1Password migrants thread

[svenmany]

Ironically, I thought thats the worse place to store passwords in. I mean, a dedicated password manager sounds like it will have much more security than a "save password" feature in a browser.

You really should spend a bit of time reading https://www.grc.com/sn/sn-822.htm. It's a very long transcription of a security podcast. However, the part about password managers is short and near the end (maybe the last 25%). Some snippets...

"So the name Tavis Ormandy is one we've often mentioned on this podcast because Tavis is a prolific security researcher at Google." and he is quoted as having said:

"If you want to use an online password manager, I would recommend using the one already built into your browser. They provide the same functionality and can sidestep these fundamental problems with extensions. ... I use Chrome. But the other major browsers like Edge or Firefox are fine, too. They can isolate their trusted UI from websites. They don't break the sandbox security model. They have world-class security teams, and they couldn't be easier to use"

But, the host of the podcast added: "And by the way, I would like to point out it was only recently that Chrome's password manager did not expose your passwords in plaintext to anybody who had access to your computer." The podcast is from 2021, but it does highlight the fact that some password managers suck, whether they are in the browser or not.

 

[svenmany]

Are you referring to the option that requires Accessibility Features to be enabled?

Yes.

In the past, I have thought about using this but it gives a lot of control over the OS to the program you grant privileges to.

I think we're on the same page.

Putting aside the use of extensions and just comparing the clipboard to Universal Autofill - The clipboard approach exposes you to all sorts of risky software, but only your credentials. The autofill approach only exposes you to 1Password, but related to things other than your credentials. I've decided autofill is less risky since I trust 1Password a lot. My confidence in other software on my computer doesn't even come close. To summarize

I prefer to allow broad exposure to a highly trusted application over allowing narrow exposure to many untrusted applications (especially since this narrow exposure is to such critical information).

Then I have to compare 1Password's browser extension to 1Password's Universal Autofill. The extension seems to be much higher risk. The extension has massive access to everything on every webpage you visit, compared to autofill's controlled access governed by macOS's security settings. If I didn't trust 1Password, I'd worry more about the extension. And then there's the fact that the browser extension puts 1Password's code in harm's way, embedding it in a potentially malicious web page.

I'm led to the conclusion that Universal Autofill is best for me. But, it's early days. I'm old enough to know that my intuition is often wrong. I always simplify complex topics to the level I can understand, leaving out the details I haven't studied. I hope I get a response on 1Password's forum.

Clipboard, browser extension, or universal autofill for macOS web pages - which is safest | 1Password Community

There's a bit of a discussion about this over at MacRumors (a 5 gazillion page thread about 1Password). The current side topic asks what is the safest way to...

1password.community

 

[gregmac19]

1Password’s Universal Autofill looks like a good alternative to using their browser extension. However, their documentation states that Universal Autofill might not work, in which case:

“If you’re still having trouble, you can copy your passwords from 1Password for Mac and paste them where you need to use them.” (https://support.1password.com/mac-universal-autofill/)

I’ve never used 1Password, but I would guess Universal AutoFill fails infrequently. Yet, I think copying passwords to the clipboard is a bad idea, though by default, 1Password clears the clipboard after 90 seconds (https://support.1password.com/copy-passwords/?mac#copy-passwords). As I stated back in Post #2,558, I never have to use the clipboard to copy information from Codebook to anywhere else. I am interested in knowing whether other password managers have this capability.

 

[DCIFRTHS]

Putting aside the use of extensions and just comparing the clipboard to Universal Autofill - The clipboard approach exposes you to all sorts of risky software, but only your credentials. The autofill approach only exposes you to 1Password, but related to things other than your credentials. I've decided autofill is less risky since I trust 1Password a lot. My confidence in other software on my computer doesn't even come close. To summarize

I prefer to allow broad exposure to a highly trusted application over allowing narrow exposure to many untrusted applications (especially since this narrow exposure is to such critical information).

