I've written before about the benefit — or perhaps I should say necessity — of using a password manager so that you can use sophisticated passwords that are unique for each service and keep track of them automatically without attempting the impossible task of remembering each of these complex passwords. My goal today is not to evangelize the need for a password manager such as 1Password but instead to address an issue for folks who are already using an older version of 1Password and are thinking about the benefits and procedures for updating to the latest version of 1Password, a subscription service. When I upgraded my account a few weeks ago, I couldn't find much useful written on this subject, so hopefully any of you considering an upgrade can learn from my experiences.
The new subscription system
In late 2012, I started using 1Password as my password manager on my iPhone, and it was one of the best technology decisions that I have ever made. A few months later, I bought licenses for my Mac (at home) and my PC (at work), allowing me to have all of my passwords on all of my devices. Just over a year ago, my wife also purchased licenses for her iPhone/iPad and for her Mac.
For over four years, I have used the product every day and enjoyed frequent product updates without ever having to pay for an upgrade after my initial investment. But considering how useful this software is, I would have been happy to pay for an upgrade whenever the developer asked longtime customers to do so.
Instead of charging for an upgrade, in 2016 the company introduced a new subscription payment structure. Unlike the prior system where you paid one price for the "pro" version on the iPhone/iPad, one price for Mac, and one price for PC, with the new system you pay $36 a year to use 1Password on all of your devices. I paid $88 in 2012 and 2013 for all of my different versions of 1Password on iPhone/iPad/Mac/PC, which I used for four years. That is sort of like paying $22 a year for four years, but that is largely because 1Password hasn't charged for upgrades every year or two like many other companies do. (I think that the last 1Password paid upgrade was version 4 back in 2013.)
You can instead subscribe to 1Password Families for $60 a year, and this is what I did. This package gives you accounts for up to five people on all of their devices. Whether you consider this to be more expensive than the prior system or less expensive depends upon your particular circumstances. If you are a new user of 1Password Families and have five people using 1Password, paying what amounts to $12 a year per person is a steal.
Speaking of the price, I'll also note that there are competing products such as LastPass and Dashlane which can be less expensive. It is not my intention today to compare the products, but if you want a well-reasoned comparison I recommend the Wirecutter review by Joe Kissell written in December of 2016. He concluded that LastPass was the best password manager for most folks because of its price ($12/year for a single user), although he noted in an update to that article that LastPass has struggled with some security vulnerabilities lately. He also concluded that 1Password was the best pick for iPhone/iPad/Mac users who want to pay a little more for a better product. Much like the decision on whether to use Lexis or Westlaw or Fastcase for your legal research, you need to consider cost and features and decide what is best for your needs.
Two more notes about pricing. First, there used to be a free version of 1Password for iOS with only basic features, and you paid for the premium version to unlock all features. It looks like that version if gone; if you download the app now, your first 30 days are free and then you need to purchase a subscription. Second, when you do pay to subscribe, you can do so either using the 1Password website or in the app itself. You pay more inside of the app, presumably because AgileBits has to give a cut to Apple. The individual subscription is $3.99/month in the app (versus $2.99/month on the website) and the family plan is $6.99/month in the app (versus $4.99/month on the website). The website does make you pay for an entire year at once, but if you don't mind doing that you can save money by not purchasing the subscription within the iPhone app.
The benefits and changes
The subscription model for software, in which you pay every year for the advantage of always having the latest version, seems to be catching on recently. For example, Microsoft has its Office 365 system that give you the latest software for PC, Mac, iPhone and iPad, and I think that Microsoft Word is a must-have for most attorneys using iOS. As long as the price is reasonable, I think subscription models make sense for everyone; the developer has a steady stream of money so that it can pay for software improvements, and users get the advantage of frequent updates.
If you subscribe to 1Password as an individual, you get the same benefit that you get with other subscription services — the knowledge that you always have the latest and greatest. I'll admit that with some software, you don't actually need the latest and greatest. Speaking of Microsoft Word, I know some folks who do just fine with an older version. But for security software like 1Password, it is obviously best to always use the latest and most robust version of the product.
If you use 1Password Families, in addition to the benefit of always having the latest version of the software, you get an additional benefit: shared vaults. Most of my passwords are personal to me and my wife doesn't need them. But we also have accounts that we both access, such as bank accounts, credit card accounts, utilities, computer passwords, insurance accounts, passwords associated with our kids (such as their frequent flier accounts), etc. In 1Password Families you can create one or more shared vaults and you get to decide who on the plan has access to each shared vault. I created a single shared vault, and my wife and I currently have 25 items in that vault. Syncing changes works great. If one of us updates a password or adds some note about the account, the change is automatically synced to all of both of our devices.
And remember, 1Password is more than just logins. There are special templates to store social security numbers, membership information, secure notes, etc. and any of those can easily be added to a shared account. You might have personal medical information that is private enough that you want to store it in a secure location on your iPhone, but which you would like to share with your spouse or other family member; a secure note is a perfect location for that.
