How does 1Password work?
April 8, 2021 6:47 AM
I want to use 1Password, but am curious about how it may interface with my work computer. Can you help me understand how the program will work across different devices, and how it works generally?
I know I want/need a secure password manager. I think that 1Password generally meets my needs the best, but I use a (government-issued) work laptop in addition to my personal laptop and smartphone, and am confused about how 1Password just....actually works.
1. Does the program require any sort of installed widget that is likely to be blocked on my federally-issued computer?
2. What actually like....happens once you purchase 1Password? I understand you set some master password; what are the next steps for each individual site you use? I know it's mostly important to have a really secure password for like, your bank account or whatever, but can I use it for silly store websites like The Gap? What about an academic journal website, which I use a lot for my job?
3. So presumably you do whatever set up process there is the first time with Gap/your bank/wherever, and then once you go back to that site the next time does it just detect your password? Do you re-enter your Master Password?
Thanks very much for helping me become more secure!
I know I want/need a secure password manager. I think that 1Password generally meets my needs the best, but I use a (government-issued) work laptop in addition to my personal laptop and smartphone, and am confused about how 1Password just....actually works.
1. Does the program require any sort of installed widget that is likely to be blocked on my federally-issued computer?
2. What actually like....happens once you purchase 1Password? I understand you set some master password; what are the next steps for each individual site you use? I know it's mostly important to have a really secure password for like, your bank account or whatever, but can I use it for silly store websites like The Gap? What about an academic journal website, which I use a lot for my job?
3. So presumably you do whatever set up process there is the first time with Gap/your bank/wherever, and then once you go back to that site the next time does it just detect your password? Do you re-enter your Master Password?
Thanks very much for helping me become more secure!
I use LastPass, but I think conceptually they're the same thing.
1. This will depend on how locked down it is. Both LP and 1P have standalone desktop tools, as well as browser addons. You may not be able to install either, but check with your IT if you can't, as they may allow it.
2. Yes on the master password. If 1P is anything like LP, it'll allow you to import any existing saved browser passwords. If you don't have certain ones saved in browser, next time you log in, it'll prompt you to save the username/password. You can also add them manually, but that's obv. more work. You should absolutely use it for silly things, because otherwise you're likely re-use the same password and that's very bad because then once one account is breached, they can access all others.
3. Yes, when you get to matching site it'll let you enter username password from the extension/app. There is a setting on whether you need to re-enter the password. My computer is locked down, so I don't have that on. On my mobile I've enabled bio (fingerprint) authentication so it's not burdensome.
Pro tip: Make sure you create and store safely your Emergency Kit.
posted by pyro979 at 7:06 AM on April 8, 2021
1. This will depend on how locked down it is. Both LP and 1P have standalone desktop tools, as well as browser addons. You may not be able to install either, but check with your IT if you can't, as they may allow it.
2. Yes on the master password. If 1P is anything like LP, it'll allow you to import any existing saved browser passwords. If you don't have certain ones saved in browser, next time you log in, it'll prompt you to save the username/password. You can also add them manually, but that's obv. more work. You should absolutely use it for silly things, because otherwise you're likely re-use the same password and that's very bad because then once one account is breached, they can access all others.
3. Yes, when you get to matching site it'll let you enter username password from the extension/app. There is a setting on whether you need to re-enter the password. My computer is locked down, so I don't have that on. On my mobile I've enabled bio (fingerprint) authentication so it's not burdensome.
Pro tip: Make sure you create and store safely your Emergency Kit.
posted by pyro979 at 7:06 AM on April 8, 2021
Hi! I'm a 1Password user personally (and have to use LastPass for work) and it's revolutionary. I never thought I'd be happy at not knowing almost any of my passwords, but here we are. Certainly more secure, and frees up a little bit of brain real estate.
I would agree with the LastPass users who've already answered your 3 questions, those points are generally all the same for 1Password, with some differences outlined below:
1. In addition to desktop & mobile apps, browser extensions for Chrome & Firefox, 1P also has a standalone web application. You can access your 1P vault without needing an extension or application installed. You would lose out on some of the nice features like browser auto-fill or password auto-update, but you can still access everything.
2. It's easy to import passwords, but my recommendation is to take an afternoon and manually import passwords, changing them as you go (and enabling multi-factor authentication where offered.)
