1Password Review: For the Apple Faithful

1Password got its start as an Apple-only application and has carved out a dedicated following in that audience. The company recently made large strides toward bringing its Windows and Android software closer to parity with its MacOS and iOS apps, but 1Password is still best for users who rely entirely on the Apple ecosystem.

While the service handles all of the basic functions you would expect from a password manager, it simply doesn't hold up against the competition — especially on non-Apple devices. There are more-compelling options out there, such as LastPass and Dashlane.

MORE: What are the Best Password Managers?

Costs and What's Covered

1Password is one of the few password managers that hasn't gone for the freemium pricing model. There's a 30-day free trial for new users, but after that, it's $35.88 per year for a single user, or $59.88 per year for a family plan good for up to five users. (Add $12 per year for each additional user after that.)

Users on the single-user plan get unlimited password syncing across all their devices, account access both online and offline, a password generator, a security audit, security alerts, email support, 1GB of secure online storage, and one year of item history, which lets you restore deleted data and passwords. The family plan adds sharing of passwords and documents, permission controls, and account-recovery tools.

For a one-time fee of $64.99, Mac users can still purchase a license for a stand-alone, non-subscription version of 1Password from either from the Mac app store or the AgileBits website. This is the "old" configuration of 1Password, and it limits you to an on-device vault that you can sync with your other computers using iCloud, Dropbox, your own Wi-Fi network or a local folder.

The stand-alone option lacks many newer features that are on the subscription version of 1Password — including sharing, restoring items, Travel Mode and Two-Secret Key Derivation (more on those later) — thus reducing the security of your account unless you're an information-security expert.

To sync your stand-alone vault with the 1Password mobile apps, you need to make a one-time in-app purchase of $9.99 per platform to unlock Pro features. (The mobile versions get 30-day trials of Pro features, but those versions will continue to work as single-device password managers if you choose not to pay.)

On the desktop, 1Password supports Windows 7 or above and MacOS 10.10 or later. The browser extension is available for Google Chrome, Apple Safari, Mozilla Firefox, Microsoft Internet Explorer and Microsoft Edge, but you'll have to get the last one from the Microsoft App Store. On mobile devices, 1Password requires iOS 9 or later, and at least Android 4.1 Jelly Bean.

For this review, we used 1Password on an Apple laptop running Windows 10 and macOS 10.12 Sierra, an iPad Pro 12.9, a Samsung Galaxy S8+, and a Google Pixel phone. Google Chrome was our primary browser across all platforms, but we also tested with Safari on macOS and iOS.

Setup

1Password has a unique setup process. Users receive a 34-character "Secret Key" that they can use in addition to a master password. As for the master password itself, 1Password encourages users to go with a long phrase or set of words rather than a more-traditional password.

You definitely can't accuse the 1Password application interface of being too flashy.

As always, make sure you remember your master password, as there is no way to recover it later. 1Password has no access to your secret key or master password; the first lives only on your device, and the second only in your brain (or possibly on a sheet of paper in a safe or safe-deposit box).

To take full advantage of the macOS application, you need to install 1Password Mini in the Finder menu bar and keep that running at all times, and also install the 1Password browser extensions.

Other password managers, such as RoboForm and LastPass, similarly install a Finder menu-bar item, but they don't require a separate step to do so. The 1Password installation process can feel a little cumbersome, but it's just a one-time inconvenience.

The next step is importing your password data. 1Password supports imports only from LastPass, Dashlane, RoboForm, SplashID and previous 1Password accounts. That covers the main players, but it would be nice to see a few more on the list.

You can import data from some other password managers, including Keeper, KeePass, Sticky Password and True Key via a free third-party utility that 1Password recommends but does not maintain. If you import data from any other service, such as a browser password saver, you'll need to first export that data as a comma-separated values (CSV) file.

I was able to install the Android and iOS 1Password apps quickly. The authentication setup is unusual: You first must download the Emergency Kit from within the desktop application, then either enter your info or scan the QR code found in that document. Finally, you have to enter your master password. After this, our mobile app synced up immediately with our 1Password data.

The mobile apps support biometric unlock on both iOS and Android, so you won't have to type in your master password after the first run-through. Face ID unlocks 1Password on iPhone X; Touch ID unlocks it on a compatible MacBook Pro. If your device doesn't support fingerprint unlock, you can instead use the PIN option. There is no support for Windows fingerprint login.

MORE: The Best (and Worst) Identity Theft Protection

1Password on the Desktop

You definitely can't accuse the 1Password application interface of being too flashy. It looks like a built-in utility and falls short of the intuitive, more-modern designs found within Dashlane, LastPass and Keeper.

On the home screen, you see all your saved items, but you can quickly jump to favorites or view only items designated as Logins, Secure Notes, Credit Cards or Identities. Adding new items is simple, and I appreciated that I could attach files (text or images) to items such as credit cards or a driver's license.

With tagging, you can essentially create your own categorization system to break down items in your vault beyond what's possible with the basic options. A feature called Watchtower notifies you of data breaches in any services that you use and (hopefully) warns you in time to change your password.

Security Audit identifies weak passwords, duplicate passwords and older passwords. It helps find potential gaps in your security, but it's not as robust as the audit offerings of many of 1Password's competitors.

Travel Mode makes sure that even if your device is compromised, no sensitive data will be present.