Then I have to compare 1Password's browser extension to 1Password's Universal Autofill. The extension seems to be much higher risk. The extension has massive access to everything on every webpage you visit, compared to autofill's controlled access governed by macOS's security settings. If I didn't trust 1Password, I'd worry more about the extension. And then there's the fact that the browser extension puts 1Password's code in harm's way, embedding it in a potentially malicious web page.

I'm led to the conclusion that Universal Autofill is best for me. But, it's early days. I'm old enough to know that my intuition is often wrong. I always simplify complex topics to the level I can understand, leaving out the details I haven't studied. I hope I get a response on 1Password's forum.

Clipboard, browser extension, or universal autofill for macOS web pages - which is safest | 1Password Community

There's a bit of a discussion about this over at MacRumors (a 5 gazillion page thread about 1Password). The current side topic asks what is the safest way to...

1password.community

Agile Bits replied with some links. I'll have to read them before I feel confident enough to comment on their response.

 

[svenmany]

1Password’s Universal Autofill looks like a good alternative to using their browser extension. However, their documentation states that Universal Autofill might not work, in which case:

“If you’re still having trouble, you can copy your passwords from 1Password for Mac and paste them where you need to use them.” (https://support.1password.com/mac-universal-autofill/)

I’ve never used 1Password, but I would guess Universal AutoFill fails infrequently. Yet, I think copying passwords to the clipboard is a bad idea, though by default, 1Password clears the clipboard after 90 seconds (https://support.1password.com/copy-passwords/?mac#copy-passwords). As I stated back in Post #2,558, I never have to use the clipboard to copy information from Codebook to anywhere else. I am interested in knowing whether other password managers have this capability.

I did a quick test of an application that 1Password fails to fill. I'm running a trial of Codebook; secret agent filled the field without a problem. 1Password introduces the clipboard risk where Codebook doesn't.

The techniques used are different. Codebook uses AppleScript and 1Password doesn't. I had to (I think had to) grant both applications Accessibility and Automation permissions. I wonder about the choice to use AppleScript. Specifically, since it proved itself more reliable, I wonder why 1Password chose not to do it.

 

[svenmany]

Agile Bits replied with some links. I'll have to read them before I feel confident enough to comment on their response.

The links didn't answer the question. Only one added some insight - the link discussing their browser extension.

1Password runs in a sandboxed background page provided by the WebExtensions API, not in the untrusted web environment. Scripts running on web pages you visit have no way of interacting with the sandbox.

So, my intuition regarding the risks of the extension running in a hostile environment were coming from a position of ignorance. I might have to study

Browser extensions - Mozilla | MDN

Extensions, or add-ons, can modify and enhance the capability of a browser. Extensions for Firefox are built using the WebExtensions API cross-browser technology.

developer.mozilla.org

I suspect a lot of progress has been made in providing secure environments for browser extensions.

I'm going to wait a bit longer to see if they answer my question, comparing the three approaches.

 

[svenmany]

I've decided that I'll manually clear my clipboard after I'm forced to use it for credentials. I just set a hotkey to a shortcut that runs the shell script "pbcopy < /dev/null".

 

[DCIFRTHS]

The links didn't answer the question. Only one added some insight - the link discussing their browser extension.

Agreed. I was considering posting back to Agile Bits (in your thread) asking for additional info. I’d be curious to know what they use on their personal systems and why?

Questions on their foums are frequently answered by different employees. iMO, they also have a propensity to close threads prematurely.

So, my intuition regarding the risks of the extension running in a hostile environment were coming from a position of ignorance. I might have to study

Browser extensions - Mozilla | MDN

Extensions, or add-ons, can modify and enhance the capability of a browser. Extensions for Firefox are built using the WebExtensions API cross-browser technology.

developer.mozilla.org

While the thought of an extension in a hostile environment is bad enough on its own, I have a problem with a company analyzing every web page I visit. Obviously, I trust them with my passwords, but at as far as we know (or believe) they don’t have access to that data.