3. The autofill is basically magic, and you can use it for credit cards, personal information, pretty much anything. You can either access a site from 1P (search for the site in the extension, click it, it takes you to the login page & auto-fills) or visit the site normally, and as long as 1P is unlocked, it will give you the option to auto-fill just below the user/password box.
Additionally, 1P will check and see if any of your accounts have been involved in known compromises with the Watchtower feature. It's nice peace-of-mind.
Check out the getting started guides, if you haven't yet. And yes - store your Emergency Kit someplace safe. I've not had to use mine yet, and I've been on 1P for about 2 years now. Welcome to having a password manager, enjoy!
posted by spbb at 7:41 AM on April 8, 2021
I would agree with the LastPass users who've already answered your 3 questions, those points are generally all the same for 1Password, with some differences outlined below:
1. In addition to desktop & mobile apps, browser extensions for Chrome & Firefox, 1P also has a standalone web application. You can access your 1P vault without needing an extension or application installed. You would lose out on some of the nice features like browser auto-fill or password auto-update, but you can still access everything.
2. It's easy to import passwords, but my recommendation is to take an afternoon and manually import passwords, changing them as you go (and enabling multi-factor authentication where offered.)
3. The autofill is basically magic, and you can use it for credit cards, personal information, pretty much anything. You can either access a site from 1P (search for the site in the extension, click it, it takes you to the login page & auto-fills) or visit the site normally, and as long as 1P is unlocked, it will give you the option to auto-fill just below the user/password box.
Additionally, 1P will check and see if any of your accounts have been involved in known compromises with the Watchtower feature. It's nice peace-of-mind.
Check out the getting started guides, if you haven't yet. And yes - store your Emergency Kit someplace safe. I've not had to use mine yet, and I've been on 1P for about 2 years now. Welcome to having a password manager, enjoy!
posted by spbb at 7:41 AM on April 8, 2021
1. In addition to the above comments t is worth noting that you can install just the Chrome extension without the application. While I don't know how locked down your computer is it is possible that you can't install the full application but can install the Chrome extension.
2. It makes sense to have all your passwords in 1Password, even the "silly" ones. This lets you prevent password reuse and gets you in the habit of having one system to store all your passwords. Turning off the built in browser auto fill is also useful so you can depend on 1Password fully to remember your passwords, except your 1Password master password and your device passwords (to unlock your phone and laptop for example). An exception is shared passwords such as a Netflix account that the whole family uses, or a bank account shared with a partner. A first step is to just have the easily memorized password entered in 1Password for consistency, and once you are used to 1Password you can upgrade to a family or teams account that has shared vaults. Shared vaults let you have multiple people with their own private vault, as well as vaults that have those communal accounts. Then you can upgrade the bank password to something very strong.
3. You can auto fill existing passwords much how you would expect, but only if 1Password is unlocked. You specify rules in preferences that dictate what causes 1Password to lock.
On the Mac for example choose from any / all of:
Lock on sleep: 1Password will lock when your Mac or display sleeps.
Lock when screen saver is activated: 1Password will lock when your screen saver is activated.
Lock when main window is closed: 1Password will lock when you close the main 1Password app.
Lock when fast user switching: 1Password will lock when you switch users on your Mac.
Lock after computer is idle: 1Password will lock when there’s no keyboard, mouse, or trackpad activity on your Mac for the specified number of minutes.
That list is from https://support.1password.com/auto-lock/ which also lists lock settings for other platforms.
How strict you set it to re-lock depends on the risk for that computer. For example a desktop computer at home may lock less often than a laptop you carry around.
Part of my IT consulting business is helping people get up and running in 1Password. Feel free to get in touch at passwordmanagerhelp.com
posted by ridogi at 8:26 AM on April 8, 2021
2. It makes sense to have all your passwords in 1Password, even the "silly" ones. This lets you prevent password reuse and gets you in the habit of having one system to store all your passwords. Turning off the built in browser auto fill is also useful so you can depend on 1Password fully to remember your passwords, except your 1Password master password and your device passwords (to unlock your phone and laptop for example). An exception is shared passwords such as a Netflix account that the whole family uses, or a bank account shared with a partner. A first step is to just have the easily memorized password entered in 1Password for consistency, and once you are used to 1Password you can upgrade to a family or teams account that has shared vaults. Shared vaults let you have multiple people with their own private vault, as well as vaults that have those communal accounts. Then you can upgrade the bank password to something very strong.
