<?xml version="1.0" encoding="ISO-8859-1"?>

<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/">
	<channel>
		<title>Agile Web Solutions Support Forums - Agile Lounge</title>
		<link>http://support.agilewebsolutions.com/</link>
		<description><![CDATA[Even agile folks need to sit down. A place to talk about things which don't belong somewhere else.]]></description>
		<language>en</language>
		<lastBuildDate>Thu, 29 Jul 2010 11:22:49 GMT</lastBuildDate>
		<generator>vBulletin</generator>
		<ttl>60</ttl>
		<image>
			<url>http://support.agilewebsolutions.com/images/misc/rss.png</url>
			<title>Agile Web Solutions Support Forums - Agile Lounge</title>
			<link>http://support.agilewebsolutions.com/</link>
		</image>
		<item>
			<title>College/University Sales</title>
			<link>http://support.agilewebsolutions.com/showthread.php?25278-College-University-Sales&amp;goto=newpost</link>
			<pubDate>Thu, 22 Jul 2010 19:13:00 GMT</pubDate>
			<description><![CDATA[Have you guys thought about working with College/Universities to give them site licenses for their staff & students to use 1Password both on Mac &...]]></description>
			<content:encoded><![CDATA[<div>Have you guys thought about working with College/Universities to give them site licenses for their staff &amp; students to use 1Password both on Mac &amp; PC?  The reason why I mention this is my school (and I know it isn't unique) is 'obsessed' with security, forcing the students to change their passwords every 60 days (even when this has been proven to be more insecure).  Additionally I know that many campuses provide students with a copy of Norton AV (or McAfee, etc) to 'protect' them from viruses.<br />
<br />
Maybe you guys could talk to some universities and get some nice contracts with them.  You could explain how using 1Password (w/Dropbox) is the most secure way to generate hard-to-guess passwords and store them safely.  <br />
<br />
Just a thought.</div>

 ]]></content:encoded>
			<category domain="http://support.agilewebsolutions.com/forumdisplay.php?55-Agile-Lounge">Agile Lounge</category>
			<dc:creator>stevenc317</dc:creator>
			<guid isPermaLink="true">http://support.agilewebsolutions.com/showthread.php?25278-College-University-Sales</guid>
		</item>
		<item>
			<title>IE, FF, Chrome, and Safari browsers are susceptible to attacks</title>
			<link>http://support.agilewebsolutions.com/showthread.php?25254-IE-FF-Chrome-and-Safari-browsers-are-susceptible-to-attacks&amp;goto=newpost</link>
			<pubDate>Wed, 21 Jul 2010 19:28:16 GMT</pubDate>
			<description>A good reason not to store user names and passwords in the browser. 
 
http://www.theregister.co.uk/2010/07/20/browser_info_disclosure_weaknesses/</description>
			<content:encoded><![CDATA[<div>A good reason not to store user names and passwords in the browser.<br />
<br />
<a href="http://www.theregister.co.uk/2010/07/20/browser_info_disclosure_weaknesses/" target="_blank">http://www.theregister.co.uk/2010/07...re_weaknesses/</a></div>

 ]]></content:encoded>
			<category domain="http://support.agilewebsolutions.com/forumdisplay.php?55-Agile-Lounge">Agile Lounge</category>
			<dc:creator>kurtd</dc:creator>
			<guid isPermaLink="true">http://support.agilewebsolutions.com/showthread.php?25254-IE-FF-Chrome-and-Safari-browsers-are-susceptible-to-attacks</guid>
		</item>
		<item>
			<title>Hacked! Now What?!</title>
			<link>http://support.agilewebsolutions.com/showthread.php?24959-Hacked!-Now-What-!&amp;goto=newpost</link>
			<pubDate>Thu, 08 Jul 2010 10:35:52 GMT</pubDate>
			<description><![CDATA[Hi, 
 
