1Password 4 Detailed for Mac, Adds iCloud Syncing, Encrypted Messaging and Custom Fields

[alchemistmuffin]

This is a password app, not an office quite. There is much evidence to suggest that a lower price will bring in a much greater volume of customers.

But with lower price comes lower quality, because of the sacrifices that company will have to make, since they are paying the developer less money.
Some developer take incredible amount of work coding, and some, it's their only income left.

Sure, you can get higher sale, but the return shrinks as prices goes down, even if more people are buying the product, which means less money for the individual people coding the app.

1Password is not just a password app, but it is basically a suite. For example, the feature that allows ability to hold license and membership is available as separate app itself, called AppShelf.

 

[jdechko]

You can attach a photo of your driver's license if you wish. I keep it in 1Password because it's a copy and paste away instead of having to type it in. Do I use it that often? No, but, being able to quickly access it is pretty awesome when I do need it.

I completely forgot about this even though I use it regularly.

1Password does a lot more than just syncing passwords. I have secure (encrypted) entries for all of my bank accounts, debit/ credit cards, SSN's for me & my family, drivers licenses (I should add photos/ scans of them as well). A copy of your passport would be great too.

1Password supports secure notes for things like combination locks, file vault recovery keys and other, general non-login items. And having the identities there rocks! It's like AutoFill on steroids!

Another of my personal favorites is the Software keys. I just bought Hazel the other day, and rather than send you a serial number, they send you a license file that has to be activated. I created an entry in 1P and dragged the license file and receipt to the entry. I'll never have to look for an email if I need to reinstall it.

 

[beefish]

Too Buggy Version 4

Version 4 has been full of bugs. One look at the app store and you will know its not time to update to ver4.
this from the app store......

"What's New In Version 4.2.4 Posted Aug 19, 2013
IMPORTANT: There is a serious bug in version 4.2.4 that crashes 1Password
when syncing with Dropbox......
If possible, please skip this update and wait for version 4.2.5
We are sorry about this and well get it fixed ASAP!....."

That has been 7 days and it is still not fixed and in five days 1Password 3 will no longer sync with Dropbox. So, pay $18 for a buggy app and hope they fix it soon or wait without Dropbox syncing? Hmmmmmm?
Maybe look for an alternative?

 

[OldSchoolMacGuy]

Do you trust Apples iCloud to keep your passwords secure (1password by default stores everything locally)?
Would you rather use Dropbox to sync?

Part of the point of version 4 is that it stores it in iCloud.

Dropbox has a long history of security issues. If you want your data safe, that is one of the last places I'd store it.

 

[Philintheblank]

You could have done all that for $12. In fact you could have done it for free.

I could have. I could have also have bought a PC for half the price of my mac.

Quality costs. In my experience last pass was inferior to 1password for my particular needs. Hence the money spent for something I use multiple times a day was more than worthwhile.

 

[DavidLeblond]

Part of the point of version 4 is that it stores it in iCloud.

Dropbox has a long history of security issues. If you want your data safe, that is one of the last places I'd store it.

I use Dropbox sync because I also have to sync it with my Windows machine.

The file is encrypted. If someone breaks into your Dropbox, they can't just open your 1Password file and get all your passwords.

 

[manu chao]

I don't know what I would do without this piece of software.

You would very likely use Apple's Keychain like almost everybody, maybe coupled with iOS applications like Keychain2Go that sync to it. Unless you need the cross platform support.

 

[manu chao]

I also wonder what EU regulators will say here in Europe seeing as Windows wasn't allowed to come pre-bundled with a web browser. Isn't OSX's new functionality rather anti-competitive?

It all depends, if you have a 90+% market share, you can make it impossible for competitors that offer products for your platform to exit if you undertake what is essentially dumping. Apple bundling Safari would not have killed Netscape, Microsoft bundling IE did so.

And it also depends on whether one could claim that a certain feature is a core functionality of the OS. But that is naturally something which is hard to define.

 

[jonnysods]

You would very likely use Apple's Keychain like almost everybody, maybe coupled with iOS applications like Keychain2Go that sync to it. Unless you need the cross platform support.

Keychain is inferior in my opinion to 1Password. For now at least.

 

[manu chao]

As the 1Password encrypted store is stored locally on the computer/device that would mean that they would have to break into your computer in order to retrieve the file, and use a keystroke logger to find the password. Or attempt to crack the encryption without it.

Which is a little different to having a copy of your data on a server in the US stored by a US based company which may or may not have backdoors. Or transmitting it over the internet to the remote iCloud server where it can be intercepted.

Sure 1Password may be forced to create a backdoor as well, but even then its not like everyones data is stored on the companies servers.