3. You can auto fill existing passwords much how you would expect, but only if 1Password is unlocked. You specify rules in preferences that dictate what causes 1Password to lock.
On the Mac for example choose from any / all of:
Lock on sleep: 1Password will lock when your Mac or display sleeps.
Lock when screen saver is activated: 1Password will lock when your screen saver is activated.
Lock when main window is closed: 1Password will lock when you close the main 1Password app.
Lock when fast user switching: 1Password will lock when you switch users on your Mac.
Lock after computer is idle: 1Password will lock when there’s no keyboard, mouse, or trackpad activity on your Mac for the specified number of minutes.
That list is from https://support.1password.com/auto-lock/ which also lists lock settings for other platforms.
How strict you set it to re-lock depends on the risk for that computer. For example a desktop computer at home may lock less often than a laptop you carry around.
Part of my IT consulting business is helping people get up and running in 1Password. Feel free to get in touch at passwordmanagerhelp.com
posted by ridogi at 8:26 AM on April 8, 2021
I have used 1Password for over 4 years now. I started when my password needs tripled (due to a 2nd job and ailing relative). I avoid using it on a desktop. I use it from my phone.
Everything needing a password gets an entry.
It has a feature that displays the password on a large human-readable form.
I also had government issued devices and I didn't want to mix something I paid for with something the taxpayers paid for. Worked great- no problems.
It also lets me track identities, like numbers asso with spouses, kids and ailing relatives.
I rarely have to use the master password. When o upgraded my iPhone and had to use facial recognition, my app didn't always recognize me. Once I locked myself on a trip and just took a social media and email break for a couple days because I hadn't thought to memorize the master PW.
I even log when I use Facebook or Google to register. I enter the info and make the password something like "used Facebook"
Have fun! Sanity saver for sure. Totally wotth the $4 per month.
posted by rw at 8:34 AM on April 8, 2021
Everything needing a password gets an entry.
It has a feature that displays the password on a large human-readable form.
I also had government issued devices and I didn't want to mix something I paid for with something the taxpayers paid for. Worked great- no problems.
It also lets me track identities, like numbers asso with spouses, kids and ailing relatives.
I rarely have to use the master password. When o upgraded my iPhone and had to use facial recognition, my app didn't always recognize me. Once I locked myself on a trip and just took a social media and email break for a couple days because I hadn't thought to memorize the master PW.
I even log when I use Facebook or Google to register. I enter the info and make the password something like "used Facebook"
Have fun! Sanity saver for sure. Totally wotth the $4 per month.
posted by rw at 8:34 AM on April 8, 2021
The folks above have pretty much covered it, I think. However, I just wanted to add one observation from a long-term 1Password user here:
I chose 1Password because it was the most flexible and portable service. It works virtually seamlessly on PC, Mac, and phones. There's an application that you can install on your computer that offers advanced features for password management, but if you're working from a more locked down machine you can just install a browser extension in Chrome/Firefox/Edge and still access the passwords.
I gather that Lastpass has a similar approach, but I've never been a user so I don't know first hand (Lastpass required a subscription at the time where 1Password was a one-time purchase - both require a subscription these days).
I'll admit, getting up and running with a password manager will be a small challenge at first. It requires you to change your web habits a bit, and there's a lot of password management to do to change everything over to a unique password (which 1Password will help you to generate if you like). Once you get things running it's very nice though.
posted by owls at 9:15 AM on April 8, 2021
I chose 1Password because it was the most flexible and portable service. It works virtually seamlessly on PC, Mac, and phones. There's an application that you can install on your computer that offers advanced features for password management, but if you're working from a more locked down machine you can just install a browser extension in Chrome/Firefox/Edge and still access the passwords.
I gather that Lastpass has a similar approach, but I've never been a user so I don't know first hand (Lastpass required a subscription at the time where 1Password was a one-time purchase - both require a subscription these days).
I'll admit, getting up and running with a password manager will be a small challenge at first. It requires you to change your web habits a bit, and there's a lot of password management to do to change everything over to a unique password (which 1Password will help you to generate if you like). Once you get things running it's very nice though.
posted by owls at 9:15 AM on April 8, 2021
the passwords (and anything else saved in them) sync across all the devices
An important aspect of this is that the passwords are not synced directly. Instead, what is synced is an encrypted version of the passwords. The passwords are only decrypted locally on your devices, which is why you need the master password. That's what enables the program to decrypt all of your other passwords.
