One password to rule them all: Migrating to 1Password from KeePass and text files


I can’t quite remember when I started using a password manager, or which password manager it was at the time. As an IT Pro I’ve used everything from text files stored on Windows Desktop to encrypted Excel files to post-it notes to reusing the same password (“R3member1”, “R3m3mber2”..) to forgetting my password and resetting it. Repeatedly.

I left Microsoft exactly 10 years ago, and we started our own company with my brother. I had amassed a formidable collection of passwords. Many systems at the time did not support Facebook authentication or Azure AD single sign-on so I had individual accounts for many systems. That’s when I started using KeePass.

I’d dabbled with KeePass several times and while it was slightly rough around the edges I somehow stuck to it. For about 10 years. KeePass is free, as in you can voluntarily make a donation to keep the development efforts going.


My KeePass setup

Over the years I’d become pretty good at managing and using KeePass for my needs. I had nearly 1,000 identities or other secrets stored in a single database. It was encrypted with something that sounds pretty secure, ChaCha20. I was able to access my passwords securely from my mobile devices (Android and iOS) and everything was in sync. And the best part is it didn’t cost me anything! Except the occasional, yearly donation I felt obligated to make for such a nice piece of software.

I configured the default global shortcut (CTRL-ALT-K) for making KeePass available in any context on my laptop and workstation, and with CTRL-C and CTRL-V I could easily copy and paste secrets between apps.

KeePass is very rudimentary, in that it lacks many modern capabilities. Windows Hello was one of the things I missed, as almost everything else I have supports Windows Hello-based authentication. Browser support was poor at best and I could never get it to work reliably so I just gave up and used the rich client.

Another painful aspect with KeePass is sharing of secrets and databases. Every family has a collection of secrets they need to mutually know and share — from children’s Xbox accounts to summer cabin electronic lock pin codes to car stereo access codes. As the database is stored locally it quickly becomes a burden to manage this sharing somehow securely and confidentially. I relented on this and simply created another database – which I then had to replicate with my main database.

Moving to 1Password

I’d seen 1Password being widely used but I disliked the subscription model. During Christmas break last year I figured I’d test it once again. There was much that I liked, which I didn’t know was part of the subscription:

  • Windows Hello support, as well as Apple’s Face ID support on iPhone
  • Global shortcut
  • Family plan for sharing secrets with family members
  • Browser support that (mostly) works

I kept using KeePass while trying out 1Password. I initially copied just a few secrets and used both apps at the same time, which wasn’t a problem. Not everything was perfect, but I felt I got so much more. The family plan was very affordable, and I felt I’d have paid the same for KeePass if it provided better synchronization and Windows Hello support.

Migrating to 1Password, on the other hand, was a painful experience. Searching for guidance from 1Password on migrating from KeePass yielded nothing.

I found a thread on this from the 1Password support forum (somehow search doesn’t include this content). A team member suggests using a test version of a converter utility, that supposedly then imports KeePass entries to 1Password. That link returns a 404 today.

I found a few other utilities that seemed very shady, so I aimed to resolve this by myself without the help of external tools. Turns out, it’s both easy and very dissatisfying at the same time. A bit like my cooking.

First, I exported all my secrets from KeePass to a .CSV file. The universal file format for integrations. I performed this in a virtual machine that was not connected to the Internet. Just to be safe, as the .CSV file had all my secrets in plaintext! I took this extra precaution in case I forgot to remove the file after the migration was complete.

The necessary .CSV formatting and fields are documented here.

Armed with this .CSV I imported it through 1Password’s web interface. I also made sure HTTPS was enabled and the certificate was valid. For this I had to connect my virtual machine to a trusted network for the duration of the import. In case you’re wondering I forcefully removed the .CSV and destroyed the VM in the end 🙂

I made coffee from freshly ground beans and felt pretty good about myself. I had, once again, succeeded in a .CSV-powered integration!

Unfortunately — there’s always something, isn’t there? — not all was well. The resulting import caused all my secrets to be visible within 1Password in plain text! The importer chose the fields incorrectly or perhaps my .CSV was not crafted correctly, as the username field contained the password, and the website field contained the username. And the real password field contained the website.

I thought about re-working the .CSV again but I felt I had already stored so much data with 1Password it was time to simply clean them up. I spent about two hours trawling through all my secrets and was able to reduce them down to about 500 in total. The remainder I had to perform a quick copy-paste operation.
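A mix-up like the one described above is what a positional import produces when the export's column order differs from the order the importer reads. As an added example (not from the original post, and not KeePass or 1Password code), this Python script maps columns by header name and flags records whose fields look shifted; the KeePass header names, the target column order and the backslash quote escaping are assumptions to check against your own export and the importer's documentation.

```python
import csv
import io

# Assumed KeePass CSV export headers mapped to target fields (assumption, not from the post).
KEEPASS_TO_TARGET = {
    "Account": "title",
    "Web Site": "website",
    "Login Name": "username",
    "Password": "password",
    "Comments": "notes",
}
# Assumed positional order the importer reads (assumption; confirm in the import docs).
TARGET_ORDER = ["title", "website", "username", "password", "notes"]

# Constructed sample export; the second record has its columns shifted on purpose.
SAMPLE = (
    '"Account","Login Name","Password","Web Site","Comments"\n'
    '"Partner portal","jdoe","constructed\\"pw-1","https://example.com","a, b"\n'
    '"Shifted","constructed-pw-2","https://example.org","jdoe",""\n'
)


def remap(export_text):
    """Map columns by header name, never by position. Returns (rows, warnings)."""
    # Assumption: the export escapes quotes as \" instead of doubling them.
    reader = csv.DictReader(io.StringIO(export_text), escapechar="\\", doublequote=False)
    missing = set(KEEPASS_TO_TARGET) - set(reader.fieldnames or [])
    if missing:
        raise ValueError(f"export lacks expected columns: {sorted(missing)}")
    rows, warnings = [], []
    for record_no, rec in enumerate(reader, start=1):
        row = {dst: rec[src] or "" for src, dst in KEEPASS_TO_TARGET.items()}
        # Shape checks report the record number only, never the secret itself.
        if row["password"].lower().startswith(("http://", "https://")):
            warnings.append((record_no, "password looks like a URL"))
        if row["website"] and "." not in row["website"]:
            warnings.append((record_no, "website does not look like a URL"))
        rows.append([row[col] for col in TARGET_ORDER])
    return rows, warnings


def to_csv(rows):
    """Serialise remapped rows with every field quoted, ready for import."""
    out = io.StringIO()
    csv.writer(out, quoting=csv.QUOTE_ALL, lineterminator="\n").writerows(rows)
    return out.getvalue()
```

Run it inside the same offline VM as the export, and review the warnings before importing anything.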

1Password provides a command-line tool, that I found out about when I was mostly done with my copy-paste operations. I did try it but it fails with a very cryptic error message despite all details being correctly entered. That’s a problem to resolve during the next Christmas break, I think.

Things I (still) dislike about 1Password

Not everything is rosy with 1Password. Generally, it works like a dream — it’s fast, secure, and very affordable. The family plan is great, and I finally get to store certain secrets that my family regularly need.

There are plenty of things, still, that I dislike. If I had one wish for 1Password it would be several fixes for the Windows client. Especially for user experience. Generally accepted and adopted shortcuts do not work — such as CTRL-E for search or ALT-D for “put the focus there.” Upon searching for secrets, it automatically always selects the first one and reveals everything — but I needed to select the other one from the list!

These tiny frustrations are in your face every hour of the day, and I now realize how fluent KeePass was to keep itself out of your way.

The other major blocker is mobile device integration for browsers. 1Password allows you to pick up a secret but it won’t allow you to search for any secrets while performing authentication in the browser. If I navigate to https://partners.microsoft.com, I get to view any identities mapped to this exact location – but if the identity is mapped to https://extranet.microsoft.com I cannot use it without a lot of manual copy-pasting. I wish the UI was more flexible and fluid in scenarios like this.

In summary

I’ve now used 1Password as my only password and secrets manager for a little over a month. I still have KeePass and my old database somewhere but evidently it is so out of sync it would take a lot of effort to go back again.

I also spent a long afternoon removing old identities from services I never use. Surprisingly many services provide a red button for deleting accounts and data, but many do not. Out of the 1,000+ secrets I think I was able to remove at least 100 just by logging in to a web site and asking for my account to be deleted.

1Password is not without its flaws. Some, like the mobile experience, are very frustrating while others are tiny issues that might be fixed some day.

For the price of one proper cappuccino cup I get to use 1Password with my family for a month, and I’m happy to support such a service.