1password Guide

[Jacint Kosack]

Thebenefit of keeping these online, @richardnml, is that as things change (and they do), we can update them right away and you'll have those changes immediately. With a physical user manual, even a small change like adding an extra setting means you've already got outdated info. If you want the closest thing we have to user guide, though, I'd check out our Getting Started Guide:

Think of it like a table of contents to the basics of 1Password. It links off to various articles to help you learn about different features, but can be used a guide to let you know the best thing to explore next. :+1:

@DenalB Just curious, but may I ask if the reason to switch had anything to do with the import? (edit: I should have read your initial post opening this thread . Seems you migrating from 1password was a long time ago and yes things have definitely improved with the 1pux importer)

I run a Windows 10 PC, MacBook Pro (macOS), and an iPhone & iPad (iOS) and on all 4 of these devices I have Brave, Tor & Firefox/Mozilla as my web browsers; plus obviously Safari on the Apple devices, and on Windows I also use Chrome (solely for Gmail access) and on rare occasions Opera. So key for me that BW works well with all these different O/S x Browser combinations and supports PIN use on all 3 platforms I use.

Next, you will need to add and delete a few columns, and modify some of the column names. It will be more efficient if you make these changes after combining the data from each vault export into a single CSV (after you have first added the folder column to identify which vault each login item belongs to). That way, you will only need to make the following changes once.

Save the resulting CSV file, then clear the contents of your Bitwarden vault (by going the the Web Vault and selecting Purge Vault), and import the new CSV using the Bitwarden CSV format.

Bitwarden does support enterprise solutions, including administration of users, access control, sharing of credentials, etc., but the details of how this is implemented in Bitwarden is likely different from how it is implemented in 1Password, which may affect the logistics of migration.

Passwords are the gateway to our digital identities. I have been relying on 1Password to manage my passwords in local vaults for a few years. But as you may know from the recent news, the company is moving in a controversal direction, which I do not support. You can find more discussion on this topic in the links 1, 2. As a 1Password refugee, I have been on the quest of finding a reliable and trustworthy alternative since then.

I have examined many alternative systems, including BitWarden, Secrets, and Enpass. But in the end I settled on KeePass, which is a free and open source password manager operating on its open standard database format, kdbx. The are several reasons for this choice.

The migration process from 1Password to KeePass is not exactly straightforward. It has to be done on a desktop computer, as 1Password only exports data from their desktop clients. It also seems that 1Password does not want you to export your data too easily. Their support article guides to export to 1pif format or plain text csv format, both of which are less than ideal. The 1pif format is not documented well 3, while the csv requires extensive manual calibration to properly transfer all data. So the best solution is to import from the 1Password local vault format opvault directly.

Now all data should have been migrated from 1Password to the kdbx database. You can choose to store it anywhere, or sync it with any cloud storage. But as a pre-caution, you should still keep the 1Password database in the rare case of data loss during conversion.

The best desktop client is probably KeePassXC, which runs natively across Windows, macOS, and Linux. It supports time-based one-time password (TOTP), and integrates with browsers (Chromium, Firefox) out of the box. The original KeePass client only runs natively on Windows, requiring extra setup to run on macOS and Linux. But it is more extensible with plug-ins. For most use cases, I would recommend KeePassXC over KeePass.

One major difference is that KeePassium is a completely offline app without any networking code 4, while Strongbox directly connects to the internet to integrate with Dropbox, Google Drive, and haveibeenpwned. These convinient features in Strongbox do come with some risks. It is more secure if the app that can read my secret cannot communicate with the internet. While I use and like both of them, I prefer KeePassium slightly for the above reasons.

It is sad to see 1Password to become increasingly more money-driven and customer-hostile. But fortunately, there are excellent open source alternatives like KeePass and BitWarden. So far I have been very satisfied with my adoption of KeePass.

In terms of features, KeePass has both advantages and disadvantages compared to 1Password. For example, KeePass supports additional security with key file, and hardware authentication like YubiKey. There is also attachment support on the mobile KeePass apps. But the lack of group sharing features in KeePass might be a dealbreaker for some, in which case BitWarden should be considered instead.

