The Electron Issue

News that the desktop (Mac, Windows, and Linux) versions of 1Password 8 would be built using a framework called Electron produced reactions that, like the eponymous subatomic particle, were negatively charged. (I should amend that: the complaints came mostly from Mac users; it’s much less of a big deal on other platforms.) Virtual barrels of digital ink were spilled decrying this affront to common decency.

In case you’re not a developer and you have no idea what all the fuss is about, let me give you the extremely short and partially accurate version of the story.

Electron is a tool that lets programmers create desktop apps using the same technologies (such as JavaScript and CSS) used to build webpages. Developers like it partly because it lets them employ the same set of skills in multiple places—and it’s particularly handy if whatever desktop app you’re creating already existed as a web app. But another big part of the appeal is that, because Electron is cross-platform, you can write the underlying code for your app once and, with only modest additional effort, build versions that run on Mac, Windows, and Linux (and look nearly identical in each place).

One problem with Electron, however, is that unless developers put in considerable extra effort, the apps don’t look, feel, or act like native apps on any platform. (Technically speaking, they are native in the sense that they run code compiled and packaged according to the rules of each platform, but that distinction is not particularly meaningful for users.)

Electron apps are commonly described as looking and acting exactly like websites. (Electron-based desktop apps that are often cited disapprovingly include Slack, Discord, and WhatsApp.) Now, sure, there are some fantastic and elegant websites out there, but critics who bring up this point don’t mean it as a compliment. Their point is: interface elements like windows, menu commands, buttons, checkboxes, and toolbars appear and behave a certain way in built-from-scratch native apps, but they’re often much different on webpages, owing to the constraints of HTML and browser design. Standard keyboard shortcuts may not work, some windows may not be movable, and various other conventions enforced by existing platform-specific development tools may be ignored. It’s not that the apps don’t work; it’s just that they feel wrong.

But beyond look and feel, a more worrying complaint is that Electron-based apps tend to be huge, far out of proportion to their functionality, and to have both poor performance and massively excessive memory use. The stereotypical Electron app, as described by its detractors, offers little or no functionality beyond what you could get in a web-based version of the same app, while using up astonishing amounts of system resources that can routinely bring the app (and whatever other apps you’re using) to a crawl.

I have seen and used Electron apps that match this stereotype and are unequivocally awful. However, that’s not because Electron is inherently bad. It’s because the developers took the path of least resistance rather than going to the considerable extra effort required to make their Electron-based apps small, fast, resource-efficient, and good citizens of each operating system they run on. With effort, an Electron app can keep all its benefits of cross-platform efficiency and also be extremely well behaved.

The 1Password developers put in that effort. They did their homework, tested and optimized relentlessly, and came up with an app that’s just fine, thanks. Yes, even on a Mac.

To be sure, there are some little quirks and oddities in 1Password that reflect its Electron wrapper and that you would not typically see in a native app. For example, there’s a control that lets you reduce or enlarge the size of the entire interface—not just the text but also every icon, button, and other control. OK, yes, that does seem like something on a webpage. But also: I’m old enough that I have to wear reading glasses when using a laptop, so the option to zoom in isn’t exactly upsetting. (There are also accessibility issues, which I address ahead.)

In short, in my personal and professional opinion, the Electron-ness of 1Password 8 is mostly a nonissue. It had the potential to be awful, but it turned out not to be! Crisis averted.

Missing Features

As I mentioned earlier, 1Password 8 adds important features not found in earlier versions, but as of publication time, it’s also missing some capabilities that 1Password 7 had. Needless to say, if you depend on a feature and find it’s absent when you upgrade to a new version, you’re going to be unhappy. Fair enough. Some of the missing features are in fact gone for good, but others are merely on holiday. Here’s a quick overview:

• Standalone licenses: You used to be able to pay a one-time fee to license the 1Password app, and then use it for as long as you liked (assuming it remained compatible with your current operating system). 1Password 8, however, is subscription-only, as is true of many popular apps these days. If you stop paying, you’ll still be able to access your 1Password data, but you won’t be able to edit it, add to it, or autofill items in your browser.

