For most people, a password manager that’s limited to Windows isn’t good enough. It’s important to have password access on all your devices. AgileBits 1Password has you covered, with apps for Windows, macOS, Android, and iOS, plus browser extensions for Chrome, Edge, Firefox, Opera, and Safari. A Chrome-only add-on extends the product’s reach to any platform that can run Chrome, including Linux. However, it’s not as automated as most, and it lacks high-end features such as password inheritance and automated password updates.
Pricing for password managers varies more than many other categories of security software. You can get Zoho Vault for just $12 per year, Dashlane costs $39.99 per year, and most of the rest fall somewhere in between. With 1Password, you pay $3.99 per month, which goes down to $2.99 per month ($35.88 per year) if you pay a year at a time. You can use the product on all your devices, and syncing is instant and automatic.
1Password also offers a family plan, at $5.99 per month, or $59.88 per year. This gets you five licenses, along with the ability to share passwords within your family. Keeper has a similar family plan that gets you five licenses plus 10GB of secure online storage. For business, you can set up a team account, at $3.99 per user per year.
With version 7, 1Password gets a major user interface update and a raft of new features. For example, Windows users now get the full security audit that previously showed up only on macOS, and on both platforms the audit now checks for pwned passwords and sites where you could use two-factor authentication but don’t have it enabled. I’ll point out these new features in context.
The most immediately visible user interface change is in the sidebar menu at left. Previously, its lower portion split into three tabs for Categories, Tags, and Security. Now it’s one long scrolling list, with the option to expand or collapse those same three sections. It now puts the numbers next to each category and tag in a darker oval, making them easier to see. The differences aren’t huge, but it’s clear much thought went into fine-tuning the UI.
Launch Chrome, Edge, Firefox, Opera, or Safari, and navigate to the 1Password website. Sorry, 1Password doesn’t support Internet Explorer. Sign up for an account and you get 30 days of premium features for free. Entering your credit card info is optional. During setup you enter your name, and you have the option to add a photo.
The next step is somewhat unusual. 1Password generates what it calls an Account Key, a massive string of 34 letters and digits, separated by hyphens into seven blocks of varying sizes. Each time you add a new device or browser extension, you need this key.
Next, you create a strong master password. As always, this should be something you can remember, but nobody else would guess. To help you manage that monster account key, the wizard creates what it calls an emergency kit. This is a PDF file containing your email address and account key, with a space to write down your master password. Print it off, fill in the master password, and stick it in your fireproof lockbox, or somewhere else secure.
With your account finalized, it’s time to set up your apps for Windows, Mac, Android, and iOS. You do need that account key for each installation, but you don’t necessarily have to type it. After installing the app on an Android or iOS device, you can use it to snap a QR code that fills in all your information except the master password. If you’re installing on a desktop device, you can copy that QR code to the clipboard for import or, new in this edition, just tell 1Password to find the QR code onscreen. You won’t often need to type in the account key.
If your activated device gets lost or stolen, the thief would still need your master password to access your credentials. But for total security, you can log into the web console, click My Profile, and deactivate the device. Now that thief would need both your master password and Account Key to gain access.
For full functionality, you also must add the 1Password extension to your browsers. The first time you open a supported browser, 1Password offers its extension. To add the Edge extension, you install it from the app store and then log in with your account information.
The easiest way to switch from one password manager to another is to import the existing product’s passwords. 1Password can import passwords stored in Chrome, and import from LastPass, Dashlane, and RoboForm, but that’s it for direct import. If you’re moving from a different password manager, you must export the data to a CSV file and format it according to the instructions in 1Password.
LastPass, by contrast, can import from over 30 competing products, and KeePass imports from almost 40. Note that to use the import feature, you must log into your 1Password account online. The local app can only import 1Password files exported from another installation.
You do have another option for importing. The 1Password Utilities collection includes community-created scripts to convert data exported from 35 other products into 1Password’s own format. However, using these scripts is definitely a hands-on proposition.
