What is 1Password?
A big name in commercial password managers, 1Password is a professional product that integrates well on the desktop, and offers some very cool features (notably password security checks and Diceware passphrase generation.) We also think that the security measures it uses are very robust. Unfortunately, 1Password does not integrate so well on mobile platforms, which combined with it being rather expensive, leaves us a little ambivalent about recommending it.
1Password includes the following features:
- Auto-generation of secure passwords
- Folder-style organization of Vaults
- Watchtower (security audit for weak or duplicated passwords etc.)
- End-to-end password encryption
- Auto-Form fill (“Identities”)
- Secure Notes
- Cloud syncing via iCloud or Dropbox across devices (optional)
- Local WiFi syncing across devices (optional)
- Sharing via a secure channel
Is 1Password Secure?
The first thing to note is that 1Password is a closed source product, so all discussion about privacy the security relies on taking AgileBits at its word (something that we are never very happy doing.)
Having said that, AgileBits is very open about how its security system is designed and what it knows about you, and some of the source code for manipulating 1Password keychains has been released by unaffiliated parties. This all still falls well short of being open source, but is encouraging.
A great deal of very in-depth information is available on the website detailing exactly how 1Password protects your passwords, and for those interested in the subject, we strongly recommend rolling up your leaves and diving in (although it is, admittedly, somewhat daunting.)
The TL:DR version is that 1Password uses strong AES-256 encryption with SHA256 key encryption. An encryption key is created derived from the Master Password using base64 encoded 16-byte random salt and PBKDF2-SHA512, which dramatically slows down any attempt to guess your Master Password.
All encryption is end-to-end, and only you should know your password. This does mean that no password recovery is available should you forget it (unlike with LastPass, for example), but this makes for a much more secure system.
The more paranoid out there will be pleased to know that cloud syncing is not enabled by default, and that syncing between devices can be achieved over WiFi, so you never have to send your passwords over the internet. This can be done without a router by creating an ad-hoc wireless network. 1Password even offers advice on how to check network activity to ensure that no data is sent being to AgileBits.
In fact, even when performing cloud syncing, no data is sent to AgileBits, as cloud syncing is performed using either your Dropbox or iCloud account (free versions of both services are available that will be sufficient for syncing passwords).
Although we trust neither of these services with our data, the fact that 1Password encrypts your passwords client-side means that this shouldn’t matter, as that without your master password they should be secure regardless of who can access the password file.
There is no getting around the fact that 1Password is closed source, so none of what it says can be checked, but we are nevertheless impressed by AgileBits’ openness when it comes to explaining how anything works, and in general the security measure in place security appear to be very tight.
Unlike many another password manager, 1Password keeps its Android permissions under fairly tight control
Using 1Password on desktop
The 1Password desktop software is available for Windows 7+ and Mac OSX Yosemite (legacy versions are available for OSX Snow Leopard and Lion). Unfortunate no version is available for Linux. We tested the Windows version.
Note that 1Pawword works fine on Windows 10, but at the time of writing a plugin for the new Edge browser is not yet available.
In theory 1Password will import from (and export to) a range of unencrypted file formats (.csv, .html, .htm, .txt), but it failed to import out exported KeePass 2 .html file.
The desktop client allows easy management of your passwords, which can be sorted into user-defined folders. We particularly like the fact that you can tell how strong your passwords for different sites are at a glance. We also like the fact that password entries can include notes and file attachments
1Password will flag up weak passwords (you set the sensitivity of this using the slider at the bottom of the window), duplicated passwords (it is bad for security to re-use the same password over multiple websites and services), and websites you use that are vulnerable to the Heartbleed bug. Watchtower alerts you known security concerns about particular sites.
Wallet allows you to securely store sensitive information not related to website passwords, and provides useful templates to entering the data. Secure Notes is for securely storing… well... general purpose notes, and Identities saves personal information for auto-filling in web forms
1Password integrates with the top browsers, but has little support for less popular alternatives (unlike Sticky Password, for example)
Contrary to reports we’ve seen elsewhere, the browser plugin features a consistent interface across all desktop browsers. Unlike most other password managers, 1Password does not log you in automatically when you visit a web page - you must select the login using the browser button. Some users may not like this extra step, but we did not find it a problem, and AgileBits claims this approach is more secure anyway
If 1Password does not know the login details for website, it will capture your input and ask to save it
It will, of course, generate strong random new passwords for you on request
We particularity like that it can use the Diceware method for generating passwords. This is considered to be very random, but creates passwords you might actually be able to remember yourself, should you need them
1Password on the desktop does an excellent job as a password manager, and despite requiring an extra click on the browser button, performs its function with minimal fuss. We also appreciate the various at-a-glance password security checks, and like the option of generating Diceware passphrases.
Using 1Password on mobile
Mobile apps are available for iOS and Android. We tested the Android version. There is, intriguingly, also an app for Apple Watch.
Interestingly, 1Password is trying to move away from a clipboard based system of integrating with other apps, as this has been shown to present a security vulnerability (on all platforms.) Lollipop users can sign up for an Android beta that allows integration with Android that does not rely on the clipboard.
In the meantime, the app provides two ways to enter passwords. The first is a browser built-in to the 1Password app. This works well enough, but it’s unlikely that you will want to ditch your existing much more fully featured browser, which limits its utility somewhat.
The second is a keyboard input method where you can access your passwords through a dedicated 1password keyboard. This is very similar to the method used by open source KeePass2Android, except that the keyboard autofill function only seems to work in the Chrome browser (not Firefox or Android’s built-in Internet browser.)
Again, given that the 1Pasword keyboard is almost certainly less fully featured than your usual keyboard (no spellchecker, auto-complete, swipe input etc.), you are unlikely to want to use it full-time (especially as it only auto-fills passwords in Chrome!)
This means to use the keyboard you will need to change over to it whenever you need to access your passwords, which is a rather tedious business.
The 1Password app does not currently support the use of fingerprint scanners in Android, but does in iOS 8+.
In short, we are not very impressed with 1Password’s implementation on Android (and we presume the iOS app is similar.)
Despite being rather expensive and closed source, we enjoyed using 1Password on the desktop. The app has some funky and very handy features, and we found the browser integration intuitive and non-invasive. We are also impressed by the wealth of documentation available, which explains in quite some detail how everything works (although the sheer quantity of it can be a little overwhelming.)
When it comes to the mobile app things are somewhat different, however, as we found the app awkward to use, and of limited general utility.
1Password is not a bad password manager (not at all in fact), but clumsy mobile implementation means that it struggles to justify its high cost when compared to free and open source rival, KeePass.