A huge problematic deficiency of 1Password is that it lacks literal multi-line text field types.<p>The items in its database let you define custom fields for them, but there is no literal multi-line text field. There's a "File" type, but you can't simply define fields with multi-line text values. However, every item has exactly one built-in "notes" field, but that's actually styled markdown text. And you only get one. And its name is always "notes".<p>It would obviously be extremely useful to be able to define an arbitrary number of arbitrarily labeled multi-line text fields that are not interpreted as markdown text.<p>It boggles my mind that 1Password doesn't support this. What were they thinking??? It makes it a real pain in the butt to store ssh keys and certificates and a lot of other types of information in 1Password.<p>A single markdown "notes" field just doesn't cut it. It's not as if it's technically challenging or a security risk. It already has a "notes" field, so just turn off the "rich text" feature and allow me to make my own! I would have thought it was a pretty obvious and often requested feature, but as far as I can tell, it's impossible!
Ah neat, the app exposes an ssh agent socket:<p><pre><code>export SSH_AUTH_SOCK=~/.1password/agent.sock</code></pre>
So you would essentially replace Keychain, Gnome-keyring, or the vanilla SSH-agent with 1password. Very nice solution.
I think this is a bad idea for users. I don't think SSH keys are things you should share across machines in a password manager. If you have two devices, then you should have two keys (though this is the subject of some debate; see [0]). Using the 1Password SSH agent encourages people to have "one" SSH key across devices, which means that any leaks will disproportionately impact them.<p>It's unfortunate, because there is some real innovation around the per-application usage permissions:<p>> 1Password will ask for your consent before an SSH client can use your SSH key. Because of this, there's no concept of adding or removing keys like with the OpenSSH agent.<p>If an organization wishes to solve the SSH pubkey distribution problem (the main reason one would copy a private key across machines), then they should use SSH certificate authorities like [1]. In fact, I think that would be a far more interesting 1Password product—HashiCorp Vault could use some competition for this kind of use-case.<p>[0]: <a href="https://security.stackexchange.com/a/40061" rel="nofollow">https://security.stackexchange.com/a/40061</a><p>[1]: <a href="https://www.vaultproject.io/docs/secrets/ssh/signed-ssh-certificates" rel="nofollow">https://www.vaultproject.io/docs/secrets/ssh/signed-ssh-cert...</a>
For Bitwarden users, let's support the idea in the forum!<p><a href="https://community.bitwarden.com/t/implement-ssh-agent-protocol/833" rel="nofollow">https://community.bitwarden.com/t/implement-ssh-agent-protoc...</a>
I'm quite excited about this as a potential way to avoid the problem that, once a key is added to an agent, any process can then use it. It looks like this prompts for permission for each process that wants to use the key, but then doesn't prompt again.[1] I've tried using various tools for this but they've always been too clunky. YubiKeys work well with their requirement to be physically touched, except you continuously have to press them when using git commands (multiple times if fetching many remotes).<p>I haven't been able to see anything about how this handles agent forwarding over SSH. Does anyone know?<p>[1] <a href="https://developer.1password.com/docs/ssh/agent/security" rel="nofollow">https://developer.1password.com/docs/ssh/agent/security</a>
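What sits behind an agent socket like the `SSH_AUTH_SOCK` path quoted earlier in the thread, and what "any process can use it" means in protocol terms, is easiest to see on the wire. The following is an added example, not code from the thread, from 1Password or from OpenSSH: a minimal ssh-agent protocol client (the equivalent of `ssh-add -L` plus a sign request) talking to a mock agent in the same process. Message numbers are the ones from the draft-miller-ssh-agent specification; the mock agent, its socket path and its key blob are constructed for the example, and the mock never signs, so a sign request gets the `SSH_AGENT_FAILURE` that a declined consent prompt would also produce.

```python
"""Minimal ssh-agent wire-protocol client plus a mock agent (added example).

Every agent message is a uint32 length followed by a one-byte type and
type-specific fields; strings are uint32-length-prefixed byte strings.
The mock agent lists keys and refuses to sign, which is the refusal path a
client sees when an agent declines a request.
"""
import os
import socket
import struct
import tempfile
import threading

SSH_AGENT_FAILURE = 5
SSH_AGENTC_REQUEST_IDENTITIES = 11
SSH_AGENT_IDENTITIES_ANSWER = 12
SSH_AGENTC_SIGN_REQUEST = 13
SSH_AGENT_SIGN_RESPONSE = 14

# Constructed ed25519-shaped public key blob: string "ssh-ed25519" + string(32 bytes).
FAKE_KEY_BLOB = (struct.pack(">I", 11) + b"ssh-ed25519"
                 + struct.pack(">I", 32) + bytes(range(32)))
MOCK_IDENTITIES = [(FAKE_KEY_BLOB, "laptop@example (constructed)")]


def put_string(b):
    return struct.pack(">I", len(b)) + b


def get_string(buf, off):
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n


def recv_exact(sock, n):
    data = b""
    while len(data) < n:
        chunk = sock.recv(n - len(data))
        if not chunk:
            raise ConnectionError("agent closed the socket")
        data += chunk
    return data


def send_msg(sock, payload):
    sock.sendall(put_string(payload))


def recv_msg(sock):
    (n,) = struct.unpack(">I", recv_exact(sock, 4))
    return recv_exact(sock, n)


def list_identities(sock_path):
    """What `ssh-add -L` does: enumerate every key the agent will offer."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(sock_path)
        send_msg(s, bytes([SSH_AGENTC_REQUEST_IDENTITIES]))
        reply = recv_msg(s)
    if reply[0] != SSH_AGENT_IDENTITIES_ANSWER:
        raise RuntimeError("unexpected reply type %d" % reply[0])
    (count,) = struct.unpack_from(">I", reply, 1)
    off, keys = 5, []
    for _ in range(count):
        blob, off = get_string(reply, off)
        comment, off = get_string(reply, off)
        keys.append((blob, comment.decode()))
    return keys


def request_signature(sock_path, key_blob, data, flags=0):
    """Ask the agent to sign `data`; None means the agent refused."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(sock_path)
        send_msg(s, bytes([SSH_AGENTC_SIGN_REQUEST]) + put_string(key_blob)
                 + put_string(data) + struct.pack(">I", flags))
        reply = recv_msg(s)
    if reply[0] == SSH_AGENT_FAILURE:
        return None
    if reply[0] != SSH_AGENT_SIGN_RESPONSE:
        raise RuntimeError("unexpected reply type %d" % reply[0])
    return get_string(reply, 1)[0]


def mock_agent(listener, identities, connections):
    """Serve `connections` clients: answer key listings, refuse everything else."""
    for _ in range(connections):
        conn, _ = listener.accept()
        with conn:
            try:
                msg = recv_msg(conn)
            except ConnectionError:
                continue
            if msg[0] == SSH_AGENTC_REQUEST_IDENTITIES:
                body = struct.pack(">I", len(identities))
                for blob, comment in identities:
                    body += put_string(blob) + put_string(comment.encode())
                send_msg(conn, bytes([SSH_AGENT_IDENTITIES_ANSWER]) + body)
            else:
                send_msg(conn, bytes([SSH_AGENT_FAILURE]))


def demo():
    """Run client and mock agent in one process; returns (keys, signature)."""
    sock_path = os.path.join(tempfile.mkdtemp(), "agent.sock")  # constructed path
    listener = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    listener.bind(sock_path)
    listener.listen(2)
    t = threading.Thread(target=mock_agent, args=(listener, MOCK_IDENTITIES, 2))
    t.start()
    keys = list_identities(sock_path)
    sig = request_signature(sock_path, FAKE_KEY_BLOB, b"constructed auth-request bytes")
    t.join()
    listener.close()
    os.unlink(sock_path)
    return keys, sig


if __name__ == "__main__":
    keys, sig = demo()
    for blob, comment in keys:
        print(f"{comment}: {len(blob)}-byte blob")
    print("signature:", sig)
```

The point for defenders is in `list_identities` and `request_signature`: the protocol has no authentication of its own, so whoever can open the socket (the same user, or anything the socket is forwarded to) can enumerate the keys and ask for signatures, and the only thing standing between that request and a signature is whatever policy the agent applies before answering, which is why a per-process consent prompt is a meaningful control and why a forwarded agent socket deserves the same scrutiny as the key itself.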
And yet we still can't use the keyboard to navigate to the `Generate Password` button like we could in every version of 1Password before the current one.
Since krypt.co's use case of SSH key handling fell by the wayside, I recently switched my keys over to Secretive[0], which stores keys in your Mac’s Secure Enclave or YubiKey and, in the case of the former, uses Touch ID to authorize use of your key.<p>It’s very simple and works very well. Better than krypt.co did for me, actually — krypt.co would occasionally randomly break, but Secretive has been rock solid. Every time something tries to use your key you get a Touch ID prompt and a notification indicating what triggered it.<p>This 1Password feature looks nice, but I’m switching away when version 7 stops working. AgileBits just isn’t taking 1Password in a direction that’s appealing for me… they’re clearly more interested in corporate users than individuals, and in the pursuit of a one-size-fits-all-platforms UI they’re losing the attention to detail and polish that used to be a major selling point.<p>[0]: <a href="https://github.com/maxgoedjen/secretive" rel="nofollow">https://github.com/maxgoedjen/secretive</a>
I’ve been treating SSH keys in the same way I would a password. Each service gets a new key generated for it.<p>From doing some reading though it sounds like I might be wasting my time. Apparently it’s fine to have one key for an individual machine and to use that for everything.<p>What’s everyone else’s take on that? Are you reusing a single key or generating each time?
Ahh, this is such a nice improvement over literally anything i've used for agent key management on Windows or Linux, and easily competes with using the Keychain integration available on OSX; It sucks that I can't really use the functionality due to the v8 requirement, and am once again in the position of paying for something where I don't get to actually use new and useful features due to really aggressive ( if not outright anti-user ) product direction.<p>For some context on my bitterness: v6 stopped working with chrome based browsers a few years ago due to an issue with browser signatures, and the official guidance was to ( pay to ) upgrade to v7 rather than fixing the app, and so the software I had paid for was no longer usable in the way that it was when I purchased a license for it, effectively being downgraded through no fault of the end user ; Similarly, the Windows variant of 1pw has... kind of always just been a bad experience compared to the mac version, and while the controversial Electron-based unification for v8 promised to bring the experience in line with the Mac app ( not requiring purchase of another license type this time because I'd since bitten the bullet and paid for a subscription so I could actually use v7 ), it also required migration to the hosted vault system, as support for local vaults was completely dropped in the same version.<p>I would feel a lot more comfortable using this otherwise legitimately fantastic functionality if it didn't also require me to migrate from a local vault to the hosted version. 
I already didn't want my passwords hosted online; I definitely don't want my ssh agent and its private keys to be <i>bound</i> to said hosted service, and nothing has yet come out of 1Password's survey for self hosting the vault server in order to maintain a vault that works with 1PW 8 locally.<p>It's an unfortunate hill to die on, I realize; I just want to maintain control of my own stuff, using a tool that is actually nice to use ( 1Password is and has always been miles ahead of everything else in terms of the day to day user experience, otherwise I'd be able to justify looking at alternatives )
I've been a huge fan of 1Password for almost ten years now, recommending it to friends and family, but like some of the comments mentioned it feels like the product is trying to move upmarket while dropping support for core features.<p>I've bought their license a couple times as the versions are updated, but they no longer support licenses and only monthly subscriptions. Fine. I'm happy to pay that to get a great product, but as I was installing it on my new laptop they prompted me to move from my self-managed cloud sync to their hosted password management saying the cloud-sync will no longer be supported. I simply don't want to use the hosted solution, I'm not comfortable with the trust implied.<p>I imagine they're trying to cut down on the features that allowed someone to use it without paying a membership, but then why not just include cloud-sync in your paid features? Why remove such a core feature that allows users to use your security product much more trustlessly?
I have used 1pass for years. I think I bought my lifetime license sometime in 2014? I loved it and even advocated for our 2000+ company to adopt it back in 2018.<p>I would say in the past 2-3 years it has slowly become an absolute nightmare. I do not recommend it to anyone anymore. They have somehow screwed up the very basic functionality of filling in passwords on any browser I try. They continue to shift features around, break existing workflows, and even the basic tasks I rely on dozens of times a day seem to change with any significant release.<p>1Password got famous for building a great core product. It managed my logins I stored myself and autofilled them wherever I needed. It was clean and simple. Now they are so focused on growth and Product features like this that they have completely lost their way. As of this week I can no longer right click on a webpage and work with 1pass to find something. If the webpage attached to the original 'save login' prompt is not the one you are on - the auto popup underneath the login field has nothing to show and I cannot manually find and enter it. I have to go to the Desktop app, search, find, and copy. My team regularly wastes minutes on this each day.<p>Our company reevaluates platforms every couple of years; in the next 12-24 months I will strongly advocate we find an alternative.
hmmm.... this could make me move from LastPass to 1Password... after krypt.co got bought by Akamai and discontinued work on their developer stuff, i have been looking for a better way of managing SSH keys... this might be it...
It looks like 2fa is not required for 1password, and also that even if you did enable 2fa you can only use TOTP. Both TOTP and passwords are vulnerable to phishing as there's no cryptographic protocol going on there, you are just typing in the numbers from your phone.<p>This seems like an excellent way to ensure that you reduce the security of your SSH login to either having a single-factor (password) or at best single-factor + TOTP, where you previously had a phishing-resistant cryptographic protocol.<p>Is this really an improvement for security, or is it just a usability improvement (i.e. sync of keys) intended to work around policies trying to improve security (i.e. required use of keys)?<p>(The other option is I skimmed the docs badly and maybe I've misunderstood something, it's possible.)<p>Edit: I did skim the docs badly, it is possible to use a FIDO2/WebAuthN key for 2FA. <a href="https://support.1password.com/security-key/" rel="nofollow">https://support.1password.com/security-key/</a>
How does it work with `~/.ssh/config`? Mainly, say I have keys in the vault for many machines, if they all get added to the 1password ssh-agent sock, won't you get "Too Many Auth failures", unless there is a way to pair the key to a `Host`? Maybe `~/.ssh/config` can pair keys to a `Host` by fingerprint instead of file?
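The lockout the question describes is real: with an agent loaded, ssh offers each agent key in turn, every rejected key counts against the server's MaxAuthTries (6 by default in sshd), and passing it ends the session with "Too many authentication failures". The standard fix in `~/.ssh/config` is `IdentitiesOnly yes` together with an `IdentityFile` per host; per ssh_config(5) the file can be just the public half when the private key is held by the agent, so no private key needs to sit on disk. The following is an added example, not from the thread or from OpenSSH: a small audit that parses an ssh_config, resolves the effective options per host the way ssh does (first matching value wins, IdentityFile entries accumulate, a matching `!` pattern vetoes a Host block) and flags hosts where a loaded agent would be allowed to try every key. The parser covers only the subset of ssh_config needed here, and the sample config, host names and key paths are constructed.

```python
"""Audit an ssh_config for hosts where the agent would offer every key (added example).

Covers the Host / IdentitiesOnly / IdentityFile subset of ssh_config that
decides how many keys ssh offers; everything else is passed through untouched.
"""
import fnmatch
import re

SSHD_MAX_AUTH_TRIES_DEFAULT = 6
LIST_OPTIONS = ("identityfile", "certificatefile")  # accumulate; other options: first wins

# Constructed sample ~/.ssh/config for the audit below.
SAMPLE_CONFIG = """
# pinned: only this key is offered; the agent signs with its private half
Host github.com
    IdentitiesOnly yes
    IdentityFile ~/.ssh/github_ed25519.pub

# not pinned: every agent key will be tried against these hosts
Host *.internal.example !bastion.internal.example
    User deploy

Host bastion.internal.example
    IdentitiesOnly yes
    IdentityFile ~/.ssh/bastion_ed25519.pub
"""


def parse_ssh_config(text):
    """Return [(host_patterns, options)] blocks; options before any Host apply to all hosts."""
    blocks = [(["*"], {})]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^(\S+?)\s*(?:=|\s)\s*(.*)$", line)  # "Key value" or "Key=value"
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "host":
            blocks.append((value.split(), {}))
        elif key in LIST_OPTIONS:
            blocks[-1][1].setdefault(key, []).append(value)
        else:
            blocks[-1][1].setdefault(key, value)
    return blocks


def host_matches(patterns, hostname):
    """ssh_config Host matching: `*`/`?` wildcards; a matching `!` pattern vetoes the block."""
    matched = False
    for p in patterns:
        if p.startswith("!"):
            if fnmatch.fnmatchcase(hostname, p[1:]):
                return False
        elif fnmatch.fnmatchcase(hostname, p):
            matched = True
    return matched


def effective_options(blocks, hostname):
    """First matching value wins per option; IdentityFile entries accumulate."""
    eff = {}
    for patterns, opts in blocks:
        if not host_matches(patterns, hostname):
            continue
        for key, value in opts.items():
            if key in LIST_OPTIONS:
                eff.setdefault(key, []).extend(value)
            else:
                eff.setdefault(key, value)
    return eff


def audit(config_text, hostnames, agent_key_count, max_auth_tries=SSHD_MAX_AUTH_TRIES_DEFAULT):
    """For each host, estimate how many keys ssh may offer and flag lockout risk."""
    blocks = parse_ssh_config(config_text)
    findings = []
    for host in hostnames:
        eff = effective_options(blocks, host)
        pinned = eff.get("identitiesonly", "no").lower() == "yes"
        files = eff.get("identityfile", [])
        if pinned:
            offered = len(files)
            verdict = "ok" if files else "misconfigured: IdentitiesOnly without IdentityFile"
        else:
            # Upper bound: agent keys are tried first, then any extra file identities.
            offered = agent_key_count + len(files)
            verdict = "ok" if offered <= max_auth_tries else "risk: may exceed MaxAuthTries"
        findings.append({"host": host, "pinned": pinned, "offered": offered, "verdict": verdict})
    return findings


def suggest_stanza(hostname, pubkey_path):
    """Config stanza that pins one agent-held key to a host (public half on disk only)."""
    return f"Host {hostname}\n    IdentitiesOnly yes\n    IdentityFile {pubkey_path}\n"


if __name__ == "__main__":
    hosts = ["github.com", "web1.internal.example", "bastion.internal.example"]
    for f in audit(SAMPLE_CONFIG, hosts, agent_key_count=9):
        print(f"{f['host']:26} pinned={f['pinned']!s:5} offered={f['offered']} {f['verdict']}")
    print(suggest_stanza("web1.internal.example", "~/.ssh/internal_ed25519.pub"))
```

Besides the lockout, pinning has a quieter benefit: without `IdentitiesOnly`, every server you connect to is shown every public key in the agent before the right one is found, which tells each of them which other keys you own.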
This is 1Password 8 dependent, so unfortunately I doubt I'll ever use it.<p>The 1Password 7 app on macOS is a beautiful native app. It "fits" in macOS, it follows macOS design paradigms.<p>1Password 8 does not. It is a weird self-designed UI toolkit that is well inside the uncanny valley scenario - it is a UI design that feels like it is trying to approximate all of the major platform desktop UIs without committing to actually feeling like any given platform - so it feels wrong everywhere. Honestly it would be better if it was <i>totally</i> different to any of the main platforms instead of vaguely approximating them. I don't care what devtools or toolkits they use to achieve what they do, I care about the end UI feel, and it's just awkward on all platforms to me.<p>Additionally, 1Password 8 removes the single most used feature for me - 1Password Mini - and replaces it with Quick Access. Quick Access is much more awkward to use, especially with a mouse. Everything with Quick Access involves more UI interactions than it was before. The reasoning for this is that it "feels weird" to implement parts of the app twice - but for me 1Password Mini is essentially a browser extension equivalent for every other app on your system. Quick Access is an awful replacement for that.<p>I <i>really</i> prefer 1Password 7 on macOS to 1Password 8, and I honestly prefer it on Windows too. The replacement of native apps with something that <i>really</i> feels like a web page in a window - with issues like context menus being stuck inside the window, or web-page style modals - is just not what I expected, and it's not what I <i>want</i>. Yes, it lets AgileBits bring updates to platforms more quickly because it's essentially the same backend & UI on every platform. 
However, as an individual user I don't <i>need</i> more from my password manager than 1P7 already does.<p>Sadly, it seems the target for AgileBits (especially with the influx of VC cash) from the outside at least is just growth and the big payouts that come from enterprise deals - individual user use cases don't matter any more. Just look at how much of a production they made out of restoring categories as an option to the sidebar. And their core featureset - form filling - is less reliable than ever for me.<p>I feel that there's absolutely a hole in the market here for a password manager product aimed at individuals or small families that works on at least macOS, Windows, iOS and Android - and feels native on each platform.<p>edit: oh, and I utterly abhor the 1Password PR style - trying to make things seem weirdly casual on serious topics, but especially the misdirection/redirection approach they always take to critiques or support queries. Just look at their support forums for any thread on purchasing standalone licenses - they always drive the discussion into "isn't our online product amazing?". Critique of features in 1P8 always becomes "but for me it's amazing" in some way. It's frustrating as hell to engage with as they never seem to actually accept criticism in any way without trying to redirect it to something somehow positive.
My public ssh keys go quite a few places. I hope this can help me keep track of where I’ve uploaded my pubkey, since then revoking the pubkey is much more efficient. Or even do it for me, automagically.
I stopped using SSH keys to authenticate against GitHub years ago and switched to HTTPS authentication. It's super convenient to set up with the GitHub CLI: <a href="https://cli.github.com/manual/" rel="nofollow">https://cli.github.com/manual/</a><p>Is there any advantage of using SSH keys to authenticate against GitHub?
I just wish they would implement the ability to disable 1Password for certain domains or even just local host (talking about the browser extension here). There is a menu option in the right click menu but it only works for a short duration and isn’t configurable ahead of time.
I've been using 1Password for years now, the auto-fill always works. I don't use their command line stuff much, and I have read some legitimate criticisms about how they communicate secrets on unix-like systems. Apart from that, I'm not sure I understand the dissatisfaction in the comments. Can someone enumerate what's wrong with 1Password? Are tools like BitWarden any better?
It appears you need to have Beta 8.6 to use this. I was on Beta 8.5 on macOS, and autoupdate did not find Beta 8.6. After installing 8.6 manually, the instructions worked.
I'd rather use Secretive (<a href="https://github.com/maxgoedjen/secretive" rel="nofollow">https://github.com/maxgoedjen/secretive</a>), to be honest.<p>I've stopped using 1Password everywhere I can due to their product "focus", and am working my way through a set of alternatives (currently using Secrets on the Mac and looking at the KeePass ecosystem, which keeps improving monthly):<p><a href="https://taoofmac.com/space/apps/1password" rel="nofollow">https://taoofmac.com/space/apps/1password</a><p>Edit: It's been fun watching this get upvoted and downvoted in successive waves - for those who are curious, I suggest you check previous posts on 1Password and see if you can spot patterns in their advocates, since they were publicly called out on this a few times already (especially on Twitter).
And here I am, logging into Linux boxes without entering passwords nor SSH keys thanks to the magic known as Kerberos.<p>Open up my corporate laptop and login with my smart card and username/pass combo, then I can just log into any Linux machine I have authorization (group permissions) to. Been doing it this way for over a decade at this rate.<p>It's like all of these password manager tools were created by people who've never seen nor used these existing solutions.
I still have no idea why people use these kinds of programs.<p>I have no idea how companies managed to sell this security nightmare as a <i>feature</i> to actually serious people.<p>A single point of failure. Yeah, great idea!
My SSH key and passphrase are the holy of holies security wise. It's such a simple, mature, battle tested, open solution. Why would I put that in a proprietary opaque solution that has had multiple recent serious vulnerabilities?<p>And why would I replace the openssh agent with 1password agent?<p>They don't even offer additional functionality over the open tools. "Autofill public keys in your browser for Git and other cloud platforms" - really? cat and copy - paste is now too hard?<p>(the above logic is why I don't make any serious money)