1Password Review

While many of us in the FIRE community are vigilant when taking care of our financial lives, we must also be vigilant when taking care of our digital lives. How many online accounts do we own? How many passwords do we reuse? How strong are our passwords? Hackers know that humans can’t remember hundreds of unique passwords. They rely on the fact that we reuse passwords and that our passwords are usually simple, combining data that can be mined from social media accounts. Computers and internet networks are getting faster, so with short passwords, a hacker can brute-force different combinations. Once they have access to one of your accounts, you can guarantee that they’ll access your other accounts.

I admit it, I used to reuse passwords. I had several different passwords and often got locked out of my accounts. I used to keep a document with censored passwords, that is, passwords where I hid most of the password but exposed enough of it so that I could remember them when needed. This method is insecure and doesn’t solve the password misuse problem. That’s when I started to use a password manager.

What is a Password Manager?

A password manager is a software application that stores your passwords. When you need to access the password for an account, you can find it in the password manager. Password managers can generate unique passwords for each account. They simplify your life as you only need to remember one password going forward, known as the master password. In reality, you need to remember two passwords because you shouldn’t store your email password in the password manager.

Are Password Managers Safe?

Yes, most password managers are safe. You need to research what security measures these companies have in place and whether they have had security breaches in the past. Most password managers are built as zero-knowledge systems: they don’t record your master password, but your data is encrypted using it. If you forget your master password, you’re out of luck because the password manager company will not be able to retrieve it. That also means that the data is pretty secure in the event of a hack.

Bye-Bye LastPass

I used LastPass in the past because it was free on multiple devices. I used it as a browser extension and as a smartphone app. What I liked about the browser extension was that I could configure it to prompt for the master password each time. Researching this feature online, I realized that it doesn’t make it safer but at least a regular person can’t access my passwords if I forget to lock my computer.

When LastPass limited the free account to a single device in 2021, I started paying for LastPass Families so that my spouse could use it too. One of the features that I liked about their family account is that I can set up an emergency contact who can be granted access if something happens to me. Many other companies don’t have this feature and ask that you print out credentials on a piece of paper and store it in a safe place. But you have to wonder how this feature is possible if LastPass uses a zero-knowledge system.

LastPass had several security breaches between 2015 and 2022. I’ve had to change my account passwords multiple times over the years as a result of these breaches and each instance took multiple hours. The recent security breaches in 2022 were severe. Employees had their credentials stolen both on their work computer and their home computer. A hacker was able to make a copy of the encrypted data. That was the straw that broke the camel’s back.

When I transferred my data from LastPass to 1Password, 1Password was able to access metadata that I didn’t realize that LastPass stored. The metadata included form fields on account creation pages when LastPass prompted me to save a password. It also included addresses, answers to security questions, and previous passwords. Needless to say, I lost trust in LastPass.

Welcome 1Password

My company uses 1Password to store shared credentials. I researched 1Password as an alternative to LastPass in the past. I didn’t like that there was no ability to require a master password prompt after opening the vault. I also didn’t like that there was no way to grant access to my account if something happened to me. But I have been okay living without these features.

If your company uses 1Password, you can get a 1Password Families account for free. Simply create a personal 1Password account using your personal email address. If you’re Canadian, make sure that your account is created on the 1password.ca domain and not the 1password.com domain. That ensures that if you leave your company and want to continue paying, you will be charged in CAD. Your account cannot be transferred from one domain to the other.

1Password Security

In addition to your master password, 1Password generates a unique secret key when you create an account. Your data is encrypted using both your master password and the secret key. When logging into 1Password from a new device, you need to provide both. Once authenticated, the secret key is stored on the device and all you need to do is provide the master password.
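The two-secret idea described above, sketched as an added example (not code from this post and not 1Password's actual implementation). The work factor, the XOR combination step, the function names, and every sample value are assumptions chosen for illustration.

```python
import hashlib
import hmac

PBKDF2_ROUNDS = 100_000  # assumed work factor for this sketch


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869): extract a PRK, then expand it to `length` bytes."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_vault_key(master_password: str, secret_key: str, account_id: str, salt: bytes) -> bytes:
    """Combine a memorised password and a device-stored secret key into one 32-byte key."""
    # Slow, salted stretch of the password: every guess costs PBKDF2_ROUNDS hashes.
    from_password = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, PBKDF2_ROUNDS, dklen=32
    )
    # The secret key is already random, so a fast HKDF expansion is enough.
    from_secret = hkdf_sha256(secret_key.encode("utf-8"), account_id.encode("utf-8"), b"vault-key")
    # XOR: the output is only reproducible when BOTH inputs are known.
    return bytes(a ^ b for a, b in zip(from_password, from_secret))


# Constructed sample values (not real credentials or a real key format).
SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
ACCOUNT = "user@example.com"
PASSWORD = "correct horse battery staple"
SECRET_KEY = "SAMPLE-7F3K2Q-9XW4BD-CONSTRUCTED"


def guess_unlocks_vault(password_guess: str, secret_key_guess: str) -> bool:
    """True only when a guess reproduces the key the vault was encrypted under."""
    real = derive_vault_key(PASSWORD, SECRET_KEY, ACCOUNT, SALT)
    guess = derive_vault_key(password_guess, secret_key_guess, ACCOUNT, SALT)
    return hmac.compare_digest(real, guess)


if __name__ == "__main__":
    print("both secrets:     ", guess_unlocks_vault(PASSWORD, SECRET_KEY))
    print("password only:    ", guess_unlocks_vault(PASSWORD, "SAMPLE-WRONG-KEY"))
    print("secret key only:  ", guess_unlocks_vault("password123", SECRET_KEY))
```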

If you use a Mac, you can also unlock the 1Password vault using Touch ID. Once the vault is unlocked, it will automatically lock after an inactivity timeout.

1Password Features

Many of the leading password managers provide similar features. These were the features that I was looking for:

  • App support across different devices
  • Browser extension
  • Strong password generator
  • Stores passwords, notes, and documents
  • Password sharing with family members
  • Data breach and dark web monitoring

While password managers can also be used as a 2FA authenticator app, I prefer to keep these separate. After all, I use 2FA codes for 1Password and would have to use a separate 2FA authenticator app anyway.

Master Password Recovery

I recently discovered that family organizers as part of a 1Password Families account can help members reset their passwords. So it’s best to make sure there are at least 2 people designated as family organizers in the 1Password Families account. Recovered accounts will continue to have access to what they had before, but their secret key and their 2FA will be reset. Again, I’m not sure how data for an account can be recovered in a zero-knowledge system.

1Password Pricing

Pricing for 1Password Families is C$5.99/month. This is only C$0.49/month (or about C$6/year) more expensive than LastPass Families. The price difference is worth it for the peace of mind that 1Password has not yet had any security breaches.

Conclusion

We live an increasingly digital life where each online account often requires us to create a password. We can’t rely on websites to do a good job of keeping our credentials safe. Many sites have had security breaches whether they know it or not, allowing hackers to extract customer information that may or may not include plain-text passwords. These types of hacks are dangerous if we reuse passwords. That’s why it’s important that we keep our online accounts safe by using strong, unique passwords. This is where password managers can simplify our lives by lifting the mental burden of remembering hundreds of passwords.

If you don’t already use a password manager, I hope that this post convinces you to use one.