Thoughtful, detailed coverage of the Mac, iPhone, and iPad, plus the TidBITS Content Network for Apple consultants.

1Password 5 Touches New Heights in iOS 8

For years, 1Password has been a constant part of my workflow and security profile. The password creation and management software, first released for Mac OS X and later for iOS, makes quick work of creating a strong password for every site and retrieving it on request. The new 1Password 5 for iOS 8 unlocks the utility’s full capability and makes iOS 8 itself much better. It’s also now free, with an in-app purchase for a small set of Pro features. (1Password is also available for Windows and Android.)

As 1Password aged, it matured. In version 4, its improved browser integration in Mac OS X and interface overhaul on both platforms reduced the effort required to access passwords and other confidential data while also improving how categories of disparate things were organized and could be filed into folders or tagged with metadata. With 1Password 4 for OS X, I finally started filling in all my forms and credit card numbers from the program.

But 1Password integration in iOS suffered before iOS 8’s release because of Apple’s strict limitations on inter-application communication. While 1Password could (and still can) sync via Dropbox and iCloud to keep passwords and other data up to date between various installations on mobile and desktop systems, there was an awful lot of copying and pasting required, and that isn’t one of iOS’s strengths. An improved in-app browser in 1Password 4 was a big step up for accessing Web resources, but it carried a lot of compromises: cookies couldn’t be shared between Safari and 1Password’s browser, and so forth.

iOS 8 has given AgileBits the tools they needed to pull a lot of threads together. But because of Apple’s requirements and how AgileBits adapted some of 1Password’s current settings and thinking to iOS, how to make use of all the new options can be confusing. Here’s some step-by-step advice.

What’s New -- You can read AgileBits’ announcement, but the brief story is that 1Password 5 for iOS sports three key additions and two improvements, one of which has yet to be enabled. The additions are:

  • Because of Apple’s new support for extensions in iOS 8, 1Password can be used directly within Safari.

  • You can unlock 1Password using Touch ID on the iPhone 5s, 6, and 6 Plus.

  • Apps that use 1Password’s framework can incorporate the extension in various ways, such as allowing login by unlocking 1Password, including via Touch ID. No round-trip is required. Instead it all happens within the other app.

The two improvements relate to syncing. AgileBits rewrote its iCloud sync to use Apple’s overhauled CloudKit, and the company says it’s fantastic compared to the previous set of tools, although it requires iCloud Drive, which in turn requires the upcoming OS X 10.10 Yosemite. AgileBits also made Wi-Fi sync automatic — you don’t have to invoke it — but this change will come into effect only once 1Password 5 for the Mac sees the light of day.

The other major change is that 1Password for iOS is now free. The Pro upgrade to add some organizational features is a one-time in-app purchase of $9.99. Existing 1Password 4 for iOS owners get these features unlocked without paying for them.

The freemium split is interesting, because I imagine most users won’t particularly care about support for less common items (bank accounts, reward programs, software licenses, and so on), multiple password vaults, custom fields, and folder/tag organization, but they will want to sync with desktop versions of 1Password on the Mac or in Windows, both of which remain paid products. The freemium model is a great way to get new people using 1Password for iOS, and then either paying the in-app fee or buying desktop software licenses.

Turn On and Use Touch ID -- All versions of 1Password rely on a master password, which unlocks your vault. The iOS version also has an option that lets you compromise between having to enter the full master password repeatedly — often a pain for a good password on the iOS keyboard — and leaving 1Password unlocked for extended periods of time. You can set a short PIN that you can use between times you’re required to enter the full master password. The PIN unlocks the master password, and that unlocks the vault. Thus, you could have 1Password ask for the master password every 24 hours, but set it to require the PIN after a specified delay (like 2 minutes of idle time) or after switching away from and then back to 1Password.

If you own an iPhone 5s, 6, or 6 Plus, Touch ID replaces the PIN option and must be enabled to be effective. Even if you’d prefer to use a PIN, it’s not available.

Turning on Touch ID is simple: in 1Password, tap Settings > Security > Touch ID. (Note that this interface changed from 5.0 to 5.1, so be sure to update if you’re not yet using 5.1.)

1Password will require a Touch ID scan whenever it locks. If you enable Lock on Exit in Settings > Security, it will lock whenever you leave the app. It will also lock after a set amount of time, which you can change in Settings > Security > Auto-Lock. However, you must enter your master password after a device restart, or whenever Touch ID fails. (AgileBits tells me that Apple won’t let a developer replace a password with Touch ID entirely.)

