This week, a very dangerous vulnerability was discovered in one of Linux’s most widely used utilities. The good news is that the good guys discovered it, but the bad news is that it’s potentially "worse than Heartbleed" in the wrong hands, according to some experts (and Heartbleed was pretty bad news). It's a terrible situation for almost everyone in the computing industry. One of the few exceptions is AgileBits, the company behind password-management software 1Password.
Each time a massive hack or leak makes news, 1Password sales go up. Each time celebrity nudes get stolen, a few more people realize that their data is not as secure as they thought it was, and consider what can be done. The developers at AgileBits say they’re just as bummed when something gets hacked — but it’s hard to deny the marketing power of a security flaw in selling an app that promotes better, stronger passwords.
With the launch of iOS 8, AgileBits decided to make its pricey (by App Store standards) $17.99 app free, putting it within reach of just about anyone. Since then, the app has been downloaded over 3 million times, but 1Password is still far from a household name. We spoke with AgileBits’ Jeff Shiner and David Chartier about the state of online security, the viability of biometric passwords, and what it’s going to take to make "password managers" mainstream.
This interview has been condensed and edited for clarity and brevity.
Why has it taken this long for people to realize they need to lock up their accounts?
Jeff Shiner: Well, part of it is just repetition. Five years ago, it wasn’t all about password hacks. It was about this and that virus. People were looking for anti-virus tools, but over the last few years what we’ve noticed is that [the hacks] don’t just affect little sites that don’t matter. It’s important sites, and in the case of Heartbleed many, many sites. In combination with that, over the last X number of years, as time has progressed, people are holding their lives online.
"Our job... is to make security convenient."
It’s no longer, "I go on the internet to look at cat pictures." Your entire life, your banking info, your personal info, how you connect with everybody, and even health records are on there. It’s a combination of recognizing that these sorts of breaches can happen almost anywhere, and at the same time I’ve got very important data that I need to protect, that makes that combination just that more potent.
My mom sent me an email last week and said, "I went to update one of the games on my iPad and it brings up this terms and conditions page that it wants me to tap ‘accept’ in. I think this game’s trying to steal all my data!" It was the iOS 8 update that had come up. Even she now is conscious of the fact that these sorts of things are out there. We look at it from a cultural point of view — people are aware now that privacy online is important, and they want to protect that.
David Chartier: Another thing we’re constantly fighting is human nature, in a sense. As our cryptographer or "Chief Defender Against Dark Arts" Jeff Goldberg is very fond of saying, what’s the most convenient thing to make your password? It’s 123456 or your cat’s name. So our job, and it’s corny because it’s in our tagline, is to make security convenient — to make the secure thing the convenient thing to do.
Do 1Password downloads spike with every big hacking drama?
JS: Absolutely. Whenever there’s something in the public about a breach, we see a spike in interest and downloads, people coming to the blog to read about it, and people downloading the app. It’s word of mouth in that regard.
Heartbleed was one that really stood out. It was in the news so much and affected so many sites that people were asking, "How do I do this? How do I change my password across 20, 50, or 100 sites?" Especially when they’re used to reusing passwords or having a password scheme. That’s where people are learning that you have to let that go. It’s easier to stay secure with a password manager than with these crazy schemes.
DC: It also helps that Heartbleed was the best-branded security breach in years.
So is there an awkward little celebration every time news breaks about a new hack?
DC: I wouldn’t say "celebration." It is kind of odd that some of our best business comes from very unfortunate events, but we approach it with the hope that we now have this opportunity to talk to people about something we truly believe everybody needs. We’ve had analysts talk to us and they always ask, "Who’s your demographic?" It’s a difficult question because it’s really everybody. We’re not just targeting 18- to 34-year-old males. It’s everyone on the planet that has to touch the internet. We have a great opportunity to help people that this terrible event has affected.
Even if you use 1Password, you can still be foiled by the inane security questions most sites still use to recover accounts. What should we do about those?
DC: [Our chief cryptologist] Jeff Goldberg was out at PasswordsCon giving speeches about how our suggestion is: don’t answer security questions honestly. Let a password manager do the job for you. Create an additional field called "security question #1," type the name of the question, and then use our password generator to generate some gobbledygook, and then it’s stored in your 1Password login. Now I don’t need to remember my security question. That’s both the educational challenge and the beauty of a password manager — that it takes some burden away.
