Sidebar Sidebar
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

1Password migrants thread

Adora said:
Hi,

just found this thread, so sorry if this is already known here. I haven't read very much yet. And am not even sure what it is mainly about. 🙈
Click to expand...

Its for people who want to abandon 1password and look for an alternative after 1password became a monthly subscription service.

svenmany said:
The flaw is the use of the clipboard for inappropriate content. The clipboard is designed for easy communication between applications; it's been that way for decades.

It could be that a thread that accesses the clipboard has to satisfy certain conditions. Perhaps the thread has to be initiated by some user action. But, certainly it's not a physical action on the computer itself since a remote desktop session can use the clipboard. I really don't know anything about what protections there are around access to the clipboard. Perhaps someone on this thread knows.

The Clipboard Viewer application requires me to click somewhere before it displays the clipboard's contents. Based on that, we do know that any foreground application can probably access the clipboard without the user triggering an action that is explicitly represented as a clipboard copy.
Click to expand...

Thats the question. Does it see anything in the clipboard, or does it require an action from me to make it see what is in the clipboard?

If its the first, I can imagine the horror of running Chrome browser and anything I copy to the clipboard will be read by Chrome and can be sent to the Google servers because I agreed to this in their multipage ToS.

toasted ICT said:
Yes you keep saying that in different posts. Dont know why.

A cursory search "In 2020, 106 browser extensions were removed from the Chrome Web Store, being used to steal user data, take screen captures or even steal credit card information from web forms" Article here
Click to expand...

well obviously if you are going to install malware its going to be a security threat, but what about using extension from trusted source like Bitwarden? I have not heard any one got hacked because of that.
 
I think the best part would be to use something like built in Apples new passwords.app as it does have native support which should be the most secure.
 
Apple_Robert said:
An extension, as useful as it may be to use, creates a possible vector usage due to leaks and information being sent (intentional or not) to the developer of the extension and other possible parties. There have been numerous examples of bad results in this light with third party extensions. And while I have not directly researched any problems related extensions in such a manner, I made a decision years ago not to introduce a third party swinging door into my usage.
Click to expand...
I love this view, and I agree with it, I’m just wondering what you do with adblocking? Some websites are crazy at injecting Javascripts that decrease battery and look awful.
 
Apple_Robert said:
I use Strongbox.
Click to expand...
Thx for the feedback. Don't you have the issue, when you disable iCloud Keychain within Safari settings, that on websites where no credentials are stored, the little key close to formular fields does not work.
It seems to be stuck and only working on websites where you already have saved credentials.
 
bsmr said:
Thx for the feedback. Don't you have the issue, when you disable iCloud Keychain within Safari settings, that on websites where no credentials are stored, the little key close to formular fields does not work.
It seems to be stuck and only working on websites where you already have saved credentials.
Click to expand...
Are you talking about PassKey fill? I don’t have Keychain turned off.
 
Apple_Robert said:
Are you talking about PassKey fill? I don’t have Keychain turned off
Click to expand...
No. When a new website has no credentials it is not possible to create new ones when iCloud Keychain is turned off and you do use strongbox only. Seems to be an Apple bug.

Do you still use iCloud Keychain and strongbox? Or why do you leave it activated?
 
bsmr said:
No. When a new website has no credentials it is not possible to create new ones when iCloud Keychain is turned off and you do use strongbox only. Seems to be an Apple bug.

Do you still use iCloud Keychain and strongbox? Or why do you leave it activated?
Click to expand...
I don’t allow auto-fill with Strongbox but, I do allow use with Keychain.
 
Apple_Robert said:
An extension, as useful as it may be to use, creates a possible vector usage due to leaks and information being sent (intentional or not) to the developer of the extension and other possible parties. There have been numerous examples of bad results in this light with third party extensions. And while I have not directly researched any problems related extensions in such a manner, I made a decision years ago not to introduce a third party swinging door into my usage.
Click to expand...
Do you use an adblocker? If so, what one do you use that is not a browser extension?
 
Anyone found any other discounts for Enpass? That stacksocial links seems to have expired.
 
johannnn said:
I love this view, and I agree with it, I’m just wondering what you do with adblocking? Some websites are crazy at injecting Javascripts that decrease battery and look awful.
Click to expand...