• Local vaults: Separate from how 1Password is licensed, in version 7 and earlier it was possible to create a standalone, local vault on a particular device—a vault whose data didn’t live in the cloud. This post by AgileBits discusses the reasoning behind discontinuing local vaults. Although local vaults aren’t going to come back, you should be aware that 1Password stores a local copy of all your data on each device, so you can still access everything if you lose your internet connection.

• Local sync: 1Password 7 and earlier let you optionally sync your vaults between devices using a local Wi-Fi connection, bypassing the cloud entirely. Local sync was cumbersome to configure and perform, and prone to glitches, while its sole hypothetical benefit was the lack of dependence on a third-party service. But did it ever solve (or prevent) real-world problems? I’m not sure that it did. I cannot, with a straight face, claim that a local sync of strongly encrypted data is somehow more secure than a cloud-based sync of the same data. If the encryption is solid (and it is), the syncing method genuinely does not matter. I don’t expect local sync ever to return. However, AgileBits has stated that they’re considering an option for self-hosted vaults, so that you could use a server under your control, rather than 1Password.com, to store and sync your data. Whether, when, or in what form that option appears is anyone’s guess.

• Search limitations: 1Password’s search feature is now global—it searches both titles and contents of vault items, with no way to constrain it to, for example, only titles. The advanced search feature in the Mac version, which offered much more extensive control over what data to search for and where, is also gone. The loss of advanced searches on Macs also means that smart folders, which depended on that feature and were available only for local vaults, are gone. Of course, there are still numerous other ways to sort, search, tag, and filter your 1Password data.

• Limited accessibility features: This one, I have to say, kind of hurts. Because of 1Password’s Electron wrapper, some accessibility features provided by operating systems—such as voice control on macOS—are either unavailable or limited. From the operating system’s point of view, the contents of the 1Password window appear to be a webpage, so individual elements (such as buttons, fields, and menus) may not be addressable by accessibility tools the same way they would be in a completely native app. AgileBits is aware of the problem and appears serious about finding a solution, but I have no further details.

• Changing field type: You can’t change a field’s type from, say, Text to Password, or Email to URL. This seems like an obvious, useful thing to be able to do, and AgileBits has stated that it’s on their feature request list, so I wouldn’t be surprised to see it return.

• Mobile security options: Previously, the iOS/iPadOS and Android versions of 1Password offered the option of a PIN code you could use in lieu of biometric login, as a less-secure alternative to retyping your whole master password. That option disappeared in 1Password 8, but AgileBits is planning to restore it soon. Similarly, you can choose in a mobile version of 1Password to be prompted for your master password every two weeks, every 30 days, or never (after initially unlocking the app), but other arbitrary options, like requiring a password every day or every 90 days, are no longer present. It seems plausible that such options may return.

• Mac launcher utility integration: Prior to 1Password 8, Mac launcher utilities, such as LaunchBar, Alfred, and Quicksilver, could search for and open individual 1Password items, as long as you enabled a special preference. Because of architectural changes in 1Password 8, such utilities would have to rewrite their code in order to offer a comparable feature; so far, only Alfred has done so. See About 1Password and Mac Launcher Utilities.

Why This Edition No Longer Covers 1Password 7

I know there are some users who, despite all the good things about 1Password 8, are unwilling to make that transition. Perhaps they’re miffed about the subscription model, or are philosophically opposed to using cloud storage, or are missing a specific crucial feature from 1Password 7, but whatever the reason, they choose to stick with the older version. If you’re such a person, well, do what you think is best; I won’t try to change your mind. All I can really say is: if that’s your decision, this book is not for you.

Previous editions of this book did cover 1Password 7 (which, although still available for download as of early 2023, is no longer being supported or developed except for “important security updates”), and if you already own an earlier edition, you can keep reading it and using it. However, we won’t offer older editions to new purchasers of this book, since we’ve said explicitly that it covers only 1Password 8.

But why didn’t I just keep all the 1Password 7 stuff in the book, and add the 1Password 8 instructions?

