1Password 7.9 Adds Secure Password Sharing
Five years ago, in “Share Passwords Securely with One-Time Secret” (13 June 2016), I wrote about One-Time Secret and d-note, which allow you to share a password—or any text—without worrying about it being intercepted or revealed in an email breach. This capability is essential when you’re in a group whose account access credentials need to be shared with people whose technical platform you might not even know.
Here’s how these password-sharing services work. You enter the password in a Web form, click a Generate button, copy the provided URL, and send the link to the recipient. When they click the link, the site shows them the password and immediately deletes the database entry to ensure no one else can ever use that link again. Although this is highly unlikely, if the recipient tells you that they couldn’t retrieve the link, you know someone intercepted your message, and you can change the password in question.
I’ve taken to using yet another similar service—1ty.me—which until recently allowed you to enter your email address and receive a notification of when the recipient accessed the password. I have no idea why the feature disappeared, but I liked getting the notification that the recipient had indeed retrieved the password.
In that article about One-Time Secret, I wrote:
The problem I solve with One-Time Secret is infrequent, one-off password sharing with people whose technical setup I seldom know. If you want to share passwords more regularly, better password managers like 1Password and LastPass simplify sharing as long as everyone uses the same app. In an ideal world, 1Password and LastPass would integrate the code from One-Time Secret or d-note into future versions to provide ad-hoc password sharing too.
It has taken a long time, but 1Password 7.9, which AgileBits recently released, finally adds secure password sharing, even with people who don’t use 1Password. The interfaces differ slightly between 1Password.com, the Mac version of 1Password, and the iOS and iPadOS versions, but here are the basics of how to use it.
Share a Password Securely
AgileBits did a good job of making secure password sharing easy:
- Select an item in your 1Password vault (in iOS, tap Categories if necessary).
- Tap the Share button (iOS) or click the Share button and choose Share (macOS and 1Password.com).
- Choose when the link should expire, either after a single view (like One-Time Secret and the others) or after some span of time. I recommend sticking with a single view in nearly all cases to ensure that the link stops working after one use—anything else opens it up to being seen by multiple people.
- Choose whether the link should be available to anyone or only to specific people. This tweak is an advancement over the competing services since you can specify that the recipient must enter their email address and receive a verification code before revealing the password. That raises the bar on interception since the attacker must also know the intended recipient’s address. However, it also makes retrieving the password a two-step process for the recipient, so you have to weigh the annoyance value against the added security.
- Tap or click Get Link to Share.
- In the next screen, tap or click the Copy button at the bottom, which helpfully changes to Copied.
- Send the link to the recipient however you like. For higher security, don’t send it in the same channel as the rest of the login information—for instance, send most of the login details in email and the password link via an end-to-end encrypted system like iMessage. That way, if an attacker does intercept or hack the recipient’s email before they see the message, the account remains secure.
Access a Shared Password
How you access a shared password depends on whether or not the sender restricted it to a specific set of people. If they didn’t, just click the provided link, tap or click the password field, and copy the password, as in the rightmost screen below. It’s best to verify that it works immediately and add it to your own password manager.
More interesting is what happens if the sender limited the set of recipients. In that case, follow these steps:
- Tap or click the provided link to open it in your Web browser.
- Enter your email address and click or tap Send Code.
- Switch to your email and copy the six-digit code from the message you received.
- Switch back to your Web browser and enter the code.
- 1Password displays the login information, with the password concealed; tap or click it to bring up options for Copy and Reveal.
- Copy the password and immediately try logging into the account in question to verify that it works and so you can save the password to your password manager.
Suppose someone gets hold of a 1Password shared password link but doesn’t enter the email address of an approved recipient. In that case, they’ll receive an email message telling them the item wasn’t shared with that address instead of the verification code.
The only thing I’d like to see AgileBits add to this system is an optional notification that a shared password was retrieved. I found that quite reassuring with 1ty.me because it helped me close the loop and know that my recipient was moving forward with the login task.
Otherwise, AgileBits has done an excellent job with this password-sharing feature, and it’s surprising that LastPass and other password managers haven’t done something similar.
I share passwords with my family via shared vaults with 1Password. We all have our private vaults. However, I have a shared one with my wife and another shared one with my entire family.
For instance if I have a password from something that’s definitely not Netflix I want to share with my family, I can move it to my family shared vault.
