The switch was a long time coming. I’m going to be honest here: 1Password has a lot going for it. You can integrate MFA, SSH and GPG keys, it integrates with HIBP, it syncs across all of your devices, it has a fantastic UX, it is well certified security-wise, and for what it does it is pretty good.

However, it costs money (even for private use), and I want to reduce my footprint with US-based cloud services. I know this might sound a bit ironic given this site’s hosting provider, but I digress.

Good reasons to switch

Now that I’ve listed the good reasons to stay on 1Password, which already seems weird in an article about switching away from it, let’s bring up a few things that in my opinion heylogin does a bit better.

  • Only device-based authentication (no master password to remember, and therefore none to phish, leak or brute-force: an attacker needs your physical phone and its unlock)
  • Free for personal use (1Password charges for everything; heylogin’s private plan is free with unlimited passwords)
  • German company, German servers (heylogin GmbH is based in Braunschweig, all data is hosted in Germany)
  • ISO 27001:2022 certified and fully GDPR compliant, with exclusively European sub-processors
  • Built-in TOTP handling, so your 2FA codes are filled automatically alongside your passwords

The device-based authentication part is worth expanding on. Instead of a master password, your smartphone’s secure element holds the encryption keys. You unlock with biometrics or a PIN, the vault entry is decrypted on the phone, the credentials are filled, and the decrypted material is discarded. 2FA is therefore not an optional add-on but part of the encryption design itself: without the phone there is no key. Even if someone compromises the server, they get nothing useful, because the server only ever stores ciphertext it cannot decrypt. The flip side is that the trust boundary moves to your phone and your browser: malware that can read the credential at fill time on either end is unaffected by this design, and you should check how recovery works before your phone is lost or broken, since the key lives nowhere else.
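To make that security claim concrete, here is an added example of the model in miniature. It is my code, not heylogin’s, and the post does not describe heylogin’s actual protocol: a Device type stands in for the phone’s secure element and is the only holder of the vault key, a Server type stores nothing but AES-GCM ciphertext, and an attacker holding the server’s copy gets only a failed tag check. The local PIN check, the site name as authenticated data, and the “lock again after each fill” step are simplifying assumptions of this illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// Device stands in for the phone's secure element in this model: vaultKey is
// generated here and never returned to a caller. (Assumption: a real secure
// element also rate-limits PIN guesses; this model only compares in constant time.)
type Device struct {
	vaultKey []byte
	pinSalt  []byte
	pinHash  []byte
	unlocked bool
}

// Server holds what a zero-knowledge backend sees: per site, nonce||ciphertext.
type Server struct {
	blobs map[string][]byte
}

func pinDigest(salt []byte, pin string) []byte {
	h := sha256.New()
	h.Write(salt)
	h.Write([]byte(pin))
	return h.Sum(nil)
}

func NewDevice(pin string) (*Device, error) {
	key, salt := make([]byte, 32), make([]byte, 16)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	if _, err := rand.Read(salt); err != nil {
		return nil, err
	}
	return &Device{vaultKey: key, pinSalt: salt, pinHash: pinDigest(salt, pin)}, nil
}

// Unlock is the biometric/PIN step. The PIN is checked on the device only;
// nothing about it ever reaches the Server.
func (d *Device) Unlock(pin string) bool {
	d.unlocked = subtle.ConstantTimeCompare(pinDigest(d.pinSalt, pin), d.pinHash) == 1
	return d.unlocked
}

func (d *Device) Lock() { d.unlocked = false }

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// openBlob decrypts nonce||ciphertext with the site name as authenticated data,
// so a blob copied into another site's slot fails the GCM tag check.
func openBlob(key, blob []byte, site string) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	n := aead.NonceSize()
	if len(blob) < n {
		return nil, errors.New("blob too short")
	}
	return aead.Open(nil, blob[:n], blob[n:], []byte(site))
}

// Store encrypts a credential on the device and hands the server only the result.
func (d *Device) Store(s *Server, site string, credential []byte) error {
	if !d.unlocked {
		return errors.New("device locked")
	}
	aead, err := newAEAD(d.vaultKey)
	if err != nil {
		return err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	s.blobs[site] = append(nonce, aead.Seal(nil, nonce, credential, []byte(site))...)
	return nil
}

// Fill is the autofill step: decrypt one site's entry on the device, return the
// plaintext to the browser side, then lock again so nothing usable lingers.
func (d *Device) Fill(s *Server, site string) ([]byte, error) {
	if !d.unlocked {
		return nil, errors.New("device locked: unlock with PIN or biometrics first")
	}
	defer d.Lock()
	blob, ok := s.blobs[site]
	if !ok {
		return nil, errors.New("no credential stored for " + site)
	}
	return openBlob(d.vaultKey, blob, site)
}

// AttackerDecrypt is all a server compromise buys: the blob, but no key, so
// every guessed key fails authentication.
func AttackerDecrypt(blob, guessedKey []byte, site string) ([]byte, error) {
	return openBlob(guessedKey, blob, site)
}

func main() {
	dev, _ := NewDevice("1234")
	srv := &Server{blobs: map[string][]byte{}}
	dev.Unlock("1234")
	_ = dev.Store(srv, "example.org", []byte("alice:correct horse battery staple"))
	cred, err := dev.Fill(srv, "example.org")
	fmt.Printf("fill on device: %q (err=%v)\n", cred, err)
	_, err = AttackerDecrypt(srv.blobs["example.org"], make([]byte, 32), "example.org")
	fmt.Printf("attacker with the server's copy only: %v\n", err)
}
```

The property to notice is what the server never sees: the key, the PIN, or any plaintext. What the model does not protect against is equally visible in Fill, which returns plaintext to whatever called it.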

Completely vain reasons to switch

Yes, I also do this switch for virtual internet appreciation points. During the most festive activity of last year’s Christmas season for me (39c3), one of my favourite German comic book authors (Marc-Uwe Kling) presented the Digital Independence Day, and I felt a bit sad, because, I’ll be honest with you, most of the recommendations were old news to me. This was one of the dwindling number of things I still had tied up in the US, so I thought it might get some attention.

The migration

I was expecting the migration to be painful. It was not. heylogin supports direct import from 1Password (as well as Bitwarden, LastPass, Dashlane, or plain CSV). I exported my vault from 1Password, imported it into heylogin, and it auto-detected duplicates. The whole process took maybe 15 minutes. Keep in mind that the export is a plaintext file containing every password you own, so do this on a machine you trust and delete the file once the import is done.

The browser extension is available for Chrome, Firefox, Safari and Edge. On mobile there are apps for both iOS and Android. There is no standalone desktop app, which is a departure from 1Password, but honestly I never used the desktop app much anyway. The browser extension does the heavy lifting.

What I miss

I’m not going to pretend everything is better. There are a few things I miss from 1Password:

  • SSH key management was nicely integrated in 1Password; heylogin does not do this
  • The desktop app, which some people might rely on more than I did
  • Watchtower / HIBP integration for checking compromised credentials; heylogin does not have this (yet)
  • Non-web entries like secure notes, API keys, software licences or identity documents are not supported

That last point is worth calling out. heylogin focuses purely on web logins, which it does very well, but it means a chunk of the entries from your 1Password export simply has nowhere to go. For those I recommend a local password manager: pass for Unix (for the CLI lover), any flavour of KeePass if you prefer a GUI, or honestly just writing them down old-school. Physical backups are cool as well.
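Since the export has to be split anyway, here is an added example (my code, not heylogin’s or 1Password’s) that sorts a 1Password CSV export into the entries heylogin can take (anything with a URL) and the rest that belongs in pass or KeePass, and counts how many web logins carry a TOTP secret. The column layout in the embedded sample is what I assume 1Password 8 writes; compare it against the header row of your own export before trusting the split. The sample rows are constructed.

```go
package main

import (
	"encoding/csv"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// Entry is one export row, keyed by lower-cased header name.
type Entry map[string]string

// Split is the result: Web goes to heylogin, Local stays in pass/KeePass.
type Split struct {
	Web   []Entry
	Local []Entry
	TOTP  int // web logins with an otpauth:// secret, which heylogin fills as well
}

// sampleExport is constructed test data in the column layout 1Password 8 uses
// for CSV export (assumption: check the header row of your own export).
const sampleExport = `Title,Url,Username,Password,OTPAuth,Favorite,Archived,Tags,Notes
GitHub,https://github.com,alice,correct-horse,otpauth://totp/GitHub:alice?secret=JBSWY3DPEHPK3PXP,,,dev,
Bank,bank.example,alice,battery-staple,,,,finance,
Wifi at home,,,,,,,home,"SSID: home, PSK: staple-horse"
Licence key,,,,,,,software,"XXXX-YYYY constructed licence string"
`

func colKey(h string) string { return strings.ToLower(strings.TrimSpace(h)) }

func ParseExport(data string) (header []string, entries []Entry, err error) {
	rows, err := csv.NewReader(strings.NewReader(data)).ReadAll()
	if err != nil {
		return nil, nil, err
	}
	if len(rows) == 0 {
		return nil, nil, errors.New("empty export")
	}
	header = rows[0]
	for _, row := range rows[1:] {
		e := Entry{}
		for i, h := range header {
			if i < len(row) {
				e[colKey(h)] = row[i]
			}
		}
		entries = append(entries, e)
	}
	return header, entries, nil
}

// isWebLogin: anything with a parseable host in the URL column. Notes, keys,
// licences and documents have an empty URL and no place in heylogin.
func isWebLogin(e Entry) bool {
	raw := strings.TrimSpace(e["url"])
	if raw == "" {
		return false
	}
	if !strings.Contains(raw, "://") {
		raw = "https://" + raw // bare hostnames are common in older items
	}
	u, err := url.Parse(raw)
	return err == nil && u.Hostname() != ""
}

func SplitExport(data string) (Split, error) {
	var s Split
	_, entries, err := ParseExport(data)
	if err != nil {
		return s, err
	}
	for _, e := range entries {
		if !isWebLogin(e) {
			s.Local = append(s.Local, e)
			continue
		}
		s.Web = append(s.Web, e)
		if strings.HasPrefix(strings.ToLower(e["otpauth"]), "otpauth://") {
			s.TOTP++
		}
	}
	return s, nil
}

// ToCSV writes a bucket back out under the original header. Both outputs are
// plaintext secrets: keep them on encrypted storage and delete them after import.
func ToCSV(header []string, entries []Entry) (string, error) {
	var sb strings.Builder
	w := csv.NewWriter(&sb)
	w.Write(header)
	for _, e := range entries {
		row := make([]string, len(header))
		for i, h := range header {
			row[i] = e[colKey(h)]
		}
		w.Write(row)
	}
	w.Flush()
	return sb.String(), w.Error()
}

func main() {
	s, err := SplitExport(sampleExport)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%d web logins (%d with TOTP) for heylogin, %d entries to keep locally\n",
		len(s.Web), s.TOTP, len(s.Local))
}
```

Write the Web bucket to a file for heylogin’s importer and walk through the Local bucket by hand; the second list is usually short enough that re-entering it into pass or KeePass is quicker than scripting that side too.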

None of these were dealbreakers for me. SSH keys I manage separately anyway (and many people argue SSH keys should never leave the device they were generated on), and for HIBP I have the free email alerts set up, so I get notified automatically if any of my accounts show up in a breach. Note that those alerts only cover your email addresses appearing in breach data; Watchtower also checked the passwords themselves against Pwned Passwords, and that check is now on you.
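For the password side of what Watchtower used to do, here is an added example (my code, not part of the post, 1Password or heylogin) of the Pwned Passwords k-anonymity lookup: only the first five hex characters of the password’s SHA-1 are sent, the service returns every suffix in that bucket, and the match happens locally. The embedded range response is constructed (the counts are made up); CheckOnline does the real request and is not exercised by the offline sample.

```go
package main

import (
	"bufio"
	"crypto/sha1"
	"encoding/hex"
	"fmt"
	"io"
	"net/http"
	"strconv"
	"strings"
)

// sampleRange is a constructed stand-in for the API's answer to /range/5BAA6:
// one "SUFFIX:COUNT" line per hash in that bucket. The counts are made up, and
// the last line mimics a padding entry (count 0) as returned with Add-Padding.
const sampleRange = `003D68EB55068C33ACE09247EE4C639306B:3
1E4C9B93F3F0682250B6CF8331B7EE68FD8:9545824
1F9B42DB8D2B3B9F1C5B0B2A8B0B6E4D8C1:0
`

// HashParts returns the 5-hex-char prefix that is sent to the API and the
// 35-char suffix that stays on this machine.
func HashParts(password string) (prefix, suffix string) {
	sum := sha1.Sum([]byte(password))
	h := strings.ToUpper(hex.EncodeToString(sum[:]))
	return h[:5], h[5:]
}

// CountInRange scans a range response for our suffix and returns its count.
// 0 means not found, or a padding line, which the API emits with count 0.
func CountInRange(suffix string, body io.Reader) (int, error) {
	sc := bufio.NewScanner(body)
	for sc.Scan() {
		parts := strings.SplitN(strings.TrimSpace(sc.Text()), ":", 2)
		if len(parts) != 2 {
			continue
		}
		if strings.EqualFold(parts[0], suffix) {
			return strconv.Atoi(strings.TrimSpace(parts[1]))
		}
	}
	return 0, sc.Err()
}

// CheckOnline does the real lookup. Only the prefix leaves the machine, so the
// service cannot tell which of the few hundred suffixes in the bucket you hold.
func CheckOnline(password string) (int, error) {
	prefix, suffix := HashParts(password)
	req, err := http.NewRequest(http.MethodGet, "https://api.pwnedpasswords.com/range/"+prefix, nil)
	if err != nil {
		return 0, err
	}
	req.Header.Set("Add-Padding", "true") // hides the bucket size from a network observer
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return 0, fmt.Errorf("pwnedpasswords: unexpected status %s", resp.Status)
	}
	return CountInRange(suffix, resp.Body)
}

func main() {
	_, suffix := HashParts("password")
	n, err := CountInRange(suffix, strings.NewReader(sampleRange))
	fmt.Printf("\"password\" seen %d times in the constructed sample (err=%v)\n", n, err)
}
```

Run it over the Password column of your export before the import rather than after, while the data is still in one place; anything with a non-zero count gets rotated first.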

Verdict

If you are looking for a password manager that respects your privacy, is based in Europe, costs you nothing for personal use and takes a fundamentally different (and arguably more secure) approach to authentication, heylogin is worth a serious look.

For me the combination of zero-knowledge encryption, device based auth and European data sovereignty was enough to make the switch. Your mileage may vary, but I’m happy with it.

Cheers.