When the previous version of this book was released, an early version of 1Password 8 was available on some, but not all, platforms. (Besides being available everywhere now, it has changed a lot since then!) So, all throughout the book, I had to say things like, “If you’re using 1Password 7 on a Mac, do this. If you’re using 1Password 7 on a PC, do that. If you’re using 1Password 7, but with the classic (1Password 7-style) browser extensions, which no longer exist, do this other thing. If you’re using it with the 1Password in Your Browser extensions, do something else.” And so on, in numerous variations, hundreds of times.

All that was extremely tedious to read (and write). Although there are still a few platform-specific differences, and although there are also different modes of using 1Password 8 (such as working from the browser extension, working from Quick Access, or working from the main app; see Find Your Usage Pattern), having to provide yet another set of instructions for 1Password 7—which, by the way, also differed significantly between macOS and Windows—is just too much.

It’s time for a fresh start. I have embraced 1Password 8, and even though I still hope for some of those missing features to make a reappearance, I know that this new model is the only path with a future. Sooner or later, whether through operating system changes or other factors, 1Password 7 will cease to be a viable option, and I’d rather confront the future now, on my own terms, than be dragged into it kicking and screaming when I eventually have no choice. I won’t judge you if you make a different decision, but Take Control Books is officially done selling or supporting books on 1Password 7.

Moving from 1Password 7 to 1Password 8

Let’s suppose you’re currently using 1Password 7 (or even an earlier version) and you’ve just decided to make the jump to version 8. Once you’ve signed up for a 1Password.com subscription, what’s the actual process for moving your data from local, standalone vaults to your new 1Password account?

AgileBits spells out one version of the steps in support articles for Mac and Windows. But even if you ignore those instructions, 1Password will walk you through all the necessary steps as long as you still have 1Password 7 installed.

The process looks something like this:

1. Without removing 1Password 7 (or earlier) from your computer, download and install 1Password 8.

2. Open 1Password 8 and, if prompted to do so, sign in to your account.

3. The app automatically detects your existing local vault(s) and offers to migrate the data to your 1Password account (Figure 1). Click Move Data to Account to permit this.

   

4. Follow the prompts to select the 1Password account you want to use, and then click Move Data.

1Password moves all the items from the local vault(s) to the selected account, in the process converting any folders into tags.

Get Up and Running

If you’ve never used 1Password before on a given device, the first time you run the app, 1Password presents a series of choices to help you get up and running quickly. Don’t agonize over any of these decisions, because you can always change your mind later.

Although there’s more than one way to go about setting up 1Password, what I consider the optimal series of steps looks like this:

1. Sign up for a 1Password account. As part of this process, you’ll get a 40-character secret key, which you must keep careful track of; you’ll also create a master password (see Choose a Master Password). 1Password then creates a personalized PDF Emergency Kit with your details; print this out, fill in your master password, and put it in a safe place.

2. Download the app on each of your devices and install it.

3. Open the app. Then, assuming you’ve already signed up for an account (as in step 1), click or tap Sign In and follow the prompts.

4. If prompted to do so on a Mac, optionally turn on Unlock with Touch ID and/or Unlock with Apple Watch.

5. In macOS, Windows, and Linux, Install Browser Extensions for each browser you use.

Repeat these steps for your other devices.

Choose a Master Password

When you create a 1Password account, you’re prompted to create a master password, which will protect all the other passwords you later store. This password should be both strong and memorable (a tricky combination). Later, in Understand Password Security, I discuss factors to consider when choosing any new password. However, your master password is a special case. In particular, you’ll have to type it often, so it shouldn’t be obnoxiously long or error-prone.

Because I want you to start using 1Password right away, I don’t want you to get hung up on choosing the perfect master password. (Besides, you can change it later. And, once you’ve created your first master password, you can access 1Password’s password generator to more easily devise a better one.) So, here are some quick suggestions:

• As 1Password suggests, consider using a full sentence. Your password can include spaces and punctuation, so you can type it just as you normally would. Use at least five words, and for extra security, make your sentence nonsensical (as in, Galloping sloths calculate notorious wallpaper!).

