It’s so easy to dunk on tools and vendors that you can forget to give flowers to those that are doing well. I’ve been really impressed with the utility and the user experience of a few things that 1Password have shipped (fairly) recently.

SSH agent

This works so well. You can generate SSH keys – or stash existing ones – in a 1Password vault. This lets you run the 1Password-controlled SSH agent, which provides the private key on demand for git or ssh operations. As I’m primarily using MacBooks, this works in tandem with authorisation via Touch ID; these things combine into an incredibly low-friction path to leveraging the Secure Enclave for mission-critical operations.
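To make the agent wiring concrete, here is an added shell example (mine, not code from the post or from 1Password) that writes the IdentityAgent line OpenSSH needs, installs it idempotently into ~/.ssh/config, and checks that the agent actually answers. The socket path is the one the 1Password macOS app exposes and is an assumption here; set OP_AGENT_SOCK if your install differs.

```shell
#!/bin/sh
# Added example (not from the post or 1Password): point OpenSSH at the
# 1Password SSH agent and confirm it is reachable, instead of hand-editing config.

# Socket path exposed by the 1Password macOS app; assumed here, check it on your machine.
OP_AGENT_SOCK="${OP_AGENT_SOCK:-$HOME/Library/Group Containers/2BUA8C4S2C.group.com.1password/t/agent.sock}"

# Emit an ssh_config fragment. The path contains a space, so it must be quoted.
op_ssh_config() {
  printf 'Host *\n  IdentityAgent "%s"\n' "$OP_AGENT_SOCK"
}

# Return 0 if the given socket (default: OP_AGENT_SOCK) exists and the agent lists keys.
op_ssh_agent_reachable() {
  sock="${1:-$OP_AGENT_SOCK}"
  [ -S "$sock" ] || return 1
  SSH_AUTH_SOCK="$sock" ssh-add -l >/dev/null 2>&1
}

# Append the fragment to a config file (default ~/.ssh/config) only if no
# IdentityAgent line is present yet, and keep the usual restrictive permissions.
op_ssh_config_install() {
  cfg="${1:-$HOME/.ssh/config}"
  dir="$(dirname "$cfg")"
  mkdir -p "$dir" && chmod 700 "$dir"
  if [ -f "$cfg" ] && grep -q 'IdentityAgent' "$cfg"; then
    echo "IdentityAgent already set in $cfg; leaving it alone" >&2
    return 0
  fi
  { [ -f "$cfg" ] && cat "$cfg"; op_ssh_config; } > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
  chmod 600 "$cfg"
}
```

After op_ssh_config_install has run, op_ssh_agent_reachable (or plainly: SSH_AUTH_SOCK=... ssh-add -l) is the quick check that the keys you stored in the vault are what ssh and git will see; it returns non-zero when the app is not running or the socket path is wrong, which is the usual reason a "works in the GUI" setup fails on the command line.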

Fastmail + masked email

For a long time, I’ve used a Google Workspace (RIP to the much more elegant “Suite” nomenclature) for personal emails. I have a primary email domain for professional and most personal human-to-human contact. Separately, I have a second domain which is used for subscriptions, mailing lists, and anything else which will sit in an unloved RDS until it invariably leaks into the public domain accompanied by a password hash. Using a catch-all email address, each website gets its own email address using the scheme [company_name]@[domain]. There are two primary reasons for this: it reduces the blast radius from data leaks, and it helps identify & mitigate email misuse.

1Password and Fastmail (another tool I’m really enjoying using) integrate to allow 1Password to generate Fastmail masked email addresses. I can still use my own domain – which is important, as I try to preserve portability as much as is possible. Another benefit comes from this: the masked emails that Fastmail generates are more randomised (they come in the format [random_word].[random_word][random_4_numbers]@[domain]). This protects against the “guessability” of my previous scheme, where the recipient was often the name of the company and could be easily deduced.

Much like with the SSH features, the UX of this is really good. It’s as simple to create a masked email (1-2 clicks) as it is to generate a password, and the prompt to create a masked email appears correctly about 95% of the time. Nobody who works in software needs to be told that getting things like this - that appear simple - to work seamlessly tends to be much more complex than you might expect.
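The "identify misuse" half of the scheme is easiest to see in a small triage tool, so here is an added shell example (mine, not something from the post, Fastmail or 1Password) that takes the recipient address from an unwanted email and works out which service leaked it. It handles both schemes described above: the company-name catch-all, where the local part is the answer, and the masked format, where the association has to come from a lookup table. The table below is constructed for the example; in practice that mapping is the 1Password item each alias was saved with.

```shell
#!/bin/sh
# Added example (not from the post, Fastmail or 1Password): given the recipient
# address on an unwanted email, attribute it to the service it was handed to.

# Constructed table: masked alias, then the service it was created for.
MASKED_ALIASES='quiet.harbor4821 example-retailer
copper.lantern0093 example-forum'

# Lower-case local part of an address (mail local parts are matched case-insensitively here).
local_part() {
  printf '%s' "${1%%@*}" | tr 'A-Z' 'a-z'
}

# Classify the address: "masked" (word.word + 4 digits, the Fastmail format),
# "catchall" (the older company-name scheme) or "unknown".
alias_kind() {
  lp="$(local_part "$1")"
  if printf '%s' "$lp" | grep -Eq '^[a-z]+\.[a-z]+[0-9]{4}$'; then
    echo masked
  elif printf '%s' "$lp" | grep -Eq '^[a-z0-9._-]+$'; then
    echo catchall
  else
    echo unknown
  fi
}

# Print the service behind an address; return 1 if it cannot be attributed.
alias_source() {
  lp="$(local_part "$1")"
  case "$(alias_kind "$1")" in
    catchall) echo "$lp" ;;
    masked)
      printf '%s\n' "$MASKED_ALIASES" |
        awk -v a="$lp" '$1 == a { print $2; found = 1 } END { exit found ? 0 : 1 }'
      ;;
    *) return 1 ;;
  esac
}
```

A masked alias that is not in the table is the interesting case: it is either an alias you never recorded or one somebody guessed, and the random-word format makes the second far less likely than it was with [company_name]@[domain].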

1Password Connect

I’m pretty early on in using this, so it might turn out to be a disaster; but early impressions of using 1Password’s sort-of answer to HashiCorp Vault have been really positive.

The TL;DR is that you can host a “Connect server” which acts as a bridge between 1Password’s servers and your own applications / infrastructure. Currently I’m using this in my k3s homelab, running a Connect server deployed through Helm. Once the prerequisites exist, you can create OnePasswordItem resources in Kubernetes which translate 1Password-stored secret material into Kubernetes-native Secret resources.

An example:

---
apiVersion: "onepassword.com/v1"
kind: "OnePasswordItem"
metadata:
  name: "my-secret"
  namespace: "any-namespace"
spec:
  itemPath: "vaults/[1password_vault_name]/items/[secret_name]"
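The manifest above only shows the producing side. As an added shell example (mine, not the operator's own tooling), here is a small renderer that emits the OnePasswordItem for a given vault and item, rejects names that are not valid Kubernetes object names before anything reaches the cluster, and emits the Deployment that consumes the resulting Secret. It assumes the operator names the created Secret after the OnePasswordItem, which is how its documentation describes the behaviour; the DNS-1123 name check and the sample vault/item names are mine.

```shell
#!/bin/sh
# Added example (not from the post or the 1Password operator): render a
# OnePasswordItem plus a Deployment that reads the Secret the operator creates.

# Kubernetes object names must be DNS-1123 labels (lower-case, digits, dashes, max 63).
valid_k8s_name() {
  printf '%s' "$1" | grep -Eq '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' && [ "${#1}" -le 63 ]
}

# Usage: render_item <k8s-name> <namespace> <1password-vault> <1password-item>
render_item() {
  name=$1; ns=$2; vault=$3; item=$4
  valid_k8s_name "$name" || { echo "invalid object name: $name" >&2; return 1; }
  valid_k8s_name "$ns" || { echo "invalid namespace: $ns" >&2; return 1; }
  cat <<EOF
---
apiVersion: "onepassword.com/v1"
kind: "OnePasswordItem"
metadata:
  name: "$name"
  namespace: "$ns"
spec:
  itemPath: "vaults/$vault/items/$item"
EOF
}

# Usage: render_consumer <k8s-name> <namespace> <image>
# Assumption: the operator writes a Secret named exactly like the OnePasswordItem,
# so the Deployment references that name and maps every field to an env var.
render_consumer() {
  name=$1; ns=$2; image=$3
  valid_k8s_name "$name" || { echo "invalid object name: $name" >&2; return 1; }
  cat <<EOF
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: $name
  namespace: $ns
spec:
  replicas: 1
  selector:
    matchLabels: { app: $name }
  template:
    metadata:
      labels: { app: $name }
    spec:
      containers:
        - name: app
          image: $image
          envFrom:
            - secretRef:
                name: $name
EOF
}
```

Typical use is to pipe the output straight into kubectl, for example render_item app-creds default Homelab database | kubectl apply -f -, then apply the consumer once kubectl get secret app-creds shows the operator has synced the item; a typo in the vault or item name shows up as a missing Secret rather than a failed apply, which is worth knowing when debugging.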

Secrets management has been something I’ve struggled with at multiple jobs. The default, and pretty correct, argument for an AWS-based shop is to “just use Secrets Manager”. Secrets Manager is excellent for using and controlling access to secrets; but the developer experience for hydrating and administering those secrets is awful. It’s really exciting to see something offered that has a positive UX and seems fairly lightweight from an operational point of view. I’ll leave others much more competent than I am to assess the security of 1Password Connect, and I won’t yet be using it in a production environment; but using it in a homelab setting has been a simple joy.

Don’t throw a HackerNews hot take at me

There are people who argue against using a SaaS-y password manager, suggesting that it is risky for InfoSec / financial / lots of other reasons. That can be true for you! It isn’t true for me. One of the best lessons I’ve learned from working with really good security engineers is the importance of thoughtful threat modelling. My threat model rates the risk of losing all my credentials through self-hosting software as much more likely – and impactful – than a potential 1Password breach.

It’s great to use a tool that feels like it’s thinking about your problems, and solving them well.