"Our fingerprints and voice are tremendously unique, but they’re terrible secrets."
Looking forward, are text passwords going to remain our primary passwords? Or will we use TouchID, or something biometric that’s even more advanced?
JS: For the next several years, yes. Hopefully at some point in the further future there will be a better approach. But the challenge with biometrics is that passwords have to work in a lot of places. I need a password that works everywhere. Even from a biometrics point of view, the master password is going to be a lot more secure.
DC: I’m going to steal this from Goldberg, who’s fond of biometrics. Our fingerprints and voice are tremendously unique, but they’re terrible secrets. I can breathe into an analyzer and unlock a door but what happens when that gets duplicated? I can’t go get a new voice, or new fingerprints. There’s a challenge in those technologies, at least as they’re currently conceived.
Does anyone know your master password?
JS: I have mine written down in my safe deposit box at the bank. But one of the fascinating uses of 1Password is that when I die, one of the things my wife can do is go to a "Shared Family Vault" and know that my life insurance policies, 401(k), etc. are there. She knows how to pay all my bills since she can log in. She has all that information at her fingertips. This is about a lot more than just logins. You need your private data kept private, but you need it available when you need it available. We do everything online these days: I pay some bills, my wife pays others. I have no clue how to pay her bills, so I could go to our shared vault. Some of it is the silliest stuff, but it’s stuff you don’t want to have to worry about during one of the worst times in your life.
Yeah, people aren’t really keeping all their important files in their desk drawer anymore are they?
DC: One of our users created a 1Password emergency kit. It’s a fill-in-the-blank PDF where you can fill in your master password, and you can give it to family members to put in a safe.
We have a lawyer who’s one of our customers who gives a free copy of 1Password to all his clients as part of his "last will and testament package." The uses are far beyond just logins, but logins are where people know to start.
"The uses are far beyond just log-ins, but log-ins are where people know to start."
What about in the case of someone like Wired’s Mat Honan, who was hacked using social engineering?
JS: A password manager actually helped Mat, because one of the things you want to do is protect all of your data and logins. Somebody can take your phone, whether it’s social engineering or whatnot, to get at one of your logins, or one of the websites you use holds that information in clear text. If some of that information is taken, what’s critical is that that information can’t be used anywhere else. Let’s say you go to a website, you register, and they have a breach and they’ve kept your info in clear text. Now someone has your password in clear text, and they aren’t even interested in using it on that site. They’re going to use it on a bunch of sites, whether it’s shopping sites, social sites, whatever. It’s the reuse of that information that’s worse than the initial breach.
DC: Even in the case of social engineering, where now you are outside the bounds of people hacking at a tool — they’re hacking at the people controlling the gates — the strong passwords are still going to mitigate the damage. If someone gets into your email, they might get a few other accounts, but having these unique passwords means they won’t be able to break into anything else. They’re going to get to the point where they have to start calling to fake an identity. From a hacking standpoint, you’re not gonna sit on the phone for two days resetting passwords.
If a password manager is so important, do you ever worry that Apple or Google will step in and build one of their own? iCloud Keychain in iOS 7 was certainly a first step…
JS: That’s only good for us. Apple has the ability to educate such a breadth of users. The number of people they can reach is far beyond our scope. If Apple can do some core education for us, then that’s awesome. Then all of a sudden everybody will know what a password manager or identity manager can do, why they need it, and what they can get from it. We will always be there with a premium solution for those who need a better version. This is what we do. This is all we do.
Do you expect people to care about anything until it’s personally affected them? For example, if more people’s credit cards got stolen maybe we’d be using EMV credit cards by now?
JS: I’m still horrified any time I have to give anyone my card, like when I go to California. In Canada, I don’t have to give anyone my card. When I pay anywhere, it’s equivalent to paying at the pump. They bring the machine to you, you put your card in, enter your PIN, take the card yourself, hand the machine back to the person, and you’re done. You never hand a person your card.
DC: It’s a problem in the culture of our technology, but we’re seeing some good signs that it’s getting into the mainstream public. We’re seeing recommendations show up on CNN — this breach happened, you need to look into these things called password managers.