LastPass vs 1Password Part 1 of 3 - 1Password

LastPass vs 1Password Part 1 of 3 – 1Password

This is the question that has been plaguing me for quite some time: LastPass vs 1Password. Two very similar applications with two very different methods of execution. They both have their strengths as well as their weaknesses. Before I begin, a brief summary on these two great applications.

What is LastPass and 1Password?

Think about all the passwords you have. You have your email, online banking, maybe services like PayPal, Ebay, iTunes, a personal blog, and so on. More often than not, people will end up using the same password for everything. While this may seem to be convenient for you, it’s a severe security risk. All it takes is just one of these sites to become compromised, resulting in an attacker now having access to your email address and password for the attacked site. Should you use the same password for everything, they now have access to your email, and just about every other service you use that password with.

LastPass and 1Password are just two applications set out to increase your security while online. The two applications generate passwords like c>*mvbayJ3>adP97RTeELL$6rbGusxQv or 7pf[cBMn?z8Vo}6jk&DBnJEW4dTNLYqY to use with your online accounts. Furthermore, each online account you have will have a different combination of random numbers and letters. Now, should a hacker get your username and password from an insecure website like Gawker, the attacker won't be able to use your password to log into any other account you have online.

What it comes down to: every one of your online accounts will have a different, extremely complex password.

How do LastPass and 1Password differ?

While both of these applications reach out to achieve the same goal, it comes down to one main difference. LastPass is a hosted service and 1Password is not. When you use LastPass, your passwords are securely stored on LastPass's servers and are accessible from anywhere in the world you have an internet connection. 1Password, on the other hand, stores all of your passwords in a collection of files stored on your computer. There are some other minor differences, but it just comes down to where your data is stored.

User Experience

Here is my personal experience using the two applications. Keep in mind the way I use these application may differ from what you need. Additionally, I do not consider myself an expert in both of these applications, therefore there are some features I may have overlooked.

1Password

First off, 1Password is going to cost you a bit more than LastPass. They have different prices for Mac and Windows ranging from $29.95 for Windows to $39.95 for Mac to $59.95 for both. They also offer "family" licenses if you want to let your entire family benefit from 1Password. More importantly, there is no Linux version. I suppose you might be able to get the Windows version running in Wine, but regardless there is no native Linux version of 1Password. Additionally, it seems as though they do not offer free upgrades. Currently, the PC version is lacking many features and eyecandy that are available in the Mac version. When the new major version of 1Password is released for Windows, I suspect you will have to pay for an upgrade.

Interface

Since I'm a PC user and don't have a Mac, all these screenshots were taken under Windows. If you want to see how 1Password looks on the Mac, take a look here on the products website. However, it turns out that they only show screenshots on the Mac, at least on their main site. Screenshots for the Windows version can be found buried through the online knowledge base/wiki.

After getting 1Password installed and setup, you're presented with an application that looks like this:

The application itself is fairly well designed. I've never experienced a crash or hang yet, so nothing to complain about there. The ellipsis button next to the password field brings up an on-screen keyboard to let you use your mouse to type your password.

Now, this next screenshot is a little messy due to the information I had to black out. Here's what you're presented with after entering your master password.

There isn't too much to talk about. You have the tool bar up top used to lock your passwords, preferences, multiple options for adding new information, followed by Auto-Type and Find. Lock and Preferences should be pretty self-explanatory. 1Password stores more than just passwords, as you can tell from the rest of the tool bar. These include Wallet Item, Account, Software, Secure Note, and Identity, all of which are visible below. New Folder is for organisation, Auto-Type types your password into any window (not just web browsers) and Find just searches through all of your passwords.

So 1Password doesn't just stop at username and passwords, it can go far beyond that. However, the biggest problem I have with 1Password is that, while it stores all of the information on your computer and no where else. While some people see this as a good thing, it could turn out to be devastating. Take this into consideration, a computer virus that corrupts the data on your hard drive, taking your 1Password accounts with it. Perhaps your main computer is a Laptop and you lose it. With any important data, it's always important to maintain a proper backup. By setting your 1Password data folder to a folder in your Dropbox (referral link) you can easily keep your 1Password data backed up and synced between multiple computers. In fact, the creators of 1Password recommend the use of Dropbox (referral link) for keeping your 1Password data synced between multiple computers.

So, now you have a very well made application designed to keep your data secure, and you have your secured data. But, what happens when you need to log into your email account from a mobile phone and you're not near a computer to check your 1Password vault for your password? For that you'll need to download the mobile application available on Android (free) or the iPhone ($9.99). If you need it on your iPad that's also another $9.99 or you can get the iPad and iPhone/iPod version together for $14.99. Once you've installed the application you'll give it your Dropbox account information and it will pull all of your passwords down to your device, as well as keep any changes and new additions in sync with your desktop. In my opinion, the 1Password iPhone app (I can't speak for the iPad or Android app, having never used or seen it) is extremely well made. Only necessary data is shown to the user, it's very intuitive, and is one of the few iPhone applications I've used that actually hasn't crashed yet.

