True, but it’s still worth knowing.
I agree.

There will always be bugs and vulnerabilities. When I hear about them I'm reminded to make sure my software is up to date. I have 1Password update automatically, so I already had the fix, but there's always stuff to learn.

The vulnerability points to the risks of browser extensions and the communication channel they open to processes outside of the browser. This is the risk that was mentioned by Tavis Ormandy of Google as he pushed for everyone to just keep their passwords inside Chrome.

The press release also highlights the general collaborative nature in the security world. AgileBits didn't discover the bug, but was notified in advance of any public disclosure, so they could push out a fix.

AgileBits' security posts discuss the major challenges to keep passwords safe when a computer is compromised. I'm glad this vulnerability was addressed. I do hope the smaller password companies have had similar diligence applied to their browser extensions.
 
Which is very easy to do on Windows (drive-by) and also easy to do on Mac (USB device, public WiFi, false public WiFi,…)
But yes let’s talk it down as if this is nothing instead of admitting that no software is secure.
And then we are back at the question: why should Agilebits do a better job than any other company? It’s a matter of time and the more popular it gets the more it will be targeted. And at some point there will be a data breach.
My point is, someone takes over your computer, you think a password manager is going to protect you? No.
People need to be aware what they are doing at all times.
 
As you're posting from a device that was probably made in China….

Correct, but I can't do much about that; I can, however, choose not to use 1Password and go for an alternative.

You still have to trust FOSS. Can you guarantee the code they post for people to look at is the exact code you're running on your device? Nope.

Who says a program that is open source uses a different code in production to deceive people?

Technically you can if you build the app from the source code yourself, which should be on GitHub I believe. But I trust Bitwarden not to do that, just as much as you trust Agilebits not to do anything funny in the background with 1Password. It's a matter of trust.

Imagine someone makes a password manager that is open source, gains trust, and then uses a different code with a back door for the developer to access.

Honestly, that would be the greatest scam ever. I’m actually shocked no one has done this yet.

They already have done this. A contributor was working on FOSS software for 2 years until he gained the trust of the project maintainer, then installed malware in it, and the maintainer accepted it (unknowingly) and shipped it to the world. I think it's this one.

Which is very easy to do on Windows (drive-by) and also easy to do on Mac (USB device, public WiFi, false public WiFi,…)
But yes let’s talk it down as if this is nothing instead of admitting that no software is secure.
And then we are back at the question: why should Agilebits do a better job than any other company? It’s a matter of time and the more popular it gets the more it will be targeted. And at some point there will be a data breach.

So what do we do? What about all those bank transactions and credit cards? It's all done in computers and software. Military? Government data?
 
So what do we do? What about all those bank transactions and credit cards? It's all done in computers and software. Military? Government data?
Government data is leaked all the time. At least in my country. Banks have high security measures and can be held responsible for money loss. I mean it’s why we give them our money in the first place. And there is a reason why in Military, planes, atomic reactors still use floppy discs and DOS.
Regarding passwords the weakest point is the end user, the consumer.
A ton of people don’t care about it at all, look at the most popular passwords.
Another ton of people save them in their browsers. And a growing number is using password managers thanks to Apple's Keychain and 1Password's popularity.
As you yourself pointed out it’s a matter of trust. I don’t trust companies in general so I don’t see a reason to store my precious data on a server. So local vaults. There are no hackers that target single computers without a good reason.
Using FOSS is another good way to protect yourself because you can easily use ChatGPT to check the code for malicious parts yourself without any knowledge of programming.
Do we know how Agilebits is storing our data? Can we see if the data is encrypted at all? I mean they could promise anything and just save it in plain text. We wouldn’t know.
Do I trust Google? Or Mozilla? Or Apple? No. But I trust Mozilla more than Google. I trust Apple more than Microsoft. And I'm having a hard time trusting a company that is building upon broken promises, deleting critical forum posts and is trying to persuade their customers that a server is much safer than a personal vault, that Electron is better than native apps, that subscription is better than a one-time payment.
Look at any company in the world. There is a certain point where big investors with big money enter the game. And this is almost always the point where a company changes its course away from their customers into monetizing. Because investors want to see growth, they want to get their investment back. Take a close look at the gaming industry, like Blizzard, EA, Ubisoft,…
Take a look at the beer industry… or tools, clothing… no matter. They start to reduce costs everywhere, which means that their products get worse. And then they try to monetize every part of their product. Electron is in no way better than a native app, except it's better for them. It's cost effective because it's an ugly browser, imho the worst browser because it's resource hungry.
Server vaults aren’t good for us but for them because it helps their “we need subs to cover server costs” story. It’s good for them because if you are the average user you will agree to almost anything to keep using your passwords you saved there for a decade.
It's good for them because they can exclude user errors on this part. But it's in no way better for us. Or safer.
 
My point is, someone takes over your computer, you think a password manager is going to protect you? No.
People need to be aware what they are doing at all times.

If a program has infiltrated a computer it likely hasn't taken it over. It will try various avenues of attack but there's no way it will try every one. The more avenues that are closed off by security software, the better the odds that the malicious software will be rendered harmless.

I did get a response to my query on the 1Password forums about the best way to use 1Password: copy/paste, browser extension, or universal auto-fill. I'm a hyper-literal person and wanted a list in order of the most secure to the least. I didn't quite get that answer. But, certainly the answer places copy/paste as the least secure approach. Certainly, that would be a trivially easy target for any malicious code.

I run MacPGP sometimes. If I copy a public key to the clipboard, MacPGP, running in the background, detects it and offers me to import it. This proves that background applications can easily monitor the clipboard and capture things as they are placed there. No password program is going to be able to protect you from the careless behavior of putting something sensitive on the clipboard.

But even given the horrible risk of using the clipboard in this way, how many people, who think they are aware of what they are doing at all times, are even aware of how risky the clipboard is?
 
But even given the horrible risk of using the clipboard in this way, how many people, who think they are aware of what they are doing at all times, are even aware of how risky the clipboard is?
Almost none because people who are aware of what they are doing are a minority already.
 
If a program has infiltrated a computer it likely hasn't taken it over. It will try various avenues of attack but there's no way it will try every one. The more avenues that are closed off by security software, the better the odds that the malicious software will be rendered harmless.

I did get a response to my query on the 1Password forums about the best way to use 1Password: copy/paste, browser extension, or universal auto-fill. I'm a hyper-literal person and wanted a list in order of the most secure to the least. I didn't quite get that answer. But, certainly the answer places copy/paste as the least secure approach. Certainly, that would be a trivially easy target for any malicious code.

I run MacPGP sometimes. If I copy a public key to the clipboard, MacPGP, running in the background, detects it and offers me to import it. This proves that background applications can easily monitor the clipboard and capture things as they are placed there. No password program is going to be able to protect you from the careless behavior of putting something sensitive on the clipboard.

But even given the horrible risk of using the clipboard in this way, how many people, who think they are aware of what they are doing at all times, are even aware of how risky the clipboard is?
Thanks for the update on your query to the 1Password forums.

Again, I ask what password manager or managers can you use, besides Codebook, to copy information from the manager to anywhere else without using a clipboard. I know that Apple’s iCloud Passwords cannot, nor can 1Password always do this (Ref. Post #2,605).
 
Again, I ask what password manager or managers can you use, besides Codebook, to copy information from the manager to anywhere else without using a clipboard. I know that Apple’s iCloud Passwords cannot, nor can 1Password always do this (Ref. Post #2,605).

There's this


It's from China. I wouldn't use it since it's very new (version 0.1.0) and from a single developer. The code is only slightly commented and some of the comments are in Chinese.

Maybe there's a more reputable application providing this same functionality.
 
There's this


It's from China. I wouldn't use it since it's very new (version 0.1.0) and from a single developer. The code is only slightly commented and some of the comments are in Chinese.

Maybe there's a more reputable application providing this same functionality.

You know, what's needed in the case of passwords is not a general secure clipboard. It's just a simple in-memory storage of a small text string. It might be trivial to write something as a service and assign hotkeys for copy and paste. Might need a bit of study to ensure memory is secure and being cleared after the paste. If someone writes the code themselves then they wouldn't be afraid to grant it screen reading and accessibility features.
 
But even given the horrible risk of using the clipboard in this way, how many people, who think they are aware of what they are doing at all times, are even aware of how risky the clipboard is?
I am aware of what I am doing, but I must confess that I have used the clipboard for copying passwords :confused:
I needed to "confess" as it bothers me every time I do it.

I'm curious to know if you made a final decision on what method you use: browser extension or the universal autofill option.
 
And there is a reason why in Military, planes, atomic reactors still use floppy discs and DOS.

I don't get it, why? Pre-2000 software was filled with security holes and viruses. I thought they use old operating systems because they didn't want to rewrite software for newer OSes. I think you mean to keep it off the internet because it's more secure.

Another ton of people save them in their browsers. And a growing number is using password managers thanks to Apple's Keychain and 1Password's popularity.

Some posts ago, someone linked to a security expert saying saving it in the browser is actually the most secure way. Still waiting for someone to verify that.

And I'm having a hard time trusting a company that is building upon broken promises, deleting critical forum posts and is trying to persuade their customers that a server is much safer than a personal vault, that Electron is better than native apps, that subscription is better than a one-time payment.

Look at any company in the world. There is a certain point where big investors with big money enter the game. And this is almost always the point where a company changes its course away from their customers into monetizing. Because investors want to see growth, they want to get their investment back. Take a close look at the gaming industry, like Blizzard, EA, Ubisoft,…
Take a look at the beer industry… or tools, clothing… no matter. They start to reduce costs everywhere, which means that their products get worse. And then they try to monetize every part of their product. Electron is in no way better than a native app, except it's better for them. It's cost effective because it's an ugly browser, imho the worst browser because it's resource hungry.

completely agree 🎯

Server vaults aren’t good for us but for them because it helps their “we need subs to cover server costs” story. It’s good for them because if you are the average user you will agree to almost anything to keep using your passwords you saved there for a decade.
It's good for them because they can exclude user errors on this part. But it's in no way better for us. Or safer.

This "we are a service" trick is pretty cunning on all SaaS 😂😂
They tell you it's a service so it costs money; meanwhile my password DB is about 1.2MB. If they had 5 million customers like me their total storage would be about 5 TB of HDD, let's assume it costs $200. Multiply that by 4 (1 main + 3 backups) and the storage cost will be around $1000-1500 that will keep working for years, meanwhile their subscriptions will be $180 million/year, making a profit of $179,998,500 😂

Of course it's more complicated than that, but I'm just trying to get the idea across. No one jump on me with "they keep updating the software, patches, features, tech support etc etc", I get it.
 
But even given the horrible risk of using the clipboard in this way, how many people, who think they are aware of what they are doing at all times, are even aware of how risky the clipboard is?

Do not forget about features like "universal clipboard" that shares the clipboard with other devices and operating systems. I still say, the clipboard should be saved locally accessible to the OS only until I paste it into the specific app.

Call me ignorant but I never imagined any app I run can have full access to my HDD, RAM, clipboard etc etc. It should only be allowed when I allow it to and for the specific files I allow it to.
 
I am aware of what I am doing, but I must confess that I have used the clipboard for copying passwords :confused:

Same here, sometimes it can not be avoided. But I try to mitigate the risk. In these cases I have only the required apps running, I usually only copy the password and not the user name, and immediately after pasting I copy some dummy text into the clipboard. Besides that, the PW manager is set to clear the clipboard after 1 minute.
 
I am aware of what I am doing, but I must confess that I have used the clipboard for copying passwords :confused:
I needed to "confess" as it bothers me every time I do it.

I'm curious to know if you made a final decision on what method you use: browser extension or the universal autofill option.

I also confess that I use the clipboard now and again. Sometimes there's just no helping it. I do have a shortcut which clears the clipboard and have that assigned to a keystroke. So after pasting the text, I clear the clipboard. You can set that up in Automator as a shell script that runs: "pbcopy < /dev/null".

1Password also allows you to drag from the application onto a field. However, for the application where Universal Autofill fails, that fails as well. I'm left with the choice of copy/paste, manually typing 30 random characters, or changing my password to something easy to type in. I've settled on copy/paste with a quick clear of the clipboard right after.

Even though processes outside of the browser can capture clipboard content as it appears, I don't think it's possible for applications running in browser windows that don't have focus to do it. I haven't done the work to test that out, but it's what I've read online. Applications in background browser windows would have been the biggest risks.

Since Dave (1Password's founder who replied to me on the forums) didn't offer a preference of the browser extension over Universal Autofill, I suspect there are subtle considerations in play that could sway it one way or the other. I still believe Universal Autofill is safer than the browser extension. The code is running in a likely less hostile environment and all that's going on is that a trusted program is being allowed to write text into fields. Compare that to the browser extension where some trusted software (the browser extension) is opening a communication channel to other trusted software (the password application) that's running outside of the browser. That's risky and was exploited in the vulnerability reported by @einsteinbqat.

So, my final decision is that I'll use Universal Autofill whenever possible.
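The two mitigations described in this thread, clearing the clipboard right after pasting (the `pbcopy < /dev/null` shortcut) and having the manager wipe it after a timeout, can be combined in a small helper. This is an added example, not code from 1Password or any poster; it assumes macOS `pbcopy`/`pbpaste` on the PATH, and the `MemoryBoard` class is a constructed stand-in so the logic can be exercised without a real clipboard. The extra check it adds is to wipe only if the clipboard still holds the secret, so a timed clear never destroys something the user copied later.

```python
import subprocess
import threading


class PbBoard:
    """macOS clipboard via the pbcopy/pbpaste tools (assumes both are on PATH)."""

    def put(self, text: str) -> None:
        # With text == "" this is the same as the "pbcopy < /dev/null" shortcut.
        subprocess.run(["pbcopy"], input=text.encode(), check=True)

    def get(self) -> str:
        out = subprocess.run(["pbpaste"], capture_output=True, check=True)
        return out.stdout.decode()


class MemoryBoard:
    """Constructed in-memory stand-in for the clipboard, for offline testing only."""

    def __init__(self) -> None:
        self.text = ""

    def put(self, text: str) -> None:
        self.text = text

    def get(self) -> str:
        return self.text


def clear_if_unchanged(board, secret: str) -> bool:
    """Wipe the clipboard only if it still holds the secret we placed there.

    A blind timed clear would also destroy whatever the user copied in the
    meantime; comparing first avoids that. Returns True when a wipe happened.
    """
    if board.get() == secret:
        board.put("")
        return True
    return False


def copy_secret(board, secret: str, timeout_s: float = 60.0) -> threading.Timer:
    """Place the secret on the clipboard and schedule a conditional wipe.

    The timer runs in a daemon thread so the calling tool can exit without
    waiting; the returned timer can be cancelled, or joined to wait for the wipe.
    """
    board.put(secret)
    timer = threading.Timer(timeout_s, clear_if_unchanged, args=(board, secret))
    timer.daemon = True
    timer.start()
    return timer


if __name__ == "__main__":
    # Demo against the real macOS clipboard with a short window.
    t = copy_secret(PbBoard(), "example-secret-not-real", timeout_s=5.0)
    t.join()
    print("clipboard cleared" if PbBoard().get() == "" else "clipboard kept")
```

Clearing only undoes local exposure: anything Universal Clipboard or a clipboard-history tool captured during the window has already left the machine, which is why the posters above keep the window short.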
 
Using FOSS is another good way to protect yourself because you can easily use ChatGPT to check the code for malicious parts yourself without any knowledge of programming.

It never occurred to me to use ChatGPT for that. Do you have references where security experts discuss this approach?

AI can be gamed in so many ways. We're told time and again not to fully trust it since it can tell us crazy things. I can imagine machine learning playing a role in security when used by experts, but to have any kind of confidence in casual use by amateurs seems strange.
 
I also confess that I use the clipboard now and again. Sometimes there's just no helping it.
You’re overlooking the obvious solution to your clipboard security issues: dump 1Password and use Codebook.
...manually typing 30 random characters, or changing my password to something easy to type in.
Up until this last week, I hadn’t given much thought to diceware passwords. But, the password strength checkers I tested indicate that as long as you use enough words (i.e., at least three), diceware passwords can be strong enough. It’s likely that most people can type three or more random words faster than 30 random characters.
...So, my final decision is that I'll use Universal Autofill whenever possible.
Good choice.
 
But even given the horrible risk of using the clipboard in this way, how many people, who think they are aware of what they are doing at all times, are even aware of how risky the clipboard is?
I try to avoid the clipboard as much as possible. Sometimes, I do have to use it.
You’re overlooking the obvious solution to your clipboard security issues: dump 1Password and use Codebook.
Why? No family account, it’s not as polished, and if a person 1Password, so what? Also, I don’t see a Linux version.
Up until this last week, I hadn’t given much thought to diceware passwords. But, the password strength checkers I tested indicate that as long as you use enough words (i.e., at least three), diceware passwords can be strong enough. It’s likely that most people can type three or more random words faster than 30 random characters.

Good choice.
I use diceware for work accounts or anything I have to manually type.
 
I try to avoid the clipboard as much as possible. Sometimes, I do have to use it.

Why? No family account, it’s not as polished, and if a person 1Password, so what? Also, I don’t see a Linux version.

I use diceware for work accounts or anything I have to manually type.
I have noticed the following drawbacks to Codebook:

No ability to share vaults
No Linux version
The search option is too limited for a few people.
No family plan pricing

None of these are a problem for me, but I understand why others need or otherwise want these features.

I don’t understand your, “it’s not as polished", comment. Codebook is clean, logically laid out, and easy and convenient to use.

Additionally, I don't get your, "and if a person 1Password, so what?", but possibly you meant, "If a person uses 1Password, so what?" I think I understand why you and others use 1Password, and I don't have any problem with that. Although I've never used it, I've defended 1Password several times on this forum.

My comment to use Codebook was partly to have fun with svenmany (and I think he would take it that way), but I do wholeheartedly recommend the program.
 
I have noticed the following drawbacks to Codebook:

No ability to share vaults
No Linux version
The search option is too limited for a few people.
No family plan pricing

None of these are a problem for me, but I understand why others need or otherwise want these features.

I don’t understand your, “it’s not as polished", comment. Codebook is clean, logically laid out, and easy and convenient to use.
Yes, those things are a must for me. When I tried it, it just wasn't smooth; this was a few years ago.
Additionally, I don't get your, "and if a person 1Password, so what?", but possibly you meant, "If a person uses 1Password, so what?" I think I understand why you and others use 1Password, and I don't have any problem with that. Although I've never used it, I've defended 1Password several times on this forum.

My comment to use Codebook was partly to have fun with svenmany (and I think he would take it that way), but I do wholeheartedly recommend the program.
I did edit it, but autocorrect got the best of me.
 
I also confess that I use the clipboard now and again. Sometimes there's just no helping it. I do have a shortcut which clears the clipboard and have that assigned to a keystroke. So after pasting the text, I clear the clipboard. You can set that up in Automator as a shell script that runs: "pbcopy < /dev/null".

1Password also allows you to drag from the application onto a field. However, for the application where Universal Autofill fails, that fails as well. I'm left with the choice of copy/paste, manually typing 30 random characters, or changing my password to something easy to type in. I've settled on copy/paste with a quick clear of the clipboard right after.

Even though processes outside of the browser can capture clipboard content as it appears, I don't think it's possible for applications running in browser windows that don't have focus to do it. I haven't done the work to test that out, but it's what I've read online. Applications in background browser windows would have been the biggest risks.

Since Dave (1Password's founder who replied to me on the forums) didn't offer a preference of the browser extension over Universal Autofill, I suspect there are subtle considerations in play that could sway it one way or the other. I still believe Universal Autofill is safer than the browser extension. The code is running in a likely less hostile environment and all that's going on is that a trusted program is being allowed to write text into fields. Compare that to the browser extension where some trusted software (the browser extension) is opening a communication channel to other trusted software (the password application) that's running outside of the browser. That's risky and was exploited in the vulnerability reported by @einsteinbqat.

So, my final decision is that I'll use Universal Autofill whenever possible.

1- How about opening the password manager, searching for the password needed, and typing that into the browser? Is this more secure? This is why an "assistant app" is important to me. You can dock it on the screen and retrieve information. So far the only managers that have assistant apps are: 1Password, Enpass, Codebook.

2- If opened apps have access to the clipboard, is it possible they have access to the keyboard too? (keyboard logging)

3- One thing everyone is missing, but probably because they trust it, is that the browser can read the clipboard where you paste your passwords. Is Google Chrome spying on that too? Edge? Who knows?

It never occurred to me to use ChatGPT for that. Do you have references where security experts discuss this approach?

AI can be gamed in so many ways. We're told time and again not to fully trust it since it can tell us crazy things. I can imagine machine learning playing a role in security when used by experts, but to have any kind of confidence in casual use by amateurs seems strange.

How can AI figure out the malware? Doesn't that take real human intelligence to find vulnerabilities in the code? Otherwise, computers would be winning all those bug bounty programs 😝

Why? No family account, it’s not as polished, and if a person 1Password, so what? Also, I don’t see a Linux version.

I have learned that different strokes is indeed for different folks. I didn't like Codebook either, as much as I wish I did, but people seem to be very happy with it. It has a 4.7-star rating on the App Store.
 
Up until this last week, I hadn’t given much thought to diceware passwords. But, the password strength checkers I tested indicate that as long as you use enough words (i.e., at least three), diceware passwords can be strong enough. It’s likely that most people can type three or more random words faster than 30 random characters.

Using random strings is tougher to type and more prone to error when typing. Using long passPHRASES is easier for the human and can be harder for the computer to guess. 4 random words take you a long way over capitalization and symbols. See how longer passwords affect the strength.



I use the built in password generator in the password manager to give me four random passphrases and my choice of word separator : comma, dot, space, etc.
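The word-count question raised in these posts (three words, four words, or 30 random characters) comes down to entropy, and the arithmetic is short enough to carry through. This is an added example, not code from any poster or password manager; it assumes a standard 7776-word (five-dice) diceware list and a 95-character printable ASCII set for the random-string comparison, and the `SAMPLE_WORDS` list is a constructed 16-word stand-in so the generator runs offline.

```python
import math
import secrets

DICEWARE_LIST_SIZE = 6 ** 5   # 7776 words, one per five-dice roll (assumption: standard list)
PRINTABLE_ASCII = 95          # size of the set a random-character generator draws from

# Constructed sample list; far too small for real use, only here to keep the demo offline.
SAMPLE_WORDS = [
    "anvil", "basil", "cobalt", "dune", "ember", "fjord", "gable", "harbor",
    "ivory", "juniper", "kettle", "lantern", "meadow", "nickel", "orchid", "pebble",
]


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy for `length` independent uniform picks from `alphabet_size`."""
    return length * math.log2(alphabet_size)


def diceware_bits(num_words: int, list_size: int = DICEWARE_LIST_SIZE) -> float:
    """Entropy of a diceware passphrase: each word is one uniform pick from the list.

    The separator (comma, dot, space) is a fixed choice and adds nothing an
    attacker who knows the scheme has to guess.
    """
    return entropy_bits(list_size, num_words)


def words_needed(target_bits: float, list_size: int = DICEWARE_LIST_SIZE) -> int:
    """Smallest word count that reaches target_bits with the given list size."""
    return math.ceil(target_bits / math.log2(list_size))


def roll_index() -> int:
    """Five fair dice -> index 0..7775, drawn from the OS CSPRNG via secrets, not random."""
    idx = 0
    for _ in range(5):
        idx = idx * 6 + secrets.randbelow(6)
    return idx


def generate_passphrase(num_words: int, wordlist=SAMPLE_WORDS, sep: str = " ") -> str:
    """Pick words uniformly with secrets.choice; entropy depends on len(wordlist)."""
    return sep.join(secrets.choice(wordlist) for _ in range(num_words))


if __name__ == "__main__":
    for n in (3, 4, 5, 6):
        print(f"{n} diceware words: {diceware_bits(n):6.1f} bits")
    print(f"30 random printable chars: {entropy_bits(PRINTABLE_ASCII, 30):6.1f} bits")
    print(f"words needed for 128 bits: {words_needed(128)}")
    small = diceware_bits(4, len(SAMPLE_WORDS))
    print(f"sample passphrase (only {small:.0f} bits from the tiny list): {generate_passphrase(4)}")
```

The numbers only hold when words are drawn uniformly from the full list, which is why the generator uses `secrets` and why a user-chosen "random" phrase gets no such guarantee.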
 
I don't get, why? pre-2000 software was filled with security holes and viruses. I thought they use old operating systems because they didn't want to rewrite software for newer OSes. I think you mean to keep it off the internet because its more secure.
No, not at all.
First of all, if you are using DOS you are disconnected from today's risks entirely. It's very unlikely that someone will write malware for DOS. And the malware that already exists is easily handled. You are completely isolated from any modern threats.
Second: simplicity. DOS is much simpler than Windows 11 or macOS. The simpler a system, the smaller the targeting vector. You just can't attack something that doesn't exist. One of Windows' biggest problems has been printer drivers for a long time. Good luck in DOS. The attack surface is just so much smaller.
DOS is also much more reliable and stable than anything that exists nowadays. Even Linux.

Of course it's more complicated than that, but I'm just trying to get the idea across. No one jump on me with "they keep updating the software, patches, features, tech support etc etc", I get it.
Yes. This is such a dumb argument. As if all devs before 2019 died from starvation. Think about the whole gaming industry. Besides MMOs there are no subscription games. How do they update constantly, add features, patches, and maintain multiplayer servers without constant monthly cash flow? But nonetheless those calendar and password manager devs want us to believe that subs are mandatory to run a successful business. Yea. Right.
Look at YNAB: they went to subs and raised it from $45 per year to $108 because they locked their users into their system. While Actual, a FOSS clone, is free with an optional server for syncing for $2 per month if you don't want to run your own server.

It never occurred to me to use ChatGPT for that. Do you have references where security experts discuss this approach?

AI can be gamed in so many ways. We're told time and again not to fully trust it since it can tell us crazy things. I can imagine machine learning playing a role in security when used by experts, but to have any kind of confidence in casual use by amateurs seems strange.
ChatGPT is advancing rapidly. 3.5 was rather unreliable but 4o is crazy.
You are right. Don’t trust it. Always check twice if answers are true.
But it does a good job reviewing code. And it does a very good job reviewing code snippets.
I wrote a ton of handy Python tools with it. It works.
Can I rely on it if I want to know if Dracula really existed? No. It is possible that it makes stuff up if it doesn't know it. But code is another story. They scanned almost all publicly available code. It can tell you everything about a line of code if you ask the right questions.
It's not possible for it to be manipulated by malware coders. The GPT makers themselves could manipulate it to give wrong answers, but why should they do that to manipulate answers regarding open source password managers?
 
They scanned almost all publicly available code. It can tell you everything about a line of code if you ask the right questions.
It's not possible for it to be manipulated by malware coders.

I would love to see such assertions being discussed by security researchers. I'd like to hear what such people think about the risks of a casual user using AI to decide whether an open source project is safe for them to use. I mostly wonder how likely a casual user would ask the right questions; I certainly wouldn't know how to do it to get full coverage.

I guess it would be good at detecting malicious code and techniques that have been made public. Those aren't the real risks.

Reasonable people trusting AI in such critical areas - we're in really scary times.
 
My comment to use Codebook was partly to have fun with svenmany (and I think he would take it that way), but I do wholeheartedly recommend the program.

I did take it that way.

I really don't know how to evaluate the safety of Codebook's autofill and its use of AppleScript to transmit data from the Codebook application to another application. The fact that AgileBits didn't do it, even though it easily works, gives me pause. I know nothing about the environment that the AppleScript runs in and what doors have to be open to allow it access to secure data. I wonder if the AppleScript runs inside the Codebook process or has to communicate with it from outside. I would love to see a security audit of their product.
 
I assume that no malicious software is running on my device. I use copy-paste.
 