
Maximizing 1Password Security (with a local vault)

Like most, I advocate a password manager, and have frequently recommended 1Password (for years). However, I have led something of a double life in utilizing 1Password without a subscription to store “important” passwords within a “local” iPhone vault, whereas I’d place my less critical credentials (think: Netflix) in LastPass for efficient cross-platform access, including a computer browser extension.

While 1Password has never been breached and their technical architecture is actually fortified to keep our data secure in that scenario, experience tells us to never say never – nothing is foolproof. But even if their cloud and our vaults remain secure, computer operating systems and browsers provide additional vectors of attack. Any random rogue browser extension can read everything (and I suspect that is how my Yahoo Mail address book was harvested, years ago) – including that 1Password web view of your vault. Which is why I railed against 1Password’s 2017 cloud requirement (which they wisely, thankfully backed off of).


What I didn’t realize at that time, after they decided to support both cloud and local accounts, is that the two implementations can coexist. So, this week I finally subscribed to 1Password ($36/yr) and was able to kick LastPass to the curb (with a clean, comprehensive import). Once 1Password merged my existing passwords into a new cloud vault, I blew away the local vault, recreated it, and moved over financial institution and other sensitive credentials from cloud to iPhone. I just don’t want them anywhere on the web. (Then I emptied my 1Password trash which, under normal circumstances, they conveniently retain for 12 months. “Local” iPhone vaults can optionally be backed up to iCloud or across the LAN, should one so choose.)

Beyond the above, as two-factor auth has taken off, 1Password has been a godsend in collocating those rotating 2FA codes alongside passwords and automagically pasting them to the clipboard as needed. No dedicated authenticator app required. (And many thanks to Adam for turning me on to this feature a year or so ago!)

Comments

  • There are many elements of the LastPass interface I prefer, but a local vault is a requirement for me and I don't believe they offer that. I also don't believe they provide two-factor codes within each entry. While not originally a requirement, now I'm never going back - despite the reasonable argument against putting all eggs in one basket. LastPass also had a couple incidents and (based on Twitter friends) a history of questionable support, since being acquired.

  • Mike - LastPass stores your 'vault' in the cloud, with no option to keep your data strictly local. The advantage is that your passwords are synced across multiple devices, but there is some risk that your data could be hacked.
    I am a LastPass user, but maybe I'll check out 1Password in order to keep my most critical passwords (Google / Yahoo, which is the key to recovering everything else) off the cloud. Or I can go back to writing it on a Post It stuck under my keyboard. :)

Published by
Dave Zatz