Trouble in syncing paradise

This is my user experience; it highlights the problems I've encountered using 1P. It's not meant to bash the developers' work, but only to suggest improvements and ask for solutions.

In my quest for the perfect password manager, one day I started using 1Password on my Mac. It was beautiful and elegant, and a pleasure to use, but after a couple of years I had to move away from my Mac to the grey world of Windows. 1P wasn't there, so I slowly forgot to use it.
Fast forward to today.
I still have my old MacBook Pro, but also 1 PC with Windows/Linux, 1 Windows laptop, 1 iPad mini, 1 Android phone and 1 Windows PC at work.
That's a lot to manage, so I started using LastPass because of its cloud sync, which btw works great.
The problem is that LP is a pain to use: it has a crappy UI, no real desktop app (the Mac one is a joke) and a confusing way of working, so I thought I'd get back to 1P.
Thanks to the splendid support I'm able to get a Windows license, and here I am now, trying to find how to manage the scenario outlined above with 1P.
0) exported my LP data to 1P on Mac
1) enabled wifi sync for my Android phone
1/2) left wondering what the hell to do with the rest of the world :pirate:
2a) enabled folder sync on a USB key and stopped here because 1P for Windows doesn't support folder sync and 1Panywhere doesn't seem to work from a USB key (A key data file could not be loaded and 1PasswordAnywhere cannot continue without it), and I'm back to point 1/2
2b) Dropbox sync: it's a better solution, but I'm stuck, unable to use it at work because Dropbox (or any other cloud drive) access is blocked
*) No real Linux support (that's a problem highlighted here: https://discussions.agilebits.com/discussion/2846/new-product-request-1password-for-linux#latest )

So, right now 1P doesn't seem to fit my needs because:
there isn't a common way to sync out of Dropbox (which cuts out my work PC), Folder sync only works on Mac (and mobile) and two-way WiFi sync (as in Mac<->Android<->Windows) seems discouraged (see: https://discussions.agilebits.com/discussion/46933/wifi-sync-win-mac-ios )
and I'm unable to use 1Panywhere to access it from a Linux box (there is a third-party Chrome extension that seems to work with Dropbox but I haven't tried it: https://chrome.google.com/webstore/detail/1passwordanywhere-extensi/mbgijoecaafppmdmlgjpahfhekafldfj?hl=en )

What could be improved?
Well, apart from more flexibility, like getting the Mac and Windows versions on par with folder sync, giving the browser extension the ability to access a 1Panywhere file, or using wifi sync between more systems using a mobile as a "man in the middle", a full cloud sync like LastPass, maybe subscription based and supporting robust encryption and 2-factor authentication, could be a great solution, because it could get every desktop app synced (even if cloud drives are blocked), and for unsupported platforms like Linux it could give the ability to read/write passwords directly on the cloud using the browser extension.

I know that you don't give any roadmap, but do you think that there is space for improving 1P as said above?



Comments

  • brenty

    Team Member

    I know that you don't give any roadmap, but do you think that there is space for improving 1P as said above?

    @lcorsini: Absolutely! Let's talk about that. :chuffed:

    What could be improved?
    Well, apart from more flexibility, like getting the Mac and Windows versions on par with folder sync,

    I'm really sorry for the confusion here. 1Password for Windows doesn't need a "Folder Sync" option because that's how it handles vaults anyway. 1Password for Mac maintains an internal database with all vaults, so if you need the vault in a specific location it needs to 'sync' a copy of it there.

    Yes, very confusing! Cross-platform consistency in particular is an area where there is room for improvement. But in this case 1Password for Windows does exactly what you want it to already, without needing a specific 'Folder Sync' option.

    giving the browser extension the ability to access a 1Panywhere file

    This is an interesting idea. I don't think it's something we'll do, as 1PasswordAnywhere is really well past its prime, but you never know!

    or using wifi sync between more systems using a mobile as a "man in the middle"

    Some people already do this, but it isn't something we recommend or support, as it can lead to sync conflicts. I think a better solution would be to allow computers to act as a client (instead of just the server) to enable computer-to-computer Wi-Fi Sync. I can't say for certain that this is something we'll do, but it's possible that we might add this feature in the future.

    a full cloud sync like LastPass, maybe subscription based and supporting robust encryption and 2-factor authentication, could be a great solution, because it could get every desktop app synced (even if cloud drives are blocked), and for unsupported platforms like Linux it could give the ability to read/write passwords directly on the cloud using the browser extension.

    This is part of what we're doing with 1Password for Teams. The 'team' aspect is our focus, but making the data available in more places is a big part of that. You're right that syncing is often a challenge in work environments...and that's often the place that 1Password is needed most! And of course some folks are using Linux and other Unix variants there as well, so being able to access 1Password in the browser can be a big help there. I do hope that we can add a native Linux app in the future, but better browser support is something that we can do now that will benefit all platforms.

    Also be sure to take a look at what we're doing with the Account Key as a secure alternative to multi factor authentication, as it keeps you in control of your data, not AgileBits.

    And since I originally replied to your request for a Linux version of 1Password (yesterday?) and mentioned 1Password for Teams, we've actually rolled out editing and approved even more accounts so that people can check it out and see for themselves. I knew this was in the works, and was excited to see it go live today.

    This is probably just a start. Let me know what you think! :)

  • Just an extra note that 1Password for Windows works reasonably well under WINE, including browser integration. The main missing functionality is the Ctrl+\ shortcut.

  • @brenty

    This is probably just a start. Let me know what you think! :)

    Ok let's get started,
    First of all, I admit that my setup is probably very complicated (lots of different machines in different places, and some ports closed), and this gets reflected in this post.
    Like I said, flexibility and consistency are the key words, because either I have a central point of sync, or I need to sync multiple sources, even if that means looking out for conflicts.

    Multiple ways (at the same moment) of sync have the main advantage of an offline sync (by offline, I mean without internet access) by using wifi sync (maybe, like you suggested, enabling network sync also between desktop apps) and/or folder sync (by copying the keychain onto a USB drive), but this is in part affected by the way 1P for Windows handles the keychain, and rules out unsupported platforms until the browser extension has a way to access a local keychain file.

    Speaking of a central point of sync instead, going the Dropbox (or other cloud storage service) way is at the moment probably one of the best ways for me to sync almost every platform I use; only my work PC is left out (since I cannot access any cloud storage service) and needs a different way to get my data on it.
    For Linux I could use that third-party Chrome extension (but this rules out my idea of getting back to Firefox; well, this has to wait) to access data inside Dropbox (it uses 1Panywhere).

    I'm really sorry for the confusion here. 1Password for Windows doesn't need a "Folder Sync" option because that's how it handles vaults anyway. 1Password for Mac maintains an internal database with all vaults, so if you need the vault in a specific location it needs to 'sync' a copy of it there.

    Yes, very confusing! Cross-platform consistency in particular is an area where there is room for improvement. But in this case 1Password for Windows does exactly what you want it to already, without needing a specific 'Folder Sync' option.

    The main point about folder sync consistency is that I expected it to work exactly like the Mac version, but it works, like you said, differently.
    It creates confusion because if I use a USB drive as sync folder like I did to get my passwords into my work PC (which is physically away from my Mac), if I remove the drive I lose access to my passwords because 1P for Windows opens the keychain instead of syncing it.
    The only solution for me here is to copy the file from the USB drive over my local keychain file.

    Some people already do this, but it isn't something we recommend or support, as it can lead to sync conflicts. I think a better solution would be to allow computers to act as a client (instead of just the server) to enable computer-to-computer Wi-Fi Sync. I can't say for certain that this is something we'll do, but it's possible that we might add this feature in the future.

    I'm aware that cross syncing between devices opens the door to possible conflicts, and needs to be done carefully, but at least in my case, the other side of the man-in-the-middle is physically in a different location than my Mac, so:

    mac<-wifi->android
    VVVVVVVVVVVVV
    travel to workplace
    AAAAAAAAAAAAA
    android<-wifi->work-pc

    leaving the other vaults synced in a different way (that could be dropbox ATM)

    This is part of what we're doing with 1Password for Teams. The 'team' aspect is our focus, but making the data available in more places is a big part of that. You're right that syncing is often a challenge in work environments...and that's often the place that 1Password is needed most! And of course some folks are using Linux and other Unix variants there as well, so being able to access 1Password in the browser can be a big help there. I do hope that we can add a native Linux app in the future, but better browser support is something that we can do now that will benefit all platforms.

    I left this topic for last because, like I said in the other thread I don't have access ATM for 1P for Teams (I've signed up for the beta, but still no access) so I don't really know if it has the ability to do everything I'm writing about

    • A cloud syncing service gives the ability to fully access the vault everywhere, from both the browser extension (even if only read-only) and the desktop app, so I can access my vault even on platforms where there is no 1P app (like on Linux)
    • No other syncing method needed, everything is consistent because every application syncs with the same source and uses the same method
    • It doesn't involve file sharing, so there is a smaller chance that it gets blocked by company security policies
    • It gives more flexibility in some environments (I'm thinking about the lastpass-cli tools https://github.com/lastpass/lastpass-cli which give the ability to interrogate LastPass from the Linux command line; I use it on some of my servers to get SSH keys installed)

    On the downside it poses more security risks (or better, different security risks) and probably needs more money involved in subscriptions, apart from applications licenses

    So, for the moment I'll stick with dropbox sync+wifi sync (or usb folder) for my work pc and third party chrome extension for my linux machine (I could survive using copy and paste from secure notes for SSH keys)

    I'll try 1P for teams when I get the chance.
    I hope that this discussion helps you with the development (even if you don't meet my requirements :pirate: )

    Cheers

    L.

  • brenty

    Team Member

    @lcorsini: Indeed, multiple vaults are handled separately in 1Password for Windows, so it sounds like Wi-Fi Sync isn't going to help in your case regardless. Essentially for Wi-Fi Sync to be useful to you, it would need to be rearchitected to both allow computers to act as sync clients, and for multiple vaults to be sync'd together.

    Is your work computer unable to access the internet at all? I'd gotten the impression that Dropbox was intentionally being blocked, so I thought that 1Password for Teams might be able to bridge that gap for you — if nothing else, then with its web interface. But if you are able to access websites with a browser, that may allow you to effectively use Firefox as your 1Password client there, and then use native apps on devices on supported platforms.

    It creates confusion because if I use a USB drive as sync folder like I did to get my passwords into my work PC (which is physically away from my Mac), if I remove the drive I lose access to my passwords because 1P for Windows opens the keychain instead of syncing it.

    The only solution for me here is to copy the file from the USB drive over my local keychain file.

    You're absolutely right about this! Weirdly, this use case isn't even the reason that 1Password for Mac has an internal database; it's simply more efficient for it to work that way, but of course a side effect is that the sync'd copy of the database allows some flexibility. On the other hand, for most other uses, 1Password for Windows is easier in that regard, since you don't have to manually set it up to sync your vault somewhere. You just open it like you would anything else and 1Password works with it directly. The biggest challenge here is that, depending on the person, either can be preferable. We get requests from both directions asking us to make it work like the other.

    mac<-wifi->android
    VVVVVVVVVVVVV
    travel to workplace
    AAAAAAAAAAAAA
    android<-wifi->work-pc

    Indeed. And I do apologize for not being clearer. The reason this can pose a problem is that the sync client (1Password for Android, in this case) can only be 'paired' with a single server. The obvious question is, why not allow more than one? But when the two are 'paired', it allows the sync state to be tracked over time to prevent conflicts, since many of us make changes on multiple devices. 'Pairing' with a new server destroys the sync state and starts with a clean slate, which is exactly what you'd want if you were going to sync with a new vault...except what you're trying to do is sync with the 'same' vault across multiple servers.

    A cloud syncing service gives the ability to fully access the vault everywhere, from both the browser extension (even if only read-only) and the desktop app, so I can access my vault even on platforms where there is no 1P app (like on Linux)

    Check.

    No other syncing method needed, everything is consistent because every application syncs with the same source and uses the same method

    Check.

    It doesn't involve file sharing, so there is a smaller chance that it gets blocked by company security policies

    Check.

    It gives more flexibility in some environments (I'm thinking about the lastpass-cli tools https://github.com/lastpass/lastpass-cli which gives the ability to interrogate lastpass from the linux command line, I use it on some of my servers to get SSH keys installed)

    On the downside it poses more security risks (or better, different security risks) and probably needs more money involved in subscriptions, apart from applications licenses

    No dice, though it's definitely an intriguing idea. I think before we consider something like that seriously we'd better 'ship' 1Password for Teams. ;)

    So, for the moment I'll stick with dropbox sync+wifi sync (or usb folder) for my work pc and third party chrome extension for my linux machine (I could survive using copy and paste from secure notes for SSH keys)
    I'll try 1P for teams when I get the chance.
    I hope that this discussion helps you with the development (even if you don't meet my requirements :pirate: )

    It really does! Thanks so much for taking the time to provide such extensive feedback. I'm glad that you at least have a workable solution for now, and while I can't say that we'll solve all of the problems you're having in the way you describe (as you have a very specific setup), we're very keen to find more general solutions to these problems to help not only you but many others as well.

    It sounds like 1Password for Teams already helps with a number of your pain points, so I hope you'll be able to give it a spin soon. We haven't been able to approve all new signups yet, but as we're ramping up you shouldn't have to wait long! :chuffed:

  • Good news,
    I've got access to 1Password for Teams

    Bad news:
    1Password for android unsupported ATM
    1Password for windows unsupported ATM
    1Password for mac needs beta version (not a problem though)
    I don't see a way to access it from browser extension
    I'm not able to access it at work (damn!!) because of our websense
    Overview:

    Could not connect to ******.1password.com .
    Details:
    Peer disconnected after first handshake message: Possibly SSL/TLS Protocol level is too low or unsupported on the server

    :angry: :chuffed:

    Well I'll still go the dropbox way (and usb) but 1P for teams looks very promising, so tonight I'll update my 1P for mac and upload my vault over there, and in the meantime I'll see how to get access to it from my work PC.
    Thank you again for this discussion, I think that this is a good way to get in touch with your customers

    Cheers..

    L.

  • brenty

    Team Member

    Good news,
    I've got access to 1Password for Teams

    @lcorsini: YESSS!!! :lol:

    Bad news:
    1Password for android unsupported ATM
    1Password for windows unsupported ATM
    1Password for mac needs beta version (not a problem though)
    I don't see a way to access it from browser extension

    The beta browser extensions depend on the native 1Password app because we don't store your vault in the browser. I'm not sure that Android browsers fully support the web standards that 1Password for Teams is built on, but you can absolutely access (and now edit!) your 1Password data in browsers on Windows...

    I'm not able to access it at work (damn!!) because of our websense

    ..unless the site is being blocked for some reason. D'oh! :(

    Overview:
    Could not connect to ******.1password.com .
    Details:
    Peer disconnected after first handshake message: Possibly SSL/TLS Protocol level is too low or unsupported on the server :angry: :chuffed:

    I'm pretty sure that our protocols are top notch, but I've reported this to the (AgileBits) team so we can make sure there isn't some configuration issue on our end. I just haven't heard of anyone else encountering problems with this.

    Well I'll still go the dropbox way (and usb) but 1P for teams looks very promising, so tonight I'll update my 1P for mac and upload my vault over there, and in the meantime I'll see how to get access to it from my work PC.

    And we'll see what we can do to help! The issues affecting you will likely affect others as well, so

    Thank you again for this discussion, I think that this is a good way to get in touch with your customers

    No, thank you! It's really cool getting this kind of insight into your workflow. We'll get back to you once we have more information on the cypher suite. Looking forward to hearing from you more as well! :)

  • @brenty

    I'm pretty sure that our protocols are top notch, but I've reported this to the (AgileBits) team so we can make sure there isn't some configuration issue on our end. I just haven't heard of anyone else encountering problems with this.

    From what I've been able to gather here, the error message is probably because there is another websense on your side that blocks the connection because our websense is doing a man-in-the-middle to do https inspection, or our websense isn't able to do https inspection on this connection.

    The beta browser extensions depend on the native 1Password app because we don't store your vault in the browser. I'm not sure that Android browsers fully support the web standards that 1Password for Teams is built on, but you can absolutely access (and now edit!) your 1Password data in browsers on Windows...

    Chrome for Android is able to access it.
    I just scratched the surface since I only have limited use of 1P for Teams ATM, I've installed just the beta of 1P for Mac and added the account, the web interface is awesome, but I found a couple of things I didn't like

    • IMHO direct access from the extension (maybe a dedicated one) could be a good feature where you're unable to use the main client, still keeping the ability to autofill websites
    • Teams creates another vault (well more than one in case of team shared vaults) instead of syncing my local primary to my cloud personal vault (maybe this is by design, but I didn't expect that behaviour) that's not easy to manage, especially when your other apps don't support the cloud vault :P

    So, my quick suggestions, based on my first look are:
    Extension with 1PfT direct support
    Sync your primary vault with your personal one on 1PfT
    A download/upload option for agilekeychainfiles

    I'll see if I can investigate a little more the SSL problem too

    Cheers.

    L.

  • brenty

    Team Member
    edited November 2015

    From what I've been able to gather here, the error message is probably because there is another websense on your side that blocks the connection because our websense is doing a man-in-the-middle to do https inspection, or our websense isn't able to do https inspection on this connection.

    @lcorsini: That was my guess as well, but I didn't want to jump to any conclusions without more information.

    IMHO direct access from the extension (maybe a dedicated one) could be a good feature where you're unable to use the main client, still keeping the ability to autofill websites

    I agree. It just isn't something that's possible right now. Perhaps it will be in the future. But at this stage it's much too early for us to even think about that seriously. Direct browser extension access for 1Password for Teams won't be much good unless 1Password for Teams is great first. :)

    Teams creates another vault (well more than one in case of team shared vaults) instead of syncing my local primary to my cloud personal vault (maybe this is by design, but I didn't expect that behaviour) that's not easy to manage, especially when your other apps don't support the cloud vault :P

    You're preaching to the choir. ;) Our priority right now is to make sure that the 1Password for Teams backend and site are rock solid, and get the native apps to be able to use it. Those of us who spend a lot of time on PCs or Android devices are especially anxious. We would have preferred to start the beta everywhere at once, but we've got enough users on OS X, iOS, or both that it's a pretty good start, without being too overwhelming.

    The vault bloat issue is also real, but we're probably not going to get rid of 'personal' classic 1Password vaults. However, we'd eventually like to be able to use 1Password in a "Teams-only" mode. It sounds like you might too. For the time being though, we're stuck with some complications since we're adding it to the existing apps' experiences.

    A download/upload option for agilekeychainfiles

    Ooo. I think there might have been another request for this. So, you're talking about directly importing an existing vault into the web interface? Or using an existing vault in 1Password for Teams? I guess there isn't a significant difference between the two. I think it's worth investigating, at least as a sort of 'import' option. :)

  • Hello @brenty
    sorry for the delay, been busy
    First of all, bought the windows licence at last :P (had to wait some money)
    (now it seems that I own 2 1Password version 3 for Mac even if I bought only one, probably some bundle or whatever, the Mac App Store version and the Windows version 4 one... what a mess... LOL)
    Apart from that:

    • Either working in team-only mode (so by accessing directly the 1PT personal vault) or syncing from 1PT could be the best option rather than having to manage another vault (for the same consistency aspect of having an internal db on mac and the agilekeychain on windows)
    • The import option is a good way to keep proper sync between the local agilekeychain and the remote vault in the meantime :) (also from work I've got the ability to access 1PT web interface, so I could download the agilekeychain and use it as local)

    The good news is that I probably managed to slip Dropbox in between our network security, probably not the most stable solution (one of these days the security team will tap me on the shoulder :pirate: :) ) so a fallback solution like an import/export on 1PT would be nice

  • brenty

    Team Member

    sorry for the delay, been busy
    First of all, bought the windows licence at last :P (had to wait some money)
    (now it seems that I own 2 1Password version 3 for Mac even if I bought only one, probably some bundle or whatever, the Mac App Store version and the Windows version 4 one... what a mess... LOL)

    @lcorsini: Haha, same here! My weakness for a good deal is infamous. No worries! Life happens, and we're here for you any time. ;)

    It sounds like you've come up with an interesting solution for the time being. I can't give a timeframe, but we'd like to make migration easier, and also roll out support on other platforms as well. Be sure to let us know if you have any other feedback about 1Password in general, but Teams especially as you use it more. And have a great weekend! :)

  • brenty

    Team Member

    @lcorsini: I just wanted to follow up with you on this. It appears that the only thing we could do on our end to work around this issue with Websense would be to support older TLS versions. It would mean a downgrade in the security of 1Password for Teams, and that isn't something we're willing to do.

    ref: #681

  • jpgoldberg (Agile Customer Care)

    Team Member

    Hi @lcorsini

    Just as a follow up, it does appear that Websense is considering it an "error" that we don't support connections over anything less than TLS1.2. It means that there are lots of browsers that we can't talk to, and so in a normal operation that might seem like a configuration error.

    But, as it turns out, the only browsers that we can support (because of how much of webcrypto they implement) can do TLS1.2, so our restriction to TLS1.2 doesn't actually rule out any browsers in practice.

    If you wouldn't mind posting exactly what you see from Websense and finding out what version your organization is using, we can see if there is someone we can talk to at Websense. But we can't loosen our security just so that Websense doesn't think we have a configuration error.

  • Probably there is an older installation here that for compatibility supports other TLS versions, I'll investigate a little more and report back

  • brenty

    Team Member

    Fingers crossed. It still seems odd that it would require an older TLS protocol version...unless it simply doesn't support 1.2. Thanks for checking! :)
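
The refusal discussed in the last few replies happens at the first handshake message, so one way to check the proxy side is to read which protocol versions its ClientHello offers and compare them with the TLS 1.2 minimum mentioned above. This is an added example, not part of the thread and not AgileBits or Websense code; it assumes the ClientHello bytes come from a packet capture and fit in a single TLS record, and the sample messages are constructed.

```python
import struct

TLS_VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
                0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
MIN_ACCEPTED = 0x0303  # per the thread: nothing below TLS 1.2 is accepted


class _Reader:
    """Bounds-checked cursor over bytes, so truncated input raises ValueError."""
    def __init__(self, data: bytes):
        self.data, self.pos = data, 0

    def take(self, n: int) -> bytes:
        if self.pos + n > len(self.data):
            raise ValueError("truncated ClientHello")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def vec(self, len_bytes: int) -> bytes:
        """Read a length-prefixed vector whose length field is len_bytes wide."""
        return self.take(int.from_bytes(self.take(len_bytes), "big"))

    def remaining(self) -> int:
        return len(self.data) - self.pos


def _is_grease(v: int) -> bool:
    # GREASE placeholders (0x0a0a, 0x1a1a, ...) are not real versions.
    return (v & 0x0F0F) == 0x0A0A and (v >> 8) == (v & 0xFF)


def offered_versions(record: bytes) -> list:
    """Return the protocol versions a ClientHello record offers, highest first."""
    if len(record) < 5:
        raise ValueError("truncated TLS record header")
    ctype, _record_version, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != 22:
        raise ValueError("not a handshake record")
    body = record[5:5 + rec_len]
    if len(body) < rec_len:
        raise ValueError("truncated TLS record")
    hs = _Reader(body)
    if hs.take(1) != b"\x01":
        raise ValueError("handshake message is not a ClientHello")
    r = _Reader(hs.vec(3))
    legacy = int.from_bytes(r.take(2), "big")
    r.take(32)   # random
    r.vec(1)     # session id
    r.vec(2)     # cipher suites
    r.vec(1)     # compression methods
    versions = []
    if r.remaining():
        ext = _Reader(r.vec(2))
        while ext.remaining():
            ext_type = int.from_bytes(ext.take(2), "big")
            ext_data = ext.vec(2)
            if ext_type == 43:  # supported_versions (TLS 1.3 clients)
                lst = _Reader(ext_data).vec(1)
                versions = [int.from_bytes(lst[i:i + 2], "big")
                            for i in range(0, len(lst) - 1, 2)]
    versions = [v for v in versions if not _is_grease(v)]
    # Without supported_versions, legacy_version is the highest version offered.
    return sorted(versions, reverse=True) or [legacy]


def diagnose(record: bytes) -> tuple:
    """(name of highest offered version, would a TLS 1.2-minimum server accept it)."""
    best = max(offered_versions(record))
    return TLS_VERSIONS.get(best, hex(best)), best >= MIN_ACCEPTED


def build_client_hello(legacy: int, supported=()) -> bytes:
    """Constructed sample input: a minimal ClientHello, not a real capture."""
    hello = (legacy.to_bytes(2, "big") + bytes(32) + b"\x00"
             + b"\x00\x02\xc0\x2f" + b"\x01\x00")
    if supported:
        lst = b"".join(v.to_bytes(2, "big") for v in supported)
        data = bytes([len(lst)]) + lst
        exts = (43).to_bytes(2, "big") + len(data).to_bytes(2, "big") + data
        hello += len(exts).to_bytes(2, "big") + exts
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + len(hs).to_bytes(2, "big") + hs


if __name__ == "__main__":
    for sample in (build_client_hello(0x0301), build_client_hello(0x0303),
                   build_client_hello(0x0303, (0x0A0A, 0x0304, 0x0303))):
        print(diagnose(sample))
```

A ClientHello that tops out at TLS 1.0 or 1.1 points at the intercepting proxy's configuration rather than at the server.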

This discussion has been closed.