Investigating 1Password as a replacement of LastPass

Hi,

We are migrating away from LastPass due to lot of technical issues and a really poor support:

  • ID of entries change when moving from one share to another
  • API calls randomly fails due to SSL verification failures and break our DevOps scripts
  • CLI sync randomly fails and may causes lost of unsynced secrets
  • CLI in not officially supported
  • CLI seems to be abandoned

We are currently investigation 1Password as a possible replacement tool. We intend to subscribe to Business plan.

It seems to have some really good features:

  • beautiful UI
  • groups / membership / permissions
  • audit log
  • custom fields
  • multiple clients

But, currently the dealbreaker is the really poor performance of the cli. As we use our vault plugged with our DevOps scripts, we need a CLI tool that answer to secrets query in around 100ms.

So, we have some questions:

  • is the CLI officially supported ?
  • is there a limit capacity of the system ?
  • is it possible to sync the vaults locally while still using your infrastructure ?
  • is it possible to write a custom cli ?
  • is there a documentation of the API and the encryption/decryption process ?

Thanks for your answers


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • cohixcohix

    Team Member

    @mickael

    • Yes, it is
    • Could you clarify what you mean by limit capacity?
    • A local copy of all vaults are kept by the native apps if you're syncing with 1Password.com
    • What do you mean by a custom CLI?
    • We do not provide documentation of our API, but you can read about the encryption/decryption at https://1password.com/files/1Password for Teams White Paper.pdf (our security whitepaper)
  • @cohix Thanks a lot for your answers.

    Regarding the "capacity" question, this is related to my experience with others solutions. After importing 1500 entries, the system become unresponsive and I can't grab my passwords anymore. Support team is investigating, not sure this is related to the number of secrets, but I was wondering if such an issue could happen with 1Password. How many secrets may I store in a single vault without experiencing slows down ?

    Could you tell me where are the vaults stored on MacOS, I searched in ~/Library/Containers/com.agilebits.onepassword7/Data but didn't find any .js file.

    Regarding custom cli, my needs may differs from what your main users need. I need a fast query/decrypt solution for our integration with our devops scripts. As I guess that your development effort won't address my needs directly, I am wondering if I can write my own decrypt/search tool by using local files instead of using the native cli and remote queries.

    Thanks for the white paper, that's really interesting, I gave it a look this afternoon, I have also found some existing projects that helps manipulate .js files on GitHub even if they were not updated since a few years. So I am wondering if the way .js are handled evolve with years or if it's only the structure of the json that may evolve but not how the keys and encrypt/decrypt algorithms are used.

  • cohixcohix

    Team Member

    @mickael When querying by UUID, there is no real limit on the number of items you can have in a vault, the lookup time there should be constant. If you're searching by title or URL however, you will see a slowdown as you get more items. This is another thing we are addressing in the upcoming version.

    For the Mac data, it seems that you're in the right spot, but you'd be looking for an sqlite file, not a js file. Data synced from a 1Password account is stored encrypted in a database, rather than our "old" data formats that were designed to be stored in Dropbox.

    You are more than welcome to write your own tool based on the local sqlite data! If you read the whitepaper, that should give you everything you need to do the decryption, but it would likely involve some significant development time.

    Something we are looking to add in the future is a local cache for the CLI, however work has not yet started on that so I wouldn't wait out for it just yet.

    As for the tools, these file types aren't used when you sync with a 1Password account, but you could create a local vault using one of the desktop apps and then move some items into it, to be queried using those third party tools if you'd like!

  • @cohix thanks again for your detailed answers. Awesome support, that change from some other tools :dizzy:

    My question regarding the capacity limit wasn't directly spotted to the CLI version but from all clients. Currently our vault has around 1500-1600 entries, we expect 10-20% expansion rate by year. So I would like to be sure that the users may still have a proper experience of 1Password even after migrating our entries.

    Thanks, I found the sqlite file at /Group Containers/2BUA8C4S2C.com.agilebits/Library/Application Support/1Password/Data/OnePassword.sqlite

    Local cache would help a lot to suit my needs, and with the performance of Go, I am sure that you could expect the queries to perform in less that 100ms :)

    I know that developing a new client is a huge work. I spent almost the last two weeks to port the Bitwarden NodeJs Cli to Python to address similar performance issues :) Query performance is now no more a problem but I am facing other troubles after importing my old Lastpass vault. And Bitwarden is far from having the look and feel of 1Password in native/web clients, and I would like to convince all my team mates to share the same tool for devops and daily usage.

    Another question, while discussing with @sam.doran on the best way to integrate 1Password with Ansible, I discovered that he has far better query time than me. He got results in 1s where I am around 4s. Could it be related to the fact I am using the .eu servers?

  • cohixcohix

    Team Member

    @mickael Hmm I was wondering that myself as my own times on 0.5.5 aren't as bad as yours. I'm going to run some benchmarks against .com and .eu tomorrow when I get a chance to see what's going on there :)

  • brentybrenty

    Team Member
    edited April 22

    @mickael: Regarding the response time between 1Password servers, that will depend almost entirely on your proximity to them (though how you're routed over the internet can make a difference too). We have three instances of 1Password available running on AWS:

    The servers themselves are the same. But if it's a shorter hop for same.doran, he'll get a faster response time. I'm not sure that any can be that fast for me, given my location. :)

    Regarding importing data, I'd encourage you to start a new discussion with the details and @-mention me, so we don't derail this discussion. Often we're in a situation where there isn't much we can do, since import can only be as good as what was exported, but perhaps there's something I can suggest. :)

  • @brenty Thanks for the details. I live in south of France, and used the eu-central-1 aws datacenter last week to do some Ansible testing with Molecule and didn't notice any lags.

  • brentybrenty

    Team Member

    @mickael: That sounds like progress! I'd strongly suspect that you'd have a slower response time to us-east-1 from France compared to eu-central-1, but you could certainly try it and see. :)

  • @brenty I think I did not clearly expressed what I want to say :dizzy:

    Last week, I played with custom servers on eu-central-1 and didn't notice any lag while using SSH.

    So I doubt that my performance issue is due to my distance to the datacenter ;)

  • cohixcohix

    Team Member

    There are some performance related improvements in the pipeline that will help out regardless of which environment you're connecting with :)

Leave a Comment

BoldItalicStrikethroughOrdered listUnordered list
Emoji
Image
Align leftAlign centerAlign rightToggle HTML viewToggle full pageToggle lights
Drop image/file