Sunday, December 22

    I have a confession to make. Before this review, I was somebody who was reusing passwords and stored them inside my head, occasionally resetting the passwords when I forgot them.

    Everywhere you go on the internet needs an account to access specific website features. An account that can use a username or email as identification followed by a password to gain access to that account.

    As we expand our website browsing habits, we need to begin to remember more logins and with that more passwords. Almost all of us will have a username that we like to use everywhere and if it’s unique enough, we can typically get the username we like. Then, to keep things simple, we use the same password or a familiar one.

    That doesn’t sound so bad, does it? In fact, it could be catastrophic.

    On many websites, that username we use is public information. It’s typically shown to everybody and if the website allows you to log in using a username instead of an email, now all a hacker needs to do is guess your password.

    Guess the password for one website and suddenly they’ve got your username, email, and password for all websites because we want things to be simple and rememberable so we keep it all the same.

    You wouldn’t know somebody had access to your account until they begin doing something malicious. Imagine someone gaining access to your social media account and posting political statements that you don’t stand for. They got that access because you used the same login credentials on a phishing website.

    A phishing website is a website where a hacker sets up a website to look like what you expect it to look like. Let’s use the bank as an example. When we go log into our bank, we know what the website looks like and what the login process is like. We can see that we are on www.usbank.com and it all looks okay.

    Well, what if a hacker were to purchase www.uabank.com. At a quick glance it looks really similar to the correct website, but the ‘s’ has swapped to an ‘a’. Maybe you fat fingered the keyboard and accidentally hit ‘a’ instead of ‘s’. Or worse, your memory flipped a bit when processing the correct www.usbank.com website.

    Regardless, you’ve now ended up at a phishing website that is designed and built like the real thing. You login like normal and in a matter of seconds, you’ve transmitted the username and password you use for every website directly to a hacker.

    That was me and I have a strong feeling that is most of you, using the same thing everywhere we go. There’s no reason that we should be doing this and it’s time to stop.

    Password managers have recently picked up in popularity. Their ease of access while protecting your passwords and giving you access to your password anywhere at anytime is quite a good selling point.

    Until this review, I was never a fan of web-based password managers. What would happen if the company were to go under, or if they were hacked, or if they held my passwords to ransom? After extensive research, those questions were answered as they will be revealed to you later on.

    So many password managers to choose from, but there are two that have become the kings in the market. LastPass and 1Password have been two of the big players in this market as they battle one another for market share. Other big players include Dashlane, RoboForm and Keeper.

    Included in my recent eero Plus review was a full subscription to 1Password, so I decided to check them out as my personal password manager.

    Web-based, but desktop and mobile application friendly, 1Password really helped calm my nerves about cloud password managers and now offers me ultimate security for all of my accounts. The question is, can I convince you to swap over and stop poor password use as well?

    Welcome to my review on 1Password.

    Note: Due to privacy concerns, some objects have been blurred or removed from the picture and may not be an accurate view of 1Password.

    Getting Started

    Now, before anybody thinks I sound biased toward 1Password as it’s my first personal cloud-based password manager, I have used LastPass and KeePass 2 before. LastPass is my work password manager with KeePass being the predecessor to my 1Password switch.

    The very first problem I had with password managers is that they aren’t free. Well, some offer free versions of their paid service, but they are strictly limited.

    They’re hosting your passwords on their servers and that, unfortunately, comes at a small cost. Fortunately for the consumer, the costs of cloud password managers are ridiculously low and are a month by month cost.

    My 1Password membership is included in my monthly payments to eero for their eero Plus service, though for you, you can purchase 1Password directly through their website for as little as $2.99 per month.

    Provided to me was the 1Password Families account which allows me to share my subscription with five other family members who have ‘private’, yet ‘all access’ to 1Password. Sharing your subscription does not mean sharing passwords.

    This family account comes with just a few extra perks. Priced at $4.99 per month, I can add those family members, share passwords with people, adjust permissions for family members and restore accounts that get locked out.

    A more personal one-person solution is with 1Password’s single user license for $2.99 per month. You get all of the features you’d expect with the exceptions of the ones listed for families.

    For business, 1Password also offers a Team account that allows you to share with coworkers and have a group folder. Think of it as the family account with different pricing and a slightly different look and feel.

    Regardless of what you choose, a 30-day free trial is given to you after which you are charged to a credit card. Signing up is as easy as they could possibly make it.

