Favorites – 1Password

The folks at 1Password highlighted their Family feature today. If you haven’t tried it out yet, go have a look!

I’ve been a 1Password user for years now and it’s one of those apps that gets installed almost immediately on any new device, be it a personal one or one at the office. Kinda logical since it contains every password, license key or SSH key I’ve ever generated, so without those I can’t really work. But also because it’s just an awesome set of apps.

When creating accounts online there are a few best practices that everyone knows and no one follows:

  1. A password should be complex. The longer the better, and preferably mixed case.
  2. A password should be unique. Having the same password on multiple sites means if someone discovers one, they can open all your online doors.
  3. A password should be stored somewhere safe and never be written down where someone can find it.

(And yes, this list is not complete and way too basic.)

Remembering all those passwords is next to impossible. Storing them on your desktop in password.txt or in the Notes app is a terrible idea. And using variations of the same password is like wearing a fake moustache and hoping no one recognizes you.

Password manager

1Password is a password manager: it takes away most of the issues mentioned in the previous paragraph.

  1. It allows you to store passwords for all your online services in one secure place.
  2. It can generate complex passwords for every website you visit.
  3. It can alert you when you’ve used the same password on a different site already.

Since it saves them all in a vault, you can allow yourself to forget all those passwords once you’ve set up your web accounts. You just need to remember the one password that unlocks the application (pun intended). You open the app, unlock it with your password/fingerprint/face, and you can copy your login information into the login field of the website you want to open. And thanks to some nice integrations, more often than not 1Password does that for you automagically.

Is it secure? You betcha. Although most of their blog articles go way over my head, they manage to explain the basic gist of their security in layman’s terms. And as the saying goes: if you can explain something complex with basic words, it proves you really understand the matter. Anyone can throw around technical terms. But explaining what they mean, that’s something different.

The service is available on iOS, macOS and on the web via their Family or Teams subscriptions and syncs your data across all your devices. (Or Android and Windows if you use those.)

My Setup

I currently have two subscriptions running: a Family account and a Teams account.

The Family account contains four vaults: one for my wife, containing her personal passwords (and no, I can’t access it) and one for myself.
A third one is shared between the two of us. Perfect for sharing logins for Netflix, Amazon, banking stuff, utilities, …

The fourth one I use to store passwords for clients I work for: their WordPress accounts, Squarespace login, Twitter password + 2FA keys etc. They know I have those passwords, and saving them encrypted is the correct way to handle these. Beats a spreadsheet in Google Drive any day of the week.

The Teams account is for Switch.be, the company whose IT I currently manage.
Most back-office users have an account that stores a vault shared with their department, and a personal vault for their own work-related accounts.

Most internal services at Switch run on OneLogin, which allows people to use Single Sign On, alleviating the need for multiple accounts and passwords. But every department needs to work with external partners, portals and tools that are not integrated with our SSO solution, so using complex passwords and saving/sharing them with 1Password allows us to safely manage that part of our online activities. And thanks to some nice on- and offboarding tools, people get and lose access to their vaults with a few clicks. As an IT Manager I love it.

What’s stored in my account

I currently have around 1200 passwords spread across both accounts, with most also containing the 2-factor codes and recovery keys for those apps.

Yes, 1Password also generates multi-factor authentication codes: you can replace those irritating SMS codes and Google Authenticator logins with codes stored in the same app that saves your passwords.

Aside from passwords it also contains all my software license keys, scans of my passports and licenses, banking account numbers, a copy of the birth certificate of my son,… all safe and secure in the app.

1Password on the iPad.

Backing it up

1Password syncs across devices so if I lose my iPhone I can still find all my passwords on my iPad. If all devices are gone, they have a web interface. And if I lose all devices there’s a solution too!

When setting up 1Password the app creates a PDF for you that contains all the data you need to connect to your account. I have saved a copy of that PDF in my wife’s Personal 1Password vault (and vice versa). So in a worst-case scenario where I lose all devices, I can get access to my data again by using the PDF stored on my wife’s devices + my personal one password.

Optionally, 1Password on the Mac also allows you to create backups of your data at a regular interval. Once every few months or so I copy that backup file to iCloud Drive. iCloud is protected with 2FA, so I know it’s not easily accessible to external parties. The backup itself is encrypted. It’s a secure and safe way to make sure that the vaults are backed up. Is it necessary? No. But it only takes a few minutes.

What’s missing?

(If you don’t currently use 1Password this part can be skipped)

Every app has its shortcomings. In the case of 1Password that list is short.

  • I’d like to see Watchtower, their service that alerts you when a web service has been recently hacked, available on iOS.
  • Similarly, iOS currently doesn’t allow you to add icons to websites or import Keychain items.
  • Adding 2FA codes on iOS to vault items requires you to have access to two devices. One that loads the site and shows the QR code, and one that actually scans the code. Being able to use the sharing extension to add a 2FA code to a password entry would be nice.

Conclusion

1Password is one of those tools that you didn’t know you’d need until you start using it. And when you’re used to having it available, you can’t live without it.

Give it a try.