
Living with a Password Manager (part 3)

In the final part of our article we find out how well 1Password stacks up as a Password Manager. We examine how well our password-related objectives are met across a range of scenarios.

In Part 2 of this article we tested out the usability of 1Password by looking at the following:

  • Importing login credentials into 1Password from our existing web browsers and operating systems.
  • Testing the usability of 1Password whilst using apps and surfing the web.
  • Investigating the highlighted problems and questions raised in parts 1 & 2 of this article.

Here in part 3 we will examine how well 1Password met our 5 Objectives then provide some conclusions on how to make use of Password Managers.

Scenarios vs Objectives

In this section we will examine how well 1Password meets our 5 objectives.

1) Operating System support

For this objective we check out 1Password’s support for multiple operating systems i.e. its compatibility and ease of installation.

1.1) Android

Our device was an LG Nexus 5X smartphone running Android 8.1.0 (Oreo) as the operating system. The minimum requirement for 1Password was Android 5.0 or later.

Installation was straightforward: I downloaded the app from Google Play, then signed in by scanning a QR code from my 1Password online account and entering my Master Password.

1Password Android app download from Google Play.

Some minor configurations included:

  • Enabling 2FA (Two-Factor Authentication) to use Fingerprint Unlock.
  • Turning on the Autofill option to fill and save usernames & passwords.

1.2) iOS

Our device was an Apple iPad tablet running iOS 14.4.1 as the operating system. The minimum requirement for 1Password was iOS 12 or later.

Installation was similar to Android by downloading the app from the Apple App Store, then signing in by scanning a QR code from my 1Password online account and entering my Master Password.

1Password iOS app download from the Apple App Store.

Additional steps included:

  • Turning on ‘Unlock using Touch ID’ to act as 2FA. Later versions of an iPad would use Facial Recognition if present.
  • Configuring AutoFill to use 1Password rather than iCloud Keychain.

1.3) Linux

Our device was an AMD-based Desktop PC running Ubuntu 20.10 (Groovy Gorilla) as the operating system.

In part 1 we downloaded and installed ‘X’ which was the app listed for Linux. The minimum requirement for 1Password was Firefox 60 and the app turned out to be a browser extension.

1Password extension for Firefox web browser.

Whilst digging deeper into the Getting Started notes it turns out that there is a beta release app for Linux:

1Password for Linux is the simple, beautiful password manager you’ve been looking for. Easily organize your secure information, save and fill passwords in your web browser, and have everything available at your fingertips.

1Password.com

The beta app specified support for the following Linux variants:

  • Debian or Ubuntu
  • CentOS, Fedora, or Red Hat Enterprise
  • Arch Linux

Installation on Ubuntu involves:

  • Adding the key for the 1Password apt repository.
  • Adding the repository itself.
  • Installing the 1Password app.

The commands for these are:

sudo apt-key --keyring /usr/share/keyrings/1password.gpg adv --keyserver keyserver.ubuntu.com --recv-keys 3FEF9748469ADBE15DA7CA80AC2D62742012EA22

echo 'deb [arch=amd64 signed-by=/usr/share/keyrings/1password.gpg] https://downloads.1password.com/linux/debian edge main' | sudo tee /etc/apt/sources.list.d/1password.list

sudo apt update && sudo apt install 1password

These commands ran successfully with only the following warning:

  • Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).
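
As an added example (not from the original article or from 1Password), the script below checks the two things that make this setup trustworthy: that the keyring holds only the key with the fingerprint given above, and that the repository line pins that keyring with signed-by, so the key is trusted for this one repository rather than for every apt source. The sample gpg output is constructed and the function names are illustrative.

```shell
#!/bin/sh
# Added example, not 1Password's tooling. Fingerprint, keyring path and
# repository line are the ones shown on this page.
EXPECTED_FPR=3FEF9748469ADBE15DA7CA80AC2D62742012EA22
KEYRING=/usr/share/keyrings/1password.gpg
SOURCE_LINE='deb [arch=amd64 signed-by=/usr/share/keyrings/1password.gpg] https://downloads.1password.com/linux/debian edge main'

# Constructed sample of `gpg --show-keys --with-colons "$KEYRING"` output;
# dates, key sizes and the subkey fingerprint are made up.
sample_colons() {
    cat <<'EOF'
pub:-:4096:1:AC2D62742012EA22:1500000000:::-:::scESC::::::23::0:
fpr:::::::::3FEF9748469ADBE15DA7CA80AC2D62742012EA22:
sub:-:4096:1:1111111111111111:1500000000::::::e::::::23:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAA1111111111111111:
EOF
}

# Print primary-key fingerprints only: the "fpr" record (field 10) that
# directly follows a "pub" record. Subkey fingerprints are skipped.
primary_fprs() {
    awk -F: '$1 == "pub" { want = 1; next }
             $1 == "fpr" && want { print $10; want = 0 }'
}

# Succeed only if stdin describes exactly one primary key and it matches.
keyring_matches() {    # usage: gpg ... | keyring_matches FINGERPRINT
    fprs=$(primary_fprs)
    [ "$fprs" = "$1" ]
}

# Succeed only if a one-line "deb" entry carries signed-by=KEYRING in its
# [options] and fetches over https.
source_is_pinned() {   # usage: source_is_pinned "LINE" KEYRING
    printf '%s\n' "$1" | awk -v want="signed-by=$2" '
        $1 != "deb" { exit 1 }
        {
            if (match($0, /\[[^]]*\]/) == 0) exit 1
            opts = substr($0, RSTART + 1, RLENGTH - 2)
            rest = substr($0, RSTART + RLENGTH)
            n = split(opts, o, " "); ok = 0
            for (i = 1; i <= n; i++) if (o[i] == want) ok = 1
            split(rest, r, " ")
            exit !(ok && (r[1] ~ /^https:\/\//))
        }'
}

if sample_colons | keyring_matches "$EXPECTED_FPR"; then echo "key: ok"; else echo "key: MISMATCH"; fi
if source_is_pinned "$SOURCE_LINE" "$KEYRING"; then echo "source: pinned"; else echo "source: NOT pinned"; fi
```

On a real system, pipe `gpg --show-keys --with-colons /usr/share/keyrings/1password.gpg` into `keyring_matches` and pass the line from /etc/apt/sources.list.d/1password.list to `source_is_pinned`.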

Starting the app opened up 1Password in Firefox then prompted for ‘onepassword’ links to be opened by the app itself. I then had to log in with my Master Password then enter the 2FA (Two-Factor Authentication) 6-digit code.

1Password app on Linux (beta release).

Once the app was open it looked just the same as the web version and those in the Android and iOS apps. There was even a convenient icon added to the System Toolbar at the top of the screen.

1.4) macOS

Our device was an Apple MacBook laptop running macOS 11.2.3 (Big Sur) as the operating system. The minimum requirement for 1Password was macOS 10.13 or later.

Installation involved logging into my 1Password online account which required 2FA using the Google Authenticator app I had on my smartphone. The next step was to download the .pkg installation file and run it. This took me through the install wizard that involved scanning a QR code from my iPad using the MacBook camera then inputting the Master Password again and another 2FA prompt for Google Authenticator’s 6-digit code.

1Password macOS app download from the Apple App Store.

Once the app was installed I then proceeded to install the Firefox and Safari browser extensions which included signing into those too.

1.5) Windows

Our device was a Dell Laptop running Windows 10 as the operating system. The minimum requirement for 1Password was Windows 7 or later.

The Windows installation of 1Password was very similar to macOS. This involved logging into my 1Password online account, entering the Master Password then supplying 2FA from the Google Authenticator app. I then downloaded and ran the .exe installation file and went through the installation wizard to add my existing 1Password account.

1Password app on Microsoft Windows 10.

Once the app was installed I then proceeded to install the Chrome and Edge browser extensions which included signing into those too.

VERDICT

Installation across all the platforms was straightforward and the instructions were clear and understandable. There are some areas that could be improved for clarification on questions raised in parts 1 & 2 of this article but these were few.

Installation on Linux was not for the novice user but in general more technical users tend to opt for this operating system.

I was hoping that having the 1Password app installed on Linux, macOS and Windows would provide login integration with other apps but unfortunately this is not the case. The 1Password app is merely a way of managing your account rather than relying on the web page version. This leaves browser extensions as the only way to manage usernames and passwords for signup and login purposes thereby limiting it to websites.

2) Synchronizing Passwords for Browsers

This objective is to assess how well 1Password synchronizes usernames and passwords across web browsers. We will test this for the same browser on different devices plus different browsers on both the same and different devices.

1Password iOS app working with Safari.

Below are the different tests performed:

  1. a) Create login for cbs.com using Safari on iOS (Keychain disabled).
    b) Next login to the same site using the same browser on macOS.
    • a) Partial Success – the account could be created in conjunction with 1Password once I followed these steps. I did however have to manually copy & paste the generated password into the CBS form. Additionally 1Password did not correctly save the form data e.g. zip code was stored under password and date of birth was stored under zip code.
    • b) Failed – whilst 1Password says here that it works with Safari on macOS I did not see any evidence of this and checked all the settings. The CBS login did synchronize from iOS to macOS even though the data was scrambled.
  2. Create login for nbc.com using Firefox on Linux then login to the same site using the same browser on macOS.
    • Success – creating the account using Firefox on Linux worked perfectly. Once the email was input 1Password prompted if I wanted to save this under a NBC entry. When I moved to the password field I was prompted with a random generated password which then updated within 1Password. Using Firefox on macOS the login was seamless.
  3. Change password for nbc.com using Firefox on macOS then access the same site using the same browser on Linux.
    • No result – this test was not possible because changing passwords on NBC is done via a Reset Password email. Unfortunately after many attempts the email never arrived and was not in the Junk or Spam folders! Not an issue on 1Password’s part.
  4. Login to nbc.com using Chrome on Windows.
    • Success – after being prompted to login to 1Password I was provided with my synchronized NBC details to login with.
  5. Delete login for nbc.com using Edge on Windows then attempt login to same site using Chrome on Android (ensure not logged into Google account on both devices).
    • No result – due to the issue with test #3 this was not possible. Again not a problem on 1Password’s part.
  6. Create login for abc.com using Chrome on Android then login to the same site using the same browser on Windows (ensure not logged into Google account on both devices).
    • Failed – even after following these instructions I could not get 1Password to work with Chrome on Android. When I completed the signup there was a prompt to save the login but this was not by 1Password. I had definitely logged out of my Google account so maybe Chrome itself was saving it? I then tried logging into abc.com in the Chrome and Edge browsers on Windows but there was no prompt by 1Password to save the login details in either browser.

VERDICT

The only winner out of all these tests was Firefox – everything else was problematic which is a disappointing performance by the Password Manager with regard to working with Apple, Google and Microsoft products essentially covering 80-90%+ of the market.

3) Handling App Logins across Devices

This objective was to find out how effective 1Password is at synchronizing login credentials for apps across different devices with a mix of operating systems.

Password settings on iOS.

For this test we were going to use the Facebook and Instagram apps. Given Linux does not support the OEM versions of these apps we were going to see if 1Password allowed the use of the app logins for web browser access.

VERDICT

As we have already seen from objective #2 there is an inability for 1Password to effectively manage passwords across all web browsers on different platforms. It is fully limited to Firefox as multi-platform.

We also saw in part 2 (Usability with Apps & Browsers) that 1Password was sporadic with its ability to manage passwords with apps.

Finally in part 2 (Importing Login Credentials) we found it was not possible to export logins from iCloud Keychain due to the closed architecture on the part of Apple. This made importing them into 1Password unfeasible though I am sure there is room for them to provide supported scripting that is easy to use.

Password management for web browsers is somewhat easier than for apps as the latter has a far more diverse group of developers involved and thus harder to control. This means that handling app logins is bound to be less well supported overall.

4) Managing Password changes

An important challenge faced by password management is the propagation of changes from one device to all other devices. This objective covers the same website being accessed and the same app being used.

Google Account management including privacy and security.

Where it has been possible to get 1Password to work with a web browser or app, then the synchronization of changes between the browser extension or operating system app has worked. This is due to each extension or app synchronizing with a central server.

Additionally any change has usually prompted a 1Password pop-up asking whether to update a username, email or password change.

VERDICT

1Password seems to handle login credential changes well where it works from an integration perspective in the first place.

5) Password Generation

The key to proper security is the use of passwords that are difficult for hackers to guess. Therefore an important part of any Password Manager is the generation of complex passwords that meet the criteria of each website and app. In this objective we find out how well 1Password performs with this task.

1Password generation of a random login password.

During my tests the only fully successful use of 1Password was with Firefox. The Firefox extension did however prove itself when generating random passwords for cbs.com and nbc.com signups.

VERDICT

The generation of complex random passwords does appear to be a strong point for 1Password. These can also be configured by turning on/off special characters or numbers during the generation process.
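
To show what those on/off options do to password strength, here is an added example (not 1Password's generator, and not from the original article) that draws passwords from the system's random source and reports the entropy for each combination of toggles. The symbol set and function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not 1Password's generator. The symbol set is constructed.
LOWER=abcdefghijklmnopqrstuvwxyz
UPPER=ABCDEFGHIJKLMNOPQRSTUVWXYZ
DIGITS=0123456789
SYMBOLS='!@#%^&*_+=?'

# Build the character set for the chosen toggles (1 = on, 0 = off).
charset() {            # usage: charset USE_DIGITS USE_SYMBOLS
    cs=$LOWER$UPPER
    if [ "$1" = 1 ]; then cs=$cs$DIGITS; fi
    if [ "$2" = 1 ]; then cs=$cs$SYMBOLS; fi
    printf '%s' "$cs"
}

# Draw from the kernel CSPRNG. tr keeps only bytes in the set, so every
# character is uniform. Candidates missing an enabled class are redrawn whole.
generate() {           # usage: generate LENGTH USE_DIGITS USE_SYMBOLS
    set_=$(charset "$2" "$3")
    while :; do
        pw=$(head -c 4096 /dev/urandom | LC_ALL=C tr -dc "$set_" | cut -c "1-$1")
        [ "${#pw}" -eq "$1" ] || continue
        if [ "$2" = 1 ]; then case $pw in *[0-9]*) ;; *) continue ;; esac; fi
        if [ "$3" = 1 ]; then case $pw in *[!A-Za-z0-9]*) ;; *) continue ;; esac; fi
        printf '%s\n' "$pw"
        return 0
    done
}

# Whole bits of entropy: LENGTH * log2(set size), ignoring the small loss
# from the class requirement.
entropy_bits() {       # usage: entropy_bits LENGTH USE_DIGITS USE_SYMBOLS
    set_=$(charset "$2" "$3")
    awk -v len="$1" -v n="${#set_}" 'BEGIN { printf "%d\n", len * log(n) / log(2) }'
}

# Shortest length that reaches a target number of bits for the same toggles.
min_length() {         # usage: min_length BITS USE_DIGITS USE_SYMBOLS
    set_=$(charset "$2" "$3")
    awk -v b="$1" -v n="${#set_}" 'BEGIN {
        l = b / (log(n) / log(2)); c = int(l); if (c < l) c++; print c }'
}

echo "sample: $(generate 20 1 1)"
echo "16 chars, letters only:      $(entropy_bits 16 0 0) bits"
echo "16 chars, digits + symbols:  $(entropy_bits 16 1 1) bits"
echo "length for 90 bits: $(min_length 90 0 0) (letters), $(min_length 90 1 1) (all)"
```

When a site rejects symbols, adding length recovers the lost entropy: in this example one extra character is enough to stay above 90 bits.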

Conclusions

I set out writing this three-part article with two aims:

  1. To inform our readers about Password Managers, including their strengths, weaknesses and usability.
  2. To test out 1Password for use by both my wife and me given we use multiple browsers and apps across a variety of devices and platforms.

Hopefully #1 was a success? #2 however feels like what I learned is that these all-encompassing solutions are not that at all!

Firefox Sync facility.

So what does this lead me to conclude? The answer might come across as somewhat harsh…

Avoid the paid-for solutions. Instead use one or more of the following depending on your particular situation:

  • Firefox – use the built-in Password Manager and turn sync on so that the logins are available on all platforms and devices where you use the Firefox web browser.
  • Google Account – use this for Android and ChromeOS devices together with their apps and the Chrome web browser on all platforms plus Google owned web sites e.g. YouTube.
  • iCloud Keychain – use this for managing passwords across iOS and macOS devices together with their apps and Safari web browser.

The downside of the above is likely to be some duplication of logging in and re-logins when passwords have changed BUT the key takeaway is that they work the majority of the time. Additionally there are Import/Export facilities available to help set up these password managers to some degree.


Did you find our assessment of 1Password useful? Did you encounter any issues that we overlooked? If so please share your comments below.
