Use 1Password for Web Browsing - Take Control of 1Password (1.2.1) (2014)

Take Control of 1Password (1.2.1) (2014)

Chapter 4. Use 1Password for Web Browsing

A couple of chapters ago, in Learn How Logins Work, you learned how to save credentials for a few Web sites and use 1Password to fill them in. Although you can get lots of mileage out of the simple procedures I explained there, 1Password has lots of other options for working with Web sites. In this chapter I explain when you might need these extra features and how to use them when you do.

Among the things I cover here is generating new passwords, which you’ll probably need to do more often when browsing the Web than in any other situation. I also discuss the way 1Password uses identities (sets of contact details) and credit cards, both of which you’re likely to use regularly while browsing.

Create & Save Logins

The more logins you store in 1Password, the more powerful and handy it becomes. The easiest way to add your existing logins to 1Password is to browse the Web normally, enter your credentials for the sites that you encounter in whatever way you previously did, and then let 1Password’s automatic login saving feature add them one at a time, just as you did earlier in Learn How Logins Work. It’s also possible to add them manually to the main 1Password app (see Edit 1Password Items) or import them from certain other repositories (see Import & Export Data), but in my experience adding them as you go is the path of least resistance.

However, even though saving new logins is mostly self-explanatory, I want to cover a few less-obvious points. Then I’ll tell you how to Generate Random Passwords, which you’ll do when registering for new accounts (which you’ll also want 1Password to save for you).

Save New Logins

First things first: automatic login saving is enabled globally by default, but you can toggle it if the need arises:

· On a Mac, go to 1Password > Preferences > Browser and select or deselect Automatically Ask to Save New Logins. If you want to save logins automatically most of the time but exclude certain domains (for example, when you’re doing testing on a Web site you’re developing), you can add those domain names to the exceptions list.

· On a Windows PC, choose File > Preferences > Logins and select or deselect Ask to Save New Logins in Browsers. (The Windows version doesn’t have an exceptions list.)

If you use multiple vaults (see Work with Multiple Vaults), 1Password’s automatic login saving feature defaults to your primary vault. (Its name appears in the Save Login dialog as a reminder.) To save the credentials to a different vault, click the 1Password icon in the Save Login dialog and choose a different vault from the pop-up menu.

On a Mac, you can also disable automatic login saving for a particular domain on the fly. When you submit a login form and the 1Password Save Login dialog appears (much to your irritation), click the gear icon in the lower left of the dialog and choose Never Autosave for This Site from the pop-up menu. That adds the domain in question to the exceptions list on the Browser preference pane.

Generate Random Passwords

When a site or service asks you to come up with a new password, 1Password is ready to supply one that meets your desired criteria. You can access the password generator in any of the following ways:

· In 1Password mini, hover over Password Generator with your pointer—or select it using the Up or Down arrow keys (if it’s not already selected) and press Return, Enter, or the Right arrow key (Figure 12).

**Figure 12:** The password generator in 1Password mini on a Mac. Notice that the button says Fill if you’re in a Web browser, but Copy (as shown here) if you’re not.

Figure 12: The password generator in 1Password mini on a Mac. Notice that the button says Fill if you’re in a Web browser, but Copy (as shown here) if you’re not.

· In a Windows browser, press Control-\ or click the 1Password icon to display the 1Password window, and then click Generator (in Internet Explorer) or the password generator icon (in other browsers).

· In the main 1Password app, create a new login (choose File > New Item > Login) or any other type of item that contains a password field; you can see a list in Other Data Types. Then, on a Mac, click in the Password field; or, on a PC, click Generate (Figure 13).

**Figure 13:** The password generator in the Windows 1Password app.

Figure 13: The password generator in the Windows 1Password app.

Tip: It’s almost always easier to create new passwords in 1Password mini. Apart from being quicker to display (with Command-Option-\ or a click on the menu bar icon), it doesn’t force you to create an entire login item just to get a password.

If you want more control over your password’s details than just the length, click Password Recipe (in 1Password mini, Figure 14), Show Password Recipe (in the main 1Password app), or Advanced Options (in Windows) to display additional options. (These options are always visible when using the 1Password extension in a Windows browser.)