Password Capture and Replay
1Password’s browser extension watches as you enter your credentials on secure websites and offers to save what you’ve entered. In the password capture dialog, you can enter a friendly name for the login and also add one or more tags. New in this edition, you can create nested tags by separating levels with a backslash, for example, “EntertainmentDining.” By default, all passwords go into your personal password vault. If you need to keep multiple sets of passwords, perhaps personal and work collections, you can define additional vaults and choose which to use at capture time. And you can choose to view items from just one vault, or see them all at once.
Password replay with 1Password is not quite as automated as with most competing products. When you revisit a site for which you’ve saved login credentials, you press the magic keystroke Ctrl+ to fill those saved credentials. If you have more than one set of credentials, 1Password presents you with a list.
My AgileBits contact pointed out that requiring user interaction before filling passwords is a deliberate, security-related decision. It eliminates the chance of a website snagging your credentials using invisible login forms.
RoboForm, LogMeOnce, Password Boss Premium, and most of the other products of this type offer another handy way to use your saved logins. Clicking the toolbar button displays a list of your saved sites, and clicking one of them first navigates to the site and then logs in. 1Password does this as well, using a popup list of logins rather than a menu. You can scroll down the list or just start typing the name of the login you want. The list narrows to match what you’ve typed. Just click to visit and log into the desired site.
You can also press the magic key combination Ctrl+Alt+ to bring up 1Password Mini. This is an even smaller version of the main app. You can use it to view your saved data, and even enter application passwords using copy/paste.
There are always some nonstandard logins that confuse password managers. LastPass Premium, Sticky Password, Keeper, and a few others get around this problem with a manual capture feature. So does 1Password, though it’s a bit tricky to find. You first enter your credentials, then press Ctrl+. In the resulting popup, click the Settings icon at the bottom left, and choose Save New Login.
Just storing all your existing passwords in 1Password isn’t enough. You need to find those old, weak passwords and update them to something strong and unguessable. 1Password deliberately doesn’t attempt to automate the process of changing passwords, for a variety of reasons. Chief among these, according to my company contact, is the worry that a failure of automatic password updating, perhaps due to a change in the website, could result in locking you out of your account. Keeper’s developers avoid this automation for similar reasons, though Keeper Password Manager & Digital Vault offers one-click filling of standard password-change forms.
1Password does offer a password generator to help you create a strong password when signing up for a new site or updating an existing one. The password generator, whether in the Windows app or the browser extension, defaults to 24 characters. I approve of long generated passwords—after all, you don’t have to remember them. Not every product reflects this fact, though. RoboForm, Trend Micro Password Manager, and Ascendo DataVault default to just eight characters; I worry that users won’t know to change this. At the other end of the spectrum, the free Myki generates 30-character passwords by default.
By default, 1Password generates passwords that include capital and small letters, digits, and symbols. You can disable use of digits and symbols if you hit a website that doesn’t accept them, but the letters are always there. Also by default, 1Password doesn’t allow ambiguous characters such as the digit 0 and capital letter O. Since you don’t have to remember these passwords, I suggest you allow these characters, as suppressing them shrinks the pool of possible random passwords. Don’t worry, any changes you make to the defaults affect both the extension and the app.
Using a random collection of characters makes a password strong, meaning it’s extremely hard to crack. Another way to make a password strong is to make it long. 1Password’s generator can churn out random collections of words, separated by a hyphen, space, period, comma, or underscore. By default, it offers four-word phrases like “maxilla hound bisexual perspire” and “spake anarchy opal hysteric.” The main use I see for this feature is when you must memorize the password, like the famed “correct horse battery staple” example. For passwords that 1Password totally manages, stick with random collections of characters.
Like Dashlane, LastPass, and most other commercial password managers, 1Password lets you store personal information for use in filling Web forms. You can create any number of identities, each of which includes personal data, address information, and a variety of internet contact details. 1Password also stores credit card information separately from the personal identity.
Some fields, like name, address, and telephone, always appear. You can click the red-circled minus icon in front of optional fields to remove them, if you’re sure you’ll never use them. With the demise of AOL Instant Messenger there’s no point in storing an AIM screen name, for example, and few people still use ICQ.
