After several years using the same password-manager service–and then paying for its premium version–I’ve spent the last few weeks trying an alternative.
I can credit a sales pitch that included the italicized phrase “completely free” for this departure: 1Password’s offer of a free membership to journalists, in celebration of World Press Freedom Day this May 3. But I was also overdue to spend some time in a password manager besides LastPass.
So far, I’m impressed by the elegance of the interface but a little put off by how persnickety 1Password can be to set up. You don’t just create a username and password, you also have to type in a complex and random secret key to get going.
Having read this Toronto-based firm’s documentation of how this extra step helps ensure that a successful guess of your password still won’t compromise your account, I get where they’re coming from. But I’m not sure I’d recommend it to just anybody, especially not when LastPass’s free version suffices for many casual users.
Further time with 1Password’s Mac, Windows and Android apps has revealed other things I like:
- Importing my saved passwords from LastPass was as simple as advertised (and 1Password having a documented export format should ease any possible future switch away from 1Password);
- Its Watchtower feature taps into the Have I Been Pwned data-breach index to warn you if you’re using passwords that have already leaked from other sites;
- You can unlock the Windows app using Microsoft’s Windows Hello biometric authentication (but not after a restart of the app or the PC).
This time has also surfaced one thing I don’t like: an incomplete approach to two-step verification that seems to require choosing between running an authenticator app on your smartphone or employing a weird Yubikey implementation that requires running a separate app instead of just plugging a standard USB security key. That’s no better than LastPass’s inflexible notion of two-step verification.
I’d like to see 1Password improve that and support the WebAuthn standard for security-key confirmation. But I’m prepared to give them some time, based on everything else I’ve seen so far.