In this post, I will detail how I moved my data out of 1Password and into iCloud Keychain and use the new Passwords preference pane introduced in macOS Monterey. I have only recently switched from 1Password to iCloud Keychain so this post will not dive into the pros and cons of the two.

Let me start by saying that I've been a happy user of 1Password for many years and I still am. My motivation for moving from 1Password to iCloud Keychain is solely to see how Apple is tackling the problem of making a password manager and how they are integrating it into macOS, iOS, and iPadOS.

As I was moving usernames, passwords and two-factor authentication codes to iCloud Keychain, I took the opportunity to reconsider where I could store my other data as well. Deciding where to store my credit card information was easy because iCloud Keychain has support for credit cards. I added my credit cards to iCloud Keychain from Settings -> Safari -> AutoFill on my iPhone. This can also be done through preferences in Safari on the Mac.

A few people recommended storing the backup codes in iCloud Keychain. This guide from Apple details how to store notes securely in iCloud Keychain. Storing the backup codes in iCloud Keychain sounds like a good idea at first since I would already use iCloud Keychain to store usernames, passwords, and credit cards. However, notes stored in iCloud Keychain aren't accessible on iOS and iPadOS. I didn't want to adopt a solution that wasn't available on all the platforms I use regularly.

Others recommended storing the backup codes in a locked note inside Apple's Notes app. These notes are synchronized over iCloud, end-to-end encrypted using a password, and can be opened on the Mac, iPhone, and iPad. They're a lot like notes stored in 1Password and perfect for my needs. They're also perfect for storing software licenses and passwords that aren't used on a website. I only had 25 notes with backup codes, 12 passwords, and a handful of software licenses stored in 1Password. It was trivial to move those into Notes by hand.

Now I could move on to moving usernames and passwords from 1Password to iCloud Keychain. I had roughly 300 usernames and passwords to move and didn't want to do that by hand. Fortunately 1Password supports exporting items in a format that can be imported into iCloud Keychain. There were still a few manual steps needed to get the import to work properly though. At a high level the steps are:

After ensuring all items have a valid website address, they can be exported from 1Password by selecting a single vault and navigating to File -> Export -> All items.... After entering the Master Password the dialog below is presented. It's important to change the file format to "iCloud Keychain (.csv)" before exporting.

Before importing the usernames and passwords into iCloud Keychain, I had to modify the exported file and get rid of any items where the password contained a quotation mark ("). I found out the hard way that items with a quotation mark cannot be imported. The Passwords preference pane will not import any items if just a single password contains a quotation mark, possibly because it fails to parse the CSV file. I filed a feedback about this to Apple (FB9773317).

I opened the CSV file in a text editor and searched for \". Luckily there were only four matches where two of them were in a single password. I took note of which three passwords they were and removed the entries from the CSV file.

Update: As noted by Ricky Mondello on Twitter quotes shouldn't be escaped with \" but with "" in CSV files. That means I could (and should) have just replaced all occurrences of \" with "" instead of removing the entries from the CSV file. I have later verified that would have done the trick.

The CSV file could now be imported into iCloud Keychain from System Preferences -> Passwords by selecting the three dots at the bottom of the window, then "Import Passwords..." and then selecting the CSV file.

After the import succeeded I manually added the three passwords that contained a quotation mark. Update: This wouldn't be necessary if I had just replaced all occurrences of \" with "".

The only piece missing in my setup was an easy way to access the Passwords preference pane. I quite liked that 1Password is a separate app that can easily be launched to browse my passwords. That's not the case with a system preference pane. Luckily there's a workaround.

Ricky Mondello shared a shortcut for opening Passwords with a single click. This shortcut works on both macOS, iOS, and iPadOS. After downloading Ricky's shortcut, I wanted to add it to the Applications folder on the Mac so I could easily run it using Alfred. This can be done by opening the shortcut in the Shortcuts app and selecting File -> Add to Dock. This will add the shortcut to both the dock and the Applications folder. The shortcut can be removed from the dock but it will stay in the Applications folder and as such it can be run from Alfred.

3a8082e126