PIN prompt to access the 1Password app after returning to the app after a short while

Master password prompt to reveal account passwords

Additionally, if you need to access your 1Password vault from a public computer, the only way to do so is through your Dropbox account. However, if you use 1Password to access your Dropbox account, this step becomes quite difficult. Additionally, you risk the public computer containing a keylogger and exposing your Dropbox password and your 1Password master password. Because of this, it makes accessing your 1Password vault from a public computer next to impossible, at least not safely. Because of this, 1Password is not the ideal solution for storing your passwords if you frequently use computers that aren’t under your control.

Finally, we have the browser extensions.

Startup time for IE 9 extensions.

From the looks of their IE plugin, they’re doing something wrong. The 1Password add-on for IE nearly takes 100 times longer to start than the Skype plugin, and exponentially longer than any other add-on that IE loaded. While I don’t use IE and I hope you don’t either, it still shows they are doing something wrong in the browser plugin department.

Additionally, this warning is presented when you try and use the 1Password Add-on

The Chrome plugin is nothing more than the same web interface used in your 1Password data folder, only it’s tucked away in a nice tiny pop-up window off the Chrome extension icon. Sometimes the window will fail to load, requiring a restart of Chrome or having the extension disabled and re-enabled. Must like the rest of the design work, the extension is just as well put together as everything else 1Password has to offer.

After extended inactivity, the vault will lock and the master password is required to unlock it.

When accessing a web page, the extension will, by default, only show passwords that you've setup for that domain name.

You can also generate random passwords directly in the web browser and automatically fill out password fields with the new password.

When it comes down to it, 1Password seems like a great solution, but it also lacks some features that competitors offer. To me, 1Password seems to spend more time on aesthetics and less time on adding additional features. They even go on to admit the Windows version lacks many of the features they have on the Mac client. While I wouldn’t say I hate 1Password, I do see a lot of areas where it could use improvement.

In the upcoming days, I’ll have another post outlining the features LastPass has to offer, followed by a final post which directly compares the two services together while highlighting their specific strengths and weaknesses.

Update: Here’s Part 2!

March 29, 2011 Security 9 Comments

Rafi

For a long time I’ve used the crappy Roboform to store 300+ pwrdz. I couldn’t take it anymore. LastPass debut got so much buzz, but that’s just one thing I’m not gonna store on the cloud.
I waited till 1Password had their first stable Win version, and bought it. Been using it for a long time. It’s a joy. Who uses IE ?? :) Only FF/Chrome. I can store all kinds of sensitive data on it, and its just a shortcut away on any device.
Well off to read part 2 :) good article man !!
http://twitter.com/alan_miller Alan Miller

While it’s outside the scope of what you’re doing, it may also be worth considering KeePass and its various implementations.

If you use the older 1.x database, it’s available for just about every platform out there (including iPhone, Android, Blackberry, J2ME); using the 2.x rewrite limits you to read-only on some implementations (esp. Android) but adds additional features (there’s a feature comparison on the site). There is some kind of browser integration available, but I’ve never used it so I don’t know the details. Note that the 1.x version (“Classic”) is not a dead-end, it continues to be supported and updated but its binary file format is essentially fixed so features like history and multiple custom fields are only in the 2.x branch (“Professional”) with its XML-based storage.

For portability you can store your KeePass file on a DropBox account, though this does require that you log into DropBox to get to passwords.
Pingback: LastPass vs 1Password Part 2 of 3 – LastPass | Ryan Kearney
http://www.facebook.com/people/Ido-de-Lepper/100001427916259 Ido de Lepper

I did some lastpass researching this weekend, using more secure methods, like using a yubikey. Sounds safer, but you are only as safe as your email’s password. If you lost your yubikey its possible to disable it by having lastpass send you an email with a link to disable it. So whats the point in that?
Also people should disable the “remember password” feature of their browser and use 1password/lastpass to be safe.

I am realy curious what your conclusion will be, will 1 favor the other.
Anonymous

also looking forward to the next posts, this is great timing, all the other comparisons of these two products are like 2 years old.
http://www.facebook.com/people/Ido-de-Lepper/100001427916259 Ido de Lepper

btw, one new thing I notice, google chrome also offers session/password syncing, so you can have the same functionality as these 2 applications. Of course you are dependent on using Chrome as a browser, but its free though.
http://www.facebook.com/people/Ido-de-Lepper/100001427916259 Ido de Lepper

Good read, im curious about the next issue about LastPass.
I think you covered most categories
– using it at home
– syncing it, so you can use it from other computers (home, work, etc)
– using it from a public terminal
– using it from your mobile

Somehow storing the data locally (1pass) gives the feeling that its more save compared to storing it online somewhere (lastpass). mm, also wondering what happens if you dont have internet… but then again, logging in won’t matter anyway then. Or what happens if the lastpass site is down…

Anyway, Im still thinking about what to pick.
Good luck writing the next part.

http://www.ryankearney.com/ Ryan Kearney

Thanks, the LastPass post is about half way done now. Once it’s posted I’ll have one more follow-up that directly compares the two together, directly highlighting the benefits of one over the other. You raise a good point regarding what happens when LastPass is down, I’ll be sure to cover that in my next post.
Lucas Renzi

Sounds like you’ve done a bit of research, this is what convinced me to use LastPass, a 1-hour podcast about it: http://twit.tv/sn256

Ryan Kearney

Twitter

Categories

Archives