Is this article accurate? 1Password has the capability to decrypt and grant access to people's passwords without needing any encryption key, but simply with a "recovery code"? Or am I missing something here? That sounds like a potential backdoor or at least a security flaw, not a feature to advertise. Something has to be missing in this story.

Recovery key user also has to click/tap through a verification email to be let in. So someone would need both the recovery key and access to your email account.
 
I don't understand why anybody would pay for a password manager when Keychain is built into macOS, and KeePassXC is free.

Makes zero sense.
Other products let you store additional info such as photos, text files, PDFs, etc.

In any case, I'm hoping the "notes" feature in Password will let me deal with such things since I've avoided the subscription on 1PW (loved single purchase).

No matter what you think of one product there are always other opinions for a variety of reasons. GUI, platforms, integration, keyboard usage, etc. Different things make sense to different people.
 
Why this level of vitriol?
It feels really misplaced

They've continued to put out a phenomenal product for years and years now
It's a password program. It literally doesn't get any simpler than that. I bought the app for Mac, then they moved to subscription, and they tried to push ongoing recurring payments for something this simple. Moving to a subscription after so many people paid for the app is what has caused all this ill will. They got greedy and laid the foundation for what is about to happen to them.
 
It's a password program. It literally doesn't get any simpler than that. I bought the app for Mac, then they moved to subscription, and they tried to push ongoing recurring payments for something this simple. Moving to a subscription after so many people paid for the app is what has caused all this ill will. They got greedy and laid the foundation for what is about to happen to them.
It's $3 a month for a very useful and frequently updated product. Sure, I wish we didn't have so many subscriptions to things but it's the new way of doing business on so many things. To have this level of anger at just this company for this is really odd. Adobe did this and profits have never been higher. And people still use their software.

Only getting a big cash infusion when a major version is released has to make planning and running a software company much harder. If $3 leads to better software and releases then I'm fine with that. If $3 a month is too expensive for you, can always just write it down on a post it note or use some of the free software options out there.
 
It's a password program. It literally doesn't get any simpler than that. I bought the app for Mac, then they moved to subscription, and they tried to push ongoing recurring payments for something this simple. Moving to a subscription after so many people paid for the app is what has caused all this ill will. They got greedy and laid the foundation for what is about to happen to them.

more complicated than you’re making it sound

There is a lot to keep up with in this space, and they either have to do a subscription or charge full prices more consistently… Either way it ends up costing about the same.

For cross platform and cross browser users, 1password is outstanding and unrivaled
 
The new 'recovery key' is obviously a way to combine your (master password and secret key) into a new key format.
The 1P 'secret key' is basically a salt to increase the complexity of your master password to 128 bits.

You have to have control over your account to generate a recovery key. [I am being charitable here and assuming this is how 1Password implemented it. I can imagine other ways to implement the feature that would allow them to open your database on server without your secret key.]

The problem is that if you store your recovery key on your computer (not smart) and get rooted, the attacker will likely have access to your email. With that, they just log in with your recovery key, enter the 6-digit code from email and your entire password database is theirs.

At least under the previous status quo, if you memorized your master password and stored it offline (e.g. on a notecard), even if an attacker found a textfile on your computer with your secret key, they could not access your data.

This is a big introduction of potential vulnerability and has tipped the scale for me to begin the transition to Strongbox or another KeePass-based solution.
 
ok…so you can either have a secret key or a recovery code?
I wouldn’t take this article too seriously. It’s inaccurate in its description of the existing system, so there’s no reason to think the new one is described accurately.

Suffice to say there’s something new and we should probably go to primary sources to find out more.
 
Why this level of vitriol?
It feels really misplaced

They've continued to put out a phenomenal product for years and years now
Nah the switch to 1Password 8 has been rough. The Electron app is garbage. Mac heads hate 1Password because they were a Mac-first product and now it’s a platformless Electron app that has the feel of Windows Vista. They did this AFTER they switched to a subscription model, removed the Dropbox sync option, which forced you to migrate to their servers and which effectively raised the price of the product manyfold. I am personally disgusted to see their logo superimposed on NBA basketball floors because I know that’s where my subscription dollar is going, instead of to a beautiful Mac bespoke product…

So yeah, classic sellouts.
 
I find mine buggier than ever.

Strange! Might be worth a reinstall. I was frustrated with a broken auto-unlock of the Safari extension, but that is working at 100% for the last few weeks. I’m no longer experiencing any issues whatsoever. Great timing because I was in the process of trying to migrate to Apple Passwords to check that out, and I didn’t get too far since there’s immediately a ton of limitations…passwords must have a URL, there were inexplicably some “conflicts” upon importing, etc etc (keep in mind I’m not running the dev beta for the new password.app, I was just trying to migrate to the existing Passwords in settings).