RoboForm Everywhere is the long-time master of form-filling, and includes uncommon options like the ability to have multiple instances of any data field. 1Password doesn’t do that, but it does let you add custom fields.
When you navigate to a Web form, most products offer to fill your personal data. As with password replay, 1Password is a bit more hands-on. You click Ctrl+ for a menu of available identities. I found that it did an okay job of filling in my stored data. I entered phone numbers for home, work, fax, and cell; it filled in the Fax field with the home number, leaving the rest blank. It also filled in the CCV code for my imaginary credit card in the SSN field. Still, every field filled by 1Password is a field you don’t have to fill yourself.
Organizing and Editing
Whether in the Windows application or the browser extension, you can view and edit all your saved logins and other stored data. Many password managers let you organize your saved items into folders. LastPass, Sticky Password Premium, and a few others even support nested folders. 1Password instead uses a tag system, allowing multiple tags for each login. As noted, the current edition supports nested tags, created by separating the levels with a backslash, for example, “EntertainmentMovies.”
In addition to passwords, identities, and credit cards, you can add a wide variety of other data items, and access them from any of your devices. Among the many choices are driver’s license, passport, and social security number.
There aren’t many configuration options to worry about. Chief among these is the security option to log out after 10 minutes of inactivity. You can change the idle time to various choices from 30 seconds to 12 hours. 1Password also automatically locks if you switch away from your Windows user account. New in this edition, you can use Windows Hello to unlock 1Password.
Some Advanced Features
In the previous editions, 1Password’s password strength report appeared in the Mac edition, but not on Windows. Windows has now caught up. Under Security in the sidebar, you can see a list of weak passwords, of passwords you’ve used more than once, and of passwords that haven’t been changed for a long time. This isn’t the full security audit you get with LogMeOnce, LastPass, Dashlane, and a few others, but it’s good to have.
A feature called Watchtower warns you of possible compromised passwords. Keeper and Dashlane offer similar reporting of passwords possibly exposed by a data breach. Of course, I couldn’t test this feature, but it seems like a good idea. Watchtower also uses the haveibeenpwned.com website as another check for compromised passwords. More interestingly, it checks your saved sites against the Two Factor Auth website and flags entries where you’ve neglected to enable available two-factor authentication.
Password sharing is available only in the Family and Team editions. You can’t share a password with just any fellow user, the way you can with Intuitive Password, LastPass, and many others. In addition, 1Password does not include a mechanism for passing on your account to your heirs after your demise.
You can configure many websites to use time-based one-time password (TOTP) apps like Google Authenticator, Twilio Authy, and Duo Mobile for smartphone-based two-factor authentication. In addition to the password, you must enter a time-sensitive code returned by the app. 1Password has that sort of authentication built in. You register it as an authenticator, just as with any of the others. Thereafter, the site’s entry in the password list always shows the latest code. That means you need just one app to log in, not two. When you log in to the site, 1Password puts the current code in the clipboard, so all you need do is Ctrl+V after Ctrl+.
As the name suggests, Myki Password Manager & Authenticator also packs this ability, without need for pasting from the clipboard. Dashlane, too, can replace Google Authenticator.
1Password didn’t previously support the two-factor authentication that’s such a major feature of True Key. However, its system of validating new devices using the Account Key is a form of two-factor authentication. You can get that key from your emergency kit, or from any of your existing devices. New in this edition, you can protect your 1Password account with full-scale two-factor authentication.
You’ll need a separate authenticator app such as Google Authenticator, Twilio Authy, or Duo Mobile. As the documentation points out, you can’t use 1Password’s authentication skills here. Doing so, it says, “would be like putting the key to a safe inside of the safe itself.” To enable two-factor authentication, you log in to your online account, click your name at top right, and choose My Profile. On the resulting page, click More Actions and then click Turn On Two-Factor Authentication. 1Password requests your master password at this point. Scan the displayed barcode with your authenticator, enter the resulting six-digit code, and you’re done. Now logging in to 1Password requires both your master password and a time-based one-time password.