• Avoid accented letters and characters that don’t appear in English (such as é, ñ, and ß). Although 1Password can accept any Unicode character, the methods used to enter them vary by platform, and that could lead to frustration later.

• For more ideas, read this great blog post from Jeff Goldberg at AgileBits, which discusses techniques for creating better master passwords that are still relatively easy to remember.

In any case, write down your master password and keep it in a safe, hidden place. Then take some time to practice using your master password (by locking and unlocking 1Password, as I explain in a moment) to reinforce it in your memory. Typing it will become second nature soon, but in the meantime, you don’t want to forget it.

Install Browser Extensions

Although it’s possible to use the Quick Access feature built into the 1Password app to fill in logins on webpages (as well as in other apps), a number of things you might want to do in a browser, such as saving credentials and generating new passwords, require the use of a browser extension (which I explain in more detail later in this chapter; see Browser Extensions).

Browser extensions aren’t installed automatically due to browsers’ security features; you must install them manually. I recommend doing so right away.

To install the 1Password in Your Browser extension, go to 1Password’s browser extensions page, click the Install button for your current browser, and follow the prompts. You can then return to the same page and repeat the process for any other browsers you use. If you use Safari on a Mac (see 1Password for Safari, ahead), you can’t install an extension directly; instead, you must download and install the free 1Password for Safari from the Mac App Store.

Once you’ve installed the browser extension, the 1Password icon should appear on your browser’s toolbar.

Lock and Unlock 1Password

1Password has two states: locked (the default) and unlocked. When it’s locked, all your passwords and other personal data are securely protected and inaccessible to you or anyone else. But when you unlock 1Password by entering your master password or using biometrics such as Touch ID, Face ID, or Windows Hello, you (or anyone with access to your device) can freely see, copy, or edit any of the data.

On the one hand, 1Password must be unlocked to do anything useful to you, such as storing or filling in passwords. On the other hand, it must be locked to prevent anyone who isn’t you from seeing your personal information. Although unlocking 1Password is simple, it can be tedious if you have to do it too often.

So, the trick is to make sure 1Password is unlocked enough of the time to be convenient, but locked enough of the time to be safe.

Unlock with Touch ID

On any Mac with Touch ID, you can unlock 1Password with your fingerprint.

Before you can unlock 1Password using Touch ID, you must give 1Password permission to use the Touch ID fingerprint(s) that you’ve set up in System Preferences > Touch ID (Monterey or earlier) or System Settings > Touch ID & Password (Ventura or later). Then go to 1Password > Settings > Security and turn on Touch ID. (For additional information, see the AgileBits article About the security of using Touch ID or Apple Watch to unlock 1Password for Mac.)

If the 1Password app is not running and you open it, an alert like the one shown in Figure 2 appears. Rest your finger on the Touch ID sensor to unlock 1Password.

If the 1Password app is already running but locked (Figure 3), click the Fingerprint icon. When the alert shown in Figure 2 appears, rest your finger on the Touch ID sensor.

The 1Password Cloud Service

The 1Password cloud service continuously and automatically synchronizes your logins and other data across your devices. All data is securely encrypted before it leaves your device, and it can’t be accessed—not even by AgileBits employees—without your account key and master password.

Although you can interact with your 1Password account almost entirely using the desktop and mobile apps, you also have the option, should the need arise, to access all your passwords and other secure data using your web browser. (When you set up your account, you also configure a custom URL to use for accessing it.) Only a few activities, such as the initial account setup and using Travel Mode (see Use Travel Mode), require the web interface.

Even though you can get essentially all the features of the 1Password app on the web, the website itself doesn’t provide autofill or login capture capabilities for other websites. For that, you’ll need to have the 1Password app, a browser extension, or both (described just ahead).

The 1Password App

The main 1Password desktop app (Figure 4) shows all your data and provides numerous ways to organize, edit, and search it. It also lets you configure settings, check for updates, and so on.

Even though I refer to it as the “main” app, many 1Password users open it only occasionally, relying more often on either Quick Access or the 1Password in Your Browser extensions (see Find Your Usage Pattern).

