I'm referring to a password program's ability to use some kind of system automation to fill any input field on a webpage or in a standalone application. I think that's what you mean by "keychain auto fill thing", although it has nothing to do with the keychain.

1Password can even fill in the authentication prompt on macOS when you have to provide administrator credentials.
Okay. I think I have found out the answer to my question.
Agile Bits does not want to support macOS Autofill (Credential Provider API) at this time because it limits the company in the features they offer. Additionally, it seems like the Accessibility approach is their "workaround" :( :mad: If you read the posts below, please correct me if I misstated anything.

I'm linking to two posts that seem to explain their position, and the disappointment of some customers - including me. I'm guessing there may be more posts on the subject, but I don't have more time to search right now.

One Here... and the other Here...

Now my question is whether or not to use the extension, accessibility "workaround" or Apple Keychain... :oops:
Decisions, decisions.
 
Okay. I think I have found out the answer to my question.
Agile Bits does not want to support macOS Autofill (Credential Provider API) at this time because it limits the company in the features they offer. Additionally, it seems like the Accessibility approach is their "workaround" :( :mad: If you read the posts below, please correct me if I misstated anything.

I'm linking to two posts that seem to explain their position, and the disappointment of some customers - including me. I'm guessing there may be more posts on the subject, but I don't have more time to search right now.

One Here... and the other Here...

Now my question is whether or not to use the extension, accessibility "workaround" or Apple Keychain... :oops:
Decisions, decisions.
I guess you gave the answer to yourself. If you are unhappy with a product and you think that you can't trust them, why would you give them access to the most precious of your data?
It makes no sense.
Many in this thread did drop 1PW for several reasons, some of them being broken promises and partly shady business practices or just not caring about individual customers anymore.

There are some proven and very secure alternatives, like Strongbox and Bitwarden, who still care about their customers. And Apple's keychain is awesome on its own, if you just need the passwords. And it will be better in the near future.

I can only repeat myself: a password manager has to be secure and it has to fill in passwords, because the promise is that a generated password is more secure than having 1-5 easy-to-remember passwords.
That's it. Everything else is marketing, features that are just there to sell the software.

IMHO, 1Password is not secure because having my data on a foreign server isn't more secure than having it on my computer. Everyone who is trying to tell me that giving the keys to my house to a company to keep them safe is more secure than having them in my pocket... We know that 1Password already had a lot of luck and has been targeted. We know about data breaches at a ton of other companies. So trust is the most important currency, and they did some strange things that took away my trust in them.
You are proving that my decision to switch to keychain was right. :)
 
IMHO, 1Password is not secure because having my data on a foreign server isn't more secure than having it on my computer.

You are proving that my decision to switch to keychain was right.

So, I guess you aren't syncing your keychain to iCloud, otherwise your passwords would be on a foreign server. I understand that you can't share your credentials between devices; is any other functionality missing? I seem to remember reading something about that on this thread.
 
Okay. I think I have found out the answer to my question.
Agile Bits does not want to support macOS Autofill (Credential Provider API) at this time because it limits the company in the features they offer. Additionally, it seems like the Accessibility approach is their "workaround" :( :mad: If you read the posts below, please correct me if I misstated anything.

I'm linking to two posts that seem to explain their position, and the disappointment of some customers - including me. I'm guessing there may be more posts on the subject, but I don't have more time to search right now.

One Here... and the other Here...

Now my question is whether or not to use the extension, accessibility "workaround" or Apple Keychain... :oops:
Decisions, decisions.

Thanks for that post. I need to understand this API more. I think "Credential Provider API" is this


My guess is that applications (including web browsers) have to be coded to use that API to get the best experience. That page hints that heuristics can be used if that hasn't been done, but I'm not confident that applies to macOS, except in Safari and other Apple applications. Then a password program provides an extension that can be configured in System Settings to respond to calls to that API. I'm just guessing.

Here's a link that describes what the developer of a web page should do to cater for this API, though I'm sure Safari can be clever in making guesses about the fields on web pages it presents. Almost every web page will not have done this.


Strongbox supports the API, but only on Safari. You have to install their browser extension to cater for other browsers. Check out https://strongboxsafe.com/support/#reamaze#0#/kb/autofill.

Further, both their browser extension and their use of autofill in Safari establish a communication channel from inside the browser to the password program on the computer. That is probably the same risk that any other browser extension is vulnerable to. They describe this communication here:

Strongbox AutoFill has the capability of unlocking your database independently but if it detects that you already have your database unlocked in the background it can establish a secure tunnel or “Wormhole” to request your credentials without requiring authentication or going through the whole unlock and decrypt process.

This is exactly the kind of behavior that the Google researcher was talking about when he complained about browser extensions.

I think Agile Bits will eventually provide an extension since they do on iOS. However, if my understanding of the API is correct, it's not a replacement for their Universal Autofill since there are so many applications that haven't been coded to call that API. Also, Universal Autofill could be much safer since the browser doesn't communicate to the external password program. Because of this, support of that API is not a high priority for me.
 
