A big name in commercial password managers, 1Password is a professional product that integrates well on the desktop, and offers some very cool features (notably password security checks and Diceware passphrase generation.) We also think that the security measures it uses are very robust. Unfortunately, 1Password does not integrate so well on mobile platforms, which, combined with it being rather expensive, leaves us a little ambivalent about recommending it.
Pricing and Features
1Password uses a rather complex pricing structure. Licences are purchased per person and per platform (not per device), and up to six family members living in the same household can share a licence.
A basic licence for either Windows or Mac costs $49.99, or you can pick up a joint licence for both platforms for $69.99. This is a lifetime licence, but only includes upgrades until the next major version is released. This means that current users will receive free 4.x upgrades, but will have to pay to upgrade when version 5.0 becomes available (or can continue to use their existing 4.x version.)
This pricing structure makes using 1Password a rather pricey proposition, especially if you want to use it on a number of different platforms.
All versions come with a 30 day free trial, after which they are still useable, but major restrictions are placed on them (such as preventing new entries) unless you upgrade to a paid version/licence. The trial advertises itself as “unrestricted”, but there is a limit to 20 items in the Vault.
In addition to the free trial, AgileBits offers a further 30 day money back guarantee.
1Password includes the following features:
- Auto-generation of secure passwords
- Folder-style organization of Vaults
- Watchtower (security audit for weak or duplicated passwords etc.)
- End-to-end password encryption
- Auto-Form fill (“Identities”)
- Secure Notes
- Cloud syncing via iCloud or Dropbox across devices (optional)
- Local WiFi syncing across devices (optional)
- Sharing via a secure channel
Aesthetics, usability and customer support
We would describe the 1Password website as functional rather than a thing of beauty, but more importantly it contains a great deal of useful information. This is particularly true when it comes to explaining the security systems and encryption used, which are detailed to an impressive degree.
Unfortunately for non-Apple fans, most of the information appears to be heavily slanted towards iOS and OSX versions of the product, but we presume that key aspects also apply to Windows and Android versions of the software.
Quick start guides and detailed online manuals are available for all platforms, and a fantastic (searchable) FAQ tackles an impressive array of subjects, although the sheer wealth of information can be overwhelming and can make finding specific information hard.
There is also a support forum, and you can request assistance via Twitter, and the website features a weekly blog to keep you updated with the latest 1Password news.
Security and Privacy
The first thing to note is that 1Password is a closed source product, so all discussion about privacy and security relies on taking AgileBits at its word (something that we are never very happy doing.)
Having said that, AgileBits is very open about how its security system is designed and what it knows about you, and some of the source code for manipulating 1Password keychains has been released by unaffiliated parties. This all still falls well short of being open source, but is encouraging.
A great deal of very in-depth information is available on the website detailing exactly how 1Password protects your passwords, and for those interested in the subject, we strongly recommend rolling up your sleeves and diving in (although it is, admittedly, somewhat daunting.)
The TL;DR version is that 1Password uses strong AES-256 encryption with SHA256 key encryption. An encryption key is derived from the Master Password using a base64 encoded 16 byte random salt and PBKDF2-SHA512, which dramatically slows down any attempt to guess your Master Password.
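To make the key-stretching step concrete, here is an added example (not AgileBits' code, and not taken from the 1Password documentation) that derives a 256-bit key from a master password with PBKDF2-SHA512 and a base64 encoded 16 byte salt, then estimates what each guess costs. The iteration count, the 32-byte output length and the function names are assumptions made for illustration; the review does not state them.

```python
import base64
import hashlib
import math
import os
import time

# Assumptions (not from the review): the iteration count, and a 32-byte output
# used as an AES-256 key. The review only names PBKDF2-SHA512 and a 16-byte salt.
ITERATIONS = 100_000
KEY_LEN = 32
SALT_LEN = 16
SECONDS_PER_YEAR = 365 * 24 * 3600


def new_salt() -> str:
    """Fresh 16-byte random salt, base64-encoded for storage beside the vault."""
    return base64.b64encode(os.urandom(SALT_LEN)).decode("ascii")


def derive_key(master_password: str, salt_b64: str, iterations: int = ITERATIONS) -> bytes:
    """Stretch the Master Password into a 256-bit key with PBKDF2-HMAC-SHA512."""
    salt = base64.b64decode(salt_b64, validate=True)
    if len(salt) != SALT_LEN:
        raise ValueError("salt must decode to exactly 16 bytes")
    return hashlib.pbkdf2_hmac(
        "sha512", master_password.encode("utf-8"), salt, iterations, dklen=KEY_LEN
    )


def seconds_per_derivation(iterations: int, rounds: int = 3) -> float:
    """Measure the wall-clock cost of one derivation on this machine."""
    salt = new_salt()
    start = time.perf_counter()
    for _ in range(rounds):
        derive_key("timing sample", salt, iterations)
    return (time.perf_counter() - start) / rounds


def years_to_search(entropy_bits: float, seconds_per_guess: float) -> float:
    """Expected time to find a password of the given entropy (half the keyspace)."""
    return 2 ** (entropy_bits - 1) * seconds_per_guess / SECONDS_PER_YEAR


if __name__ == "__main__":
    salt = new_salt()
    key = derive_key("correct horse battery staple", salt)  # constructed sample password
    print("salt:", salt, "key:", key.hex())
    cost = seconds_per_derivation(ITERATIONS)
    bits = 5 * math.log2(7776)  # five Diceware words from a 7,776-word list
    print(f"{cost:.3f}s per guess -> {years_to_search(bits, cost):.2e} years on one core")
```

Because the salt is random per vault, the same Master Password yields a different key each time a salt is generated, so precomputed guess tables cannot be reused across vaults; raising the iteration count scales the per-guess cost linearly.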
All encryption is end-to-end, and only you should know your password. This does mean that no password recovery is available should you forget it (unlike with LastPass, for example), but this makes for a much more secure system.
The more paranoid out there will be pleased to know that cloud syncing is not enabled by default, and that syncing between devices can be achieved over WiFi, so you never have to send your passwords over the internet. This can be done without a router by creating an ad-hoc wireless network. 1Password even offers advice on how to check network activity to ensure that no data is being sent to AgileBits.
In fact, even when performing cloud syncing, no data is sent to AgileBits, as cloud syncing is performed using either your Dropbox or iCloud account (free versions of both services are available that will be sufficient for syncing passwords).
Although we trust neither of these services with our data, the fact that 1Password encrypts your passwords client-side means that this shouldn’t matter, as without your master password they should be secure regardless of who can access the password file.
There is no getting around the fact that 1Password is closed source, so none of what it says can be checked, but we are nevertheless impressed by AgileBits’ openness when it comes to explaining how anything works, and in general the security measures in place appear to be very tight.
Unlike many other password managers, 1Password keeps its Android permissions under fairly tight control.
1Password allows you to share either individual entries or your entire Vault with a trusted person. This involves sending an unencrypted file that can be imported into the recipient’s 1Password Vault. Because the shared file is unencrypted, it is important that it is sent via a secure channel such as over iMessage or PGP encrypted email.
To be honest, we feel this file sharing “feature” to be rather weak, and you might as well just tell your trusted recipient the password using your preferred secure channel…
Using 1Password (desktop)
The 1Password desktop software is available for Windows 7+ and Mac OSX Yosemite (legacy versions are available for OSX Snow Leopard and Lion). Unfortunately, no version is available for Linux. We tested the Windows version.
Note that 1Password works fine on Windows 10, but at the time of writing a plugin for the new Edge browser is not yet available.
In theory 1Password will import from (and export to) a range of unencrypted file formats (.csv, .html, .htm, .txt), but it failed to import our exported KeePass 2 .html file (just a guess, but this may be due to our KeePass export file exceeding the 20 entries allowed by the 1Password trial we used for this review.)
The desktop client allows easy management of your passwords, which can be sorted into user-defined folders. We particularly like the fact that you can tell how strong your passwords for different sites are at a glance. We also like the fact that password entries can include notes and file attachments.
1Password will flag up weak passwords (you set the sensitivity of this using the slider at the bottom of the window), duplicated passwords (it is bad for security to re-use the same password over multiple websites and services), and websites you use that are vulnerable to the Heartbleed bug. Watchtower alerts you to known security concerns about particular sites (for details on how it does this without compromising your privacy see here).
Wallet allows you to securely store sensitive information not related to website passwords, and provides useful templates for entering the data. Secure Notes is for securely storing… well… general purpose notes, and Identities saves personal information for auto-filling in web forms.
1Password integrates with the top browsers, but has little support for less popular alternatives (unlike Sticky Password, for example).
Contrary to reports we’ve seen elsewhere, the browser plugin features a consistent interface across all desktop browsers. Unlike most other password managers, 1Password does not log you in automatically when you visit a web page – you must select the login using the browser button. Some users may not like this extra step, but we did not find it a problem, and AgileBits claims this approach is more secure anyway.
If 1Password does not know the login details for a website, it will capture your input and ask to save it.
It will, of course, generate strong random new passwords for you on request.
We particularly like that it can use the Diceware method for generating passwords. This is considered to be very random, but creates passwords you might actually be able to remember yourself, should you need them.
1Password on the desktop does an excellent job as a password manager, and despite requiring an extra click on the browser button, performs its function with minimal fuss. We also appreciate the various at-a-glance password security checks, and like the option of generating Diceware passphrases.
Using 1Password (mobile)
Mobile apps are available for iOS and Android. We tested the Android version. There is, intriguingly, also an app for Apple Watch, but (alas) we are unable to review this.
Interestingly, 1Password is trying to move away from a clipboard based system of integrating with other apps, as this has been shown to present a security vulnerability (on all platforms.) Lollipop users can sign up for an Android beta that allows integration with Android that does not rely on the clipboard.
In the meantime, the app provides two ways to enter passwords. The first is a browser built into the 1Password app. This works well enough, but it’s unlikely that you will want to ditch your existing much more fully featured browser, which limits its utility somewhat.
The second is a keyboard input method where you can access your passwords through a dedicated 1Password keyboard. This is very similar to the method used by open source KeePass2Android, except that the keyboard autofill function only seems to work in the Chrome browser (not Firefox or Android’s built-in Internet browser.)
Again, given that the 1Password keyboard is almost certainly less fully featured than your usual keyboard (no spellchecker, auto-complete, swipe input etc.), you are unlikely to want to use it full-time (especially as it only auto-fills passwords in Chrome!)
This means to use the keyboard you will need to change over to it whenever you need to access your passwords, which is a rather tedious business.
The 1Password app does not currently support use of fingerprint scanners in Android, but does in iOS 8+.
In short, we are not very impressed with 1Password’s implementation on Android (and we presume the iOS app is similar.)
We liked
- Comprehensive feature set (including password strength check, Watchtower etc.)
- Great desktop client and browser integration
- Strong end-to-end encryption and security
- No password recovery (good for security)
- Local WiFi sync
- Diceware passphrase generation
- Great documentation
- 30 day free trial + 30 day money back guarantee (but not as unlimited as claimed)
We weren’t so sure about
- Mobile integration is very clunky (and keyboard only works in Chrome)
- Limited desktop browser support
- No 2FA or biometrics support (except for fingerprint scanner on iOS devices)
- Sharing is rather weak
- Closed source
- No Linux support
Despite being rather expensive and closed source, we enjoyed using 1Password on the desktop. The app has some funky and very handy features, and we found the browser integration intuitive and non-invasive. We are also impressed by the wealth of documentation available, which explains in quite some detail how everything works (although the sheer quantity of it can be a little overwhelming.)
When it comes to the mobile app things are somewhat different, however, as we found the app awkward to use, and of limited general utility. Since all the password managers we have reviewed so far work well on the desktop, and some also sport impressive mobile integration, this is something of a problem.
1Password is not a bad password manager (not at all in fact), but its clumsy mobile implementation means that it struggles to justify its high cost when compared to its free and open source rival, KeePass.