VineRider said:
Do you use an adblocker? If so, what one do you use that is not a browser extension?
Click to expand...

You can setup your device (or router) to use adblocking DNS. Here are free ones:

CloudD
76.76.2.2
76.76.10.2

Adguard
94.140.14.14
94.140.15.15

You can also use subscription NextDNS , or build your own PiHole and set it up as you like. Please note that DNS blocking does not stop youtube ads. Only browser extension can do that.

Ublock Origin is FOSS and trusted by many but to each his own. Also Wipr for Safari if you do not enable the "Wipr Extra" (which blocks youtube ads) should be safe since Apple has built it in a way that the extension can not read your web browser.

You will need to do further research on that though.

lostPod said:
Anyone found any other discounts for Enpass? That stacksocial links seems to have expired.
Click to expand...

just search online for "Enpass discount" or something like that and pick a reputable site. Try this one with the lifetime option, don't pick the "plan option" beceause thats subscription.

 
MacBH928 said:
well obviously if you are going to install malware its going to be a security threat, but what about using extension from trusted source like Bitwarden? I have not heard any one got hacked because of that
Click to expand...
It might be best not to underestimate the risk profile created by using browser extensions. Its not a matter of downloading malware. Even using extensions provided on reputable sites (such the official Chrome Store) that purport to be legitimate extensions for legitimate applications are a substantive risk:

www.darkreading.com

More Than Half of Browser Extensions Pose Security Risks

Spin.AI's risk assessment of some 300,000 browser extensions found 51% had overly permissive access and could execute potentially malicious behaviors.
www.darkreading.com www.darkreading.com

There are password managers that do not use browser extensions and I decided to use one of those.
 
toasted ICT said:
It might be best not to underestimate the risk profile created by using browser extensions. Its not a matter of downloading malware. Even using extensions provided on reputable sites (such the official Chrome Store) that purport to be legitimate extensions for legitimate applications are a substantive risk:

www.darkreading.com

More Than Half of Browser Extensions Pose Security Risks

Spin.AI's risk assessment of some 300,000 browser extensions found 51% had overly permissive access and could execute potentially malicious behaviors.
www.darkreading.com www.darkreading.com

There are password managers that do not use browser extensions and I decided to use one of those.
Click to expand...
You can do this with most password managers
 
toasted ICT said:
It might be best not to underestimate the risk profile created by using browser extensions. Its not a matter of downloading malware. Even using extensions provided on reputable sites (such the official Chrome Store) that purport to be legitimate extensions for legitimate applications are a substantive risk:

www.darkreading.com

More Than Half of Browser Extensions Pose Security Risks

Spin.AI's risk assessment of some 300,000 browser extensions found 51% had overly permissive access and could execute potentially malicious behaviors.
www.darkreading.com www.darkreading.com

There are password managers that do not use browser extensions and I decided to use one of those.
Click to expand...

The more I read, the more I am likely to come to the same decision. I posted a question about the security of extensions on the 1Password forums, comparing their use to alternatives; no answer yet.

I did read this:


Search for "I've spent a lot of time trying to understand the attack surface of popular password managers" to get Tavis Ormandy's opinion on extensions. But the person quoting him, Steve Gibson, has less concern. Those are two people with real knowledge rather than people who've read internet articles that are often misleading or naive.
 
  • Like
Reactions: DCIFRTHS
MacBH928 said:
If its the first, I can imagine the horror of running Chrome browser and anything I copy to the clipboard will be read by Chrome and can be sent to the Google servers because I agreed to this in their multipage ToS.
Click to expand...

Remember that if you are running the Chrome browser and it's executing Javascript (which is almost always is), that code can read the clipboard.

developer.mozilla.org

Clipboard: read() method - Web APIs | MDN

The read() method of the Clipboard interface requests a copy of the clipboard's contents, fulfilling the returned Promise with the data.
developer.mozilla.org developer.mozilla.org

and this:


with an important "The action that triggers the event is triggered in an app with permissions to read the clipboard". Chrome has permission to read the clipboard and events are more than user interactions.

And, I just now notice this:


which suggests that a malicious website can detect when something writes to the system clipboard (and the event fires when the browser gains focus). So applications don't have to be actively polling the clipboard to notice something new has been added there.

