1Password is not for me: Doesn’t work with third-party applications

I use many, many online services that require passwords access. Some for important stuff like online banking, or gmail, or collaboration tools, or travel arrangements, or Twitter. Others are less important, like news sites that require logins. I was starting to get concerned about password security for all of that, so I tried the Mac application 1Password, which several people recommended to me.

1Password seems pretty powerful. But it’s not for me.

Reason: 1Password only integrates with Web browsers, not with 3rd party applications. For 3rd-party applications, you can generate stronger passwords using 1Password — but then you have to store them in the OSX keychain or elsewhere. If you rely on such applications regularly, this vastly reduces the potential security benefit of 1Password.

This became a dealbreaker for me. Here’s why…

On my laptop I use the Twitter applications Twhirl and Tweetdeck daily. Which means that to use the complex passwords generated by this program, I’d need to either check 1Password and copy and paste each time I wanted to log in — which is a hassle. I’d quickly tire of that hassle and then either store the passwords in the applications, or in a separate file, or in the Mac OSX keychain — all of which would defeat the purpose of using a password-management program.

1Password actively touts the advantages of its keychain over the OSX keychain. Which is why I found it ironic that today a 1Password rep recommended to me that for 3rd party apps I could still use the Mac OSX keychain for password storage. That’s kind of like saying, “Well, you can’t order the chicken, but this rat tastes like chicken.”

1PASSWORD ON IPHONE: WHAT’S THE POINT?

1Password prominently touts its iPhone application, which syncs with your Mac. This lack of integration is an even bigger problem on the iPhone, which has no copy and paste. On the iPhone I primarily use applications other than the browser to access services I use daily — including e-mail. Since 1Password doesn’t integrate with any of those applications, I’d have to manually type in those complex passwords for access, and then store them in the apps.

The only purpose of the 1Password iPhone application apparently is to securely store on your phone sensitive data, like your Social Security number. It won’t let you, say, use the complex password for your BrightKite account, which you set up via 1Password on your laptop, to log in to the BrightKite app on your iPhone. You’d have to type it in manually, or store the password in the app — which again undermines the intended security benefit.

So although 1Password appears to be useful in some ways, for me it’s got too many dealbreakers. I’ve requested a refund.

MASTER KEYWORD WOES? HOW TO START FROM SCRATCH

Oh, and: When I first installed 1Password, I had a problem with the Master Password for the 1Password keychain (something you need to enter in order to be able to use your other passwords — supposedly the only password you’ll need to remember). 1Password was not recognizing the master keyword I’d set. This may have been due to something I did wrong; I’m not blaming 1Password for this.

I ended up having to ditch my original 1Password keychain and make a clean start. In case you need to do the same thing, here are the full instructions (which I couldn’t find on the 1Password site, but 1Password rep Jamie Phelps sent them to me:

First, let’s make sure we’re starting over with a clean slate of 1Password. Make sure that 1Password is installed in your Applications folder rather than running from the disk image or the Desktop or some other location. Second, drag the following files to your desktop if you find them:

Home > Library > Keychains > 1Password.keychain

Home > Library > Application Support > 1Password > 1Password.agilekeychain

Home > Library > Preferences > com.1passwd.plist

Now, try launching 1Password and you should be presented with the blue setup screen again. Go through the initial setup and see if you continue to have trouble. If your master password does not work for you after this, please let us know and we’ll investigate further.

I post that in case anyone else is having the same problem, since I could only find the first step in that process on the 1Password site.

In summary — 1Password may be a great solution if you don’t rely regularly on applications other than your browser to access online services. As I said, several people I respect have recommended it. But if 3rd party applications are crucial to your online experience (on your computer or iPhone), then think twice before buying this software.

If you liked my post, feel free to subscribe to my rss feeds

Post meta

This entry was written by Amy Gahran and posted on March 1, 2009 at 4:37 pm and filed under problems, processes, security, software. Bookmark the permalink. Follow any comments here with the RSS feed for this post. Post a comment(Latest is displayed first) or leave a trackback: Trackback URL.

Share with others

Post 1Password is not for me: Doesn’t work with third-party applications to digg.

Post 1Password is not for me: Doesn’t work with third-party applications to Reddit

One Comment

Thanks for the post! While I’m not happy to hear 1Password did not meet your expectations, I’m thankful you took the time to explain why so we can try to improve.

Unfortunately, the main two items you identified are not something we can do much about as we are not allowed to. Let me explain.

First, the OS X Keychain is an OS X system service that all applications have access to. It would be very difficult for us to remove this service and replace it with our own. While I do see the usefulness of this approach, it would be incredibly fragile and likely break a lot more things then it fixes. Interestingly enough, we used to store our data in the OS X Keychain (using our own keychain separate from the login keychain), and it worked well, but we found for our purposes we needed to develop our own solution. This is not to say the OS X Keychain is bad, but rather it did not fit the needs of 1Password. For example, the OS X Keychain was designed to store 1 or 2 items per application, whereas 1Password needed to store thousands of items. Because our needs were so vastly different, we found many of the design choices made by the OS X Keychain team did not fit our needs so we designed our own.

With that said, the OS X Keychain is still a secure place to store your account passwords (assuming your login password is strong) so you shouldn’t fear using it. You can allow applications like Twhirl and Tweetdeck to store your generated password into the OS X Keychain, and also keep the password in 1Password as a Wallet item or Secure Note. The benefit here is if you ever reset your login keychain, or setup a brand new machine and don’t want to migrate your old keychain, you will have access to the passwords.

As for the iPhone, there are a different set of limitations that we need to abide by. Sadly we are not allowed to extend the Mobile Safari application on iPhone; if we did we would be kicked out of the App Store for violating Apple’s terms of service. If we could, we certainly would have added the 1P icon to Mobile Safari just like we do on Mac.

Since we are not allowed to change Safari, what we do instead is to allow you to browse your sites inside the 1Password application itself. Simply find your Login, click on the URL, and we open up a browser (inside 1Password) to log you into the site. We actually use the same WebKit browser that Safari uses.

Anyway, I just wanted to shed some light on the issues you reported and why we elected to do things the way we did.

Thank you for trying 1Password and I hope your friends who recommended 1Password to you help me change your mind

Cheers!

–Dave Teare
Co-author of 1Password

Nunuv Yurbiz reply on November 11th, 2009 12:19 am:
Yeah, I’m not sure the author’s criticisms make any sense. Basically, the author is saying that 1P is not perfect, that it does not solve all problems (related to passwords), so therefore it’s no good. That doesn’t make sense to me. It’s better than the built-in keychain, which has its own limitations.

The question then becomes is it worth the price. I’m currently using the 3.0 beta. 1P really needs to be able to better handle multi-page logins (ID on one page, password on the other). And those stupid questions that some sites make you answer if, say, you login from an unrecognized IP address. The questions are stupid because it’s the same questions on just about every site! Arrrgh. Now everyone knows the name of my first pet, where I was born, the make of my first car, my favorite teacher (seriously?), etc., etc. Forget marketing questionnaires, which no one will answer, just require the info as part of “security.”


1. David A Teare on March 2nd, 2009 at 9:36 am