The only difference is where the backdoor has to be created:

1. In case of data that sits unencrypted on somebody's server, the company just has to give the NSA access privileges to their servers, that is the easiest backdoor (ie, the door already exists, it's just a matter of handing over the keys).
2. If the data on the servers is encrypted but can be accessed via a website, whatever you type into a website field, ie, your password, is visible to whoever wrote the code for and runs the web server.
   (In the case of 1Password, the server application 'runs' essentially on whichever server the database is stored. Thus it is more like hosting your encrypted database somewhere for it to be downloaded (eg, from Dropbox) with the database including the necessary server side code. Therefore see the next point.)
3. If the encrypted data is stored on a third-party server, a backdoor has to be installed in the application, ie, 1Password to re-route the data but also to send the password to Agile Bits.
4. If the encrypted data is only stored locally, again a backdoor in the application can allow it to spill the beans to whomever it wants.

Sure, applications like Little Snitch could detect any phoning home but who would be suspicious if 1Password tried to contact an Agile Bits server? This might just be the app checking for updates. You can of course download all updates manually (or via the app store) and thus with Little Snitch probably prevent 1Password from phoning home. But then Little Snitch could have a backdoor. And once you consider the possibility that OS X itself has backdoors, nothing is ever save, you'd need to run Linux and hope that your Intel motherboard doesn't have a backdoor (you probably could run OS X inside a VM if you are very careful what information this VM sees).

----------

Keychain is inferior in my opinion to 1Password. For now at least.

Yes, it is but for the key functionality of filling in usernames and passwords on websites, Keychain is perfectly adequate. In fact, it works better in some respects as it doesn't need the kludge that browser extensions are. It is more secure because it makes it easier to create complex passwords and search for multiple uses of a password. But for the basic functionality of remembering things, Keychain delivers the goods.

(And once you have hundreds of entries in the OS Keychain, migrating to another password manager is a real pain. I actually bought 1Password assuming an import was possible, as a manual import was not necessary in some early versions of 1Password, and once I realised it, complained bitterly in 1Password's forums. Agile Bits actually offered to refund me but getting the money back was too low a priority for me and I never followed through.)

 

[AGKyle]

Just going to post this here, for those who may be interested

http://blog.agilebits.com/2013/08/27/1password-4-wifi-sync-beta/

----------

Version 4 has been full of bugs. One look at the app store and you will know its not time to update to ver4.
this from the app store......

"What's New In Version 4.2.4 Posted Aug 19, 2013
IMPORTANT: There is a serious bug in version 4.2.4 that crashes 1Password
when syncing with Dropbox......
If possible, please skip this update and wait for version 4.2.5
We are sorry about this and well get it fixed ASAP!....."

That has been 7 days and it is still not fixed and in five days 1Password 3 will no longer sync with Dropbox. So, pay $18 for a buggy app and hope they fix it soon or wait without Dropbox syncing? Hmmmmmm?
Maybe look for an alternative?

We've submitted 4.2.5 to the App Store, and we flipped the switch on it last night, however, Apple's servers are slow to update so it'll be available when all of Apple's servers catch up.

Note that we are human, mistakes happen, we got the bugs fixed as fast as we could and submitted to the app store as quickly as possible.

That said, we are very sorry for the inconvenience!

 

[jdechko]

Yes, it is but for the key functionality of filling in usernames and passwords on websites, Keychain is perfectly adequate. In fact, it works better in some respects as it doesn't need the kludge that browser extensions are. It is more secure because it makes it easier to create complex passwords and search for multiple uses of a password. But for the basic functionality of remembering things, Keychain delivers the goods.

I completely agree with everything here, except the part about it being more secure. I think it can be just as secure, but don't forget that the user password unlocks the keychain by default. Anyone with access to a logged-in machine can use the passwords, while 1P requires an extra step. And before you say anything, yes, I know that with physical access all bets are off. But for a trusted, shared machine, I'd rather have that extra step.

Keychain sync is a great first step, just like Time Machine is a great first step for backups and reading list is a great first step for time-shifting web reading. That Apple ships these by default, though, doesn't preclude someone coming in and making a better app with more features. The deep integration in Safari on Mac & iOS is something that can't be touched by any third party app, but there are plenty of things that Apple's apps don't include (2 big ones for me are cross-platform and Dropbox integration). We are fortunate enough to have choices.

 

[bobr1952]

I'd much rather just take the time to remember my passwords....

Wow--you must have an awesome memory. Most security advisors recommend (and I agree) unique passwords for every place that requires a password. Passwords should be complicated and at least 12 characters consisting of a combination of upper and lower case letters as well as numbers and symbols. I'm sorry, but my tiny brain could never handle that task so I'm thankful for 1Password.

 

[manu chao]

I completely agree with everything here, except the part about it being more secure. I think it can be just as secure, but don't forget that the user password unlocks the keychain by default. Anyone with access to a logged-in machine can use the passwords, while 1P requires an extra step. And before you say anything, yes, I know that with physical access all bets are off. But for a trusted, shared machine, I'd rather have that extra step.