I haven't done any experiments to check all this, but it's clear that the clipboard is no place for sensitive information.

MacBH928 said:
well obviously if you are going to install malware its going to be a security threat, but what about using extension from trusted source like Bitwarden? I have not heard any one got hacked because of that.
Click to expand...

You have to trust an extension far more than a free-standing application.
  • I don't think Apple's gatekeeper would block a malicious extension. Maybe it would if running in Safari.
  • Apple's privacy controls limit what a desktop application can do and see. But, within a browser, an extension can see everything that's visible or typed in the browser window.
So, yeah, don't run malware. But, what if the software distribution channel is compromised and you get a hacked version of an extension. That could very well be the biggest risk when using software from a small player in the field, even if their security design is top notch. Tavis Ormandy mentions this risk in the what I linked in my previous post:


That same risk applies to desktop applications. Tavis believes the only safe place to store passwords is inside the native password managers of browsers. I guess he believes the distribution channels for major browsers are heavily guarded.
 
Apple_Robert said:
Both databases are the same. I do it that way with third party apps for security reasons. I admit that it is something others on here may not put up with but, I think it is safer.
Click to expand...
So Strongbox simply is a backup copy of your iCloud Keychain? Or do I get it wrong?
 
svenmany said:
The more I read, the more I am likely to come to the same decision. I posted a question about the security of extensions on the 1Password forums, comparing their use to alternatives; no answer yet.

I did read this:


Search for "I've spent a lot of time trying to understand the attack surface of popular password managers" to get Tavis Ormandy's opinion on extensions. But the person quoting him, Steve Gibson, has less concern. Those are two people with real knowledge rather than people who've read internet articles that are often misleading or naive.
Click to expand...

If you find anything definitive about extension risks please share. Everyone is using extensions no one is aware of the risks.

svenmany said:
Remember that if you are running the Chrome browser and it's executing Javascript (which is almost always is), that code can read the clipboard.

developer.mozilla.org

Clipboard: read() method - Web APIs | MDN

The read() method of the Clipboard interface requests a copy of the clipboard's contents, fulfilling the returned Promise with the data.
developer.mozilla.org developer.mozilla.org

and this:


with an important "The action that triggers the event is triggered in an app with permissions to read the clipboard". Chrome has permission to read the clipboard and events are more than user interactions.

And, I just now notice this:


which suggests that a malicious website can detect when something writes to the system clipboard (and the event fires when the browser gains focus). So applications don't have to be actively polling the clipboard to notice something new has been added there.

I haven't done any experiments to check all this, but it's clear that the clipboard is no place for sensitive information.
Click to expand...

This is worrisome. I have many apps all open at the same time and who knows what is reading and sending back what.

svenmany said:
That same risk applies to desktop applications. Tavis believes the only safe place to store passwords is inside the native password managers of browsers. I guess he believes the distribution channels for major browsers are heavily guarded.
Click to expand...

Ironically, I thought thats the worse place to store passwords in. I mean, a dedicated password manager sounds like it will have much more security than a "save password" feature in a browser.

bsmr said:
So Strongbox simply is a backup copy of your iCloud Keychain? Or do I get it wrong?
Click to expand...

its an indepedent password manager

strongboxsafe.com

iOS and macOS KeePass Password Manager | Strongbox

Strongbox is the world's leading password manager for iPhone and Mac. Built to utilise industry standard formats, it's ready to secure your data.
strongboxsafe.com strongboxsafe.com
 
svenmany said:
I have a feeling that Universal Autofill is the safest. I am forced to trust the 1Password program since I am giving it broader access to my system. But, I certainly do trust it; I wouldn't have put all my passwords into a program that I didn't trust.
Click to expand...
Are you referring to the option that requires Accessibility Features to be enabled?

In the past, I have thought about using this but it gives a lot of control over the OS to the program you grant privileges to.

I’m at crossroad regarding what the least vulnerable option is.…

wondering if Apple would ever implement notifications when a program read or pasted from the clipboard like they did in iOS? It stopped a lot of programs from accessing the clipboard unless there was a valid reason. Come to think of it, has Apple deprecated that function?
 
You must log in or register to reply here.
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.
Top Bottom
Back