The 1Password 7 Beta for Mac (agilebits.com)
41 points by uptown on March 28, 2018 | hide | past | favorite | 76 comments


I've been using 1Password since Version 3 in 2010 and was originally skeptical about the move to a SaaS model. The value I (and now my wife) gets from the Family Plan is easily worth it - it just works and we can easily share some things while keeping others to ourselves.

One pro-tip I learned last year is to replace Google Authenticator with 1Password's 2FA solution. It is really well implemented and copies the 2FA code to the clipboard when you fill in a login, and then removes it a minute or so later. You do need to make sure your 1Password recovery information is someplace secure because you're in a bad place if you ever lose your devices.


Totally agree on both counts: the value of being able to put certain credentials, documents, notes, etc. in a "Shared" vault is great.

And definitely the TOTP integration. I love how after you hit Cmd-\ to fill in your username and password, it automatically copies the TOTP value to the clipboard for instant-pasting on the next screen. Such a great feature.


This kind of defeats the point of 2FA. With your current setup, if anyone accesses your vault and gets your password they also get your 2FA key.

At that point it’s no longer two-factor, it’s just two steps in the same authentication.


We've written about this in the past, see a blog post by our chief of security here:

https://blog.agilebits.com/2015/01/26/totp-for-1password-use...

Hope that clears things up for both of you. Let me know if you have any questions though!

Kyle

AgileBits


I’m not even that old and the use of “Lit” and “fam” kept me from continuing to read whatever this was about.


It doesn't even make sense. Their customers must cover a wide age range, so why use language directed at only their youngest customers? Not to mention any one who actually uses "fam" and "lit" is going to cringe at this post. The whole thing belongs in r/fellowkids.


It's a (low quality, but still) use of irony. Come on, people.


Yeah, we also get dinged for putting extra effort into release notes :)


Hey Roustem,

First off - thanks for making 1Password, I've been an unpaid brand ambassador since 2011. I've successfully converted over 5 users (rather lit if you ask me fam).

I was wondering if you can comment on plans for a 1Password standalone (non-cloud) version. For me (and a few others I'd imagine, based on [1]) it is a must-have feature. I'd be happy to pay a subscription fee for using your software - it's just that I want absolutely nothing to do with hosting my passwords in 1Password Cloud - this was the argument I used to use during LastPass vs 1Password debates - "with 1Password, you can sync your vault any way you want (rsync/dropbox/lan sync)".

[1] https://discussions.agilebits.com/discussion/76885/1password...


Not Roustem, but I work for Roustem :)

We never comment on future plans simply because they're subject to change. We can't promise something now and expect the software world to be the same in 1 year or 2 years.

All I think is reasonable to say in this case is that 1Password 7 for Mac (and Windows) both have standalone licenses available, as we have traditionally sold (per user, per platform, for that particular version, in this case 7.x) and those standalone licenses support syncing to standalone vaults (Dropbox, iCloud, Folder, and WLAN for Mac. Dropbox for Windows).

Note that version 7 is likely only going to support our OPVault format, NOT AgileKeychain. Import from AgileKeychain, but not sync to AgileKeychain.

Hope that helps, but I realize you might be asking what about version 8, or 9, or future version x. We simply can't answer that question because it's too far in the future. It's like asking me to promise that I'm going to buy a house in 1-2 years when I have no idea what the future holds.

Thanks for converting those users though! You've helped us continue to do what we love to do. We wouldn't be here without users like yourself helping make 1Password as great as it can be.

Kyle

AgileBits


I'm probably 2x your age and I shrug it off. It's not like you can't actually understand the text.


Guess you’re not fam.


Yeah, it's annoying that they feel like they have to try so damn hard all the time.

They run a brilliant service though that I can use on my OS X & Android daily drivers, their Android app is top notch -- which even supports fingerprint authentication -- so I can't complain.


I am old, this sounded like my kids, made me smile. Sure, it is silly. But was okay for me.


What, you don't want a "Grab bag of lit-ness"?


Been a happy paying user for nearly 4 years now (still standalone though).

I like how this team keeps iterating and tweaking things, even though they've largely already solved the issues with password management for me. And they aren't just adding superfluous features.

I am most excited about markdown in notes!


I am most excited about markdown in notes!

Is that the new version of Zawinski's Law:

http://www.catb.org/jargon/html/Z/Zawinskis-Law.html


I understand that apps expand, but I've come to move specifically to applications that support markdown. Like Bear, Slack, Trello, etc. Being able to have light-duty text formatting while not being dependent on RTF interface means I can port the text around. Markdown is really gaining steam.


I think there’s a version of this law (not sure if it’s named) that says that in the case of mobile apps they expand until they have chat.


I recently switched from LastPass to 1Password and was surprised with what a bad user experience I'd gotten used to from LastPass. The attention to detail (down to designing their own font!) from the 1Password team is impressive.


Yeah, I tried using LastPass for 6 months or so but never really got into it. The browser integration (at least 3 or so years ago) was pretty janky. Switched to 1Password and never looked back. I've been very happy so far, so hopefully you continue to be as well.


Can someone help me with 2 questions:

Question 1: Can someone comment on the actual severity of them storing all my passwords remotely? I don't like the idea of it, but it seems like they're a reputable company so I assume they have good systems in place. I have the standalone right now but it's getting to be a pain to move from computer to computer, and I don't trust dropbox sync.

Question 2: Lets say the online version gets hacked... and they steal all the vaults, does that mean they only need my master password to get in? What about people who have weaker master passwords. Can people brute force the password vault in the same way that someone can if they have a hash database of passwords?


Your passwords are encrypted using a master password that you enter in the desktop app. They do not know your passwords.


But can you brute force my vault using similar techniques as just brute forcing a stolen DB of hashed passwords... in other words, if your vault password is < 6 characters are you screwed? Or are the vault passwords more 'battle hardened'


Any time you try to unlock a vault by providing a password, 1Password's infrastructure has to run it (along with other inputs) through 100,000 iterations of a hash function to derive a key. Many password managers nowadays do something like this, because it makes every guess more expensive (linearly I suppose?).

This is, of course, no substitute for a nice long password whose characters are members of the largest alphabet you can think of, but it's something.

I'm not qualified to analyze a security system in detail, but 1Password have published the mechanism they use to secure vaults. You might want to check it out for more details:

https://1password.com/files/1Password%20for%20Teams%20White%...


Your vault password should have a similar amount of entropy to the encryption strength; it's one of the good uses of a diceware passphrase, where I'd recommend 8+ words for the encryption passphrase.

It's the only thing you'll have to remember, so while a pass phrase that length would normally be a hurdle, it isn't hard to remember. It'll be a pain to type at first but you'll get muscle memory before too long.

6 Characters? If your master password is only 6 characters then yes, you are screwed if your vault leaks.


Not really. Your data would be safe even with a 6-character master password (which will not be allowed by 1Password).

The random Secret Key provides the additional protection against brute forcing accounts even when the master password is weak.


Correct me if I'm wrong, but the random secret key must be synchronised somehow, surely? I'm talking about in the case that someone gains access to all your synchronised data.


The process of encrypting a password is one-way, meaning that given an encrypted password you can’t run a process to get the original.

For an attacker to guess your password, they need to run a bunch of guesses through the same encryption process, and only when they get the same encrypted result they’ll know they have the correct unencrypted one. This is time consuming, so attackers may use rainbow tables[1] — essentially a list with a ton of precomputed passwords they can check. To counteract this you salt[2] a password, essentially adding random data to it. So now even if we have the same password, since our salt (random data) will be different, the resulting encrypted version will also be different.

Even if the attacker gets your vault and secret key, they’ll still need to brute-force[3] the password.

Ars Technica has an excellent explanation of all this[4].

[1]: https://en.wikipedia.org/wiki/Rainbow_table

[2]: https://en.wikipedia.org/wiki/Salt_(cryptography)

[3]: https://en.wikipedia.org/wiki/Brute-force_attack

[4]: https://arstechnica.com/information-technology/2013/05/how-c...


The secret key is combined with the master password. See our white paper here:

https://1pw.ca/whitepaper

See Key Derivation on page 24 for this specifically. We call it 2SKD.

Page 26 also shows how the secret key and the master password are combined. From that other keys are derived.

It's actually a very fascinating process, combined with our use of SRP, I have to say I rather love how well all of this meshes together.

In the situation where someone gets your data from our server, which is the big thing people are worried about, they're going to have to combine a guess for your master password and the secret key to perform a guess.

They could in theory get your secret key from your local devices, as these are saved there, but your Master Password protects in that case as it's not stored anywhere (unless you've enabled features like Touch ID or Face ID, but those are protected in other ways).

Your Secret Key protects your data on our server. It makes brute forcing that data an incredibly expensive process.

Your Master Password also helps protect your data on our server, but it also protects your data locally.

Let me know if that helps explain things.

Kyle

AgileBits


How is the Master Password protected with Touch ID? Seems like it goes in the Apple Keychain, which then Apple wants to sync to iCloud.

Can Apple then get my Master Password (along with FBI w/warrant, etc)?


Apple doesn't sync secure enclave information to iCloud. Also, not all iCloud synced information can be accessed. iCloud Keychain, for example, cannot be decrypted by Apple.


In 1Password 7 for Mac we generate a key pair in the secure enclave. Then we use that key pair to encrypt the Master Password and save it to the Apple Keychain. All decryption of the Master Password goes through the Secure Enclave.

The key pair is generated in, and never leaves, the Secure Enclave. It's how this feature was designed by Apple.

Kyle

AgileBits


So you are saying to come up with 8 random words and chain them together? Wouldn't 4 or 6 work? (Like the one comic about correct horse battery staple)


They don't have to be random. For example, you could use an HN comment, like this one.


A while back I recall AgileBits pushing a blog about their security. While this one isn't from them directly, it reinforces the notion that they slow down the number of passwords you can brute force by increasing the number of rounds.

Edit >> Forgot to post the link to the article https://blog.elcomsoft.com/2017/08/attacking-the-1password-m...


Vaults stored on their servers are encrypted with a two-secret system: one secret is your password, a second secret is a large, random string. So even if your vault password is weak, it should still keep the vault safe. Neither of these secrets is stored by them.


Well, yes, if you set your vault password to be less than 6 characters I don't think there are any miracles that can guarantee the safety of your data, unless they use PBKDF2 with 10e10 iterations or something similar.


The key used to protect the data (before it is sent to 1Password.com) is generated as 100,000 iterations of PBKDF2-HMAC-256(Master Password + Secret Key).

The most important part here is the Secret Key which provides additional 128 bits of entropy.

https://1password.com/security/
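As an added illustration of the point made here and in Kyle's 2SKD comment above (this is not AgileBits' code, and the byte-level combination below is a constructed simplification, not the actual 2SKD construction their white paper specifies), the Python below folds a random 128-bit secret key into a PBKDF2-HMAC-SHA256 derivation with the 100,000 iterations quoted in the thread, then runs a small dictionary attack in the two breach cases discussed: attacker has the vault plus the secret key from a device, versus attacker has only the server-side data. The salt, the wordlist and the weak sample password are constructed.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional

# Iteration count and key size quoted in the thread. The way password and
# secret key are combined below is a constructed stand-in, NOT 1Password's 2SKD.
ITERATIONS = 100_000
KEY_LEN = 32
SECRET_KEY_BYTES = 16  # 128 bits of random entropy, as the thread describes


def generate_secret_key() -> bytes:
    """Constructed stand-in for the random Secret Key (the real one has its own format)."""
    return secrets.token_bytes(SECRET_KEY_BYTES)


def derive_key(master_password: str, secret_key: bytes, salt: bytes,
               iterations: int = ITERATIONS) -> bytes:
    """Derive a vault key from master password + secret key via PBKDF2-HMAC-SHA256.

    Constructed combination: password bytes, a NUL separator, then the secret key.
    Each guess costs the attacker `iterations` HMAC evaluations.
    """
    material = master_password.encode("utf-8") + b"\x00" + secret_key
    return hashlib.pbkdf2_hmac("sha256", material, salt, iterations, dklen=KEY_LEN)


def dictionary_attack(target_key: bytes, salt: bytes, candidates: List[str],
                      secret_key_guess: bytes,
                      iterations: int = ITERATIONS) -> Optional[str]:
    """Try every candidate master password with the attacker's secret-key guess.

    Returns the recovered password, or None if no candidate reproduces the key.
    """
    for candidate in candidates:
        guess = derive_key(candidate, secret_key_guess, salt, iterations)
        if hmac.compare_digest(guess, target_key):
            return candidate
    return None


def compare_scenarios(iterations: int = ITERATIONS) -> Dict[str, Optional[str]]:
    """Run the two breach scenarios from the thread against a weak 7-char password."""
    salt = b"constructed-per-account-salt"  # constructed sample salt
    secret_key = generate_secret_key()
    vault_key = derive_key("hunter2", secret_key, salt, iterations)
    # Constructed tiny wordlist; a real attack would use millions of entries.
    wordlist = ["123456", "qwerty", "letmein", "hunter2", "dragon"]

    # Scenario 1: attacker pulled the Secret Key off a device AND has the vault.
    # Only the master password stands in the way, so a weak one falls quickly.
    device_and_vault = dictionary_attack(vault_key, salt, wordlist, secret_key, iterations)

    # Scenario 2: attacker has only the server-side data, no Secret Key.
    # Every password guess must also be paired with a guess at 128 random bits;
    # a single wrong key guess stands in here for that hopeless search.
    server_data_only = dictionary_attack(vault_key, salt, wordlist,
                                         bytes(SECRET_KEY_BYTES), iterations)

    return {"device_and_vault": device_and_vault, "server_data_only": server_data_only}


if __name__ == "__main__":
    print(compare_scenarios())
```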


Nice to see it will still support standalone licenses without needing a subscription.


According to a comment on the blog we get yet another data file format, and still looks like nothing to replace sudolikeaboss (https://github.com/ravenac95/sudolikeaboss), despite them saying they were working on it.

Mostly it looks like new eye candy, and apparently some speedups, not that it was slow before.


This is incredibly frustrating, to be honest. They offer a CLI tool but it's completely separate from the GUI session, which means juggling envvars and typing your master password many times.

Apple's keychain, while uglier than a Fiat Multipla and harder to use than a Wiimote on a CRT, at least does get this right.

But apparently bold text and 21st century 1337speak sell better than a CLI integration. Unfortunately, I can't say I'm surprised.

I guess the silver lining is: this can only mean password managers are not just used by security professionals anymore, and are actually becoming mainstream. Hurray :/


Out of curiosity, do you use the CLI tool for feeding private keys and/or passwords into scripts, environment variables, or other software that you write?

I had no idea they had a CLI implementation, and I've been looking for something that manages server/api keys as well as cloud service passwords. I imagine there's a better way to do this using enterprise key management software, but I no longer work for a place w/ this kind of budget.


I'm the parent comment, but yes, among other things.

For enterprise key management, I recommend Hashicorp Vault (https://www.vaultproject.io/). It's OSS, so no giant budget required.

There is a CLI available as a 3rd party app that works with newer 1P versions and talks to your local 1P vault: https://github.com/peacetara/slab/blob/master/src/python/REA...


Yes, notably 99designs' aws-vault.[1] They only support keychain and plain file backends on OS X, and I'm trying to write a 1Password backend for it. Half of which will be in a separate lib.[2]

Honestly the more I use it the less I understand how any company can allow employees to store AWS creds in a plain text file :/ lack of alternatives, I’m afraid. As is apparent from this thread :)

1 https://github.com/99designs/aws-vault

2 https://github.com/hraban/go-onepassword


Agreed 100%.


Love my 1Pass subscription. Hope more iOS apps keep integrating it.

Interesting they intentionally moved from multithreaded to singlethreaded.


Not single-threaded, single-process. It would be really hard to use a single-threaded app :)

The 1Password mini used to be a separate process and it was using XPC to communicate with the main app.


I had no idea there was app integration! Which apps are integrated with the iOS app?


There's actually a system-level thing, where password manager apps can register an extension to provide password form-filling, and then apps just include a button (generally a keyhole one) which you tap to trigger the relevant extension sheet from which you can choose your password app.

Here's the first screenshot of the flow I found: https://releasenotes.docs.salesforce.com/en-us/winter17/rele...

iOS11 added a new variant on this, with a little key icon in the keyboard when you're in a password area, but it's only filling from the system keychain and isn't open to third parties. (Yet?)

See: https://techcrunch.com/2017/06/08/ios-11s-new-password-autof...


We have a full list from all developers who have informed us they have integrated here:

https://blog.agilebits.com/1password-apps/

There are likely other apps that are not on this list, but if they don't tell us they have added support it's difficult for us to add them.

You can request your favorite app add support, often times it only takes a developer 15 minutes or so to add it. Details in our github repo here:

https://github.com/agilebits/onepassword-app-extension

Let me know if you have any questions! I handle all of our app extension customer support and code maintenance.

Kyle

AgileBits


Thanks for responding Kyle! No questions - I love your app. My partner is not very technology savvy and I recently got them to adopt 1password which has been a huge huge boost to her security; her previous solution was just recycle passwords.

One piece of feedback is that when I was comparing your product to Dashlane, they had much better tools to migrate your existing passwords. Specifically Dashlane has a tool to migrate all your passwords in your Mac OS keychain automatically to their manager. I remember y'all having a solution as well but it was a lot more complex and wasn't something that my mom or dad could do without me watching them.

So my main feedback is to build solutions and UX that cater towards your grandma, not to the HN crowd. These are the users that you need to convert over because they have the biggest security risks.


Thanks!

As you can imagine it's quite difficult to take complex topics like this and make it easy to digest for people not familiar with it.

I hope we can continue to make small steps in the right direction in each release. If we wanted to make 1Password as simple to use as possible we could certainly do that by removing all the fancy features that most of our power users find useful, but that would anger them greatly.

We started as a power user tool, so our roots are there. We can't abandon that entirely. We just have to work harder to simplify in ways that aren't going to remove these useful tools.

As for the Mac OS Keychain import bits: there is actually no official way to do this that isn't an incredibly ugly hack. Apple doesn't provide a mechanism to get data out of the macOS keychain, and the one way they do, while it can be scripted, requires asking for the user account's password for each item. I suspect if we looked at how other tools do this they are doing some incredibly wonky things that you might be afraid to understand :)

I understand that the point remains, they import, we don't... but it's a tightrope. We don't want to do things that potentially risk us losing goodwill with our users by doing weird things in the background to make it work seamlessly.

Kyle

AgileBits


Allowing Markdown in secure notes is a great new feature!

I've recently set up 1Password for my parents and it works fine. The applications are still a little too complicated for them though, the gap between a physical notebook containing passwords and 1Password is large. Thankfully the UX on iPhone/iPad with TouchID is simple enough.


Did I miss something? Is there not a way to use 1Password 7 without it automatically uploading your 1Password 6 vault to their cloud as part of the setup flow (as it did for me)? Unless I did something wrong, it looks like a my.1password.com account is _required_ in 1Password 7.


I've been testing 1PW7 Windows beta, and I'm testing against a local vault. Would surprise me if the Mac version only supported 1password.com cloud vaults.


One of the highest quality software projects I've ever seen. It just works so well.


Wow. 1Password 7 for Mac looks quite a bit better than 1Password 7 for Windows. I wish they put an equal amount of effort into all platforms but I do understand why they develop the way they do. I just hope I can get that new sidebar.


Our Windows app has come a long way in the ~2 years or so of its existence. We rewrote everything from the ground up with 1Password 6 for Windows. It has roughly 8 years of ground to make up to our Mac and iOS apps. They've come a long way in a short period of time. And it'll continue to get better, but we had some really big features to implement on Windows that just took a lot of time and effort. Adding in standalone license support and syncing to Dropbox is not a simple process but they're now available there in the latest beta.

We want our Windows users to be happy as well, and if you have features that are vital to you please write into our support. They use these requests to help gauge what to work on next, and the list is long so the more we hear from users about what they value the better we can prioritize that list.

As a Mac and iOS developer on the team I am very impressed by how quickly our Windows team has caught up.

Thanks,

Kyle

AgileBits


Yes, the 1PW7 beta release really raised that version of the software. Thank you for the attention to that platform. Been quite active on the bug reporting forum and I hope you are able to make further improvements. If only the Windows version search capabilities expand, basically the product will be near perfect for me.

Example:

1) search for entries using two or more strings

2) search for entries without two or more certain strings. Example: find all entries unrelated to entertainment in "All Items", search for -tag:book -tag:movie -tag:streaming -tag:tv

And saving a search so that I don't have to retype the search language when I QA my 1PW data!


Yes. 1Password if you're reading this: your Windows users love you. We need some love in return :)


Have you seen the latest beta? It was announced last week:

https://blog.agilebits.com/2018/03/20/introducing-1password-...

Kyle

AgileBits


Big fan of this software, have been using it for almost 10 years and love that it keeps getting better. Using family and teams is great too. Even my Grandparents use it on their iPhones.


OOH integration with the pwned password database.

However, it looks like it pings Troy's service to do its magic so not everything is kept locally. (I don't blame them, for speed, and for not needing a many-gig database download for each client.)

Still, a cool feature, but something to be aware of.

https://blog.agilebits.com/2018/02/22/finding-pwned-password...


You lose about 5 characters of the SHA1 hash to the remote service. Pretty acceptable.
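An added example (not AgileBits' code) of the range-query check the two comments above describe: only the first five hex characters of the password's SHA-1 hash leave the client, and the suffix comparison against the returned range happens locally. The remote service is replaced by a constructed, embedded stand-in so the script runs offline, and it records every prefix it receives so you can confirm what the remote side actually saw.

```python
import hashlib
from typing import Callable, Dict, List, Tuple

# The ~5 hex characters mentioned in the thread: 20 bits of the 160-bit SHA-1.
PREFIX_LEN = 5


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the uppercase hex SHA-1 of a password into the sent prefix and the local suffix."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:PREFIX_LEN], digest[PREFIX_LEN:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict, skipping blank or malformed lines."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and suffix and count.isdigit():
            counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Return how often the password appears in the breach corpus (0 if absent).

    `fetch_range` is handed ONLY the 5-character prefix; the full hash and the
    password itself never leave this function.
    """
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


class ConstructedRangeServer:
    """Offline stand-in for the remote range service; records every prefix it receives."""

    def __init__(self) -> None:
        self.requests: List[str] = []
        # Constructed range for prefix 5BAA6. SHA-1("password") is
        # 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8, so its 35-char suffix sits
        # among made-up neighbours; the counts are constructed sample values.
        self._ranges = {
            "5BAA6": "\n".join([
                "0A1B2C3D4E5F60718293A4B5C6D7E8F9A0B:2",
                "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",
                "FFEEDDCCBBAA99887766554433221100FFE:1",
            ])
        }

    def __call__(self, prefix: str) -> str:
        self.requests.append(prefix)
        # Unknown prefixes still get a non-empty (constructed) range, since a
        # range service answers every prefix rather than revealing "no match".
        return self._ranges.get(prefix, "0" * 34 + "A:1\n")


if __name__ == "__main__":
    server = ConstructedRangeServer()
    for pw in ["password", "correct horse battery staple"]:
        print(pw, "->", pwned_count(pw, server))
    print("prefixes the server saw:", server.requests)
```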


I wish AgileBits put as much effort into their Windows version as their Mac version.


I don't use Windows so I don't know if there are any particular bugs in their Windows software but they announced the 1Password 7 beta for Windows eight days before they made this Mac announcement https://blog.agilebits.com/2018/03/20/introducing-1password-...


I keep checking these articles in hope they mention Linux. How can 1Password expect companies to use it when it does not have a cross platform solution...


Did you check 1Password X?


Yep but a Chrome extension is not really a client. Especially when it has no offline support...


1Password X does have offline support now: https://app-updates.agilebits.com/product_history/B5X#v10500 Slowly but surely it's becoming more of a full-fledged client. :)

--

Jamie Phelps

Code Wrangler @ AgileBits


Hey MightySCollins!

1Password X is a Chrome extension, but it's also a full-featured 1Password client! Additionally, 1Password X does work without an internet connection. In version 1.5 we added an offline cache so you can boot up your laptop, unlock 1Password X and get that WiFi password or whatever item you need. If you haven't checked it out lately, I'd highly recommend taking a peek at this recent blog post: https://blog.agilebits.com/2018/03/13/1password-x-better-sma...

&drew


I just use KeePass and store the database with a cloud provider so I can access it from all of my devices. There are clients for all platforms, including mobile ones. Seems to work pretty well for me. Probably a bit more setup than 1Password, but I like having more control over it. You could even put a key file on a flash drive for a bit of physical security.

I'm sure 1Password takes security very seriously, but it seems like a big potential attack vector so I prefer a bit less obvious way to store my passwords.




Mac and iOS developer at AgileBits here.

We don't use Electron for our app. 1Password for Mac is a vast majority Objective-C, with a smaller percentage of Swift, and a few web based views (for certain 1Password.com features) which load in a WKWebView.

The rest of the Apple team at AgileBits is very happy writing native code.

Kyle

AgileBits


Huh? Source that they're migrating to Electron?


Uh, it's not? Please don't spread misinformation.

