Although TidBITS editors use multiple ways to create and store passwords securely, AgileBits’s 1Password has long been one of our top picks, and I rely on it everywhere. The only disappointment I’ve ever had with the program is that its iOS versions didn’t stack up to the desktop flavors for robustness and features. The iPad release, since its introduction, has omitted a way to pull up generated passwords, for instance, something I’ve complained about for years. It also appeared in three versions: two versions called 1Password, built separately for the iPhone/iPod touch and iPad, and a pricier universal version called 1Password Pro.
AgileBits’s fixes my complaints, and brings its mobile experience in line with what I have come to expect from the company on the Mac. AgileBits also collapsed the three 1Password versions to a single, universal app that will cost $17.99. However, since the App Store doesn’t allow developers to charge for upgrades, AgileBits has discounted this new 1Password app to $7.99 to give previous owners a break, and to entice new users.
For those who don’t use 1Password, let me offer a quick rundown. The app provides a secure data store that holds passwords, notes, and Web logins. It also stores “identities” (name, address, and so on), credit cards and other account-based information, and software serial numbers. A password generator creates strong passwords with adjustable parameters based on the site you’re using: you can include only letters and numbers, generate a password 14 characters long, or make one that comprises nonsense words that are nonetheless pronounceable.
The new iOS version, which requires iOS 6, more closely models itself after the desktop software, and indicates what we will likely see when the Mac and Windows versions are revised from 3 to 4, as well. Instead of tabs by item type (password, identity, and so forth), the app puts these categories into a single list view. You can tap a category, like Secure Notes, and browse through items or search the text stored in them. But the latest version also allows you to tap an All Items option to scroll through or search every item in every category at once. That’s a big help, and corresponds to the general search field in the desktop software. A new Favorites view lets you store frequently used items for quicker reference. The app also now shows items organized into folders in a separate view, a useful higher-level sorting option.
Where I find the new version of 1Password shines brightest is in its updated integral Web browser. When you use 1Password on the desktop, it’s a seamless process both to generate and fill in passwords. Whenever I create a new account on a site, I use 1Password to generate a password, which it can also fill into the areas that it guesses are the password and re-enter/verify password fields. When I click the site’s Create Account button, 1Password captures all the form information and prompts me to create a new entry. (You can also update existing entries, create entries without prompting, or block 1Password from ever asking about storing data for a given site.) Then, when I revisit a site, I can tap the 1Password toolbar icon or use a keyboard shortcut to have 1Password automatically fill in the login fields. The workflow is wonderful.
The iOS version of 1Password can’t provide a Safari plug-in, because Apple doesn’t allow browser extensions. Instead, 1Password has always had a built-in Web browser that could be used to log into a site, but the way it handled logins was weak: it showed you a site’s information and you had to tap each bit of information (like the account name) to copy it separately, then tap the associated HTML form field, tap, and choose Paste.
1Password 4 does away with that requirement. Instead, if you open the in-app browser to visit a site or tap a URL stored with one of your Web logins, it provides a button that reveals logins for the site, credit cards and other accounts, and identities. You can then tap to use any of those items just as you would in the desktop version of 1Password. (The app does allow the entry of Web logins from scratch, even though it can’t capture them.)
1Password 4 for iOS secures data with a master password, and the data store can be synced in three ways across devices and desktops. Dropbox support was already available, and AgileBits added iCloud and iTunes File Sharing. But the Dropbox connection is now improved: both it and iCloud use a direct authentication process to connect your data to your cloud account. (The previous Wi-Fi Sync option has been removed. It used Bonjour to allow syncing between desktop and mobile versions over a local network.)
While you might worry about storing data in the cloud, 1Password’s protection is strong enough that with a good password (say, 12 characters or longer that doesn’t resemble a word in the dictionary), there’s essentially no way to crack the file, even if the overall security of Dropbox or iCloud were compromised. (If there were such a way, most password-protected systems in the world would also be vulnerable.) Of course, do not reuse your 1Password password for any other app or site! See “Watch TidBITS Presents “Protecting Your Digital Life”” (22 August 2012) for more on why this is a bad idea. (We’ve added an audio-only option for this presentation; click the Listen link to hear the audio part without having to watch the video.)
If that doesn’t reassure you, then iTunes File Sharing is an alternative that can also be used to complement cloud storage. With that option turned on, 1Password stores its data file in such a way that it can be accessed in iTunes with a device selected by clicking the Apps tab and viewing the File Sharing section. The data file can then be dragged in or out between desktop and mobile versions to keep them up to date. This requires manual management, but prevents the data from ever being synced to cloud storage. (For more details,.)
You may also rely on File Sharing to let you back up the 1Password data file as part of an iOS backup. If you’re using local iTunes backup for an iOS device, the encrypted 1Password store never winds up in the cloud at any time. With an iCloud-based iOS backup, however, the file would be copied in its encrypted form to iCloud. (Visit Settings > iCloud > Storage & Backup > Manage Storage > your device — and, possibly, Show All Apps under a short list of apps — to enable or disable 1Password’s backup to iCloud.)
A number of other smaller improvements found their way in as well, such as automatically copying passwords when they’re created, viewing attachments stored with notes, and erasing the iOS clipboard after an interval to prevent a copied password from being available later to others who might use the device.
In an amusing move to promote sharing the program, 1Password includes an optional demonstration mode that can be turned on from the Settings view’s Advanced item. With Demo Mode set to On, entering “demo” as the master password brings up a fake set of data, and allows a 1Password owner to show off the app without compromising his or her own passwords.
I find 1Password 4 a substantial improvement. The previous release often caused mild irritation when I knew that I could accomplish a task, but it took too many steps or required workarounds. The latest release reduces friction, and makes the app a less fussy and more fluid part of my security workflow.