Between the current limitations that may or may not be solved in passwords.app and 1Password working flawlessly for me now, it’s a clear sign that I am best served with 1Password. Not to mention it is more secure rather than keeping all eggs in the Apple basket.
 
Long time 1Password user but I've had a pretty horrible experience with 1Password and the Safari extension since I added multiple profiles in Safari. It remains locked and clicking 'Open 1Password' from the extension does nothing. Then I have to use the main app every time. If I quit the main app the browser extension then unlocks. It is supposed to work the other way around.

If Apple can make their app work well and the browser extensions are functional, I will be happy to move away from 1Password.
 
Good to know about the new additions to 1Password. Wonder how many will shift to using the Passwords app from Apple later this year.
 
I don't understand why anybody would pay for a password manager when Keychain is built into macOS, and KeePassXC is free.

Makes zero sense.


Keychain is just not very usable cross-platform. And KeePass takes a bit more effort to set up and I'm just too lazy for it. Especially keeping the passwords in sync on all my devices, when I don't have my private cloud storage on my work devices (and don't want them there)... I'm sure I would find a way to automate it, but I just can't be bothered, when 1Password just works.
 
This is the only product I subscribe to. Very useful on a family subscription that is used on both Mac and Windows, iPhone and iPad. Used on Safari and Edge on MacOS (works really well on Edge on an M1 Mac) with both the thick client or just the browser plugin installed. Updated frequently and now supports cross device passkeys. Merging the Master Password with the long secret password means your master password doesn't have to be that strong as they are combined to form your vault password which a 'bad guy' would need to remotely try to break into your vault. Apple Passwords has a long way to go to surpass this product.

So the recovery code appears to be a one-stop way of getting into the 1Password account itself - a bit like the Google Recovery codes. This has nothing to do with the Password Vault itself. This is because you need the secret 'long' password to get into 1Password from a new device, the first time you use that device. So if you didn't print out the Emergency Access PDF and then lost all your devices, the recovery code could be used. IMHO an edge case but someone with one device and no printer may find this useful.
 
The writing is probably on the wall now that Apple is making this a core part of MacOS
That is fine if all you use is a Mac or iPhone, but for people like me who use more platforms, the one built into Mac OS will not be any good.

I use Bitwarden, for a start it is free, but it also works on Linux as a browser extension and desktop, also available on Windows, MacOS, Android and iOS.
I used to use Roboform many years ago, mainly because it did not use the cloud, it had local storage of the passwords, which I preferred, then I started to use my phone a bit more for other stuff and Linux, so needed something that was online, so used Lastpass until they started to go iffy.
I changed to Bitwarden about 3 years ago and to be honest I don't see myself changing as it does what I want. Still don't like the idea of saving passwords to the cloud, but sometimes we have to do these things.
 
My strategy is still to survive with the version 6 perpetual license until Apple pull themselves together and create a proper application on top of the excellent keychain structure. It now even seems to be successful in a not too distant future.
 
This is the only product I subscribe to. Very useful on a family subscription that is used on both Mac and Windows, iPhone and iPad. Used on Safari and Edge on MacOS (works really well on Edge on an M1 Mac) with both the thick client or just the browser plugin installed. Updated frequently and now supports cross device passkeys. Merging the Master Password with the long secret password means your master password doesn't have to be that strong as they are combined to form your vault password which a 'bad guy' would need to remotely try to break into your vault. Apple Passwords has a long way to go to surpass this product.

So the recovery code appears to be a one-stop way of getting into the 1Password account itself - a bit like the Google Recovery codes. This has nothing to do with the Password Vault itself. This is because you need the secret 'long' password to get into 1Password from a new device, the first time you use that device. So if you didn't print out the Emergency Access PDF and then lost all your devices, the recovery code could be used. IMHO an edge case but someone with one device and no printer may find this useful.
Same. This is literally the only subscription I am willing to pay for. Family plan but mainly used on Windows and iOS devices. I don’t do macOS. It’s simply not made for business (I’m in).

I know NinjaOne staff are using it too. Good choice.

I love how it logs you in automatically with verification codes and how it recognises a screenshot of a QR code when you’re registering a new one-time passcode. And so much more.

Yes, I didn’t like when they moved to a subscription model, but it’s not very expensive for what it does.

Some really stupid apps on iOS have weekly subscription for £4.99 or more and they’re still in business. Unfortunately. WTAF?

I’ll check this recovery code thing, but I’m not sure if I need it.
 