I'm not sure if this is the correct spot to post this, but I'm writing to say that 1Password saved me BIG TIME! I randomly plugged my email...]]></description>
			<content:encoded><![CDATA[<div>Hi,<br />
<br />
I'm not sure if this is the correct spot to post this, but I'm writing to say that 1Password saved me BIG TIME! I randomly plugged my email address into Google yesterday and to my utter dismay the first thing that popped up was my main email address and one of the passwords I used to use quite a bit. It turns out it's part of a huge list of email addresses and passwords on some German forum for trading stolen credit card and financial information! I about soiled myself! Obviously some place I visited got hacked.<br />
<br />
The only good thing is that about two years ago I bought 1Password (when I first got an iPhone 3G), and, at that time, I decided to beef up the passwords on all my major accounts (email, banking, etc.). As a result, most of the important sites were safe. After seeing that last night, I went through everything using that password and changed them using very strong, unique passwords for every one of the sites. I will NEVER use the same password on two websites ever again! I hope to God nothing important ended up in those S.O.B's hands. The only thing I have noticed is that for nearly the past year that email address has been getting spammed like crazy!<br />
<br />
Here is my question. What do I do from here?<br />
<br />
I'm thinking my next steps will be:<br />
<br />
1) Delete any accounts in my real name on all non-essential sites, and if they are places I want to continue subscribing (like forums), I will set up new accounts using a pseudonym and unique, strong passwords.<br />
<br />
2) For the remaining essential sites that I need to keep in my real name, I will ensure that I have strong, unique passwords.<br />
<br />
3) Cancel that Yahoo address ASAP. Does anyone know if it's possible to download my email off of Yahoo into a useable format? I'm on a Mac. I think I have a couple of gigs worth of email.<br />
<br />
4) Send a link to that German site to the FBI's online fraud task force. I forget the name of the task force. Probably won't help, but it's worth reporting.<br />
<br />
Also, since I plan to do some major password overhauling, I'm even more concerned than before about losing this info. My last computer died and I lost a lot of important stuff. Is it pretty easy to save a copy of all of my passwords on 1Password into an encrypted file? I've never done this before. I'd like to store this info online somewhere, just in case.<br />
<br />
Am I missing anything?<br />
<br />
Man I feel violated. <br />
<br />
Thanks to all, especially the 1Password guys. I have to admit, I was wary of the price at first, now I realize it is invaluable software.<br />
<br />
PS: You might want to put together a list of things that people like myself should do on your website.  I bet there are lots of people that start looking into a product like this AFTER something like this happens. It would not only be a good service, but might help people realize how essential this type of product is.</div>

 ]]></content:encoded>
			<category domain="http://support.agilewebsolutions.com/forumdisplay.php?55-Agile-Lounge">Agile Lounge</category>
			<dc:creator>Skjold</dc:creator>
			<guid isPermaLink="true">http://support.agilewebsolutions.com/showthread.php?24959-Hacked!-Now-What-!</guid>
		</item>
		<item>
			<title><![CDATA[[!1Password] FileVault Encryption and Time Machine]]></title>
			<link>http://support.agilewebsolutions.com/showthread.php?24953-!1Password-FileVault-Encryption-and-Time-Machine&amp;goto=newpost</link>
			<pubDate>Thu, 08 Jul 2010 02:03:13 GMT</pubDate>
			<description><![CDATA[Hi guys, 
 
I'm not really sure where to post this, but Agile seems to have a community focused around this, so this seems like a good place! 
 
I'm...]]></description>
			<content:encoded><![CDATA[<div>Hi guys,<br />
<br />
I'm not really sure where to post this, but Agile seems to have a community focused around this, so this seems like a good place!<br />
<br />
I'm looking to enable FileVault encryption on my MacBook, but by default this means that Time Machine will not back up the volume unless I'm logged out. Additionally, I'd like to encrypt my Time Machine backup both at home and at work as it contains a fair bit of sensitive information.<br />
<br />
I've found some articles describing how to enable Time Machine backups while logged in, and a little bit of information on how to encrypt the TM volume itself.<br />
<br />
What I'd like to know is: is this the right approach? I'm wondering if I'm maybe just using the wrong tools...<br />
<br />
Cheers,</div>

 ]]></content:encoded>
			<category domain="http://support.agilewebsolutions.com/forumdisplay.php?55-Agile-Lounge">Agile Lounge</category>
			<dc:creator>kop48</dc:creator>
			<guid isPermaLink="true">http://support.agilewebsolutions.com/showthread.php?24953-!1Password-FileVault-Encryption-and-Time-Machine</guid>
		</item>
		<item>
			<title>Security Considerations in 1Password</title>
			<link>http://support.agilewebsolutions.com/showthread.php?24951-Security-Considerations-in-1Password&amp;goto=newpost</link>
			<pubDate>Thu, 08 Jul 2010 01:18:16 GMT</pubDate>
			<description><![CDATA[I originally started this discussion with 1Password's support email, but it seemed a bit more constructive to post here, so that everyone can see the...]]></description>
			<content:encoded><![CDATA[<div>I originally started this discussion with 1Password's support email, but it seemed a bit more constructive to post here, so that everyone can see the answers.<br />
<br />
My original question:<br />
<div class="bbcode_container">
	<div class="bbcode_description">Quote:</div>
	<div class="bbcode_quote printable">
		<hr />
		
			Just reading this article <a href="http://bit.ly/dbaZo1" target="_blank">http://bit.ly/dbaZo1</a> Wondering how you guys stop string-recovery from memory and HDD?
			