**Figure 14:** Additional “recipe” controls in 1Password mini on a Mac. Similar options appear in the main 1Password app on the Mac.

Figure 14: Additional “recipe” controls in 1Password mini on a Mac. Similar options appear in the main 1Password app on the Mac.

If you’re happy with the password shown, you’ll do one of the following (depending on the context):

· Fill: In 1Password mini within a Web browser, or in any Windows browser, click Fill to fill it into the password field(s) on the page. You can then enter any other data requested (such as a username or email address) and submit the form. When you do, be sure to click Save in the 1Password Autofill dialog (assuming it is enabled—see Configure Other Mac Preferences) to save a login item that includes your password (and any other data you entered) and the URL.

Filling a generated password saves it to your password history (see Work with Previously Generated Passwords), so even if you don’t use automatic login saving, you can still retrieve your password.

By default, 1Password on a Mac also copies the newly generated password to the Clipboard when you click Fill—just in case you need to paste it anywhere other than 1Password. (In Windows, click the Copy button to copy it.) If you want to avoid putting the password on your Clipboard, click the arrow by the Fill button and choose Copy on Fill from the pop-up menu to deselect it. To copy the password without filling it in, choose Copy from the same pop-up menu.

Tip: If you click Fill and the site complains that your password is too long, contains disallowed characters, or is otherwise unsuitable, change your settings and try again. Each of your attempts will be saved in your password history, so you may later want to delete the earlier password(s) the site didn’t accept.

· Copy: In 1Password mini outside a browser on a Mac, click Copy (which replaces the Fill button) to copy the password to your Clipboard.

By default, 1Password also saves the newly generated password to your password history when you click Copy. If you want to prevent it from doing so, click the arrow next to the Copy button and choose Save on Copy from the pop-up menu to deselect it.

· Save: In the main 1Password app on a Mac, click the Save button (after making any other desired changes to the login item). In the 1Password app on Windows, first click OK to close the Generate Password window; then click OK to save the new login item.

If you want to modify the new password first, you can change any or all of the following before filling, copying, or saving it:

· Length: Move the slider left or right. Passwords can have anywhere from 1 to 50 characters (although 1Password mini currently limits you to 30 characters).

· Pronounceable (Mac only): Select this checkbox (Figure 15) to generate a password consisting of valid English syllables (even if they’re not part of real words) separated by characters of your choice—click one of the radio buttons to choose hyphens, digits, or symbols as separators, or None to run the syllables together. If Use Mixed Case Letters is checked, the password will include both upper- and lowercase letters; if not, it’ll have only lowercase letters.

**Figure 15:** Pronounceable passwords consist of valid English syllables, and present additional options.

Figure 15: Pronounceable passwords consist of valid English syllables, and present additional options.

Pronounceable passwords are easier to remember and easier to type than completely random passwords, but they’re also weaker—so if you choose the pronounceable option, increase the password’s length by several characters to compensate for the lost entropy (see Learn Password Security Basics). If a password will only ever be entered automatically (particularly on a Web site), you gain nothing by making it pronounceable. But this option could be useful for your master password, or for other passwords you have to use in situations where 1Password can’t autofill your credentials.

· Digits: Drag the slider to determine how many digits (from 0 to 10) your password contains. Digits are displayed in blue in 1Password mini on a Mac to help them stand out.

· Symbols: Drag the slider to determine how many punctuation characters (from 0 to 10) your password contains. 1Password only uses common punctuation characters such as ,.;:/?<>()[]{}@!$&=* (which you should be able to type on any keyboard). Symbols are displayed in red in 1Password mini on a Mac.

· Avoid ambiguous characters: Have you ever noticed how 0 (zero) and O (uppercase o) are hard to tell apart in most fonts? Or l (lowercase L), 1 (the digit before 2), and I (uppercase i)? That ambiguity doesn’t matter if 1Password is filling in your passwords for you, but if you might ever need to retype a password manually, you’ll appreciate not having to wonder what’s what. Check this box to make sure the password omits these characters.

· Allow characters to repeat: A random password might have two or more of the same character in a row. If you want to make sure each character differs from the next, uncheck this box.