One unique 1Password feature is Travel Mode. When you turn it on, 1Password will remove any vaults not marked as Safe for Travel from your laptop or smartphone. (They will be restored from the internet once you switch Travel Mode off.) This makes sure that even if your device is compromised — by an overzealous border agent or an "evil maid" in a hotel, perhaps — no sensitive data will be present.

Yet, even on a Mac, a lot of little quirks on 1Password make it just a bit harder to use than the competition.

Filling in forms requires a keyboard command, rather than being automatic or occurring via a single mouse click. Logging into 1Password on a MacBook Pro using the Touch ID fingerprint reader requires that you first tap an on-screen button, which eliminates some speed and convenience.

These little hiccups, coupled with the sparse feature set, make 1Password feel like a step down from the best-in-class options, particularly given the rather hefty yearly subscription fee.

1Password Mobile Apps

On mobile devices, the iOS app remains the better option: It has a built-in browser, can create a stand-alone vault, and supports form-filling in Safari or Chrome. But the Android app is catching up. Devices running Android 8 Oreo can natively fill forms, and Android 7 or earlier can fill forms using the 1Password keyboard. (You'll have to enable this function in the Accessibility part of Android's settings.)

Neither app has any Security Audit functionality, which seems odd considering the rudimentary nature of these features on the desktop software. Yet, both mobile apps are well-designed, and I preferred their look and navigation options over those found in the apps' desktop counterparts. Adding new items was straightforward, and my data synced seamlessly between devices.

But ultimately, users who use primarily mobile devices would be better-served by Dashlane, LastPass or Keeper. Those password managers offer more parity between the mobile and desktop experiences.

MORE: 12 Computer Security Mistakes You’re Probably Making

Security

1Password uses the same 256-bit AES encryption as most other password managers, as well as a master password that is never transmitted to the company.

One big difference is the 34-character secret key, which can be used in combination with the master password. (Those are the two parts of Two-Secret Key Derivation.) According to 1Password, this takes the security of your account from a best-case scenario of 60 bits of entropy to 128 bits. In real-world terms, this means that your data should be uncrackable regardless of the time or effort put into hacking it.

The trade-off is that 1Password doesn't support any form of two-factor authentication (2FA). It was the only password manager we tested that completely lacked anything resembling this feature. 1Password argues that 2FA is unnecessary due to the company's end-to-end encryption model and secret-key implementation, but 1Password's solution feels like an imperfect legacy implementation.

As mentioned earlier, Mac owners can use an older version of 1Password that syncs data locally or on Dropbox or iCloud rather than on 1Password's servers. Security and privacy fanatics will appreciate this option, but everyone else will probably be safer using the cloud-based model.

The cloud version includes Travel Mode, which is a unique feature among the password managers we tested and a must-have for business travelers who frequently cross international borders. It's no accident that the Toronto-based AgileBits introduced this feature just as U.S. border-control agents began actively demanding access to the digital devices of both foreign visitors and U.S. nationals.

Bottom Line

If you're an Apple diehard and enjoy the look and feel of a built-in Apple utility, then you could certainly do worse than 1Password — especially if you often travel abroad for business. But if you often stray to other platforms or simply want a little more out of your password manager, you may be better-served by a full-featured, platform-agnostic option such as LastPass or Dashlane.

Create a new thread in the Antivirus / Security / Privacy forum about this subject
5 comments
Comment from the forums
    Your comment
  • AGEva
    My name is Eva Schweber and I work for AgileBits, the folks who make 1Password. Thank you for reviewing our software. There are a few points in your review that I would like to address.

    "But it can't automatically capture existing credentials as you log into sites for which you already have accounts — instead, you have to enter those credentials manually into 1Password."

    The first time that you enter credentials into a new site, the app will automatically capture the login information and add it to the app. Make sure that you have the 1Password web browser extension installed for this feature to work. https://agilebits.com/onepassword/extensions

    I would also like to clarify the distinction between 1Password accounts (our 1Password Families and 1Password Teams subscription plans) and our standalone apps. 1Password accounts include the latest version of our apps for all of our platforms and your data is always consistent across all of your devices. The standalone apps are licensed per person and platform, and can be set up to sync locally (without data touching the cloud) using Wi-Fi, or with the cloud using Dropbox or iCloud (if only Apple devices are being used).

    Our Android and Windows apps are newer and we are working hard on feature parity across platforms. The latest version of our Android app does include some nice features like automatic filling and Fingerprint Unlock. Multiple vaults are supported if you have a 1Password Teams or 1Password Families account.

    Regarding two-factor authentication, our security model is built on strong, end-to-end encryption. Authentication is used to provide our hosted services, but it is not relied on for securing your data. You can read more about the distinction and how we secure our customers' data on our website.
    https://support.1password.com/authentication-vs-encryption/
  • GrumpyAs
    This is rubbish.
    The review is dated 23 May but it's much older than that.
    The AgileBits spokes person response is 10 months old...how can that be?
    The pricing is wrong
    The standalone version ain't available on their web site not on the Apple App Store.
    It's all subscription only hosted on the devs servers.
    This is just a fluff filler ... regurgitated old stuff .... to separate the advertisements.
  • KerryT
    i LOOOVE 1Password. My kids can never remember their passwords and we got family sharing.
  • Entrepreneurial
    Jason, you nailed it. 1Password is a confusing mess if you want to sync it with Apple and non-Apple products.
  • PeterKendrick
    Or people can use free KeePassx