I set Auto-Lock to 2 minutes, though conceivably I could have set it to longer, because my iPhone is rarely out of my control. But I also enabled Lock on Exit, which adds a little inconvenience in return for more peace of mind.

Once enabled, here is the super cool part: you can use Touch ID everywhere 1Password can be invoked, whether through its Safari extension or direct integration with an app! I’ll explain that in a moment.

Sometimes, Touch ID doesn’t appear as an option when you use 1Password, and it took me some back and forth with AgileBits to understand why. iOS 8 gives developers only a “yes” or “no” response from a Touch ID interaction. If, when 1Password asks for your Touch ID, you tap Cancel or navigate away, iOS interprets that as a “no,” causing 1Password to see your action as an authentication failure and prompt you for your master password.

The one lingering issue with Touch ID isn’t limited to 1Password: physical coercion. Because you could be compelled to use Touch ID by force (or even while unconscious), using it as a means to gain access to a password store could leave you vulnerable if you have concerns about potentially violent people having physical access to both you and your iPhone.

For most of us, that’s not an issue. Garden-variety muggers aren’t likely to know about Touch ID, and even if they do, access to someone’s passwords isn’t a guarantee of financial reward. If you live in a country or engage in a profession in which you might be physically compelled to unlock your secrets, Touch ID and 1Password may not be for you. Of course, your master password may not be much help then either.

Use 1Password with Safari -- “Oh, joy!” I exclaimed, when I first tried 1Password within Safari in iOS 8. Apple’s iCloud Keychain for generating, storing, and syncing passwords in Safari across mobile and desktop systems is good, but 1Password is great. Turning it on requires a few steps, after which you’ll never have to mess with setup again.

Somewhat counterintuitively (Apple’s fault, not AgileBits’), 1Password’s extension is accessible from the Share view in Safari, but getting it to show up requires a little work. After installing or upgrading 1Password and configuring your password preferences, open Safari.

With any page open, tap the Share button. In the list of actions on the second row, which by default starts with Add Bookmark at the left, slide right until you see More. Tap More.

At the bottom of the list you see 1Password (with an on/off toggle) and any other apps that have Safari extensions. Toggle 1Password on, and then drag the three-line handle at right to move it to the top. In testing, I found that re-ordering Share items doesn’t stick. I’ve had to re-do it (with Apple’s items as well as 1Password) multiple times.

Now, when you visit a site that requires a login, tap the Share button, tap 1Password, use Touch ID or the master password to unlock if necessary, and then you should see any matching logins. Tap the i icon to make changes or review or copy individual settings, or tap the item to fill. You may also need to tap a Login button.

For now, 1Password can fill in only login details; AgileBits says support for filling in street address and credit card information is in the works.

Use 1Password within an Integrated App -- AgileBits says that 100 developers are integrating 1Password’s iOS 8 extension directly into their apps. A few are ready now, including the latest release of Instapaper.

The process of logging into an app using 1Password requires a few steps, none of which is onerous, especially on devices with Touch ID. In Instapaper, for instance, when not logged in, tap the Sign In button on its home screen.

With 1Password installed, the Password field shows a 1Password logo at the far right. Tap it, and in a pop-up menu that shows extensions, you can select 1Password. Unlock 1Password, including with Touch ID, and then tap the correct Instapaper login entry — the sole entry for most people. The app handles the rest.

You can also create a new login within apps that support 1Password, something that’s not yet available when using 1Password within Safari.

Seamless Security without the Pain -- The new release of 1Password dramatically improves my overall iOS experience without compromising security. It’s more likely that I and other users of 1Password will become even more dedicated users of the software, because of its wider availability in Safari and apps, and its far easier use.

The more that regular users can be encouraged to create a unique, secure password for every site, the less likely a single site’s password breach will be seriously problematic. Combining passwords with Touch ID reduces friction even more.

The main missing piece, apart from filling in contact and credit card information, and something that AgileBits may not be able to do within Apple’s parameters, would be to let people create Web logins within Safari. But that’s minor, in the scope of things.



Comments about 1Password 5 Touches New Heights in iOS 8
(Comments are closed.)