Every time you change any of these options—selecting or deselecting a checkbox, or moving a slider—1Password generates a new password. At the moment, that’s the only way to generate a new password if you don’t like the one it came up with initially. So, if you want a different password with identical length and other characteristics, select and deselect a checkbox, or move the Length slider a notch and then move it back.

Dealing with Security Questions

When a site asks you to answer one or more security questions, like “What was your mother’s maiden name?” or “What was the name of your first pet?” its goal is often to help you verify that you are who you say you are if you ever forget your password. In theory, it should be easy for you to recall your answers to questions like these, but few other people would know them.

In practice, you might very well forget who your favorite singer was at the moment you filled in some form years ago—and personal information of the sort asked for in security questions is often extremely easy to find online. So, I have a few suggestions for dealing with security questions:

· Lie. Don’t give your mother’s real maiden name; make something up. That will make it much harder for someone to guess. In fact…

· Use a random password as an answer. Why not claim your first pet was YeUL7VgsT9Ca? 1Password can generate such answers for you easily. But…

· Don’t forget your lies! Once you generate a fake or random answer to a security question, be sure to record both the question and the answer in 1Password. You can store these either in your login item’s Notes field or in separate, custom-labeled fields (see Edit Saved Items for more on custom labels).

· Pick good questions. If you’re asked to create your own question, as well as an answer, you can point yourself directly to the answer. For example: “What is the answer to Security Question 2 for this site in 1Password?”

Add Multiple URLs to a Login

Although you should always use a unique password for each account, sometimes you can access a given account from more than one domain name. For example, I might use a single Apple ID to sign in at www.icloud.com as well as at store.apple.com. I could create two completely separate logins in 1Password, but that would mean that if I changed my Apple ID password, I’d have to update it in two places. In general, it makes more sense to have one login item per account (rather than one per site).

On a Mac, you can do this by adding URLs to an existing login:

1. In the main 1Password app, select an item whose credentials apply to multiple domain names.

2. Click the Edit button.

3. In the Website 2 field, type or paste the URL for another domain that uses the same credentials (Figure 16). Repeat if necessary to add more URLs.

**Figure 16:** Enter each additional URL in its own Website field.

Figure 16: Enter each additional URL in its own Website field.

4. Click Save.

The next time you visit any of the sites listed in that item, 1Password will recognize it as using this set of credentials.

1Password for Windows doesn’t yet offer this feature, but you can achieve much the same result in Internet Explorer (only) by using domain matching, which AgileBits explains on this Web page.

Note: There’s no need to add extra URLs for subdomains, such as www.apple.com, store.apple.com, and connect.apple.com, as 1Password recognizes those automatically. See the sidebar How Domains Work (and Don’t) for more details.

Use Multiple Logins for a Single Site

The previous topic was about using a single set of credentials for multiple sites. But you might also need to do the reverse—use multiple sets of credentials on a single site. For example, you may have multiple Gmail accounts or Apple IDs, each for a different purpose. That’s no problem in 1Password.

Once you’ve saved a login for one set of credentials, log out, manually fill in your second set of credentials and log in again. When the 1Password Save Login prompt appears, click Save. 1Password then stores two independent logins that happen to point to the same site. (You can edit their names and other characteristics later; see Edit Saved Items.)

When you next visit that Web site and press Command-\ (Mac) or Control-\ (Windows), instead of filling your credentials automatically, 1Password mini (or, in Windows, the 1Password browser extension) appears, showing a list of all the logins saved with the current domain name.

Use your mouse or the arrow keys (followed by Return or Enter) to select the one you want, and 1Password fills the information in for you.

Should You Turn Off Your Browser’s Password Manager?

1Password is almost certainly more powerful, more flexible, and more secure than the password manager built into your favorite Web browser. So, now that you’re using 1Password, should you turn off the one in your browser? Maybe.

· On the plus side: 1Password lets you choose from multiple sets of credentials for a single site; most built-in password managers don’t. 1Password also verifies that you’re not visiting a fake (phishing) site designed to steal your information. 1Password’s security is probably better than your browser’s, and it lets you sync your data across multiple browsers, across platforms (as opposed to syncing only with other versions of the same browser). And, unlike Apple’s iCloud Keychain, it can store, sync, and fill in your credit cards’ CVV numbers.