Installed on a Mac, 1Password’s browser extension lets you capture and replay passwords in Chrome and Safari. The Mac edition includes a few other features not currently available in Windows. You can use markdown formatting for rich text formatting in notes. Markdown defines simple conventions such as boldfacing words bracketed by asterisks and italicizing words bracketed by underscores. On a Mac, you can move items between vaults using drag and drop. You can also pull an item off into a floating window, to keep it handy while you work in the browser. My contacts at AgileBits say these features will come to Windows in a point release.
On an iPhone or iPad, you get full access to all your logins and other saved data. Launching a site opens it inside 1Password’s proprietary browser. To use it with Safari you must copy and paste, but the Quick Copy feature automatically copies the next field after you fill one. TouchID support is available, and FaceID for the newest devices, and you can use your iOS device to enable 1Password’s TOTP authentication feature.
Fingerprint authentication is also available in the Android version, with the added ability to set a PIN code for devices without a fingerprint reader. As on iOS, logins open in the proprietary browser by default, but you can enable autofill in other browsers using Android 8 (Oreo) or later.
The browser extensions I’ve mentioned thus far work by communicating with the 1Password app. 1Password X is a standalone Chrome extension. That means you can use it on any platform that supports Chrome, including Linux. It encapsulates most of the app’s functionality, with a few exceptions. And it’s much improved since my last review.
Password capture and replay don’t require any special keystrokes. When you enter a username and password, 1Password X displays a popup offering to save your credentials. Like Dashlane and Keeper, it puts this offer right below the password field, which is convenient. In a similar fashion, when you revisit a page that has one or more saved logins, it displays the choices right under the login fields.
I did find that it failed to capture two-page logins like EventBrite and Amazon. However, it managed to log into them using credentials already in the system.
If 1Password X detects that you’re creating a new account, it offers a suggested password from the password generator. It defaults to 30 characters using letters and digits, but no symbols. New since my last review, you now have control over the password manager’s configuration. As with Abine Blur Premium, the password generator always includes uppercase and lowercase letters. I advise turning on use of symbols as well. The password generators in the app and in the app-reliant extensions share the same settings, but 1Password X doesn’t.
As with the app and browser extensions, it also offers memorable passphrases like baste-demijohn-myna-critter. In an unusual step, the password generator can also gin up digit-only PIN codes of any length.
I thought at first that 1Password X didn’t support time-sensitive passcodes. Pressing Ctrl+V didn’t paste in the code, the way it did with the regular extensions. I found that you must click the toolbar button, select the site from the list, and click a Copy button next to the code.
In testing the previous edition, I couldn’t get it to fill form fields. This time around it placed a keyhole icon in the selected field. Clicking the icon got me an offer to save the form’s data—not what I wanted. I found that the correct action is to click the toolbar icon, choose the desired identity, and click Fill.
This is a big improvement from the previous edition. You can now configure the password generator, it fills web forms just as well as the local app, and searching on item names or tags is a snap. And the fact that you can use it on absolutely any platform that supports Chrome makes it ever so useful.
Worth a Look
You can try AgileBits 1Password for 30 days at no cost, so if it sounds interesting to you, give it a whirl. It smoothly syncs your passwords and personal data across all your Windows, macOS, Android, and iOS devices, and handles all the expected tasks of a password manager. Not only that, the 1Password X extension brings your passwords to any platform that supports Chrome. True, password replay and form filling aren’t quite as automated as in competing products, but during the trial period you’ll learn whether that limitation bothers you. Don’t want to continue? There’s a handy option to delete your account completely.
If you find that you want more than what 1Password offers, consider the products we’ve identified as Editors’ Choices in the commercial password manager arena. Dashlane and Keeper both offer a wonderfully smooth user experience, along with a significant collection of advanced features. Keeper handles application passwords, for example, and Dashlane keeps receipts of your online purchases. Both offer secure sharing, and both let you assign an heir to inherit your account after your demise. Either one can be a great choice for your password management tasks.