Andrew Daws  2014-09-30 09:29
I can't understand why nobody talks about LastPass. It fills in addresses and credit cards (at least on the Mac) which is far more time consuming than logins. And presumably it will also benefit from the iOS integration (at the moment I do all form filling on the Mac but would like to do it on the iPhone)
Adam Engst (TidBITS Staffer)  2014-09-30 10:21
We do talk about it a fair amount, in fact, and it's what I use as my primary password manager because of its automatic login capabilities, which surpass those of 1Password. For many people, though, 1Password is the best choice because it offers significantly better interfaces in both Mac OS X and iOS.
What automatic login capabilities does LastPass have? 1Password seems fairly robust in this area (including the ability to go directly to a site and fill in a username and password in one step with one keyboard shortcut globally), and I'm curious what's on the other side of the fence :)
Adam Engst (TidBITS Staffer)  2014-09-30 12:22
With LastPass, you can simply go to a Web site in your browser, without having to invoke a separate utility, and LastPass can detect a login form, auto-fill it, and auto-submit it. That's all optional, for sites where you might have multiple logins, but for sites where you have only one, it's a nice time-saver. Obviously, if you don't mind invoking things from 1Password, that's not a major problem, but I go to so many Web sites that need logins that I prefer to work in whatever browser I'm using directly.
David Weintraub  2014-09-30 12:33
There are a few websites where 1Password doesn't work as a Safari extension. For example, doesn't work because it presents you with multiple login screens. You have to enter your user name, then go to another webpage to enter your password.

You also need to make sure that you have the correct URLs for websites. The Old Reader didn't work for me because I didn't have a URL in "Website". Pre-extension, it didn't really matter. I searched for it and cut and pasted the credentials. Post-extension, the credentials didn't come up.

Otherwise, it's really nice to use 1Password as an extension. I prefer 1Password over LastPass because LastPass stores passwords in a centralized location which makes it a nice honey pot of a website for hackers. 1Password doesn't store passwords on the web unless you ask.
Glenn Fleishman (TidBITS Staffer)  2014-09-30 13:02
This is true, although you can also tap the circle-i button and copy passwords out if they match but won't fill. I figure and hope AgileBits will keep working on how to expand this for these sorts of situations.
Adam Engst (TidBITS Staffer)  2014-10-01 11:34
We've made an edit in the article to avoid implying that synchronization with the Mac and Windows versions of 1Password was an in-app Pro purchase - it's not. The point is that the Mac and Windows versions of 1Password remain paid products, and aren't free like the iOS version, so those who use the free iOS version may still want to purchase the other versions. Our apologies for any confusion!
Hitoshi Anatomi  2014-10-01 22:08
ID federations (single-sign-on services and password managers) create a single point of failure, not unlike putting all the eggs in a basket. It remembers all my passwords when un-hacked and loses all my passwords to criminals when hacked. It should be operated in a decentralized formation or should be considered mainly for low-security accounts, not for high-security business. Needless to say, the strength of the master-password is crucially important.

At the root of the password problem is the cognitive phenomenon called “interference of memory”, by which we cannot firmly remember more than 5 text passwords on average. What worries us is not the password, but the textual password. The textual memory is only a small part of what we remember. We could think of making use of the larger part of our memory that is less subject to interference of memory. More attention could be paid to the efforts of expanding the password system to include images, particularly KNOWN images, as well as conventional texts.
Dan Daranciang (TidBITS Contributor)  2014-10-04 09:46
I'm so glad to read that others have had trouble reordering share items! Mine still don't stick, neither on my iPhone nor on my iPad.
john Springer  2014-10-07 01:13
I downloaded 1Password, eager to try an often-praised product. But I was thrown by the fact that I have many many passwords stored in Safari's system, and no way to import them into the new system. I also didn't understand what would happen as I come to a site that Safari knows about. Safari fills in the login; does 1Pass then learn it? I did not understand the comment in the article about not being able to create new logins in Safari.
xairbusdriver  2014-10-08 10:06
Multiple, separate PW, ID's, Questions, etc. are not a problem for 1PW. While the app can't handle these separate items with _one_ login form, it is simple to create separate 1PW 'pages'/logins for those items. Simply create a suitable name for each one and select it in the Mac's Menu Bar list. No Copy/Paste required. I never have tried this in the iOS app but doubt that I would want to be accessing these usually much more sensitive sites via cellular/public WiFi.

I am looking forward to using 1PW5 on my iDevices! ;-)
xairbusdriver  2014-10-08 10:12
I still use URLMPro (still the best bookmark manager I've found) to go to 99% of the sites I visit. But I have started to use the 1PW Menu Bar function for sites requiring passwords. Not sure what difference what browser is open. Not sure I even need to _have_ a browser open. I think both URLMPro and 1PW will open the default browser and the site I requested. I save a step if a password is needed by using 1PW instead of URLMPro. 8-)