The unencrypted passwords are never sent to 1Password / LastPass. They could not uncover your passwords even if they wanted to or if law enforcement or a court ordered them to. The same is true of a hacker accessing their servers: they would only get encrypted copies of people's passwords.
It's a very secure system as long as your master password is strong. A catch is that if you forget your master password no one can help you, so if you have trouble remembering passwords then it may be worth storing it (or a good hint) written down in a physically secure location, hence the 1Password Emergency Kit mentioned above.
posted by jedicus at 10:20 AM on April 8, 2021
An important aspect of this is that the passwords are not synced directly. Instead, what is synced is an encrypted version of the passwords. The passwords are only decrypted locally on your devices, which is why you need the master password. That's what enables the program to decrypt all of your other passwords.
The unencrypted passwords are never sent to 1Password / LastPass. They could not uncover your passwords even if they wanted to or if law enforcement or a court ordered them to. The same is true of a hacker accessing their servers: they would only get encrypted copies of people's passwords.
It's a very secure system as long as your master password is strong. A catch is that if you forget your master password no one can help you, so if you have trouble remembering passwords then it may be worth storing it (or a good hint) written down in a physically secure location, hence the 1Password Emergency Kit mentioned above.
posted by jedicus at 10:20 AM on April 8, 2021
By way of contrast, the main reason I initially chose KeePass, later switching to KeePassXC, is that these do not require anything to be installed on computers that are not under my full control and will not stop working even if the organization responsible for them goes belly up or chooses to impose unacceptable terms of service.
KeePass and its descendants all rely of the app having local access to a database file where your passwords are stored. The file is strongly encrypted, even when open in the app, which decrypts only what it needs to, when it needs to, for as little time as it needs to. Various ways of getting passwords from the database into online login forms are provided, from simple clipboard-based copy and paste, through various flavours of keyboard emulation (Auto-Type), to browser integration via installable browser extensions. I generally rely on Auto-Type with occasional fallback to copy and paste for sites that can't be made to play nice otherwise.
In order to make my passwords easily accessible from all devices, I need to rely on a file sharing service that isn't built into the password manager. This extra fiddliness has an upside as well, in that the password manager becomes completely insensitive to which file sharing service I'm using. At present, a free Dropbox account is working very nicely for me. If I'm working on several computers at once, saving changes to the password database on one of them will make the others prompt me that the database file has changed and ask if I want to reload it, just as soon as Dropbox has propagated the changed file. This is adequately slick for my purposes. And because the files remain locally stored, I don't lose them even if Dropbox goes belly up; I would just need to use a different file syncing service in its place.
KeePass and KeePassXC are both available from their official download sites as a portable apps that will run without formal installation into a system. I keep a recent copy of KeePassXC, along with a recent copy of my password database, on a USB stick attached to my car keys as well as in a Dropbox folder whose sharing link I've converted using a URL shortener and memorized. It's pretty rare to be unable to download a copy of that folder to the desktop and run my password manager from in there.
Phone apps that support the same file formats are also available, both on Android and iOS; these generally let you get passwords into things via copy and paste.
Any password manager is only ever going to be as secure as its master password allows it to be. One reasonable way to make a strong master password is to take two or three existing passwords that you can already remember and just glue them together; my own master password is an eighteen character string of essentially random gibberish made exactly this way.
On the computers I use most often, I have KeePassXC set to run automatically as soon as I log in. So the very first thing I always see right after I log in is a big dialog box asking for my master password. So I'm typing it every day, my fingers have learnt it and I don't have to think about it any more. As soon as it's entered, KeePassXC minimizes itself to the system tray and runs unobtrusively in the background until I call on its services or log off again.
I like that it's free, but I love that its password storage is local.
posted by flabdablet at 10:56 AM on April 8, 2021
KeePass and its descendants all rely of the app having local access to a database file where your passwords are stored. The file is strongly encrypted, even when open in the app, which decrypts only what it needs to, when it needs to, for as little time as it needs to. Various ways of getting passwords from the database into online login forms are provided, from simple clipboard-based copy and paste, through various flavours of keyboard emulation (Auto-Type), to browser integration via installable browser extensions. I generally rely on Auto-Type with occasional fallback to copy and paste for sites that can't be made to play nice otherwise.