    Your email is your first line of defense. This is how you receive notifications and updates. It’s also how you’ll log into 1Password. Next, 1Password will create a special Secret key. This is an incredibly long code, like a CD key code, that is unique to you and must be used to gain access to your account. With your username and secret key set, you can then set your own secure master password. I don’t think I need to mention that the master password you choose needs to be unique and must never be used or have been used on any other website. Sorry, but P@ssw0rd isn’t going to cut it here.

    When you are asked to sign in on the web, on your desktop, on your laptop, or on your phone you will be asked to provide those three forms of identification. Username, secret key, and master password. It sounds like a lot of work, but 1Password helps you with it.

    Let’s use a phone for example. 1Password offers iOS and Android applications for free. You download the application and it will ask for your email followed by the secret key. Since the secret key can be 25 characters long, typing that in is somewhat of a pain. So, you can scan a QR code that will instantly enter that secret key for you. Follow that with your master password and you’ve logged in in a matter of seconds.

    1Password doesn’t store or remember your secret key, which means you need to keep it in a secure place. It’s always stored in your account, but if you need it to get into your account what do you do? They can’t recover this secret key for you.

    Instead, 1Password prompts you to download an emergency kit for your account. They don’t want you to write down your secret key and this emergency kit contains that key. Put this kit somewhere safe, like a flash drive, and encrypt that drive with a password if possible. You’ll need this emergency kit to get back into the account if you get locked out.

    For all the typing of getting started, it should only take you a few minutes to get everything up and running. Then, once logged in you stay logged in and only the master password is needed to log back in. The secret key is used more as a code for new devices.

    Let’s say you’ve gotten started with 1Password and been using it for a couple of months and been paying for it. Something comes up, you aren’t fond of it anymore, or another reason makes you want to switch. What happens to your account?

    If a payment is halted or you cancel your subscription, 1Passwords puts a freeze on your account. You won’t be able to add or edit passwords, but you can still view as well as export them! They don’t want to see you go, but they won’t hold your passwords hostage for money. That is comforting for me to see and answers one of the questions from earlier.

    Do take note that exported passwords are in plain text. They are not encrypted and they are not hidden. Meaning anyone with access to the exported file can easily see your passwords.

    Making the Switch

    As I mentioned earlier, I was previously using KeePass, an open-source and free desktop password manager. What was nice about KeePass was everything was local and free. At the same time, it was also an annoyance.

    While I could create complex and custom passwords for websites, if I was away from the computer I would have had no idea what the passwords were. So, a cloud password manager fixes that.

    With everything stored inside KeePass, I wanted to get all of those accounts and passwords into 1Password. 1Password doesn’t have an official tool to import from other password managers, but a 1Password forum member, MrC, created an, albeit complex, tool to do so.

    The instructions from 1Password are a bit lacking, but with enough understanding of a little bit of coding knowledge and being able to read the in-depth and well outlined included PDF by MrC, it’s totally doable.

    A little bit of troubleshooting was needed to get going, but once I had figured it all out in 30 minutes I had successfully exported my KeePass database right into 1Password.
    It’s not just with KeePass either. You can do the same with LastPass, Dashlane, SpashID, RoboForm, and some others.

    1Password’s Security Features

    I don’t often do this, but I am going to be taking a page from the 1Password website for this section. I’m doing this because it helped me understand how all of this security and password stuff works.

    Your passwords are important, duh. So, everything needs to be encrypted. One reason I liked KeePass was that everything in the database, the usernames, passwords, notes, dates, etc. were all encrypted.

    The same encryption is used with 1Password. Everything in your account is entirely encrypted using AES-256 which is the US Government standard and is practically impossible to be cracked by a computer. Not even 1Password can get past the encryption on your account.

    Remember the triple login credentials from earlier? It’s interesting to understand how it all works behind the scenes. The master password that you create is only known to you and is how you unlock that encryption. Not even 1Password knows your master password.

    They don’t need to know your master password because when you type that password in, they take those characters and run it through a mathematical string. If that mathematical string matches the string that they have on file, it lets you in. YouTuber Tom Scott has an excellent video on how password storing works.

    Recalling the secret key from earlier, this is what allows a client or device to authenticate with 1Password. It’s sent instead of your master password and acts as a more secure password that you don’t have to remember or worry about.

    Interestingly, 1Password touts that they run on Amazon WebServices or AWS. At first, I thought it was interesting that they said that, but it makes sense. 99.99% uptime for their servers and it’s so secure that the US Government now uses AWS with AWS GOV.

