PasswordsCon 14

2014-08-13 10:28:37 -0400

If we've taken a little bit longer than usual to get back to you in the last week, it's because we had the great pleasure of attending PasswordsCon 14 in Las Vegas (and got into BSidesLV as well). Stephen and I presented "Enhancing Password Based Key Derivation Techniques," which focuses on two experimental developments in SQLCipher: adaptive key derivation and using hardware tokens. Billy presented "Password Generators & Extended Character Set Passwords," which was mostly an argument that it's time we started generating and using Unicode passwords.

There's an engaging sense of community at both of these conferences, and we had some really fun and interesting conversations with both the attendees and organizers. We would like to thank both Per Thorsheim and Jeremi Gosney; there is a lot of work involved in putting on a conference like this and they did an excellent job. Please find the slides to our presentations below, and don't hesitate to reach out if you have any questions or comments.

Testing STRIP 2.4 and a new feature – help wanted!

2014-06-17 14:02:53 -0400

It's dangerous to go alone!

While cranking out the updates for the 2.3 series of STRIP over the last few weeks (2.3.2 for iOS was just submitted to Apple this afternoon), we've been hard at work on 2.4 for Windows and OS X, building a new feature we're really excited about. Want to help us test it, get early access to The New Thing™, find bugs, recommend improvements? We're on a tight schedule so we're hoping to find customers who are able to give it some thorough use over the next couple of weeks and review the new feature. If that sounds like you, please write us! support@zetetic.net.

STRIP for OS X 2.3.2 Released

2014-06-12 11:16:23 -0400

Today we're releasing an update to STRIP for OS X that fixes several bugs that could cause data to be lost if not explicitly saved, and a crash where a field had been left in an editing state when the application locks due to inactivity. We've done a lot of testing of this update, and with the help of a number of customers who wrote us about the problem and helped us test, it's ready to rock.

Download STRIP for OS X 2.3.2

If you bought STRIP from the Mac App Store, click the badge below, and the "View in Mac App Store" button if not prompted by your browser. An update should be available in the App Store app:

Download STRIP for OS X from the Mac App Store

If you bought STRIP from Zetetic, click here to download STRIP for OS X:

Download STRIP for OS X

STRIP and Mac OS X 10.6 Snow Leopard

2014-05-27 13:00:00 -0400

If you haven't been able to install the latest versions of STRIP for OS X because you cannot upgrade a Mac running 10.6 Snow Leopard or 10.7 Lion (there are still some 32-bit Macs alive and kicking out there!) but you want to be able to sync with the latest version of STRIP (2.3) on other devices, we've got a new build of the 2.1 series available. STRIP for OS X 2.1.1 is sync compatible with STRIP 2.3 on iOS and Android as well as 2.3 databases on Dropbox and Google Drive:

Download STRIP for OS X 2.1.1

If you are using OS X 10.8 Mountain Lion or later, ignore this update.

We won't be able to guarantee on-going support for the 2.1 series but we're going to keep it sync-compatible while we can. No changes in the database schema are currently planned for 2.4 so that should be sync-compatible with 2.1 as well.

We've updated the auto-update configuration in 2.1.1 to look out for future updates to the 2.1 series. If we need to do another patch in the future, STRIP's autoupdate/check-for-updates feature will catch it.

STRIP's New TOTP Feature Explained

2014-05-22 14:55:56 -0400

It seems that in announcing STRIP's new support for generating time-based one-time passwords (also known as TOTP passwords or TOTP access codes) for use with two-step verification in popular web services like Dropbox and Google accounts we may have confused some of our customers on its utility and use. Two-step verification (also called two-factor authentication and multi-factor authentication) is an additional check performed when you log in to a web service to protect your account should someone else obtain your password. When two-step verification is in use the web service prompts you for an access code to verify that the person using your password is really you. Google has a good explanation of what it is and how it works over here.

There are two main ways that you obtain the six-digit access code to prove your identity to the service:

  1. The service sends you a six-digit access code (the TOTP password) via SMS
  2. You generate the six-digit access code using a key supplied by the service

How does STRIP fit in?

When enabling two-step verification (for example with Dropbox or Google) you are typically prompted to choose either receiving the codes via SMS or generating them yourself. If you choose the latter, you can simply paste the key supplied by the service into STRIP and it will begin generating six-digit access codes you can use to verify your identity. We've got a short screencast that takes you through the process of enabling two-step verification in Dropbox and configuring STRIP to provide the correct access codes:

Enabling Dropbox 2-Factor Authentication with STRIP for OS X from Zetetic on Vimeo.

Once you've saved the key to a TOTP field in STRIP, the current access code will always be displayed on the record. The next time you need to supply the code on login to the service, just pop over to STRIP and copy the current code; no need to do anything else with the key.

Two-step verification is not used for logging into STRIP; we didn't mean to suggest that it was. To log into STRIP you only need to provide your master password as before.

If you are having trouble using the feature or have any questions at all, please get in touch at support@zetetic.net.