· On the minus side: If you let your Web browser continue to autofill passwords, and then also use 1Password’s automatic login saving feature, 1Password can learn your existing passwords as you go, without requiring you to import them or manually enter them. And, if you use Safari on a Mac running Mavericks and on an iOS 7 device (see 1Password & the Apple Keychain, earlier), turning off Safari’s password AutoFill will also stop it from learning new passwords, which would otherwise sync across devices using the iCloud Keychain.

So, if you plan to use Safari on devices that support iCloud Keychain, I think it’s worth leaving Safari’s AutoFill feature on at least until 1Password has picked up the most important passwords you previously had in Keychain, and iCloud Keychain has picked up the most important of your 1Password Web logins.

Otherwise, it’s up to you, but the most secure (and, in the long run, most convenient) path is probably to disable your browser’s built-in password manager and rely solely on 1Password.

Log In

Once you have a login stored in 1Password, you can use it to fill in your credentials automatically—but there are numerous ways to do so, each with its own advantages.

A Word about Autosubmit

Before I list the login methods, I want to take a moment to explain an important option that applies to all of them: autosubmit. Logging in consists of two parts: filling in a form (usually with a username and password) and submitting the form, which is often done by clicking a Log In, Sign In, or Submit button, clicking an icon, or simply pressing Enter or Return. If you like, 1Password can attempt to both fill in and submit your credentials in a single step, rather than force you to manually submit the form. That’s autosubmit—submitting immediately after entering your credentials.

Note: I say 1Password can “attempt” to submit your credentials because it doesn’t always succeed; some Web forms use nonstandard submission methods that 1Password can’t emulate.

Although autosubmit is usually the most convenient approach, you might want to avoid using it in cases where you need to see a site in its logged-out state, or when using a site where 1Password’s form-filling features don’t work. (I talk about some of these compatibility issues later, in Solve Problems.)

You can enable or disable autosubmit globally, and you can override the global setting for any given login item. To change the global setting on a Mac, go to 1Password > Preferences > Browser and select or deselect Automatically Submit Logins after Filling. On a PC, open File > Preferences > Logins and select or deselect Submit Logins Automatically.

To enable or disable autosubmit for a single login item, open the main 1Password app and select the login. Click Edit and then choose one of the following from the Submit pop-up menu:

· Submit When Enabled (Mac)/If Auto-Submit Is On (PC): Autosubmit only if the global Automatically Submit Logins after Filling option (described just previously) is selected.

· Always Submit (Mac)/Always (PC): Autosubmit regardless of the global setting.

· Never Submit (Mac)/Never (PC): Never autosubmit, regardless of the global setting.

After making a change, click Save (Mac) or OK (PC).

Login Options

That explanation out of the way, here are your options for logging in with 1Password:

· Double-click a login item in the main 1Password app (Mac only): Double-click any login item, in any list view, to open that URL in your default browser, fill in your credentials, and (at your option) automatically submit the form.

· Use a menu command in the main 1Password app (Mac only): Select a login item and choose Item > Fill Login in Browser (or press Command-Option-Return).

· Click a URL in the main 1Password app (Mac only): In the main 1Password app on a Mac, select any login item. Then click the URL next to the Website field. 1Password opens the page in your default Web browser and fills in your credentials (with optional autosubmit).

· Use auto-type (Windows only): In the 1Password app, locate and select a login. Click its URL next to Location to open it in your default browser. Make sure the login form (with username and password fields) is visible. Then switch back to 1Password, click the Auto-Type button on the toolbar, make sure your browser window is selected in the Auto-Type pop-up menu, and click OK. 1Password fills in your credentials (with optional autosubmit).

· Use 1Password mini outside your browser (Mac only): Press Command-Option-\ or click the 1Password key icon in the menu bar to display 1Password mini. Search or navigate to the login item you want, and then either click it or, with the item highlighted, press Return or Enter. 1Password opens the page in your default browser and fills in your credentials (with optional autosubmit).

