[This review has been updated to include support of all U2F security keys for two-factor authentication. It was originally published on Dec. 18, 2017.]
1Password got its start as an Apple-only application and has carved out a dedicated following in that audience. The company recently made large strides toward bringing its Windows and Android software closer to parity with its macOS and iOS apps, but 1Password is still best for users who rely entirely on the Apple ecosystem.
While the service handles all of the basic functions you would expect from a password manager, it simply doesn't hold up against the competition — especially on non-Apple devices. There are more-compelling options out there, such as LastPass and Dashlane.
1Password costs and what's covered
1Password is one of the few password managers that hasn't gone for the freemium pricing model. There's a 30-day free trial for new users, but after that, it's $35.88 per year for a single user, or $59.88 per year for a family plan good for up to five users. (Add $12 per year for each additional user after that.)
Users on the single-user plan get unlimited password syncing across all their devices, account access both online and offline, a password generator, a security audit, security alerts, email support, 1GB of secure online storage, and one year of item history, which lets you restore deleted data and passwords. The family plan adds sharing of passwords and documents, permission controls, and account-recovery tools.
For a one-time fee of $64.99, Mac users can still purchase a license for a stand-alone, non-subscription version of 1Password from either the Mac App Store or the AgileBits website. This is the "old" configuration of 1Password, and it limits you to an on-device vault that you can sync with your other computers using iCloud, Dropbox, your own Wi-Fi network or a local folder.
The stand-alone option lacks many newer features that are on the subscription version of 1Password — including sharing, restoring items, Travel Mode and Two-Secret Key Derivation (more on those later) — thus reducing the security of your account unless you're an information-security expert.
To sync your stand-alone vault with the 1Password mobile apps, you need to make a one-time in-app purchase of $9.99 per platform to unlock Pro features. (The mobile versions get 30-day trials of Pro features, but those versions will continue to work as single-device password managers if you choose not to pay.)
On the desktop, 1Password supports Windows 7 or above and macOS 10.10 or later. The browser extension is available for Google Chrome, Apple Safari, Mozilla Firefox, Microsoft Internet Explorer and Microsoft Edge, but you'll have to get the last one from the Microsoft App Store. On mobile devices, 1Password requires iOS 9 or later, and at least Android 4.1 Jelly Bean.
In the summer of 2018, after this review was first published, 1Password rolled out enhanced browser extensions for Chrome and Firefox that work without desktop software, essentially replicating the LastPass experience. These extensions, called 1Password X, have most of the features of the desktop applications and extend 1Password support to Chrome OS and Linux, after a fashion.
For this review, we used 1Password on an Apple laptop running Windows 10 and macOS 10.12 Sierra, an iPad Pro 12.9, a Samsung Galaxy S8+, and a Google Pixel phone. Google Chrome was our primary browser across all platforms, but we also tested with Safari on macOS and iOS.
1Password has a unique setup process. Users receive a 34-character "Secret Key" that they can use in addition to a master password. (They'd better write it down.) As for the master password itself, 1Password encourages users to go with a long phrase or set of words rather than a more-traditional password.
As always, make sure you remember your master password, as there is no way to recover it later. 1Password has no access to your secret key or master password; the first lives only on your device, and the second only in your brain (or possibly on a sheet of paper in a safe or safe-deposit box).
To take full advantage of the macOS application, you need to install 1Password Mini in the Finder menu bar and keep that running at all times, and also install the 1Password browser extensions.
Other password managers, such as RoboForm and LastPass, similarly install a Finder menu-bar item, but they don't require a separate step to do so. The 1Password installation process can feel a little cumbersome, but it's just a one-time inconvenience.
The next step is importing your password data. 1Password supports imports only from LastPass, Dashlane, RoboForm, SplashID and previous 1Password accounts. That covers the main players, but it would be nice to see a few more on the list.
You can import data from some other password managers, including Keeper, KeePass, Sticky Password and True Key via a free third-party utility that 1Password recommends but does not maintain. If you import data from any other service, such as a browser password saver, you'll need to first export that data as a comma-separated values (CSV) file.
I was able to install the Android and iOS 1Password apps quickly. The authentication setup is unusual: You first must download the Emergency Kit from within the desktop application, then either enter your info or scan the QR code found in that document. Finally, you have to enter your master password. After this, our mobile app synced up immediately with our 1Password data.