    Another feature is that 1Password adopted the new WebCrypto standard. It’s an advanced random number/character generator that helps make your system and passwords completely random. Good luck to the hacker who can guess NJM%f-rGcF@wuheKjkPfeG!8kKv#a22 for a password.

    As the apps need to contact the cloud to upload or receive passwords for your account, 1Password will only transmit once it can detect a TLS/SSL encrypted connection. No man-in-the-middle attacks here.

    There are a few more security features that come with 1Password, but what I love about their website is how open they are about these things. LastPass briefly covers that they encrypt your data and little else. 1Password even went out of their way—others have done the same—to create a White Paper document fully outlining the backbone security of their tools.

    Don’t worry, 1Password is only sharing general public details. It doesn’t give a hacker anything close to enough information on how to hack into 1Password.

    Strangely, 1Password lacks a 2-authentication method for logging in. Perhaps with your secret key 1Password considers this to be your second method of authentication and while I think its more than enough, I know others would want to also include a third-party authenticator like Google’s Authenticator.

    What it’s like to use

    You can technically use 1Password from anywhere because it runs in any web browser, but I like to keep things local. To begin using 1Password I installed their Windows desktop application, Chrome Web Browser Extension, and Android application. (They are Mac and iOS friendly too!)

    First, the desktop app is visually appealing and fluid when moving through logins and menus. Everything on the desktop application is clearly outlined and well organized. Nothing seems overly complicated and is quite straightforward.

    Since everything is always synced to the cloud, the Chrome extension knows everything that the desktop app knows. When installed, you tap the icon and the website you are currently on shows as a related login. This eliminated the need to use the search box to find the website.

    Likewise, you can add, generate, organize, and do all of the normal functions you can do with the desktop app right in Chrome. 1Password does not use Autofill, for a good reason, so to fill in fields, you can right-click and select 1Password from the Chrome shortcut menu. Then, click on what you need.

    The mobile application is even easier to use. You can log into 1Password’s mobile application using the phone’s fingerprint reader, something I wish the desktop application supported. Once inside the app, you get to view the categories that are preconfigured. Tapping into the categories reveals their contents which you can tap on for the related fields.

    Universally, the 1Password tools all look, feel, and function the same. It’s more than just a password manager as well.

    When inside 1Password, you can add logins, secure notes, credit cards, identities, passwords, documents, bank accounts, databases, driver license, email accounts, memberships, outdoor licenses, passports, reward programs, servers, social security number, software licenses, and logins for a wireless router.

    Each “item” is just a list of generic labels and fields. For example, selecting credit card will ask you for the credit card number, type, expiration date, type, name, etc. Then, when you check out at a website, you can press the credit card for it to automatically fill in all of the fields.

    In total, I have 86 items in my 1Password vault and it includes everything from local NAS logins to my credit card.

    I’ve been using 1Password for the past three months and I can’t believe I functioned without it in the past. It’s incredibly easy to use, super secure and gives me the peace of mind that my passwords aren’t all the same.

    It doesn’t bother me as much if a website I have an account on gets breached because if it does, they have a 25-character password that was only used once for that one website. That password will never be used again.

    One thing I really like about 1Password is that they won’t pester or annoy you if you do happen to use the same password twice. Both LastPass and Dashlane will show you big red warnings if you, Heaven forbid, use the same password twice! It’s just annoying.

    1Password lets you be you and doesn’t prompt you to change anything. It just offers the tools to make things more secure if you so desire.

    What it does do is have a database of vulnerable websites. If a website has had a recent data breach, it will inform you and ask you to change your potentially hacked password.

    My Final Thoughts

    It’s extremely rare when I type a review that is this lengthy and this in-depth, but, in case you couldn’t tell, I am passionate about my 1Password and have found it to be one of my favorite tools to use. It’s simple, straightforward, and just built fabulously.

    The little things that 1Password does, like having a daily updated blog about security news and 1Password itself is what won me over. They truly care about the customer and make sure they are transparent with you.

    Based in Canada, I find that 1Password well outperforms their Hungarian counterparts in every way and would easily recommend them over the competition. Three months in and I have yet to find a single fault.

    Priced at a very reasonable $2.99 per month with the ability to leave and export all password and document at any time, it seems like a no-brainer to me.

    © 2018 Justin Vendette

    Comments are closed.