pitstop-in-denver-and-visit-1password-at-gophercon/</link><pubDate>Wed, 27 Jun 2018 00:00:00 +0000</pubDate><author>info@1password.com (Will Moore)</author><guid>https://blog.1password.com/make-a-pitstop-in-denver-and-visit-1password-at-gophercon/</guid><description> <img src='https://blog.1password.com/posts/2018/gophercon/header.png' class='webfeedsFeaturedVisual' alt='Make a Pitstop in Denver and visit 1Password at GopherCon' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Each year, a bunch of us make the annual pilgrimage to <a href="https://www.gophercon.com/">GopherCon</a>, the largest and most well attended <a href="https://go.dev/">Go</a> developer conference in the world.</p> <p>We take in the sights Denver has to offer, get the best coffee around from <a href="https://www.littleowlcoffee.com/">Denver Little Owl Coffee</a> (If you think there’s better, please <a href="https://twitter.com/1Password">tweet</a> us 😉), and most importantly learn all about the miraculous things people are creating with Golang.</p> <p>This year things will be even more special as we are the headline sponsor of GopherCon 2018!</p> <p>The GopherCon organizers have some amazing things planned this year, with the racing theme in full effect. 
As this is our first time sponsoring, make sure you visit the 1Password Pitstop while attending the conference!</p> <img src='https://blog.1password.com/posts/2018/gophercon/pitstop.png' alt='1Password Pitstop Gophers' title='1Password Pitstop Gophers' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <h2 id="visit-the-1password-pitstop">Visit the 1Password Pitstop</h2> <p>If you are attending GopherCon, come and get a checkup from our expert Passwordologists at the 1Password Pitstop, and find out the best ways to secure your business and family online. We also love to hear from customers already using 1Password, so do come on over and chat about your favourite 1Password productivity features.</p> <p>Our Pitstop will have lots of surprises, and if you come by, you’ll get the chance to meet some of the amazing people behind 1Password. It’s a great opportunity to talk shop and maybe even pick up some stickers to pimp your ride and add some bling to your device!</p> <h2 id="1password-and-go">1Password and Go</h2> <p>We use Go all over the place at 1Password!</p> <p>Every 1Password account relies on our Go servers. Making everything work together is no easy feat, and so we needed a strong (and fast!) language like Go to create the backbone that connects all our apps together. We also use <a href="https://gohugo.io/">Hugo</a> for many of our websites.</p> <p>Sharing code between our six different apps across six platforms helps us provide a consistent experience and minimize bugs. Our filling engine “The Brain”, our new password generator, and a host of other features are already built in Go. Our command-line tool is also built entirely in Go.</p> <p>For more sneak peeks of the exclusive 1Password GopherCon shirt and the 1Password Pitstop, follow us on <a href="https://twitter.com/1password">Twitter</a>. 
If you are in Denver between August 27th – 30th, I really hope to have the chance to meet you in person at the conference!</p></description></item><item><title>Watchtower: we shall fight on the breaches</title><link>https://blog.1password.com/watchtower-we-shall-fight-on-the-breaches/</link><pubDate>Mon, 25 Jun 2018 00:00:00 +0000</pubDate><author>info@1password.com (Rick Fillion)</author><guid>https://blog.1password.com/watchtower-we-shall-fight-on-the-breaches/</guid><description> <img src='https://blog.1password.com/posts/2018/b5-wt-hibp/header.png' class='webfeedsFeaturedVisual' alt='Watchtower: we shall fight on the breaches' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">1Password’s Watchtower service has been helping users identify accounts that have been affected by breaches for years. Today we’re proud to announce an enhancement to how 1Password finds and identifies breached accounts.</p> <p>1Password can now use <a href="https://haveibeenpwned.com/">Have I Been Pwned</a> to find accounts that have been compromised based on the email address associated with the account. 
It can even do this without needing to share your email address with anybody.</p> <p>Before we dive in to learn about the details, take a look at the awesome work Matt and Jasper did to bring this to life.</p> <div style="text-align: center !important;"> <iframe src="https://www.youtube-nocookie.com/embed/VKW7f5oI9X4" frameborder="0" allow="autoplay; encrypted-media" width="500px !important;" height="281px !important;" style="width: 500px !important; height: 281px !important; display: inline-block !important" allowfullscreen></iframe> </div> <h2 id="breach-report">Breach Report</h2> <p>There’s actually a fair amount to unpack here, and it’s difficult to see detail on a video, so let’s break down the <a href="https://1password.com/business/domain-breach-report/">breach report</a> in screenshot form.</p> <img src='https://blog.1password.com/posts/2018/b5-wt-hibp/watchtower-data-found.png' alt='Breach Report' title='Breach Report' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>The Breach Report is split into three sections.</p> <p>The top most section is a list of websites where an account with your email address has been identified as having been compromised, but you don’t have any information about this website in 1Password.</p> <p>That’s amazingly powerful as 1Password can help you identify breaches that impact you without you having actually added information to 1Password. In this case, you’re going to want to generate a unique strong password for that website, and while you’re at it you should consider adding it to 1Password.</p> <p>If it’s a website for which you have no interest in having an account, you should delete the account as opposed to ignore it. Accounts often have additional data, such as a mailing address or maybe a phone number. 
You should be protecting that private information, and thanks to excellent pieces of legislation like the GDPR most websites have a way to request permanent deletion of your data.</p> <p>The second section lists breached websites for which you’ve got an item in 1Password, but 1Password suspects that password to be compromised. You’ll definitely want to create a new password for that website.</p> <p>The last section lists breaches for which you’ve got an item in 1Password, but you’ve already updated the password so there’s nothing more to do.</p> <h2 id="how-does-it-work">How Does It Work?</h2> <p>The Breach Report is based on a new service provided by <a href="https://haveibeenpwned.com/">Have I Been Pwned</a> which allows 1Password to query for compromised accounts based on an email address. 1Password can achieve this without needing to share the email address with <a href="https://1password.com/haveibeenpwned/">Have I Been Pwned</a> because this new service functions much like its Pwned Passwords service, and uses the same <a href="https://en.wikipedia.org/wiki/K-anonymity">K-anonymity</a> model. This model allows 1Password to work with Have I Been Pwned to find breaches without needing to share sensitive information with Have I Been Pwned. Let’s take a look at how that works…</p> <p>Have I Been Pwned has a database with over 5 billion compromised accounts obtained from the various data breaches around the internet over the last few years. This database contains the email address associated with the account as well as a SHA-1 hash of the password that was compromised. 
The new service allows 1Password to look up entries in that database based on the email address.</p> <img src='https://blog.1password.com/posts/2018/b5-wt-hibp/rick-email-hash.png' alt='Email Hash Illustration' title='Email Hash Illustration' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>In order to perform a lookup, 1Password takes the email address associated with your account, and hashes that using SHA-1. Sending that full SHA-1 hash to the server would provide too much information and could allow someone to reconstruct your email address. Just like the Pwned Passwords service, this new service only requires the first few characters of the hash, six to be precise.</p> <p>Similarly to Pwned Passwords, the process is completed within 1Password itself. Have I Been Pwned sends 1Password a list of possible matches based on the start of the hash that was sent, and 1Password needs to complete the search by looking for exact matches with the full hash that was created in the first step.</p> <h2 id="bringing-you-more-info-on-compromised-logins">Bringing You More Info On Compromised Logins</h2> <p>When viewing items in the Compromised Logins section of <a href="https://watchtower.1password.com/">Watchtower</a>, you may notice that some of them have a slightly different banner at the top and include a “More Info” link.</p> <img src='https://blog.1password.com/posts/2018/b5-wt-hibp/watchtower-notification.png' alt='Watchtower Notification Banner' title='Watchtower Notification Banner' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>Clicking it will bring up a panel with some information about the breach, letting you know what information in that account was made available.</p> <img src='https://blog.1password.com/posts/2018/b5-wt-hibp/wendy-breachinfo.png' alt='Breach Info' title='Breach Info' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>This was made possible 
with the additional breach information that is provided by Have I Been Pwned.</p> <p>Run, don’t walk, to change the password associated with this Login. And also change the password for any other Login item you might have that happens to share that password (you’re using strong unique passwords everywhere, right?).</p> <h2 id="taking-watchtower-further">Taking Watchtower Further</h2> <p>Have I Been Pwned allows us to push Watchtower further and do more to keep you safe online. The k-anonymity model used in both this service as well as Pwned Passwords ensures that your privacy is respected, which is incredibly important to us. We’re thrilled to be one of the first services using Have I Been Pwned in this way.</p> <p>You can try it today by using Watchtower on 1Password.com, and we’re looking forward to bringing this feature to all of our apps.</p> <p>Thank you Troy for building an excellent service that makes this feature possible.</p></description></item><item><title>WWDC18: Presents from Apple</title><link>https://blog.1password.com/wwdc18-presents-from-apple/</link><pubDate>Thu, 07 Jun 2018 00:00:00 +0000</pubDate><author>info@1password.com (Michael Fey)</author><guid>https://blog.1password.com/wwdc18-presents-from-apple/</guid><description> <img src='https://blog.1password.com/posts/2018/wwdc18/header.png' class='webfeedsFeaturedVisual' alt='WWDC18: Presents from Apple' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Hello everyone! It’s WWDC week and a large portion of the 1Password development team is here in San Jose basking in the glow of this year’s Apple’s Worldwide Developer Conference. For me it’s my first time coming to WWDC since it was last held in San Francisco two years ago, and I absolutely love it. The conference center itself is gorgeous, and the surrounding area is wonderful. 
Somehow I’m finding it easier to run into folks I know, and I’ve already caught up with a bunch of old friends and made a number of new ones since I’ve arrived.</p> <p>WWDC is much more than a place for me to stretch the wings of my social butterfly tendencies, however; it’s all about new tech, and boy oh boy did Apple hook us up this year. Many of us are already rocking iOS 12 and macOS Mojave on our main devices and computers and they are awesome. Not only that, but 1Password is running quite happily on iOS 12 and needs just a couple small tweaks on macOS Mojave.</p> <h2 id="ios-12-and-password-autofill">iOS 12 and Password Autofill</h2> <p>On Monday afternoon, during Apple’s Platform State of the Union I sat down with my teammate Rudy and jumped into Apple’s newly announced <a href="https://1password.com/features/autofill/">Password Autofill</a> API. By the time we were ready to grab some dinner we had a <a href="https://twitter.com/1Password/status/1003824297725460481">tweet-worthy</a> demo all done:</p> <div class="tweet"> <img src="https://blog.1password.com/img/icons/twitter.svg" alt="@1Password tweet" /> <p> What a wonderful present for us at WWDC this year! Thank you to all our friends at Apple for this great new API. <a href="https://twitter.com/hashtag/1PasswordAutofill?src=hash">#1PasswordAutofill</a> - <span>@1Password</span> <a href="http://twitter.com/user/status/1003824297725460481" title="@1Password" class="view-tweet" target="_blank" rel="noopener">View tweet</a> </p> </div> <p>This new capability is transformational in our ability to integrate with iOS. Starting in the next version of iOS, 1Password will be able to fill your credentials into every app that has opted into the <a href="https://developer.apple.com/documentation/security/password_autofill/">Password Autofill</a> functionality that Apple introduced with iOS 11 last year. 
</p> <h2 id="macos-mojave-and-dark-mode">macOS Mojave and Dark Mode</h2> <p>After our incredibly successful launch of 1Password 7 a few weeks ago we’ve been waiting to see what Apple had in store for the Mac. On Monday we got our first glimpse of dark mode in macOS Mojave, which of course left our designer Dan itching to get back to his computer to start playing. Since then the mockups have been flowing like water:</p> <img src='https://blog.1password.com/posts/2018/wwdc18/opm7-dark.png' alt='Locked 1Password 7 for Mac in dark mode' title='Locked 1Password 7 for Mac in dark mode' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <h2 id="privacy-and-security">Privacy and Security</h2> <p>Apple’s dedication to privacy and security is legendary, and this year they introduced a whole host of new tools to help keep your computer safe. The biggest ones that we’re excited about are system integrity protection (SIP) for apps and notarized apps.</p> <p>Apple’s documentation gives a concise definition of SIP at a high level:</p> <blockquote> <p>System Integrity Protection is a security technology in OS X El Capitan and later that’s designed to help prevent potentially malicious software from modifying protected files and folders on your Mac.</p> </blockquote> <p>SIP for apps allows us to opt in to these same protections for the 1Password app binary that resides on your computer. It gives you (and us!) peace of mind knowing that the app we built and shipped is the one running on your computer.</p> <p>Notarized apps are the other thing that we’re really excited about. Apple is standing up a new service for developers where they can submit their app prior to release. The service will check the app, verify that it’s free of malware, and issue a certificate that will be “stapled” to the app. This certificate is then used by your Mac to verify that the version of 1Password you’re using has been screened and approved as being free of malware. 
Coupled with SIP, these two new technologies are going to be great for all apps, and 1Password in particular.</p> <h2 id="wrapping-it-up">Wrapping it Up</h2> <p>While I can’t comment on rumor or speculation, you could use our previous track record to reasonably conclude that when iOS 12 and macOS Mojave ship later this year we’ll be there, on day one, with full support for both. In the meantime, make sure you <a href="https://support.1password.com/betas/?ios">sign up for the iOS beta</a>, and opt-in to the betas of <a href="https://1password.com/mac/">1Password for Mac</a> in Preferences:</p> <img src='https://blog.1password.com/posts/2018/wwdc18/opm7-beta-preferences.png' alt='Locked 1Password 7 for Mac in dark mode' title='Locked 1Password 7 for Mac in dark mode' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>How about you? What was your favorite announcement from WWDC this year? Sound off in the comments below, I’d love to chat about it with you.</p></description></item><item><title>1Password 7 for Windows: The Best Ever</title><link>https://blog.1password.com/1password-7-for-windows-the-best-ever/</link><pubDate>Tue, 29 May 2018 00:00:00 +0000</pubDate><author>info@1password.com (Dave Teare)</author><guid>https://blog.1password.com/1password-7-for-windows-the-best-ever/</guid><description> <img src='https://blog.1password.com/posts/2018/opw7.0/header.png' class='webfeedsFeaturedVisual' alt='1Password 7 for Windows: The Best Ever' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Hot on the heels of <a href="https://blog.1password.com/1password-7-for-mac-the-best-ever/">last week&rsquo;s 1Password 7 for Mac announcement</a>, I&rsquo;m pleased as punch to unveil the best version of 1Password for Windows ever: <strong>1Password 7 for Windows is here!</strong> 🎉 👏</p> <p>This is a massive release where quite literally everything has changed. 
Seriously, every bit and every pixel has been recreated from scratch using the latest and greatest technologies to make 1Password the best it can be.</p> <p>From an incredible new design to having all your vaults in one place to a whole new architecture, 1Password 7 is the fastest, prettiest, and most powerful version of 1Password yet. In short, it&rsquo;s simply the best. A bold claim but thankfully we can back it up. 😎</p> <h2 id="all-new-modern-design">All new modern design</h2> <p>Our design team has been working their tails off reimagining every aspect of 1Password. We wanted to make it as powerful and beautiful as the Mac app while staying true to the Windows platform.</p> <p>It all added up to a breathtaking new design that you&rsquo;re going to love. And it all starts with the lock screen.</p> <img src='https://blog.1password.com/posts/2018/opw7.0/opw7-locked-surface.png' alt='1Password 7 for Windows lock screen asking for your Master Password with a Windows Hello button' title='1Password 7 for Windows lock screen asking for your Master Password with a Windows Hello button' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>The steel doors look great and also symbolize the strong encryption that protects your data. And to would-be-attackers, our encryption design is far more secure than the strongest steel.</p> <p>Once you unlock 1Password with your Master Password (or Windows Hello), you&rsquo;ll be delighted by the stunning new layout protected behind those doors.</p> <img src='https://blog.1password.com/posts/2018/opw7.0/opw7-unlocked.png' alt='1Password 7 for Windows main window with new sidebar and item layout' title='1Password 7 for Windows main window with new sidebar and item layout' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>Beautiful! 😍</p> <p>Everything has changed and not a single element of the design has been left untouched. 
Yet the heart and soul of 1Password remain, so you’re able to jump right in and find everything you need.</p> <p>Your items have never looked better and with full support for time-based one-time passwords, logins really shine. They look so good that you&rsquo;ll find yourself happily waiting for a new 2FA code simply so you can watch the countdown animation. 🙂</p> <img src='https://blog.1password.com/posts/2018/opw7.0/opw7-totp.png' alt='Login details for GitHub with 2FA code showing' title='Login details for GitHub with 2FA code showing' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>You can also zoom right in on the password using Large Type. This is perfect for those times you need to type it on another device or are asked for specific characters from your password.</p> <img src='https://blog.1password.com/posts/2018/opw7.0/opw7-large-type.png' alt='Password shown in Large Type window' title='Password shown in Large Type window' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>Our new highlight feature while searching makes finding what you&rsquo;re looking for super easy. And with the addition of search power-ups like <code>title:</code>, <code>tag:</code>, and <code>file:</code>, it&rsquo;s never been easier to discover what you&rsquo;re looking for.</p> <img src='https://blog.1password.com/posts/2018/opw7.0/opw7-search-highlights.png' alt='1Password main window during search with highlights' title='1Password main window during search with highlights' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>And when you prefer to browse, the sidebar is great for navigating between your categories and tags. Along with support for nested tags you can take things to a whole new level by organizing your organization. 
😉</p> <img src='https://blog.1password.com/posts/2018/opw7.0/opw7-nested-tags.png' alt='1Password sidebar with nested tags' title='1Password sidebar with nested tags' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>Oh and the sidebar gets even better as your vaults live there, too.</p> <h2 id="all-your-vaults-all-in-one-place">All your vaults, all in one place</h2> <p>There&rsquo;s more to the sidebar than meets the eye. Sitting just beneath the surface is a powerful new way to organize and securely share your items.</p> <p>Simply click on the sidebar header and your categories will slide away, revealing your collection of vaults. Vaults allow you to group your items depending on their purpose and who needs access to them.</p> <img src='https://blog.1password.com/posts/2018/opw7.0/opw7-sidebar-vaults.png' alt='1Password sidebar shows vaults and accounts' title='1Password sidebar shows vaults and accounts' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>Vaults are so nice that you’ll find yourself adding lots of them. Between my AgileBits business and Teare family accounts, I now have over 50 vaults. Being able to switch between vaults and accounts makes it super simple to stay focused on the task at hand.</p> <p>Together with a <a href="https://1password.com/personal/">1Password Families</a> or <a href="https://1password.com/business/">1Password Business</a> account, vaults can be used to <a href="https://1password.com/features/secure-password-sharing/">securely share passwords</a> with your family and colleagues. 
Simply sign in to 1Password.com and choose who you want to share with and 1Password will do the rest.</p> <img src='https://blog.1password.com/posts/2018/opw7.0/opw7-manage-vault-access.png' alt='Manage vault window showing who has access to our Directors vaults' title='Manage vault window showing who has access to our Directors vaults' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>My favourite part of sharing passwords this way is the ability to control everyone&rsquo;s permissions, including making passwords read-only. For those with edit access, changes they make will be seen by everyone else right away.</p> <h2 id="1password-mini-is-always-by-your-side">1Password mini is always by your side</h2> <p>The new awesome carries over into 1Password mini as well, yielding a more powerful and beautiful experience. When you&rsquo;re on a website and need to login, 1Password mini makes it super easy.</p> <img src='https://blog.1password.com/posts/2018/opw7.0/opw7-mini-login-evernote.png' alt='Google Chrome on Evernote.com sign in screen with 1Password mini showing each saved Evernote login' title='Google Chrome on Evernote.com sign in screen with 1Password mini showing each saved Evernote login' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>Selecting a login will automatically fill your username and password for you. 
And if you have two-factor enabled, the one-time password will be automatically copied to your clipboard so you have everything you need right at your Ctrl-V fingertips.</p> <img src='https://blog.1password.com/posts/2018/opw7.0/opw7-mini-totp-evernote.png' alt='Evernote sign in page asking for the second factor authentication code; filled using the code placed in the clipboard after filling from 1Password mini' title='Evernote sign in page asking for the second factor authentication code; filled using the code placed in the clipboard after filling from 1Password mini' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>1Password mini will also help you create new logins as well. When you sign up for a new service or log in for the first time, 1Password mini will jump in and offer to save it for you.</p> <img src='https://blog.1password.com/posts/2018/opw7.0/opw7-mini-save-login.png' alt='1Password mini prompting to save a login on Evernote.com' title='1Password mini prompting to save a login on Evernote.com' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>In addition to naming your new login and assigning tags, you can also choose which vault to save it to. This is great for keeping things organized as well as choosing who to share with.</p> <p>And if a website has been breached, mini will alert you so you know that you need to update the password.</p> <img src='https://blog.1password.com/posts/2018/opw7.0/opw7-mini-watchtower.jpeg' alt='1Password mini showing matching logins for Yahoo; one login has been identified by Watchtower as needing its password changed' title='1Password mini showing matching logins for Yahoo; one login has been identified by Watchtower as needing its password changed' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>Oh and then there&rsquo;s also Open and Fill which automatically opens websites and fills passwords for you. 
When combined with the search and organization features of 1Password mini, it&rsquo;s perfect for bookmarking your favourite sites.</p> <h2 id="designed-for-everybody">Designed for everybody</h2> <p>We wanted to create 1Password 7 for everybody and be as inclusive as possible. That started with allowing you to sync your vaults yourself as well as using 1Password accounts on <a href="https://1password.com">1Password.com</a>, <a href="https://1password.com/pricing/ca/">1Password.ca</a>, and <a href="https://1password.com/pricing/eu/">1Password.eu</a>.</p> <p>1Password also speaks your language and has been localized to Français, Deutsch, Italiano, 日本語, 한국어, Português, Русский, 简体中文, 繁體中文, and Español.</p> <img src='https://blog.1password.com/posts/2018/opw7.0/opw7-japanese.png' alt='1Password main window in Japanese with the settings window open' title='1Password main window in Japanese with the settings window open' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>Being able to use 1Password in your language is great and it’s even better on High-DPI displays. 1Password 7 has full support for HiDPI in Windows 10 so it looks incredible on 4K monitors and other high density screens.</p> <p>And for those of you who rely on assistive technologies, rest assured that 1Password 7 is fully accessible with out-of-the-box support for screen readers like <a href="https://support.microsoft.com/en-us/windows/chapter-1-introducing-narrator-7fe8fd72-541f-4536-7658-bfc37ddaf9c6">Narrator</a>.</p> <h2 id="why-hello-there-windows-hello">Why hello there, Windows Hello</h2> <p>We also added support for Windows Hello so you can unlock 1Password using your fingerprint or simply your smile. 
This works great in the main app as well as in mini.</p> <p> <video class="round shadow" style="display: block; margin: auto; padding: 0;" autoplay muted loop playsinline width="100%" controls> <source src="https://blog.1password.com/posts/2018/opw7.0/opw7-windows-hello.mp4" type="video/mp4" /> </video> </p> <p>I love the &ldquo;looking for you&rdquo; animation with the eye looking back and forth, and can&rsquo;t help but grin when I&rsquo;m greeted with a smiling face along with the &ldquo;Hello, dave!&rdquo; message. 🙂</p> <p>As for security, your data is protected by your Master Password as always. To keep things as secure as possible, the first time you unlock you will need to provide your Master Password and then Windows Hello will be able to unlock 1Password thereafter.</p> <h2 id="strong-foundations">Strong foundations</h2> <p>1Password 7 is a completely new modern app built from the ground up to use the latest and greatest technologies available. This gave us a strong foundation and allowed us to push the envelope to make 1Password the best it could be.</p> <p>In addition to fundamental enhancements like HiDPI and Unicode support, 1Password 7 comes with a whole new database layer that enabled us to make everything much, <em>much</em>, <strong>much</strong> faster.</p> <p>And if you&rsquo;re moving over to our new 1Password memberships, syncing your data is <a href="https://1password.com/security/">more secure</a> than ever. With the addition of a <a href="https://support.1password.com/secret-key/">Secret Key</a>, <a href="https://blog.1password.com/developers-how-we-use-srp-and-you-can-too/">Secure Remote Password</a>, and Galois/Counter Mode, your data has never been safer. 
Oh, and to top things off, the speed and reliability is simply unparalleled.</p> <p>All of these changes combine into the fastest, most secure, and best looking 1Password experience on Windows ever! Long story short: you&rsquo;re in for an amazing treat! 🍪</p> <h2 id="how-do-i-get-it">How do I get it?</h2> <p>To start enjoying the best version of 1Password ever built, grab it here:</p> <p><a href="https://app-updates.agilebits.com/download/OPW7">Download 1Password 7</a></p> <p>1Password 7 is included free for everyone with a 1Password membership. Simply unlock 1Password after downloading and you’re good to go.</p> <p>Those of you with a standalone license will be prompted to subscribe or purchase a license when 1Password 7 first opens. Licenses will cost $64.99 but are available during our launch special for only $49.99. Licenses are per-person, per-platform so you can use your single license on as many PCs as you have. 1Password 7 for Mac is a separate purchase.</p> <p>I hope you enjoy 1Password 7 as much as we enjoyed making it for you. We couldn’t have done it without your help. ❤</p> <p>Please join us in our discussion forums or in the comments below to share your experiences with us and help craft the future of 1Password. We always love hearing from you. 😘</p></description></item><item><title>1Password 7 for Mac: The Best Ever</title><link>https://blog.1password.com/1password-7-for-mac-the-best-ever/</link><pubDate>Tue, 22 May 2018 00:00:00 +0000</pubDate><author>info@1password.com (Dave Teare)</author><guid>https://blog.1password.com/1password-7-for-mac-the-best-ever/</guid><description> <img src='https://blog.1password.com/posts/2018/opm7.0/header.png' class='webfeedsFeaturedVisual' alt='1Password 7 for Mac: The Best Ever' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Today is a momentous day! 
It’s time to take the wraps off something incredible that changes the world as we know it: 1Password 7 for Mac is here! 🎉🙌</p> <p>There&rsquo;s a ton of amazing features packed into this release and I couldn&rsquo;t stop myself from writing a <em>lot</em> about them. If you&rsquo;d like to start rocking right away, feel free to jump ahead and <a href="https://app-updates.agilebits.com/download/OPM7">download 1Password 7</a> now. For everyone else, it&rsquo;s my distinct pleasure to share with you the awesome that is 1Password 7.</p> <h2 id="marvellous-mini">Marvellous mini</h2> <p>1Password mini is how most of us use 1Password on a daily basis and for version 7 we wanted to make that experience the best it could be.</p> <p>1Password mini has been completely reimagined and comes with so many features that we needed to give it its own window. When you bring up mini you&rsquo;ll find it waiting for you with an incredibly powerful and beautiful new look.</p> <img src='https://blog.1password.com/posts/2018/opm7.0/mini-favourites.png' alt='1Password mini unlocked showing favourited items' title='1Password mini unlocked showing favourited items' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>While in your browser, mini will automatically suggest the items you&rsquo;re most likely to need. Select the login you want to sign in with and 1Password will do the rest.</p> <img src='https://blog.1password.com/posts/2018/opm7.0/mini-suggested-items-evernote.png' alt='1Password mini showing suggested items for Evernote.com' title='1Password mini showing suggested items for Evernote.com' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>And mini doesn&rsquo;t limit itself to just browsers. With our new app integration we&rsquo;ll automatically suggest logins for the current app you&rsquo;re using. 
Along with support for drag and drop, this is a real game changer.</p> <img src='https://blog.1password.com/posts/2018/opm7.0/mini-drag-and-drop-into-itunes.png' alt='Drag and drop passwords from 1Password mini into iTunes' title='Drag and drop passwords from 1Password mini into iTunes' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>You can also make edits, move items between vaults, and even add documents – all without ever leaving mini. Soon you&rsquo;ll wonder how you ever lived without it. 🙂</p> <h2 id="beautiful-bold-design">Beautiful, bold design</h2> <p>The beauty you&rsquo;ll find in mini continues throughout the rest of 1Password as well. It all starts with the newly designed lock screen and it looks incredible, especially with <a href="https://1password.com/mac/">Touch ID</a>.</p> <img src='https://blog.1password.com/posts/2018/opm7.0/locked-touch-id.jpeg' alt='1Password locked and ready to unlock using Touch ID' title='1Password locked and ready to unlock using Touch ID' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>As great as those vault doors look, they pale in comparison to what lies secured behind them.</p> <img src='https://blog.1password.com/posts/2018/opm7.0/unlocked-main-list-view.jpeg' alt='1Password 7 main view after unlocking' title='1Password 7 main view after unlocking' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>The first thing that grabs you is the stunning new sidebar. It draws you in with its bold dark theme and delights you with its simplicity.</p> <p>The new sidebar looks great without being overpowering and the high contrast between it and your content allows your eyes to focus on what&rsquo;s most important: <em>your items</em>.</p> <h2 id="detailing-your-items">Detailing your items</h2> <p>Your items are able to join in on the fun as well with a new design and some lovely new touches. 
Each of your items now prominently shows which vault it belongs to and has its most important information highlighted.</p> <img src='https://blog.1password.com/posts/2018/opm7.0/item-details.jpeg' alt='Login details' title='Login details' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>If you caught yourself yelling <em>What Are Those?!</em> when looking at the formatted notes field, you&rsquo;re not alone. You can now give your notes richly formatted text using Markdown! 🎉</p> <p>Along with the improved layout and typography, we&rsquo;ve added a beautiful custom font created specifically for 1Password called Courier Prime Bits (based on the lovely <a href="https://quoteunquoteapps.com/courierprime/">Courier Prime</a>).</p> <p><a href="https://github.com/a-dg">Alan Dague-Greene</a> is the creative genius behind this font and it makes large type passwords look absolutely incredible.</p> <img src='https://blog.1password.com/posts/2018/opm7.0/large-type.png' alt='Large Type' title='Large Type' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>Speaking of incredible, when you combine our new custom font with Markdown support, <a href="https://1password.com/features/secure-notes/">secure notes</a> are now at an entirely new level of awesome.</p> <img src='https://blog.1password.com/posts/2018/opm7.0/secure-notes-markdown.jpeg' alt='Secure Markdown Notes' title='Secure Markdown Notes' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>Once you start using Markdown in your notes you&rsquo;ll find yourself wanting to create a lot of them. And when you do, you can keep your notes and items organized using tags. 
You can even use nested tags if you want to be fancy.</p> <img src='https://blog.1password.com/posts/2018/opm7.0/nested-tags.jpeg' alt='Organizing items with nested tags' title='Organizing items with nested tags' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>Oh and if you need to copy fields between items or into another app, you can detach the item details view into its own separate window by clicking the <img src="https://blog.1password.com/posts/2018/opm7.0/inline-pop-out-icon.png" alt="Pop out toolbar icon"> button in the toolbar. This is incredibly useful although to be honest I often find myself clicking it for no other reason than to see the lovely animation. 🙂</p> <h2 id="watching-out-for-you">Watching out for you</h2> <p>1Password 7 is doubling down on how it keeps you safe online. We have bundled together a suite of security tools that notify you of breaches, warn you of bad habits, and highlight vulnerable passwords. We call it Watchtower and it&rsquo;s amazing.</p> <img src='https://blog.1password.com/posts/2018/opm7.0/watchtower.jpeg' alt='Watchtower suite of security tools' title='Watchtower suite of security tools' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>Watchtower integrates with Troy Hunt’s <a href="https://haveibeenpwned.com/">haveibeenpwned.com</a> service to see if any of your logins are vulnerable. 
1Password securely checks your items against a collection of breached passwords (over 500 million and counting) and notifies you to change them.</p> <img src='https://blog.1password.com/posts/2018/opm7.0/have-i-been-pwned-yes.jpeg' alt='Watchtower highlighting a Pwned Password' title='Watchtower highlighting a Pwned Password' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>Watchtower also knows which websites support two factor authentication and will alert you when it finds logins without 2FA enabled.</p> <img src='https://blog.1password.com/posts/2018/opm7.0/watchtower-enable-2fa.png' alt='Watchtower warning that 2FA is not enabled' title='Watchtower warning that 2FA is not enabled' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>Watchtower will also alert you to logins that are using an insecure (HTTP) website address, weak passwords, and horror of horrors, reused passwords (seriously, don&rsquo;t do that!). And finally it&rsquo;ll even warn you if your credit cards or passports are expiring soon so you don&rsquo;t miss out on your vacation. 😎</p> <img src='https://blog.1password.com/posts/2018/opm7.0/watchtower-expiring-soon.jpeg' alt='Watchtower alert for an expiring passport' title='Watchtower alert for an expiring passport' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <h2 id="organize-amp-securely-share-your-items">Organize &amp; securely share your items</h2> <p>Let&rsquo;s get back to that sidebar because there&rsquo;s more there than meets the eye. Sitting just beneath the surface is a powerful new way to organize and securely share your items.</p> <p>Simply click on the sidebar header and your categories will slide away, revealing your collection of vaults. 
Vaults allow you to group your items depending on their purpose and who needs access to them.</p> <img src='https://blog.1password.com/posts/2018/opm7.0/sidebar-vaults.jpeg' alt='Sidebar with vaults revealed' title='Sidebar with vaults revealed' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>You can drag and drop items between vaults and even between accounts. Or, drop your items on the New Vault button and a new vault will be created for you right then and there. It&rsquo;s so simple it&rsquo;s like magic.</p> <img src='https://blog.1password.com/posts/2018/opm7.0/edit-vault.jpeg' alt='Create new vault' title='Create new vault' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>Once you have your new vault created, sharing it with your team or family couldn&rsquo;t be easier. Select who you want to have access to your vault and 1Password will do the rest.</p> <img src='https://blog.1password.com/posts/2018/opm7.0/manage-vault-access.jpeg' alt='Manage vault access' title='Manage vault access' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>Best of all, any updates to the items appear automatically for everyone. It&rsquo;s easier to share securely with 1Password than being insecure without it. 💪</p> <h2 id="strong-foundations">Strong foundations</h2> <p>Along with all these new features and improvements, a lot of heavy lifting took place to make 1Password 7 faster and secure-er than ever.</p> <p>It all began by combining 1Password and 1Password mini into a single process. This made items faster to load, reduced memory usage, and decreased launch times. The overall performance boosts made us smile as soon as we saw them and we think they&rsquo;ll make you smile, too.</p> <p>Also new in 1Password 7, we&rsquo;ve taken advantage of Apple&rsquo;s Secure Enclave to protect your Master Password when Touch ID is enabled. 
This is incredibly cool because the keys used for encryption are protected by the hardware and not accessible to other programs or the operating system.</p> <img src='https://blog.1password.com/posts/2018/opm7.0/touch-id-prompt.jpeg' alt='Touch ID unlock prompt' title='Touch ID unlock prompt' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>And if you&rsquo;re moving over to our new 1Password memberships, syncing your data is <a href="https://1password.com/security/">more secure</a> than ever. With the addition of a <a href="https://support.1password.com/secret-key/">Secret Key</a>, <a href="https://blog.1password.com/developers-how-we-use-srp-and-you-can-too/">Secure Remote Password</a>, and Galois/Counter Mode, your data has never been safer. And the speed and reliability is simply unparalleled.</p> <h2 id="and-so-much-much-much-more">And so much much much more!</h2> <img src='https://blog.1password.com/posts/2018/opm7.0/collapsed-sidebar.png' alt='Collapsed sidebar for small screen warriors' title='Collapsed sidebar for small screen warriors' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>I told you at the beginning that I was going to write a <em>lot</em> about 1Password 7 and I could keep going. 
But in the interest of getting you into 1Password 7 sooner, I&rsquo;m curtailing the rest into this fancy bulleted list!</p> <ul> <li>Collapse the sidebar entirely so your items get all the love</li> <li>Quickly find items with our new Spotlight integration</li> <li>Use Handoff to view iOS items right from your Dock</li> <li>Easily see your currently selected vault and account</li> <li>Marvel at the monogrammed icons for tags and logins</li> <li>Edit your vaults directly from the sidebar</li> <li>Enjoy the new password strength meter</li> <li>Remove duplicate items on a per-vault basis</li> <li>Jump to items and vaults with ease using Quick Open</li> <li>Opt in to automatic updates so you can always enjoy the latest and greatest 1Password has to offer</li> </ul> <h2 id="how-do-i-get-it">How do I get it?</h2> <p>To start enjoying the best version of 1Password ever built, grab it here:</p> <p><a href="https://app-updates.agilebits.com/download/OPM7">Download 1Password 7</a></p> <p>1Password 7 is included free for everyone with a 1Password membership. Simply unlock 1Password after downloading and you&rsquo;re good to go.</p> <p>Those of you with a standalone license for version 6 will be prompted to subscribe or purchase a license when 1Password 7 first opens. Licenses will cost $64.99 but are available during our launch special for only $49.99. Licenses are per-person, per-platform so you can use your single license on as many Macs as you have. 1Password 7 for Windows will be released next week as a separate purchase.</p> <p>I hope you enjoy 1Password 7 as much as we enjoyed making it for you! We couldn&rsquo;t have done it without your help. ❤</p> <p>Please join us in our <a href="https://1password.community/categories/1password-for-mac">discussion forums</a> or in the comments below to share your experiences with us and help craft the future of 1Password. We always love hearing from you. 
😘</p></description></item><item><title>1Password at Google I/O 2018</title><link>https://blog.1password.com/1password-at-google-io/</link><pubDate>Mon, 21 May 2018 00:00:00 +0000</pubDate><author>info@1password.com (Saad Mohammad)</author><guid>https://blog.1password.com/1password-at-google-io/</guid><description> <img src='https://blog.1password.com/posts/2018/google-io/header.png' class='webfeedsFeaturedVisual' alt='1Password at Google I/O 2018' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Just over a week ago, I was incredibly lucky to attend Google’s annual developer conference at the Shoreline Amphitheatre in Mountain View. I always look forward to this event because it showcases the latest and greatest technologies coming to Google’s platforms. And to make things even better, I was joined by Gene, Peri, Shiner and Michael – our largest group at I/O yet!</p> <h2 id="google-io-2018">Google I/O 2018</h2> <img src='https://blog.1password.com/posts/2018/google-io/team.jpg' alt='Team photo at Google I/O 2018' title='Team photo at Google I/O 2018' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>After grabbing coffee and snacks, we took our seats and eagerly waited for the keynote to begin. Sundar Pichai opened the conference by revisiting the most pressing issue of last year: the hamburger and beer emoji fiasco! With the cheese now in the right place, he continued with the keynote and introduced one of the main themes of the conference: leveraging machine learning to solve both simple and complex problems in our daily lives.</p> <p>The improvements to the Google Assistant such as “continued conversations” and the new voices are fantastic. I do worry that I may fall back asleep if John Legend’s soothing voice reads my daily briefing each morning! 
The Duplex demo was just incredible and I am amazed at how the Assistant was able to understand and deliver natural language conversations over the phone. I’ve shown the video to all of my family members… maybe even scared them a bit. But don’t worry mom, I promise it will be the real me calling. 😉</p> <h2 id="android-p-popsicle">Android P (Popsicle?)</h2> <p>It wouldn’t be Google I/O without a strong focus on the next version of Android. Immediately after they announced the Android P beta, I installed it on my Pixel 2 XL and revelled in the beautiful controls, typography, and roundedness of its design. Android P is all about intelligently analyzing and adapting to our usage patterns. This is being used to drive powerful features such as the new Digital Wellbeing. I’m looking forward to using it to remind me to disconnect and focus on the real world sometimes.</p> <h2 id="developing-on-a-pixelbook">Developing on a Pixelbook</h2> <p>One pleasant surprise that got Michael very excited was the announcement that Android Studio is coming to Chrome OS. He quickly got it running on his Pixelbook and then challenged me to a race to see who could build 1Password faster. We were both shocked to find that his Pixelbook came in only 7 seconds behind my MacBook Pro. That’s pretty impressive!</p> <div class="tweet"> <img src="https://blog.1password.com/img/icons/twitter.svg" alt="@michaelverde tweet" /> <p> The <a href="https://twitter.com/hashtag/chromeos?src=hash">#chromeos</a> team gave us an awesome present at <a href="https://twitter.com/hashtag/io18?src=hash">#io18</a> this year. With support for Linux apps, I can now use <a href="https://twitter.com/androidstudio">@androidstudio</a> on my Pixelbook to build and run <a href="https://twitter.com/1Password">@1Password</a>. 
❤️ - <span>@michaelverde</span> <a href="http://twitter.com/user/status/994690122468610048" title="@michaelverde" class="view-tweet" target="_blank" rel="noopener">View tweet</a> </p> </div> <h2 id="1password-on-chrome-os">1Password on Chrome OS</h2> <p>As exciting as it is to build 1Password on a Pixelbook, it’s even more thrilling to run an optimized version of it on Chrome OS. We built 1Password 6.8 for Android with an emphasis on the desktop experience, and we’re incredibly proud to have been featured by Google during I/O as an example of doing this well.</p> <div class="tweet"> <img src="https://blog.1password.com/img/icons/twitter.svg" alt="@shahidhussain tweet" /> <p> Shout out to <a href="https://twitter.com/1Password">@1Password</a> from <a href="https://twitter.com/hashtag/chromeos?src=hash">#chromeos</a> <a href="https://twitter.com/hashtag/io18?src=hash">#io18</a> - <span>@shahidhussain</span> <a href="http://twitter.com/user/status/994619846078820352" title="@shahidhussain" class="view-tweet" target="_blank" rel="noopener">View tweet</a> </p> </div> <p>One of my favourite desktop features added in 1Password 6.8 is using the arrow keys and the keyboard shortcuts to get around. I also find it extremely convenient using drag and drop to move text between Android apps. Now I can drag my credentials to sign into the Twitter app!</p> <img src='https://blog.1password.com/posts/2018/google-io/drag-and-drop.gif' alt='Dragging credentials into the Twitter app from 1Password on Chrome OS' title='Dragging credentials into the Twitter app from 1Password on Chrome OS' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>Give 1Password a try on your <a href="https://1password.com/resources/guides/1password-for-chromebook/">Chromebook</a> and let us know what you think.</p> <h2 id="until-next-year">Until next year!</h2> <p>We all had a fun and productive week at Google I/O. 
It was my first time listening to Justice and Phantogram at the concert, and my god, do I love them! I have “Fall in Love” playing on repeat right now. 🕺</p> <img src='https://blog.1password.com/posts/2018/google-io/concert.jpg' alt='Photo at Google I/O concert' title='Photo at Google I/O concert' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>Google I/O sparked some great ideas that we’re eager to explore in 1Password on both <a href="https://1password.com/downloads/android/">Android</a> and <a href="https://1password.com/downloads/chrome-os/">Chrome OS</a>. Which of the showcased technologies are you excited to see in 1Password? Let me know in the comments below!</p></description></item><item><title>Using Splunk with 1Password Business</title><link>https://blog.1password.com/using-splunk-with-1password-business/</link><pubDate>Fri, 11 May 2018 00:00:00 +0000</pubDate><author>info@1password.com (Jacob Wilson)</author><guid>https://blog.1password.com/using-splunk-with-1password-business/</guid><description> <img src='https://blog.1password.com/posts/2018/splunk/header.png' class='webfeedsFeaturedVisual' alt='Using Splunk with 1Password Business' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">1Password Business makes it easy to monitor events that happen on your team using the Activity Log, and you can take that to the next level by adding <a href="https://www.splunk.com/">Splunk</a> to the mix. Using the 1Password command-line tool, you can send your team’s 1Password activity to Splunk and keep track of it there alongside other happenings within your team.</p> <p>One of Splunk’s most popular features is the ability to find events and <a href="https://docs.splunk.com/Documentation/Splunk/7.0.3/Alert/Aboutalerts">trigger alerts based on them</a>. 
For example, in your team you could set things up so the sysadmins are alerted whenever someone is added to the Owners group in 1Password. I’ll get into that example a bit more later in this post.</p> <h2 id="set-up-the-1password-command-line-tool">Set up the 1Password command-line tool</h2> <p>To kick things off, let’s set up the 1Password command-line tool, if you’re not using it already:</p> <p><a href="https://developer.1password.com/docs/cli/v1/get-started/">1Password command-line tool: Getting started</a></p> <p>When setting up the tool, start by <a href="https://support.1password.com/custom-groups/">creating a custom group and giving it the View Admin Console permission</a> so it can view the Activity Log, then add a user to that group. Once the tool is set up with that user’s account, get a session token:</p> <p><code>$ op signin example</code></p> <p>This will allow you to interactively enter the Master Password with secure input. Since you’re definitely putting this in a script, you’ll want to pass the Master Password through <code>stdin</code> to the <code>op signin</code> call to get your session token:</p> <p><code>[password] | op signin example.1password.com wendy_appleseed@example.com A3-XXXXXX-XXXXXX-XXXXX-XXXXX-XXXXX-XXXXX</code></p> <p>To make things simpler, you can omit the email address and Secret Key from <code>op signin</code> since they are saved in <code>~/.op/config</code>. You can then simplify the whole sign-in step to one line by piping the Master Password to it:</p> <p><code>gpg -q --decrypt password.enc | op signin example</code></p> <p>To automate all this, though, you can get the Master Password from a secure storage location and pipe it to sign in. HashiCorp Vault is a good place to securely store the account’s Master Password. I’m using GPG in this example, but you can use KMS or something else that you’re comfortable with – just avoid <code>echo</code>. 
😉</p> <h2 id="start-fetchin-those-audit-events">Start fetchin’ those audit events</h2> <p>Now that we have our session token, we can start getting some audit events. Create a script that’s run by a job scheduler such as cron at regular intervals (every 10 minutes should suffice). That script needs to:</p> <img src='https://blog.1password.com/posts/2018/splunk/op-list-events-dog.png' alt='op list events Dog' title='op list events Dog' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <ol> <li>Create the session like we just did above.</li> <li>Read the last processed event ID from disk.</li> <li>Fetch events newer than that ID.</li> <li>Send the events to Splunk.</li> <li>Save the latest event ID to disk.</li> </ol> <p>To do this, we’ll be working with JSON, so <a href="https://stedolan.github.io/jq/">jq</a> is a good idea if you’re working with bash; you could also use a scripting language that supports JSON, such as Python or Ruby.</p> <p>You can fetch up to 100 events newer than <code>$ID</code>. To fetch them:</p> <p><code>op list events $ID newer</code></p> <p>To make sure you get all the events, you’ll need to run that until nothing is returned, since only 100 events are returned each time. 
This command will return a JSON array of event objects; each object looks like this:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-json" data-lang="json">{
  "eid": 392879,
  "time": "2018-01-23T15:50:49Z",
  "actorUuid": "YJTZ3RWWFRBNTF4M2YEEY3EPOQ",
  "action": "join",
  "objectType": "gm",
  "objectUuid": "hd22y2bob6qdpap2ge6d7nn4yy",
  "auxInfo": "A",
  "auxUUID": "YJTZ3RWWFRBNTF4M2YEEY3EPOQ"
}</code></pre></div><p>You can send all of the events in the array to Splunk at this point by using something like the <a href="https://www.splunk.com/en_us/blog/learn/splunk-universal-forwarder.html">Splunk universal forwarder</a>.</p> <p>Next, take the <code>eid</code> of the first object in that array and save it to disk so it can be used for the next fetch. 
If the array from <code>op list events</code> is empty, it means there are no newer events, and you’re done here — for now.</p> <h2 id="get-alerts-about-important-actions-in-your-team">Get alerts about important actions in your team</h2> <p>Earlier I mentioned one such handy use for Splunk with <a href="https://1password.com/business/">1Password Business</a> would be to see when someone is added to the Owners group. To do this, you would find an event in the Activity Log that has:</p> <ul> <li>action: <code>join</code></li> <li>objectType: <code>gm</code> (Group Membership)</li> <li>objectUuid: your Owners group’s UUID, which you can get by opening <a href="https://start.1password.com/groups">https://start.1password.com/groups</a>, signing in, and clicking Owners, then copying the UUID from the end of the address bar in your browser.</li> </ul> <p>Every audit event comes with an <code>actorUuid</code> field. It’s a great identifier, but when perusing, we have no idea who <code>YJTZ3RWWFRBNTF4M2YEEY3EPOQ</code> is. To fix this up, let’s upgrade our script a bit. Before we fetch events, let’s get a user list with <code>op list users</code>. This will get us all users on the account along with some basic information like their name and email address. With that we can process each event object, look up the user by UUID, then add more descriptive information for when we send things to Splunk.</p> <p>In this example case of sending an alert when someone is added to the Owners group, it’s probably nice to know who was added. The <code>auxUUID</code> field of the audit event will be the UUID of the user who was added to the group. You can do the same lookup that we did above for the actor. 
For many events, <code>auxUUID</code> will not be a user UUID, so make sure to fail gracefully there.</p> <p>Now that we’ve set things up, whenever Splunk finds an event matching this, it’ll be able to alert your sysadmins via Slack or another method and let them know that Lorraine added Bobby to the Owners group. From there, they can take action if they need to.</p> <img src='https://blog.1password.com/posts/2018/splunk/matching-event-slack.png' alt='Matching event in Slack' title='Matching event in Slack' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <h2 id="try-it-out-and-tell-us-what-you-think">Try it out and tell us what you think</h2> <p>When it comes down to it, sending your team’s 1Password activity to Splunk gives you one place to audit any administrative action your team has been taking in 1Password, alongside all the other tools your company uses. There are a lot of things you can look out for, from the Owners group example I mentioned before to knowing when someone adds or removes a team member from a vault or <a href="https://support.1password.com/create-share-vaults-teams/#manage-access">changes their permissions</a>.</p> <p>We’d love to hear how you set things up, so feel free to comment below or send us a message at <a href="mailto:support+cli@agilebits.com">support+cli@agilebits.com</a> or <a href="https://1password.community/categories/cli">start a discussion in our forum</a> with suggestions, questions, and anything else you’d like to chat about!</p></description></item><item><title>Getting 1Password 7 ready for the Mac App Store</title><link>https://blog.1password.com/getting-1password-7-ready-for-the-mac-app-store/</link><pubDate>Thu, 10 May 2018 00:00:00 +0000</pubDate><author>info@1password.com (Jeff Shiner)</author><guid>https://blog.1password.com/getting-1password-7-ready-for-the-mac-app-store/</guid><description> <img src='https://blog.1password.com/posts/2018/opm7-mas/header.png' 
class='webfeedsFeaturedVisual' alt='Getting 1Password 7 ready for the Mac App Store' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">1Password 7 has been in beta for six weeks now and the feedback has been fantastic. We are getting close to the official release date and have begun final preparations, including submitting 1Password 7 to the Mac App Store. 🎉</p> <p>When 1Password 7 is released it will be available from the Mac App Store as well as our website, and will be available as both a subscription and a standalone license.</p> <p>When adding 1Password 7 to the Mac App Store we needed to answer the following two questions:</p> <ul> <li>Should it be a new app?</li> <li>Should it support both subscriptions and licenses?</li> </ul> <p>Ultimately we decided that 1Password 7 will be a new app in the Mac App Store, and available only as a subscription. I know that many of you will be curious about this, so I wanted to share with you why we decided on this approach.</p> <h2 id="mac-app-store-and-upgrades">Mac App Store and upgrades</h2> <p>The Mac App Store is one of the most convenient ways to purchase apps for your Mac. You can purchase with confidence, pay quickly in your local currency, and updates happen automatically. Overall it is a pretty sweet experience.</p> <p>The App Store, for all it does well, struggles mightily when a paid upgrade is introduced because it does not allow developers to charge for an update to an existing app.</p> <p>When considering a paid upgrade, developers have two choices: they can re-use their existing app or submit a new one. 
Both have their pros and cons.</p> <h2 id="re-using-an-existing-app">Re-using an existing app</h2> <p>Developers are very creative and one approach that some have used to introduce paid upgrades is to re-use their existing app and offer an In-App Purchase to make the upgraded features available.</p> <p>We actually went ahead and gave this an honest, if short-lived, try. Very quickly it became apparent that this would lead to a complete mess of spaghetti code as we tried to encapsulate new features. Worse yet, any significant UI updates (including the many we have in 1Password 7) were next to impossible to add as we’d have to keep the old UI around as well. Ultimately this proved infeasible and all my developers threatened to mutiny. 🙂</p> <h2 id="submitting-a-new-app">Submitting a new app</h2> <p>A new app avoids these issues, allowing us to keep our code base clean and my developers happy. It comes at a price though.</p> <p>Introducing a new app means that everyone who wants the upgraded version needs to go back to the Mac App Store, find this new version, and download it.</p> <p>We’ve done this before with 1Password 4 for iOS, and have the scars to prove it. Thousands of customers were confused when trying to update because their 1Password 3 app claimed to be up-to-date. To this day we have customers on 1Password 3 who do not realize a new version is out.</p> <p>To be quite honest, one of the main reasons we haven’t had a paid upgrade on the Mac side for all these years is that we were dreading the pain this would cause us and our customers. However the time has come to bite the bullet and have a paid upgrade.</p> <p>To avoid this pain in the future, this will be the last time we will be submitting a new app to the App Store. 
To make that possible, 1Password 7 will only be available as a subscription in the Mac App Store.</p> <h2 id="mac-app-store-for-subscriptions-only">Mac App Store for subscriptions only</h2> <p>1Password subscriptions are eligible for free upgrades, meaning we can keep the same app in the App Store and seamlessly upgrade everyone to the new version as it comes out. This is just one of the many reasons <a href="https://blog.1password.com/why-we-love-1password-memberships/">why we love memberships</a>.</p> <p>If we were to sell standalone licenses in the Mac App Store we would have these same problems all over again when <a href="https://1password.com/mac/">1Password 8</a> is released. Ultimately this is why we decided not to sell licenses through the Mac App Store.</p> <p>While still tough, this decision was easier to make as people looking for licenses will be able to <a href="https://1password.com/downloads/mac/">download 1Password 7</a> directly from our website. I know this isn’t ideal for those who love the Mac App Store and prefer to purchase standalone licenses and I apologize for that. 
But overall I believe this was the correct decision to make.</p> <p>I’ll be out at WWDC in a few weeks and would be more than happy to talk further if you have questions or are facing similar decisions with your own apps.</p></description></item><item><title>Learn how your business is using 1Password with reports</title><link>https://blog.1password.com/learn-how-your-business-is-using-1password-with-reports/</link><pubDate>Mon, 07 May 2018 00:00:00 +0000</pubDate><author>info@1password.com (Jacob Wilson)</author><guid>https://blog.1password.com/learn-how-your-business-is-using-1password-with-reports/</guid><description> <img src='https://blog.1password.com/posts/2018/usage-reports/header.png' class='webfeedsFeaturedVisual' alt='Learn how your business is using 1Password with reports' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">One of the top requests we’ve gotten from teams using 1Password over the past few years is a way to see what items their team’s been using. With <a href="https://1password.com/business/">1Password Business</a>, we’ve added item usage reports, a new tool for you to see how the people on your team are using 1Password.</p> <h2 id="know-what-your-team-can-access">Know what your team can access</h2> <img src='https://blog.1password.com/posts/2018/usage-reports/person-usage.png' alt='Report generated for a user' title='Report generated for a user' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>An administrator or owner on your team can create a report for a team member to see what items they’ve used, how many vaults and items they have access to, and more. 
To create your first report for a team member:</p> <ol> <li><a href="https://start.1password.com/signin">Sign in</a> to your business account on 1Password.com.</li> <li>Click People in the sidebar.</li> <li>Click the name of a team member, then click Create Usage Report below their name.</li> </ol> <p>We’ve designed reports to focus on the vaults that matter to you, so you’ll see items from shared vaults in a person’s report.</p> <h2 id="know-whats-being-used-in-your-vaults">Know what’s being used in your vaults</h2> <img src='https://blog.1password.com/posts/2018/usage-reports/vault-usage.png' alt='Report generated for a vault' title='Report generated for a vault' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>You can also create a report for a vault to see what people have been using in it. To create a report for a vault:</p> <ol> <li>Click <a href="https://start.1password.com/vaults">Vaults</a> in the sidebar.</li> <li>Click the name of a vault, then click Create Usage Report below its name.</li> </ol> <p>The handy thing about creating a report for a vault is that you can see what has been used often in that vault. Sorting by item name gives you an organized list, and each item will be shown as a separate entry for each person who has used it.</p> <h2 id="know-what-to-do-when-someone-leaves-your-team">Know what to do when someone leaves your team</h2> <img src='https://blog.1password.com/posts/2018/usage-reports/change-passwords.png' alt='Case containing password to update' title='Case containing password to update' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>When someone leaves your team, you can <a href="https://support.1password.com/add-remove-team-members/#suspend-an-account-temporarily">suspend their account</a> to revoke their access to vaults and items, then create a report to get an idea of what passwords you might need to change. 
Then you can click the item in the report and use 1Password to quickly <a href="https://support.1password.com/change-website-password/">change the password</a>.</p> <p>Keeping passwords in a <a href="https://support.1password.com/create-share-vaults-teams/">shared vault</a> in your team means any changes made to them are available right away to the people who can access that vault. So when you change a password to keep an account secure, everyone who needs it automatically gets the new one and can use it immediately.</p> <h2 id="start-using-reports">Start using reports</h2> <p>Usage reports are centered on the best part of any company: the people. They focus on the vaults someone has access to, as well as important dates, like when they joined the team or last signed in. And the best part is only the admins and owners of your team know which items and websites your team is using: we can’t see any of that.</p> <p>The goal of reports is to help you make better judgments about whether Emmett or Lorraine really need to keep access to those potentially high-value resources. And if they don’t, you can <a href="https://support.1password.com/create-share-vaults-teams/">change their access</a> to something that better suits them.</p> <p><a href="https://support.1password.com/reports/">Learn more about creating reports in 1Password Business</a></p> <p>This is only the beginning — we’d love your feedback on what else you’d like to see in the reports. 
Comment below to start a discussion or send us a message at <a href="mailto:business@1password.com">business@1password.com</a> to share some feedback.</p></description></item><item><title>Introducing Watchtower 2.0: The turret becomes a castle</title><link>https://blog.1password.com/introducing-watchtower-2.0-the-turret-becomes-a-castle/</link><pubDate>Fri, 04 May 2018 00:00:00 +0000</pubDate><author>info@1password.com (Jeff Shiner)</author><guid>https://blog.1password.com/introducing-watchtower-2.0-the-turret-becomes-a-castle/</guid><description> <img src='https://blog.1password.com/posts/2018/b5-wt-2/header.png' class='webfeedsFeaturedVisual' alt='Introducing Watchtower 2.0: The turret becomes a castle' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Introducing the all new Watchtower – it is absolutely gorgeous, and appears to be rather timely!</p> <p>Twitter asked their 330 million users to change their password yesterday due to a <a href="https://blog.twitter.com/official/en_us/topics/company/2018/keeping-your-account-secure.html">security snafu</a>, putting privacy and security at the forefront of everyone’s mind once again.</p> <p>1Password includes <a href="https://watchtower.1password.com/">Watchtower</a>, with its suite of security tools, making it the easiest and most comprehensive way for you to check the security of all your passwords.</p> <img src='https://blog.1password.com/posts/2018/b5-wt-2/dashboard.png' alt='Watchtower report' title='Watchtower report' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>With a click of a button, Watchtower audits your passwords against a wide range of security vulnerabilities giving you an easy to read report with simple steps on how to fix any issues it finds.</p> <p>Let’s take a look at some of the defences.</p> <h2 id="on-the-lookout-for-breaches">On the lookout for breaches</h2> <p>Watchtower will automatically notify you 
if there’s been a security breach for a website you use. A bright red bar that’s pretty darn hard to miss will display across the top of the item, prompting you to <a href="https://support.1password.com/change-website-password/">change the password</a> for that site.</p> <img src='https://blog.1password.com/posts/2018/b5-wt-2/twitter-compromised.png' alt='Login showing a breach' title='Login showing a breach' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>Please excuse me while I hop away for a sec and go change that Twitter password. 😀</p> <h2 id="a-vanguard-for-pwned-passwords">A vanguard for pwned passwords</h2> <p>Watchtower can check your passwords to see if any have been exposed in a breach. Integrating with Troy Hunt’s <a href="https://haveibeenpwned.com/">haveibeenpwned.com</a> service, your passwords are checked against over 500 million exposed passwords, highlighting any that are found.</p> <img src='https://blog.1password.com/posts/2018/b5-wt-2/vulnerable-passwords.png' alt='Watchtower showing vulnerable passwords' title='Watchtower showing vulnerable passwords' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>To keep your passwords private, Troy <a href="https://blog.1password.com/finding-pwned-passwords-with-1password/">found a brilliant way</a> to check if passwords have been leaked without ever sending your password to his service.</p> <h2 id="strong-unique-passwords-are-your-greatest-defence">Strong, unique passwords are your greatest defence</h2> <p>Using strong, unique passwords for every website is your surest way to keep safe. When a website is breached and your password compromised, that password can be used to sign in to other websites that use the same one. 
If you’ve reused that password elsewhere, you’re putting all those sites at risk.</p> <p>Watchtower not only shows you which of your passwords should be stronger, it also alerts you when you’re using the same passwords for more than one website.</p> <img src='https://blog.1password.com/posts/2018/b5-wt-2/strength-meter.png' alt='Graph of password strengths' title='Graph of password strengths' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>Now would be a great time to use Watchtower to see if you reused your Twitter password for your bank account 😱</p> <h2 id="a-second-line-of-defence">A second line of defence</h2> <p>Enabling <a href="https://1password.com/features/two-factor-authentication/">two-factor authentication (2FA)</a> on websites is a great way to keep your accounts there safe. Watchtower will now let you know about websites you have saved in 1Password that support 2FA, but don’t have it enabled.</p> <img src='https://blog.1password.com/posts/2018/b5-wt-2/two-factor-available-notification.png' alt='Alert showing missing 2FA' title='Alert showing missing 2FA' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>This gives you the chance to enable 2FA for those sites. When you enable 2FA, make sure to <a href="https://support.1password.com/one-time-passwords/">keep the one-time password in 1Password</a>.</p> <h2 id="dont-get-caught-off-guard">Don’t get caught off guard</h2> <p>Watchtower not only looks out for your passwords, but for you as well. 
It will now warn you if one of your credit cards, driver’s licenses, or passports is expiring soon, making sure you aren’t scrambling to make last-minute arrangements.</p> <img src='https://blog.1password.com/posts/2018/b5-wt-2/expiring-soon.png' alt='Alert showing expiring passport' title='Alert showing expiring passport' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>Here in Canada you can’t travel internationally if your passport expires within 6 months, so this can be a real life saver if you have that long-planned vacation coming up soon.</p> <h2 id="try-today-with-your-1password-membership">Try today with your 1Password membership</h2> <p>Watchtower is available today, so it’s time to give it a try now!</p> <img src='https://blog.1password.com/posts/2018/b5-wt-2/generating-report.png' alt='Generating Watchtower report' title='Generating Watchtower report' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>Sign in to your <a href="https://start.1password.com/">1Password.com account</a>, select a vault, and click Watchtower in the sidebar to create your report. If you don’t have a 1Password membership, <a href="https://1password.com/pricing/">start a free 14-day trial</a> to get started.</p> <p>Oh, and don’t forget to change your Twitter password :)</p></description></item><item><title>How strong should your 1Password account password be? 
For World Password Day we’d like to know</title><link>https://blog.1password.com/how-strong-should-your-master-password-be-for-world-password-day-wed-like-to-know/</link><pubDate>Thu, 26 Apr 2018 00:00:00 +0000</pubDate><author>info@1password.com (Jeffrey Goldberg)</author><guid>https://blog.1password.com/how-strong-should-your-master-password-be-for-world-password-day-wed-like-to-know/</guid><description> <img src='https://blog.1password.com/posts/2018/world-password-day/header.png' class='webfeedsFeaturedVisual' alt='How strong should your 1Password account password be? For World Password Day we’d like to know' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Just how strong should a <a href="https://blog.1password.com/toward-better-master-passwords/">1Password account password</a> be? We recommend generating account passwords with our wordlist generator, four words long. This gets you something like “napery turnip speed adept”.</p> <p>Among other things, this gives you the chance to learn new words. My dictionary has now informed me that “napery” means household linens such as table cloths and napkins. But let me move on from obscure vocabulary to asking about 1Password account password strength: What we know about account password strength, what we would like to know about it, and how can we get expert password crackers to help us learn?</p> <p>That’s why we are announcing a password cracking challenge to be managed by Bugcrowd with cash rewards. First prize earns $8192, second prize is half of that, and third prize is half again. The race <del>will begin</del> has begun at noon Eastern Time on World Password Day, May 3, 2018. 
For those who want to jump right to the contest details, without reading the rest of this, you can head right over to our <a href="https://bugcrowd.com/agilebits">Bugcrowd brief</a> or to <a href="https://github.com/agilebits/crackme">our description</a>. The challenge <a href="https://github.com/agilebits/crackme/blob/master/password-day-2018.json">hashes/keys are now available</a>.</p> <img src='https://blog.1password.com/posts/2018/world-password-day/cracking-prizes.png' alt='Prizes' title='Prizes' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <h2 id="what-is-your-1password-account-password-for">What is your 1Password account password for?</h2> <p>Your 1Password account password is your defense against someone who manages to steal your encrypted 1Password data from your own machines. Your data on our machines is also protected by your <a href="https://support.1password.com/secret-key-security/">Secret Key</a>, making account password guessing futile. Unlike a human usable password, your Secret Key is completely unguessable, and that is what makes what is stored on 1Password.com uncrackable.</p> <img src='https://blog.1password.com/posts/2018/world-password-day/secret-key.png' alt='Sample Secret Key' title='Sample Secret Key' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>But your Secret Key does not protect you if data is stolen from your own devices because your Secret Key is stored on your own devices. Likewise, our <a href="https://blog.1password.com/multi-factor-authentication-in-1password/">Multi-Factor Authentication</a> only defends against attempts to connect to our systems. MFA doesn’t protect you from data acquired from your own machines. So when it comes to keeping 1Password data stored on your own machine from prying eyes, your account password is your defense. 
It needs to be as strong as you can reasonably use and it must be unique.</p> <p>Consider Molly (a not all that bright dog), who has a 1Password account password of “RabbitHunter#1”. She also has some very important Login items, such as her PawPal account within 1Password. Now suppose that Mr Talk (the neighbor’s cat) has contrived to steal data off of Molly’s laptop, including her encrypted 1Password data.</p> <p>Mr Talk will set up automated password guessing software to make many thousands of guesses per second. We can slow that down with PBKDF2, but Mr Talk is doing everything on his own machines and is not connecting to any of our systems. That is why MFA doesn’t do Molly any good in these circumstances. Now if Mr Talk has some expertise in password cracking and is willing to dedicate some computer power to this, he might be able to crack that account password within a few hours or maybe it would take a week. However long that takes is how much time Molly has to change her PawPal password and other passwords that she keeps in 1Password.</p> <img src='https://blog.1password.com/posts/2018/world-password-day/patty.png' alt='Dog holding stick representing a 1Password account password' title='Dog holding stick representing a 1Password account password' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>Let’s suppose that Mr Talk got Patty’s data as well. But Patty (a clever dog) used our <a href="https://1password.com/password-generator/">Strong Password Generator</a> and ended up with a 1Password account password of “saddle harass mod gunk”. Even if Mr Talk dedicated enormous amounts of computer resources to this, it would take decades or centuries to crack that. 
So Patty remains safe because she used a strong, randomly generated account password.</p> <p>Again, for Mr Talk to have a whisker of a chance of cracking any of these passwords, he’d need to get data directly from Patty and Molly’s system, which will also provide Mr Talk with their Secret Keys. Mr Talk would not be able to launch such an attack from data acquired from our systems.</p> <h2 id="reducing-the-guesswork-by-measuring-the-guessing-work">Reducing the guesswork by measuring the guessing work</h2> <p>How did I come up with saying “hours to a week” for Molly’s and “decades to centuries” for Patty’s? I did so with a lot of guesswork. But we’d like to improve on that guesswork, and the way to do that is to invite (incentivize) expert crackers to try to crack passwords and find out just how much work they have to put into it.</p> <p>Now if my guess about decades is anywhere on target for the four word password, that is simply too large of a challenge. So we are presenting a number of keys derived from three word passwords from our <a href="https://1password.com/password-generator/">password generator</a>. We are also <a href="https://github.com/agilebits/crackme">posting all the details</a> about how they were generated and the wordlist used.</p> <p>We are also simplifying some of the odd details of our key derivation function to focus solely on the 100,000 rounds of PBKDF2-HMAC-SHA256. This will make it easier for participants to get set up without really affecting the result of what we are trying to measure with this exercise.</p> <h2 id="we-want-winners">We want winners</h2> <p>We want people to win the prizes, and we want people going into this to know that we want people to win. 
Otherwise we wouldn’t get participants to put in the effort that we are trying to measure.</p> <p>So let me remind everyone again, the challenges that we have created here do not have the protection of the Secret Key and they are using 1Password account passwords that are at the weaker end of what we recommend. This contest simulates attacking only one single component of <a href="https://1password.com/security/">1Password security</a>.</p> <h2 id="knowing-your-system-is-a-good-thing">Knowing your system is a good thing</h2> <p>It’s been nearly seven years since we helped revive the notion of wordlist-based passwords with <a href="https://blog.1password.com/toward-better-master-passwords/">this article</a>. And one of the many virtues of generated passwords is that they remain strong even if the attacker knows how they were generated. So with that in mind, we are also <a href="https://github.com/agilebits/crackme">publishing the source</a> used to generate the challenges.</p> <h2 id="how-long-until-we-have-answers">How long until we have answers?</h2> <p>If we knew how much effort it takes to crack a three word password, we wouldn’t be giving away money to find out, would we? We also don’t know what kinds of resources people will throw at the problem. If people or teams dedicate fleets of hashing rigs to the problem they will find things more quickly than someone who just uses a couple of more ordinary computers.</p> <img src='https://blog.1password.com/posts/2018/world-password-day/mining-titan.png' alt='Mining Rig' title='Mining Rig' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <h3 id="money-is-time">Money is time</h3> <p>It may be more useful to ask about the cost of cracking a password versus how much time it takes. 
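</p> <p>To make the setup above concrete, here is an added example (not the contest’s own code, which lives in the crackme repository): it derives keys the way an offline attacker has to, with 100,000 rounds of PBKDF2-HMAC-SHA256 per guess, runs an exhaustive search over a constructed toy wordlist, and turns wordlist size, word count, guess rate and hourly cost into an expected cracking cost. The toy wordlist, the 16-byte salt, the 32-byte key length, and the wordlist size, guess rate and price used in the demo are assumptions, not measurements.</p>

```python
"""Offline guessing against a PBKDF2-HMAC-SHA256 challenge in the style of the crackme.

Added example, not the contest's own code. The salt, key length and the tiny
wordlist below are constructed for illustration; the real wordlist and the
exact challenge format are in the agilebits/crackme repository.
"""
import hashlib
import hmac
import itertools
import math
import secrets

ROUNDS = 100_000   # the round count the post says the challenge uses
KEY_LEN = 32       # derived-key length in bytes (assumption)

# Constructed toy wordlist so the search below finishes in seconds.
TOY_WORDLIST = ["adept", "gunk", "harass", "mod", "napery", "saddle", "speed", "turnip"]


def derive_key(password: str, salt: bytes, rounds: int = ROUNDS) -> bytes:
    """Password -> key, exactly the work an offline attacker must redo for every guess."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds, KEY_LEN)


def make_challenge(wordlist, words: int, rounds: int = ROUNDS, salt=None):
    """Pick `words` random words (as the generator does); publish only salt, rounds and key."""
    salt = secrets.token_bytes(16) if salt is None else salt
    password = " ".join(secrets.choice(wordlist) for _ in range(words))
    return {"salt": salt, "rounds": rounds, "key": derive_key(password, salt, rounds)}, password


def crack(challenge, wordlist, words: int):
    """Exhaustive search over len(wordlist)**words candidates.
    Returns (password or None, number of guesses made)."""
    guesses = 0
    for combo in itertools.product(wordlist, repeat=words):
        guesses += 1
        candidate = " ".join(combo)
        key = derive_key(candidate, challenge["salt"], challenge["rounds"])
        if hmac.compare_digest(key, challenge["key"]):
            return candidate, guesses
    return None, guesses


def passphrase_bits(wordlist_size: int, words: int) -> float:
    """Entropy of a uniformly generated passphrase; knowing the wordlist does not lower it."""
    return words * math.log2(wordlist_size)


def expected_guesses(wordlist_size: int, words: int) -> float:
    """Average-case work: half the keyspace."""
    return wordlist_size ** words / 2


def cost_to_crack(wordlist_size: int, words: int,
                  guesses_per_second: float, dollars_per_hour: float) -> float:
    """Expected dollars to recover one passphrase at a given guess rate and hourly rig cost."""
    hours = expected_guesses(wordlist_size, words) / guesses_per_second / 3600
    return hours * dollars_per_hour


if __name__ == "__main__":
    challenge, secret = make_challenge(TOY_WORDLIST, words=2, rounds=1_000)
    found, n = crack(challenge, TOY_WORDLIST, words=2)
    print(f"recovered {found!r} after {n} guesses (secret was {secret!r})")
    # Illustrative inputs, not measurements: an assumed 18,328-word list, an assumed
    # 10,000 PBKDF2(100k)/s per rig and $0.50 per rig-hour. Plug in your own numbers.
    print(f"3 words: {passphrase_bits(18_328, 3):.1f} bits, "
          f"~${cost_to_crack(18_328, 3, 10_000, 0.50):,.0f} expected")
```

<p>The search is embarrassingly parallel and the attacker is assumed to know the wordlist, so the only knobs that matter are the keyspace (wordlist size to the power of the word count) and the cost per guess set by the round count; that is why the challenge can publish its generator without weakening the passwords.</p> <p>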
In any particular cracking attempt there will be some combination of fixed costs and variable costs ranging from developing the expertise and equipment depreciation to the cost of the electricity used to run and cool the machines. We want to develop an estimate that considers the total cost. So we hope that the challenge takes long enough that the results will show a useful mixture of fixed and variable costs.</p> <p>We’ve also structured the contest as a race. The first to find a password will earn <del>$8192</del> $12288, while the second place prize is <del>$2048</del> $8192. The third place prize is <del>$1024</del> $6144, and the fourth place prize is $4096.</p> <p>My own wild guess is that it could take anywhere between $250 and $2000 worth of effort to crack one of these three word passwords from our list, and so we’re offering a first prize that is double the higher end guess. This way it should be worth their time to switch some of their coin mining rigs over to password cracking.</p> <p><strong>Update:</strong> Nearly three months into the contest it is clear that I underestimated the cost. We have increased the prizes twice by now (July 26, 2018), and are still not certain that it is enough. <a href="https://1password.community/discussion/89318/world-password-day-cracking-challenge">Join us and participants in the forums</a> for discussion of updates in cost estimates and how we may ensure that this challenge is worthwhile to participants.</p> <h2 id="what-now">What now?</h2> <p>If you would like to participate, head over to Bugcrowd for <a href="https://bugcrowd.com/agilebits">the official rules</a> and to get set up with them if you are not already a Bugcrowd researcher, as all submissions will go through them. 
Details can also be found in our <a href="https://github.com/agilebits/crackme">crackme challenge Github repository</a>.</p> <p>If you’d like to just follow along at home before and after the starting gun on World Password Day, keep following us on <a href="https://twitter.com/1Password">Twitter</a>, <a href="https://facebook.com/1Password">Facebook</a>, or your favorite place to do such things. And if you would like to discuss things further, just join us in our discussion forums. We’ve set up a specific discussion in our <a href="https://1password.community/discussion/89318/world-password-day-cracking-challenge">Lounge</a> for this discussion.</p></description></item><item><title>Multi-Factor Authentication in 1Password</title><link>https://blog.1password.com/multi-factor-authentication-in-1password/</link><pubDate>Wed, 25 Apr 2018 00:00:00 +0000</pubDate><author>info@1password.com (Rick Fillion)</author><guid>https://blog.1password.com/multi-factor-authentication-in-1password/</guid><description> <img src='https://blog.1password.com/posts/2018/mfa/header.png' class='webfeedsFeaturedVisual' alt='Multi-Factor Authentication in 1Password' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">The more the merrier, my mother likes to say. And why shouldn’t that apply to authentication factors? You have your Master Password and Secret Key, and they’re combined to be one amazingly strong factor via <a href="https://blog.1password.com/developers-how-we-use-srp-and-you-can-too/">Secure Remote Password</a>. 
We’ve added two more to the guest list, and you get to invite whichever you’d like.</p> <h2 id="contents">Contents</h2> <ul> <li> <p><a href="#two-factor-authentication">Two-Factor Authentication</a></p> </li> <li> <p><a href="#duo-security">Duo Security</a></p> </li> <li> <p><a href="#another-layer-of-protection">Another layer of protection</a></p> </li> <li> <p><a href="#supported-across-all-1password-apps">Supported across all 1Password apps</a></p> </li> </ul> <h2 id="two-factor-authentication">Two-Factor Authentication</h2> <p>Two-factor authentication in 1Password is implemented with <a href="https://blog.1password.com/totp-and-1password/">Time-based One-Time Passwords.</a> Time-based One-Time Passwords is a mouthful, so forgive me for abbreviating it to TOTP from here on out. TOTP is a widely adopted standard and it’s a great way of adding a familiar additional factor to your authentication process.</p> <p>When setting up two-factor authentication, you’ll be provided with a TOTP secret that you can store in an authenticator app of your choosing. 1Password has been a TOTP authenticator for years now and storing it there is very convenient, but we recommend also storing it in an authenticator app like <a href="https://authy.com/">Authy</a>. Ideally you’d store it in both so you have access to it when needed. When it comes to backups, the more the merrier, just like Mom said! 🙂</p> <p>Any time you sign in to your account from a new device you’ll be prompted for a one-time password. Use the authenticator app to get the current one-time password, punch it in and you’re off to the races.</p> <img src='https://blog.1password.com/posts/2018/mfa/two-factor.png' alt='1Password Two Factor Authentication page' title='1Password Two Factor Authentication page' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p><a href="https://support.1password.com/two-factor-authentication/">Turning on two-factor authentication is a breeze</a>. 
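</p> <p>What the authenticator app and the server each compute from that TOTP secret, as an added example rather than 1Password’s own code: RFC 6238 TOTP built on RFC 4226 HOTP, a verifier that tolerates one step of clock drift and compares in constant time, and a parser for the otpauth URI carried in an enrollment QR code. The sample secret and URI fields are constructed; the arithmetic is checked against the RFC test vectors.</p>

```python
"""Time-based one-time passwords (RFC 6238, built on HOTP from RFC 4226).

Added example, not 1Password's authenticator code. The otpauth URI and the
base32 secret used in the demo are constructed for illustration.
"""
import base64
import hmac
import struct
import time
import urllib.parse
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F                       # low nibble of the last byte picks 4 bytes
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, timestamp: Optional[float] = None, step: int = 30,
         digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 6238 TOTP: the counter is the number of `step`-second windows since the Unix epoch."""
    now = time.time() if timestamp is None else timestamp
    return hotp(secret, int(now // step), digits, algorithm)


def verify_totp(secret: bytes, code: str, timestamp: Optional[float] = None, window: int = 1,
                step: int = 30, digits: int = 6, algorithm: str = "sha1") -> bool:
    """Server side: accept the current window and `window` steps either side for clock drift,
    comparing in constant time. A real server must also refuse a code it has already accepted."""
    now = time.time() if timestamp is None else timestamp
    counter = int(now // step)
    return any(
        hmac.compare_digest(hotp(secret, counter + delta, digits, algorithm), code)
        for delta in range(-window, window + 1)
    )


def decode_base32_secret(text: str) -> bytes:
    """Enrollment secrets are shown as unpadded base32, often grouped with spaces; normalize them."""
    cleaned = text.replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


def parse_otpauth_uri(uri: str) -> dict:
    """Parse an otpauth://totp/<label>?secret=...&digits=...&period=...&algorithm=... URI."""
    parts = urllib.parse.urlsplit(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    params = dict(urllib.parse.parse_qsl(parts.query))
    return {
        "label": urllib.parse.unquote(parts.path.lstrip("/")),
        "secret": decode_base32_secret(params["secret"]),
        "digits": int(params.get("digits", 6)),
        "period": int(params.get("period", 30)),
        "algorithm": params.get("algorithm", "SHA1").lower(),
    }


# RFC 6238 Appendix B test secret (ASCII "12345678901234567890"), for checking the implementation.
RFC_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    # Constructed enrollment URI, the kind of thing a QR code carries.
    enrolled = parse_otpauth_uri(
        "otpauth://totp/Example:alice@example.com?secret=JBSWY3DPEHPK3PXP&issuer=Example")
    code = totp(enrolled["secret"], digits=enrolled["digits"], step=enrolled["period"])
    print("current code:", code, "verifies:", verify_totp(enrolled["secret"], code))
```

<p>The window only buys tolerance for clock skew between the phone and the server; a server must also remember the last accepted counter and reject a replayed code, which is why the secret, not the six digits, is the thing to back up.</p> <p>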
All you need to do is go to <a href="https://start.1password.com/profile">My Profile</a>, choose ‘More Actions’ on the action bar on the left, then ‘Turn On Two-Factor Authentication’. From there instructions will have you set up in no time. Just make sure that you keep your TOTP secret safe as it’s going to be required any time you sign in from a new device.</p> <h2 id="duo-security">Duo Security</h2> <p><a href="https://duo.com/">Duo Security</a> is a slightly different approach to protecting accounts and has been available as a beta feature in 1Password for a number of months. The feedback we’ve gotten from it has been unanimously positive, and Duo is now available for anyone using 1Password Teams or <a href="https://1password.com/business/">1Password Business</a>. The best part of Duo is that once configured by an administrator it will automatically apply to all members of the team.</p> <p>When you sign in to 1Password, you’ll be prompted to send a push notification to your mobile device where you can either allow or deny the request to sign in.</p> <img src='https://blog.1password.com/posts/2018/mfa/duo-mac.png' alt='Duo &#43; 1Password for Mac' title='Duo &#43; 1Password for Mac' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>Duo is a great option if you’re looking to enforce the use of an additional factor across a whole team.</p> <h2 id="another-layer-of-protection">Another layer of protection</h2> <p>The awesome part about these additional factors during authentication is that they get to stand on the shoulders of <a href="https://blog.1password.com/developers-how-we-use-srp-and-you-can-too/">Secure Remote Password</a>. The SRP handshake needs to occur and all additional factor requests get the benefits of that secure channel. Without SRP the same attacks that could disclose your password to an attacker eavesdropping on a connection could also disclose your additional authentication factor. 
SRP protects both your password and the additional factor. This also means that enabling two-factor authentication or Duo does not mean that you can have a weaker Master Password. They protect against very different things, and your Master Password is ultimately what’s protecting your data.</p> <h2 id="supported-across-all-1password-apps">Supported across all 1Password apps</h2> <p>We’ve rolled out support for both Duo and TOTP in all of our apps. Windows, Mac, iOS, Android, Web, and Chrome. We’ve even added both to our <a href="https://1password.com/downloads/command-line/">1Password CLI tool</a>, and it’s pretty amazing to have a terminal emulator trigger a push notification to my iPhone. Just make sure that you’re using the latest versions of our apps and you’ll be set.</p></description></item><item><title>Meet the team that builds 1Password.com</title><link>https://blog.1password.com/meet-the-team-that-builds-1password-com/</link><pubDate>Mon, 23 Apr 2018 00:00:00 +0000</pubDate><author>info@1password.com (Rick Fillion)</author><guid>https://blog.1password.com/meet-the-team-that-builds-1password-com/</guid><description> <img src='https://blog.1password.com/posts/2018/rickconf/header.png' class='webfeedsFeaturedVisual' alt='Meet the team that builds 1Password.com' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Last week found a number of us flying out to Toronto for what we called RickConf (I swear I didn’t name it!). The weather did its best to try to get in our way as the ice storm caused some of us to arrive a day later than expected. 
We all made it though, and I think we all took turns assuring the Californians that this weather is not normal.</p> <img src='https://blog.1password.com/posts/2018/rickconf/electric-logo.png' alt='RickConf &#39;Logo&#39;' title='RickConf &#39;Logo&#39;' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>RickConf was an opportunity for everyone that works on 1Password.com to get together, hang out, and prototype some ideas for the future. 1Password is a remote company, so this is one of the few times per year where the whole team gets together. We think that it’s incredibly important that we get to know each other beyond the avatars we have on Slack.</p> <p>I’d like to introduce you to the team, and help put faces to names you may have seen when emailing in with questions.</p> <img src='https://blog.1password.com/posts/2018/rickconf/team.jpg' alt='1Password.com Team Photo' title='1Password.com Team Photo' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>From left to right we have Jiannine, Jasper, Jacob, Betty, Rob, Meek, Brett, Isha, Connor, Matt, and finally myself. Not pictured here are Shiner and Roustem who are an absolutely critical part of our team, and spent the week with us as well.</p> <p>Our team is responsible for the 1Password.com service which includes:</p> <ul> <li>The server app that stores all of your encrypted secrets and coordinates the syncing of that data across all of your apps.</li> <li>The web app that allows you to manage your account as well as view and edit the contents of your vaults.</li> <li>The command-line utility that provides a way to programmatically interact with your account.</li> <li>And finally the SCIM bridge that allows you to connect an identity provider like Azure Active Directory to your 1Password.com account for automated user provisioning and deprovisioning.</li> </ul> <p>Last week we prototyped some new ideas for each of those four projects. 
I won’t go into what those were, but I’m super excited for us to polish up that code and get it into your hands.</p></description></item><item><title>Introducing 1Password Business</title><link>https://blog.1password.com/introducing-1password-business/</link><pubDate>Tue, 03 Apr 2018 00:00:00 +0000</pubDate><author>info@1password.com (Jeff Shiner)</author><guid>https://blog.1password.com/introducing-1password-business/</guid><description> <img src='https://blog.1password.com/posts/2018/business-intro/header.png' class='webfeedsFeaturedVisual' alt='Introducing 1Password Business' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Since 2015, over 30,000 businesses have signed up for 1Password Teams and discovered how 1Password can help them be secure while also increasing their productivity.</p> <p>We’ve learned a lot by working with these companies and found that what works for a team of 20 doesn’t necessarily work for a company of 20,000. So we got to work.</p> <p>Today, I am thrilled to announce the results of that work: <a href="https://1password.com/business/">1Password Business</a>. 🎉</p> <img src='https://blog.1password.com/posts/2018/business-intro/team-vaults.jpg' alt='Introducing 1Password Business' title='Introducing 1Password Business' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>1Password Business provides the features you need as a larger team. It gives you the tools to protect your employees, secure your most important data, and stay compliant. Your administrators will love it for the control it gives them, and your employees will love how easy it is to use.</p> <h2 id="control-access-and-be-compliant">Control access and be compliant</h2> <p>GDPR, HIPAA, SOC2, PCI, PIPEDA… man, there’re enough compliance requirements to make your head spin.</p> <p>Thankfully, 1Password helps by keeping you in control of who has access to what. 
Each employee gets a place to store their private, work-related passwords. But there are times when passwords need to be shared. For those times, it’s easy to share passwords with only the people who need them.</p> <p><strong>Fine-grained permissions</strong> – give employees exactly the access they need.</p> <p><strong>Custom Groups and Roles</strong> – organize your staff and their access.</p> <p><strong>Device Restrictions</strong> – limit where access is granted.</p> <p><strong>Managed <a href="https://1password.com/features/travel-mode/">Travel Mode</a></strong> – restrict employee access when travelling.</p> <img src='https://blog.1password.com/posts/2018/business-intro/devops-access.jpg' alt='Managing access to a shared vault' title='Managing access to a shared vault' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>We ourselves are growing quickly and long gone are the days where everyone worked on every project. We are looking to hire another 100 people this year, and 1Password helps us stay compliant with our SOC2 requirements as we grow.</p> <h2 id="automated-provisioning">Automated provisioning</h2> <p>Sometimes you are growing so fast, or have gotten so large, that no matter how simple the onboarding steps, they just aren’t fast enough. 
In these cases automation comes to your rescue.</p> <p><strong>Active Directory Integration</strong> – automate provisioning and de-provisioning.</p> <p><strong>Okta Integration</strong> – allow Okta to manage your team for you.</p> <p><strong>Command line Integration</strong> – integrate 1Password into your custom business flows.</p> <img src='https://blog.1password.com/posts/2018/business-intro/active-directory.jpg' alt='Provisioning and deprovisioning with Active Directory' title='Provisioning and deprovisioning with Active Directory' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>Now that we are starting to use Azure AD ourselves, onboarding those next 100 people should be a breeze. 😉</p> <h2 id="adding-a-second-third-factor">Adding a <del>second</del> third factor</h2> <p>1Password protects your passwords behind both your Master Password and your Secret Key. Now you can add yet another layer of protection with our multi-factor authentication (MFA) support.</p> <p>Team members can turn on two-factor authentication to further protect their 1Password accounts. Or, if your company uses <a href="https://duo.com/docs/1password">Duo</a>, you can require its use for your entire team.</p> <img src='https://blog.1password.com/posts/2018/business-intro/mfa.png' alt='Multi-factor authentication screen during sign in' title='Multi-factor authentication screen during sign in' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <h2 id="advanced-auditing-and-reporting">Advanced auditing and reporting</h2> <p>In 1Password Business, we’ve created some super useful reports for you and your administrators. 
It’s never been easier to keep track of everything happening on your team.</p> <p><strong>Employee Access Report</strong> – see which <a href="https://1password.com/features/secure-password-sharing/">shared passwords</a> an employee has used.</p> <p><strong>Shared Password Report</strong> – audit shared passwords to see who has used them.</p> <p><strong>Activity Log</strong> – review administrative actions taken by your team.</p> <p><strong>Action Dashboard</strong> – view activities that are awaiting your action.</p> <img src='https://blog.1password.com/posts/2018/business-intro/employee-report.png' alt='Employee access report' title='Employee access report' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <h2 id="free-family-accounts">Free family accounts</h2> <img src='https://blog.1password.com/posts/2018/business-intro/free-family-account.png' alt='Worth more than $50 per user' title='Worth more than $50 per user' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>Your business data is only as safe as your employees’ habits. If anyone brings unsafe password habits from home into your work environment, they put your entire business at risk. Now, you can protect your business by keeping those you work with safe at home.</p> <p>With 1Password Business, each employee on your team gets a free <a href="https://1password.com/personal/">1Password Families</a> membership. This way they can learn the habits they need to protect themselves and your company.</p> <h2 id="try-1password-business-today">Try 1Password Business today</h2> <p>Sign up today for a free 14 day trial and see for yourself how 1Password can help your company. 
Your data will be more secure and your employees more productive than ever.</p> <p><a href="https://1password.com/business-pricing/">Sign up for 1Password Business</a></p> <p>If you have any questions or would like to schedule a demo, <a href="mailto:business@1password.com">contact our business team</a>. We’ll be happy to show you how 1Password can work for your business. After using 1Password for a few weeks at your company I promise you’ll wonder how you ever lived without it!</p></description></item><item><title>MyFitnessPal Shows How to Handle a Breach</title><link>https://blog.1password.com/myfitnesspal-shows-how-to-handle-a-breach/</link><pubDate>Mon, 02 Apr 2018 00:00:00 +0000</pubDate><author>info@1password.com (Dave Teare)</author><guid>https://blog.1password.com/myfitnesspal-shows-how-to-handle-a-breach/</guid><description> <img src='https://blog.1password.com/posts/2018/myfitnesspal/header.png' class='webfeedsFeaturedVisual' alt='MyFitnessPal Shows How to Handle a Breach' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">We all witnessed something refreshing last week when MyFitnessPal announced their data breach. They were open and honest about what happened and they should be congratulated.</p> <p>Many companies hide from the truth and make things much worse for themselves and their customers. Instead, MyFitnessPal did it right. Not only did they handle the disclosure with finesse, they also had excellent systems in place to limit the exposure of the leak.</p> <p>MyFitnessPal provides a great case study on how to handle a data breach and protect customer information. Let’s start with the announcement itself.</p> <h2 id="the-announcement">The Announcement</h2> <p>First it needs to be said that it was awesome that there actually was an announcement and that it was published in a timely manner. 
This is a very good thing!</p> <p>There was an <a href="https://content.myfitnesspal.com/security-information/notice.html">in-app notification</a>, <a href="https://content.myfitnesspal.com/security-information/notice.html">direct emails</a>, and a <a href="https://twitter.com/MyFitnessPal/status/979751327612911617">pinned Twitter post</a>.</p> <img src='https://blog.1password.com/posts/2018/myfitnesspal/in-app-notification.jpeg' alt='In app notification about the MyFitnessPal data breach' title='In app notification about the MyFitnessPal data breach' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <img src='https://blog.1password.com/posts/2018/myfitnesspal/pinned-tweet.jpeg' alt='A pinned Tweet from MyFitnessPal announcing their data breach' title='A pinned Tweet from MyFitnessPal announcing their data breach' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>They also posted <a href="https://content.myfitnesspal.com/security-information/FAQ.html">Frequently Asked Questions</a> that were excellent and when I emailed their support team with some questions for this post, their automated reply included information about the breach and what they were doing to protect their customers.</p> <p>MyFitnessPal was incredibly open and transparent about everything and at no point did they try to hide details from their users, myself included! That allowed me to update my password and get on with my life.</p> <img src='https://blog.1password.com/posts/2018/myfitnesspal/1password-x-change-password.jpeg' alt='A 1Password X update password prompt after changing the password on MyFitnessPal' title='A 1Password X update password prompt after changing the password on MyFitnessPal' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>I wasn’t overly attached to <code>qdd84b7UayEwM9J6dZV</code> anyway so I didn’t mind changing it. 
And since I only used this password on <a href="https://www.myfitnesspal.com/">myfitnesspal.com</a> I didn’t need to update any other websites.</p> <p>Strong unique passwords FTW! 🙂</p> <h2 id="secure-handling-of-passwords">Secure Handling of Passwords</h2> <p>Equally commendable was how MyFitnessPal stored passwords in their systems. Or more to the point, how they didn’t store passwords.</p> <p>Many sites choose to store the plain text password, which is bad. The fact that <a href="https://haveibeenpwned.com/">Have I Been Pwned?</a> now has over half a <em>billion</em> plain text passwords in their database shows how prevalent this horribly bad practice is.</p> <p>MyFitnessPal was much smarter than that as they never stored the actual password. Instead they stored a hash of the password, most of which were created using <a href="https://en.wikipedia.org/wiki/Bcrypt">bcrypt</a>. Our Chief Defender Against the Dark Arts <a href="https://blog.1password.com/bcrypt-is-great-but-is-password-cracking-infeasible/">wrote at length</a> about bcrypt and how it can be used to protect user passwords.</p> <p>It’s possible to go even further than bcrypt and avoid sending passwords to the server by using <a href="https://blog.1password.com/developers-how-we-use-srp-and-you-can-too/">Secure Remote Password</a>. We use this in 1Password and are <a href="https://blog.1password.com/developers-how-we-use-srp-and-you-can-too/">quite smitten with it</a>.</p> <h2 id="avoiding-other-sensitive-information">Avoiding Other Sensitive Information</h2> <p>The other smart thing MyFitnessPal does that should be commended is collecting and storing the minimum amount of data. From their FAQ:</p> <blockquote> <p>The affected data did not include government-issued identifiers (such as Social Security numbers and driver’s license numbers) because we don’t collect that information from users. 
Payment card data was not affected because it is collected and processed separately.</p> </blockquote> <p>The easiest way to protect data is to <em>not</em> have it in the first place! We follow a similar mentality in 1Password and it’s refreshing to see other companies taking security and privacy seriously.</p> <p>MyFitnessPal made some excellent design choices and quickly organized an effective response to a bad situation.</p> <p>For those looking to learn more about the MyFitnessPal breach, Troy Hunt started his <a href="https://www.troyhunt.com/weekly-update-80/">Weekly Update 80</a> with a full discussion on the subject that I found very intriguing, especially the strategy for migrating from SHA-1 hashes to bcrypt.</p> <p>P.S. A great deal of this post was inspired by an incredible letter I received from Benjamin Fox about how unique passwords helped him quickly recover from the MyFitnessPal breach. Thank you for the inspiration, Benjamin! ❤</p> <blockquote> <p>Hi Dave,</p> <p>I know you get hundreds of emails but I can’t help but send this email. I received an email from MyFitnessPal today and of course the news-breaking headlines.</p> <p>In reading the email, I simply smiled. Headed to my 1Password vault and checked the password.</p> <p>Sure enough, there was a 40-character, numbers + symbols password. I smiled smugly and thought of you.</p> <p>Your amazing product keeps my data safe every single day. I have not one single duplicated password. Back about 4 years ago I spent the entire weekend updating 200 plus sites with a unique password (MyFitnessPal being one of them).</p> <p>I have recommended so many people to your platform knowing that you have an amazing product and just as importantly, a fantastic support team.</p> <p>Take care my friend and I send you a warm-hearted thanks from Darwin, Northern Territory, Australia!</p> <p>Keep doing what you’re doing!<br> Benjamin Fox.</p> </blockquote> <p>We really do have the best users in the world. 
😘</p></description></item><item><title>The 1Password 7 Beta for Mac Is Lit and You Can Be, Too</title><link>https://blog.1password.com/the-1password-7-beta-for-mac-is-lit-and-you-can-be-too/</link><pubDate>Wed, 28 Mar 2018 00:00:00 +0000</pubDate><author>info@1password.com (Dave Teare)</author><guid>https://blog.1password.com/the-1password-7-beta-for-mac-is-lit-and-you-can-be-too/</guid><description> <img src='https://blog.1password.com/posts/2018/opm7.0-beta/header.png' class='webfeedsFeaturedVisual' alt='The 1Password 7 Beta for Mac Is Lit and You Can Be, Too' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Guess what, Mac fam? <strong>1Password 7 for Mac is on its way!</strong> 🎉👏</p> <p>This first beta is just a taste of what’s to come and it’s already packed full of new features and improvements. Here’s what we have so far.</p> <h2 id="beta-bling">Beta bling</h2> <img src='https://blog.1password.com/posts/2018/opm7.0-beta/locked.png' alt='1Password main window while locked' title='1Password main window while locked' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>The awesome starts with the lock screen but the real magic happens when those doors open.</p> <h3 id="enhanced-sidebar">Enhanced sidebar</h3> <p>1Password 7 comes at you fast with its bold, beautiful sidebar. The sidebar shows more information than ever, but the dark theme and monochrome icons allow you to focus your attention on what matters most: <em>your items</em>.</p> <img src='https://blog.1password.com/posts/2018/opm7.0-beta/main-window.png' alt='1Password main window while unlocked' title='1Password main window while unlocked' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <h3 id="drag-and-drop">Drag and drop</h3> <p>You can now see all your vaults in the sidebar. This makes it easy to drag and drop items between vaults to organize them. 
You can even drag them between two different accounts. And if you drag items onto New Vault, a vault will be created for you right there and then. It’s never been easier to share and organize your information.</p> <img src='https://blog.1password.com/posts/2018/opm7.0-beta/sidebar-vaults.png' alt='1Password sidebar with vaults revealed' title='1Password sidebar with vaults revealed' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <h3 id="easily-edit-vaults">Easily edit vaults</h3> <p>With the new sidebar it seemed fitting to allow you to manage your vaults directly from there. So that’s what we did. Edit vault names, change their descriptions, choose an avatar or upload your own. All without ever leaving 1Password.</p> <img src='https://blog.1password.com/posts/2018/opm7.0-beta/edit-vaults.png' alt='Edit vault window' title='Edit vault window' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <h3 id="rich-formatting-in-notes">Rich formatting in notes</h3> <p>Are you feeling <strong>bold</strong>? How about <em>emphatic</em>? You can now express your emotions in <a href="https://1password.com/features/secure-notes/">secure notes</a>. Use Markdown in any of your notes to add clickable links, ordered and unordered lists, and eye catching styles.</p> <img src='https://blog.1password.com/posts/2018/opm7.0-beta/rich-formatting.png' alt='A Secure Note with richly formatted text' title='A Secure Note with richly formatted text' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <h3 id="nested-tags">Nested tags</h3> <p>Tag fanatics rejoice! Not only can you organize your items with tags but you can also organize your tags. 
There’s an Inception joke here somewhere; while you wait for me to find it, add a forward slash to your tag names and 1Password will do the rest.</p> <img src='https://blog.1password.com/posts/2018/opm7.0-beta/nested-tags.png' alt='Sidebar with nested tags showing' title='Sidebar with nested tags showing' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <h3 id="pop-out-items">Pop-out items</h3> <p>If you use lots of different apps on your Mac or enjoy viewing multiple items at once, you’re going to love this: click the <img src="https://blog.1password.com/posts/2018/opm7.0/inline-pop-out-icon.png" alt="Pop out toolbar icon"> icon on the toolbar and your item details are whisked away into a new sticky window that will stick around until you dismiss it.</p> <img src='https://blog.1password.com/posts/2018/opm7.0-beta/popout-items.png' alt='A separate window showing an iTunes login' title='A separate window showing an iTunes login' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <h3 id="our-own-font-courier-prime-bits">Our own font: Courier Prime Bits</h3> <p>No design is ever complete without finding the perfect font. We’ve added a beautiful custom font created specifically for 1Password called Courier Prime Bits (based on the lovely <a href="https://quoteunquoteapps.com/courierprime/">Courier Prime</a>). <a href="https://runningshot.com/">Alan Dague-Greene</a> is the creative genius behind this font and it makes your passwords look alive.</p> <img src='https://blog.1password.com/posts/2018/opm7.0-beta/font.png' alt='A password shown in Large Type' title='A password shown in Large Type' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <h3 id="finding-pwned-passwords-">Finding pwned passwords 🕵🏼♀️</h3> <p>Troy Hunt has collected more than 500 million passwords from various breaches in his <a href="https://haveibeenpwned.com/">Have I Been Pwned?</a> database. 
Easily check if your password is among them.</p> <img src='https://blog.1password.com/posts/2018/opm7.0-beta/hibp-change-password.png' alt='A login item whose password is in Troy Hunt&#39;s Have I Been Pwned database' title='A login item whose password is in Troy Hunt&#39;s Have I Been Pwned database' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <h3 id="secure-enclave-for-touch-id">Secure Enclave for Touch ID</h3> <p>Secure Enclave protects your Master Password when <a href="https://1password.com/mac/">Touch ID</a> is enabled. This greatly improves your security when using Touch ID because the encryption keys are protected by the hardware in your Mac and are not accessible to any other programs or the operating system.</p> <h3 id="safari-app-extension">Safari App Extension</h3> <p>Our Safari extension now comes built into 1Password 7. There’s no need to manage it separately: it updates whenever 1Password updates, and it’s more secure to boot!</p> <h3 id="single-process-architecture">Single process architecture</h3> <p>We completely rearchitected 1Password 7 to run within a single process. This eliminates connection issues between the main app and mini, greatly speeds up loading, and improves performance everywhere.</p> <h3 id="grab-bag-of-lit-ness">Grab bag of lit-ness</h3> <img src='https://blog.1password.com/posts/2018/opm7.0-beta/collapsed-sidebar.png' alt='An item list shown with a collapsed sidebar' title='An item list shown with a collapsed sidebar' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>The changelog for beta 1 is huge. Coming in at nearly 100 additional features and improvements, it’s literally <a href="https://app-updates.agilebits.com/product_history/OPM7">too much to read</a>. 
Here are the CliffsNotes (or <a href="https://en.wikipedia.org/wiki/Coles_Notes">Coles Notes</a> if you’re reppin’ Canada):</p> <ul> <li>Collapse the sidebar entirely so your items get all the love</li> <li>Share vaults directly from the sidebar</li> <li>Easily see your currently selected vault and account</li> <li>Login details now highlight one-time passwords</li> <li>Tags are monogrammed with their initials</li> <li>Select which vaults to focus on right from the sidebar</li> <li>Quickly find items with our new Spotlight integration</li> <li>Use Handoff to view iOS items right from your Dock</li> <li>Login icons have never looked better</li> </ul> <h2 id="get-it-now">Get it now</h2> <p>Getting lit with beta 1 is easy!</p> <p><del>Download 1Password 7 Beta For Mac</del></p> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div class="c-technical-aside-box__description"> <p>Editor&rsquo;s note: this beta is no longer available. <a href="https://1password.com/downloads/">Learn how to get started with 1Password 8</a>!</p> </div> </aside> <p>1Password 7 is included free for everyone with a 1Password membership. Simply unlock 1Password after downloading and you’re good to go.</p> <p>Those of you with a standalone license for version 6 will be prompted to subscribe or purchase a license when the beta first opens. Licenses will be available for $64.99 when we launch later this year, but are available now for only $39.99. You can also try a membership and start enjoying 1Password 7 today with your first month free.</p> <p>We’re looking forward to sharing more surprises with you on our journey towards 1Password 7. In the meantime, please join us in our <a href="https://1password.community/categories/1password-mac-beta">beta forums</a> and help craft the future of 1Password. We always love hearing from you. 
😘</p> <img src='https://blog.1password.com/posts/2018/opm7.0-beta/footer.png' alt='1Password 7 sitting on a hill, basking in the sunshine, getting ready for launching later this year.' title='1Password 7 sitting on a hill, basking in the sunshine, getting ready for launching later this year.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>P.S. This post was heavily inspired by asking the question that we should all ask ourselves from time to time: <em>what would Drake say</em>? I think I got close but if you know <a href="https://www.facebook.com/Drake/">Drake</a>, please ask and let me know. 🙂</p></description></item><item><title>Introducing 1Password 7 Beta for Windows</title><link>https://blog.1password.com/introducing-1password-7-beta-for-windows/</link><pubDate>Tue, 20 Mar 2018 00:00:00 +0000</pubDate><author>info@1password.com (Dave Teare)</author><guid>https://blog.1password.com/introducing-1password-7-beta-for-windows/</guid><description> <img src='https://blog.1password.com/posts/2018/opw7.0-beta/header.png' class='webfeedsFeaturedVisual' alt='Introducing 1Password 7 Beta for Windows' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">1Password 7 for Windows is almost here! 🎉🙌 Today marks our first beta and you’re invited to join in on the fun.</p> <p>This is a massive release where quite literally <em>everything</em> has changed. And with support for local vaults, <em>everyone</em> can enjoy the awesomeness that is 1Password 7 for Windows.</p> <p>Read on to see what all the hullabaloo is about and I think you’ll find our excitement is quite contagious. 
🙂</p> <h2 id="incredible-new-design">Incredible New Design</h2> <p>Our design team has been working their tails off making 1Password 7 for Windows the best it can be, so it seems fitting that we start by showing how great 1Password 7 <em>looks</em>.</p> <p>The awesome starts with the lock screen.</p> <img src='https://blog.1password.com/posts/2018/opw7.0-beta/locked.jpeg' alt='1Password 7 Beta for Windows Lock Screen' title='1Password 7 Beta for Windows Lock Screen' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>Once you unlock 1Password with your Master Password (or Windows Hello), you’re in for a delightful surprise. I’ll let 1Password speak for itself here.</p> <img src='https://blog.1password.com/posts/2018/opw7.0-beta/unlocked.jpeg' alt='Main window view from 1Password 7 Beta for Windows' title='Main window view from 1Password 7 Beta for Windows' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>From the typography to the rich icons to the layout, everything has changed. Yet the soul of 1Password remains, so you’re able to jump right in and find everything you need.</p> <p>The new sidebar is not only gorgeous but it’s more powerful, too. It allows you to navigate between your categories and tags just like you always could, but now your vaults live there as well.</p> <h2 id="all-your-vaults-all-in-one-place">All your vaults, all in one place</h2> <img src='https://blog.1password.com/posts/2018/opw7.0-beta/vault-sidebar.jpeg' alt='Easily browse account vaults and standalone vaults with 1Password 7 Beta for Windows' title='Easily browse account vaults and standalone vaults with 1Password 7 Beta for Windows' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>Organizing your items into vaults is a great way to keep your items tidy and share them with those who need them.</p> <p>Vaults are so nice that you’ll find yourself adding lots of them. 
Thankfully the sidebar makes it easy to see every vault you have at a glance. If you want to zoom in and see all the items in a vault or an account, just click on it. When you’re ready to zoom out again, click All Vaults to see all your items.</p> <p>Between my AgileBits business and Teare family accounts, I now have over 50 vaults. Being able to switch between vaults and accounts makes it super simple to stay focused on the task at hand. Which is perfect for those days when I need to find my mom’s Pokémon password. 🙂</p> <h2 id="small-passwords-large-passwords">Small passwords. Large passwords!</h2> <p>If you spend as much time looking at computer screens as I do, your eyes will love our new Large Type. Passwords have never looked better!</p> <img src='https://blog.1password.com/posts/2018/opw7.0-beta/large-type.jpeg' alt='Large Type Viewer in 1Password 7 Beta for Windows' title='Large Type Viewer in 1Password 7 Beta for Windows' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>This is great when you need to type a password into another app. But for browsers, 1Password mini will take care of this large task for you.</p> <h2 id="1password-mini-is-always-by-your-side">1Password mini is always by your side</h2> <p>To keep up with their bigger sibling, 1Password mini has a new design of their own and has learned some new tricks as well. 
As always, mini will automatically find the logins that are most relevant to the website you are on, making it super easy to sign in.</p> <img src='https://blog.1password.com/posts/2018/opw7.0-beta/evernote-mini.jpeg' alt='Quickly fill logins using 1Password mini in 1Password 7 Beta for Windows' title='Quickly fill logins using 1Password mini in 1Password 7 Beta for Windows' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>And if a website has been breached, mini will alert you so you know which of your logins need to have their passwords changed.</p> <img src='https://blog.1password.com/posts/2018/opw7.0-beta/mini-watchtower-alert.jpeg' alt='1Password mini showing matching logins for Yahoo; one login has been identified by Watchtower as needing its password changed' title='1Password mini showing matching logins for Yahoo; one login has been identified by Watchtower as needing its password changed' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>You can also open logins directly within your browser. And as an added bonus, your password will also be filled automatically after the page opens, making 1Password a great way to bookmark websites.</p> <h2 id="designed-for-everybody">Designed for everybody</h2> <p>We wanted to create 1Password 7 for everybody and be as inclusive as possible. 
That started with allowing you to sync your vaults yourself as well as supporting 1Password accounts.</p> <p>1Password also speaks your language and has been localized into 9 languages, including Français, Deutsch, Italiano, 日本語, 한국어, Português, Русский, and Español.</p> <img src='https://blog.1password.com/posts/2018/opw7.0-beta/vault-settings-japanese.jpeg' alt='1Password settings screen localized into Japanese' title='1Password settings screen localized into Japanese' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>Being able to use 1Password in your language is great and it’s even better on High-DPI displays. 1Password 7 has full support for HiDPI in Windows 10 so it looks incredible on 4K monitors and other high density screens.</p> <p>And for those of you who rely on assistive technologies, rest assured that 1Password 7 is fully accessible. Accessibility is near and dear to my heart and I’m looking forward to seeing your feedback on this beta.</p> <h2 id="why-hello-there-windows-hello">Why hello there, Windows Hello</h2> <p>We also added support for Windows Hello so you can unlock 1Password using your fingerprint or simply your smile. This works great in the main app as well as in mini.</p> <img src='https://blog.1password.com/posts/2018/opw7.0-beta/mini-hello-unlock.jpeg' alt='1Password mini lock screen with Windows Hello preparing to identify you' title='1Password mini lock screen with Windows Hello preparing to identify you' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>To keep things as secure as possible, the first time you unlock 1Password you will need to provide your Master Password. Windows Hello will then be able to unlock 1Password afterwards.</p> <h2 id="pricing">Pricing</h2> <p>1Password 7 is included free with every 1Password membership. This includes individual accounts, as well as anyone who is part of a family or team. If this is you, you’re all set! 
Jump to the next section to get started with the beta.</p> <p>For standalone license holders, 1Password 7 for Windows will be a paid upgrade. Once 1Password 7 for Windows is officially released later this year, a new license will be required and will cost $64.99.</p> <p>If you join the beta you will get access to a special discount to show our thanks for helping us get the beta polished. The code hasn’t been written yet, but in the next few months an upgrade window will appear, giving you the opportunity to purchase your license for just $39.99.</p> <p>So join the beta, give us your feedback, and save! Here’s how…</p> <h2 id="join-our-beta-family">Join our beta family</h2> <p>Intrepid testers who enjoy being on the cutting edge can jump right in by downloading the beta today.</p> <p> <a href="https://app-updates.agilebits.com/download/OPW6/Y" class="call-to-action "> Download the 1Password 7 Beta for Windows </a> </p> <p>Please see our <a href="https://1password.community/discussion/87401/known-issues-for-1password-7-for-windows-alpha-beta-updates">release notes</a> for known issues and join us in <a href="https://1password.community/categories/windows-beta">our discussion forum</a> to let us know what worked great and where we need to improve.</p> <p>We wouldn’t be here without you so thanks again for all your help! 😘</p> <img src='https://blog.1password.com/posts/2018/opw7.0-beta/footer.png' alt='A &#39;bits blue&#39; 7 being constructed with bricks and mortar, with scaffolding holding it up' title='A &#39;bits blue&#39; 7 being constructed with bricks and mortar, with scaffolding holding it up' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /></description></item><item><title>1Password X: Better, Smarter, Faster, and Japanese! 
マジで!</title><link>https://blog.1password.com/1password-x-better-smarter-faster-and-japanese-%E3%83%9E%E3%82%B8%E3%81%A7/</link><pubDate>Tue, 13 Mar 2018 00:00:00 +0000</pubDate><author>info@1password.com (Dave Teare)</author><guid>https://blog.1password.com/1password-x-better-smarter-faster-and-japanese-%E3%83%9E%E3%82%B8%E3%81%A7/</guid><description> <img src='https://blog.1password.com/posts/2018/b5x1.6/header.png' class='webfeedsFeaturedVisual' alt='1Password X: Better, Smarter, Faster, and Japanese! マジで!' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">If you’re new to 1Password X, you’re in for a treat! <a href="https://chrome.google.com/webstore/detail/1password-%E2%80%93-password-mana/aeblfdkhhhdcdjpifhhbdiojplfjncoa?hl=en">1Password X</a> is a full featured version of 1Password that runs entirely within your web browser. It’s great if you’re using Linux or Chrome OS and has quickly become my favourite way to enjoy 1Password on the web.</p> <p>Since <a href="https://blog.1password.com/1password-x-a-look-at-the-future-of-1password-in-the-browser/">launching in November</a> we&rsquo;ve been hard at work exploring what&rsquo;s possible and polishing everything else. I&rsquo;d love to share with you what&rsquo;s new since 1Password X blasted off! 🚀</p> <h2 id="our-best-password-generator-yet">Our best password generator yet</h2> <p>One of the things that we wanted to explore in 1Password X was how could we make <a href="https://1password.com/password-generator/">our beloved password generator</a> even better. 
And we were willing to go back to the drawing board to make it happen.</p> <p>We started by suggesting new passwords directly within websites:</p> <img src='https://blog.1password.com/posts/2018/b5x1.6/evernote-suggested-password.png' alt='1Password X suggesting a password when signing up to Evernote' title='1Password X suggesting a password when signing up to Evernote' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>Just click Use Suggested Password when signing up and you&rsquo;ve secured this website. It&rsquo;s incredibly easy and perfect for most sites.</p> <p>Some websites, however, don&rsquo;t accept long passwords. Or sometimes you need a memorable password or a numeric PIN code.</p> <p>1Password X now has a fully customizable password generator and it’s our best one yet! When you need a custom password just open 1Password from the toolbar and bring up the password generator:</p> <img src='https://blog.1password.com/posts/2018/b5x1.6/evernote-secure-password-generator.png' alt='1Password X&#39;s secure password generator' title='1Password X&#39;s secure password generator' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>In addition to looking amazing, our new generator is more powerful and easier to use than ever. You can customize everything and choose between different kinds of passwords depending on your needs.</p> <img src='https://blog.1password.com/posts/2018/b5x1.6/select-password-type.png' alt='Selecting a password type in 1Password X' title='Selecting a password type in 1Password X' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>I&rsquo;ve always enjoyed the simplicity of our password generator and didn&rsquo;t want to lose that as we added more options. 
I&rsquo;m incredibly thankful that our designers found a way to pack so much power into such a simple and beautiful window.</p> <h2 id="smarter-filling-and-saving">Smarter filling and saving</h2> <p>Using machine learning, we can now distinguish between registration forms and sign-in forms. This is incredibly cool as it allows us to anticipate what you need and suggest appropriate actions.</p> <p>When you&rsquo;re on a sign-in form, 1Password X will offer to fill it for you. If you&rsquo;re on a registration form, it will suggest a strong, unique password for you to use. And if you need to change an existing password, 1Password X can help you there, too:</p> <img src='https://blog.1password.com/posts/2018/b5x1.6/update-saved-login-evernote.png' alt='Updating the login saved for Evernote' title='Updating the login saved for Evernote' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>Along with these more visible improvements, we also greatly improved form filling all around (especially credit cards and identities) and added support for those running in Incognito mode.</p> <h2 id="faster-everything">Faster everything</h2> <p>Feel the need for speed? 1Password X is packed full of it! Unlocking 1Password is now over 30 times faster and loading your items is instantaneous.</p> <p>I&rsquo;m now able to unlock 1Password X on my 2014 MacBook Pro faster than I can type my Master Password. I have over 3000 items in 50+ vaults spanning two accounts and I have access to everything I need before I can say &ldquo;oh my&rdquo;. 🙂</p> <p>In addition to blazing unlock speeds, you&rsquo;re also able to view your item details and fill Logins faster than ever.</p> <p>To achieve this incredible speed, 1Password X caches your encrypted data locally so it&rsquo;s always available. 
That means you always have access to your data, even when you don&rsquo;t have internet or are on spotty Wi-Fi.</p> <h2 id="and-so-much-more">And so much more</h2> <p>We&rsquo;ve added over <a href="https://app-updates.agilebits.com/product_history/B5X">120 new features and improvements</a> to 1Password X since our inaugural 1.0 release. In addition to the highlights above, some more of our favourites include creating new items, customizable auto-lock settings, and full support for Japanese!</p> <img src='https://blog.1password.com/posts/2018/b5x1.6/japanese-inline-menu.png' alt='1Password X in Japanese suggesting a newly generated password in Japanese' title='1Password X in Japanese suggesting a newly generated password in Japanese' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>To get started, all you need to do is <a href="https://chrome.google.com/webstore/detail/1password-x-%E2%80%93-password-ma/aeblfdkhhhdcdjpifhhbdiojplfjncoa">install 1Password X</a> and sign in to your 1Password account.</p> <h2 id="oh-and-theres-one-more-thing">Oh, and there&rsquo;s one more thing</h2> <p><a href="https://chrome.google.com/webstore/detail/1password-x-%E2%80%93-password-ma/aeblfdkhhhdcdjpifhhbdiojplfjncoa">1Password X</a> initially came out for Google Chrome and since then we&rsquo;ve added support for Vivaldi, Ghost Browser, and coming very soon, Opera. But as much as I love Chrome and its Chromium-based relatives, it&rsquo;s time for 1Password X to support more browsers.</p> <p>Mozilla does an amazing job of keeping the web an open and inclusive space for everyone to enjoy, and we want to support that. So that&rsquo;s what we&rsquo;re going to do! <strong>1Password X is coming to Firefox</strong>. 🎉 🙌</p> <p>We have an internal build of 1Password X running on Firefox Nightly already and we&rsquo;re almost ready to share it with adventurous testers. 
If that&rsquo;s you, please <a href="https://email.agilebits.com/h/r/0D6ED375D55C4CF1">give us your email</a> and we&rsquo;ll be in touch.</p> <p>There are even more exciting things planned for 1Password X and I hope to share them with you soon. Your feedback is immensely valuable in helping us set priorities so please <a href="https://1password.community/categories/saving-and-filling-logins">join us in our forum</a> and say hi.</p> <p>Onward and upwards! 🚀 😘</p> <p> <a href="https://chrome.google.com/webstore/detail/1password-x-%E2%80%93-password-ma/aeblfdkhhhdcdjpifhhbdiojplfjncoa" class="call-to-action center"> Install 1Password X </a> </p> <img src='https://blog.1password.com/posts/2018/b5x1.6/firefox-ahead.png' alt='After launching off from the Chromium space station, Harold prepares to land at the newly constructed Firefox space station.' title='After launching off from the Chromium space station, Harold prepares to land at the newly constructed Firefox space station.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /></description></item><item><title>Give the gift of 1Password</title><link>https://blog.1password.com/give-the-gift-of-1password/</link><pubDate>Tue, 27 Feb 2018 00:00:00 +0000</pubDate><author>info@1password.com (Jeff Shiner)</author><guid>https://blog.1password.com/give-the-gift-of-1password/</guid><description> <img src='https://blog.1password.com/posts/2018/gift-cards/header.png' class='webfeedsFeaturedVisual' alt='Give the gift of 1Password' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Ever since we launched <a href="https://1password.com/pricing/">1Password memberships</a>, people have been asking us how they can gift 1Password to their friends and loved ones. As you might expect, we see the most interest around the holidays, and this past holiday season was no different. 
I always thought it was a great idea, but we didn’t have a good answer – until now.</p> <h2 id="125-for-only-99-">$125 for only $99 🎉</h2> <p>With 1Password Gift Cards, you can help anyone stay safe online. Give them to others or redeem them for yourself. You can purchase them in amounts of $25, $50, or $125. And because everyone loves to save money, we put the $125 gift cards on sale for only $99!</p> <p><a href="https://1password.com/giftcards/"> <img src='https://blog.1password.com/posts/2018/gift-cards/gift-card.png' alt='$125 1Password Gift Card' title='$125 1Password Gift Card' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> </a></p> <p> <a href="https://1password.com/giftcards/" class="call-to-action center"> Get a 1Password Gift Card </a> </p> <h2 id="paypal-and-more">PayPal and more</h2> <p>Another request we’ve seen is the ability to pay for a 1Password membership without using a credit card. Gift cards make that easy.</p> <p>You can <a href="https://1password.com/giftcards/">purchase 1Password Gift Cards</a> with PayPal, and – because it’s 2018 – cryptocurrencies, like Bitcoin, Ethereum, and Litecoin. You can even <a href="https://blog.1password.com/how-to-use-1password-to-manage-cryptocurrency/">use 1Password to manage your cryptocurrencies</a>.</p> <p>And for those of you who are like myself – a bit old-fashioned – credit cards are still an option as well. 😉</p> <h2 id="gifts-are-for-everyone">Gifts are for everyone</h2> <img src='https://blog.1password.com/posts/2018/gift-cards/gift-card-gift-box.png' alt='Present containing 1Password Gift Card' title='Present containing 1Password Gift Card' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>Giving the gift of 1Password is incredibly easy. When you purchase a gift card, you’ll receive an email with the gift code. 
Simply forward that email to your friend or loved one, and they can sign up for 1Password to <a href="https://support.1password.com/gift-cards/">redeem the gift card</a> or apply it to the 1Password membership they already have.</p> <p>And you don’t even have to limit gift cards to people you like. You can send one to someone you <em>don’t</em> like. Maybe it’ll be the beginning of a beautiful friendship. 😊</p></description></item><item><title>How to use 1Password to manage cryptocurrency</title><link>https://blog.1password.com/how-to-use-1password-to-manage-cryptocurrency/</link><pubDate>Wed, 21 Feb 2018 00:00:00 +0000</pubDate><author>info@1password.com (Lisa Verheul)</author><guid>https://blog.1password.com/how-to-use-1password-to-manage-cryptocurrency/</guid><description> <img src='https://blog.1password.com/posts/2018/cryptocurrency/header.png' class='webfeedsFeaturedVisual' alt='How to use 1Password to manage cryptocurrency' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">In 2017, the cryptocurrency market skyrocketed to over <a href="https://www.bitcoinprice.com/news/cryptocurrency-market-cap-crosses-600-billion-altcoins-rally-like-never-dec-18/">$600 billion</a>. It’s the digital gold rush, and everyone wants their share. The lure of riches is too much to ignore, but there are also enormous risks. 
We can’t teach you how to make the best investments, but we can help you manage your cryptocurrencies securely.</p> <h2 id="contents">Contents</h2> <ul> <li> <p><a href="#set-up-1password-before-investing-in-crypto">Set up 1Password before investing in crypto</a></p> </li> <li> <p><a href="#how-to-use-1password-to-store-your-crypto">How to use 1Password to store your crypto</a></p> </li> <li> <p><a href="#exchange-accounts">Exchange accounts</a></p> </li> <li> <p><a href="#wallets">Wallets</a></p> </li> <li> <p><a href="#cryptocurrency-addresses">Cryptocurrency addresses</a></p> </li> <li> <p><a href="#organize-your-crypto-with-tags">Organize your crypto with tags</a></p> </li> <li> <p><a href="#pay-for-your-1password-account-with-crypto">Pay for your 1Password account with crypto</a></p> </li> </ul> <p>I’ve been trading crypto for a while now, and to be perfectly honest, none of it would be possible without 1Password. It helps me stay secure, and creating and managing all of my credentials – 46 and counting – is an absolute breeze.</p> <h2 id="set-up-1password-before-investing-in-crypto">Set up 1Password <em>before</em> investing in crypto</h2> <img src='https://blog.1password.com/posts/2018/cryptocurrency/secure-piggy.png' alt='Set up 1Password before investing in crypto' title='Set up 1Password before investing in crypto' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>Before you invest in crypto, you need to take your security seriously. The best way to do that is with 1Password. I’ve seen people invest without using a password manager at all, and I’m seriously terrified for them. They create weak passwords, which they store on a piece of paper or unencrypted on their device. Or, <a href="https://slate.com/technology/2017/12/people-who-cant-remember-their-bitcoin-passwords-are-really-freaking-out.html">like a number of early bitcoin investors discovered</a>, they no longer remember their credentials. 
So while they may have thousands of dollars stored in a digital wallet somewhere, it’s lost forever.</p> <p>There have already been reports of people losing over $100,000 by <a href="https://www.cbsnews.com/news/bitcoins-worth-100k-stolen-over-public-wireless-network/">accessing their accounts on public Wi-Fi</a>, or signing in to a fake website. While 1Password can’t protect you from insecure networks (if it’s unavoidable, always use a <a href="https://blog.1password.com/how-a-vpn-works/">VPN</a> like <a href="https://encrypt.me/">Encrypt.me</a>), we can protect you from phishing sites, weak and duplicate passwords, and a foggy memory.</p> <img src='https://blog.1password.com/posts/2018/cryptocurrency/swirl-of-coins.png' alt='How to use 1Password to store your crypto' title='How to use 1Password to store your crypto' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <h2 id="how-to-use-1password-to-store-your-crypto">How to use 1Password to store your crypto</h2> <p>So just how can you use 1Password to manage your crypto? It depends what you’re storing: account credentials, private keys, wallet seeds and backups, or crypto addresses. I’ll shed some light on how I use 1Password to manage them all.</p> <h2 id="exchange-accounts">Exchange accounts</h2> <p>Exchanges are where all the action takes place. After you’ve purchased some crypto, you can send it to an exchange and trade it for any other coin on offer. Unless you only trade the top 20, you’ll need to sign up for a few exchanges to buy the coins you want.</p> <img src='https://blog.1password.com/posts/2018/cryptocurrency/exchange.png' alt='Exchange accounts' title='Exchange accounts' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>When I sign up for an exchange like Bittrex, Binance, or Kucoin, I save it as a Login item, just as I would for a regular account. 
I enable two-factor authentication using <a href="https://support.1password.com/one-time-passwords/">one-time passwords</a>, and I strongly recommend you do the same before depositing money there.</p> <p>When I want to sign in, 1Password fills my username and password, and copies my one-time password to the clipboard for easy retrieval. Plus, it won’t fill my details anywhere except the saved URL, which keeps me well protected from phishing sites that imitate an exchange on a lookalike domain. (URL matching does not stop an attacker on the network path; that is what TLS, and a VPN on untrusted Wi-Fi, are for.)</p> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div class="c-technical-aside-box__description"> <p>Want to stay secure online? Create a unique username with 1Password&rsquo;s free <a href="https://1password.com/username-generator/">Username Generator</a>!</p> </div> </aside> <h2 id="wallets">Wallets</h2> <p>If the <a href="https://www.coindesk.com/markets/2014/03/04/the-non-experts-guide-to-the-mt-gox-fiasco/">collapse of Mt Gox</a> taught us anything, it’s that you should always take your coins off an exchange. To keep them safe, you’ll need to set up some wallets. Cryptocurrency wallets allow you to interact with the blockchain to store, send, and receive crypto. Because most coins have their own blockchain, you’ll likely need more than one.</p> <img src='https://blog.1password.com/posts/2018/cryptocurrency/software-wallet.png' alt='DeepOnion Wallet' title='DeepOnion Wallet' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>There are three main wallet types: <a href="https://blockgeeks.com/guides/cryptocurrency-wallet-guide/">software, hardware, and paper</a>. Many people prefer hardware wallets like the <a href="https://shop.ledger.com/pages/ledger-nano-x">Ledger Nano</a> because they’re not connected to the internet. My only advice here? 
<a href="https://news.bitcoin.com/mans-life-savings-stolen-from-hardware-wallet-supplied-by-a-reseller/">Don’t buy one second hand</a>.</p> <p>I’m worried I’d lose a hardware wallet, so I use a mix of paper and software wallets and store the details in 1Password. I set up my software wallets on an encrypted Virtual Machine with the password saved as a Login item. I create a Login item for each wallet (software and paper), and use the <a href="https://1password.com/password-generator/">password generator</a> to create the wallet’s passphrase. (The seed phrase itself is produced by the wallet software; record it in the item rather than generating it anywhere else.)</p> <p>If my wallet address won’t change, I set it as the username. If I create multiple addresses, I add them to a new section called <code>Addresses</code> for easy retrieval. And if I need to save private keys, I add a new field to the Login item, label it <code>Private Key</code> and set it as a password so it’s always concealed.</p> <img src='https://blog.1password.com/posts/2018/cryptocurrency/paper-wallet.png' alt='MyEtherWallet' title='MyEtherWallet' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>Once my wallet is encrypted, I save a backup and attach it to the Login item in 1Password. This way, if I ever lose my MacBook Pro, I can restore the wallets on another computer using my wallet backups and credentials.</p> <p>To help me see how my coins are spread, I can use the notes section to keep a tally. I find this especially helpful for keeping track of coins in MyEtherWallet, a paper wallet that stores both Ethereum and ERC20 tokens.</p> <h2 id="cryptocurrency-addresses">Cryptocurrency addresses</h2> <p>Much like a bank account, if someone in my family wants to send me crypto, they’ll need to know my wallet address and the currency tied to it. 1Password covers that, too. I simply create a Bank Account item and name it after the currency. I use the name of the wallet for the bank, and insert my wallet address into the account number field. 
Then I just add it to our Shared vault so it’s there whenever they need it.</p> <img src='https://blog.1password.com/posts/2018/cryptocurrency/coin-address.png' alt='Cryptocurrency addresses' title='Cryptocurrency addresses' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <h2 id="organize-your-crypto-with-tags">Organize your crypto with tags</h2> <p>I have a lot of data in my vaults, and with my crypto items growing rapidly, I need a good way to organize them. Luckily, that’s a simple fix. All I need to do is tag them crypto and I can see everything at a glance.</p> <img src='https://blog.1password.com/posts/2018/cryptocurrency/full-screenshot.png' alt='Organize your crypto with tags' title='Organize your crypto with tags' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <h2 id="pay-for-your-1password-account-with-crypto">Pay for your 1Password account with crypto</h2> <img src='https://blog.1password.com/posts/2018/cryptocurrency/gift-card-eth-payment.png' alt='1Password gift cards - Eth payment' title='1Password gift cards - Eth payment' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>If you ever wanted to pay for your 1Password account with crypto, now you can. We’ve released <a href="https://1password.com/giftcards/">1Password Gift Cards</a> as an alternative payment option, which you can purchase with Bitcoin, Ethereum, Litecoin, and Bitcoin Cash. When you get to the checkout, choose Coinbase as your payment method and complete your order in the cryptocurrency of your choice. 
Once your payment has cleared and you’ve received your gift card, you can redeem it by adding the code to your <a href="https://start.1password.com/billing">Billing page</a>.</p> <section class="c-call-to-action-box c-call-to-action-box--blue"> <div class="c-call-to-action-box__content"> <h3 class="c-call-to-action-box__title">Sign up for 1Password and manage your cryptocurrency</h3> <p class="c-call-to-action-box__text"> Sign up for 1Password today and get your first 14 days free. </p> <a href="https://start.1password.com/sign-up/family?l=en" class="c-call-to-action-box__link-href c-call-to-action-box__link-href--blue" data-event-category="CTA" data-event-action="call-to-action-button"> Try 1Password free </a> </div> </section></description></item><item><title>1Password is for Families</title><link>https://blog.1password.com/1password-is-for-families/</link><pubDate>Fri, 16 Feb 2018 00:00:00 +0000</pubDate><author>info@1password.com (Sara Teare)</author><guid>https://blog.1password.com/1password-is-for-families/</guid><description> <img src='https://blog.1password.com/posts/2018/for-families/header.jpg' class='webfeedsFeaturedVisual' alt='1Password is for Families' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Today we’re celebrating Family Day here in Ontario and throughout other parts of Canada. It’s a great way to remind ourselves of the people in our lives who are always here when we need them. 
Family can mean a lot of different things – my brother-in-law Mike calling to ask if I need help shovelling snow, my aunt sharing a new card game, or a friend who needs a ride to an appointment – in the end, family means “together”.</p> <h2 id="sharing-together">Sharing together</h2> <img src='https://blog.1password.com/posts/2018/for-families/sharing-family-items.png' alt='Sharing together' title='Sharing together' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>Most of the time, sharing lives together is as simple as sharing a meal, sharing how your day was, and – these days – sharing Wi-Fi passwords and Netflix accounts. 1Password Families can’t cook for you or get your kids to clean their rooms, but it’s great with online accounts. In fact, it’s great for sharing a lot more than passwords, too.</p> <p>The Winter Olympics in Pyeongchang got me thinking about international travel, and I’m reminded of Jeff’s post about his son’s trip to Texas. He used 1Password Families to help his son prepare for his trip to the USA for an international gymnastics training camp. I’ll let him tell the story:</p> <blockquote> <p>I created a Texas Trip vault [and] added our passports, contact info, and a credit card for emergencies (new headphones are not an emergency). In went the flights, insurance policies, consent forms, and all the rest. Finally, I added passwords for all the ways he could reach us, from Skype to FaceTime to Zoom; although, trying to get a 15-year-old to actually talk to his parents was another matter.</p> </blockquote> <blockquote> <p>It was really quite reassuring to know that all of that information was there for him to easily access on either his Mac or his iPhone.</p> </blockquote> <p>And that’s just one example. There are as many different ways to use 1Password Families as there are families. 
You get to <a href="https://support.1password.com/family-sharing/">choose who has access to shared information</a>, and everyone gets their own personal vault for stuff that’s private. But no matter what you share with your family, you can be sure that your secrets are safe.</p> <h2 id="recovering-your-peace-of-mind">Recovering your peace of mind</h2> <img src='https://blog.1password.com/posts/2018/for-families/family-recovery.png' alt='Recovering your peace of mind' title='Recovering your peace of mind' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>One of my favourite taglines for 1Password is “Go ahead, forget your passwords”. Taking that plunge into a world of not knowing my passwords was scary, but now that I’m here, I can’t imagine going back. There’s only one password I need to remember now: my Master Password. But what happens if I forget that?! I’d normally start to feel my peace of mind slip away just thinking about that, but thanks to my family, I don’t have to worry.</p> <p>Nobody at 1Password ever has access to your information. That means that if you forget your Master Password, we can’t help you recover your account. But if you have a 1Password Families membership, you can <a href="https://support.1password.com/family-organizer/">designate another family member</a> who can help you recover your account. You get to have peace of mind because you’re in control.</p> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div class="c-technical-aside-box__description"> <p>Did you know? You can now use a <a href="https://blog.1password.com/introducing-1password-recovery-codes/">recovery code</a> to self-recover your 1Password account should you lose your Secret Key or forget your account password. Create one today!</p> </div> </aside> <h2 id="make-the-switch">Make the switch</h2> <p>If you have a 1Password account and have been considering inviting your family, there’s never been a better time. 
There are a ton of benefits to <a href="https://1password.com/personal/">1Password Families</a>, some of which I mentioned above. A family account lets you:</p> <ul> <li>Share vaults securely. <a href="https://support.1password.com/create-share-vaults/">Shared vaults</a> show up on your family’s devices instantly.</li> <li>Recover accounts. If someone in your family forgets their Master Password or can’t find their <a href="https://support.1password.com/secret-key/">Secret Key</a>, a <a href="https://support.1password.com/family-organizer/">family organizer</a> can help <a href="https://support.1password.com/recovery/">recover their account</a>.</li> <li>Simplify payment. A single subscription covers a family of 5, with room to grow.</li> </ul> <img src='https://blog.1password.com/posts/2018/for-families/invite-all-the-family-banner.png' alt='Invite all the family' title='Invite all the family' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <h3 id="upgrading-to-a-family-account-is-as-easy-as-inviting-more-people">Upgrading to a family account is as easy as inviting more people.</h3> <p>Simply sign in to your account on 1Password.com and click Invite People in the sidebar. 😀</p> <h2 id="love-for-our-1password-family">Love for our 1Password Family</h2> <p>With that, I’d like to wrap this up with a special thank you to all of our extended 1Password family members. Without the lovely people I work with every day and all the amazing customers who have supported us over the years, 1Password wouldn’t be where it is today. Thank you! And I mean it when I say we have amazing customers. Dave and I were recently away and came back one day to our room and saw this on the door:</p> <img src='https://blog.1password.com/posts/2018/for-families/post-it.jpg' alt='Thank you for making truly amazing software. I use 1Password everyday (when I&#39;m not cruising) ❤️ @miwahall' title='Thank you for making truly amazing software. 
I use 1Password everyday (when I&#39;m not cruising) ❤️ @miwahall' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>It’s heartwarming to be making connections with people, and we’re so glad we’ve had the chance to be a part of your lives! ❤️</p></description></item><item><title>Secure Remote Password (SRP): How 1Password uses it</title><link>https://blog.1password.com/developers-how-we-use-srp-and-you-can-too/</link><pubDate>Wed, 14 Feb 2018 00:00:00 +0000</pubDate><author>info@1password.com (Rick Fillion)</author><guid>https://blog.1password.com/developers-how-we-use-srp-and-you-can-too/</guid><description> <img src='https://blog.1password.com/posts/2018/srp/header.png' class='webfeedsFeaturedVisual' alt='Secure Remote Password (SRP): How 1Password uses it' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">1Password uses a multi-layered approach to protect your data in your account, and Secure Remote Password (SRP) is one of those very important layers. Today we’re announcing that <a href="https://github.com/1Password/srp">our Go implementation of SRP is available as an open source project</a>. But first, I’d like to show you the benefits SRP brings as an ingredient in the 1Password security parfait.</p> <p><strong>Contents</strong></p> <ul> <li><a href="#parfaits-delicious-and-secure">Parfaits: delicious and secure</a></li> <li><a href="#secure-remote-password-a-hell-of-a-layer">SRP: a hell of a layer</a></li> <li><a href="#how-1password-uses-secure-remote-password">How 1Password uses SRP</a></li> <li><a href="#srp-enrollment">Enrollment</a></li> <li><a href="#srp-authentication">Authentication</a></li> <li><a href="#srp-verification">Verification</a></li> <li><a href="#implement-srp-in-your-own-app">Implement SRP in your own app</a></li> </ul> <blockquote> <p><strong>Donkey:</strong> Oh, you both have <em>layers</em>. Oh. You know, not everybody likes onions. Cake! Everybody loves cake! 
Cakes have layers!</p> </blockquote> <blockquote> <p><strong>Shrek:</strong> I don’t care what everyone likes! Ogres are not like cakes.</p> </blockquote> <blockquote> <p><strong>Donkey:</strong> You know what <em>else</em> everybody likes? Parfaits! Have you ever met a person, you say, “Let’s get some parfait,” they say, “Hell no, I don’t like no parfait”? Parfaits are delicious!</p> </blockquote> <h2 id="parfaits-delicious-and-secure">Parfaits: delicious and secure</h2> <img src='https://blog.1password.com/posts/2018/srp/security-served-up.png' alt='1Password themed Parfait' title='1Password themed Parfait' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>The first layer of security in 1Password, your account password, protects your data end to end – at rest and in transit – but we wanted to go further. The second layer is something we call <a href="https://support.1password.com/secret-key-security/">Two-Secret Key Derivation</a>. It combines your Secret Key with your 1Password account password to greatly improve the strength of the encryption. Thanks to your Secret Key, even if someone got your data from our servers, it would be infeasible to guess your account password.</p> <p>That still wasn’t enough for us, though. When we first started planning how we were going to securely authenticate between 1Password clients and server, we had a wish list. We wanted to ensure that:</p> <ul> <li>your 1Password account password is never transmitted or stored on the server.</li> <li>eavesdroppers can’t learn anything useful.</li> <li>the identity of user and server are mutually authenticated.</li> <li>the authentication is encryption-based.</li> </ul> <p>There was actually one other requirement that wasn’t exactly part of the list but applied to every item in the list: we didn’t want to roll our own solution. 
We know better than to roll our own crypto, and we wanted to find a proven solution that’s been around and has stood the test of time.</p> <p>We wanted this layer to be <em>just</em> right.</p> <h2 id="secure-remote-password-a-hell-of-a-layer">Secure Remote Password: a hell of a layer</h2> <p>It took us a while to find what we needed for this layer. (Apparently the marketing department of augmented password-authenticated key agreement protocols is underfunded.) But we eventually found SRP, which ticked all our boxes. SRP is a handshake protocol that makes multiple requests and responses between the client and the server. Now, that may not sound very interesting – and I’m not one to show excitement easily – but SRP is a hell of a layer. With SRP we can:</p> <ul> <li>authenticate without ever sending a password over the network.</li> <li>authenticate without anyone who intercepts the exchange learning your secrets, or even gaining material for an offline guessing attack.</li> <li>authenticate both the identity of the client and the server to guarantee that a client isn’t communicating with an impostor server.</li> <li>authenticate with more than just a binary “yes” or “no”. You actually end up with an encryption key.</li> </ul> <img src='https://blog.1password.com/posts/2018/srp/levels-of-security.png' alt='1Password Parfait with layers identified' title='1Password Parfait with layers identified' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>All this makes SRP a great fit for 1Password, and it keeps your data safe in transit. As an added bonus, because SRP is a key agreement protocol rather than a bare yes/no check, both sides end up with a session encryption key that protects the application traffic in addition to Transport Layer Security (TLS), the fourth layer, instead of relying on TLS alone.</p> <p>So that’s four layers of protection: 1Password account password, <a href="https://support.1password.com/secret-key/">Secret Key</a>, SRP, and TLS. 
Now I’d love to show you how SRP works step by step in 1Password.</p> <h2 id="how-1password-uses-secure-remote-password">How 1Password uses Secure Remote Password</h2> <p>Before any authentication can be done, the account needs to be enrolled. 1Password does this when you create an account. To use SRP, you’ll need a couple different things:</p> <ul> <li>a key derivation function (KDF) that will transform a password (and, in our case, also your Secret Key) into a very large number. We’ve chosen PBKDF2.</li> <li>an SRP group consisting of two numbers: one very large prime and one generator. There are seven different groups – we’ve chosen the 4096-bit group.</li> </ul> <h2 id="srp-enrollment">SRP enrollment</h2> <p>To enroll, the client sends some important information to the server, and the server saves it:</p> <ul> <li>The client generates a random <strong>salt</strong> and <strong>Secret Key</strong>.</li> <li>The client asks the user for a <strong>1Password account password</strong>.</li> <li>The client passes those three values to the KDF to derive <em>x</em>.</li> <li>The client uses <em>x</em> and the <strong>SRP group</strong> to calculate what’s called a <strong>verifier</strong>.</li> <li>The client sends the <strong>verifier</strong>, <strong>salt</strong>, and <strong>SRP group</strong> to the server.</li> <li>The server saves the <strong>verifier</strong> and never transmits it back to the client.</li> </ul> <p>Now the account is ready for all future authentication sessions.</p> <h2 id="srp-authentication">SRP authentication</h2> <p>To authenticate, the client and server exchange non-secret information. 
Then the client combines that with a secret that only it knows and the server combines it with a secret only <em>it</em> knows:</p> <ol> <li>The client requests the <strong>salt</strong> and the <strong>SRP group</strong> from the server.</li> <li>The client asks the user for the <strong>1Password account password</strong> and <strong>Secret Key</strong>.</li> <li>The client passes the <strong>salt</strong>, <strong>account password</strong>, and <strong>Secret Key</strong> to the KDF to derive <em>x</em>, exactly as it did at enrollment.</li> <li>The client: <ul> <li>Generates a random secret number <strong>a</strong>.</li> <li>Uses the <strong>SRP group</strong> to calculate a non-secret counterpart <strong>A</strong>.</li> <li>Sends <strong>A</strong> to the server.</li> </ul> </li> <li>The server: <ul> <li>Generates a random secret <strong>b</strong>.</li> <li>Uses the <strong>SRP group</strong> and the stored <strong>verifier</strong> to calculate a non-secret counterpart <strong>B</strong>.</li> <li>Sends <strong>B</strong> to the client.</li> </ul> </li> </ol> <p>So <em>A</em> and <em>B</em> are exchanged, but <em>a</em> and <em>b</em> remain secrets. Each side checks the value it receives before going further: the server aborts if <em>A</em> is 0 modulo the group’s prime, and the client aborts if <em>B</em> is, because a degenerate value would let an attacker steer the shared secret to something predictable. Through the power of math, the client (with <em>x</em>, <em>a</em>, <em>B</em>) and the server (with the verifier, <em>A</em>, <em>b</em>) can both arrive at the same very large number using different calculations. This shared number is what 1Password derives the session encryption key from.</p> <h2 id="srp-verification">SRP verification</h2> <p>The last step is verification. 
After all, no amount of fancy math will help if the numbers don’t match up between client and server.</p> <p>To verify, the client and server exchange encrypted messages:</p> <ol> <li>The client encrypts a message with the <strong>session encryption key</strong> and sends it to the server.</li> <li>The server decrypts the message and verifies it.</li> <li>The server encrypts its own message with the same <strong>session encryption key</strong> and sends it to the client.</li> <li>The client decrypts the message and verifies it.</li> </ol> <p>If the client and server both used the correct inputs then they’ll both have the same session encryption key, which allows them to decrypt and verify the message. If they don’t use the correct inputs, everything fails.</p> <p>The verification process proves to the server that the client has <em>x</em>, which can only be derived using the correct 1Password account password and Secret Key. It also proves to the client that the server has the verifier, which ensures that the client is communicating with the 1Password server, not an impostor.</p> <p>Now that it has been verified, the session encryption key can be used to encrypt every message between the client and server going forward.</p> <p>As you can see, it’s critical to remember your 1Password account password and keep your Secret Key safe if you ever want to authenticate your 1Password account. They’re also very important layers, after all. 🙂 And, like any good parfait, everything comes together to create something better than the individual layers alone.</p> <img src='https://blog.1password.com/posts/2018/srp/delivered-for-you.png' alt='1Password Parfait delivery' title='1Password Parfait delivery' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <h2 id="implement-srp-in-your-own-app">Implement SRP in your own app</h2> <p>We love SRP so much that we want to see it used in more of the apps we use. 
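</p> <p>The three phases above, enrollment, authentication and verification, as an added example that is not part of the original post and is not the <code>1Password/srp</code> package: a self-contained SRP-6a exchange in Go over the 1024-bit group from RFC 5054 (1Password uses the 4096-bit group from the same RFC). The function names (<code>Enroll</code>, <code>ServerRespond</code>, <code>ClientFinish</code>, <code>Handshake</code>), the use of SHA-256 for <em>k</em>, <em>u</em> and the session key, the HMAC proof messages that stand in for the encrypted verification messages described above, the hand-written PBKDF2, and the way the Secret Key is folded into the KDF salt are all choices made for this example, not 1Password’s.</p>

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"hash"
	"math/big"
)

// SRP group: the 1024-bit safe prime (generator 2) from RFC 5054, Appendix A. 1Password
// uses the 4096-bit group from the same RFC; the small one only keeps this example fast.
var N, _ = new(big.Int).SetString("EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD15DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3", 16)
var g = big.NewInt(2)
var k = toInt(sha(pad(N), pad(g))) // SRP-6a multiplier k = H(N | PAD(g))
func toInt(b []byte) *big.Int                { return new(big.Int).SetBytes(b) }
func pad(x *big.Int) []byte                  { return x.FillBytes(make([]byte, (N.BitLen()+7)/8)) } // fixed width for hashing
func sha(parts ...[]byte) []byte             { return digest(sha256.New(), parts...) }
func mac(key []byte, parts ...[]byte) []byte { return digest(hmac.New(sha256.New, key), parts...) }
func digest(h hash.Hash, parts ...[]byte) []byte {
	for _, p := range parts {
		h.Write(p)
	}
	return h.Sum(nil)
}

func mustRandom(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no safe way to continue without entropy
	}
	return b
}

// deriveX is the "bring your own KDF" slot: PBKDF2-HMAC-SHA256, one block, written out to stay in the
// standard library. Folding the Secret Key into the salt only stands in for 1Password's real 2SKD.
func deriveX(salt, password, secretKey []byte) *big.Int {
	u := mac(password, sha(salt, secretKey), []byte{0, 0, 0, 1}) // U1 = PRF(P, S || INT(1))
	t := append([]byte(nil), u...)
	for i := 1; i < 20000; i++ {
		u = mac(password, u) // Ui = PRF(P, Ui-1); T = U1 xor ... xor Uc
		subtle.XORBytes(t, t, u)
	}
	return toInt(t)
}

// Enroll runs on the client at account creation; the server stores only salt and v = g^x, never x.
func Enroll(password, secretKey []byte) (salt []byte, v *big.Int) {
	salt = mustRandom(16)
	return salt, new(big.Int).Exp(g, deriveX(salt, password, secretKey), N)
}

// ServerRespond sends B = k*v + g^b and derives K = H((A * v^u)^b); A ≡ 0 (mod N) would pin S to 0.
func ServerRespond(v, A *big.Int) (B *big.Int, key []byte, err error) {
	if A.Sign() <= 0 || A.Cmp(N) >= 0 {
		return nil, nil, errors.New("srp: A out of range")
	}
	b := toInt(mustRandom(32))
	B = new(big.Int).Exp(g, b, N)
	B.Add(B, new(big.Int).Mul(k, v)).Mod(B, N)
	u := toInt(sha(pad(A), pad(B)))
	S := new(big.Int).Exp(v, u, N)
	S.Mul(S, A).Mod(S, N).Exp(S, b, N)
	return B, sha(pad(S)), nil
}

// ClientFinish derives K = H((B - k*g^x)^(a + u*x)); B ≡ 0 (mod N) must be refused (RFC 5054).
func ClientFinish(salt, password, secretKey []byte, a, A, B *big.Int) ([]byte, error) {
	if B.Sign() <= 0 || B.Cmp(N) >= 0 {
		return nil, errors.New("srp: B out of range")
	}
	u := toInt(sha(pad(A), pad(B)))
	x := deriveX(salt, password, secretKey)
	base := new(big.Int).Exp(g, x, N)
	base.Mul(base, k).Sub(B, base).Mod(base, N) // B - k*g^x
	exp := new(big.Int).Mul(u, x)
	return sha(pad(new(big.Int).Exp(base, exp.Add(exp, a), N))), nil
}

// Handshake runs one authentication against the stored (salt, v): the client proves K first with
// M1 = HMAC(K, A | B), then the server answers M2 = HMAC(K, A | M1). Wrong credentials give (false, nil).
func Handshake(salt []byte, v *big.Int, password, secretKey []byte) (bool, error) {
	a := toInt(mustRandom(32))     // client's ephemeral secret, never sent
	A := new(big.Int).Exp(g, a, N) // its public counterpart
	B, serverKey, err := ServerRespond(v, A)
	if err != nil {
		return false, err
	}
	clientKey, err := ClientFinish(salt, password, secretKey, a, A, B)
	if err != nil {
		return false, err
	}
	m1 := mac(clientKey, pad(A), pad(B))
	serverAccepts := hmac.Equal(m1, mac(serverKey, pad(A), pad(B))) // a real server stops here on failure
	m2 := mac(serverKey, pad(A), m1)
	return serverAccepts && hmac.Equal(m2, mac(clientKey, pad(A), m1)), nil
}
```

<p>The two range checks are the ones to look for in any SRP code you review: a server that accepts <em>A</em> ≡ 0 (mod <em>N</em>) computes its key from <em>S</em> = 0, a value the attacker already knows, and the client’s matching check on <em>B</em> is what RFC 5054 requires so an impostor server cannot steer the computation with a degenerate value. With the right password and Secret Key <code>Handshake</code> returns <code>true</code>; with either one wrong it returns <code>false</code> rather than an error, because from the protocol’s point of view nothing failed, the two proofs simply did not match.</p> <p>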
That’s why we want to help you get started with SRP in your own project. Our Go implementation of SRP is available as an open source project:</p> <ul> <li><a href="https://github.com/1Password/srp">GitHub: 1Password/srp</a></li> </ul> <p>This package provides functions for both clients and servers, and you only need to BYOKDF (Bring Your Own Key Derivation Function, like any good party). It’s the same code we’re using on our server and in the 1Password command-line tool, so we welcome security researchers to take a look and report any issues through the <a href="https://bugcrowd.com/agilebits">1Password Bugcrowd bug bounty program</a>.</p> <p>SRP is one of the less appreciated parts of 1Password, and I hope I’ve explained it well enough for you to implement it in your own project. You can read more about how we use SRP in the <a href="https://1passwordstatic.com/files/security/1password-white-paper.pdf">1Password Security Design White Paper</a>. Leave a comment if you have any questions, or <a href="https://github.com/1Password/srp/issues">file an issue</a> if you see something that can be improved.</p> <p>Until next time, enjoy that parfait!</p></description></item><item><title>Terraforming 1Password</title><link>https://blog.1password.com/terraforming-1password/</link><pubDate>Thu, 25 Jan 2018 00:00:00 +0000</pubDate><author>info@1password.com (Roustem Karimov)</author><guid>https://blog.1password.com/terraforming-1password/</guid><description> <img src='https://blog.1password.com/posts/2018/terraforming-1password/header.jpg' class='webfeedsFeaturedVisual' alt='Terraforming 1Password' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">A tweet I posted a few days ago generated quite a bit of interest from people running or managing their own services, and I thought I would share some of the cool things we are working on.</p> <div class="tweet"> <img src="https://blog.1password.com/img/icons/twitter.svg" 
alt="@roustem tweet" /> <p> 1Password servers will be down for the next few hours. We are recreating our entire environment to replace AWS CloudFormation with <a href="https://twitter.com/HashiCorp">@HashiCorp</a> Terraform. It is like creating a brand new universe, from scratch. - <span>@roustem</span> <a href="http://twitter.com/user/status/954912547555090433" title="@roustem" class="view-tweet" target="_blank" rel="noopener">View tweet</a> </p> </div> <p>This post will go into technical details and I apologize in advance if I explain things too quickly. I tried to make up for this by including some pretty pictures but most of them ended up being code snippets. 😊</p> <h2 id="1password-and-aws">1Password and AWS</h2> <p>1Password is hosted by Amazon Web Services (AWS). We’ve been using AWS for several years now, and it is incredible how easy it was to scale our service from zero users three years ago to several million happy customers today.</p> <p>AWS has many geographical regions. Each region consists of multiple independent data centres located closely together. We are currently using three regions:</p> <ul> <li>N. 
Virginia, USA <code>us-east-1</code></li> <li>Montreal, Canada <code>ca-central-1</code></li> <li>Frankfurt, Germany <code>eu-central-1</code></li> </ul> <p>In each region we have four environments running 1Password:</p> <ul> <li>production</li> <li>staging</li> <li>testing</li> <li>development</li> </ul> <p>If you are counting, that’s 12 environments across three regions, including three production environments: <a href="https://start.1password.com/">1password.com</a>, <a href="https://start.1password.ca/">1password.ca</a>, and <a href="https://start.1password.eu/">1password.eu</a>.</p> <p>Every 1Password environment is more or less identical and includes these components:</p> <ul> <li>Virtual Private Cloud</li> <li>Amazon Aurora database cluster</li> <li>Caching (Redis) clusters</li> <li>Subnets</li> <li>Routing tables</li> <li>Security roles</li> <li>IAM permissions</li> <li>Auto-scaling groups</li> <li>Elastic Compute Cloud (EC2) instances</li> <li>Elastic Load Balancers (ELB)</li> <li>Route53 DNS (both internal and external)</li> <li>Amazon S3 buckets</li> <li>CloudFront distributions</li> <li>Key Management System (KMS)</li> </ul> <p>Here is a simplified diagram:</p> <img src='https://blog.1password.com/posts/2018/terraforming-1password/simplified-1password-env.png' alt='1Password environment' title='1Password environment' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>As you can see, there are many components working together to provide 1Password service. One of the reasons it is so complex is the need for high availability. Most of the components are deployed as a cluster to make sure there are at least two of each: database, cache, server instance, and so on.</p> <p>Furthermore, every AWS region has at least two data centres that are also known as Availability Zones (AZs) – you can see them in blue in the diagram above. Every AZ has its own independent power and network connections. 
For example, the Canadian region <code>ca-central-1</code> has two data centres: <code>ca-central-1a</code> and <code>ca-central-1b</code>.</p> <p>If we deployed all 1Password components into just a single Availability Zone, then we would not be able to achieve high availability because a single problem in the data centre would take 1Password offline. This is why when 1Password services are deployed in a region, we make sure that every component has at least one backup in the neighbouring data centre. This helps to keep 1Password running even when there’s a problem in one of the data centres.</p> <h2 id="infrastructure-as-code">Infrastructure as Code</h2> <p>It would be very challenging and error-prone to manually deploy and maintain 12 environments, especially when you consider that each environment consists of at least 50 individual components.</p> <p>This is why so many companies have switched from updating their infrastructure manually to Infrastructure as Code. With Infrastructure as Code, the hardware becomes software and can take advantage of all software development best practices. When we apply these practices to infrastructure, every server, every database, every open network port can be written in code, committed to GitHub, peer-reviewed, and then deployed and updated as many times as necessary.</p> <p>For AWS customers, two major languages can be used to describe and maintain the infrastructure:</p> <ul> <li><a href="https://aws.amazon.com/cloudformation/">AWS CloudFormation</a></li> <li><a href="https://www.terraform.io/">HashiCorp Terraform</a></li> </ul> <p>CloudFormation is an excellent option for many AWS customers, and we successfully used it to deploy 1Password environments for over two years. 
At the same time we wanted to move to Terraform as our main infrastructure tool for several reasons:</p> <ul> <li>Terraform has a more straightforward and powerful language (HCL) that makes it easier to write and review code.</li> <li>Terraform has the concept of <a href="https://www.terraform.io/docs/providers/">resource providers</a> that allows us to manage resources outside of Amazon Web Services, including services like <a href="https://www.datadoghq.com/">DataDog</a> and <a href="https://www.pagerduty.com/">PagerDuty</a>, which we rely on internally.</li> <li>Terraform is completely open source and that makes it easier to understand and troubleshoot.</li> <li>We are already using Terraform for smaller web apps at AgileBits, and it makes sense to standardize on a single tool.</li> </ul> <p>Compared to the JSON or YAML files used by CloudFormation, Terraform HCL is both a more powerful and a more readable language. Here is a small example of a snippet that defines a subnet for the application servers. 
As you can see, the Terraform code is a quarter of the size, more readable, and easier to understand.</p> <h3 id="cloudformation">CloudFormation</h3> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-html" data-lang="html">&#34;B5AppSubnet1&#34;: {
  &#34;Type&#34;: &#34;AWS::EC2::Subnet&#34;,
  &#34;Properties&#34;: {
    &#34;CidrBlock&#34;: { &#34;Fn::Select&#34; : [&#34;0&#34;, { &#34;Fn::FindInMap&#34; : [ &#34;SubnetCidr&#34;, { &#34;Ref&#34; : &#34;Env&#34; }, &#34;b5app&#34;] }] },
    &#34;AvailabilityZone&#34;: { &#34;Fn::Select&#34; : [ &#34;0&#34;, { &#34;Fn::GetAZs&#34; : &#34;&#34; } ]},
    &#34;VpcId&#34;: { &#34;Ref&#34;: &#34;Vpc&#34; },
    &#34;Tags&#34;: [
      { &#34;Key&#34; : &#34;Application&#34;, &#34;Value&#34; : &#34;B5&#34; },
      { &#34;Key&#34; : &#34;env&#34;, &#34;Value&#34;: { &#34;Ref&#34; : &#34;Env&#34; } },
      { &#34;Key&#34; : &#34;Name&#34;, &#34;Value&#34;: { &#34;Fn::Join&#34; : [&#34;-&#34;, [ {&#34;Ref&#34; : &#34;Env&#34;}, &#34;b5&#34;, &#34;b5app-subnet1&#34;]] } }
    ]
  }
},
&#34;B5AppSubnet2&#34;: {
  &#34;Type&#34;: &#34;AWS::EC2::Subnet&#34;,
  &#34;Properties&#34;: {
    &#34;CidrBlock&#34;: { &#34;Fn::Select&#34; : [&#34;1&#34;, { &#34;Fn::FindInMap&#34; : [ &#34;SubnetCidr&#34;, { &#34;Ref&#34; : &#34;Env&#34; }, &#34;b5app&#34;] }] },
    &#34;AvailabilityZone&#34;: { &#34;Fn::Select&#34; : [ &#34;1&#34;, { &#34;Fn::GetAZs&#34; : &#34;&#34; } ]},
    &#34;VpcId&#34;: { &#34;Ref&#34;: &#34;Vpc&#34; },
    &#34;Tags&#34;: [
      { &#34;Key&#34; : &#34;Application&#34;, &#34;Value&#34; : &#34;B5&#34; },
      { &#34;Key&#34; : &#34;env&#34;, &#34;Value&#34;: { &#34;Ref&#34; : &#34;Env&#34; } },
      { &#34;Key&#34; : &#34;Name&#34;, &#34;Value&#34;: { &#34;Fn::Join&#34; : [&#34;-&#34;, [ {&#34;Ref&#34; : &#34;Env&#34;}, &#34;b5&#34;, &#34;b5app-subnet2&#34;]] } }
    ]
  }
},
&#34;B5AppSubnet3&#34;: {
  &#34;Type&#34;: &#34;AWS::EC2::Subnet&#34;,
  &#34;Properties&#34;: {
    &#34;CidrBlock&#34;: { &#34;Fn::Select&#34; : [&#34;2&#34;, { &#34;Fn::FindInMap&#34; : [ &#34;SubnetCidr&#34;, { &#34;Ref&#34; : &#34;Env&#34; }, &#34;b5app&#34;] }] },
    &#34;AvailabilityZone&#34;: { &#34;Fn::Select&#34; : [ &#34;2&#34;, { &#34;Fn::GetAZs&#34; : &#34;&#34; } ]},
    &#34;VpcId&#34;: { &#34;Ref&#34;: &#34;Vpc&#34; },
    &#34;Tags&#34;: [
      { &#34;Key&#34; : &#34;Application&#34;, &#34;Value&#34; : &#34;B5&#34; },
      { &#34;Key&#34; : &#34;env&#34;, &#34;Value&#34;: { &#34;Ref&#34; : &#34;Env&#34; } },
      { &#34;Key&#34; : &#34;Name&#34;, &#34;Value&#34;: { &#34;Fn::Join&#34; : [&#34;-&#34;, [ {&#34;Ref&#34; : &#34;Env&#34;}, &#34;b5&#34;, &#34;b5app-subnet3&#34;]] } }
    ]
  }
},
</code></pre></div><h3 id="terraform">Terraform</h3> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-html" data-lang="html">resource &#34;aws_subnet&#34; &#34;b5app&#34; {
  count             = &#34;${length(var.subnet_cidr[&#34;b5app&#34;])}&#34;
  vpc_id            = &#34;${aws_vpc.b5.id}&#34;
  cidr_block        = &#34;${element(var.subnet_cidr[&#34;b5app&#34;],count.index)}&#34;
  availability_zone = &#34;${var.az[count.index]}&#34;

  tags {
    Application = &#34;B5&#34;
    env         = &#34;${var.env}&#34;
    type        = &#34;${var.type}&#34;
    Name        = &#34;${var.env}-b5-b5app-subnet-${count.index}&#34;
  }
}
</code></pre></div><p>Terraform has another gem of a feature that we rely on: <code>terraform plan</code>. It allows us to visualize the changes that will happen to the environment without performing them.</p> <p>For example, here is what would happen if we change the server instance size from <code>t2.medium</code> to <code>t2.large</code>.</p> <h3 id="terraform-plan-output">Terraform Plan Output</h3> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-html" data-lang="html">#
# Terraform code changes
#
# variable &#34;instance_type&#34; {
#   type    = &#34;string&#34;
# - default = &#34;t2.medium&#34;
# + default = &#34;t2.large&#34;
# }

$ terraform plan
Refreshing Terraform state in-memory prior to plan...
...
An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
-/+ destroy and then create replacement

Terraform will perform the following actions:

-/+ module.b5site.aws_autoscaling_group.asg (new resource required)
      id:                                   &#34;B5Site-prd-lc20180123194347404900000001-asg&#34; =&gt; (forces new resource)
      arn:                                  &#34;arn:aws:autoscaling:us-east-1:921352000000:autoScalingGroup:32b38032-56c6-40bf-8c57-409e9e4a264a:autoScalingGroupName/B5Site-prd-lc20180123194347404900000001-asg&#34; =&gt;
      default_cooldown:                     &#34;300&#34; =&gt;
      desired_capacity:                     &#34;2&#34; =&gt; &#34;2&#34;
      force_delete:                         &#34;false&#34; =&gt; &#34;false&#34;
      health_check_grace_period:            &#34;300&#34; =&gt; &#34;300&#34;
      health_check_type:                    &#34;ELB&#34; =&gt; &#34;ELB&#34;
      launch_configuration:                 &#34;B5Site-prd-lc20180123194347404900000001&#34; =&gt; &#34;${aws_launch_configuration.lc.name}&#34;
      load_balancers.#:                     &#34;0&#34; =&gt;
      max_size:                             &#34;3&#34; =&gt; &#34;3&#34;
      metrics_granularity:                  &#34;1Minute&#34; =&gt; &#34;1Minute&#34;
      min_size:                             &#34;2&#34; =&gt; &#34;2&#34;
      name:                                 &#34;B5Site-prd-lc20180123194347404900000001-asg&#34; =&gt; &#34;${aws_launch_configuration.lc.name}-asg&#34; (forces new resource)
      protect_from_scale_in:                &#34;false&#34; =&gt; &#34;false&#34;
      tag.#:                                &#34;4&#34; =&gt; &#34;4&#34;
      tag.1402295282.key:                   &#34;Application&#34; =&gt; &#34;Application&#34;
      tag.1402295282.propagate_at_launch:   &#34;true&#34; =&gt; &#34;true&#34;
      tag.1402295282.value:                 &#34;B5Site&#34; =&gt; &#34;B5Site&#34;
      tag.1776938011.key:                   &#34;env&#34; =&gt; &#34;env&#34;
      tag.1776938011.propagate_at_launch:   &#34;true&#34; =&gt; &#34;true&#34;
      tag.1776938011.value:                 &#34;prd&#34; =&gt; &#34;prd&#34;
      tag.3218409424.key:                   &#34;type&#34; =&gt; &#34;type&#34;
      tag.3218409424.propagate_at_launch:   &#34;true&#34; =&gt; &#34;true&#34;
      tag.3218409424.value:                 &#34;production&#34; =&gt; &#34;production&#34;
      tag.4034324257.key:                   &#34;Name&#34; =&gt; &#34;Name&#34;
      tag.4034324257.propagate_at_launch:   &#34;true&#34; =&gt; &#34;true&#34;
      tag.4034324257.value:                 &#34;prd-B5Site&#34; =&gt; &#34;prd-B5Site&#34;
      target_group_arns.#:                  &#34;2&#34; =&gt; &#34;2&#34;
      target_group_arns.2352758522:         &#34;arn:aws:elasticloadbalancing:us-east-1:921352000000:targetgroup/prd-B5Site-8080-tg/33ceeac3a6f8b53e&#34; =&gt; &#34;arn:aws:elasticloadbalancing:us-east-1:921352000000:targetgroup/prd-B5Site-8080-tg/33ceeac3a6f8b53e&#34;
      target_group_arns.3576894107:         &#34;arn:aws:elasticloadbalancing:us-east-1:921352000000:targetgroup/prd-B5Site-80-tg/457e9651ad8f1af4&#34; =&gt; &#34;arn:aws:elasticloadbalancing:us-east-1:921352000000:targetgroup/prd-B5Site-80-tg/457e9651ad8f1af4&#34;
      vpc_zone_identifier.#:                &#34;2&#34; =&gt; &#34;2&#34;
      vpc_zone_identifier.2325591805:       &#34;subnet-d87c3dbc&#34; =&gt; &#34;subnet-d87c3dbc&#34;
      vpc_zone_identifier.3439339683:       &#34;subnet-bfe16590&#34; =&gt; &#34;subnet-bfe16590&#34;
      wait_for_capacity_timeout:            &#34;10m&#34; =&gt; &#34;10m&#34;

-/+ module.b5site.aws_launch_configuration.lc (new resource required)
      id:                                   &#34;B5Site-prd-lc20180123194347404900000001&#34; =&gt; (forces new resource)
      associate_public_ip_address:          &#34;false&#34; =&gt; &#34;false&#34;
      ebs_block_device.#:                   &#34;0&#34; =&gt;
      ebs_optimized:                        &#34;false&#34; =&gt;
      enable_monitoring:                    &#34;true&#34; =&gt; &#34;true&#34;
      iam_instance_profile:                 &#34;prd-B5Site-instance-profile&#34; =&gt; &#34;prd-B5Site-instance-profile&#34;
      image_id:                             &#34;ami-263d0b5c&#34; =&gt; &#34;ami-263d0b5c&#34;
      instance_type:                        &#34;t2.medium&#34; =&gt; &#34;t2.large&#34; (forces new resource)
      key_name:                             &#34;&#34; =&gt;
      name:                                 &#34;B5Site-prd-lc20180123194347404900000001&#34; =&gt;
      name_prefix:                          &#34;B5Site-prd-lc&#34; =&gt; &#34;B5Site-prd-lc&#34;
      root_block_device.#:                  &#34;0&#34; =&gt;
      security_groups.#:                    &#34;1&#34; =&gt; &#34;1&#34;
      security_groups.4230886263:           &#34;sg-aca045d8&#34; =&gt; &#34;sg-aca045d8&#34;
      user_data:                            &#34;ff8281e17b9f63774c952f0cde4e77bdba35426d&#34; =&gt; &#34;ff8281e17b9f63774c952f0cde4e77bdba35426d&#34;

Plan: 2 to add, 0 to change, 2 to destroy.
</code></pre></div><p>Overall, Terraform is a pleasure to work with, and that makes a huge difference in our daily lives. DevOps people like to enjoy their lives too. 🙌</p> <h2 id="migration-from-cloudformation-to-terraform">Migration from CloudFormation to Terraform</h2> <p>It is possible to simply import the existing AWS infrastructure directly into Terraform, but there are certain downsides to it. We found that naming conventions are quite different and that would make it more challenging to maintain our environments in the future. Also, a simple import would not allow us to use the new Terraform features. For example, instead of hard-coding the identifiers of Amazon Machine Images used for deployment, we started using <code>aws_ami</code> to find the most recent image dynamically:</p> <h3 id="aws_ami">aws_ami</h3> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-html" data-lang="html">data &#34;aws_ami&#34; &#34;bastion_ami&#34; {
  most_recent = true

  filter {
    name   = &#34;architecture&#34;
    values = [&#34;x86_64&#34;]
  }

  filter {
    name   = &#34;name&#34;
    values = [&#34;bastion-*&#34;]
  }

  filter {
    name   = &#34;virtualization-type&#34;
    values = [&#34;hvm&#34;]
  }

  name_regex = &#34;bastion-.*&#34;
  owners     = [92135000000]
}
</code></pre></div><p>It took us a couple of weeks to write the code from scratch. After we had the same infrastructure described in Terraform, we recreated all non-production environments where downtime wasn’t an issue. This also allowed us to create a complete checklist of all the steps required to migrate the production environment.</p> <p>Finally, on January 21, 2018, we completely recreated 1Password.com. We had to bring the service offline during the migration. Most of our customers were not affected by the downtime because the 1Password apps are designed to function even when the servers are down or when an Internet connection is not available. 
Unfortunately, our customers who needed to access the web interface during that time were unable to do so, and we apologize for the interruption. Most of the 2 hours and 39 minutes of downtime were related to data migration. The 1Password.com database is just under 1TB in size (not including documents and attachments), and it took almost two hours to complete the snapshot and restore operations.</p> <p>We are excited to finally have all our development, test, staging, and production environments managed with Terraform. There are many new features and improvements we have planned for 1Password, and it will be fun to review new infrastructure pull requests on GitHub!</p> <p>I remember when we were starting out we hosted our very first server with 1&amp;1. It would have taken weeks to rebuild the very simple environment there. The world has come a long way since we first launched 1Passwd 13 years ago. I am looking forward to what the next 13 years will bring! 😀</p> <h2 id="questions">Questions</h2> <p>A few questions and suggestions about the migration came up on Twitter:</p> <blockquote> <p>By “recreating” you mean building out a whole new VPC with Terraform? Couldn’t you build it then switch existing DNS over for much less down time?1</p> </blockquote> <p>This is pretty much what we ended up doing. Most of the work was performed before the downtime. Then we updated the DNS records to point to the new VPC.</p> <blockquote> <p>Couldn’t you’ve imported all online resources? Just wondering.2</p> </blockquote> <p>That is certainly possible, and it would have allowed us to avoid downtime. Unfortunately, it also requires manual mapping of all existing resources. Because of that, it’s hard to test, and the chance of a human error is high – and we know humans are pretty bad at this. 
As a wise person on Twitter said: <a href="https://twitter.com/filler/status/955509298356015109">“If you can’t rebuild it, you can’t rebuild it”</a>.</p> <p>If you have any questions, let us know in the comments, or ask me (<a href="https://twitter.com/roustem">@roustem</a>) and Tim (<a href="https://twitter.com/stumyp">@stumyp</a>), our Beardless Keeper of Keys and Grounds, on Twitter.</p></description></item><item><title>1Password command-line tool 0.2: Tim’s new toys</title><link>https://blog.1password.com/1password-command-line-tool-0.2-tims-new-toys/</link><pubDate>Thu, 11 Jan 2018 00:00:00 +0000</pubDate><author>info@1password.com (Connor Hicks)</author><guid>https://blog.1password.com/1password-command-line-tool-0.2-tims-new-toys/</guid><description> <img src='https://blog.1password.com/posts/2018/cli-0.2/header.png' class='webfeedsFeaturedVisual' alt='1Password command-line tool 0.2: Tim’s new toys' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Some of you may know Tim, our Beardless Keeper of Keys and Grounds here at AgileBits. Tim and his team keep everything running smoothly. The servers are serving happily and the networks are flowing gracefully. Tim is also the administrator of our company team on 1Password.com.</p> <img src='https://blog.1password.com/posts/2018/cli-0.2/arcade-machine.png' alt='Tim standing behind a CLI themed arcade machine' title='Tim standing behind a CLI themed arcade machine' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>Tim can script and automate with the best of them, and from the moment he got a preview of <code>op</code>, the DevOps team began bombarding us with feedback. One of the first things he asked for was the ability to create vaults, so we added that right away. But we knew we could still do more for Tim – after all he was on the nice list this year – so we got him some new toys to play with. 
If you’re too excited to read more, you can just <a href="https://app-updates.agilebits.com/product_history/CLI">start playing with <code>op</code> 0.2 now</a>. To find out more, read on.</p> <h2 id="vault-into-the-new-year">Vault into the new year</h2> <p>Our first gift to Tim was more control over vault access. He can now use <code>op</code> to add users to vaults, remove users from vaults, and even delete vaults.</p> <p>So when Dave told Tim about a new project (codenamed Honey Badger), it was easy to set things up.</p> <p>Dave needed two developers, Chris and Betty, as well as one of our designers, Matt, involved in the project. With the command-line tool, Tim can switch to his terminal and do this right away. After he signs in, he can create the vault needed for the project:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash">op create vault <span class="s2">&#34;Honey Badger&#34;</span> </code></pre></div><p>But this is old news! He’s been creating vaults for months now. 
What’s new is that he can now give everyone involved access to that vault:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash">op add <span class="s2">&#34;Chris Meek&#34;</span> <span class="s2">&#34;Honey Badger&#34;</span>
op add <span class="s2">&#34;Betty Da&#34;</span> <span class="s2">&#34;Honey Badger&#34;</span>
op add <span class="s2">&#34;Matt Davey&#34;</span> <span class="s2">&#34;Honey Badger&#34;</span>
</code></pre></div><p>Tim can even create a script to take a list of email addresses and add everyone to the vault at once:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="cp">#!/bin/bash</span>
<span class="c1"># Usage: add-everyone.sh &#34;Honey Badger&#34; &lt; emailaddresses.txt</span>
<span class="c1"># Reads one email address per line from stdin; the vault name is the first argument.</span>
<span class="c1"># Both variables are quoted so a vault name containing spaces is passed as a single argument.</span>
<span class="k">while</span> <span class="nb">read</span> -r p<span class="p">;</span> <span class="k">do</span>
  op add <span class="s2">&#34;</span><span class="nv">$p</span><span class="s2">&#34;</span> <span class="s2">&#34;</span><span class="nv">$1</span><span class="s2">&#34;</span>
<span class="k">done</span>
</code></pre></div><p>After Matt is done designing project Honey Badger, it’s just as simple to remove him from the vault:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash">op remove <span class="s2">&#34;Matt Davey&#34;</span> <span class="s2">&#34;Honey Badger&#34;</span>
</code></pre></div><p>When everyone is done with the project, Tim can use <code>op delete vault &quot;Honey Badger&quot;</code> and move on to his next gift.</p> <img src='https://blog.1password.com/posts/2018/cli-0.2/game-controllers.png' alt='CLI themed console controllers' title='CLI themed console controllers' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <h2 id="new-year-new-groups">New year, new groups</h2> <p>The next gift we gave Tim was control over group membership. 
He can now use <code>op</code> to create and delete groups and choose who belongs to them.</p> <p>When Dave told Tim that Wendy was moving from the support team to the design team, Tim just casually sipped his cocoa. He knew this would be trivial. We already have groups set up for both teams, so he just ran two commands:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash">op remove <span class="s2">&#34;Wendy Appleseed&#34;</span> <span class="s2">&#34;Support&#34;</span> op add <span class="s2">&#34;Wendy Appleseed&#34;</span> <span class="s2">&#34;Design&#34;</span> </code></pre></div><p>Tim can also create and remove groups with <code>op create group</code> and <code>op delete group</code> if ever he needs to.</p> <h2 id="resolve-to-level-up-your-skills">Resolve to level up your skills</h2> <img src='https://blog.1password.com/posts/2018/cli-0.2/tim-inline.png' alt='Tim' title='Tim' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>The holidays may be over, but we have a feeling Tim will be playing with his new toys for many days to come. If you want to level up your own skills, head over to download this latest release and read the <a href="https://developer.1password.com/docs/cli/v1/usage/">full documentation</a> on our support site.</p> <p> <a href="https://app-updates.agilebits.com/product_history/CLI" class="call-to-action "> Level up with op 0.2! </a> </p> <p>Then pop in to <a href="https://1password.community/categories/cli">the 1Password Support forum</a> to let us know what you think. You’re all on our nice list, and we love hearing from you. 
Your feedback after the initial public beta was instrumental in shaping this release.</p> <p>We’re incredibly excited to continue work on this tool, as it gives you access and control over your 1Password data in a way that’s never been possible before.</p></description></item><item><title>1Password X: A look at the future of 1Password in the browser</title><link>https://blog.1password.com/1password-x-a-look-at-the-future-of-1password-in-the-browser/</link><pubDate>Mon, 13 Nov 2017 00:00:00 +0000</pubDate><author>info@1password.com (Dave Teare)</author><guid>https://blog.1password.com/1password-x-a-look-at-the-future-of-1password-in-the-browser/</guid><description> <img src='https://blog.1password.com/posts/2017/b5x1.0/header.png' class='webfeedsFeaturedVisual' alt='1Password X: A look at the future of 1Password in the browser' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">&ldquo;Wouldn&rsquo;t it be cool if 1Password could do X?&rdquo; is a question we often ask ourselves. The values for X are always changing, but some ideas come up again and again. Wouldn&rsquo;t it be cool if&hellip;</p> <ul> <li>When you log in to a site, 1Password is right there on the page ready to fill?</li> <li>You could use 1Password without downloading the app?</li> <li>Linux users and Chrome OS users could join in on the fun?</li> </ul> <p>Now 1Password can do all these and more. We call it <a href="https://blog.1password.com/why-i-switched-to-1password-x/">1Password X</a>, and it&rsquo;s our brand new, full-featured experience that runs entirely in your browser.</p> <p>It&rsquo;s super easy to set up, deploy, and use. It works everywhere Chrome works, including Linux and Chrome OS. 
And it&rsquo;s a re-imagination of how 1Password works on the web.</p> <img src='https://blog.1password.com/posts/2017/b5x1.0/evernote-login.png' alt='1Password X sign in to Evernote' title='1Password X sign in to Evernote' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <h2 id="x-is-for-extension">X is for extension</h2> <p>Before we jump in, I want to address one thing you may be thinking: our X is a letter, not a version number. Our X is a hat tip to one of the most beloved features of 1Password, namely our 1Password extension.</p> <img src='https://blog.1password.com/posts/2017/b5x1.0/evernote-save.png' alt='Saving Evernote login with 1Password X' title='Saving Evernote login with 1Password X' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>The extension is what allows us to have the little 1Password icon in your browser toolbar. I call it our bread and butter, and I couldn&rsquo;t live without it. 😊</p> <p>1Password X builds on this experience and takes it to the next level. The most visible change you just saw above – your logins are now available directly within the webpage you are viewing!</p> <p>It&rsquo;s smart, too. 1Password anticipates what you need and shows you the options that are most relevant to your current task. If you are signing up for a new site, 1Password suggests a generated password for you right then and there.</p> <p>You can also save your new login, name it, and pick which vault to store it in.</p> <h2 id="x-is-for-linux">X is for Linux</h2> <p>One of the most popular requests of all time has been Linux support. In fact, the forum thread asking for Linux has over 75,000 views. That&rsquo;s a lot of cold penguins. 🙂</p> <p>Because <a href="https://1password.com/resources/guides/1password-for-google-chrome/">1Password X is a Chrome extension</a>, it works everywhere Chrome is available, including Linux. 
In fact, we initially shared 1Password X exclusively with Linux users as we wanted to make sure we nailed it.</p> <img src='https://blog.1password.com/posts/2017/b5x1.0/b5x-locked.jpg' alt='1Password X in locked state' title='1Password X in locked state' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>Tim, our chief sysadmin and &ldquo;beardless keeper of keys and grounds&rdquo;, is a hardcore Linux evangelist who, until now, has had no other choice than to use Wine to run 1Password. Tim has been our toughest critic over the years for our lack of Linux support, and so far he&rsquo;s been thrilled.</p> <p>There&rsquo;s still lots of work to do, but we have thousands of happy Linux users already enjoying 1Password X. And we can&rsquo;t wait to invite all of the other penguins in out of the cold! 😘</p> <h2 id="x-is-for-exceedingly-powerful">X is for exceedingly powerful</h2> <p>1Password X has all of the power of a full-featured app. And because it connects directly to your 1Password account, everything you expect from 1Password is there – your vaults, your items, and all their details.</p> <img src='https://blog.1password.com/posts/2017/b5x1.0/b5x-features.png' alt='1Password X displaying logins' title='1Password X displaying logins' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>And we&rsquo;ve sprinkled in some additional features to absolutely delight you:</p> <ul> <li><strong>Keyboard navigation:</strong> We know this is a big one for power users, so we made sure everything can be done without lifting your fingers from the keyboard.</li> <li><strong>Smart search:</strong> Just start typing to find exactly what you need – ideal for when you have multiple logins for a site.</li> <li><strong>Perfect memory:</strong> 1Password remembers what you were doing last, whether you were in the middle of a search or looking at an item&rsquo;s details.</li> <li><strong>One-time password filling:</strong> 
Your two-factor authentication codes are filled just like usernames and passwords.</li> <li><strong>Authentication dialog filling:</strong> If you ever see one of those old-school HTTP authentication prompts, rest assured that 1Password can fill them.</li> </ul> <p>My personal favourite has to be our amazing new search – I just start typing and my matching items appear automatically. I love it so much that filling one-time passwords had to take second <del>factor</del> place. It was close, though – only 30 seconds behind! 😃</p> <h2 id="x-is-for-extra-easy-setup">X is for extra easy setup</h2> <p>Historically, we&rsquo;ve needed to teach people how to first install and set up the app, and then take them out of the app to install the extension. With 1Password X, they&rsquo;re one and the same. Just install it, enter your Master Password, and you&rsquo;re in.</p> <p>Because there&rsquo;s no need to install a separate desktop app, deployment within team environments is as simple as can be. And by using multiple Chrome profiles, your team members can share the same machine while having access to their own 1Password data.</p> <p>1Password X can even be installed on Chrome OS, which makes me super excited as now I can finally buy one of those lovely new Pixelbooks. 🤘</p> <h2 id="x-is-for-excelsior">X is for Excelsior!</h2> <p>1Password X is a radical new way of using 1Password, but it&rsquo;s not (yet) for everyone. It&rsquo;s still in its early stages so some features are not yet available. For example, it&rsquo;s not yet possible to customize generated passwords or use browsers like Safari, Firefox, and Edge.</p> <p>But it is an exciting new way to use 1Password on the web, and for me, that outweighs any drawbacks. I&rsquo;ve been using 1Password X exclusively for the last 6 months, and I couldn&rsquo;t be happier.</p> <p>So is 1Password X for you? If you&rsquo;re running Linux or Chrome OS, you should jump right in. 
Or if you&rsquo;re adventurous and enjoy the thrill of discovering new things while being on the cutting edge, then 1Password X is for you – it runs fine alongside the 1Password apps and extension you already use.</p> <p>1Password X was designed for our hosted 1Password service and connects directly to your account. It is available in English, French, German, Italian, Russian, and Spanish and can be installed from the Chrome Web Store:</p> <p> <a href="https://chrome.google.com/webstore/detail/1password-%E2%80%93-password-mana/aeblfdkhhhdcdjpifhhbdiojplfjncoa" class="call-to-action "> Install 1Password X </a> </p> <p>I hope you’re as excited about 1Password X as I am! Learn how to <a href="https://support.1password.com/getting-started-1password-x/">get started with 1Password X</a> and <a href="https://1password.community/categories/saving-and-filling-logins">join the discussion in our forum</a> to let us know what you think! ❤️</p> <p>Now let&rsquo;s all go join Harold in their rocket ship and explore what&rsquo;s possible! 😃 🚀</p> <img src='https://blog.1password.com/posts/2017/b5x1.0/b5x-rocket.png' alt='Harold boarding a 1Password X rocket, getting ready to blast off to start a new world.' title='Harold boarding a 1Password X rocket, getting ready to blast off to start a new world.' 
style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /></description></item><item><title>1Password 7 for iOS: Efficiency Abounds</title><link>https://blog.1password.com/1password-7-for-ios-efficiency-abounds/</link><pubDate>Fri, 03 Nov 2017 00:00:00 +0000</pubDate><author>info@1password.com (Michael Fey)</author><guid>https://blog.1password.com/1password-7-for-ios-efficiency-abounds/</guid><description> <img src='https://blog.1password.com/posts/2017/efficiency-abounds/header.jpg' class='webfeedsFeaturedVisual' alt='1Password 7 for iOS: Efficiency Abounds' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Hello and happy November, everyone! We’ve long anticipated this day here at AgileBits. After months of hard work, <a href="https://1password.com/downloads/ios/">1Password 7 for iOS</a> is now available on iOS 11.</p> <p>The very first step in the journey that brought us to this point was taken back in June, shortly after the Apple Worldwide Developers Conference. Before a single line of code was written, before a single new screen was designed, we set a single goal for this update: <strong>efficiency</strong>. Along the way, we also added a few more features, like support for iPhone X and Face ID, and we’re excited to finally share it all with you.</p> <p>As our release notes say, this is the greatest version of 1Password for iOS we have ever shipped, so let’s dive in, shall we?</p> <h2 id="iphone-x-and-face-id">iPhone X and Face ID</h2> <img src='https://blog.1password.com/posts/2017/efficiency-abounds/face-id.png' alt='iPhone X and Face ID' title='iPhone X and Face ID' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>On September 12th, like many of you, everyone here at AgileBits was glued to their screens watching Apple’s keynote from the beautiful Steve Jobs Theater at the new Apple Park campus. 
The announcement of iPhone X was already exciting, but the introduction of Face ID was like Christmas for us. We knew right away that we’d move heaven and earth to be there on launch day with Face ID support.</p> <p>We began working immediately to make sure that 1Password worked perfectly on iPhone X. Apple was smart and made Face ID work wherever <a href="https://1password.com/mac/">Touch ID</a> already does, so technically we didn’t need to do anything. But that’s not the way we roll.</p> <p>We completely <strong>optimized the lock screen for Face ID</strong>. Matt Davey, who led the design effort, blew the doors off with this one. 🙂</p> <p>My iPhone X is set to arrive tomorrow, and I can’t wait to install 1Password and step into the future.</p> <h2 id="quick-copy">Quick Copy</h2> <p>In a perfect world, every developer would <a href="https://blog.1password.com/apps-love-1password/">be as awesome as these folks</a> and take five minutes to <a href="https://github.com/agilebits/onepassword-app-extension">add support for 1Password</a> to their app. But because we don’t live in a perfect world, signing in to another app sometimes used to mean you needed to:</p> <ol> <li>Open 1Password.</li> <li>Find the Login you need.</li> <li>Copy your username.</li> <li>Switch back to the app where you need it.</li> <li>Paste your username.</li> <li>Switch back to 1Password.</li> <li>Copy your password.</li> <li>Switch back to the app where you need it.</li> <li>Paste the password.</li> </ol> <p>And if you needed the <a href="https://support.1password.com/one-time-passwords/">one-time password</a> for that app, there were four more steps after that. Yeesh!</p> <p>In 1Password 7, copying is now done automatically. After you copy your username and paste it in another app, switching back to 1Password will <strong>automatically copy your password</strong>. And it’s the same with one-time passwords. 
Switch back one more time, and they’re copied automatically, too.</p> <p>You can learn more about <a href="https://support.1password.com/copy-passwords/?ios#use-quick-copy">Quick Copy</a> on our lovely support site.</p> <aside class="c-technical-aside-box c-technical-aside-box--background"> <div class="c-technical-aside-box__description"> <p>Want to stay secure online? Create a unique username with 1Password&rsquo;s free <a href="https://1password.com/username-generator/">Username Generator</a>!</p> </div> </aside> <h2 id="favorites">Favorites</h2> <img src='https://blog.1password.com/posts/2017/efficiency-abounds/1Password-7-Favorites.gif' alt='Favorites' title='Favorites' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>There’s no faster way to access an item than by adding it as a favorite. At least, that’s what we used to think. In 1Password 7, I’m happy to say that we’ve done better. Way better.</p> <p>Now, when you tap an item in Favorites, you’ll see all the details you want to copy in a beautiful array of bubbles. Simply tap on any one of the bubbles to copy its value to the clipboard. Not only that, but items on the Favorites list participate in Quick Copy as well!</p> <h2 id="the-key-to-a-great-app">The Key to a Great App</h2> <p>iOS has wonderful support for external keyboards, and I’m happy to report that now 1Password does, too. If you’re one of our keyboard warriors, make sure you give it a try. 1Password 7 includes <a href="https://support.1password.com/keyboard-shortcuts/?ios">keyboard shortcuts</a> for searching, switching tabs, opening and filling items, and more.</p> <h2 id="go-speed-racer">Go Speed Racer</h2> <p>Big, new features are awesome, but we didn’t stop there. We dug deep to unearth some truly fantastic performance increases for this update as well. 1Password now unlocks 33% faster and has seen a 400% increase in stability throughout. 
We also made some improvements to our password generator to make it much more responsive and easier to use.</p> <h2 id="wrapping-it-up-in-a-pretty-package">Wrapping It Up In a Pretty Package</h2> <img src='https://blog.1password.com/posts/2017/efficiency-abounds/New-App-Icon-Reveal.png' alt='Wrapping It Up In a Pretty Package' title='Wrapping It Up In a Pretty Package' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>No major update would be complete without a fresh coat of paint on the user interface. 1Password 7 sports a beautiful new icon with a gorgeous gradient on the lock ring. That color scheme carries through to the lock screen where, if you let it sit for a few seconds, you’ll notice a gentle “happiness vortex” animation take place as the colors go for a spin.</p> <p>Many of you use the 1Password extension to sign in to websites directly in Safari or other third-party apps. The next time you do, you’ll see the extension received a fantastic visual update as well!</p> <p>We’ve also overhauled the navigation bar at the bottom of the screen with some new iconography and a better layout. Coupled with the aforementioned new look for Favorites, our beloved <a href="https://1password.com/downloads/ios/">iOS app</a> has never looked better.</p> <h2 id="and-the-hits-keep-coming">And the Hits Keep Coming</h2> <p>Check out the <a href="https://app-updates.agilebits.com/product_history/OPI4">1Password for iOS release notes</a> for a full account of everything we’ve crammed into 1Password 7, but I wanted to close out with a few more of my top picks:</p> <ul> <li>If you register a new fingerprint with Touch ID, 1Password will require your Master Password the next time you open it.</li> <li>You can now delete multiple items at once. 
Swipe down from the top of an item list, select the items you want to remove, then tap Delete.</li> <li>Recently used items appear in Favorites for easy access.</li> <li>Saving a new Login now informs you that the password for that Login has been copied to the clipboard.</li> <li>An advanced security setting allows you to use a PIN code to unlock 1Password, even on devices that support Touch ID or Face ID.</li> </ul> <p>Whew! Are you still with me? If so, well done! If you haven’t already done so, go <a href="https://itunes.apple.com/us/app/1password-password-manager/id568903335?mt=8&amp;ign-mpt=uo%3D4">download 1Password 7</a> now and tell us what your favorite new feature is.</p> <a href="https://apps.apple.com/us/app/1password-password-manager/id568903335?ign-mpt=uo%3D4" title='Download 1Password 7 on the app store'> <img src='https://blog.1password.com/posts/2017/efficiency-abounds/Download_on_the_App_Store.png' alt='Download 1Password 7 on the app store' title='Download 1Password 7 on the app store' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> </a> <p>Until next time!</p></description></item><item><title>1Password living on the [Microsoft] Edge</title><link>https://blog.1password.com/1password-living-on-the-microsoft-edge/</link><pubDate>Tue, 10 Oct 2017 00:00:00 +0000</pubDate><author>info@1password.com (Kate Sebald)</author><guid>https://blog.1password.com/1password-living-on-the-microsoft-edge/</guid><description> <img src='https://blog.1password.com/posts/2018/microsoft-edge/header.jpg' class='webfeedsFeaturedVisual' alt='1Password living on the [Microsoft] Edge' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">I’ve long been curious about Microsoft Edge. It’s fast, light-weight, and much more secure than the Internet Explorer of my childhood. It had everything you look for in a browser … except 1Password support. 
Today that changes!</p> <img src='https://blog.1password.com/posts/2018/microsoft-edge/Edge-Extension-Light.png' alt='Edge Extension' title='Edge Extension' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>Thanks to the hard work of the Microsoft Edge and Windows Store teams, along with our own Windows team, I’m excited to announce that 1Password now has a lovely new home right on your Microsoft Edge toolbar. 🎉</p> <h2 id="boldly-go-where-no-login-item-has-gone-before">Boldly go where no Login item has gone before</h2> <p>To bring your items with you to explore Microsoft Edge, first make sure you have 1Password 6.7 or later <a href="https://support.1password.com/explore/get-started/">installed and set up</a>. Then, head to the Windows Store and <a href="https://microsoftedge.microsoft.com/addons/detail/1password-%E2%80%93-password-mana/dppgmdbiimibapkepcbdbmkaabgiofem">grab the 1Password extension</a>. Open Microsoft Edge, enable the <a href="https://1password.com/downloads/windows/#browsers">1Password extension</a>, and enjoy saving new Login items, opening and filling in Microsoft Edge from 1Password mini, filling addresses and credit card details, and easy access to the Strong Password Generator, just like you’ve come to know and love. 
If you’re still using an older version of 1Password, you can follow this <a href="https://support.1password.com/migrate-1password-account/">handy guide</a> to migrate your existing data to the latest version of 1Password to get ready to seek out new frontiers in Microsoft’s latest browser.</p> <h2 id="hello-dark-mode-my-old-friend">Hello dark mode, my old friend</h2> <img src='https://blog.1password.com/posts/2018/microsoft-edge/full-width-light-dark.png' alt='Edge Extension' title='Edge Extension' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>As you’re working your own 1Password magic in Microsoft Edge, don’t forget to check out my favorite feature: its super-sleek dark mode. I love how it turns your 1Password extension icon into a lovely point of light on your toolbar and it’s perfect for late-night browsing. Let the stars next to your favorites light up Microsoft Edge and help guide you to your most loved websites at the click of a Login item. Of course, if a different vision has been planted in your brain, the extension icon looks right at home in light mode too. 😉</p> <img src='https://blog.1password.com/posts/2018/microsoft-edge/darkmode.png' alt='Edge Extension' title='Edge Extension' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <h2 id="to-the-edge-and-beyond">To the Edge and beyond!</h2> <p>As stoked as we are about 1Password coming to Microsoft Edge, this is only the beginning and some finishing touches are coming in future releases. Support for keyboard shortcuts to fill logins and some tweaks to how mini lets you know you’re filling in Edge are included with the latest <a href="https://support.1password.com/betas/?windows#get-the-1password-beta">1Password 6 for Windows beta</a>. 
Additional improvements for filling on certain sites will also be addressed down the road.</p> <p>Currently, the 1Password extension in Microsoft Edge requires 1Password 6.7 for Windows or later and a 1Password membership. We will be expanding Edge availability in future releases but if you’d like to enjoy using Edge sooner than later, now is a great time to <a href="https://support.1password.com/explore/get-started/">give a 1Password membership a try</a>. In addition to early access, there are <a href="https://support.1password.com/why-account/">many other benefits</a> and it’s free for 14 days!</p> <p>I hope you enjoy saving and filling in Microsoft Edge and, as always, we love seeing your feedback in <a href="https://1password.community/">our support forum</a>. 😊</p></description></item><item><title>Announcing the 1Password command-line tool public beta</title><link>https://blog.1password.com/announcing-the-1password-command-line-tool-public-beta/</link><pubDate>Wed, 06 Sep 2017 00:00:00 +0000</pubDate><author>info@1password.com (Connor Hicks)</author><guid>https://blog.1password.com/announcing-the-1password-command-line-tool-public-beta/</guid><description> <img src='https://blog.1password.com/posts/2017/public-beta/header.jpg' class='webfeedsFeaturedVisual' alt='Announcing the 1Password command-line tool public beta' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">Here at AgileBits, we’ve been working hard over the last few months to bring power users, developers, and administrators more powerful ways to interact with 1Password. We’re proud to announce that we have something that fits the bill. It’s called the 1Password command-line tool, and we can’t wait to see what you build with it. 
Let me take this opportunity to walk you through the exciting potential.</p> <h2 id="introducing-op">Introducing <code>op</code></h2> <img src='https://blog.1password.com/posts/2017/public-beta/cli-icon.png' alt='The 1Password command-line tool makes your 1Password account accessible entirely from the command line.' title='The 1Password command-line tool makes your 1Password account accessible entirely from the command line.' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>Password apps are available on just about every platform, but they’ve always had the same dependency: a graphical interface. Now all of 1Password is available with just two characters: <code>op</code>.</p> <p>The <a href="https://1password.com/downloads/command-line/">1Password command-line tool</a> makes your 1Password account accessible entirely from the command line. A simple <code>op signin</code> will securely authenticate you with the 1Password service and give you access to a wide range of capabilities:</p> <p>Getting usernames and passwords from items:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-html" data-lang="html">$ op get item OpenProxy | jq &#39;.details.fields[] | select(.designation==&#34;password&#34;).value&#39; &#34;genuine-adopt-pencil-coaster&#34; </code></pre></div><p>Creating new items and vaults:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-html" data-lang="html">$ op create item login $(cat aws.json | op encode) --title=&#34;AWS&#34; {&#34;uuid&#34;:&#34;5hinhvejl7wtmbeorfts7ho3di&#34;,&#34;vaultUuid&#34;:&#34;i5imjpvdivbsxo56m2ap2n66gy&#34;} </code></pre></div><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-html" data-lang="html">$ op create vault devops {&#34;uuid&#34;:&#34;ny5khay7t3lmhrp4pjsxl4w34q&#34;} </code></pre></div><p>Working with documents:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code 
class="language-html" data-lang="html">$ op create document ./devops.pdf --vault=devops --tags=architecture {&#34;uuid&#34;:&#34;i3rsiwjfh7aryvbu5odr4uleki&#34;,&#34;vaultUuid&#34;:&#34;ny5khay7t3lmhrp4pjsxl4w34q&#34;} </code></pre></div><p>If you’re a team administrator, you can also manage other users and shared vaults — all without leaving your terminal:</p> <p><code>op suspend john@acmecorp.com</code></p> <p>One of the most frequent requests we receive from 1Password Teams customers is the ability to export the Activity Log. With the <a href="https://support.1password.com/explore/teams-pro/">Pro plan</a>, <code>op list events</code> makes it easy to ingest activity data into the application of your choosing. Be it Splunk, Kibana, Papertrail, or your own tool, <code>op</code> outputs JSON, so it’s simple to work with.</p> <p>But we didn’t just build the tool to solve specific requests. It’s flexible enough to handle use cases we haven’t even thought of. The possibilities are endless, and we know you’ll come up with something amazing.</p> <img src='https://blog.1password.com/posts/2017/public-beta/cli-command-blocks.png' alt='CLI command blocks' title='CLI command blocks' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <h2 id="-rock-robot-rock-solid-">🎶 Rock, robot rock (solid) 🎶</h2> <p>The command structure is similar to tools you already use, providing easy integration with your workflow. Now automated systems can have access to secure credentials without ever storing them in plaintext. Here at AgileBits, for example, we’ve been using <code>op</code> for the last few months as part of our automated build systems. It’s been super useful for fetching secure keys and tokens required for building and deploying 1Password. 
After a secure <code>op signin</code>, we have a script that fetches the appropriate signing key from a shared vault and automatically signs new builds.</p> <p>The tool was written from the ground up with the battle-tested Go programming language, the very same we used to build the 1Password service itself. As with every 1Password client, all encryption and decryption is done on your machine locally, ensuring the highest level of security best practices you’ve come to expect from the entire family of 1Password apps.</p> <h2 id="get-yo-nix-on">Get yo’ *NIX on</h2> <p>Our dreams of late have been filled with penguins. Two weeks ago we shared a treat with Linux users, and this week it becomes a feast. You might have already tried <a href="https://blog.1password.com/welcoming-linux-to-the-1password-family/">1Password for Linux</a> and <a href="https://1password.com/resources/guides/1password-for-chromebook/">Chrome OS</a>, but we know what really makes developers salivate: a CLI. You can download <code>op</code> for macOS, Linux, FreeBSD, OpenBSD, and NetBSD on i386, ARM, and AMD64 architectures. 
Oh, and our Windows friends can play too!</p> <img src='https://blog.1password.com/posts/2017/public-beta/cool-users.png' alt='Cool users' title='Cool users' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <h2 id="whats-next">What’s next?</h2> <p>If you’re as excited as we are about this, here’s everything you need to get started:</p> <ul> <li><a href="https://app-updates.agilebits.com/product_history/CLI">Download</a> the 1Password command-line tool.</li> <li>Discover all the <a href="https://developer.1password.com/docs/cli/v1/get-started/">amazing things</a> you can do with the tool.</li> <li>Stop by the <a href="https://1password.community/categories/cli">1Password Support forum</a> to post your ideas, scripts, and feedback.</li> </ul> <p>We highly value the thoughts of people using the beta in the real world, so we can continue improving the tool for you. As we work toward a stable release and eventually open source, please bear in mind that there may be breaking changes down the line, but we’re more than happy to work with you to resolve any issues. 
We look forward to working together to create some truly useful and powerful tools, and we can’t do it without you.</p> <p>Now let’s get ready to 🎶 <code>pipe</code> it, <code>grep</code> it, <code>cat</code> it, <code>sed</code> it 🎶</p></description></item><item><title>Introducing Travel Mode: Protect your data when crossing borders</title><link>https://blog.1password.com/introducing-travel-mode-protect-your-data-when-crossing-borders/</link><pubDate>Thu, 18 May 2017 00:00:00 +0000</pubDate><author>info@1password.com (Rick Fillion)</author><guid>https://blog.1password.com/introducing-travel-mode-protect-your-data-when-crossing-borders/</guid><description> <img src='https://blog.1password.com/posts/2017/travel-mode/header.png' class='webfeedsFeaturedVisual' alt='Introducing Travel Mode: Protect your data when crossing borders' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p class="introduction">We often get inspired to create new features based on feedback from our customers. Earlier this month, our friends at Basecamp <a href="https://m.signalvnoise.com/basecamps-employee-handbook-is-public/">made their Employee Handbook public</a>. We were impressed to see they had a whole section about using 1Password, which included instructions for keeping work information off their devices when travelling internationally.</p> <p>We knew right away that we wanted to make it easier for everyone to follow this great advice. So we hunkered down and built <a href="https://1password.com/features/travel-mode/">Travel Mode</a>.</p> <p>Travel Mode is a new feature we’re making available to <strong>everyone with a 1Password membership</strong>. It protects your 1Password data from unwarranted searches when you travel. 
When you turn on Travel Mode, every vault will be removed from your devices except for the ones marked “safe for travel.” All it takes is a single click to travel with confidence.</p> <img src='https://blog.1password.com/posts/2017/travel-mode/activate.gif' alt='Activate travel mode animation' title='Activate travel mode animation' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>It’s important for me that my personal data be as secure and private as possible. I have data on my devices that’s ultimately a lot more sensitive than my personal data though. As one of the developers here at AgileBits I’m trusted with access to certain keys and services that we simply can’t take any risks with.</p> <h2 id="how-it-works">How it works</h2> <p>Let’s say I had an upcoming trip for a technology conference in San Jose. I hear the apples are especially delicious over there this time of year. :) Before Travel Mode, I would have had to sign out of all my 1Password accounts on all my devices. If I needed certain passwords with me, I had to create a temporary travel account. It was a lot of work and not worth it for most people.</p> <p>Now all I have to do is make sure any of the items I need for travel are in a single vault. I then sign in to my account on 1Password.com, mark that vault as “safe for travel,” and turn on Travel Mode in my profile. I unlock 1Password on my devices so the vaults are removed, and I’m now ready for my trip. 
Off I go from sunny Winnipeg to hopefully-sunnier San Jose, ready to cross the border knowing that my iPhone and my Mac no longer contain the vast majority of my sensitive information.</p> <img src='https://blog.1password.com/posts/2017/travel-mode/travel-mode-backpack.png' alt='Backpack containing 1Password items' title='Backpack containing 1Password items' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <p>After I arrive at my destination, I can sign in again and turn off Travel Mode. The vaults immediately show up on my devices, and I’m back in business.</p> <h2 id="not-just-a-magic-trick">Not just a magic trick</h2> <p>Your vaults aren’t just hidden; they’re completely removed from your devices <a href="https://support.1password.com/travel-mode/">as long as Travel Mode is on</a>. That includes every item and all your encryption keys. There are no traces left for anyone to find. So even if you’re asked to unlock 1Password by someone at the border, there’s no way for them to tell that Travel Mode is even enabled.</p> <p>In 1Password Teams, Travel Mode is even cooler. If you’re a team administrator, you have total control over which secrets your employees can travel with. You can turn Travel Mode on and off for your team members, so you can ensure that company information stays safe at all times.</p> <p>Travel Mode is going to change how you use 1Password. It’s already changed the way we use it. When we gave a sneak peek to our friends at Basecamp, here’s what their founder, David Heinemeier Hansson, had to say:</p> <img src='https://blog.1password.com/posts/2017/travel-mode/david-heinemeier-hansson.png' alt='David Heinemeier Hansson' title='David Heinemeier Hansson' style='max-width: 600px; width: 100%; display: inline-block; margin: 0 auto;' /> <blockquote> <p>International travel while maintaining your privacy (and dignity!) has become increasingly tough. 
We need better tools to help protect ourselves against unwarranted searches and the leakage of business and personal secrets. 1Password is taking a great step in that direction with their new Travel Mode. Bravo.</p> </blockquote> <p>Travel Mode is available today, included in every <a href="https://1password.com/business-pricing/">1Password membership</a>. Give it a shot, and let us know how you travel with 1Password.</p> <p><a href="https://support.1password.com/travel-mode/">Learn how to use Travel Mode</a> on our support site.</p></description></item></channel></rss>