(Sharing my Netflix password would be unthinkable)
Speaking of 1PW…is anybody running the beta version of v8…and if so are they getting close to release…and have they added local backup and restore? I can live with the subscription and the non native macOS client…although perhaps running the iPadOS client which is native iOS on an M1 Mac is a better idea. However…I can’t live with no ability for local backup and restore. I know that the app keeps a local copy but it’s in SQLLite I believe…and unless you’re a database wiener or there’s an easy way to export and import your data there that’s not really a local backup and restore even though a full backup would have the database in it somewhere.
Love the idea. When I updated my standalone 1Password Mac client to 7.9, the What’s New screen popped up with the information about “psst”, but no actual functionality. And as usual, the blog entry about the feature on AgileBits presumes everyone is using the subscription version of 1Password. Any clues on whether this is a subscription-only feature?
I don’t know for sure, but it would make sense that password sharing would be a subscription-only feature because it requires a server-side component. With the subscription and 1Password.com, that’s built in in a secure fashion.
Obviously, AgileBits could make it work with the standalone version, but it seems clear that they have no interest in moving that version forward.
1Password says that sharing a copy requires a 1Password account. See Securely share 1Password items with anyone under the section “Get Help”.
I don’t think that’s correct, at least for me. I just followed the instructions on the webpage you referenced and I was able to share a password using version 7.9 on an iPad which is still using a Dropbox vault. I have no 1Password account as of yet.
Well, cool—thanks for testing!
I’ll try it there. Cool!
Mmmm, might have to disagree. The page referenced (discussing share a link) does indicate an account is required. I also have the paid apps (no subscription account) and use Dropbox. My share button on MacOS and iOS does allow sharing via email, message, etc. but NOT the secure link sharing that was added in 7.9. I’d love to be proved wrong.
I have the standalone version. I was presented with the splash screen announcing the new feature also when I updated, but I cannot access the functionality either.
Standalone licenses will be history when 1Password 8 drops. We can use v.7 until it is no longer compatible because of OS updates, web browser changes, etc. 1Password is going to offer a 50% discount for 3 years for standalone users who migrate to the subscription model and upgrade to v. 8.
I haven’t decided whether to move to another password manager or migrate and switch later. The options for transferring my 1Password data is part of the equation. I plan on reviewing other password managers before I make a choice.
I’ve been unhappy with the quality of 1Password customer support for years. They have even managed to mishandle things regarding the coming v. 8 upgrade.
So I’m not inclined to continue with them if I can find an alternative that actually cares about their customers, even if it turns out to use a subscription licensing model.
Forgive me for asking what may be an obvious question. What is the primary purpose for 1Password (and other password managers like LastPass)?
Years ago, there was a definite need for a password manager, since the built-in password management in browsers were completely unsecured and may not even sync across devices.
Today, however, browsers have what I think are pretty good built-in password management. Apple provides one via Safari. Firefox includes Lockwise. Both of these securely store passwords (in an encrypted database), offer password protection, and provide cloud-based synchronization with other instances of the same browser that logs into their respective cloud services).
I assume Chrome/Edge have this feature as well, but I haven’t looked close enough to be sure about that.
It seems to me that the big advantage of these third-party password managers is that they are cross-browser. Apple’s solution (Keychain in iCloud) only works with Safari browsers (across a variety of platforms) and the Firefox solution only works with Firefox browsers (on all supported platforms). So you will want a third-party solution if you use different browsers on different platforms or use multiple browsers on a single platform, but are there any other advantages to these packages?
if you primarily use only a single browser (whether on one or multiple devices), is there an advantage to using a third-party password manager over what your browser provides?
If all I used 1P for was a few passwords, I’d probably switch to Apple’s solution.
But I’ve found 1P awesome for storing tons of other information: credit cards,
digital copy of my passport, insurance info, things like the license plates of vehicles and VIN numbers, serial numbers of software, bank safety deposit info, door codes, etc. I put in there anything I want secure and synced. I even have a document in there with instructions for my heirs if I should die (to link to the digital legacy thread) which basically tells them what is in my 1P and how to use it.
It’s really handy having all this info sync between all devices and be available at any time (i.e. while traveling or away from home). It’s saved my bacon and helped save me hassle numerous times (i.e. you’re at motel and they want the license plate of your car – I don’t have to run out to the parking lot to see it) and now I wouldn’t do without 1P’s secure notes and storage of other data.