In order to make my passwords easily accessible from all devices, I need to rely on a file sharing service that isn't built into the password manager. This extra fiddliness has an upside as well, in that the password manager becomes completely insensitive to which file sharing service I'm using. At present, a free Dropbox account is working very nicely for me. If I'm working on several computers at once, saving changes to the password database on one of them will make the others prompt me that the database file has changed and ask if I want to reload it, just as soon as Dropbox has propagated the changed file. This is adequately slick for my purposes. And because the files remain locally stored, I don't lose them even if Dropbox goes belly up; I would just need to use a different file syncing service in its place.
KeePass and KeePassXC are both available from their official download sites as a portable apps that will run without formal installation into a system. I keep a recent copy of KeePassXC, along with a recent copy of my password database, on a USB stick attached to my car keys as well as in a Dropbox folder whose sharing link I've converted using a URL shortener and memorized. It's pretty rare to be unable to download a copy of that folder to the desktop and run my password manager from in there.
Phone apps that support the same file formats are also available, both on Android and iOS; these generally let you get passwords into things via copy and paste.
Any password manager is only ever going to be as secure as its master password allows it to be. One reasonable way to make a strong master password is to take two or three existing passwords that you can already remember and just glue them together; my own master password is an eighteen character string of essentially random gibberish made exactly this way.
On the computers I use most often, I have KeePassXC set to run automatically as soon as I log in. So the very first thing I always see right after I log in is a big dialog box asking for my master password. So I'm typing it every day, my fingers have learnt it and I don't have to think about it any more. As soon as it's entered, KeePassXC minimizes itself to the system tray and runs unobtrusively in the background until I call on its services or log off again.
I like that it's free, but I love that its password storage is local.
posted by flabdablet at 10:56 AM on April 8, 2021
One more things - I alluded to "password and anything else," and wanted to expand on that a bit - LastPass (and 1Password) can securely store other things, like notes, credit cards, and so on. The credit cards can be used to automatically complete online purchase, where you'd normally need to enter them in manually, and the notes can be any sort of free text, including pictures. This turns out to be a really useful feature. For example:
I try to enable 2FA wherever it's offered by the website, and a common part of that process is for the site to send you a list of one-time passwords you can use if the token is unavailable. These get saved as notes. I've saved software license keys in notes as well, too. I also just saved an image of my Covid vaccination card as part of a secure note.
posted by jquinby at 12:03 PM on April 8, 2021
I try to enable 2FA wherever it's offered by the website, and a common part of that process is for the site to send you a list of one-time passwords you can use if the token is unavailable. These get saved as notes. I've saved software license keys in notes as well, too. I also just saved an image of my Covid vaccination card as part of a secure note.
posted by jquinby at 12:03 PM on April 8, 2021
Password managers that can't save general notes should not be on anybody's shortlist, imo.
KeePass database entries can include attached documents as well as having provision for arbitrary notes in plain text.
posted by flabdablet at 12:17 PM on April 8, 2021
KeePass database entries can include attached documents as well as having provision for arbitrary notes in plain text.
posted by flabdablet at 12:17 PM on April 8, 2021
(I still can't understand something - if I use LP/1P on my own phone/laptop etc., what if I have to use someone else's computer to check my email? How do I log into Gmail on, say, my mom's computer if I don't know my password??)
posted by tristeza at 12:38 PM on April 8, 2021
posted by tristeza at 12:38 PM on April 8, 2021
You can set your phone (with 1p/lp installed) to display the password, then you can type it in manually on someone else's computer.
posted by kschang at 1:32 PM on April 8, 2021
posted by kschang at 1:32 PM on April 8, 2021
(I still can't understand something - if I use LP/1P on my own phone/laptop etc., what if I have to use someone else's computer to check my email? How do I log into Gmail on, say, my mom's computer if I don't know my password??)
