Alex Smolen

Ideas for 1Password


Feb 10, 2013

I had a tough time looking for jobs because I wanted to be a Security Product Manager. That title doesn't exist at most companies. The closest I could find was product manager at a security software company. I was being interviewed for that role when the hiring manager asked: What's your favorite security product?

This was in 2011, and some new services like Cloak and CloudCracker didn't exist yet. I contemplated for a half minute - well, uh... let's see... and came up empty. Anti-virus, IDS, and scanning tools are some of the most confusing and ugly software out there.

Suddenly it struck - 1Password! It was by far my favorite password manager, and I had tried a lot of them: PasswordSafe, Password Gorilla, KeePass, RoboForm, LastPass, etc. 1Password was less jarringly unaesthetic. It felt more polished. It even cost money, and presumably made some.

But as I was talking about 1Password, I started to remember its limitations. I thought about the times it worked against me, or didn't anticipate how people use passwords.

I think that 1Password has a little bit of the "all style, no substance" disease. Starting from the skeuomorphic vault you unlock to sign in on the Mac client, it's obvious that 1Password has good graphic design. But good graphic design alone does not make a good product.

Create an account

1Password works well for logging in to known sites, but that's only part of the problem. When you create an account on a site, you need to click around in the browser plugin to generate a strong password, then copy and paste it manually into the registration form. But then 1Password thinks the registration form is a login form because it has a password field, and offers to remember it. Once it has remembered the signup form, the login flow sometimes stops working.

Instead, the 1Password browser extension could recognize registration forms, offer to generate a strong password, and then store it in a "hasn't logged in yet" state, so that when you eventually ask to log in to the site it records that process.

Change password

When I want to change a password, 1Password is a hassle to work with. Usually you need to click around to generate a new password, copy and paste it twice, and then copy and paste your old password from your password history. The 1Password browser extension could easily recognize password change forms. Then it could offer to generate and fill in a strong new password, fill in the old password, and save the new password for me.

Automate login flow

I think the 1Password team has a philosophy of not learning login flows, except by recording them on the end user's computer. And, especially when they started, I thought this was the right approach. When you attempt to generalize how a site's form fields and JavaScript interact during login, you are in screen-scraper territory. It's a matter of time before things break.

Still, I bet 1Password has reached the size and scale where it could automate logins, at least for major sites. They'd need to stay up to date with the HTML and JavaScript, but 1Password could automatically handle registration, login, and changing passwords - all painful experiences - and gracefully degrade to manual processes when things fail. I could even imagine a JavaScript API or microformat that keeps the interaction between the site and 1Password structured.

At least 1Password could maintain a list of standard icons and domains so that site lists looked better.

Inconsistent icons and settings

In the Mac client, some passwords have small icons next to globes, some have large icons, and some have no icons. Why? The sites that have no icons have favicon.ico files. The bigger icons are the best looking, and are probably not available for all sites, but having all three looks inconsistent to me.