The browser extension just seems like it is the perfect conduit for aggregating data and selling it. I don’t mean our passwords. What I do mean is marketing data.

Even their website directs me to a third party to opt of of data collection.

Maybe I’m just too paranoid?

 

[DCIFRTHS]

I've decided that I'll manually clear my clipboard after I'm forced to use it for credentials. I just set a hotkey to a shortcut that runs the shell script "pbcopy < /dev/null".

Have you decided the Mac OS Autofill / Accessibility route is what’s best for you?

I’m wondering why Apple has the ability to do Autofill so smoothly while others “struggle”…?

Are there undocumented APIs?

If so, will Apple open these up now that they are going to include a “real” app in the next version of MacOS?

On a side note, am I crazy or does iOS allow Autofill for 1Password without enabling the browser extension or the use of accessibility features? Maybe I’m just getting old…

 

[bsmr]

I’m wondering why Apple has the ability to do Autofill so smoothly while others “struggle”…?

Strongbox is doing quite well.

 

[bsmr]

On a side note, am I crazy or does iOS allow Autofill for 1Password without enabling the browser extension or the use of accessibility features?

Within iOS it does work (and is the better option, as within iOS the min. lock of iOS 1Password extension is 15 minutes!).

 

[DCIFRTHS]

Strongbox is doing quite well.

In MacOS? If so, do you know what method they are using?

Within iOS it does work (and is the better option, as within iOS the min. lock of iOS 1Password extension is 15 minutes!).

I’m not sure what you mean. Are you saying 1Password Autofill works without the user enabling it?

… and …

If using the 1Password browser extension in iOS that it takes 15 mins to “lock”? If so, what do you mean by lock?

Thanks!

 

[bsmr]

In MacOS? If so, do you know what method they are using?

They're using native Auto Fill from Apple.

 

[bsmr]

I’m not sure what you mean. Are you saying 1Password Autofill works without the user enabling it?

They're using native Autofill on iOS (but also have an extension).

 

[bsmr]

If using the 1Password browser extension in iOS that it takes 15 mins to “lock”? If so, what do you mean by lock?

1PW iOS extension will stay open min. 15 minutes after unlocking it. Even when locking iPhone and unlocking the browser extension is still open as the 15 minutes is the minimum! You have to know this when giving your phone someone else during this period of time - it's possible that they can see 'all' your password data. (I simply cannot understand why 1Password does not fix this...).

 

[svenmany]

Have you decided the Mac OS Autofill / Accessibility route is what’s best for you?

I haven't decided. In fact, I have no idea.

My gut is telling me that the only serious risk is using the clipboard. Every website you visit has access to the clipboard. Every application you run has access to the clipboard.

The browser extension just seems like it is the perfect conduit for aggregating data and selling it. I don’t mean our passwords. What I do mean is marketing data.

It's a risk and you have to evaluate that one yourself. I trust AgileBits to not scrape data from the websites I visit. It would likely be found out and the damage they would suffer would be very, very large. It's implausible they would do such a thing. This has nothing to do with analytics they collect regarding visits to their own website.

The general area of extensions is one of high risk because their are so many of them. But, I evaluate the risk of each one separately.

I’m wondering why Apple has the ability to do Autofill so smoothly while others “struggle”…?

Just to be clear, the only problem I've encountered is that 1Password struggled filling in a password in a free-standing application. It was a Java based application from Schwab called "thinkorswim". I've not ever had a situation in a web browser that both the extension and universal autofill didn't work.

Does Apple's software autofill in applications?

 

[gregmac19]

Does Apple's software autofill in applications?

Yes. Please see: https://support.apple.com/guide/security/password-autofill-security-sec7aefe77c3/web

P.S. Thanks for all the research you are doing!