· Use a browser extension: While viewing a login page in your Web browser, press Command-\ (Mac) or Control-\ (Windows). If you have just one login item for that domain, 1Password fills in your credentials (with optional autosubmit). If you have more than one login item for that domain, 1Password mini displays a list; select the credentials you want to use and 1Password logs you in.

Note: As of version 4.4, when you press Command-\ or Command-Option-\, 1Password mini always appears on your primary display on a Mac running OS X 10.8 Mountain Lion or earlier, regardless of where your browser window is. So, if you have more than one display connected to your Mac and your browser window is not on your primary display, the 1Password mini window may appear in an unexpected and hard-to-find place. There is reason to hope this bug will be fixed in a future release.

· Use a 1Click Bookmark: A 1Click bookmark is like any other browser bookmark, except that it contains a unique identifier code that points to a specific 1Password login item. If you select such a bookmark in your favorite browser, that code tells the browser extension to ask 1Password for the credentials you stored for this site (after prompting you for your master password, if 1Password is locked) and then fill them in (with optional autosubmit, natch). That way, if you normally open Web sites using browser bookmarks, you can keep doing so, with the added benefit that 1Password will automatically fill in your credentials if needed, with no further effort from you.

To create a 1Click bookmark, make sure the main 1Password app and your browser are both visible on your screen. In 1Password, locate a login item you want to turn into a bookmark and drag that login item to your browser’s bookmark bar. Once it’s there, you can either click it to log in, or move it to another location using your browser’s bookmark management tools.

Note: Earlier versions of 1Password used the term “Go & Fill” for any method of logging in that opened a URL, filled in your credentials, and submitted the form automatically. 1Password 4 no longer uses that term, although the functionality is still there.

How Domains Work (and Don’t)

When you click a button or press a keystroke to show 1Password in your browser, it looks for saved logins that match the current page. It doesn’t require a perfect match, only something whose base domain name (such as apple.com) matches. For example, if you save a login for something.apple.com and later visit apple.com/lots/of/other/stuff, the login will still work.

However, 1Password version 4.2 and up (currently Mac-only) are now smarter about matching exact subdomains. Suppose a company requires a different set of credentials for site1.domain.com and site2.domain.com. Every time you enter your credentials on a new subdomain, 1Password prompts you to save a separate login, and if you do, then on future visits it will match that specific subdomain.

For example, if you have exactly one login item with a Web site whose subdomain (e.g., site1.domain.com) exactly matches the one you’re visiting, pressing Command-\ now fills in your credentials for that login rather than displaying a list of all logins matching the base domain, as 1Password did previously. (If you prefer the old behavior, check Lenient URL Matching in 1Password > Preferences > Browser.)

On the other hand, if there isn’t an exact subdomain match, 1Password still displays a list of logins. So, if you’ve saved logins for site1.domain.com and site2.domain.com and you later visit domain.com (for which you didn’t save a separate login), when you press Command-\, 1Password displays a list of all the logins in the domain.com domain so you can pick the one you want.

Zero-click Autosubmit

1Password’s autosubmit feature automatically submits your credentials after filling them in, assuming you have that capability enabled for the app as a whole and for a particular login. But I’d like 1Password to go a step further.

One of the features on my wish list for a future version of 1Password (and only time will tell if it ever happens) is what I’ll call “zero-click autosubmit.” What that means to me is that if I manually go to a Web site for which I have an account (for example, by typing its name in my browser or following a link from another site), then as soon as the login form loads, 1Password would fill it in and submit the form without my having to click any buttons or press any keys at all. A shortcut like Command-\ is better than typing a password, but not pressing any keys at all would be better still!

1Password can already fill in credentials and autosubmit forms if you click a login in 1Password mini or in the main 1Password app, or if you use 1Click bookmarks. So if you long for zero-click autosubmit, as I do, those are two ways to get it sometimes. But neither of those helps if you’ve already reached the page by other means.

Zero-click autosubmit could be problematic for sites where you have multiple sets of credentials—1Password might choose the wrong one—and there are some sites you may want to visit in a “logged out” state, so you wouldn’t want to get in a loop of being logged in against your will. But other password managers have solved these problems, and I hope 1Password does too.