I guess you gave the answer to yourself. If you are unhappy with a product and you think that you can't trust them, why would you give them access to the most precious of your data?

There’s always room for improvement. I’m hoping that 1Password will implement the ease of use that Keychain has - regarding autofill.

If I said I don’t trust 1Password, let me rephrase. What I don’t like is giving any app full control of my computer.
 
If I said I don’t trust 1Password, let me rephrase. What I don’t like is giving any app full control of my computer.

In regard to the browser piece of that, the Apple autofill that you mention in your earlier post has one advantage over other browser extensions. It's the browser that's inspecting the fields and handing control, for just those fields, to the password extension. A normal browser extension is doing the inspecting of fields itself. So, if there's some lack of trust in an extension, the autofill would have an advantage there.

One other thing worth considering with respect to trust - If I were to use Chrome, I would be giving Google access to the contents of my web pages. I trust Agile Bits to safeguard my privacy interests far more than I do Google. So, my evaluation is that the browser extension wouldn't add much risk over what is already there when using Chrome. That's a far less compelling argument for users of other browsers.
 
Really? Why?

Most of Google's profit comes from selling user data. They do claim it's anonymized, but it would be greatly in their interest to not do that. Things holding them back include public perception and the risk of a government crackdown.

I have a friend who is a manager at Google. She said that it's pretty scary there. They do everything they can to work around advertised restrictions and still do things to make a buck, things that could harm their users. Exposure of those details would not hurt their bottom line. They would just claim that they've addressed the violation and the uproar would subside.

Agile Bits makes money by selling their services. There is little motive to abuse their users' privacy. It's very much in their interest to not do that. Exposure of such practices would destroy their company. They do have substantial competition.
 
Among all Chromium based browsers Chrome is better than its reputation. I would rather use Chrome than Brave or Vivaldi. Microsoft is much worse than Google IMHO.
At least with Google Chrome I know where I stand. They will monetize my data as much as they can.
I agree that Agilebits won't abuse user data or they risk all.
But I don't trust them because I don't think they are good enough to keep my data safe. How many volunteers and how many employees are involved in security at Google? And how many employees does Agilebits have?
Agilebits has already been successfully hacked. See the Okta hack. Look at the Lastpass hacks. Or the Norton Lifelock hacks. My son is 4 years old. I trust him not to want to have an accident. Still, I don't give him the car keys.
 
Most of Google's profit comes from selling user data. They do claim it's anonymized, but it would be greatly in their interest to not do that. Things holding them back include public perception and the risk of a government crackdown.
Google sells ads. They don't sell passwords.

Trusting a password service is about trusting the security of the service. And I guess Google has some of the best engineers on earth. While I have no idea about the people at Agilebits.
 
But I don't trust them because I don't think they are good enough to keep my data safe. How many volunteers and how many employees are involved in security at Google? And how many employees does Agilebits have?

Trusting a password service is about trusting the security of the service. And I guess Google has some of the best engineers on earth. While I have no idea about the people at Agilebits.

Just want to make sure we understand that this is a different topic than what I was addressing.

I was talking about a small piece of the puzzle - the risk of giving some software access to your computer and data. And a piece of that - whether you trust a company's intentions and how they might use your data against your own interests. Since Google is very competent they would have the best luck at covering their tracks.
 
Google sells ads. They don't sell passwords.

Trusting a password service is about trusting the security of the service. And I guess Google has some of the best engineers on earth. While I have no idea about the people at Agilebits.
Sure you can trust Google with your passwords. It’s not like Google happily assisted the Chinese government to spy on their citizens. And the last thing you would do if you were attempting to spy on people is to try to steal their passwords.
 
Trusting a password service is about trusting the security of the service. And I guess Google has some of the best engineers on earth. While I have no idea about the people at Agilebits.

But I don't trust them because I don't think they are good enough to keep my data safe. How many volunteers and how many employees are involved in security at Google? And how many employees does Agilebits have?


Responding more directly to these comments and putting aside the fundamental conflict of interest that Google has with respect to safeguarding your data ...

Google has all levels of engineers. It's organizational competence that's relevant. They could have their less talented engineers working on very important things. Here's a quote from the article I referenced earlier:


"Leo: And by the way, I would like to point out it was only recently that Chrome's password manager did not expose your passwords in plaintext to anybody who had access to your computer."

Everyone at AgileBits who would be involved in such decisions would be seriously focused on the risks. Clearly, at one point in time, Google's password handling was in the wrong hands.
 
Is Agilebits selling their software to Chinese citizens? Then they are also likely forced to assist the Chinese government.
From 1Password’s website (https://1password.com/personal-family-security):

“Private by default
We can’t see passwords or sensitive information stored in 1Password, so we can’t use it, share it, or sell it – and neither can anyone else.”

If this is untrue, then 1Password would quickly lose most of their business. Thus, the likelihood of 1Password assisting the Chinese government is close to nil.
 
Is Agilebits selling their software to Chinese citizens? Then they are also likely forced to assist the Chinese government.

