This weekend I read a linked post on The Brooks Review which really irritated me. The linked post was about the popular 1Password application. Justin Blanton says:
“While on the topic, if you’re not using 1Password (or similar), and you can afford it, then you’re an idiot. I’m sorry to be so blunt, but there just isn’t any excuse.”
Not a user of 1Password myself, I was unsurprisingly a bit offended by the “idiot” remark. Especially because I consider my password management skills to be quite sufficient. Sure, I’ve heard of 1Password and KeePassX before. Many of my friends and coworkers use these types of password managers. Prior to this weekend, I had made a conscious decision NOT to use this type of software. I had considered it on many occasions before and had always decided it wasn’t for me. Well, the above quote got me thinking and I decided to spend a day or two revisiting the topic.
I began by trying to compile a list of the “problems” with 1Password (and all password managers, to be honest). My number one issue with 1Password is the notion of a single master password that can unlock every other password that I have stored. I try to avoid a single point of failure, and this sure seems like a big one. This master password is actually used to encrypt all of your password data using 128-bit keys. The nice thing about this is, if you have a really good master password (which you should, obviously), then it makes your password database very secure. My other security-related concern is the notion of storing the password database in Dropbox. This is an optional step you can take which makes using 1Password across multiple devices significantly more convenient. However, the tradeoff is that your passwords are now stored out in the cloud. This is not always the safest approach. While this might seem crazy, it’s actually not as sketchy as it sounds because the password database is still encrypted when stored in your Dropbox. So even if somebody were able to access the database, they would be unable to read it without your master password. If you decide to go this route, make sure you have a good, unique password for Dropbox!
The other issues I have with 1Password are mostly from an annoyance standpoint. 1Password encourages you to generate a unique (and very complicated) password for each website you visit. This is one of the best aspects of a password manager. The issue with this is that you will no longer have any idea what your passwords are. A typical password will look something like this: HBcTH2}pbnx0cBItEaMO. There’s no chance you are going to remember something like this. This means that you’ll need to have 1Password installed on every machine you access that website on. So, you’re not going to be able to use a public computer (or maybe even your mobile device) to access these websites. (Note: 1Password does have iOS applications for iPhone and iPad, although I haven’t had a chance to try them out yet.) As you can imagine, this will require a little bit of planning and it’s likely that you will get burned occasionally.
As I found out this weekend, it’s also a bit of a pain to get started with 1Password. Sure, you could just start filling out all of your usernames and passwords… but the big security gains come from generating a crazy new password for each website. The only problem is, this means changing your password on many, many websites. What a pain! Interestingly enough, this also provides a good deal of lock-in to 1Password since it would be equally annoying to change all of these passwords again after my trial is over.
Once you have migrated your website passwords over to 1Password, it is a brilliant application. It is able to automatically log you in to websites with the “Go & Fill” feature. It also provides good tools for organizing your sites into folders and tags. I was quite impressed with the Setup wizard when it asked me if I wanted to add the 1Password extension into all of my browsers. With a single click, I was able to get Safari, Chrome, and Firefox extensions installed with no effort whatsoever. Nice. Using these extensions, you can pretty much avoid copying and pasting your crazy password into login forms. The extensions are capable of doing the heavy lifting for you. In fact, there are even handy keyboard shortcuts for filling out login forms for sites already in your password database.
After using 1Password for two days now, I can honestly say that it makes logging into websites a breeze. I’ve found it especially useful for websites that I don’t access very often, like my electric and cable companies’ websites. Furthermore, there’s no arguing with the fact that having a completely unique password for every site is extremely secure. I currently use close to 10 different passwords, but I often share the same password for websites of the same ‘class’. For example, my credit card and banking websites would share my most secure password. 1Password allows me to take this to the next level with individual (and complicated) passwords for every site. I am a bit skeptical, though, that a good 8-10 character password (with a special character, numbers, and capitalization) is practically any different than a 25 character password. Once you get to 8-10 characters, the time required to brute force a password like this is already long. So, I don’t think the “super complicated” password is as important as the unique password.
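To put numbers on the 8-10 character versus 25 character comparison, here is an added example (my own, not from the post or from 1Password) that computes the keyspace, entropy, and expected brute-force time for the lengths discussed above. The 95-symbol alphabet and the two guess rates are assumptions chosen to contrast a throttled online login with an offline attack on a leaked, fast-hashed password database.

```python
import math

# Assumed alphabet: 26 lower + 26 upper + 10 digits + 33 printable ASCII symbols.
MIXED_ALPHABET = 95

# Assumed illustrative guess rates (guesses per second): a rate-limited online
# login form versus an offline attack against a leaked fast-hash database.
GUESS_RATES = {
    "online (throttled)": 1_000,
    "offline (fast hash)": 10_000_000_000,
}

SECONDS_PER_YEAR = 365 * 24 * 3600


def keyspace(length: int, alphabet: int = MIXED_ALPHABET) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet ** length


def entropy_bits(length: int, alphabet: int = MIXED_ALPHABET) -> float:
    """Entropy in bits of a uniformly random password (what a generator gives you)."""
    return length * math.log2(alphabet)


def expected_years_to_crack(length: int, rate: int, alphabet: int = MIXED_ALPHABET) -> float:
    """Expected time to hit a random password: on average half the keyspace is searched."""
    guesses = keyspace(length, alphabet) / 2
    return guesses / rate / SECONDS_PER_YEAR


def compare(lengths=(8, 10, 20, 25)):
    """Rows of (length, entropy bits, {rate name: expected years}) for the post's lengths."""
    rows = []
    for n in lengths:
        years = {name: expected_years_to_crack(n, rate) for name, rate in GUESS_RATES.items()}
        rows.append((n, round(entropy_bits(n), 1), years))
    return rows


if __name__ == "__main__":
    # 20 characters matches the generated example HBcTH2}pbnx0cBItEaMO from the post.
    for n, bits, years in compare():
        cells = ", ".join(f"{name}: {yrs:.3g} yr" for name, yrs in years.items())
        print(f"{n:2d} chars  {bits:6.1f} bits  {cells}")
```

The offline row is the one that matters for the “website got hacked and the database leaked” scenario later in the post: there, an 8 character password with a fast hash is a matter of days, while a 20 character generated password is out of reach regardless of hardware.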
I’ve decided to continue using 1Password for the majority of my passwords. There are some valid security concerns, but I think it comes down to balancing risk. By keeping a “local” password manager, I’m able to ensure that every website password is unique and secure. Most of the security incidents that occurred in the last few years have been websites getting hacked and usernames, passwords, and email addresses leaked out onto the web. If this happened to one of my 1Password sites, this would be a non-issue. It seems less likely that my machine will become physically compromised. If it does, hopefully my OS X password lock & 1Password master password will be enough to keep my passwords encrypted forever. I’ve decided to keep a few of my “key” passwords (such as Gmail, Twitter, etc) out of 1Password. The main reason is because I use these accounts often and don’t want to rely on always having 1Password available. Furthermore, your email password is the most important password you have, so make sure it’s very secure and never reused.
In Ben’s defense, he did post a follow-up clarifying the statement and explaining his reasoning a bit better.