Deal with Multistep Logins

An increasing number of sites—especially sites for banks and other institutions that handle highly sensitive data—no longer offer a single page with username and password fields. Instead, they spread out logins over two or more consecutive pages. For example, fill in your username on the first page and click Submit; fill in your password on the second page and click Submit again; and then answer a randomly selected security question on the third page and click Submit one last time. Only then can you access your account.

These sites will tell you that they’ve made such changes to make it harder for automated attacks to break into their users’ accounts. Unfortunately, multistep logins of this sort also make it harder to use password managers such as 1Password, thereby making it harder for legitimate users to access their own accounts!

Although 1Password can’t help you with every tricky security feature out there (see Sites That Thwart Password Managers for other examples), there are two techniques that can help with a fair number of multistep logins.

Use a Different Login for Each Step

One option is to create a different login item (and in some cases several) for each step—that is, for each page that appears during the login process. For example, say Acme Bank displays a page with just a username field. Go ahead and enter your username, let 1Password automatically save it, and label it “Acme 1” or “Acme Username.” Do the same thing with whatever appears on the next page—call that login “Acme 2” or “Acme Password” or whatever. Repeat until you run out of pages. Then, when it’s time to log in again, press Command-\ or Control-\ on each page and choose the correct step from the list that appears.

A variation on this technique is needed for sites that ask a randomly selected security question during the login process. For example, one of my banks asked me to select, and provide answers for, five different security questions, one of which it displays each time I log in. So I can’t have a single login item for “Bank Security Question.” Instead, for that step, I can create five different logins, like “Bank Mascot” and “Bank Singer,” and select the appropriate login when I get to a page that asks for my high school mascot or my favorite musician.

You can find a more detailed description of this technique on the AgileBits Web site.

Tip: Refer back to the sidebar Dealing with Security Questions for further tips on answering such questions and storing your responses in 1Password.

Use a Combination Login

If you already have a single login that contains your username and password for a site, and the site later splits the login into two pages (one for each piece of information), your existing login may continue to work. Simply press Command-\ or Control-\ on each page in turn; as long as the field names still match, the correct information will be filled in. (1Password ignores any missing fields.)

Even if this technique doesn’t work, if you are of a suitably geeky disposition, you may be able to combine multiple logins (one per page, as described in the previous technique) into a single login, as long as there’s only one option per field. (So, multiple possible answers to a security question would rule this out.) You’ll have to examine the Web form details for each login (described in Edit Saved Items, later), figure out which field name is being used for which type of data, and then copy/paste/relabel fields as necessary. I can’t guarantee success, so it would be useless to spell out the exact details (which vary from one site to the next ), but it has occasionally worked for me, and if you enjoy tinkering, it may be worth a try.

Sites That Thwart Password Managers

I’m sorry to say there are many Web sites that—thanks to measures intended to prevent automated attacks or improve security for the unenlightened masses without good password strategies—make life more difficult for us evolved beings who have excellent passwords stored in equally excellent password managers such as 1Password. The most common offenders are banks and other financial institutions. Here are some problems you might encounter:

· Autocomplete prohibitions: If a site uses any of various tricks to prevent passwords from being filled in automatically, 1Password’s autofill feature might fail. In rare (and highly annoying) cases, even copying and pasting is disallowed, and you’re forced to type passwords one character at a time.

· Grids: Some sites have ordinary fill-in fields for your account number or username, but then display a grid on which you must laboriously click out a numeric password. (Still others reverse this, letting you enter a password normally but making you click a series of numbers to enter your account number.) Because the positions of the numbers are different each time the page is loaded, there’s no way for an automated cracking system—or 1Password—to know how to click the right sequence; you must always do it manually.

· Specific password characters: I’ve heard of sites that ask you to type specific characters from your password—such as the third, sixth, and ninth character—with the characters requested changing each time you use the site. 1Password has no way to deal with such requests.

If you encounter a problematic site, please report it to AgileBits—they might be able to find a workaround—and complain to the site owner that the prohibition decreases everyone’s security by encouraging the use of simpler, weaker passwords.

