2014-04-22

Unless you’ve been hiding under a rock lately, you know that online security is important. You know you need to have strong passwords and change them regularly. But knowing this doesn’t make it any easier to do it. Passwords are just so hard — one of the primary pain points in our modern digital existence. The application people have been recommending for years to solve this problem is 1Password. We took a deep dive into the app to see how its features stack up against the latest crop of competition, to determine whether it’s still worth the money. The short version: it is.

Note — Apr 22, 2014: Both 1Password for Mac and 1Password for iOS received significant updates today, and they are both on sale for half off.

1Password for Mac: $50 → $25

1Password for iOS: $18 → $9

If you’ve been holding out on getting 1Password, now would be a good time. We’re told the sale will last through to this Friday the 25th. This is one of the few apps that we view as a must-have. And, as you can read below, we’ve found 1Password to be the best password manager out there.

Background

The problem of digital identity has been with us since the beginning of the web. There’s a semi-famous talk by a guy named Dick Clarence Hardt that diagnosed this problem more than a decade ago, and amazingly, the diagnosis is still relevant today. Despite all the advances of our modern technology, we haven’t managed to come up with a digital equivalent of the driver’s license. With a driver’s license, I can walk into any liquor store in the United States and prove that I’m old enough to drink, because they can look at the driver’s license and verify that it’s me. But on the internet, no one knows if I’m a dog, or even if I’m a living human being.

So far, the best tool for online verification we have is passwords. I prove who I am by recalling my precise, unique combination of letters, characters, or numbers. I’m supposed to be the only one who knows that precise combination of letters and numbers, so I’m the only one who can be me. Unfortunately, the news is filled with leaks about the NSA and security breaches at many popular web services. As of this writing, the latest bug, nicknamed Heartbleed, has been described as perhaps the most “catastrophic” yet.

Why you need a password manager

So we not only need great passwords, but we need to keep changing them because they keep slipping our grasp.

Yet — for most people — being secure on the Internet is dependent on one single fail point: the human brain. Most people try to rely on remembering their passwords, and most people fail at it. This leads to two terrible things. The first is using the same password for numerous services, which, of course, is incredibly unsafe. If one account is taken over, it can be just a matter of time before others are, too.

The second predicament people end up in is slightly better, but not by much. These users may have different passwords for different accounts and services, but they’re all stashed in a Microsoft Word document or a paper notebook. Using a Word document isn’t the most secure, especially if it’s on your computer. And writing down the passwords on a piece of paper will make you less likely to use the kind of complicated, highly secure passwords most security experts recommend.

A password manager — an app you install on your Mac, iPhone, and/or iPad to store all your various passwords — is the premier solution to easily keeping all your various secure passwords.

Why 1Password is the solution

In looking for an app to help us manage this mess, we considered the following criteria:

Does the app make it easy to save login information as you’re browsing the web?

Can you easily search for and deploy this login information on the web?

Can you store other kinds of information, such as credit cards, personal info, secure notes, receipts, and more?

Does the app provide rich tools for sorting and organizing this information?

Are there secure ways of sharing this information with others?

Is the app beautifully designed with an easy to understand interface?

Is the app available across desktop and mobile platforms?

Does it help you keep up-to-date on your security, allowing you to quickly assess the strength of your passwords, generate stronger ones, and change them on a regular basis?

Does it use state-of-the-art encryption standards, so in case someone gets ahold of your computer, all that sensitive information stored in your password manager is safe and secure?

1Password was the first password manager I ever heard about. I took the free trial back in 2008, purchased it soon after, and never looked back. But now, having looked at a number of competitors, and comparing them on these criteria, I can say that 1Password is still the most well-rounded password manager on the market.

Getting Started with 1Password

1Password is available as a native app for almost every major platform: Mac, iPhone & iPad, and even Windows and Android.

We will be focusing on the Mac and iOS versions, but it’s important to note that 1Password is one of the few password managers available for both Mac and PC; iOS and Android. A lot of people use Macs at home and PCs at work, or use an iPad and an Android Phone, etc. With a version for all major platforms, these users get access to their passwords on any device they’re using, which is a huge advantage.

When you first install 1Password, you’ll be asked to pick a strong “master password” that will be the password you use to get into the app itself. This should be something memorable to you but also difficult to guess. 1Password’s parent company, AgileBits, has a great blog post about how to create strong master passwords (one of the best things about 1Password and AgileBits is the company’s commitment to educating its customers). Among the tips: use whole phrases, including spaces, in your password, don’t include anything personally meaningful to you (which could be in the public record), and don’t include anything obvious (common phrases, song lyrics, a famous quote). Ideally, your password should be a unique string of sensical nonsense that you can still remember.

Once you’ve created your master password, you should then install a browser extension, available for Safari, Firefox, Chrome, and Opera. The browser extension will then take up home in the buttons of your browser’s toolbar.



It should be noted that you have to have 1Password set up on your Mac for the browser extension to work.

Now you just have to start saving user names and passwords. Every time you log in to a website, the 1Password browser extension will give you the option of saving the username or password you enter. That information will get sucked into 1Password for later use.



1Password Basics

Once you’ve saved some passwords, you will then be able to use them as you browse the web. The easiest way to do this is simply by clicking the browser extension whenever you’re at a website login screen.



As long as you’re logged into 1Password, clicking the browser extension will open up a search box for your various logins, with a prediction at the top of which one you’re looking for. You can then click the suggestion or search for something else. Once you choose a login, 1Password not only fills in your username and password, but does so with a nice animation of the words popping slightly out of the boxes, visually cueing you to where your info is landing.

Power users, of course, can do all this with keystrokes, and in that regard 1Password 4 offers a slightly different solution from 1Password 3. It used to be that a keyboard shortcut (default: command+\ ) would simply launch the browser extension and fill in the user credentials. But in order to beef up the power of that browser extension, 1Password 4 introduced 1Password Mini, a “side-kick” of the main app, which is installed by default in the Mac menu bar. 1Password Mini is now essentially the brains behind the 1Password extension, and can be invoked with its own keyboard shortcut.

With 1Password Mini, you can quickly search any of your 1Password info with just a few keystrokes. If you don’t like having 1Password Mini in the menu bar, you can uncheck the “Show mini app icon in the menu bar” checkbox. Then, when you invoke the Mini’s keyboard shortcut, it will appear in the center of your screen.

I like to think of these three parts of 1Password as three differently-sized spacecraft: the browser is the tiny probe that hovers just above the ground, ready for action; the Mini floats in the clouds, relaying data to the ground; and the 1Password app, like a giant mothership in orbit, controls everything from space. Back when 1Password first moved to the Mac App Store and updated their browser extension, I would often have problems with it, possibly due to sandboxing issues. Ever since they updated to 1Password 4, with this new three-part system, it’s been rock solid.

Behind the Vault

With the browser extension and 1Password Mini, you can now go days without ever needing to open the main app. But if you need to access that information, you’re presented with one of the most iconic aspects of 1Password’s design: the vault opening action when you log into the main app.

In the era of flat design trends, 1Password is a bit of a throwback, presenting you with a skeuomorphic key slot next to a text box for your master password. But the metaphor works, and makes your information feel as secure as it is: encrypted with AES-256 in an Encrypt-then-MAC construction.

When you enter that master password, the key slot turns from vertical to horizontal, the blue ring turns green, and vault-like doors slide apart, revealing the contents inside. I like to think of this area as a kind of mind palace, a concept made famous by the TV show Sherlock. All your login credentials, and anything else you choose to save in 1Password, are neatly cataloged and organized.

Along the lefthand side of the screen, you have the option to click on “All Items” or “Favorites”. Then there are categories of items, including Logins, Secure Notes, Credit Cards, Identities and Software Licenses.

Below these categories, there are two more items which you have to hover over with your mouse and then click “show” to view. The first is folders. You have the option of creating as many different folders to organize your passwords as you choose. You can even nest folders within folders, if that’s how you roll. Additionally, there’s an option to create smart folders based on all kinds of criteria, including password, username, number of times used, and so on (though currently, smart folders will not sync with iOS apps).

Finally, at the bottom, you will find one of 1Password’s most valuable features: the “Security Audit.” This allows you to search through your logins based on different criteria related to security. You can see which logins contain weak passwords, which use duplicate passwords, and which contain passwords that are older than 3 years, older than 1 year, or older than 6 months. The security audit allows you to quickly identify and change the passwords for any of these logins that could leave you open to a security breach. The Security Audit will also show you all the websites where you use the same password, making it easy to identify which sites you should update your passwords on.
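To see what those three audit criteria amount to, here is an added Python example (not 1Password's code, and not from the original article) that runs the same kinds of checks over a list of logins. The record fields, the 60-bit "weak" threshold, the day counts for each age bucket and the sample data are all assumptions made for illustration.

```python
import math
import string
from datetime import date

# Constructed sample records: made-up sites, passwords and change dates.
# The field names are hypothetical, not an export format of any password manager.
SAMPLE_LOGINS = [
    {"site": "mail.example", "password": "correct horse battery staple",
     "changed": date(2014, 3, 1)},
    {"site": "shop.example", "password": "summer2010", "changed": date(2010, 6, 15)},
    {"site": "forum.example", "password": "summer2010", "changed": date(2013, 2, 1)},
    {"site": "bank.example", "password": "T9#vq!Lz2@pW8x$Kd4",
     "changed": date(2013, 9, 20)},
]

# Age buckets named in the text, checked oldest first. Day counts are assumptions.
AGE_BUCKETS = [
    (3 * 365, "older than 3 years"),
    (365, "older than 1 year"),
    (183, "older than 6 months"),
]

WEAK_BITS = 60  # assumption: anything estimated below this is reported as weak


def estimated_bits(password):
    """Upper-bound entropy estimate: length * log2(size of the character pool).

    It knows nothing about dictionary words, so a low score is a reliable
    warning while a high score proves nothing.
    """
    pool = 0
    if any(c in string.ascii_lowercase for c in password):
        pool += 26
    if any(c in string.ascii_uppercase for c in password):
        pool += 26
    if any(c in string.digits for c in password):
        pool += 10
    if any(c not in string.ascii_letters + string.digits for c in password):
        pool += 33  # 32 ASCII punctuation marks plus the space
    return len(password) * math.log2(pool) if pool else 0.0


def age_bucket(changed, today):
    """Return the label of the oldest bucket the password falls into, or None."""
    days = (today - changed).days
    for limit, label in AGE_BUCKETS:
        if days > limit:
            return label
    return None


def audit(logins, today, weak_bits=WEAK_BITS):
    """Map each site to its findings: weak, duplicate, and age bucket."""
    # Group record indexes by password so reuse across sites is visible.
    by_password = {}
    for index, item in enumerate(logins):
        by_password.setdefault(item["password"], []).append(index)

    report = {}
    for index, item in enumerate(logins):
        findings = []
        if estimated_bits(item["password"]) < weak_bits:
            findings.append("weak")
        shared = sorted(logins[i]["site"]
                        for i in by_password[item["password"]] if i != index)
        if shared:
            findings.append("duplicate of " + ", ".join(shared))
        bucket = age_bucket(item["changed"], today)
        if bucket:
            findings.append(bucket)
        report[item["site"]] = findings
    return report


if __name__ == "__main__":
    # Only site names and findings are printed, never the passwords themselves.
    for site, findings in audit(SAMPLE_LOGINS, date(2014, 4, 22)).items():
        print(f"{site}: {', '.join(findings) or 'ok'}")
```

The duplicate check is the one that matters most after a breach: every site listed next to a reused password needs a new, unique one.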

Changing Passwords

The Security Audit highlights what’s possibly 1Password’s most important feature in light of the recent security bugs: how it enables you to quickly find and change your passwords.

Mashable recently published a list of services hit by the Heartbleed security bug, and recommends you change passwords for all of those services. But how do you do that? Though 1Password can’t do it for you, it can certainly make it easier.

First, just search for the site in 1Password, then click on the link to the site to go there. In most cases, 1Password will log you in, and then you can navigate to the account area where it’s possible to change your password. Once again, 1Password makes this easier by offering its own Password generator right in the browser extension. The generator offers lots of options for making your password as random and impossible to guess as you choose.

Click “fill” and the new password will both be filled into the new password fields as well as copied to your clipboard. (The password will be deleted from your clipboard automatically after a few minutes.) Then when you save the new password, 1Password will prompt you to update the password on its end. And you’re done. AgileBits has their own description of this process here.

Beyond Passwords

But enough about passwords. 1Password can store lots of other things, as I briefly mentioned above. The most convenient of these are the kinds of information you have to use to fill out online forms or shopping information. 1Password can store this information in its Credit Cards and Identities sections, which are accessible from the browser for whenever you have to fill out any of these forms online. It can also store software licenses, so that you have them all in one place and they’ll be easy to find once you’ve set up 1Password on a new computer. Finally, 1Password can store what it calls “Secure Notes,” which basically allow you to add anything else to the vault you want.

One of the most convenient features of all these storage options is the ability to add tags, notes, and even attachments of any kind. You can scan an image of both sides of your credit card and add it to your 1Password credit card file. You can scan your driver’s license and passport and add them to your identity file. You can export the purchase email and user license from a software vendor as a PDF and add it to your software license file for that piece of software.

In short, 1Password is an ideal home for all of your most important and sensitive information.

Extra Vaults

One of the most recent features of 1Password is the ability to have multiple vaults and shared vaults.

You can create multiple new vaults with their own master passwords, and you can then use those vaults to share selected items with family, friends, or co-workers who might need access to logins or sensitive information.

Once a new vault is created, you can then populate it with notes, login credentials, and any other information that you want shared. And, the way multiple vaults work in 1Password, there’s no way you could accidentally “share” something from your primary vault with a shared vault because all items in the shared vault have to be created from scratch.

iOS Apps

In addition to 1Password’s incredibly rich Mac client, it also has a fully-featured universal iOS app that gives you access to all your logins, credit cards, notes, and more.

Logins are stored as bookmarks within the app, ready to be launched and filled in for all of your most frequently visited websites. You can search for individual items, but it will save you a lot of time if you have marked your most frequent logins as favorites.

You can also use the app as an alternate internet browser, with all your data at your finger tips. While browsing, you can apply new logins, credit card and personal information, and the password generator. The iPad version of the app even includes tabbed browsing.

Syncing

To achieve this seamless sharing of information between devices, you have to decide how you want to synchronize your information. This is a delicate question, considering that the whole point of password management is to be more secure. Maybe you don’t feel comfortable putting all your passwords, even if they are encrypted, on Dropbox. Or maybe you want to use Dropbox, but one of your passwords stored in 1Password is your Dropbox password, and so if you get locked out of 1Password, you don’t know how you will get into Dropbox to get back into 1Password. (Writing that sentence made my head hurt).

1Password has options. If you want to use Dropbox, you can sync with Dropbox. If you want to avoid Dropbox, you have an option of syncing with iCloud. If you don’t like the idea of this encrypted collection of all your nearest and dearest information sitting in a data center somewhere, you have the option of local sync over Wi-Fi. And if you’d prefer your information not even travel over the air, you can sync it through a USB cable through File Sharing.

iOS 7 Update

Just today (Apr 22, 2014), 1Password for iOS received a significant update. The most notable features in the update include support for multiple vaults (it used to be that the iOS app could only have one vault), and a massive design refresh to match the look of iOS 7. There are many, many additional improvements throughout as well, such as a new app icon, a jazzed-up login screen animation, easier-to-access search, and improvements to the in-app browser (to name a few).

Tips and Tricks

It was Brett Terpstra’s post that showed me how you can actually use 1Password on any machine, as long as you have access to your 1Password Keychain.

If you locate the 1Password.agilekeychain file (Preferences → General, first item) and right click it in Finder, you can view the package contents. Immediately inside you’ll see a file called 1Password.html. It’s a web-based means of accessing all your data without 1Password. Just open it in your browser and go.

I’ve heard Katie Floyd from Mac Power Users say on more than one occasion that she keeps her 1Password Keychain file literally on her keychain, in a tiny USB, so that she always has her 1Password data with her.

My other favorite 1Password tip (which I thought I also learned from Mr. Terpstra, but I can’t find it now), is that you can drag a login item from 1Password to your browser’s menu bar, thereby creating a magic bookmark. Now, when you click that link in the menu bar, (as long as you’re logged into 1Password on your Mac) it will automatically log you into that website.

iCloud Keychain

When Apple announced that iCloud would start saving passwords and credit card information for users, a lot of people thought 1Password might be in trouble. After all, what could be easier than having your device itself, without the use of a separate app, save all your passwords for you?

And it’s true — iCloud Keychain offers an unparalleled experience in reducing the friction of saving passwords and having them saved and synced to all your other Apple devices and computers. To understand exactly how this works, you first have to understand the difference between iCloud Keychain and AutoFill.

What is AutoFill?

AutoFill is a 1Password-like feature built into Safari on both the Mac and iOS, which allows you to save and use login information for various kinds of web forms. To use AutoFill on the Mac, go to Safari preferences and click on the AutoFill tab, where you can choose to enable the option for contact info, usernames, passwords, credit cards, and other forms.

You can also edit (and add to) the information you have saved in each of these areas (passwords are also accessible through the dedicated Passwords tab in Safari Settings). Once you enable AutoFill, Safari will begin to prompt you for saving passwords whenever you enter them on your Mac.

AutoFill is also available in the Safari app on iOS. To enable/disable it, go to Settings → Safari → Passwords & AutoFill.

From here you have the option to turn on AutoFill for various kinds of information, view the information you have saved, and change that information if you’d like. Once enabled, you will be prompted to save passwords on iOS as well.

What is iCloud Keychain?

The difference with iCloud Keychain is that you can now share all of this information seamlessly between devices. To turn on iCloud Keychain on the Mac, open System Preferences and click on iCloud. Then tick the checkbox next to Keychain.

You will be prompted to take some security precautions. Apple will encourage you to require a passcode on your computer for logging back in after the computer goes to sleep. This will protect you in case someone else has access to your device — you might not want that person to have access to all your passwords, let alone credit card information. You will also have to enter your Apple ID, and if it is the first device you’ve enabled for iCloud Keychain, you’ll be asked to create a security code. If it’s not the first device with iCloud Keychain, you have to request permission to use the information from each device currently connected to the Keychain. iCloud will send a request to the screen of each device to approve the sharing.

To enable the same on iOS, go into the Settings app → tap on iCloud → tap on Keychain to switch it on.

You will be prompted for your Apple ID and your security code. Depending on which device you set up first, you might have to enter a new passcode Apple randomly generates and sends to your device.

It is more difficult to write about the process of enabling these features than it is to enable them in the real world. And it’s worth it. Using AutoFill and iCloud Keychain is dramatically easier than using other password managers. Go to a website you’ve logged into before on any device, and your login and password are already waiting for you in their little yellow boxes. It feels so easy, like having a loyal dog retrieve your slippers. [1]

The seamless login experience is even more important on iOS devices, where it’s more difficult to type logins, and where you’re not allowed (because of sandboxing) to have a password manager built into Safari. Before iCloud Keychain, you had to log into 1Password’s separate app to either copy and paste passwords into Safari, or use 1Password’s browser instead. Now, if you find yourself on Safari on your iPhone, you can have your logins immediately available without needing a separate app.

All this data is saved on iCloud using industry-standard encryption techniques, and the unencrypted data is never shared with Apple.

Working in Tandem: Using iCloud Keychain and 1Password together

You could decide that iCloud Keychain sync is all you need for a password manager, but it does lack many of the features of 1Password:

For instance, it’s possible to dig into settings on your various devices to see what information you’ve saved, but you don’t have the handy list of searchable bookmarked websites that 1Password provides.

While iCloud Keychain will suggest a unique password when you need to create a new password on a website, it doesn’t come close to the level of detail and customization that the 1Password password generator gives you.

You have no way of organizing this information or doing something like a security audit to quickly assess and change passwords.

iCloud Keychain lacks the ability to store other information, such as software licenses and secure notes. The only option in that case is FileVault, accessible through System Preferences under Security & Privacy. Enabling FileVault will encrypt the entire contents of your drive so that only someone with your login password can retrieve or view your files.

Finally, iCloud Keychain is, by nature, not cross platform, so you wouldn’t be able to access any of your data on a non-Apple Device.

Different people also have different levels of comfort with iCloud Keychain. I, for one, don’t actually love the frictionless experience. I want to be intentional about how I use my passwords and my credit card information, and I like how 1Password makes me conscious of when I’m using those things. I also like how I have more control over access to my information on my devices. I can require a login to 1Password after not using it for even a few minutes. I also like that if my daughter is using my iPad, she can’t easily hop over to Zappos and buy herself a new pair of shoes with my credit card.

But many smart (and perhaps less paranoid) people, including our Editor-in-Chief, Shawn Blanc, see a lot of benefit in using iCloud Keychain and 1Password in tandem. By doing so, you can take advantage of the convenience and frictionless experience of iCloud Keychain, especially on iOS devices, while using 1Password as the main hub for data you want to secure. Shawn actually recorded a podcast on this very subject: 1Password and iCloud Keychains: How They Work Together.

The nice thing about using both is that you get to finely calibrate your own personal balance of convenience and security.

The Competition

As great as 1Password is, it has gotten some competition in recent years.

KeePass: The Open Source Password manager

If you want a free, open-source way of managing your passwords across platforms, KeePass is the recommended app of the open-source community. It was originally written for Windows, but it now supports the Mac, and it’s getting regular updates, including one this month. Design-wise, it’s not nearly as polished as some other apps, but it has the open-source benefit of letting programmers peer under the hood to examine the code and make sure it’s doing everything properly.

LastPass: The Most Basic Password Manager

Another you might consider if you were bargain hunting is LastPass, which attempts to pack most of the basic functionality of something like 1Password entirely into a browser extension.

LastPass lets you save, manage and fill in all the usual information entirely from the browser. It’s free to use on the desktop, as is the iOS app, but signing up for the Premium membership ($12 a year) brings features like offline support for mobile users. Overall, LastPass’s interface shows a lack of attention to detail, especially on the Mac. It’s clunky to use, and downright ugly in some places. The Safari plug-in isn’t full-featured, and the iOS app lacks several of the niceties of 1Password. While this doesn’t affect its core functionality, something that is frustrating to use is often used less.

OneSafe: The Manager with the Most Security Options

OneSafe is another app that came up in my research, and it received high marks from Macworld.

It costs $9.99 in the Mac App Store, and unlike LastPass, it’s a stand-alone app, separate from the browser. It uses a vault-like design, reminiscent of 1Password, but it offers a number of unique features to create extra security. For instance, you can create a virtual “safe-within-a-safe,” by putting certain items inside your safe behind a second password. You can have a “decoy-safe” to fool hackers. You can monitor attempts to break into your safe. And you have a number of different options to create master passwords for your safe, such as the so-called “tri-pin” code, which mixes numbers, colors, and symbols on a keypad to make your password even more unbreakable.

OneSafe is also available in mobile form for iOS ($9.99 in the App Store), Android, and Windows Phone. But its greatest drawback is that it currently lacks a browser extension. So you can store all your passwords in it, but you don’t have a convenient way to get them out again without copying and pasting. The developer of the app says a browser extension is coming soon.

DashLane: The Best Free Option

Finally, the most fully-featured competitor to 1Password is DashLane, which is free for the basic version, and costs $29.99 a year for the Premium Version. Premium features include sync across all devices, secure backup, and web access to passwords.

DashLane matches nearly all of the main features of 1Password, offering to store and organize the same kinds of information, and offering the same kind of browser extension, with slight stylistic tweaks. When you store a password, for instance, you’re offered the option to give it a category, which is nice.

And you have many of the same features inside the main app, including a kind of security audit called Security Dashboard. After I had saved one password, it proclaimed me a “champ!”

But little details like this started to rub me the wrong way. I sometimes felt the app was treating me like a child. When I picked my master password, the app forced me to use at least one capital letter and one number, and the hand-holding felt demeaning. Then, every time I clicked on the browser extension, I was encouraged to share the app with my friends.

“Sharing” is also featured prominently as a tab in the application preferences. Promoting the app on Twitter and Facebook wasn’t the kind of sharing I expected between “account” and “security”.

I know developers need to spread the word, but DashLane felt like it was going over the line a bit with self-promotion. More than once in the setup process, the app announced that it was “the world’s best password manager.” But it still lacks many of the deeper features of 1Password, especially in the area of storage and organization. You can’t create folders, for one thing. You also can’t add attachments to items in the vault. It has secure notes, but they are mere text fields to be typed into, so you couldn’t add a scan of a birth certificate if you wanted to. Most important for anyone who likes to keep their hands on the keyboard, DashLane lacks any keyboard shortcuts for filling in login fields.

So while DashLane may be the best app if you’re looking for a free option, you should consider whether you want to give up sync across devices, as well as many of the more sophisticated features of 1Password, just to save a buck.

Other Resources for 1Password

One sign of a truly great app is the community of users that rise up around it to savor its details and share its best features.

1Password is often spoken of as one of the first apps people install on their Macs. Brett Terpstra lists 1Password as one of those apps, as does Sven Fechner, and Federico Viticci says he’s been using 1Password since he got his first Mac in 2008. And 1Password is at the top of our list for Mac apps we think all moderately computer-savvy persons should be using.

Recently, many folks in the Mac community have been providing in depth looks at 1Password, partly because of the security breaches that keep hitting the news. Mac Power Users did a complete show devoted to the app in January. More recently, the Technical Difficulties podcast did an episode on passwords that delved deep into the app and its many uses. One of the points the guys made on that episode is how rich the AgileBits blog is for information about security and how it never feels like marketing speak — it just feels honest.

Finally, another resource for 1Password is the recently updated Take Control of 1Password by Joe Kissell.

Conclusion

In short, 1Password is the best app for managing your passwords because it does the best job of taking hold of our slippery digital identity, all the myriad digital bits of ourselves we use to prove who we are, and helps ease the friction of our travels through the digital world.

[1] Another advantage of iCloud Keychain sync is that it syncs Wi-Fi passwords. Join a private wireless network with your Mac, and your iPad will learn the login info as well. It feels a bit like magic.