Although I haven't tried the product, I'll also note that AgileBits now sells 1Password Teams, a service aimed at businesses that want to have some passwords shared to multiple members of different teams while also maintaining some passwords unique to each individual. It's the same basic idea as 1Password Families, but with some extra bells and whistles for companies.
If you use a PC, which is what I use in my office, there are additional advantages and disadvantages of upgrading to 1Password Families. The advantage is that instead of using the older 1Password version 4 for Windows, you get the interface of the new 1Password version 6. The interface on version 4 was always confusing to me, so much so that even if I was in front of my PC, I typically turned to my iPhone or iPad to use 1Password. Here is what one of the main windows looks like on version 4:
In contrast, version 6 of the Windows interface is very similar to what you see on an iPhone, iPad and Mac. This interface is far easier to use, and thus I am actually using 1Password on my PC much more often now, and I am certainly enjoying using the software much more.
There is also one disadvantage to version 6 on a PC: it doesn't support Internet Explorer. It does support the Chrome, Firefox and Opera browsers on a PC. But if you need to use Internet Explorer — and there are a few court-related systems that I access which still work better on Internet Explorer — you need to manually copy your username/password from the 1Password app and then paste it into Internet Explorer. That works, but it is less convenient.
Why the omission? I've seen this explanation on the AgileBits website: "Since Internet Explorer doesn't have a modern web extension APIs, we can't reuse our extension code easily like we can for Chrome, Firefox, or other browsers. We have to build it from scratch and it would be a great thing to do, but right now we are focused on bringing 1Password 6 to parity with other platforms." Keep in mind that Microsoft itself announced back in 2015 that it was phasing out its own support for Internet Explorer. The future of Microsoft web browsing is its Edge browser for Windows 10, which 1Password is currently working to support. I certainly see the logic of AgileBits having its Windows computer programmers focus on the future of Windows, not the past. Just keep in mind that if you currently use 1Password version 4 in Internet Explorer on your PC, you need to decide if support for IE is more important to you than the improved interface of version 6 and the benefits of 1Password Families. For me, it was an easy decision.
There is another major change with 1Password Families: you no longer use a third-party service like Dropbox to sync your accounts between you devices. Instead, your passwords are stored on the 1Password servers controlled by AgileBits.
I'll be honest — this is the one part that made me hesitate at first. One of the things that always made me uncomfortable about competitors to 1Password such as LastPass is that they stored all username and passwords on their own servers, which seemed like a tempting treasure chest of a target for hackers. And this is not just a theoretical concern; back in 2015, LastPass announced that hackers had accessed and presumably downloaded this very information from their server. (Here is an article from Wired describing the breach.) LastPass believed that the data itself was appropriately encrypted so that the hackers would not be able to determine username and passwords from what the hackers downloaded, and LastPass told users that changing their master passwords was sufficient to be safe. Hopefully that was true, but it was still scary.
In contrast, the old version of 1Password stored usernames and password in the cloud but didn't do so on a single, central server. Instead, each user would use their own cloud service, such as Dropbox. I liked this because my own personal Dropbox account is a much less tempting target for hackers than a single online depository used by a security company for millions of users.
After researching what 1Password is doing, however, I am comfortable with this change. While 1Password Families also now stores information on its own server, it uses an extra security measure that LastPass doesn't use. The first time that you use a computer, iPhone, iPad, etc. to access the 1Password server, you need not only the username and main password (which is what LastPass uses), but also a 34-character secret key. You are given this key when you first sign up for the 1Password.com subscription service, and 1Password recommends that you print out what it calls an Emergency Kit and keep it in a secure location such as lock box. The image at the right shows you what one looks like. The idea is that even if a hacker figured out your username and guessed your main password (perhaps because you had a really weak or otherwise guessable master password), the hacker wouldn't also have the secret account key so the hacker still couldn't decrypt the files and see your confidential information.
The use of a secret key makes it far more secure for 1Password to store your passwords online. 1Password explains it this way: "Unlike your Master Password, your Secret Key does not need to be memorized, so it can be much longer and more secure. It adds 128 bits of entropy to your Master Password, raising the total entropy of your encryption key far beyond the reach of current computing power. There is no amount of money that can break the encryption produced by the combined strength of your Master Password and your Secret Key." See this page on the AgileBits website for more information about the advantages of using a secret key.
[UPDATE 7/11/2017: Here is an interesting post from an AgileBits employee explaining how the new system is even more secure than the old system.]
You may be familiar with other services that use something called Two Factor Authentication, which means that to login you need not only something that you know (your password) but also something that you alone have (such as an app on your iPhone or other device that creates a number that changes every 60 seconds). 1Password believes that the use of a secure key is even better than Two Factor Authentication. This page explains why.
