Feature Request: PKCS12 or similar import/export protection

ggm

1Password along with lastpass has a huge, unfortunate, but understandable walk-away security risk: the export mechanism is plaintext. We're using cut-paste or file save, with passwords en clair.

I understand this is asking tigers and lions to fight over a carcass because this is about when we chose to move between your products, but I think a truly secure export mechanism is really good for everyone.

Could you commit to adopting some industry recognised symmetric key algorithm and eg JSON format for export and import of key related data, so that we can be assured (a) you respect our privacy and security when you let us back up, import and export keys and (b) you don't artificially lock us into your product, by making it hard to switch in either direction.

jpgoldberg

PKCS12 is a nice idea for encrypted exports! As you know all of our export mechanisms (CVS, 1PIF) are unencrypted. In the distant past we had an encrypted export mechanism for encrypted HTML files (these included an AES JavaScript engine). For a number of reasons, we were unhappy with this, and eliminated that option. If we do encrypted exports, that encryption should be well designed and well supported.

So your suggestion of PKCS12 looks promising. I can't promise that we will implement it, but if we do return to providing an encrypted export mechanism, this is certainly something that seems like a good way to go.

The lingua franca for (unencrypted) import/export for password management systems seems to be CSV, and we are finally filling that hole in 1Password 4. (1Password 3 has long had CSV export, but we have got that back into 1Password 4 with our current beta). CSV export will be coming to a released version of 1Password 4 for Mac very very soon.

As you correctly note, these are unencrypted exports, and so you should take care with these, perhaps using an encrypted volume or folder or partition. There is a bit of a chicken and egg problem here: Encrypted import/export isn't going to help with data transfer until at least two password management systems agree on the same overall format. Because we structure our data differently, it would take quite some effort to hammer out a neutral interchange format (encrypted or otherwise). And so, realistically, I think that CSV is what we are going to be stuck with.

Though, as I said, I do like your suggestion. Our 1PIF format is largely JSON (although attachments cause a bit of a headache in import/export), and so I could imagine encrypting that in a PKCS12 package (without attachments). Again, no promises, but you have suggested a useful way to go if we do return to offering encrypted exports.

you don't artificially lock us into your product, by making it hard to switch in either direction.

In addition to exports, we publish the details of our data format, this enables third party developers to fully analyze our design, but also provide tools for handing 1Password data that doesn't come from us. But having better export mechanisms directly from us will provide users with more practical ways of avoiding lock in.

It is your data, and we want happy customers, not trapped ones.

ggm

Great Answer. I totally get your position on this, and I believe you understand mine. I've been a happy camper in 1P since V3, and paid to upgrade to 4 even though I have also paid for lastpass precisely because I want to support a development which uses published standards and understands the goals. I think CSV is a good 'lowest common denominator' but even that could be a blob, encrypted in some way. the JSON form is the way to go but without some neutral industry forum to share the format in, thats hard. Anyway, thanks for at least considering it.

benfdc

LastPass can export logins to the Firefox password manager, and 1Password can import from there, so that is a decent one-way solution for secure bulk export/import.

N.B. You will have to remove password protection on the Firefox password manager in order to execute this maneuver. Don't forget to lock it down again (or purge the Firefox password cache, or both) when you are done.

IMO export to the native password manager of a widely-supported browser is the obvious solution to the data exchange problem. Why look for a new universal exchange format when you already have one staring you in the face?

Anyway, back to the here-and-now. I use 1Password as my "home" password manager and LastPass as my "away" (and Linux) password manager. My LastPass vault contains a fairly small subset of my 1Password keychain—if I need something that isn't there then LastPass can take me to my Dropbox. When I want to add a few logins to my LastPass vault I just launch Opera (the one browser where I have installed both browser extensions), log into the sites with 1Password, and let LastPass save the logins.