Sorry, that was a grammatical lapse. What I wanted to say was that 1Password is more secure due to a couple of features like the ability to suggest passwords in the browser.

 

[manu chao]

Wow--you must have an awesome memory. Most security advisors recommend (and I agree) unique passwords for every place that requires a password. Passwords should be complicated and at least 12 characters consisting of a combination of upper and lower case letters as well as numbers and symbols. I'm sorry, but my tiny brain could never handle that task so I'm thankful for 1Password.

I fully agree but I fear the thought of somebody managing to get access to my password manager, however unlikely that is. A bit more generally, my AppleID is becoming a very valuable account to crack:
- OS keychain (via iCloud)
- ability to block and wipe my devices
And I have to enter the password for it quite often, anything to do with the iOS app store or the iTunes store, on touch screen devices in sometimes public spaces, showing even what I type in the password field. The frequency of needing to enter it and the fact that I often have to do it on a touchscreen limits the length and complexity (special characters).

I've gone so far as trying to mostly use a second AppleID for app and media purchases, that has no data beyond my AppleID account data attached to it, which I thus feel more comfortable to use with a short password.

 

[jdechko]

Sorry, that was a grammatical lapse. What I wanted to say was that 1Password is more secure due to a couple of features like the ability to suggest passwords in the browser.

True, but in Mavericks, Safari will also be able to suggest passwords. That's what I thought you were referring to.

Which brings the thought to mind that it may be possible, even a good idea maybe, to come up with a way to store your passwords in both 1P and Safari. If you could find a way to keep them in sync, it could be the best of both worlds.

 

[LizKat]

Slightly off topic here since I'm inquiring about an iOS version syncing issue with 1Password, not so much the laptop/desktop applicaiton itself: I originally wanted to sync my laptop and my iPhone / iPad 1Password data via Dropbox, but I was rather put off by the access request on iOS to be able to access ALL my Dropbox files instead of just the 1Password data.

Somewhere in a FAQ or whatever on agilebits' website it's explained that the "all files" request is currently necessary because of a file pointer issue that the developers hope can be resolved in the future. The pointer in question has to be in the root of the folder and cannot currently be put in the 1Password app's folder I guess, so the only way to get needed access on iOS is ask for all the files in Dropbox folder.

"One or everything" does seem inconvenient for Apple to make the developers work with when one folder is not enough. I guess I could encrypt most of the other stuff I keep in Dropbox, not that much anyway, I use it mostly to move captured items, newsclips or pdfs etc. off a laptop I don't back up, onto one that uses Time Machine. So I could just make a smallish encrypted disk image and move my stuff into and out of that on Dropbox. Still, I don't like the idea of granting full access to the Dropbox. I don't understand the implication of a non-Dropbox app being able to write to the root of the folder from the iOS environment, basically. Everything else only asks for access to its own stuff.

So meanwhile I don't really use the iOS version of 1Password much on my mobiles, since I don't fancy granting that broader access. I have stored a couple website logins for newspapers and such that I use all the time and then I just don't sync. But I have to remember to manually update the passwords on iPads and iPhone when I change them on the laptop. It's a drag. Is there any news on when the access request from the iOS version will only be for the 1Password folder instead of everything in the Dropbox?!

 

[Aluminum213]

So is it safe to update or is it still bugged to hell?

 

[lcseds]

A question about 1P. If it creates mind numbing passwords, I have to log in with a machine that has 1P? What if I borrow a computer or use a guest computer at a hotel? I'm not thinking of banking with anything other than mine, but a lot of places want a password anyway. It would be impossible to log in correct? Assuming I did not remember the password. Then if I want it on my ipad and iphone, I have to buy the iOS copies for those?

 

[padapada]

A question about 1P. If it creates mind numbing passwords, I have to log in with a machine that has 1P? What if I borrow a computer or use a guest computer at a hotel? I'm not thinking of banking with anything other than mine, but a lot of places want a password anyway. It would be impossible to log in correct? Assuming I did not remember the password. Then if I want it on my ipad and iphone, I have to buy the iOS copies for those?

You buy it once for your appleid on IOS, then you can use it on all your IOS devices. Only catch is that Agilebits can at some point create a new app instead of updating the existing one, like (as I understand it) did with version 4. A lot of existing users were not happy with that move.

 

[IGregory]

Only catch is that Agilebits can at some point create a new app instead of updating the existing one, like (as I understand it) did with version 4. A lot of existing users were not happy with that move.

There is no catch, if you don't want to pay for the new version don't upgrade to the new version. The old version will still work. These companies are running a business. They are entitled to make a profit doing it.