The mobile apps support biometric unlock on both iOS and Android, so you won't have to type in your master password after the first run-through. Face ID unlocks 1Password on iPhone X; Touch ID unlocks it on a compatible MacBook Pro. If your device doesn't support fingerprint unlock, you can instead use the PIN option. There is no support for Windows fingerprint login.
1Password on the desktop
You definitely can't accuse the 1Password application interface of being too flashy. It looks like a built-in utility and falls short of the intuitive, more-modern designs found within Dashlane, LastPass and Keeper.
On the home screen, you see all your saved items, but you can quickly jump to favorites or view only items designated as Logins, Secure Notes, Credit Cards or Identities. Adding new items is simple, and I appreciated that I could attach files (text or images) to items such as credit cards or a driver's license.
With tagging, you can essentially create your own categorization system to break down items in your vault beyond what's possible with the basic options. A feature called Watchtower notifies you of data breaches in any services that you use and (hopefully) warns you in time to change your password. It now also checks to see whether an individual password has been compromised in a data breach.
Security Audit identifies weak passwords, duplicate passwords and older passwords. It helps find potential gaps in your security, but it's not as robust as the audit offerings of many of 1Password's competitors.
One unique 1Password feature is Travel Mode. When you turn it on, 1Password will remove any vaults not marked as Safe for Travel from your laptop or smartphone. (They will be restored from the internet once you switch Travel Mode off.) This makes sure that even if your device is compromised — by an overzealous border agent or an "evil maid" in a hotel, perhaps — no sensitive data will be present.
Yet, even on a Mac, a lot of little quirks on 1Password make it just a bit harder to use than the competition, even if it does now support macOS Mojave's Dark Mode.
Filling in forms requires a keyboard command, rather than being automatic or occurring via a single mouse click. Logging into 1Password on a MacBook Pro using the Touch ID fingerprint reader requires that you first tap an on-screen button, which eliminates some speed and convenience.
These little hiccups, coupled with the sparse feature set, make 1Password feel like a step down from the best-in-class options, particularly given the rather hefty yearly subscription fee.
1Password mobile apps
On mobile devices, the iOS app remains the better option: It has a built-in browser, can create a stand-alone vault, and supports form-filling in Safari or Chrome. But the Android app is catching up. Devices running Android 8 Oreo or later can natively fill forms, and Android 7 or earlier can fill forms using the 1Password keyboard. (You'll have to enable this function in the Accessibility part of Android's settings.)
Neither app has any Security Audit functionality, which seems odd considering the rudimentary nature of these features on the desktop software. Yet, both mobile apps are well-designed, and I preferred their look and navigation options over those found in the apps' desktop counterparts. Adding new items was straightforward, and my data synced seamlessly between devices.
But ultimately, users who use primarily mobile devices would be better-served by Dashlane, LastPass or Keeper. Those password managers offer more parity between the mobile and desktop experiences.
1Password uses the same 256-bit AES encryption as most other password managers, as well as a master password that is never transmitted to the company.
One big difference is the 34-character secret key, which can be used in combination with the master password. (Those are the two parts of Two-Secret Key Derivation.) According to 1Password, this takes the security of your account from a best-case scenario of 60 bits of entropy to 128 bits. In real-world terms, this means that your data should be uncrackable regardless of the time or effort put into hacking it.
Until 2018, the trade-off was that 1Password didn't support any form of two-factor authentication (2FA), and it was the only password manager we tested that didn't. Thankfully, that has now been resolved, and 1Password happily supports the Authy, Google Authenticator and Microsoft Authenticator smartphone apps, and also, as of June 2019, U2F security keys, including those made by Feitian, Google and Yubikey.
As mentioned earlier, Mac owners can use an older version of 1Password that syncs data locally or on Dropbox or iCloud rather than on 1Password's servers. Security and privacy fanatics will appreciate this option, but everyone else will probably be safer using the cloud-based model.
The cloud version includes Travel Mode, which is a unique feature among the password managers we tested and a must-have for business travelers who frequently cross international borders. It's no accident that the Toronto-based AgileBits introduced this feature just as U.S. border-control agents began actively demanding access to the digital devices of both foreign visitors and U.S. nationals.
1Password: Bottom line
If you're an Apple diehard and enjoy the look and feel of a built-in Apple utility, then you could certainly do worse than 1Password — especially if you often travel abroad for business. But if you often stray to other platforms or simply want a little more out of your password manager, you may be better-served by a full-featured, platform-agnostic option such as LastPass or Dashlane.