I know you all are looking for an update, but I still haven’t quite convinced my in-laws to use a password manager. I thought I had them close when my father-in-law read a Consumer Reports article about security that talked about how great LastPass is, but he wrote a message this week that they just can’t stand the idea of putting their passwords in the cloud. He also responded to some other information we gave him.
Let me set this up first. I gave a presentation recently on how to prepare your digital life in case something happens to you, a portion of which is about password managers. During my presentation I mentioned that my father-in-law is great about backing up his computer using a USB drive that he keeps in a fire safe. A guy from the user group where I was presenting pointed out that fire safes are meant to protect paper in the event of a fire, and all of us learned from Ray Bradbury that paper doesn’t burn till Fahrenheit 451. He pointed out that fire safes won’t let the interior temperature get to 451…but they will let the interior temperature rise well above the temp at which a USB drive will melt.
I told my father-in-law about this and he suggested instead of a cloud-based password manager, what if he kept his passwords at the bank in a safe deposit box. I pointed out that he would still need to keep a copy at home, again unprotected.
This pushed me to change my tactic and try to convince them to use 1Password. The advantage for him will be that he can store it locally, and back it up to a thumb drive he can keep in his safe deposit box. That way he’s got an encrypted vault for his passwords at home, AND the protection of an offsite backup. With most people I wouldn’t believe them that they would regularly update the thumb drive, but Steve’s dad is the most disciplined person I’ve ever met. If he says he’ll do it monthly, you can bet it will be on the nose monthly.
Now for the next piece of the puzzle, I’m a LastPass user, but if I’m going to guide him, I have to learn 1Password. I think it would really help me overall with the podcast if I know both LastPass and 1Password anyway. Plus I’ve been rather annoyed with LastPass lately – for some reason the browser plugin keeps forgetting to log me out, even though I have it set to log out after 15 minutes of inactivity. This is a very bad thing to have happen on a laptop – if I don’t notice I could end up with all of my passwords unprotected. I did everything they told me to do the first time and after 2 weeks of working with them, we got it working again. But then a month later it has started leaving me logged in again. I’m getting less than enamored with LastPass. So another reason to give 1Password a whirl.
Years ago I bought 1Password in a bundle back on version 3. I installed it again and fired it up. So far so good. If I’m going to use it though, I need to import my LastPass passwords, right? I exported from LastPass to a .csv file (comma separated values) and in 1Password imported the file. It did that annoying thing we used to have to deal with a hundred years ago where you had to match column names in a database to transfer in. I spent probably 20 minutes trying to get them all right – and when it came in, it was a disaster, nothing looked right of my 492 passwords and software licenses.
I started hunting around and discovered that in version 4, AgileBits, makers of 1Password, had written a translator. With Timothy Gregoire’s help from Twitter, he suggested I download the trial version of 1P version 4 to test it out. Great news – the passwords all came in beautifully! Unfortunately the more than 100 software licenses I had so painstakingly entered into LastPass were all messed up. Basically all of the information for each was piled into one field, and none of them were shown as being in the category Software License. I tweeted this out, and the 1P Twitter account suggested I open a ticket with their support team. While I was waiting, I took a look at the LastPass .csv file and noticed that the problem was actually with that file – everything about the license was all glopped into a single cell.
I wrote to 1P and they got back to me pretty quickly, but I wasn’t thrilled with their answer. The woman who wrote back (Laura) pointed to a discussion forum post where a user had put up a link to a script they had written that would convert the LastPass output into something 1Password could read. I had seen that forum post in my own searching, but there was no way I was going to run that. Think about it. You’re taking the database of every password you have to everything that’s important to you that’s tied to your credit cards…and you’re going to run it through a script by “some guy on a discussion forum”???
I asked Laura whether anyone from the dev team had vetted that script to see if it was trustworthy. I asked if they’d confirmed that the script didn’t package up all of the passwords and ftp them up to the guy’s server. She wrote back “Unfortunately we cannot test this script as control of it is not in our hands. I’m so sorry that we don’t yet have a better alternative ourselves.” Can you believe that? She pointed me to the script, and then said they wouldn’t vet it? She wrote back again saying that she hadn’t recommended it…but of course she’d done exactly that. She did point out that the user who posted it is a long-time user and has been made a forum moderator though. Great. A rep from a company dedicated to our security gives an answer like that. I can only hope that she’s new.
I got Bart to get on Skype with me after that and he agreed to read the script to make sure it was safe. In about 10 minutes he was able to tell me that the script was just fine. He also explained that he was relatively certain that I’d need his help to run it – that it was probably calling some libraries that I wouldn’t have loaded. Sure enough, he taught me how to go to something called cpan and it would get the Perl libraries I needed. Yeah, like I could have done that on my own!
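A first-pass triage for the kind of review described above, as an added example that is not part of the original post and is not the forum script. It lists every module a Perl script loads (what cpan would be asked to fetch) and flags lines that can reach the network or run other programs. The module and call lists, and both sample scripts, are assumptions made up for illustration; the output tells a reviewer where to start reading, not that a script is safe.

```python
import re

# Module prefixes that give a Perl script network or mail access. The list is
# an assumption chosen for this illustration; it is not exhaustive.
NETWORK_MODULES = ("Net::", "LWP", "HTTP::", "IO::Socket", "Socket",
                   "Mail::", "Email::", "WWW::")
USE_LINE = re.compile(r"^\s*(?:use|require)\s+([A-Za-z_][\w:]*)")
# Builtins that run programs or open sockets, backticks/qx, and piped open().
RISKY_CALL = re.compile(
    r"\b(?:system|exec|socket|connect)\b"
    r"|`[^`]+`|\bqx\b"
    r"|\bopen\b.*(?:-\||\|-|[\"']\s*\||\|\s*[\"'])"
)

def triage(perl_source):
    """Return (modules loaded, [(line number, line)] to read first)."""
    modules, findings, in_pod = [], [], False
    for lineno, line in enumerate(perl_source.splitlines(), 1):
        stripped = line.strip()
        if line.startswith("="):              # POD documentation block
            in_pod = not line.startswith("=cut")
            continue
        if in_pod or not stripped or stripped.startswith("#"):
            continue
        loaded = USE_LINE.match(line)
        if loaded:
            modules.append(loaded.group(1))
            if loaded.group(1).startswith(NETWORK_MODULES):
                findings.append((lineno, stripped))
                continue
        # Inline comments are left in on purpose: over-flagging is the safe error.
        if RISKY_CALL.search(line):
            findings.append((lineno, stripped))
    return modules, findings

# Constructed samples, not the forum script discussed in the post.
CONVERTER = """#!/usr/bin/perl
use strict;
use Text::CSV;
open(my $in, '<', $ARGV[0]) || die "cannot read export";
print "converted\\n";
"""
UPLOADER = CONVERTER + "use Net::FTP;\nsystem('curl', $url);\n"

if __name__ == "__main__":
    for name, src in (("converter", CONVERTER), ("uploader", UPLOADER)):
        print(name, triage(src))
```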
The best news is that after we ran the script, I found out I’d been missing a lot more than the 125 software licenses, I’d missed 45 notes, 1 database, 2 wireless items, 2 membership items, 1 server and 2 passports! When I went into 1Password, there they all were in their full glory. I’ll still have a few things to clean up but 1Password has a fighting chance now.
I have to give the best news. Remember I said I bought 1Password 3 via a bundle? I entered my license number into their upgrade pricing tool, and they let me upgrade to version 4 for only $25, or I could get a 5-pack family license for only $35! I figured I might as well go for the family pack just in case for only $10 more.
I hope to do some comparative analysis of the differences in 1Password and LastPass in the coming weeks so I can help other people make their decision with more information. I know they’re both great products but it will be interesting to learn what each does better than the other. Stay tuned!
I am looking forward to an Allison-review of the two password keepers in head to head competition.
I know you will be thorough but would caution you to ask if you think one or the other can’t do something. A recent conversation of folks comparing them in a forum had a lot of inaccuracies that were mostly because in the tool slighted it was not clear how to do something the commentators wrote off as impossible.
I don’t think this is going to be a problem because you are going to inspect both tools with engineering precision and you’re a pretty smart cookie, in spite of what you say, so like I said, I’m looking forward to it, especially since I’ve not seen a totally objective comparison yet. Most of the posts I’ve seen are “X stinks because Y rocks!” but don’t say what stinks or why.
Hello podfeet. I’m Jeffrey Goldberg, Chief Defender Against the Dark Arts over at AgileBits, the makers of 1Password. First of all, I’m sorry that you didn’t get a clear answer, and I’m even sorrier that there isn’t a clear answer with respect to imports.
A smooth import depends on being able to make sense of the data exported by someone else. And these things can change over time and are not always the best documented things. Our unencrypted 1PIF (1Password Interchange Format) format preserves information well, and should be easy to parse with a JSON parser, but it’s still not as well documented as it ought to be. And so I wouldn’t judge others harshly if their importers don’t always know what, say, category 006 means.
We don’t want to be in the business of vetting third party tools. There actually are a number of third party tools for managing 1Password data, but our line on these is that we have to advise against entering your Master Password into anything that isn’t 1Password. That isn’t quite the situation for these conversion scripts. Conversion will typically involve an export to some decrypted format and then an import from that. So import/export does typically mean having your data decrypted somewhere.
I can believe that. That has to be our standard answer. Otherwise, we would have to review every new version of everything that claims to manipulate 1Password data. There are some really great tools that some of our users have developed, but we simply can’t endorse them without committing ourselves to continuously reviewing code that comes from others.
I hope that the difficulty encountered in converting data doesn’t put you off too much, and please do let me know if there is anything I can help with.
Cheers,
-j
Jeff – I think you miss entirely what freaked me out. It’s not that you guys didn’t want to be in the business of vetting third party tools – I totally get that. The problem was that Laura chose to _recommend_ the script without vetting it. That was the really bad problem.
I got an email from Nik Lal at AgileBits that showed he really did understand the problem:
“I shan’t beat around the bush: There’s really no excuse for us to direct folks to a customer-created resource without fully reviewing that resource ourselves, and we shouldn’t have done that. We want to contact the author of the script and see if we can review the script and host it, but that’s down the road; we totally jumped the gun in an effort to help get your data into 1Password after our own importer didn’t get the job done, and I’m sorry that it made you question our dedication to preserving the integrity and security of your data.”