Review: 1Password 4 for Mac makes managing all your passwords easy and secure

Posted:
in Mac Software edited May 2015
Passwords stink. Password policies vary widely from the many sites you choose or have to use, and satisfying them all is hard, and hard to keep up with. That's why 1Password is an invaluable application, and the new 1Password 4 qualifies as a worthy update.

Whether it's a password policy that says you need 8 to 14 characters with a capital letter and a number, but no symbols, or a policy that changes it every 20 days, or a policy that requires 10 letters, 2 numerals, a soundtrack and a plot, managing passwords can be ridiculous.

But there's a reason we need to get better at passwords: We are human. We are weak. We use the same username, email address, and password repeatedly. The most commonly used password is, well, "password."

In addition, major companies like Adobe and Sony have been hacked and user passwords have been stolen. From these breaches, take away some good practices:
  • Never use the same password in two places.
  • Never save your credit card, address or other personal information if possible.

This is where 1Password comes in. 1Password is a Mac, iOS, Windows, and Android application. It's a password locker, a generator and, new in version 4, an auditor.

At its simplest, 1Password offers to store passwords as they are entered into websites. It will then allow you to autofill them on subsequent login attempts using Cmd-\ as a keyboard shortcut. It uses either a browser plug-in or a menu bar application, 1Password Mini, to autofill the username and password. It will recognize the username and password needed for the page, but also allows searching of all saved passwords.

But 1Password is a little better than just a password locker. It generates passwords that comply with the various absurd requirements, fills in the fields as you're creating web page accounts, and saves them for you all in a few short steps.

It also saves credit card information, logins (similar to passwords), identities containing address information for easy autofill, secure notes, and other categories (bank accounts, social security numbers, reward program numbers, licenses, and more).

And new in version 4 is the ability to create 'vaults' so users can store account logins and passwords in contexts, such as a "work" vault, a "parents" vault, and so on.

How can this be secure?

Users are required to essentially trust their digital life to this application and its data file. How can it be trusted? Because AgileBits, makers of 1Password, are using good encryption.

AgileBits uses AES-256 authenticated encryption and PBKDF2 calibration. AES-256 uses long keys that are difficult to attack and tough to derive. PBKDF2 is used to slow down attempts to crack the master password that secures the 1Password data.

That's glossing over the math, but it is safe to say that AES-256 is quite difficult to attack. Additionally, securing the metadata (the information around the login) is important. Item titles and URLs are now always encrypted.
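
To make the PBKDF2 step concrete, here is an added Python sketch (not AgileBits' code and not taken from the review) of calibrating an iteration count and of why every master-password guess pays the full derivation cost. The hash choice, salt size, `MIN_ITERATIONS` floor and the `vault-header` label are assumptions of the example.

```python
import hashlib
import hmac
import os
import time

MIN_ITERATIONS = 10_000  # assumed floor for this example, not a 1Password setting


def calibrate_iterations(target_seconds=0.25, probe=20_000):
    """Time a probe run, then scale the count so one derivation costs ~target_seconds."""
    start = time.perf_counter()
    hashlib.pbkdf2_hmac("sha512", b"probe-password", b"probe-salt-16-by", probe)
    elapsed = max(time.perf_counter() - start, 1e-9)
    return max(MIN_ITERATIONS, int(probe * target_seconds / elapsed))


def derive_keys(master_password, salt, iterations):
    """Stretch the master password into a 32-byte encryption key and a 32-byte MAC key.

    SHA-512 emits 64 bytes per PBKDF2 block, so both keys come from a single pass.
    """
    material = hashlib.pbkdf2_hmac(
        "sha512", master_password.encode("utf-8"), salt, iterations, dklen=64
    )
    return material[:32], material[32:]


def make_record(master_password, iterations):
    """Build what sits beside the encrypted data: salt, cost and a MAC over a header."""
    salt = os.urandom(16)
    _, mac_key = derive_keys(master_password, salt, iterations)
    tag = hmac.new(mac_key, b"vault-header", hashlib.sha256).digest()
    return {"salt": salt, "iterations": iterations, "tag": tag}


def check_password(candidate, record):
    """Any guess, right or wrong, pays the full PBKDF2 cost before the MAC check."""
    _, mac_key = derive_keys(candidate, record["salt"], record["iterations"])
    tag = hmac.new(mac_key, b"vault-header", hashlib.sha256).digest()
    return hmac.compare_digest(tag, record["tag"])


def years_to_exhaust(guess_space, seconds_per_guess, workers=1):
    """Estimate how long trying every candidate takes at a given per-guess cost."""
    return guess_space * seconds_per_guess / workers / (365 * 24 * 3600)
```

Raising the iteration count scales the legitimate unlock time and the per-guess cost by the same factor, so it slows guessing but does not rescue a short or common master password.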

How does 1Password assist in correcting a user's bad habits?

1Password does two things:
  • Password generation. You can use the application, browser plug-in, or menu bar mini-app to create and auto-fill a strong password that complies with the requirements of the site (mixed case, numerals, hyphens, and password length). It's appreciated that they've also made "pronounceable" an option, which occasionally helps with remembering passwords.

  • For password generation, it does NOT create long passwords made of multiple words. These are desirable, because they're also human memorable.
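
The two generation styles discussed above, as an added Python example (not 1Password's generator and not from the review): a random password that satisfies a site's character rules, and a diceware-style passphrase, with the bit-strength arithmetic for each. The 16-word list is a constructed stand-in; real diceware lists have 7776 words. The function names and defaults are assumptions.

```python
import math
import secrets
import string

# Constructed 16-word sample list; a real diceware list has 7776 entries.
SAMPLE_WORDS = [
    "anchor", "bison", "cedar", "dune", "ember", "fjord", "grove", "harbor",
    "iris", "juniper", "kettle", "lagoon", "meadow", "nectar", "orchid", "pebble",
]


def generate_password(length=14, digits=2, symbols=0, symbol_set="-_!@#"):
    """Random password with exact digit and symbol counts and mixed-case letters."""
    if digits + symbols + 2 > length:
        raise ValueError("policy needs more characters than the length allows")
    chars = [secrets.choice(string.digits) for _ in range(digits)]
    chars += [secrets.choice(symbol_set) for _ in range(symbols)]
    # Guarantee one upper-case and one lower-case letter, then fill with letters.
    chars += [secrets.choice(string.ascii_uppercase), secrets.choice(string.ascii_lowercase)]
    chars += [secrets.choice(string.ascii_letters) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)  # do not leave the classes in a fixed order
    return "".join(chars)


def generate_passphrase(words=6, wordlist=SAMPLE_WORDS, sep=" "):
    """Pick words uniformly at random with a CSPRNG, as dice rolls would."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def passphrase_bits(words, list_size):
    """Entropy of a passphrase whose words are drawn uniformly from list_size words."""
    return words * math.log2(list_size)


def uniform_bits(length, alphabet_size):
    """Upper bound for a random string; composition rules shave a little off this."""
    return length * math.log2(alphabet_size)
```

With a full 7776-word list, six words give about 77.5 bits, while 14 random letters and digits give at most about 83.4 bits.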

To help manage existing passwords better, the 1Password window has a series of filters that display accounts consisting of weak passwords, duplicate passwords, and date ranges on passwords for those between 6 and 12 months old, 1 and 3 years old, and more than 3 years old.

Admittedly, we had to spend some time and go through resetting passwords to clean up the bulk of old, duplicate weak passwords. But 1Password does a good job of making users aware of their bad habits.
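
The filters described above map onto a small audit routine. This added Python example (not 1Password's implementation) flags weak and duplicate passwords and sorts items into the review's age ranges; the sample items are constructed, and the definition of "weak" is an assumption since the review does not say how 1Password scores it.

```python
from collections import defaultdict
from datetime import date

# Constructed sample items: (title, password, date the password was last changed).
SAMPLE_ITEMS = [
    ("forum", "password", date(2010, 3, 1)),
    ("shop", "password", date(2012, 11, 20)),
    ("bank", "T7q-vRk2-mXw9-Lp4c", date(2013, 6, 15)),
    ("mail", "summer12", date(2013, 1, 5)),
]


def is_weak(password, min_length=12):
    """Assumed heuristic: too short, or fewer than three character classes."""
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ]
    return len(password) < min_length or sum(classes) < 3


def age_bucket(changed, today):
    """Return the age range the item falls into, or None if under six months."""
    days = (today - changed).days
    if days > 3 * 365:
        return "more than 3 years"
    if days > 365:
        return "1 to 3 years"
    if days > 182:
        return "6 to 12 months"
    return None


def audit(items, today):
    """Run over decrypted items in memory and report titles only, never passwords."""
    by_password = defaultdict(list)
    report = {"weak": [], "duplicate": [], "aging": {}}
    for title, password, changed in items:
        by_password[password].append(title)
        if is_weak(password):
            report["weak"].append(title)
        bucket = age_bucket(changed, today)
        if bucket:
            report["aging"][title] = bucket
    shared = [titles for titles in by_password.values() if len(titles) > 1]
    report["duplicate"] = sorted(t for titles in shared for t in titles)
    return report
```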

1Password syncs the encrypted password store, and can sync it to the cloud. All versions of 1Password v4 for Mac sync to Dropbox. The Mac App Store version syncs to iCloud as well. However, the Mac App Store does not allow upgrade pricing from earlier versions, so users should decide whether they need iCloud syncing, and whether they prefer purchasing from the Mac App Store or directly from Agilebits.com.

A Word on Mavericks

OS X 10.9 Mavericks includes a new feature called iCloud Keychain, where Safari will suggest a password and track it, syncing to iOS. However, its password generation and organization are much more simplified, taking away options 1Password provides, and notably only working on Apple iOS 7 and Mavericks.

In short, Apple's solution is good, and encourages Apple users to use good passwords almost by default, but 1Password is much more flexible: data isn't tied to iCloud, isn't tied to Apple products only, and doesn't have to be synchronized over Wi-Fi. 1Password will also allow synchronization over USB, which means users can still have passwords on iOS without having to store them on Dropbox or iCloud.

Score: 4 out of 5

Pros

  • Strong password generation
  • Synchronization of encrypted password file
  • Easy password form filling to login

Cons

  • Doesn't create any diceware-style passwords.
  • Due to the awkward way some websites create a password on a separate page as the username, 1Password will occasionally only save the password and not username to its locker.

Pricing

$39.99 from Agilebits.com and the Mac App Store for a limited time.

Comments

  • Reply 1 of 38
    akqiesakqies Posts: 768member
    I don't see diceware as being a good option, especially when considering that 1Password has an option to generate pronounceable passcodes with far more variety than what diceware offers per word.

    Now that 1Password has an option to run in the Menu Bar I was hoping it would be intelligent enough to add authentication credentials to common apps but I haven't yet gotten that to work. I hope it's just a bug.
  • Reply 2 of 38
    maestro64maestro64 Posts: 5,043member
    I have been using this application and the iOS app for years, the Mac app since version 1, and it is the best app I have seen. I used others prior to this one and it just works seamlessly. They have done a few dumb things over time but they seem to correct them. The only issue I have with the more recent release, which I have not upgraded to, was the fact that it syncs passwords via iCloud now; in my mind that defeats the purpose. I want to direct sync my devices, not have to do it via iCloud; I'm not interested in having a file on Apple's servers with all my passwords on it.

    The program has allowed me to have a different password for every website I use, so if one gave a security issue I do not have to worry about my other websites.
  • Reply 3 of 38
    dugbugdugbug Posts: 283member

    I have used it for years and do complain to them about the fact that when a website changes its login mechanism (or as you mention in your CONS the create account page just differs enough from the actual login screen) 1password just gets confused and the login entry is largely worthless other than copying your complex password to the clipboard and pasting it into safari.

     

    The only way to repair this seems to be to delete and recreate the login for said site.  I do wish they would spend some good love on repairing broken logins.

     

    Otherwise syncing with version 4 and the iphone version over icloud, which was one of the major features in this release, is flawless.  They did a bang-up job.  Prior to version 4 only the iphone/ipad version used icloud and we were left with dropbox only (they abandoned wifi sync at the time, though it has made a comeback).

     

    I am not sure if I will move to icloud keychain or not, but it won't be due to the mac application.  What would drive me away would be how well icloud keychain works on iOS devices.  My 5S and fingerprint purchases go a long way to alleviate my frustrations but typically it goes like this:

    1. I want to purchase something in the app store (or say a login for ebay or whatever)

    2. Fire up 1password

    3. Unlock 1password

    4. Locate my password and copy it to the clipboard

    5. Dclick home button and navigate back to app store

    6. purchase, pasting password in popup.

     

    The fingerprint sensor alleviates straight-up itunes and appstore purchases but not in-app purchases and well still a lot of password queries by iOS.  Since my passwords are insane random jobs, 1Password on the phone is still important.

     

    If icloud keychain can help me with that flow, I may move over.

  • Reply 4 of 38

    Or just wait for Mavericks.

  • Reply 5 of 38
    iaeeniaeen Posts: 588member
    maestro64 wrote: »
    I have been using this application and the iOS app for years, the Mac app since version 1, and it is the best app I have seen. I used others prior to this one and it just works seamlessly. They have done a few dumb things over time but they seem to correct them. The only issue I have with the more recent release, which I have not upgraded to, was the fact that it syncs passwords via iCloud now; in my mind that defeats the purpose. I want to direct sync my devices, not have to do it via iCloud; I'm not interested in having a file on Apple's servers with all my passwords on it.

    The program has allowed me to have a different password for every website I use, so if one gave a security issue I do not have to worry about my other websites.

    If you don't want iCloud or Dropbox sync then you can turn it off.

    On the other hand, as long as you are using a strong password to lock 1password there is no way anyone will be able to access your data, so you don't really need to worry about it being stored in the cloud.
  • Reply 6 of 38
    akqiesakqies Posts: 768member
    Or just wait for Mavericks.

    Those that would use 1Password aren't likely to use or like Apple's iCloud Keychain. Apple's solution is for people that would otherwise just use the same password for everything.
  • Reply 7 of 38
    crap, bought this like 2 weeks ago for almost 70$
  • Reply 8 of 38
    chabigchabig Posts: 641member
    Quote:

    Originally Posted by AppleInsider View Post

     

    • For password generation, it does NOT create long passwords made of multiple words. These are desirable, because they're also human memorable.

    • Doesn't create any diceware-style passwords.


    The point of a tool like 1Password is that there is no reason to create memorable passwords. The tool does the work and all the user has to remember is the master password. For that, the diceware method is exactly what Agile recommends. 

  • Reply 9 of 38
    vmarksvmarks Posts: 762editor
    Quote:

    Originally Posted by alienzed View Post



    crap, bought this like 2 weeks ago for almost 70$

    Did you buy the Mac and Windows bundle license? That costs $70ish.

    The single user license for Mac is $39.99. The family license (more machines) or the Mac+Windows bundle costs more. 

     

    https://agilebits.com/store

  • Reply 10 of 38
    I'm webmaster for a site that uses registration/login honeypots (hidden form fields) to detect spambots. Occasionally one of our users complains that they're being blocked from logging in, and without exception, we have found it's because they have 1Password installed and 1Password is filling in one of the honeypot fields with information (typically a second copy of their password). Usually, their resetting 1Password fixes the problem, but it's something users should be aware of if they find themselves getting blocked.
  • Reply 11 of 38
    Originally Posted by akqies View Post

    Those that would use 1Password aren't likely to use or like Apple's iCloud Keychain. Apple's solution is for people that would otherwise just use the same password for everything.

     

    Not really. I use different passwords for everything; not having to remember them, even once, to put them on every device is the tops.

  • Reply 12 of 38
    dugbugdugbug Posts: 283member
    Quote:

    Originally Posted by akqies View Post





    Those that would use 1Password aren't likely to use or like Apple's iCloud Keychain. Apple's solution is for people that would otherwise just use the same password for everything.

     

    I did not get that impression.  iCloud keychain and the mac os password generator / suggester seem to go hand in hand and offer unique logins for any site/service.  It also offers to remember credit cards.  

  • Reply 13 of 38
    iaeeniaeen Posts: 588member
    alienzed wrote: »
    crap, bought this like 2 weeks ago for almost 70$

    If you bought it directly from agilebits (not the App Store) you should get the upgrade for free.

    I bought version 3 several months ago, and at the time they were advertising free upgrade to 4.
  • Reply 14 of 38
    Nice update. Completely redundant when people upgrade to 10.9

    edit: pipped by TS
  • Reply 15 of 38

    I've used this app for a few years on my iMac, iPhone and iPad. 

     

    I kept seeing it at the top of the list of every article titled, e.g., "Top 10 Must Have Apps!"

     

    I have been quite pleased with its integration and relative ease of use once set up. 

     

    I have deliberately used all Apple's apps/SW as opposed to third party options. So when Mavericks Keychain comes out I will read the reviews and make my decision whether or not to upgrade 1Password.

  • Reply 16 of 38
    maestro64maestro64 Posts: 5,043member
    Quote:

    Originally Posted by iaeen View Post





    If you don't want iCloud or Dropbox sync then you can turn it off.



    On the other hand, as long as you are using a strong password to lock 1password there is no way anyone will be able to access your data, so you don't really need to worry about it being stored in the cloud.

     

    They also do not allow WiFi sync since they introduced the iCloud sync; if you are using the latest version you have to sync through those services.

     

    I do have a long and random master password, however, it can easily be cracked once someone has the file. When the article said it is not easy, they mean someone could not do a brute force attack and gain access, but if someone can get their hands on the actual file it makes cracking easier since you can use a computer to analyze the encryption to crack it.

     

    Just like I do not put my tax returns online anywhere, or my Quicken files, why store all your passwords online? 



    Yeah, a thief can break into my house and steal my computer, but most thieves lack the skill and knowledge to crack an encrypted file, but internet hackers do have the skills, so where do you want to put your risk.

  • Reply 17 of 38

    As a user of 1Password since August 2009, I love it. I manage 601 logins with it.

  • Reply 18 of 38
    MacProMacPro Posts: 19,727member
    Or just wait for Mavericks.

    You beat me to it. Apple already solved this issue folks with 10.9 and way better I would suspect.
  • Reply 19 of 38

    I like how this review doesn't mention that after you spend your $40 on 1Password for your Mac and got it all set up and ready for transferring to your iPod Touch, iPad or iPhone you realize you need a separate app for iDevices.  An iDevice app that costs $17.99. That's a total of $589 to have secure passwords across your devices.  Yes, it's a small fee compared to if your bank account was hacked but Apple's solution is FREE and does almost everything this one does.

  • Reply 20 of 38
    akqiesakqies Posts: 768member
    dugbug wrote: »
    I did not get that impression.  iCloud keychain and the mac os password generator / suggester seem to go hand in hand and offer unique logins for any site/service.  It also offers to remember credit cards.  

    And where is the interface for it? Where can I see the strength of my passwords? Where can my secret questions and answers as a list or screenshot? Where I can see other info like CC data with all the various fields? Where I can even delete old CC data from the DB? Where I see other secure information, including files, that I keep in 1Password? How can I access it from a device I don't own?

    Look, I've been using iOS 7 and Mavericks since the betas first appeared. I love these OSes and have clearly iCloud Keychain is a great feature, but it's not a replacement for what 1Password offers, which is why I bought 1Password 4 for both iOS and Mac OS X as soon as they were available.