I do not make my living worry about security, but 1Password does, and the company has been around long enough and has a strong enough reputation that I trust 1Password to come up with the most secure way to make its products work. Indeed, another advantage of 1Password versus other password managers is that, as noted in the Wirecutter article by Joe Kissell that I mentioned earlier, 1Password's data format is publicly documented. AgileBits explains to the world how its security works, encouraging smart folks in academia and elsewhere to second-guess the decisions made on how to best keep information secure.
After studying all of this information, I am comfortable letting 1Password store my password vaults on its server. And of course, the advantage of doing so is that it allows me to use the 1Password website to create a shared vault that my wife and I both use. It is somewhat magical to update something on my iPhone and have it show up in the same entry on my wife's iPhone just a few seconds later.
The upgrade process
If you are not currently using 1Password at all and this post convinces you to do so, then just start fresh with a new account, either 1Password Families or just the regular 1Password if you are the only user, and everything will just work. But if you are upgrading from an older 1Password account, such as one that used Dropbox to sync between your devices, here is some information on how that process works.
First, as noted above, I encourage you to purchase the subscription on the AgileBits website and not within the iPhone or iPad app. It saves you some money.
Next, go into the Settings portion of the 1Password app on the iPhone and select Add Existing Account. You then need to enter the web address for logging in go your specific 1Password.com account, your username, your password, and that secure key I mentioned above.
Fortunately, however, you don't need to type all of that information. In the picture above of the 1Password Emergency Kit, you will see that there is a QR code on the page. You can tap the Scan Account Details option in the 1Password app to use your iPhone's camera to scan that QR code. If you didn't yet print out the Emergency Kit yet but you have another device, such as an iPad, you can just bring up the Emergency Kit on that device and scan the code. After doing this, the only information that you have to type is your master password.
The app will next ask you to move all of the items from your current primary vault into a new 1Password.com vault. Just follow the instructions to do so.
Next, follow the prompts to delete the old primary vault which you had been using.
If you own another iOS device, such as an iPad, you'll want to stop using the former vault on Dropbox (or wherever you kept it) and start using the 1Password.com vault. At first I tried to do this within the existing 1Password app on my iPad, but after some trial and error I learned that the best solution is to just delete the 1Password app from your iPad, download a fresh copy of 1Password from the App Store, and then add your account. Once again, I recommend that you scan the QR code to save yourself a lot of typing.
If you are using 1Password on a PC, you'll want to follow a similar approach. Use the Windows control panel to uninstall your prior copy of 1Password 4, download the new 1Password 6 for Windows from the AgileBits website, and then log in to your new 1Password.com account. Once again, there is a trick to avoid typing in all of the account details; read the Windows install instructions on this page from the AgileBits website for more info.
If you already have the latest version of 1Password installed on your Mac, you can follow the instructions on that same page to add the new 1Password.com account. And again, there is a neat trick to avoid typing in all of the details; make your QR code appear somewhere on your Mac screen (such as in the PDF version of the Emergency Kit you received from AgileBits) and then drag a see-through window in 1Password over that QR code so that 1Password can "see" it. Next, tell your Mac version of 1Password to stop using the former vault that you stored on Dropbox (or wherever). In my tests, the easiest way to do that was to go the Preferences part of the app, click on Advanced, and then turn off the final option "Allow creation of vaults outside of 1Password accounts."
If you are using 1Password Families, you will next go to the part of the 1Password website associated with your account and send an invitation to your spouse (or whoever else you are adding as one of the five users). Your spouse will follow steps similar to what I outlined above — or you can be a nice spouse and do all of this for him or her. Next, create a shared vault to share with your spouse.
The final step is to talk to your spouse and decide which entries in each of your vaults to move into the central vault so that they are shared. Often, my wife and I found that we both had an entry for an institution such as a bank, so we needed to determine who had the better entry and move that one to the shared vault, and the person with the weaker entry deleted their old entry to avoid duplicate items. This was the most time-consuming part of the whole process for me, but it did have the advantage of helping me to clean up some older entries.
Upgrading to the new subscription-based version of 1Password takes both time and money. If you don't have a need for 1Password Families and you are happy with your current 1Password setup, you might decide to wait to upgrade until AgileBits gives you a specific reason to upgrade, such as adding another feature that only works with new subscription service.
But if you and at least one other family member are going to use 1Password (or perhaps already use it), then I think it makes sense to upgrade now. You'll immediately get to take advantage of the shared vault feature to share passwords, secure notes, and other important but confidential information. And once you start the subscription, you'll know that you always have the latest and greatest version of 1Password on all of your devices. Indeed, it wouldn't surprise me if at some point soon, 1Password either stops supporting the older version, or limits features on the older version as compared to the current product which uses 1Password.com. As a subscriber, you won't have to worry about that happening, and instead you'll know that you are always using the most secure and advanced version of 1Password.