Fill Web Forms Using Identities

So far, I’ve talked mainly about usernames and passwords as the two pieces of information you’re most likely to fill in on Web forms. But whenever you buy something online (and in numerous other situations), you’re also asked to supply contact information such as your name, address, phone number, and email address. 1Password can help with that, too, thanks to a category called identities. Like logins, identities can be filled in on any Web page with a click or keystroke. Unlike logins, they consist of personal contact details—as much or as little as you want to include.

To create a new identity, choose File > New Item > Identity in the main 1Password app.

1Password displays a form (Figure 17) that looks much like any contact manager, with fields for all the usual details, including birth date, occupation, Skype and instant messaging IDs, and so on; if you want to include some piece of information that’s not already there, you can type it into any empty field marked “new field” and fill in a label of your choosing. Click Save (Mac) or OK (PC), and you’re done. You can repeat the process to create as many identities as you need.

**Figure 17:** A portion of 1Password’s Identity form. Below what’s shown here are fields for Internet details (email, Skype, IM, etc.).

Figure 17: A portion of 1Password’s Identity form. Below what’s shown here are fields for Internet details (email, Skype, IM, etc.).

When it comes time to fill in an identity—for example, you’re on the Billing and Shipping Info page of an online retailer—press Command-\ or click the 1Password key icon, navigate to the identity with your arrow keys or mouse, and click it or press Return. 1Password makes its best guess as to which pieces of information should go in which field; they may not always match up perfectly depending on how the form was constructed.

How many identities should you create? And what information should you include in, or exclude from, each one? That’s entirely up to you, but I suggest one identity for each mailing or billing address that you use. If you maintain an alter ego online for any reason, that fake persona should also get its own identity with whatever information (email address, URL, etc.) you normally provide.

In any case, for a given identity, include only the information you’re likely to fill in on a Web form. For example, if you’d never reveal your birthday, don’t put that in an identity.

To more easily distinguish identities, you can add a custom icon—perhaps a picture of you with a baseball cap for “home” and with a tie for “work.” Make sure the identity is in edit mode and drag a graphic to the name badge icon.

Shop Online Securely

By now, you’ve noticed the pattern: 1Password stores various bits of information and then, when you press a keyboard shortcut or click a button, fills that information into matching fields in a Web form. And just as that works for usernames, passwords, and contact details, it also works for credit card information, making it easier and safer to shop online.

Saving and entering credit card information follows exactly the same steps as login items and identities. I’m sure you can do this in your sleep by now: In the main 1Password app, choose File > New Item > Credit Card, enter any relevant details, and click Save (Mac) or OK (Windows). Repeat for as many cards as you like. Later, when you’re looking at a Web page with fields for credit card info, press Command-Option-\ or click the 1Password key icon in your menu bar to display 1Password mini (on a Mac) or click the key icon to display the browser extension (on a PC), navigate to the credit card you want to fill in and click it (or select its name in the menu with the arrow keys and press Return or Enter). 1Password fills in your information.

Although all of the above is reasonably obvious if you’ve been using 1Password already to set up logins, there are a few additional facts about credit cards in 1Password that aren’t so obvious, and that you’ll want to be aware of:

· In addition to filling in your credit card number, 1Password can usually fill in the card type, the expiration date (even if the billing page uses pop-up menus instead of conventional fields), the three-digit CVV (or “verification”) number from the back of your card, and the cardholder’s name, assuming you included all that information in the credit card item.

· Some Web sites design their payment pages in such a way that 1Password can’t access some or all of the fields. If you should encounter such a page, please report it to AgileBits (choose Help > Contact Us on a Mac; on Windows, email the report to support-windows@agilebits.com). If technologically feasible—and, unfortunately, it isn’t always—AgileBits will attempt to support the site in a future update.

· The back of your credit card probably has a phone number for reporting lost or stolen cards (sometimes two—for example, a toll-free number for within North America and a local number for people calling internationally). If your credit card is lost or stolen, however, you might have a hard time finding that number! So, take a moment to put it in 1Password, where you can find it easily in the event of a problem.

· You might find it helpful to scan or photograph both sides of your card and store those images as attachments to your credit card item. Besides giving you another way to access the information printed on the card, that’ll make it easier if a vendor ever asks you to email, fax, or mail a copy of your physical card for verification purposes. (I encounter that situation about once a year.)