Getting started with 1Password for your growing team, or refining your setup? Our Secured Success quickstart guide is for you.
Onboarding experience: too hard
I have used 1P for many years, and it suits my needs as a software engineer nearly perfectly. However I have suggested it to a number of friends, and done the work of getting two distinct types of user up to speed: my partner (1P Families), and as the IT manager at a smallish company (1P Business). I started both a year or more ago, and thought I would share my experiences. tl;dr After a year, people are still struggling to understand 1P, and are still failing to gain the core benefits such as reused passwords. The main challenge my users have faced is how to migrate from whatever they used before ... intentional or not. My partner uses a Mac and iPhone, and has home and work Google accounts. She doesn't really understand that Safari and Chrome are different things, but uses both at work and home. In both cases, she accepted the default password management features, with autofill in chrome, and various flavors of Apple password managers. At any given time, without reconfiguration, all of these PW managers are competing to manage a password, and the result is confusion, and inevitable password resets "just to get in". So, the user ends up with multiple possible passwords saved in multiple places: Google, Apple, and now 1P. The same has been an issue for my co-workers, who are also at varying levels of technical awareness. The first thing I did for my partner, mainly to make her feel confident, was to import all the passwords from Google and Apple PW managers. This turns out to have been a really bad idea, and also, it's really a great deal harder than it should be -- not very well documented, hard to find on the site, and some parts of it didn't seem to work. This is a terrible idea because Google, at least, saves a new password for any different URL it finds, so there can be multiples just for one site. I am not sure about the Apple version, but the result was that we had at least two, often many more saved passwords imported into 1P. Finally, unless these PW managers are turned off, they keep adding their confusion to the mix. Suggestion: build an importer that figures out how to actually migrate to 1P. There may not be APIs that allow this to be automated, but at least you could build a step-by-step process, and a checker that sees the status and warns users. Ideally the tool would merge (or offer to) sites at the same domain, would identify a suitable name for the 1P entry, would retain history (archive) of old logins, and would coach the user through confirming the result on computer and phone. Passkeys and MFA are both great when 1P gets them right. But I am still regularly assaulted with the option to use passkey with my Amazon account, as well as my AWS accounts. The MFA process is kind of klunky
Enhance Security Against Windows 11 Recall Feature
Dear 1Password, I am writing to express concerns regarding the privacy implications of the Windows 11 Recall feature, which automatically captures screenshots of user activities. As highlighted in Signal’s recent announcement (https://signal.org/blog/signal-doesnt-recall/), this feature raises significant risks for applications handling sensitive data, as it could inadvertently capture and store confidential information. Given that password managers store highly sensitive data, such as login credentials and personal details, I strongly urge you to implement robust safeguards to protect user data from being accessed or recorded by the Recall feature or similar technologies. Signal has temporarily adopted DRM technology to mitigate this issue, but I recommend exploring additional or more advanced measures, such as: 1.Preventing Screenshot Capture: Implement mechanisms to block or obfuscate screenshots taken by the Recall feature when your application is in use. 2.Encrypted Data Display: Ensure that sensitive data is displayed in an encrypted or masked format to prevent exposure in screenshots. 3.User Notifications: Provide clear alerts to users when the Recall feature is detected, advising them to disable it or take precautions. 4.Enhanced App Isolation: Use sandboxing or other isolation techniques to prevent external applications from accessing your app’s data. By proactively addressing this issue, you can enhance user trust and ensure that your password manager remains a secure solution for managing sensitive information. I hope you will consider these suggestions and share any plans to implement protective measures. Thank you for your attention to this critical matter. Sincerely, Din
Watchtower idea
So I go into Watchtower, and it's always pretty overwhelming—68 vulnerable passwords, 78 weak ones, etc. Trying to get this in better shape is daunting. So I do what most people do: close Watchtower and try not to think about it. But what if we could chip away at it in a way that didn't feel so overwhelming? What if every day, 1Password gave me one website from Watchtower to change my password on? It could priorities sites that are both vulnerable and have passkeys available, so it's only a couple clicks and users start seeing progress. Then it goes to vulnerable, and down the line of whatever is most important. In just a few weeks you'd start seeing your score improve which is relieving and motivating.Feedback and a feature request regarding passkeys on the Mac