You can open the app on your phone to see the password and just type it into the other computer. You don't have to generate password that are random like KVn@qPUhZTX9i*eb2db-YRr@FKGiPD. You can create "memorable" passwords like home-undertow-singlet-deeply-CHATTEL that are easy to type on another computer. 1Password lets you tap on a password to temporarily show it at maximum size on your phone to make it easier.
posted by ridogi at 1:38 PM on April 8, 2021
You can open the app on your phone to see the password and just type it into the other computer. You don't have to generate password that are random like KVn@qPUhZTX9i*eb2db-YRr@FKGiPD. You can create "memorable" passwords like home-undertow-singlet-deeply-CHATTEL that are easy to type on another computer. 1Password lets you tap on a password to temporarily show it at maximum size on your phone to make it easier.
posted by ridogi at 1:38 PM on April 8, 2021
With the KeePass family of password managers I can still check my email on somebody else's computer even without access to my phone. The process is a little lengthy but reasonably straightforward and doesn't involve trying to re-type a long and probably unfamiliar password without errors.
If I don't have my phone but do have my car keys, I can just plug in the USB stick that hangs off my keyring and do the same thing without the download and unzip steps, because that stick always has reasonably recent versions of portable KeePassXC and stephen.kdbx on it already.
posted by flabdablet at 2:27 PM on April 8, 2021
- Open a private web browser window.
- Download stephen.kdbx from Dropbox via the custom tiny.cc URL I made and memorized from its Dropbox sharing link, and save it to the computer's desktop.
- Download the Zip file for the portable version of KeePassXC from https://keepassxc.org and unzip it to the desktop.
- Open the resulting KeePassXC-xxx-xxx folder and double-click KeePassXC.exe inside it to launch KeePassXC.
- Tell KeePassXC to open stephen.kdbx, then enter the usual master password.
- When stephen.kdbx is open, click the Email group.
- Click the Fastmail entry, then press Ctrl-U to copy its login URL to the clipboard.
- Bring the private browser window to the front, right-click in its address bar and choose Paste & Go.
- When the Fastmail login page appears, click in the Username box.
- Bring the KeePassXC window to the front and press Shift-Ctrl-V. This makes KeePassXC minimize itself and then auto-type my Fastmail username and password into the now-frontmost browser window.
If I don't have my phone but do have my car keys, I can just plug in the USB stick that hangs off my keyring and do the same thing without the download and unzip steps, because that stick always has reasonably recent versions of portable KeePassXC and stephen.kdbx on it already.
posted by flabdablet at 2:27 PM on April 8, 2021
Another nice thing about KeePass/KeePassXC is that its auto-type facility doesn't care what you ask it to type into; it doesn't have to be a web browser, anything capable of receiving text and bouncing from username to password via the Tab key will work. So I can use KeePassXC to log into e.g. the Skype app on a foreign computer just as easily as logging into my webmail.
posted by flabdablet at 2:50 PM on April 8, 2021
posted by flabdablet at 2:50 PM on April 8, 2021
I use - and pay for - 1Password for my personal laptop and devices to store all of my passwords. I also have a free LastPass account that I’ll use on a work laptop to store work passwords and a few personal passwords that I need at work - Github, Docker, timesheet and paycheck sites, etc.
I’m very happy with 1Password and that there’s a desktop app.
posted by bendy at 1:25 AM on April 13, 2021
I’m very happy with 1Password and that there’s a desktop app.
posted by bendy at 1:25 AM on April 13, 2021
« Older Tea-Light and Tempered Glass - The Safe Distance... | Help my friend further streamline her baking... Newer »
This thread is closed to new comments.
The app installs as a browser-add on, and is also available on mobile devices. When you create an account and sign into each of them, the passwords (and anything else saved in them) sync across all the devices. I used the free version for quite some time before finally purchasing it, mostly because the paid version has some family-sharing features that we wanted to use.
You set a single master password to log-in to the app/service, and that's the only one you need to remember. I use my password manager for every single website I use, however silly, and each of them gets a ridiculously strong, unique password, period. Once I'm logged into LastPass, it automatically detects the page I'm on and will either automatically fill everything in (username and password), or, if it doesn't have anything saved yet, offer to save whatever I enter into a new record for use next time.
It's also pretty good at parsing the page to see if you're changing a password - a little indicator appears in the field that will tell it to generate a new secure password for the site, enter it automatically, and save it to the database.
The whole thing takes a little bit of getting used to; some websites used to make the app flake out but that hasn't happened in while now.
posted by jquinby at 7:04 AM on April 8, 2021