 

[MacBH928]

While the thought of an extension in a hostile environment is bad enough on its own, I have a problem with a company analyzing every web page I visit. Obviously, I trust them with my passwords, but at as far as we know (or believe) they don’t have access to that data.

The browser extension just seems like it is the perfect conduit for aggregating data and selling it. I don’t mean our passwords. What I do mean is marketing data.

Even their website directs me to a third party to opt of of data collection.

Maybe I’m just too paranoid?

No. Capitalism aims to maximise profits and if they can make more profit by collecting data they will. investors paid $620 million in it .

I haven't decided. In fact, I have no idea.

My gut is telling me that the only serious risk is using the clipboard. Every website you visit has access to the clipboard. Every application you run has access to the clipboard.

💀

It's a risk and you have to evaluate that one yourself. I trust AgileBits to not scrape data from the websites I visit. It would likely be found out and the damage they would suffer would be very, very large. It's implausible they would do such a thing. This has nothing to do with analytics they collect regarding visits to their own website.

While what you say is true, Google, Microsoft, and Amazon scrap data and businesses keeping using their hardware and software. Maybe they do not record your website activity but there is always some data being collected and who knows what that is. https://tosdr.org/

 

[Mr. Heckles]

No. Capitalism aims to maximise profits and if they can make more profit by collecting data they will. investors paid $620 million in it .

And Capitalism lets you enjoy stuff, vote with your wallet, and helps innovation.

 

[bsmr]

No. Capitalism aims to maximise profits and if they can make more profit by collecting data they will. investors paid $620 million in it .

1Password is not playing with your data. Unless you allowed them to do so...

 

[DCIFRTHS]

1Password is not playing with your data. Unless you allowed them to do so...

??

 

[svenmany]

Yes. Please see: https://support.apple.com/guide/security/password-autofill-security-sec7aefe77c3/web

Thanks for the link. My understanding from the article is that it only works with Mac Catalyst apps, apps written for iOS or iPadOS. I tested it with the thinkorswim app and there didn't seem to be any way to make use of a login I had in my keychain.

P.S. Thanks for all the research you are doing!

Thanks for appreciating it.

I am interested in knowing whether other password managers have this capability.

I also wonder what other password managers provide for that, other than 1Password and Codebook.

 

[MacBH928]

And Capitalism lets you enjoy stuff, vote with your wallet, and helps innovation.

indeed, there is a dial of middle ground where capitalists make profits and consumers win. it hasn't to be to each extreme, its called the "invisible hand" in economics. I chose to vote with my wallet.

1Password is not playing with your data. Unless you allowed them to do so...

For now, but you never what happens in the future. Google code of conduct was "don't be evil" . We all know how that turned out to be.

I also wonder what other password managers provide for that, other than 1Password and Codebook.

if you mean the keychain auto fill thing, I think its 1password, codebook, and strongbox. Not sure about minimalist and secrets.

 

[svenmany]

if you mean the keychain auto fill thing, I think its 1password, codebook, and strongbox. Not sure about minimalist and secrets.

I'm referring to a password program's ability to use some kind of system automation to fill any input field on a webpage or in a standalone application. I think that's what you mean by "keychain auto fill thing", although it has nothing to do with the keychain.

1Password can even fill in the authentication prompt on macOS when you have to provide administrator credentials.

 

[svenmany]

if you mean the keychain auto fill thing, I think its 1password, codebook, and strongbox. Not sure about minimalist and secrets.

From Strongbox's website:

Note that this AutoFill system on works on Apple’s latest OS (MacOS Big Sur) and only with Apps and Browsers that have upgraded to support the Password AutoFill system. So far, as of post time, the only major browser that supports AutoFill is Safari. We believe this will change over the coming months and we should see ubiquitous Password AutoFill support in most browsers and Apps in short order.

It sounds like they've take a very secure approach to it, but it will have limited usability since it requires special coding in every application in order to support it.