To toggle display of the sidebar on a Mac, choose View > Hide Sidebar or View > Show Sidebar, or press ⌘-Shift-D. In Windows or Linux, hide the sidebar by clicking the More icon and choosing Hide Sidebar from the pop-up menu; display again by clicking More and choosing Show Sidebar; you can also toggle the sidebar by pressing Control-Shift-D.

Quick Access

The desktop versions of 1Password include a special window called Quick Access, which is available systemwide—even when the 1Password app is closed (Figure 5). You can display it by clicking the 1Password icon on the menu bar (Mac) or in the system tray (Linux), or right-clicking it in the notification area (Windows), then choosing Open Quick Access from the menu. You can also press ⌘- (Mac) or ⌘/Ctrl-Shift-Space; you can customize this shortcut, if you like, in Settings > General. To avoid having to click through a menu each time, you can set Quick Access to open with a single click on the 1Password icon on the menu bar, or in the notification area or system tray; in Settings > General choose Show Quick Access from the “Click the icon to” pop-up menu.

Although it looks like a “helper” app, Quick Access is quite powerful on its own, and because it’s available instantly throughout your system and nicely compact, you may choose to use it more often than the main app. It can search and display all your logins, credit cards, identities, secure notes, software licenses, and other 1Password data. Quick Access automatically displays suggested items if the context provides enough clues. Otherwise, to search in Quick Access, just type a portion of an item’s name or contents; matching results appear instantly.

With an item selected (via a mouse or the arrow keys on your keyboard), you can do the following:

• Press → or click the “More options” pop-up menu to see major commands and their keyboard shortcuts.

• Open a login in your default web browser and fill in your stored credentials automatically (Alt/Option-Return).

• Autofill credentials on webpages you’ve navigated to manually, as well as in Mac apps (Shift-Return).

• Copy the item’s username (⌘/Ctrl-C), password (⌘/Ctrl-Shift-C), or one-time password (⌘-Option-C/Ctrl-Alt-C). (For credit and debit cards, these three keyboard shortcuts copy the card number, verification number, and expiration date, respectively.)

• Open an item in a separate window (⌘/Ctrl-O).

• Display additional keyboard shortcuts (⌘/Ctrl-/).

Browser Extensions

In order for 1Password to perform tricks like displaying pop-up menus of saved logins in username/password fields and automatically saving the credentials that you enter on webpages, it needs low-level access to your browser. Browser extensions provide these “hooks.” (For help with installing browser extensions, flip back to Install Browser Extensions.)

Previously, 1Password extensions came in two main flavors: 1Password classic extensions, which simply functioned as conduits to the main 1Password app; and the more modern 1Password in Your Browser extensions, which embed most of the functionality of 1Password right in the extension such that you can use it whether or not the main app is installed. As of 1Password 8, only this newer extension type exists. Safari, meanwhile, has its own special extension flavor because of Apple’s security requirements, but it’s functionally equivalent to 1Password in Your Browser.

1Password in Your Browser

1Password’s browser extension, called 1Password in Your Browser, was formerly known as 1Password X (Figure 6). It looks and acts much like the full version of 1Password, can fill and save passwords, and gives you access to many but not all of 1Password’s other features (see the sidebar 1Password App, 1Password in Your Browser, or Both? ahead). Since the extension can’t include the persistent storage and syncing capabilities of a desktop app, it stores its data in (and retrieves data from) the cloud.

Currently, 1Password in Your Browser supports Brave, Chrome, Edge, and Firefox (Safari offers the same features with its own special type of extension; see 1Password for Safari, ahead), and you can use it either on its own or—for best results—in combination with the 1Password app. 1Password in Your Browser is also a huge win for people who use Chromebooks, giving them a way to run 1Password even though there’s no standalone version of the app for Chrome OS.

1Password for Safari

Because of Apple’s design requirements for Safari extensions in macOS, the 1Password in Your Browser extension can’t be installed by itself. Instead, if you want full 1Password integration in Safari, you must install a separate, free app from the Mac App Store called 1Password for Safari, which in turn includes a built-in Safari extension.