I guess it's possible that they released a different version of their software for the Chinese market that allowed for a government backdoor. I suspect that didn't happen, even if the Chinese people are using the software. It would be known that the software doesn't really protect its data, so people just wouldn't use it.

Google doesn't need to do anything like that since it's all server-side; there's no client software delivered to desktops that protects users. Google probably doesn't need to change anything since they have all the data; all they have to do is deliver it when asked.

Sometimes people don't have the luxury of just not using Google like they could with 1Password. A friend was asked to review a medical provider and describe her treatment. She was given a link that took her to Google reviews. I tried to help her set up an anonymous Google account, but it's virtually impossible without inadvertently linking it to an existing account you have. I tried a fresh user account with a cookie-free browser. But Google still required a recovery phone number. I recommended to her that she just not do the review. Unfortunately, the medical assistant would get a bonus if the review were posted.

Google is gooey - it sticks. If you would have been happy to provide your medical information on Google reviews with an anonymous account, then any argument we have here just won't go anywhere; we live on different planets. If you trust Google software as much as you trust AgileBits' to not violate your privacy (I'm not talking about leaking passwords), then we are also so far apart that it's not even worth arguing the point. I don't put my republican friends in the same room as my democrat ones.

But, if you were to be using Firefox, for example, then the use of the 1Password extension should be considered a non-trivial incremental risk.
 
"Leo: And by the way, I would like to point out it was only recently that Chrome's password manager did not expose your passwords in plaintext to anybody who had access to your computer."

Some posts ago someone posted an article by a security guy saying the most secure place to store passwords is in the browser's autofill. I still have a hard time believing that, and wonder whether it is true or not and whether we should all be uninstalling the extension-based autofill password managers.

Most of Google's profit comes from selling user data. They do claim it's anonymized, but it would be greatly in their interest to not do that. Things holding them back include public perception and the risk of a government crackdown.

Agile Bits makes money by selling their services. There is little motive to abuse their users' privacy. It's very much in their interest to not do that. Exposure of such practices would destroy their company. They do have substantial competition.

Google sells services too, like YouTube Premium, Google Play, Google Pay, Google One, Nest Aware. They will still sell your data. The capitalist has a hunger for never-ending growth and profit.

But I don't trust them because I don't think they are good enough to keep my data safe. How many volunteers and how many employees are involved in security at Google? And how many employees does Agilebits have?
Agilebits has already been successfully hacked. See the Okta hack. Look at the Lastpass hacks. Or the Norton Lifelock hacks. My son is 4 years old. I trust him not to want to have an accident. Still, I don't give him the car keys.

I would trust Agilebits more than Google to secure passwords. It's valued at $6.8 billion. Their bread and butter is security, and they only have one service to do, and that is to secure your password vault.

On the other side, Google has a wide range of services and a colossal user base, and they actually want to collect your data. Somewhere, something will go wrong. The more complex it gets, the easier it fails.


From 1Password’s website (https://1password.com/personal-family-security):

“Private by default
We can’t see passwords or sensitive information stored in 1Password, so we can’t use it, share it, or sell it – and neither can anyone else.”

If this is untrue, then 1Password would quickly lose most of their business. Thus, the likelihood of 1Password assisting the Chinese government is close to nil.

While true, call me paranoid, I do not trust that proprietary software because I have seen enough customer betrayal for extra profits. You never know what goes on in the background. It's all about who you decide to trust.
 
Vulnerability found in all versions of the 1Password app for Mac prior to version 8.10.36.

https://support.1password.com/kb/202408a/

Not worried. Per the article:
To exploit the issue, an attacker must run malicious software on a computer specifically targeting 1Password for Mac.

If anyone gains access to your computer, you're screwed anyway. If they put a keylogger on your computer, they will gain access to your password manager, and this goes for local-only password managers too.
 
While true, call me paranoid, I do not trust that proprietary software because I have seen enough customer betrayal for extra profits. You never know what goes on in the background. It's all about who you decide to trust.
As you're posting from a device that was probably made in China….

You still have to have trust in FOSS. Can you guarantee the code they post for people to look at is the exact code you're running on your device? Nope.

Who says a program that is open source doesn't use different code in production to deceive people?

Imagine someone makes a password manager that is open source, gains trust, and then uses different code with a backdoor for the developer to access.

Honestly, that would be the greatest scam ever. I’m actually shocked no one has done this yet.
 
Not worried. Per the article:


If anyone gains access to your computer, you're screwed anyway. If they put a keylogger on your computer, they will gain access to your password manager, and this goes for local-only password managers too.
True, but it’s still worth knowing.
 
Not worried. Per the article:


If anyone gains access to your computer, you're screwed anyway. If they put a keylogger on your computer, they will gain access to your password manager, and this goes for local-only password managers too.
Which is very easy to do on Windows (drive-by) and also easy to do on Mac (USB device, public WiFi, fake public WiFi,…)
But yes let’s talk it down as if this is nothing instead of admitting that no software is secure.
And then we are back at the question: why should Agilebits do a better job than any other company? It’s a matter of time and the more popular it gets the more it will be targeted. And at some point there will be a data breach.
 