Keeping Your Passwords in Sync with 1Password 2.9
1Password 2.9 is now released!
Those paying close attention will notice that the last version of 1Password (2.8.2) was released on August 1st, over two months ago! We normally publish new releases every 2 weeks on average, so for us this release has taken a lifetime!
The reason this release took so long, quite frankly, is we were all exhausted after the release of the iPhone version of 1Password. When 1Password was added to the App Store things were absolutely crazy here; I have never seen anything like it. I now have even more respect for Apple; the firestorm they must have endured is unfathomable.
Now that we are back at full strength, we of course have some surprises in store for you! Without further ado, let me introduce the solution to our #1 requested feature: Robust Alternative to MobileMe Syncing!
Keeping Your Macs in Sync
There are a few fantastic tools available to keep your files in sync. Examples include FolderShare, ChronoSync, Unison, iDisk, SugarSync, and our favorite, Dropbox.
Until now these tools could not be used to sync your 1Password data. With the new Agile Keychain format added in version 2.9 it is possible to sync information almost instantaneously and without conflicts. All changes are detected and reloaded by 1Password automatically.
It is also possible to share the Agile Keychain between multiple computers on your local home network using a regular shared folder.
What is the Agile Keychain?
The Agile Keychain is a new keychain format developed to build on the success of the OS X Keychain and expand its functionality. The OS X Keychain has served 1Password incredibly well over the years and we are proud to support it. Over time, however, our users have required us to create something more flexible and portable that meets all of their diverse needs.
Here is a comparison of the OS X and Agile Keychains:
| | Mac OS X Keychain | Agile Keychain |
|---|---|---|
| File Based Syncing¹ | not practical | robust, easy & instantaneous |
| Performance² | degrades as size increases | fast even at GB sizes |
| AutoLock³ | based on keychain usage | mouse and keyboard based |
| Data Encryption⁴ | Triple DES | AES 128bit CBC & PBKDF2 |
| MobileMe Syncing⁵ | keychain synced | iDisk only |
1 File level syncing is not practical with the OS X Keychain because everything is stored in a single file. Each modification causes the entire file to be recreated and then synced. This hurts performance and increases the chance of conflicts.
2 The OS X Keychain slows significantly as its size increases because it creates an entire copy of the file and then replaces the original.
3 The OS X Keychain's AutoLock is based on keychain usage. The amount of time between using the keychain is calculated to determine if the keychain is locked. User activity such as typing or mouse movement is irrelevant. This forces users to specify a much longer Automatic Lock time than they might otherwise prefer.
4 The OS X Keychain uses Triple DES as its encryption algorithm which is quite secure, but it is growing older and has been superseded by newer encryption algorithms with longer key lengths. AES is the new standard used by the US Government.
5 The OS X Keychain has direct support for syncing with MobileMe. The Agile Keychain does not have this level of integration with MobileMe, but it can be kept on iDisk.
For a full analysis of our need to design the Agile Keychain, please refer to the History of 1Password's OS X Keychain Integration. For details on how the Agile Keychain was designed and made secure, please see the Agile Keychain Design document.
As mentioned, the OS X Keychain has served 1Password incredibly well. In fact, the majority of users are completely satisfied with its current functionality and will not be motivated to immediately transition to the Agile Keychain.
Therefore, the OS X Keychain will continue to be a part of 1Password for the foreseeable future, and we will not be forcing people to move to the Agile Keychain. Over time, however, features will be added to 1Password that are only possible using the new Agile Keychain format and will require switching in order to access the new feature.
How to Switch to Agile Keychain
It is easy to start using the new Agile Keychain format. Simply launch 1Password, go to Preferences > Keychain, and select Switch to Agile Keychain, as shown here:
You will be asked for the Master Password that will be used for the new keychain, as shown here:
Once provided, all your OS X Keychain items will be recreated and stored into the new Agile Keychain using the provided password.
You can switch back and forth between old and new keychains at any time. When switching back to the OS X Keychain, I recommend reusing the old keychain for much faster switching. All changes (except deletions) made in one keychain will be copied to the other:
While initially testing the Agile Keychain you should just leave the OS X Keychain where it is. Once you are satisfied with the new keychain format, however, you can clean things up. For detailed instructions, see the Removing the OS X 1Password Keychain section in the Using the Agile Keychain
Automatic Syncing Without MobileMe
You can sync your files using any of the great tools available, but our favorite is Dropbox. You can download it from their site, watch their video to see how things work, and be up and running in a few minutes.
After Dropbox is installed, go to the 1Password > Preferences > Keychain window and select Change Location:
1Password will ask you for the new location of the keychain. Specify the Dropbox folder (or a subfolder within it):
Clicking Change Location will cause 1Password to move your Agile Keychain to the Dropbox folder. That's all there is to it! Your keychain is now being monitored by Dropbox and automatically copied to all your other machines.
To configure 1Password on your other Macs, first set up Dropbox, then make sure you have the latest version of 1Password installed, and then use Finder to browse your Dropbox folder and double-click 1Password.agilekeychain. 1Password will launch and ask you if you want to switch to this new location:
After clicking Yes 1Password will configure itself to use this new keychain. Since the keychain is monitored by Dropbox, any change you make to your keychain will be automatically synchronized to all your other Macs. 1Password and its browser extensions will detect these changes and automatically reload the keychain, allowing for completely automatic and seamless syncing without MobileMe.
Automatic Syncing Using iDisk
By popular demand I decided to add this section to detail how to use MobileMe's iDisk to sync your data. The steps are nearly identical to the previous section, but you use iDisk instead of Dropbox.
I have been using both iDisk and Dropbox for my testing and have found both to work fine for my purposes. With that said, Dropbox is a lot faster and has some amazingly cool features built into it, such as the ability to recover deleted files, revert to a previous version of a file, Growl notifications, and secure sharing of files between your friends. While this section is about using iDisk, I wanted to share my excitement that the 'new kid on the block' has some cool stuff :)
With that out of the way, here are detailed instructions for setting up 1Password syncing with iDisk:
Configuring iDisk to Sync 1Password Data
Important Note for Leopard+Firewall+iPhone Users
As mentioned in a previous blog post, after releasing the iPhone version of 1Password many people experienced permission issues every time 1Password was updated.
It is very important to follow the recommended upgrade steps carefully to ensure upgrading does not result in the same permissions problem reoccurring.
Basically what is required is to export all your data, upgrade 1Password, and then recreate your keychain. Detailed upgrade instructions can be found in the Recreating Keychains to Resolve Leopard Firewall Permission Issues section in the Using the 1Password Interchange Format document.
Once upgraded and your keychain recreated, you can change to the Agile Keychain. The new Agile Keychain will avoid this permissions issue and switching to it will solve this problem once and for all.

Can you explain the 1PasswordAgent a little? I'm assuming it has to do with controlling the automatic locking feature of the agilekeychain, based on the mouse & keyboard input mentioned in the article. It would be nice, however, if we could turn this off. While I don't want to compromise security, I don't like to have to have additional processes running, even if those processes use little memory and CPU. For example, I really don't like the fact that Google apps add the GoogleUpdate process, which is seemingly pretty useless.
Also, what are these web pages and scripts in the agilekeychain package? Can we open these, say, in a browser to view our passwords?
Now that I've been critical, I want to congratulate Agile on a fantastic update. The ability to sync my 1Password information across my Mac without MobileMe is absolutely fantastic! I'm especially appreciative of the fact that Agile continues to constantly improve an already fantastic app! Now, one of the few remaining things I could suggest would be a way to use/sync the 1password database on Macs with a Windows password utility such as keypass, so you could use your 1password data on Windows (since there isn't a 1password windows client). Thanks for all your hard work!
Posted by: Jeff | October 04, 2008 at 09:06 PM
Is the iPhone bookmarklet back?
Posted by: Steve Rubel | October 04, 2008 at 11:14 PM
Great news!
I have a small question: do we need to quit 1Password to make sure the changes to the keychain are saved or read? (It seems that it's not the case, but I want to make sure.)
I use Unison (http://www.cis.upenn.edu/~bcpierce/unison/) to synchronize my macs, so if I understood correctly, I can have 1Password running all the time, and periodically synchronize the agilekeychain file: any change will be picked up by the other mac when the file is updated?
Posted by: Alan Schmitt | October 05, 2008 at 04:19 AM
@Jeff: Thank you for the congratulations! This release was a long time coming, over a year in fact, but I think the results speak for themselves.
Regarding the 1PasswordAgent process, it is used to maintain the unlocked state of the Agile Keychain. Because 1Password works across many applications, many users want to be able to keep the keychain unlocked when restarting 1Password and web browsers. This is how the OS X Keychain worked and it worked well. I never considered the need to keep the process list "clean", so for the moment you cannot disable this. I guess we could make this a preference but will need to give it more thought before committing.
As for the files in the `style` folder, they contain a huge surprise that we will be revealing in the coming weeks. I had planned to remove them from the 2.9.0 release, but decided to leave them to make testing simpler. If you promise not to tell anyone, they are for viewing your data on any modern web browser :)
Your last request for syncing to Windows is close to becoming a reality. Using a tool like Dropbox will allow you to sync to Windows. You can then use the standalone web application that is packaged into the Agile Keychain to view your data. Again, this is a secret and still in testing, so don't tell anyone :)
Posted by: Dave Teare | October 05, 2008 at 02:42 PM
@Steve: The Safari Logins bookmark for iPhone is near and dear to my heart and I plan on bringing it back. As discussed, things have been absolutely crazy around here since being added to the iPhone App Store.
Releasing the Agile Keychain was critical for many reasons and so we have focused our effort on completing it. Now that we are almost done Beta testing and nearing an "official" release, we will be able to regroup and start thinking about the next items to focus on.
Updating the "native" iPhone application and adding the Logins bookmark back are high priority items and likely at least one of them will "make the cut" to be our next focus item.
Posted by: Dave Teare | October 05, 2008 at 02:47 PM
@Alan: 1Password will automatically detect changes and reload them for you. We wanted to make the sync process as transparent and painless as possible.
Unison should work perfectly as a sync solution. I know Roustem used to use Unison, but when Dropbox came out we both changed to use it instead.
Regardless of what tool you use to sync your files, neither 1Password nor any of its supported browsers need to be restarted. It's magic :)
Posted by: Dave Teare | October 05, 2008 at 02:54 PM
Dave, sounds like good work. I am almost excited. The only cloud on horizon is I'm pretty committed to .mac syncing and it seems the plan is I will eventually need to move to an additional sync solution to handle the 1password file. Not on day 1, but that's where the train is heading. I will eventually get comfortable with using two sync solutions, not quite there yet. ralph
Posted by: ralphdaily | October 06, 2008 at 07:34 AM
@Jeff: I added an option to make 1PasswordAgent optional (Lock when 1Password and all browsers are closed). You will see it in the next build.
Thanks again for the feedback!
Posted by: Roustem Karimov | October 06, 2008 at 11:10 AM
@Ralphdaily: I used to absolutely love my .Mac setup; syncing was always fast and flawless and I proudly recommended it to everyone. About the time Leopard was released, however, I experienced many issues and lost faith in it. I was not alone as many users reported the same issues. It got so bad that we created the my1Password service to handle syncing in a different way.
I guess what I'm saying is .Mac/MobileMe is awesome when it works and so we do not plan on taking it away from those lucky people who have it working.
At the very least we will continue to support the OS X keychain for the foreseeable future. With that said, we have a few options to allow the new Agile Keychain to sync through MobileMe just as seamlessly as the OS X Keychain.
One way is to integrate directly with the MobileMe sync service, just like the OS X Keychain does today. It has been a while since I investigated this, but I remember being confident we could get this working.
My personal favorite option, however, is to allow 1Password to sync its data with iDisk. If we had this feature, all your Macs could then be configured to sync automatically with iDisk. The reason I like this approach so much is it can be easily extended to support multiple storage locations. For example, your personal server via FTP, online storage solutions like Box.net, etc.
Time will tell which way we go :)
Posted by: Dave Teare | October 06, 2008 at 11:50 AM
I should follow up and clarify my last comment.
You can use iDisk to sync your files already in version 2.9. What I was referring to was adding more "magic" inside the 1Password application to automatically find your iDisk and use it, all by clicking a simple button or preference.
Posted by: Dave Teare | October 06, 2008 at 05:01 PM
Hey Dave,
So maybe I'm either real slow or just missing something here (put it down to tiredness).
As a current user of the my1password service I've read the recent thread in the forums about the future of my1password and your ongoing debate as to whether to continue to support this. The feature that I love, and I assume most other people love, is that we can access any of our data anywhere in the world through a browser, be it on windows, mac etc etc.
As a MobileMe user (I have it working for my needs perfectly) will, in 2.9, I be able to sync my data between my 2 macs easier than I've been able to at the moment? I have been getting errors with data going missing and the such... Or maybe this is just me and something I'm doing wrong. Anyhow...
Secondly, will there be some way (using MobileMe/iDisk) that I can view my passwords (similar to the my1password service) in a browser on any platform? From reading this it sounds like this won't be an option without a 3rd party FTP service? Or have I just misinterpreted this?
If I can sync to mobileMe/iDisk in some way to access my data in a browser will this be an automatic process or is it going to require some manual work (from the comments here I'm guessing manual work?)
Maybe it's just me but the comments here, and this post, have left me completely flummoxed as to the future of a mobile "1password" service so to speak...
Posted by: Dan P | October 06, 2008 at 06:13 PM
@Steve Rubel: We added "Sync to iPhone Safari Bookmark" back in the new build. Thank you for the feedback!
Posted by: Roustem Karimov | October 06, 2008 at 06:37 PM
@Dan P: I'm sorry for the confusion. There are a lot of moving parts and not everyone is in the same situation so it's hard to make a single blog post for everyone. I will, however, update this post with some comments about MobileMe.
To answer your first question, the ability to access your data from anywhere using my1Password is definitely a killer feature. I tried to explain how we will make this possible with the new Agile Keychain format in The Future of my1Password thread:
So in other words, the goal is to build both of the my1Password killer features into the Agile Keychain. By storing your Agile Keychain on your iDisk or any other online service, you could access your data from anywhere. Again, this is a Work in Progress; you will see more on this in a few weeks.
As for your second question regarding MobileMe, I am a little confused because you said "I have it working for my needs perfectly" and then go on to say "I have been getting errors with data going missing and the such...". My guess is that you are encountering the typical MobileMe issues that sparked us to create the Agile Keychain. You can use the steps outlined in this post to sync via iDisk and it will be a lot more reliable.
I'll update the blog post now to mention how to configure iDisk based syncing.
Posted by: Dave Teare | October 07, 2008 at 01:32 PM
Dave,
Thanks for the update... All is clearer now. Once the official release is out I'll give it a test. One final thing that is still confusing me: having it on the iDisk as a "stand-alone web app" so to speak, will it need to be downloaded from iDisk to operate first or is it magically going to work straight from iDisk in a browser (I'm guessing the first..?)
Sorry about the second question. It did indeed turn out to be one of the typical errors (and I later found the solution in the forums). All is sorted regarding syncing now.
Looking forward to the next update.
Posted by: Dan P | October 07, 2008 at 06:48 PM
@Dan P: I'm going to ask you to sit tight for a few more weeks. The html version is not ready yet, but it will work as you have become accustomed to in my1Password. I think you'll love it :)
Posted by: Dave Teare | October 08, 2008 at 01:05 PM
This is AWESOME!
One question - how secure is the use of "Dropbox"?
This was a great way to fix the multiple-Mac dilemma, and it seems to be insanely good.
Just want to know who has my info...
Scott
Posted by: Scott Boettcher | October 08, 2008 at 07:58 PM
@Scott: From the Dropbox tour it says:
I had not found any documentation on how they accomplish this yet. Specifics like how encryption keys are created are not documented anywhere. I'm digging in their forum now; we'll see what I find.
In any event, the super confidential information from your Agile Keychain is encrypted so even if your Dropbox account was hacked you would have an extra layer of protection.
Posted by: Dave Teare | October 08, 2008 at 08:31 PM
@Scott: More information from Dropbox forum:
Posted by: Roustem Karimov | October 08, 2008 at 09:09 PM
1PW is getting better and better and couldn't be happier that it now has its own keychain format.
The thing I'm not sure of is, if all our entries are brought over to the 1PW keychain and I sync using MobileMe, do all my registered computers need to have 1PW installed in order to understand the new keychain format?
Kudos to you guys for consistently making 1Password a great app.
Posted by: Frank | October 08, 2008 at 09:51 PM
So great to see you're always thinking of making 1PW better.
Just 1 thought though concerning comfort/ease of use:
In my OSX keychain utility I keep separate keychains for different purposes, one for mail passwords, another one for itunes and ebay passwords and then there was the 1password keychain.
What I really liked about 1Password though was that I only had to enter ONE single password, the master password, and then your application would go and unlock the OSX keychain itself.
With your new keychain approach this does not work anymore. Your new keychain format stores the master password in the login keychain, by default, probably because you suppose it's always unlocked or at least for a very long time.
But I only keep low security passwords - for fast access - in the login keychain (which, yes, stays unlocked).
As I said, I store more sensitive passwords (like the 1Password master password) in separate keychains.
Now the problem: I have created a new empty keychain to store the 1Password master password in (set to lock after some minutes). I start Safari and now I have to enter TWO passwords: when I start Safari I need to unlock the keychain and then I need to enter the 1Password master password.
The problem for me is that 1 Password does no longer unlock the corresponding keychain. Therefore 2 passwords to enter. Less ease of use.
I know, I could sacrifice security for ease of use, I could just leave the master pw in the login chain. Or I could go back to using the OSX keychain concept with 1Password.
But I am quite willing to move to the new format. But entering 2 passwords is so annoying.
Maybe you have a solution. I don't so far.
Thank you.
Posted by: Chris | October 08, 2008 at 10:02 PM
Any chance we see real MobileMe sync support in the future? I do not like the WLAN-sync mode as my WLAN is in "N" (at 5 GHz only for less conflicts with the other WLANs around) mode most of the time which is not supported by the iPhone. I mean how hard would it be to have 1Passwd on the iPhone use the version on the iDisk. Is something like this planned?
Posted by: Sebastian Werner | October 09, 2008 at 12:39 PM
@Sebastian: Before this release, having your iPhone sync directly with iDisk was a HUGE amount of work. Now that the Agile Keychain is available, 90% of the effort is now complete, so we can finally start moving forward on this. Expect to see iPhone+iDisk integration soon.
Posted by: Dave Teare | October 09, 2008 at 12:47 PM
So, in short, do you recommend that users switch to the Agile Keychain? (And I totally agree re. Dropbox.)
One concern: what if my1password and the Dropbox-synced keychains get out of step?
Posted by: Geoff | October 09, 2008 at 12:52 PM
@Frank: The selection of the keychain type is an "all or nothing" type of decision. In other words, if you use OS X Keychain on one of your Macs, you have to use the same setting on all your other Macs, otherwise syncing will be impossible.
I'm not sure if I answered your question so let me try from another angle just to be sure. If you decide to switch to the Agile Keychain, you should disable the MobileMe syncing of your OS X 1Password keychain, and it should never be re-enabled. Once disabled, migrate all your OS X Keychain data to the new format, and then share it via iDisk/Dropbox/whatever. Then go to all your other machines and tell them to use the new share you set up.
Posted by: Dave Teare | October 09, 2008 at 12:52 PM
Have you guys considered moving this into an open framework or giving out the code for other developers? :)
Posted by: Devon | October 09, 2008 at 12:52 PM
@Devon: I have been considering making Agile Keychain an open framework for other developers to use. The main thing holding me back is I think a lot of stuff is 1Password specific, but given enough effort I'm sure we could abstract things. Also, the vast majority of the keychain is already open sourced as we use OpenSSL, Blake Seely's BSJSONAdditions, etc, so over 80% is already open and available for anyone to use.
With that said, I would like to make a framework and release it so that we can say it is "Open Source". I quote that because 95% is open sourced already, but it would be nice to get that last 5%.
Time will tell. Time is the one thing we're lacking at the moment. In fact, we have 3 other things we have been planning on open sourcing for a long time now. This new keychain makes it 4 :)
Posted by: Dave Teare | October 09, 2008 at 01:01 PM
@Geoff: In short: yes! :)
Regarding my1Password, please see this post on The Future of the my1Password Web Service. In short I'd recommend you stop syncing w/ my1Password and rely on this new file-based syncing approach. You can keep my1Password for viewing your data online, but do not use multiple sync solutions at the same time.
Posted by: Dave Teare | October 09, 2008 at 01:04 PM
@Chris: Sorry but I am not following you 100%. The new Agile Keychain does *not* require you to store your Master Password into the login keychain. That is completely optional. The only thing we require to be added to the login keychain is the Sync Authentications w/ iPhone.
In my opinion you should not store the 1Password Master Password in any keychain whatsoever unless you take a lot of steps to make sure it is secure. In your case you said you wanted the login keychain non-secured, so it means you should manually type and not store it anywhere.
If I totally missed your point, please email us directly so we can discuss in more detail.
Posted by: Dave Teare | October 09, 2008 at 01:11 PM
Should we clean the Mac OS X keychain once we have moved to Agile Keychain? If so, how do we do so?
thanks
fred.
Posted by: lefred | October 09, 2008 at 03:12 PM
@fred: Good point. I had documented this in Using the Agile Keychain, but I forgot to add that section in this post. I'll update it now...
Posted by: Dave Teare | October 09, 2008 at 04:11 PM
How complicated....
Now I've stuffed things up - I upgraded before I exported to the interchange file, and now I cannot Sync with my iPhone ("Sync not allowed"). Can anyone please suggest what I do now....?
Thanks!
Peter
Posted by: Peter B | October 09, 2008 at 11:54 PM
I have switched to the Agile format, but I see that you recommend turning off Mobile Me synchronization of the old keychain. Does this mean disabling the synchronization of keychains in Mobile Me (which I don't want to do), or is there something else to disable?
Posted by: Alan Schmitt | October 10, 2008 at 04:43 AM
I'm very interested in your new format. The one question I have is changes on multiple Macs at once. This is a bit of a story problem, but hopefully I can make it clear.
Can you please confirm the following. In my scenario, I have Mac A and Mac B each with Password 1, Password 2, and Password 3.
On Mac A, I change Password 1 while on Mac B one minute later I change Password 3. Password 2 remains the same on both. One minute after Mac B made its change, sync occurred.
In the Apple keychain scenario, because it's syncing each keychain individually, this would pose no problem.
My question is whether the new 1Password keychain format will support such a scenario. The reason I'm concerned is that it appears to do a full file update and sync. So my scenario would not work because Mac B would overwrite the change on Mac A. Am I making an incorrect assumption? Does the 1Password format actually support individual keychain syncing and not just full-file syncing?
Thanks for the info!
Greg
Posted by: Greg K | October 10, 2008 at 09:23 AM
@Peter: Please open 1Password application and select Sync > Sync with iPhone/iPod touch menu.
Make sure you have "Enable Wi-Fi syncing" checkbox turned on.
Posted by: Roustem Karimov | October 10, 2008 at 10:24 AM
@Alan: It is recommended to turn off MobileMe syncing of the 1Password keychain after you switched to the new format. The MobileMe keychain syncing is done individually for every keychain and there is no need to turn off syncing for other keychains such as "login.keychain".
Posted by: Roustem Karimov | October 10, 2008 at 10:27 AM
@Greg: The new format will work just fine in the scenario you described — changing two different items at the same time will not cause any problems.
Posted by: Roustem Karimov | October 10, 2008 at 10:30 AM
@Greg: As Roustem mentioned the Agile Keychain supports the ability for true syncing between Macs, even when changes are happening on multiple machines at the same time.
The reason this works so well is the new keychain format is NOT a single file; it only looks that way in Finder. In reality, it is a bundle of individual files, one file per item. This allows sync tools (i.e. iDisk, DropBox, etc) to sync individual entries, making merging very easy.
One of the reasons I like DropBox so much is the syncing really is almost instantaneous. Once a change is made, it is replicated to all my other machines in seconds. Because it is so fast, it is very resilient to conflicts.
Posted by: Dave Teare | October 10, 2008 at 10:50 AM
Thanks, Roustem, for the response. Yes, that's the setting that I used before - and now all is working ok. Not sure what I did differently....
Thanks again.
Peter
Posted by: Peter | October 10, 2008 at 11:10 AM
@Dave & @Roustem:
I should have looked at the file more carefully and realized it's a package. I'm also a big fan of dropbox, so it's not a leap for me at all. I switched over and it's truly stunning how well it works.
Now, if we could only get the iPhone to sync the dropbox copy. :)
Nice job!!!
Best regards,
Greg
Posted by: Greg K | October 10, 2008 at 07:14 PM
I must be dense, but when I got to the MobileMe preference pane, I only see "Keychains", and no list of individual keychains.
Where can I configure which keychain is synchronized?
Thanks a lot.
Posted by: Alan Schmitt | October 11, 2008 at 05:23 AM
@Alan
I'm no MobileMe expert, but used it with 1Password for about a year. As far as I know, you sync all or none when it comes to keychains.
After having used Mobile Me syncing for that year and recently switching to storing everything in an agile keychain in dropbox (using that for syncing), I can tell you that's the way to go. I still do Mobile Me keychain syncing for a few other things, but 1Password is now exclusively synced using Dropbox.
Posted by: Greg K | October 11, 2008 at 11:30 AM
@Alan: You're right, in the MobileMe preferences you will only see Keychains, so on **that window** it is an "all or nothing" setting. Luckily there is another window :)
To disable the 1Password keychain from syncing, go to 1Password > Preferences > Keychain and click the "Change Auto-Lock and .Mac Syncing" button. From there you can disable the .Mac syncing (and yes, Apple still calls it .Mac on these windows). That is the easiest way, but just FYI, you can configure all these settings in the Keychain Access application as well.
@Greg: Thanks for the vote of confidence! I'm glad you are liking the DropBox syncing as much as I am :)
Posted by: Dave Teare | October 11, 2008 at 01:38 PM
Thanks, .mac syncing has been driving me crazy.
See you at MacWorld !
Dave - AAUG
Posted by: Dave in AK | October 11, 2008 at 02:41 PM
@Dave I'm very sorry, but in the 1Password > Preferences > Keychain dialog box, I only see the following buttons (omitting unrelated check boxes): "Show in Finder", "Change Location...", "Change Master Password...", and "Switch Back to OS X Keychain Format...". I tried all the other dialogs, and I cannot find anything related to .Mac.
So either I already disabled keychain synchronization without knowing it, or I cannot disable it without going back to the old format.
I launched the Keychain Access application, and could not find where to find these settings. I guess it does not really matter, but since it was suggested to turn it off, I'd rather do it (I depend too much on 1Password: if it goes away, most of my passwords will go away too!)
Posted by: Alan Schmitt | October 11, 2008 at 04:03 PM
@Alan: I see; you already switched to the Agile Keychain, and so that button I mentioned will not be present. It's okay, you can use Keychain Access.
Keychain Access is a utility, so apparently that means it does not need to be intuitive :) First, you need to click the little tiny arrow in the bottom left corner of the Keychain Access window to "Show and Hide the list of Keychains". Once the keychains are shown, it is pretty clear sailing: simply ctrl-click on the 1Password keychain and select "Change settings for keychain '1Password'". That will open a window where you can disable the .Mac syncing of *this* keychain.
HTH
Posted by: Dave Teare | October 11, 2008 at 04:29 PM
This looks great! One feature I'd love is the ability to have the iPhone version of 1Password sync with the agile keychain stored on these services.
Posted by: Joe Cool | October 11, 2008 at 04:42 PM
@Joe: Ask and thou shall receive :) Well, for iDisk anyway. I'm not sure how we would sync over the keychain from DropBox, but we will investigate.
Posted by: Dave Teare | October 11, 2008 at 04:46 PM
@Dave: it does not appear in the list of keychains (I have login, System, and System Roots). But as everything works and synchronizes fine, I just won't worry about it ;-)
Thanks for all the support.
Alan
Posted by: Alan Schmitt | October 12, 2008 at 01:51 PM
@All: Thanks to a post in the forum today I realized that iDisk does indeed treat the Agile Keychain bundle as a single file, making syncing a lot slower and greatly increasing the risk of conflicts. This is very surprising to me and I will be investigating possible workarounds.
I'm sorry for misleading people in the above comments where I adamantly said the Agile Keychain was not a single file. While it is not a single file, iDisk thinks otherwise. I never noticed this in my usage as I primarily use my MacBook Pro so no conflicts arose, and the syncing happens in the background so I never realized how slow changing a single item was. In retrospect I should have put iDisk through the same level of testing DropBox was subjected to.
Posted by: Dave Teare | October 12, 2008 at 05:59 PM
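An added illustration (not part of the original post or comments, and not 1Password's code) of Greg's two-Mac scenario and the replies above: a file-level sync tool merges cleanly when every item is its own file, and hits a conflict when the store is one file or, as described for iDisk, is treated as one. The file names, JSON encoding and sample values are constructed assumptions; the real bundle layout is not described on this page.

```python
import json


def sync(base, mac_a, mac_b):
    """Three-way merge at file granularity, as a file sync tool sees the data.

    Each argument maps file name -> file content. The tool cannot look inside
    a file (real entries are encrypted), so it compares whole files only.
    Returns (merged_files, conflicting_file_names).
    """
    merged, conflicts = {}, []
    for name in sorted(set(base) | set(mac_a) | set(mac_b)):
        original = base.get(name)
        a, b = mac_a.get(name), mac_b.get(name)
        if a == b:            # unchanged, or the same change on both sides
            winner = a
        elif a == original:   # only Mac B touched this file
            winner = b
        elif b == original:   # only Mac A touched this file
            winner = a
        else:                 # both sides rewrote the file differently
            conflicts.append(name)
            winner = a        # one copy wins until the user resolves it
        if winner is not None:
            merged[name] = winner
    return merged, conflicts


def as_single_file(items):
    """Layout 1: the whole store serialized into one file (hypothetical name)."""
    return {"keychain.db": json.dumps(items, sort_keys=True)}


def as_bundle(items):
    """Layout 2: one file per item inside a bundle (hypothetical naming)."""
    return {
        f"{item_id}.item": json.dumps(entry, sort_keys=True)
        for item_id, entry in items.items()
    }


def decode_bundle(files):
    """Read a one-file-per-item layout back into an {item_id: entry} dict."""
    return {
        name[: -len(".item")]: json.loads(content)
        for name, content in files.items()
    }


def run_scenario(layout):
    """Mac A changes Password 1, Mac B changes Password 3, then sync runs."""
    # Constructed sample data.
    base = {
        "password1": {"password": "old-1"},
        "password2": {"password": "old-2"},
        "password3": {"password": "old-3"},
    }
    mac_a = dict(base, password1={"password": "new-1"})
    mac_b = dict(base, password3={"password": "new-3"})
    return sync(layout(base), layout(mac_a), layout(mac_b))


if __name__ == "__main__":
    merged, conflicts = run_scenario(as_bundle)
    print("bundle conflicts:", conflicts)
    print("bundle result:", decode_bundle(merged))

    merged, conflicts = run_scenario(as_single_file)
    print("single-file conflicts:", conflicts)
    print("single-file result:", json.loads(merged["keychain.db"]))
```

In the single-file run, Mac B's change to Password 3 is absent from the surviving copy, which is the overwrite Greg was asking about.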
I had a problem converting to the Agile Keychain, and now I've lost access to my passwords. Sending you a support email with logfiles.
Posted by: Geoff | October 13, 2008 at 05:44 PM