Passkeys are still mostly useless on MacOS. Can 1password just bite the bullet already and implement native password manager support on MacOS? Although I love the autofill shortcut (shift+comand+space) and it truly is the best UX I've used on a password manager, that alone isn't enough to make me cough up 1password subscription fees for eternity when it remains fundamentally broken on the OS I'm using all day. I have a feeling the discussions have gone like this: Should we implement native password manager support on MacOS? It's yet another platform to support. How many points? [Estimates] Hmm, well we've got X that needs to get done this quarter. Next quarter is Y. And we've been putting off Z forever and senior engineers are going to start quitting if we don't fix THAT! Can users live without it? Well, sure. They've got the browser plugins... Great! Let's just table this for now and revisit it when we've got more capacity. Totally understandable! We've all been there. The problem is this really sucks for a few reasons. Here they are: (MAJOR) Passkeys: Unfortunately on MacOS the browser extensions seem to be the ONLY way to use Passkeys. That is problematic for a few reasons. The biggest issue is that browsers are NOT the only place you might need to auth on a computer. Sure it's 80% or more. But even if it were 99%, the software is not called .99password, it's 1password. I've already run into situations with native apps where I'm being prompted for a passkey. Your current solution will never work here. You might be thinking: "WHAT! Native apps using passkeys?! That is so rare and uncommon! We cannot expend engineering effort on a mere 1% of use cases!" Sure, maybe now. But it's happened to me multiple times and passkeys are pretty new. I can't imagine they're going away after all the effort to roll them out. It's only a matter of time. And for people who don't use the browser extensions, they are experiencing this pain every single time they are prompted for a passkey (GRIPE: Browser extensions) You're almost a victim of your own success (almost). The autofill shortcut works so well I have absolutely no desire to install the much less functional browser extensions. I use several browsers (I'm an engineer) and they honestly are pretty mediocre in how well they work and they're frustrating to use. I should need to log into 1password ONE time. Not 1 + N, where N is the number of browsers. They're constantly prompting me for my password, they need to be kept up to date, and frankly the UX just isn't great. I'm sure for various reasons (like non MacOS operating systems) you need to keep them working, but on MacOS they just aren't the best way to use 1password (nor are they a differentiator - every password manager, free or paid, has these, so I'm certainly not losing anything wrt these by switching away from 1password). In case you want to interpret this to mean "make browser extensions better", that is NOT what I'm saying. I'm not going to use them. It's simply more unnecessary complexity, more to keep in sync wrt updates, more surface area for attack, etc. Not happening. Wow. 1password doesn't really support the major authentication initiative that everyone is switching to? Sounds dire! Luckily there is a solution! Unfortunately for 1password, all a user needs to do is stop using 1password. The solution is simple: use the built-in free password manager Apple rolled out recently (alongside the API to actually support passkeys properly, in fact). That works great! I've simply been saving all my passkeys there. I did have it turned off for a while and was using 1password exclusively. But due to 1password's lack of compatibility with passkeys, it's turned back on. Now whenever it asks to save any of my credentials, I say yes. Eventually, I'm sure it will have pretty much everything. And once it has everything, does it really make sense to keep paying for 1password? Just implement the dang API already. Get it on the roadmap. A decent engineer could have that production ready in a month if you just said "go" and got out of their way for a while (tell them they don't have to attend any planning meetings if they can meet the deadline, you'll have people fighting to take it). Sent with ❤️. I never knew a password manager could be so great. If I didn't care and want you to be successful, I wouldn't waste spend my time on this.[Feature Request] Custimize App name and icon
I don't want the people around me to know that I'm using 1Password, such as colleagues and friends who accidentally see my device's screen, as well as my girlfriend. If my girlfriend knows that all my passwords are stored in 1Password, she will definitely force me to tell her 1Password account password, and I won't be able to refuse. The best security measure is not layers of encryption, but rather to prevent others from even knowing its existence in the first place. In this regard, 1Password is not as good as Bitwarden. Most people have no idea what Bitwarden is for, but it's immediately obvious what 1Password is. 1Password would be much safer and useful if it allow users to customize the app's name and icon (as well as desktop software and browser extension). Telegram already allows users to customize the app icon, so technically it shouldn't be a problem. If this feature can be implemented, I will be a 1Password subscriber forever.Google's advanced protection
I use 1password and have enabled google's "advanced protection" (https://landing.google.com/intl/en_in/advancedprotection/). I recently attempted to restore my android phone from backup and found it impossible to logon to google without temporarily disabling advanced protection. Note that the restore logon takes place before I have 1password on the device. Google insisted that I use my passkeys which were not on the device. It also had an option to scan a QR code from another device which had the passcode, but I don't know of a way to scan this QR code from 1password. Has 1password thought of supporting this somehow, or is temporarily disabling the advanced protection the preferred solution?