 

[jdechko]

A question about 1P. If it creates mind numbing passwords, I have to log in with a machine that has 1P? What if I borrow a computer or use a guest computer at a hotel? I'm not thinking of banking with anything other than mine, but a lot of places want a password anyway. It would be impossible to log in correct? Assuming I did not remember the password. Then if I want it on my ipad and iphone, I have to buy the iOS copies for those?

Depending on how much you trust the machine you are using, you can always copy the 1Password.agilekeychain file/ folder over to a USB drive. Inside the folder is a file named 1Password.html. If you double-click on it, the file will open a web page that has a password field. Type your master password and you have instant access to your 1P keychain.

If you use Dropbox for syncing, the same task can be accomplished from there as well.

You still have to have a level of trust on the machine you are using (no key loggers, viruses, etc), but if you don't trust the machine enough to do one of the above, you probably should rethink typing your password in the first place.

 

[AGKyle]

Slightly off topic here since I'm inquiring about an iOS version syncing issue with 1Password, not so much the laptop/desktop applicaiton itself: I originally wanted to sync my laptop and my iPhone / iPad 1Password data via Dropbox, but I was rather put off by the access request on iOS to be able to access ALL my Dropbox files instead of just the 1Password data.

Somewhere in a FAQ or whatever on agilebits' website it's explained that the "all files" request is currently necessary because of a file pointer issue that the developers hope can be resolved in the future. The pointer in question has to be in the root of the folder and cannot currently be put in the 1Password app's folder I guess, so the only way to get needed access on iOS is ask for all the files in Dropbox folder.

"One or everything" does seem inconvenient for Apple to make the developers work with when one folder is not enough. I guess I could encrypt most of the other stuff I keep in Dropbox, not that much anyway, I use it mostly to move captured items, newsclips or pdfs etc. off a laptop I don't back up, onto one that uses Time Machine. So I could just make a smallish encrypted disk image and move my stuff into and out of that on Dropbox. Still, I don't like the idea of granting full access to the Dropbox. I don't understand the implication of a non-Dropbox app being able to write to the root of the folder from the iOS environment, basically. Everything else only asks for access to its own stuff.

So meanwhile I don't really use the iOS version of 1Password much on my mobiles, since I don't fancy granting that broader access. I have stored a couple website logins for newspapers and such that I use all the time and then I just don't sync. But I have to remember to manually update the passwords on iPads and iPhone when I change them on the laptop. It's a drag. Is there any news on when the access request from the iOS version will only be for the 1Password folder instead of everything in the Dropbox?!

There's no real worry here. We only access the 1Password related data. But, we request access to all of Dropbox because for legacy reasons we allowed users to put their data almost anywhere in Dropbox. I suspect this will change down the road.

Sounds like you ended up talking to Jeff though, as he's our security expert, his advice would be best to follow if he provided any to your specific questions.

So is it safe to update or is it still bugged to hell?

We released 4.2.5 and any crashing related issues we are aware of were fixed.

A question about 1P. If it creates mind numbing passwords, I have to log in with a machine that has 1P? What if I borrow a computer or use a guest computer at a hotel? I'm not thinking of banking with anything other than mine, but a lot of places want a password anyway. It would be impossible to log in correct? Assuming I did not remember the password. Then if I want it on my ipad and iphone, I have to buy the iOS copies for those?

I suggest only logging into important sites on trusted computers. Personally, I'd never trust a borrowed computer or a public computer. I'm obviously a bit more on the paranoid side, but I go nowhere without my iOS devices. So, I use a VPN on those with 1Password to log into any site when I am on any untrusted network.

You can, as the user above me states, use 1PasswordAnywhere. But, again, this involves trusting the computer. Any computer I didn't setup is effectively a "untrusted" computer in my mind.

Buy once on iOS and you're set.

You buy it once for your appleid on IOS, then you can use it on all your IOS devices. Only catch is that Agilebits can at some point create a new app instead of updating the existing one, like (as I understand it) did with version 4. A lot of existing users were not happy with that move.

Apple did it with Logic, Tweetie did it with Tweetie 2, it doesn't appear as though Apple is going to allow developers to charge upgrade pricing for existing users and full price for new users. We'd love it if they did allow this, but it doesn't appear they will. OmniGroup seems to be heading down this same path as well. They whole reason for their "OmniKeyMaster" app is to allow MAS users to get a website license, allowing discounted upgrades.

This is going to become a new normal thing. And for history on 1Password:

Versions 1-3 were the same app. So users who purchased version 1-2 got free upgrades until version 4. Version 4 was a brand new app, for a variety of reasons, I can run through those if you wish, just let me know. I have no idea what we'll do with version 5, it's just too far out. Keep in mind that version 3 of the iOS app had been out for around 3 years before we released version 4.

I hope that helps explain things a little better.