		<hr />
	</div>
</div> Jeff's answer:<br />
<div class="bbcode_container">
	<div class="bbcode_description">Quote:</div>
	<div class="bbcode_quote printable">
		<hr />
		
			You ask very good and subtle questions.  We fully understand that although the encryption itself uses a 128 bit key, individuals' master passwords are never that strong in and of themselves.<br />
<br />
What Bruce Schneier talks about in the article is addressed by our use of PBKDF2 with 1000 iterations.<br />
<br />
 <a href="http://en.wikipedia.org/wiki/PBKDF2" target="_blank">http://en.wikipedia.org/wiki/PBKDF2</a><br />
<br />
The master password (or a hash of it) is not used directly to create the decryption key, but goes through 1000 iterations of a deliberately slow process that creates a wider key. This dramatically increases the cost of trying a dictionary attack on the master password.  Along with this the master password is appropriately salted also to make &quot;pre-cooked&quot; dictionary attacks impractical.<br />
<br />
The derived key itself is not used to (de/en)crypt your data, but instead is used to decrypt a truly random decryption key stored in your keychain.  This allows people to change their master password without all of their data needing to be decrypted and re-encrypted.  The Agile Keychain design also means that the smallest necessary bits of our data are decrypted to fill a form, not the whole keychain.<br />
<br />
One thing to note is that our Login Bookmarklet feature (used by some users to have access to 1Password in otherwise unsupported browsers) does not use PBKDF2 or other password strengthening, which is why we recommend that users only use that for low security passwords.<br />
<br />
String recovery from memory techniques are harder to thwart, although we do follow recommended practices from the security community.  Decrypted material or keys are never explicitly written to disk (and we recommend that users use encrypted swap) and we try to keep that material in memory for as short an amount of time as possible, while still allowing users to set how frequently they are prompted for their master password.  Naturally some balance is involved here.  When the decryption key is stored in memory, it is deliberately obfuscated so that even if the string were somehow made accessible to other processes it wouldn't reveal much.<br />
<br />
Of course if an attacker has complete access to all of the memory on your computer all the time, there is nothing that can be done to prevent a breach, but we do take the steps that are within the power of our unprivileged app (1Password runs with ordinary user privileges) to make things harder for an attacker.<br />
<br />
I hope that this helps answer your questions.  What I want to communicate most strongly is that we actively follow developments and discussion within the security community and seek to implement their recommendations.  As you may know, we actually don't have any encryption code in 1Password proper, but instead call upon the OpenSSL libraries.  This way we use the tools that have had the most thorough review possible for the guts of the encryption.
			
		<hr />
	</div>
</div> </div>

 ]]></content:encoded>
			<category domain="http://support.agilewebsolutions.com/forumdisplay.php?55-Agile-Lounge">Agile Lounge</category>
			<dc:creator>kop48</dc:creator>
			<guid isPermaLink="true">http://support.agilewebsolutions.com/showthread.php?24951-Security-Considerations-in-1Password</guid>
		</item>
		<item>
			<title>My head hurts from all the forum activity</title>
			<link>http://support.agilewebsolutions.com/showthread.php?24906-My-head-hurts-from-all-the-forum-activity&amp;goto=newpost</link>
			<pubDate>Tue, 06 Jul 2010 23:31:13 GMT</pubDate>
			<description>Just a funny to say you guys are really trying to keep me on my toes I have to severely be careful which forum I'm in now. :razz: 
 
But that's a good...</description>
			<content:encoded><![CDATA[<div>Just a funny to say you guys are really trying to keep me on my toes I have to severely be careful which forum I'm in now. :razz:<br />
<br />
But that's a good thing. Congratulations on the announcement for Android. What did I say a while back about 1P growing by leaps and bounds. No, it's just skyrocketing. (giggle) <br />
<br />
I am almost scared to ask what's next. :oops:<br />
<br />
I am glad I am here to see the growing. Keep going, you have yet to reach the moon. I'll let you save that for next week.</div>

 ]]></content:encoded>
			<category domain="http://support.agilewebsolutions.com/forumdisplay.php?55-Agile-Lounge">Agile Lounge</category>
			<dc:creator>thightower</dc:creator>
			<guid isPermaLink="true">http://support.agilewebsolutions.com/showthread.php?24906-My-head-hurts-from-all-the-forum-activity</guid>
		</item>
	</channel>
</rss>