I have also used it for temporary data: like a friend wanted me to buy something for him on his credit card, so I saved all the details in my 1P so it’s secure but handy. Or another person gave me the unlock code for their garage when I visit – saved in 1P. I put other people’s Wifi or other passwords in there, too. (Example: I helped an elderly relative set up and iPad and accounts and kept copies of her passwords in my 1P. When she died, it was really helpful as I had all her details.) Using 1P is much more secure than putting that stuff in Apple Notes, for example.
Also, while I don’t regularly use other computers, occasionally it happens and it is handy to have a license if I need to use a Windows machine or Chromebook.
In short, if your needs are basic, the built-in solutions are sufficient, but if you want to do more, you need a real password manager.
I also use 1Password to store various kinds of data besides website logins.
But password managers also tend to me much more convenient particularly if you use them a lot like I do.
I wish that I could say that since password managers are “one trick ponies” that they are inherently more secure than web browsers and Apple’s iCloud keychain. But I can’t because some of them have been found to have security issues that could be exploited and those issues are public knowledge:
Now that article is from 2019 and 1Password may have addressed its issues by now. . . I have not done any further research since I read that article. But one of the things I will be doing is comparing the current security of various options while I am deciding what to do when 1Password 8 is introduced.
The new Apple OS Monterey features improved password manager functionality. So it may be a viable option for more people going forward. I’ve only read a summary of its new features and nothing about its security, so I can’t say any more about it right now.
But if a person is happy with the functionality and security of other options or you have cobbled together a system that meets your needs, more power to you. Especially now that more password managers are going with the subscription model and, particularly in the case of 1Password, it ain’t cheap. I’ve saved a fair amount of money sticking with a standalone license. But if I am going to be paying an annual subscription fee, any password manager I wind up using better have more going for it than the convenience factor i.e it better have excellent security to protect all of the sensitive data I have stored in its database.
I have used Apple’s password management at times, but mainly use 1P as I find it’s interface for actual password management, review, culling, etc to be much more intuitive than what Apple provides, which seems to be just a long list.
AgileBits has a page of security assessments, which includes a new assessment by ISE from June 2020.
I started using 1Password back at version 2, and the cross-browser support was the killer feature for me. For a friend, the killer feature was not having to enter credit card info by hand every time she bought stuff online.
Since those early years, like Marc, I’ve come to store a bunch of other information, like software licenses, driver’s licenses, and social security cards, in 1Password. Plus the shared vaults makes it easier for me when I need to occasionally help my mother or my friend. I don’t think you can do that easily with the password management feature of the various browsers.
Safari can save and enter credit card info. Enter the info in Preferences > AutoFill > Credit Cards.
Safari will (usually) recognize when you are being asked for a credit card and offer to fill it in. I have Touch ID, so it asks for authorization. I don’t know how it works on non-Touch ID machines.
(Unfortunately, it does not save the three-digit Security Code that you are sometimes asked for, so you might have to memorize that.)
I’ve been looking at this myself and so far have not sound another option that offers both file attachments to items and a local backup and restore capability for vaults. I can live with the subscription model and non native macOS client if I have to…but those two features above are mandatory for my usage unless I go with some combination of another manager and a separate encrypted cloud storage like Sync for the attachments.
I have way more kinds of things in my password manager beyond web pages…secure notes, passport/drivers licenses/Covid card images, etc. while there are other options for these…an all in one solution is preferable.
Safari gained that feature long after 1Password did, and again, it only works in Safari, not other browsers. But my point was that there were and are good reasons for using 1Password even if you only use one browser.
Standalone licenses are already history – even for 1Password 7. New purchases of 1Password 7 are subscription only. Existing standalone licenses are still good.
I see that 1Password announced the demise of new standalone licenses in August. I hadn’t visited the website recently and I probably would have missed blog post anyway. . .
Maybe the purpose is “an interface that makes confidential information storage easy and pleasurable)-ish) to use.”
I’ve used 1Password cross-platform since about 2011. I have a routine baked in to my use of any new-to-me computer that I’ll be using. Install Dropbox, install 1PW, install Evernote. With those three actions I have almost all of my work information at my fingertips, and I can back out of it just as easily when I’m done. (Yes, I know, it’s a naive view of user security, but I’ve simplified it here.)
I might get my mind around 1Password 8 and buying into the subscription model, but if that happens I’ll sure push it to the limit and get my money’s worth. Since I’ve actually given them money only twice over the past decade (initial purchase and a paltry upgrade fee about 3 years ago), I can understand the sustainability argument. Taking one of my “core 3” out of the colonization process for password purposes might not be a bad thing, either.
Join the discussion in the TidBITS Discourse forum