After installing the app, you also must enable it in Safari by choosing Safari > Settings/Preferences > Extensions and selecting 1Password for Safari. Safari may then automatically prompt you to give the extension permission to access websites (Figure 7); if not, click the 1Password icon on the toolbar (and authenticate with your master password, Touch ID, or Apple Watch if necessary). Click Always Allow on Every Website to enable 1Password to enter and save credentials on any site you may visit; any other choice will lead to lots of annoying additional prompts in the future.

By default, 1Password for Safari behaves almost identically to 1Password in Your Browser, with only a few minor differences in settings. So, for the purpose of this book, wherever you see “1Password in Your Browser,” you can assume that whatever I’m describing works the same way in 1Password for Safari, unless otherwise specified.

1Password Data Vault

The final major component of 1Password is your encrypted data itself, which 1Password refers to as a vault. You can have multiple vaults if you find that arrangement convenient for organizing your passwords. The master copy of each vault is stored in the cloud, and each device has its own copy—unless you’re using 1Password in Your Browser without the desktop app installed.

Enter Your First Login

First, make sure your browser’s built-in password autofill feature is off, at least for the moment, so you can see exactly what 1Password is doing. (To do this, check your browser’s preferences or settings—look for a heading such as AutoFill, Passwords, Security, or Advanced.)

Go to a site where you already have an account that isn’t yet in 1Password, and then:

1. Go to the login page so that you can see the field for username/email address (and, on some sites, the password field).

2. Fill in your credentials manually (by typing, copy and paste, or however you usually do it). On some sites, you might have to click Next or some other button between entering your username and your password.

3. If you click the 1Password icon in the username or password field, a pop-up control appears (Figure 10) with a Save in 1Password button. Click that, and a dialog (Figure 11) shows you the details that will be stored.

   

   

4. If you have more than one vault, optionally choose a different vault from the vault pop-up menu in the upper-right corner of the dialog.

5. Optionally edit the site’s name. You can also fill in one or more tags (see Use Tags). Then click Save.

6. Log out of the website (look for a Log Out or Sign Out link or button), and return to the login page.

7. It’s time to log in again, but this time with 1Password. To do so, click in the username or password field. An entry for the site appears below the field; click it or select it with the arrow keys and press Return. Then click the Log In, Sign In, or similar button.

1Password logs you in.

That’s it—you now know how to save a site’s credentials and log in to it later using 1Password. Now repeat this process with a few of your other favorite sites. And remember, even though that may seem like quite a few steps, it really takes just a click or two to save your credentials, and a click or two to fill them in later.

Create a New Password

Now let’s use a similar process but with the added step of creating a new password for a site on which you don’t already have an account:

1. Pick a site (perhaps from the previous list of suggestions) where you don’t already have an account, and go to the registration page so that fields for username/email address and password are visible.

2. Fill in your username or email address manually, along with any other requested information—except a password.

3. Click in the password field.

4. Click Use Suggested Password in the pop-up control (Figure 12). (If you want a shorter or longer password, or a different style of password, than the one shown by default, see Create and Save Logins.)

   

   1Password fills in the suggested password (repeating it in a second field, if necessary) and displays the Save dialog shown in Figure 11.

5. If you have more than one vault, optionally choose a different vault from the vault pop-up menu in the upper-right corner of the dialog.

6. Optionally edit the site’s name. You can also fill in one or more tags (see Use Tags). Then click Save.

7. Click the button or icon that submits your credentials (such as Submit or Log In).

8. In most cases, you’ll need to confirm your account by clicking a link in an email message, so be sure to do that before continuing.

9. Log out (look for a Log Out or Sign Out link or button), and then go to the login page on the same site.

10. Now, try signing in. To do so, click in the username or password field and click the entry for the site that appears below, or select it with the arrow keys and press Return. Then click the Log In, Sign In, or similar button.

1Password logs you in.

That’s it! You’ve generated, stored, and filled in a new password. You might consider repeating these steps a few times on different websites just to make sure you can complete them quickly in the future.